"*.sharepoint.com" - user upload / download files for DLP / AV inspection (but not for EW)
"*.sharepointonline.com" - user upload / download files for DLP / AV inspection (but not for EW)
"teams.microsoft.com" - user login for modifying Teams client for Audio, Video, Screen share, user login.
"*.teams.microsoft.com" - user, presence and conversations info
"*.ng.msg.teams.microsoft.com" - chat server for IMs and Files
"pipe.skype.com" - for Audio, Video, Screen share events
"*.notifications.teams.microsoft.com" - for incoming IMs and Files / push notifications (no longer needed for latest versions of Teams clients. Replaced by "*.trouter.teams.microsoft.com".
"*.asyncgw.teams.microsoft.com" - conversations data
"*.msgapi.teams.microsoft.com" - chat server for outgoing IMs and Files
substrate.office.com - Some search results. Required to prevent users from viewing search suggestions of blocked contacts (EW). Affects Teams, SharePoint and other apps
graph.microsoft.com - Search results in SharePoint and other apps (not Teams)
"*.trouter.teams.microsoft.com" - Real time push notifications. Currently required for filtering incoming messages to managed clients. May be omitted if filtering incoming messages isn’t required.
Link to latest PAC version from repository: https://gitlab.com/agat-software/filter-devs/teams_protector/-/blob/efa810b60720d03c7d0cad727f53282a6c48879b/Config/PACs/pac_file.pac
Last updated 13.06.2023
function FindProxyForURL(url, host) { // Specify your proxy here: e.g. "Proxy 11.22.33.4:80" var agatProxy = "PROXY <Bastion IP>:<Bastion Port>" var ignorelist = new Array( "secure.aadcdn.microsoftonline-p.com", "statics.teams.microsoft.com"); var proxylist = new Array( "*.sharepoint.com", "*.sharepointonline.com", "teams.microsoft.com", "*.ng.msg.teams.microsoft.com", "pipe.skype.com", "*.notifications.teams.microsoft.com", "*.asyncgw.teams.microsoft.com", "*.agatskype.net", "*.msgapi.teams.microsoft.com", "substrate.office.com", "graph.microsoft.com", "*.trouter.teams.microsoft.com" ); // Check if need to ignore for (var i = 0; i < ignorelist.length; i++) { var value = ignorelist[i]; if (dnsDomainIs(host, value)) { return "DIRECT"; } } //One subdomain under teams if (shExpMatch(host, "*.teams.microsoft.com") && dnsDomainLevels(host) == 3){ return agatProxy; } // Return our proxy name for matched domains/hosts for (var i = 0; i < proxylist.length; i++) { var value = proxylist[i]; if (shExpMatch(host, value)) { return agatProxy; } } return "DIRECT"; }
URLs to whitelist in firewalls
*.sharepoint.com
*.sharepointonline.com
teams.microsoft.com
*.teams.microsoft.com
*.ng.msg.teams.microsoft.com
pipe.skype.com
*.notifications.teams.microsoft.com
*.asyncgw.teams.microsoft.com
*.msgapi.teams.microsoft.com
*.trouter.teams.microsoft.com