How do I allow Microsoft Office 365 clients through Smoothwall?

Article #: 1740

Product: Guardian

Castle: All

Summary

Unable to access Microsoft Office 365® — Client fails to connect

Problem

Office 365 clients require several ports to be opened on the firewall, and a number of URLs to be added to an Allow rule, a Whitelist rule, and Authentication Exceptions.

Solution

1. Create one or more firewall rules that allow the following ports:
TCP port 5061
UDP port 3478
TCP/UDP port 5223
UDP ports 50000-59999

See https://help.smoothwall.net/Hearst/Content/modules/rule/cgi-bin/rule/sourcerules.htm for pre-Inverness customers; or https://help.smoothwall.net/Inverness/Content/ui/admin/ipfilter/forward.htm for customers running Inverness or higher.

2. Create a category containing the following domains:
lync.com
outlook.com
login.microsoftonline.com
Your email domain: this is the domain part of your organization's email address. For example, if your email is username@mydomain.local.com, you would add mydomain.local to Domain/URL filtering.
a. As part of the new custom category, add the following URL pattern:

URL patterns: autodiscover

3. Add the new category created in step 2 to Authentication Exceptions.

For more information see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/authexceptions.htm

4. Also add the following categories to Authentication Exceptions (note that this may already have been done for a previous application):
SSL/CRL
Software Updates
5. Add the new category created in step 2 to a Whitelist policy for Everyone — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/filteringpolicywiz.htm.
6. Move the policy you created up the Web filter policies table until it is above any block or blanket block in place for the group Unauthenticated IPs — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/policies.htm.
7. Save and restart the web proxy.
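The seven steps above touch four different parts of the Guardian configuration, and a single missed range or a whitelist policy left below the Unauthenticated IPs block is enough to break the Lync login. The following Python script is an added example (not Smoothwall code, and not Smoothwall's export format) that checks a configuration against each step before you restart the proxy. The dict layout, the category name "Office 365" and the policy field names are constructed assumptions; map them onto however you read your own settings out.

```python
"""Check a Smoothwall setup against the Office 365 steps above.

Added example, not Smoothwall code or its export format: the dict layout,
the category name "Office 365" and the policy field names are constructed
assumptions used only to illustrate the checks.
"""
import copy

# Step 1 ports: (protocol, first port, last port)
REQUIRED_PORTS = [("tcp", 5061, 5061), ("udp", 3478, 3478),
                  ("tcp", 5223, 5223), ("udp", 5223, 5223),
                  ("udp", 50000, 59999)]
# Step 2 domains (the organisation's e-mail domain is passed in separately)
REQUIRED_DOMAINS = {"lync.com", "outlook.com", "login.microsoftonline.com"}
# Step 4 categories that must also be authentication exceptions
REQUIRED_EXCEPTIONS = {"SSL/CRL", "Software Updates"}


def port_range_allowed(proto, first, last, rules):
    """True if every port in first..last is opened by some allow rule.

    One required range may be met by several smaller rules, so the allowed
    intervals are walked in ascending order and merged on the fly.
    """
    intervals = sorted((r["first"], r["last"]) for r in rules
                       if r["action"] == "allow" and r["proto"] in (proto, "tcp/udp"))
    cursor = first                      # lowest port not yet proven allowed
    for lo, hi in intervals:
        if hi < cursor:
            continue                    # interval ends below the uncovered part
        if lo > cursor:
            return False                # hole between cursor and lo
        cursor = hi + 1
        if cursor > last:
            return True
    return False


def check_office365(config, email_domain, category="Office 365"):
    """Return a list of problems; an empty list means every step is in place."""
    problems = []
    for proto, first, last in REQUIRED_PORTS:            # step 1
        if not port_range_allowed(proto, first, last, config["firewall_rules"]):
            problems.append(f"step 1: {proto} {first}-{last} not allowed")
    cat = config["categories"].get(category)             # step 2
    if cat is None:
        problems.append(f"step 2: category {category!r} missing")
    else:
        for dom in sorted((REQUIRED_DOMAINS | {email_domain}) - set(cat["domains"])):
            problems.append(f"step 2: domain {dom} missing from {category!r}")
        if "autodiscover" not in cat["url_patterns"]:
            problems.append("step 2a: URL pattern 'autodiscover' missing")
    missing_exc = (REQUIRED_EXCEPTIONS | {category}) - set(config["auth_exceptions"])
    for name in sorted(missing_exc):                      # steps 3 and 4
        problems.append(f"step 3/4: {name!r} not in Authentication Exceptions")
    policies = config["policies"]   # ordered top to bottom as in the policies table
    allow = [i for i, p in enumerate(policies) if p["action"] == "whitelist"
             and p["group"] == "Everyone" and p["category"] == category]
    blocks = [i for i, p in enumerate(policies)
              if p["action"] == "block" and p["group"] == "Unauthenticated IPs"]
    if not allow:                                         # step 5
        problems.append("step 5: no whitelist policy for Everyone")
    elif blocks and min(blocks) < allow[0]:               # step 6
        problems.append("step 6: whitelist sits below a block for Unauthenticated IPs")
    return problems


# Constructed sample: the UDP media range is only half opened and the
# whitelist still sits below the block for Unauthenticated IPs.
SAMPLE_BEFORE = {
    "firewall_rules": [
        {"proto": "tcp", "first": 5061, "last": 5061, "action": "allow"},
        {"proto": "udp", "first": 3478, "last": 3478, "action": "allow"},
        {"proto": "tcp/udp", "first": 5223, "last": 5223, "action": "allow"},
        {"proto": "udp", "first": 50000, "last": 54999, "action": "allow"},
    ],
    "categories": {"Office 365": {
        "domains": ["lync.com", "outlook.com", "login.microsoftonline.com", "example.org"],
        "url_patterns": ["autodiscover"]}},
    "auth_exceptions": ["Office 365", "SSL/CRL", "Software Updates"],
    "policies": [
        {"action": "block", "group": "Unauthenticated IPs", "category": "*"},
        {"action": "whitelist", "group": "Everyone", "category": "Office 365"},
    ],
}
# Same setup with the remaining ports opened and the policy order fixed
SAMPLE_AFTER = copy.deepcopy(SAMPLE_BEFORE)
SAMPLE_AFTER["firewall_rules"].append(
    {"proto": "udp", "first": 55000, "last": 59999, "action": "allow"})
SAMPLE_AFTER["policies"].reverse()

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, check_office365(cfg, "example.org") or "OK")
```

The range merge in port_range_allowed matters for the 50000-59999 media range, which administrators often open as several smaller rules; a naive "is there a rule for this exact range" check would report a false failure there.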

Note: On some Windows XP and Android clients, part of the Lync login traffic goes out directly on port 443 regardless of the configured proxy settings. If you are using transparent HTTPS interception, this traffic may be intercepted; however, Lync does not support SNI, so the connection will fail.

If you filter the web filter realtime logs by the IP of your test client and note the destination IPs Lync is using, you can add these as custom entries to the built-in category Transparent HTTPS Incompatible Sites. Go to Guardian > Policy objects > Categories > Categories > Standard categories.
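Because the Lync client connects to these servers by address rather than by name, the proxy sees no SNI and no hostname it could match against a category; the only usable key is the destination IP. The Python script below is an added example (not Smoothwall code) of pulling exactly those addresses out of a log filtered by the test client's IP. The space-separated line layout it parses (timestamp, client IP, method, URL, status) is a constructed stand-in for a realtime log export, so adjust LINE_RE to your real column order, and the 203.0.113.x / 198.51.100.x addresses are documentation placeholders, not Microsoft's ranges.

```python
"""Extract the HTTPS destination IPs one client reached, from web filter log lines.

Added example, not Smoothwall code: the line layout below (timestamp,
client IP, method, URL, status) is a constructed stand-in for a realtime
log export. The 203.0.113.x / 198.51.100.x addresses are documentation
placeholders, not Microsoft's real ranges.
"""
import ipaddress
import re
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")
# Internal ranges that never belong in a public "incompatible sites" list
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(addr):
    """True for loopback, link-local and RFC 1918 addresses."""
    return addr.is_loopback or addr.is_link_local or any(addr in n for n in LOCAL_NETS)


def https_destination_ips(log_lines, client_ip, already_listed=()):
    """Sorted, de-duplicated public IPs that client_ip connected to over HTTPS
    by literal address (no hostname, hence nothing for SNI-based matching).
    Addresses in already_listed are dropped so only new entries are returned."""
    found = set()
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["client"] != client_ip:
            continue
        url = rec["url"]
        if "://" not in url:            # CONNECT lines carry a bare host:port
            url = "https://" + url
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            continue
        try:
            addr = ipaddress.ip_address(parts.hostname)
        except ValueError:
            continue                    # a hostname: a normal category can match it
        if is_internal(addr):
            continue
        found.add(addr)
    known = {ipaddress.ip_address(i) for i in already_listed}
    return [str(a) for a in sorted(found - known, key=lambda a: (a.version, int(a)))]


# Constructed log lines for a test client at 192.168.1.50 (not real log output)
SAMPLE_LOG = [
    "2016-12-06 10:01:02 192.168.1.50 CONNECT login.microsoftonline.com:443 200",
    "2016-12-06 10:01:05 192.168.1.50 CONNECT 203.0.113.10:443 200",
    "2016-12-06 10:01:05 192.168.1.50 CONNECT 203.0.113.10:443 200",   # duplicate
    "2016-12-06 10:01:07 192.168.1.51 CONNECT 198.51.100.7:443 200",    # other client
    "2016-12-06 10:01:09 192.168.1.50 GET http://autodiscover.example.org/autodiscover/autodiscover.xml 200",
    "2016-12-06 10:01:11 192.168.1.50 CONNECT 198.51.100.20:443 503",
    "2016-12-06 10:01:12 192.168.1.50 CONNECT 192.168.1.1:443 200",     # internal, ignored
    "garbage line",
]

if __name__ == "__main__":
    for ip in https_destination_ips(SAMPLE_LOG, "192.168.1.50"):
        print(ip)   # candidates for Transparent HTTPS Incompatible Sites
```

Pass the entries already present in the category as already_listed so that repeated runs after further test logins only print what still needs adding; review the list by hand before pasting it in, since anything the client reached by bare IP during the capture window ends up in it.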

Seeing HTTP Code 503 in the Web Filter Logs

Using the auto-configuration URL in the Outlook client fails to configure the client, and you see HTTP code 503 in the Guardian logs.

Office 365 DOES NOT support HTTPS for the auto-configuration URL. The HTTPS attempt is most likely caused by an SRV record or group policy setting left over from when an Exchange server was used on site, before moving to a cloud solution. Even if the Exchange role has been removed from a server, the Exchange changes to the domain schema cannot be removed.

You will need to use HTTP; otherwise you will see HTTP code 503 when accessing autodiscover.yourdomain.com. See https://support.microsoft.com/en-gb/kb/2612922.

Attribution:

Last updated: 6th December 2016

Author: TE

Copyright © 2000-2016 Smoothwall All rights reserved.