FW Teams Proxy PAC + File explanations

"*.sharepoint.com" - user upload / download files for DLP / AV inspection (but not for EW)
"*.sharepointonline.com" - user upload / download files for DLP / AV inspection (but not for EW)
"teams.microsoft.com" - user login for modifying Teams client for Audio, Video, Screen share, user login.
"*.teams.microsoft.com" - user, presence and conversations info
"*.ng.msg.teams.microsoft.com" - chat server for IMs and Files
"pipe.skype.com" - for Audio, Video, Screen share events
"*.notifications.teams.microsoft.com" - for incoming IMs and Files / push notifications (no longer needed for latest versions of Teams clients. Replaced by "*.trouter.teams.microsoft.com".
"*.asyncgw.teams.microsoft.com" - conversations data

"*.msgapi.teams.microsoft.com" - chat server for outgoing IMs and Files

substrate.office.com - Some search results. Required to prevent users from viewing search suggestions of blocked contacts (EW). Affects Teams, SharePoint and other apps

graph.microsoft.com - Search results in SharePoint and other apps (not Teams)

"*.trouter.teams.microsoft.com" - Real time push notifications. Currently required for filtering incoming messages to managed clients. May be omitted if filtering incoming messages isn’t required.

 "statics.teams.cdn.office.net" - Get static scripts from AGAT CDN server

 

Link to latest PAC version from repository: https://gitlab.com/agat-software/filter-devs/teams_protector/-/blob/efa810b60720d03c7d0cad727f53282a6c48879b/Config/PACs/pac_file.pac

Last updated 06.11.2023

Version from 13.06.2023 includes a change from regular expressions to shell expressions. These are more widely supported by platforms other than Windows, including iOS.

Note that the proxy address is specified on line 5 only.

function FindProxyForURL(url, host) { // Specify your proxy here: e.g. "Proxy 11.22.33.4:80" var agatProxy = "PROXY <Bastion IP>:<Bastion Port>" var proxylist = new Array( "*.sharepoint.com", "*.sharepointonline.com", "teams.microsoft.com", "*.ng.msg.teams.microsoft.com", "pipe.skype.com", "*.notifications.teams.microsoft.com", "*.asyncgw.teams.microsoft.com", "*.msgapi.teams.microsoft.com", "substrate.office.com", "graph.microsoft.com", "*.trouter.teams.microsoft.com" ); //One subdomain under teams if (shExpMatch(host, "*.teams.microsoft.com") && dnsDomainLevels(host) == 3){ return agatProxy; } // Return our proxy name for matched domains/hosts for (var i = 0; i < proxylist.length; i++) { var value = proxylist[i]; if (shExpMatch(host, value)) { return agatProxy; } } return "DIRECT"; }

 

General Explanations

  • The PAC file uses shell expressions. These are more widely supported by platforms other than Windows, including iOS. Use of regexes may cause unexpected behavior.

  • The PAC file is written to catch all single level subdomains of teams.microsoft.com (e.g. config.teams.microsoft.com) but not two level subdomains (e.g. api.flightproxy.teams.microsoft.com). Exceptions to this rule are explicitly specified (e.g. *.ng.msg.teams.microsoft.com).
    Adding a catch all subdomain rule will cause undesired behavior (e.g. shExpMatch(host, "*.teams.microsoft.com")


Note that the proxy address is specified on line 5 only.

URLs to whitelist in firewalls

*.sharepoint.com
*.sharepointonline.com
teams.microsoft.com
*.teams.microsoft.com
*.ng.msg.teams.microsoft.com
pipe.skype.com
*.notifications.teams.microsoft.com
*.asyncgw.teams.microsoft.com

*.msgapi.teams.microsoft.com

substrate.office.com

graph.microsoft.com

*.trouter.teams.microsoft.com