FW Teams Proxy PAC + File explanations
"*.sharepoint.com" - user upload / download files for DLP / AV inspection (but not for EW)
"*.sharepointonline.com" - user upload / download files for DLP / AV inspection (but not for EW)
"teams.microsoft.com" - user login for modifying Teams client for Audio, Video, Screen share, user login.
"*.teams.microsoft.com" - user, presence and conversations info
"*.ng.msg.teams.microsoft.com" - chat server for IMs and Files
"pipe.skype.com" - for Audio, Video, Screen share events
"*.notifications.teams.microsoft.com" - for incoming IMs and Files / push notifications (no longer needed for latest versions of Teams clients. Replaced by "*.trouter.teams.microsoft.com".
"*.asyncgw.teams.microsoft.com" - conversations data
"*.msgapi.teams.microsoft.com" - chat server for outgoing IMs and Files
substrate.office.com - Some search results. Required to prevent users from viewing search suggestions of blocked contacts (EW). Affects Teams, SharePoint and other apps
graph.microsoft.com - Search results in SharePoint and other apps (not Teams)
"*.trouter.teams.microsoft.com" - Real time push notifications. Currently required for filtering incoming messages to managed clients. May be omitted if filtering incoming messages isn’t required.
Link to latest PAC version from repository: https://gitlab.com/agat-software/filter-devs/teams_protector/-/blob/efa810b60720d03c7d0cad727f53282a6c48879b/Config/PACs/pac_file.pac
Last updated 06.11.2023
Version from 13.06.2023 includes a change from regular expressions to shell expressions. These are more widely supported by platforms other than Windows, including iOS.
Note that the proxy address is specified on line 5 only.
function FindProxyForURL(url, host) {
// Specify your proxy here: e.g. "Proxy 11.22.33.4:80"
var agatProxy = "PROXY <Bastion IP>:<Bastion Port>"
var proxylist = new Array(
"*.sharepoint.com",
"*.sharepointonline.com",
"teams.microsoft.com",
"*.ng.msg.teams.microsoft.com",
"pipe.skype.com",
"*.notifications.teams.microsoft.com",
"*.asyncgw.teams.microsoft.com",
"*.msgapi.teams.microsoft.com",
"substrate.office.com",
"graph.microsoft.com",
"*.trouter.teams.microsoft.com"
);
//One subdomain under teams
if (shExpMatch(host, "*.teams.microsoft.com") && dnsDomainLevels(host) == 3){
return agatProxy;
}
// Return our proxy name for matched domains/hosts
for (var i = 0; i < proxylist.length; i++) {
var value = proxylist[i];
if (shExpMatch(host, value)) {
return agatProxy;
}
}
return "DIRECT";
}
General Explanations
The PAC file uses shell expressions. These are more widely supported by platforms other than Windows, including iOS. Use of regexes may cause unexpected behavior.
The PAC file is written to catch all single level subdomains of teams.microsoft.com (e.g. config.teams.microsoft.com) but not two level subdomains (e.g. api.flightproxy.teams.microsoft.com). Exceptions to this rule are explicitly specified (e.g.
*.ng.msg.teams.microsoft.com).
Adding a catch all subdomain rule will cause undesired behavior (e.g.shExpMatch(host, "*.teams.microsoft.com")
Note that the proxy address is specified on line 5 only.
URLs to whitelist in firewalls
*.sharepoint.com
*.sharepointonline.com
teams.microsoft.com
*.teams.microsoft.com
*.ng.msg.teams.microsoft.com
pipe.skype.com
*.notifications.teams.microsoft.com
*.asyncgw.teams.microsoft.com
*.msgapi.teams.microsoft.com
*.trouter.teams.microsoft.com