Wednesday, 29 July 2015

Getting Office 365 to Work Without Completely Opening Up Internet Access

When it comes to Internet access I'm a firm believer in only granting the minimum access to get the job done.  I typically run a Squid proxy using Kerberos authentication, coupled with a default-deny firewall policy.

Office 365 isn't able to work through a proxy, even when no authentication is required.  If you can prove me wrong I would love to hear about it!

To work around this issue, I wrote a simple Python script to grab the address ranges from the XML file provided by the Microsoft Office 365 team.

I load the ranges into an array object and write out two files:

The first file contains the commands to create an address list for the firewall.  A rule is defined on the firewall to allow requests to TCP ports 80 and 443 if the destination address is within said address list.

The second file is a JavaScript PAC file telling the browser to go direct if the host resolves to an IP within the list.  I also add the loopback address and RFC 1918 addresses to the list.  If the host isn't in the list, it will fall back to using the defined proxy.

Here is a trimmed version of the file so you can see how it works:

function FindProxyForURL(url, host)
{
    // Resolve the host once, then test the address against the bypass list
    var resolved_ip = dnsResolve(host);
    if (isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
        isInNet(resolved_ip, "23.100.86.91", "255.255.255.255") ||
        // ... (remaining Office 365 ranges trimmed from this listing)
        isInNet(resolved_ip, "213.199.148.0", "255.255.254.0") ||
        isInNet(resolved_ip, "213.199.182.128", "255.255.255.128"))
    {
        return "DIRECT";
    }
    // Anything not in the list still goes through the authenticating proxy
    return "PROXY proxy.host.name:3128";
}
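The generator itself is not on this page, so here is an added Python example (my own, not the author's script) that does what the post describes: it parses the address ranges out of an XML file, then writes the firewall address-list commands and the PAC file from one source so the two never drift apart. The XML snippet is a constructed sample in the shape I assume the Microsoft file had (product/addresslist/address elements holding CIDR ranges); the "address-list add" command syntax is a placeholder, since the post does not name the firewall.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of the Office 365 IP range XML
# (product -> addresslist -> address elements with CIDR text); not Microsoft's data.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<products>
  <product name="o365">
    <addresslist type="IPv4">
      <address>23.100.86.91/32</address>
      <address>213.199.148.0/23</address>
      <address>213.199.182.128/25</address>
      <address>23.100.86.91/32</address>
    </addresslist>
    <addresslist type="IPv6">
      <address>2a01:111:f400::/48</address>
    </addresslist>
  </product>
</products>
"""

# Loopback and RFC 1918 space are always sent DIRECT, as the post describes.
LOCAL_RANGES = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_ranges(xml_text):
    """Return the IPv4 ranges from the XML as sorted, de-duplicated IPv4Network objects.
    IPv6 lists are skipped because isInNet() in a PAC file takes dotted-quad masks."""
    root = ET.fromstring(xml_text)
    nets = set()
    for alist in root.iter("addresslist"):
        if alist.get("type") != "IPv4":
            continue
        for addr in alist.findall("address"):
            nets.add(ipaddress.ip_network(addr.text.strip(), strict=False))
    return sorted(nets)


def firewall_commands(nets, list_name="o365"):
    """Address-list lines in a generic 'address-list add <name> <cidr>' form.
    This syntax is a placeholder; adapt it to the firewall actually in use."""
    return [f"address-list add {list_name} {n.with_prefixlen}" for n in nets]


def pac_file(nets, proxy="proxy.host.name:3128"):
    """Build a PAC file that goes DIRECT for local space and the listed ranges,
    and falls back to the proxy for everything else."""
    all_nets = [ipaddress.ip_network(r) for r in LOCAL_RANGES] + list(nets)
    checks = [
        f'isInNet(resolved_ip, "{n.network_address}", "{n.netmask}")' for n in all_nets
    ]
    condition = " ||\n        ".join(checks)
    return (
        "function FindProxyForURL(url, host)\n"
        "{\n"
        "    var resolved_ip = dnsResolve(host);\n"
        f"    if ({condition})\n"
        "    {\n"
        '        return "DIRECT";\n'
        "    }\n"
        f'    return "PROXY {proxy}";\n'
        "}\n"
    )


if __name__ == "__main__":
    ranges = parse_ranges(SAMPLE_XML)
    # In the real script these two outputs are written to the two files the post mentions.
    print("\n".join(firewall_commands(ranges)))
    print(pac_file(ranges))
```

Because both outputs come from the same parsed list, a host that the PAC sends DIRECT is guaranteed to match an address the firewall allows on TCP 80 and 443, and anything Microsoft adds to the XML later shows up in both files on the next run.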

You can push out proxy settings using Group Policy.

While this isn't ideal (you can't monitor how much traffic users send to and from Office 365, since it bypasses the proxy), you can at least keep tabs on the rest of Internet usage.