How do I allow Microsoft Office 365 clients through Smoothwall?

Article #: 1740

Product: Guardian

Castle: All

Summary:

This article explains how to set up your Smoothwall to allow the use of Microsoft Office 365 clients.

Problem:

Microsoft Office 365 may be blocked or inaccessible with your current Smoothwall configuration.

Solution:

To enable use of Microsoft Office 365 clients:

1. Create one or more firewall rules that allow the following ports:
TCP port 5061
UDP port 3478
TCP/UDP port 5223
UDP ports 50000-59999

See https://help.smoothwall.net/Hearst/Content/modules/rule/cgi-bin/rule/sourcerules.htm for pre-Inverness customers; or https://help.smoothwall.net/Inverness/Content/ui/admin/ipfilter/forward.htm for customers running Inverness or higher.

2. Create a Web Filter Policy to Allow the Microsoft Office 365 [NEW] category. To do this:
a. Navigate to Guardian > Web Filter > Policy Wizard.
b. Create a Web Filter Policy with the following settings:

Who — *As Required

What — Microsoft Office 365 [NEW]

Where — *As Required

When — *As Required

Action — Allow

c. Click Save.
3. Add your email domain to the Microsoft Office 365 category. To do this:
a. Navigate to Guardian > Policy Objects > Categories.
b. In the Categories panel, expand Standard Categories.
c. Edit Microsoft Office 365 [NEW].
d. Add mydomain.local to Domain/URL filtering, where mydomain.local is your username@mydomain.local.com.
4. Add the Microsoft Office 365 [NEW] category to Authentication Exceptions.

For more information see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/authexceptions.htm

5. Also add the following categories to Authentication Exceptions:

Note: The following categories may have already been added for a previous application.

SSL/CRL
Software Updates
6. Add the Microsoft Office 365 [NEW] category to a Whitelist policy for Everyone — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/filteringpolicywiz.htm.
7. Move the policy you created up the Web filter policies table until it is above any block or blanket block in place for the group Unauthenticated IPs — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/policies.htm.
8. Save and restart the web proxy.

Note: On some Windows XP and Android clients, some of the traffic from the Lync login process attempts to go out directly on port 443 regardless of proxy settings. If you are using transparent HTTPS interception, this traffic may be intercepted; however, Lync does not support SNI and will not connect.

If you filter the web filter realtime logs by the IP of your test client and obtain the destination IPs Lync is using, these can be added as custom entries to the built-in category entitled Transparent HTTPS Incompatible Sites. To find it, go to Guardian > Policy objects > Categories > Categories > Standard categories.
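As an added example (not Smoothwall code and not part of the original article), the Python sketch below audits a rule list against the ports in step 1 of the solution above, reporting required ports that are not allowed and allowed ports the article does not call for. The one-rule-per-line `proto port[-port]` input format, the sample rules and the function names are assumptions; transcribe your own rules into that format.

```python
# Added example: audit a firewall allow-list against the ports in step 1.
# The "proto port[-port]" line format is an assumption, not a Smoothwall export.
REQUIRED = [("tcp", 5061, 5061), ("udp", 3478, 3478), ("tcp", 5223, 5223),
            ("udp", 5223, 5223), ("udp", 50000, 59999)]   # ports from step 1

SAMPLE = """\
# constructed sample rule list, not real Smoothwall output
tcp 5061
udp 3478
tcp 5223            # UDP half of 5223 forgotten
udp 50000-54999     # range cut short
udp 53              # not one of the step 1 ports
"""

def parse_rules(text):
    """Turn lines such as 'udp 50000-59999' or 'tcp/udp 5223' into tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        protos, ports = line.lower().split()
        lo, _, hi = ports.partition("-")
        rules += [(p, int(lo), int(hi or lo)) for p in protos.split("/")]
    return rules

def uncovered(entry, ranges):
    """Return the parts of entry's port range that none of ranges covers."""
    proto, lo, hi = entry
    gaps, cursor = [], lo
    for _, r_lo, r_hi in sorted(r for r in ranges if r[0] == proto):
        if r_hi < cursor or r_lo > hi:
            continue                             # no overlap with what is left
        if r_lo > cursor:
            gaps.append((cursor, r_lo - 1))
        cursor = max(cursor, r_hi + 1)
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps

def audit(text):
    """Return (missing, excess): required ports not allowed, extra ports allowed."""
    rules = parse_rules(text)
    missing = {r: g for r in REQUIRED if (g := uncovered(r, rules))}
    excess = {r: g for r in rules if (g := uncovered(r, REQUIRED))}
    return missing, excess

if __name__ == "__main__":
    print(audit(SAMPLE))
```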

Seeing HTTP Code 503 in the Web Filter Logs

Using the Auto Configuration URL in the Outlook client fails to configure the client, and you see HTTP Code 503 in the Guardian logs.

Office 365 DOES NOT support HTTPS for the auto configuration URL. An HTTPS auto configuration URL will most likely be caused by an SRV record or group policy setting. Most likely it is a setting left over from when an Exchange server was used on site before moving to a cloud solution. Even if the Exchange function has been removed from a server, Exchange schema changes to the domain schema cannot be removed.

You will need to use HTTP; otherwise you will see HTTP Code 503 when accessing autodiscover.yourdomain.com. See https://support.microsoft.com/en-gb/kb/2612922.

Attribution:

Last updated: 11 January 2018

Author: Patrick Gleeson

Contributions by: Jonathan Mckeague


Copyright © 2000-2018 Smoothwall All rights reserved.