"^[^.]+.sharepoint.com" - user upload / download files for DLP / AV inspection (but not for EW)
"^[^.]+.sharepointonline.com" - user upload / download files for DLP / AV inspection (but not for EW)
"teams.microsoft.com" - user login for modifying Teams client for Audio, Video, Screen share, user login.
"^[^.]+.teams.microsoft.com" - user and conversations info
"^[^.]+.ng.msg.teams.microsoft.com" - chat server for IMs and Files
"pipe.skype.com" - for Audio, Video, Screen share events
"^[^.]+.notifications.teams.microsoft.com" - for incoming IMs and Files / push notifications (no longer needed for the latest versions of Teams clients; replaced by "^[^.]+.trouter.teams.microsoft.com").
"^[^.]+.asyncgw.teams.microsoft.com" - conversations data

"^[^.]+.msgapi.teams.microsoft.com" - chat server for outgoing IMs and Files

substrate.office.com - Some search results. Required to prevent users from viewing search suggestions of blocked contacts (EW). Affects Teams, SharePoint and other apps

graph.microsoft.com - Search results in SharePoint and other apps (not Teams)

"^[^.]+.trouter.teams.microsoft.com" - Real time push notifications. Currently required for filtering incoming messages to managed clients. May be omitted if filtering incoming messages isn’t required.

 

Link to latest PAC version from repository: https://gitlab.com/agat-software/filter-devs/teams_protector/-/blob/efa810b60720d03c7d0cad727f53282a6c48879b/Config/PACs/pac_file.pac

Last updated 31.5.2021

/**
 * PAC entry point: decides whether a request goes through the inspection
 * proxy or connects directly.
 *
 * Order of evaluation:
 *   1. Hosts on the direct list return "DIRECT" immediately, even when they
 *      would also match a proxied pattern below.
 *   2. Hosts matching any proxied pattern are sent to the proxy.
 *   3. Everything else returns "DIRECT".
 *
 * NOTE(review): the proxied patterns are written in regex style ("^", "[^.]+")
 * but are handed to shExpMatch, which is specified as a shell-expression
 * matcher. Whether they match appears to depend on the PAC engine; confirm on
 * every client engine in use. A pattern that silently fails to match falls
 * through to "DIRECT", so that traffic would bypass the proxy uninspected.
 *
 * Plain `var` declarations and index loops are kept on purpose, since PAC
 * scripts may be evaluated by older script engines.
 *
 * @param {string} url  Full request URL (not used by this script).
 * @param {string} host Host name extracted from the URL.
 * @returns {string} "DIRECT" or the "PROXY ..." directive.
 */
function FindProxyForURL(url, host) {
	// Hosts that always bypass the proxy; compared with dnsDomainIs.
	var directHosts = [
		"secure.aadcdn.microsoftonline-p.com",
		"statics.teams.microsoft.com"
	];

	// Host patterns routed through the proxy; compared with shExpMatch.
	var proxiedPatterns = [
		"^[^.]+.sharepoint.com",
		"^[^.]+.sharepointonline.com",
		"teams.microsoft.com",
		"^[^.]+.teams.microsoft.com",
		"^[^.]+.ng.msg.teams.microsoft.com",
		"pipe.skype.com",
		"^[^.]+.notifications.teams.microsoft.com",
		"^[^.]+.asyncgw.teams.microsoft.com",
		"^[^.]+.agatskype.net",
		"^[^.]+.msgapi.teams.microsoft.com",
		"substrate.office.com",
		"graph.microsoft.com",
		"^[^.]+.trouter.teams.microsoft.com"
	];

	var idx;

	// The direct list is consulted first so it takes precedence over the
	// broader proxied patterns.
	for (idx = 0; idx < directHosts.length; idx++) {
		if (dnsDomainIs(host, directHosts[idx])) {
			return "DIRECT";
		}
	}

	// The directive below is a template placeholder; it has to be replaced
	// with the deployment's proxy address before the file is served.
	for (idx = 0; idx < proxiedPatterns.length; idx++) {
		if (shExpMatch(host, proxiedPatterns[idx])) {
			return "PROXY <**** BASTION SERVER IP ****>";
		}
	}

	// No rule matched: connect without the proxy.
	return "DIRECT";
}

 

URLs to whitelist in firewalls

*.sharepoint.com
*.sharepointonline.com
teams.microsoft.com
*.teams.microsoft.com
*.ng.msg.teams.microsoft.com
pipe.skype.com
*.notifications.teams.microsoft.com
*.asyncgw.teams.microsoft.com

*.msgapi.teams.microsoft.com

substrate.office.com

graph.microsoft.com