
Anybody seeing issues with XG17 causing the Outlook desktop client to lose "sync" with Office 365?

We've started seeing issues in the last month or so with the Outlook desktop client losing sync with Office 365: it will just stop syncing the cached mailbox. No errors, and it will say all folders are up to date. It takes restarting Outlook for it to get back in sync, and it will stay synced for a random period of time, after which it will stop syncing again.

I'm thinking the issue is linked to the upgrade from XG16 to XG17 that happened around the same time. I waited until MR3 to upgrade to XG17. I did the MR5 upgrade to see if that would help, but it doesn't appear so.



  • XG has always caused some kind of connectivity issues with Office 365 and Windows Update. I've been waiting for Sophos to add a method to use XML files or web DBs of URLs & IP CIDRs as firewall-rule destinations. I managed to import a list of URLs I created from an XML file from MS, but it's only a web filter category, so it's not ideal as it's still hitting the web proxy. We need to import CIDRs to create hosts / host groups, or use XML files from URLs, so firewall rules can use these as destinations and then set the filters & AV to none.

    MS are updating the list of URLs & IPs all the time, so the best way would be to pull from a web DB.

    JK

  • May I ask how you were able to import the XML file? I am trying to import an XML of web exceptions but I keep getting an error stating that it only accepts .TAR files, even though the file I am trying to import is a .tar. I have exported and tried editing directly in 7-Zip but that doesn't work either.

  • In short, I wasn't able to. Have you seen the Outlook_url.zip someone posted in this thread?

    I used that and modified it so they were just the domain names, then created a new Web Filter category and imported the TXT file there. It allows you to create web exceptions based on them but doesn't work for FQDN hosts for FW rules, which is what I'm still stuck on.

    JK

    Below is the modified list:

    3652.OUTLOOK_URLS_Modified.zip

  • https://community.sophos.com/products/xg-firewall/f/web-protection/102231/communication-with-office-365-products/372676#372676

    Here is a link to someone who seems to have done so. I am not sure how, because I followed the steps he outlined.

  • Yeah, I see that post, but what it doesn't tell you is how to use the XG API to import it. I've contacted Sophos support about it too and they said presently there wasn't a way to import a list of FQDN hosts, only Web Filter URLs.

    At the moment I've set up a rule for HTTP & HTTPS traffic to *.office365.com, *.office.com & *.outlook.com and didn't set any AV scanning, web filtering, app filtering or IPS on it. Seems to have helped a touch. See, MS have long lists of FQDNs, don't they, which are always changing, so ideally we need a feature to set up FW rules to a web DB of FQDN / CIDR hosts as destinations.

    It's a big problem for such an app as Outlook.

    JK

  • Sorry, just realised that one is for web filters again, which I was able to set up exceptions for using the list I mentioned, by adding it as a web category and then creating a web exception for that category.

    Web filter exceptions don't seem to help the issue, which is why I have a FW rule bypassing any filtering at all now. But I know I'm missing some FQDN hosts; it would take hours to input an XML list from MS into XG as FQDN hosts.

    JK

  • It worked. Finally; I must have had something incorrect in my original XML file.

  • Let me know if web filter exceptions work for you then; they didn't for me. The only thing that helped was a FW rule with no filtering at all, as I mentioned.

    Anyway, I'd be interested to know.

    Now you know your way around the API, try it for FQDN hosts and let me know if it works.

    JK

  • I have a couple of troubled users in my network, so I should know by the end of the day. I will keep you posted. I also have the firewall rule set up and that didn't work. I am hopeful that these exceptions work.

  • But did your rule have all the FQDNs / URLs as the destinations, though?

  • Hi All

    Below is an extract of what I received from GES:

    Office 365 traffic is legitimate traffic, so it is generally safe to bypass that traffic from AV scanning done on the XG firewall.
    With AV scanning applied on the firewall rule, it is possible that the Outlook server will not be able to validate the XG firewall's SSL certificate; in that case we recommend adding an exception for the Office 365 domains.


    To bypass Office 365 traffic from AV scanning we generally recommend creating a LAN to WAN destination-based plain FQDN rule for the domains to which the Outlook client is making connections. This should be in the top position with no scanning applied and no policy applied except the default NAT policy (i.e. MASQ); source: any, service: any, destination: FQDN host group.


    An API feature is available in the XG firewall to create FQDN hosts and an FQDN host group for the Office 365 domains.

    1) Refer to the API query below to create multiple FQDN hosts with a single API query. Here you can add <FQDNHost></FQDNHost> tags, as shown below, for the remaining O365 domains before the </Set> tag.

    https://<Sophos IP>:<port>/webconsole/APIController?reqxml=<Request><Login><UserName>admin</UserName><Password>admin</Password></Login>
    <Set Operation="add">
    <FQDNHost><Name>*.aadrm.com</Name><FQDN>*.aadrm.com</FQDN></FQDNHost>
    <FQDNHost><Name>*.activedirectory.windowsazure.com</Name><FQDN>*.activedirectory.windowsazure.com</FQDN></FQDNHost>
    <FQDNHost><Name>*.adhybridhealth.azure.com</Name><FQDN>*.adhybridhealth.azure.com</FQDN></FQDNHost>
    <FQDNHost><Name>*.azurerms.com</Name><FQDN>*.azurerms.com</FQDN></FQDNHost>
    </Set>
    </Request>

    2) Refer to the API query below to add the multiple FQDN hosts created in step 1) to one FQDN host group (named, e.g., O365_domains).

    https://<Sophos IP>:<port>/webconsole/APIController?reqxml=<Request><Login><UserName>admin</UserName><Password>admin</Password></Login>
    <Set Operation="add">
    <FQDNHostGroup>
    <Name>O365_domains</Name>
    <FQDNHostList>
    <FQDNHost>*.aadrm.com</FQDNHost>
    <FQDNHost>*.activedirectory.windowsazure.com</FQDNHost>
    <FQDNHost>*.adhybridhealth.azure.com</FQDNHost>
    </FQDNHostList>
    </FQDNHostGroup>
    </Set>
    </Request>

    3) Now you can use the FQDN host group O365_domains created in step 2) as the destination in a LAN to WAN plain firewall rule.

    What they don't tell you is that there are challenges importing the FQDN objects due to the sheer number of them (if you use the full MS list, which we are testing). You can overcome it using curl.

    Despite the result I am not convinced this is a real solution. It's a band-aid. The fact is MS will always be changing, and it's simply not practical to make these changes manually.
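The two API steps above and the volume problem raised after them, as an added example that is not code from the thread, from Sophos support or from Sophos: it builds the same `<Request>` XML with ElementTree, splits the host list into batches so a full MS list does not go in one request, and sends it by POST with the credentials in the body rather than the query string. Assumptions are mine: that the `reqxml` POST form is accepted alongside the GET form quoted above, the `api_url` (the `https://<Sophos IP>:<port>/webconsole/APIController` address from the post), the `cafile` argument, and the sample domain list.

```python
"""Build the XG APIController requests from the support procedure above:
FQDN hosts in batches (step 1) and one FQDN host group (step 2)."""
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample input: wildcard domains quoted elsewhere in this thread.
SAMPLE_DOMAINS = ["*.office.com", "*.office365.com", "*.outlook.com",
                  "*.microsoftonline.com", "*.sharepointonline.com"]

def _login_request(username, password):
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "UserName").text = username
    ET.SubElement(login, "Password").text = password
    return req

def fqdn_host_requests(domains, username, password, batch=50):
    """Step 1: one <Set Operation="add"> per batch of <FQDNHost> elements, so a
    full MS list is split into several requests. ElementTree escapes text, so
    a stray '<' in a domain cannot break the request as string pasting would."""
    docs = []
    for i in range(0, len(domains), batch):
        req = _login_request(username, password)
        op = ET.SubElement(req, "Set", Operation="add")
        for d in domains[i:i + batch]:
            host = ET.SubElement(op, "FQDNHost")
            ET.SubElement(host, "Name").text = d
            ET.SubElement(host, "FQDN").text = d
        docs.append(ET.tostring(req, encoding="unicode"))
    return docs

def fqdn_group_request(group, domains, username, password):
    """Step 2: put every created host into one FQDNHostGroup."""
    req = _login_request(username, password)
    op = ET.SubElement(req, "Set", Operation="add")
    grp = ET.SubElement(op, "FQDNHostGroup")
    ET.SubElement(grp, "Name").text = group
    lst = ET.SubElement(grp, "FQDNHostList")
    for d in domains:
        ET.SubElement(lst, "FQDNHost").text = d
    return ET.tostring(req, encoding="unicode")

def send(api_url, reqxml, cafile):
    """POST reqxml as a form field (assumed accepted alongside the GET form above)
    so the admin password stays out of URL/proxy logs; verify the console cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = urlencode({"reqxml": reqxml}).encode()
    with urlopen(Request(api_url, data=data), context=ctx, timeout=30) as resp:
        return resp.read().decode()
```

Feed the group request only after every host batch has returned a success status, since the group references hosts by name.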

  • Great, just what I've been looking for!!! You're a star. Sophos support, well, the web chat tech support agent, said it couldn't be done. I did tell him I've seen it mentioned before but I wasn't able to find the specifics.

    Anyway, I'll get on that now.

  • I have created a feature request for this problem of FQDN lists; we need a way to import FQDN lists from files and web DBs like we can with Web Filter URLs.

    Hopefully they will add this ASAP. As we both mentioned, MS lists are always changing, and recently they have changed the lists completely.

    https://techcommunity.microsoft.com/t5/Office-365-Blog/Announcing-Office-365-endpoint-categories-and-Office-365-IP/ba-p/177638

    JK

  • I had a customer run into this issue. The rule set did NOT have ANY filtering or scanning on it. It was driving the customer nuts. They are an HR outfit and they were missing critical employee emails because of the issue, which is not good when your reason for being in business is to answer those emails! I went back and forth trying to trace down the issue to no avail. They had a complete city-block power outage that ran the UPSs out and shut down the firewalls for about 5-10 minutes. It came back up and everything is good now. This is deeper than an exemption list.

    Internally we had the MS Update issue that drove our engineer nuts for about 2 days until he finally figured out that it was a FW issue. He put in the exemptions for MS Updates and that did fix that issue. And this was fixed in the last FW update.

    So while it may seem to be the same issue, it is really two different issues.

  • To add some context to this post that Adam has shared:

    This information was provided by our support to assist with Adam's specific support case and issue. Use the information above at your own discretion. If you have any questions regarding the information and suggestions, I would advise contacting support for further clarification and confirmation.

    Regards,

    Flo

  • Hi All

    Below is the update received today (after we had a productive meeting with our appointed Sophos Sales Engineer). We have conveyed some concerns with the blanket approach; however, as the email suggests, it's interim whilst the issue is raised with product management. In our eyes this issue goes well beyond just the initial "support" help (we have a problem...) and is more for the development / product management teams to factor in a simple yet manageable solution for products such as Office 365.

    Cheers

    Adam



    Sent: Wednesday, 23 May 2018 5:26 PM
    Subject: Office 365 domains

     

    Hello Adam, Garth

    Following on from our call on Monday, this is the list of domains used by our Pro Services in Office 365 environments, derived from the Microsoft article. I suspect that there is much on this list that doesn't actually need to be there for our bypass purposes.

     

    *.cloudappsecurity.com
    *.onmicrosoft.com
    *.office.net
    *.office.com
    *.office365.com
    *.microsoft.com
    *.microsoftonline.com
    *.live.com
    *.azure.net
    *.msecnd.net
    *.windows.net
    *.windowsazure.com
    *.sharepointonline.com
    *.visualstudio.com
    *.cloudapp.net
    *.azureedge.net

    I have attached a tarred XML file that you can import. You will find an FQDN group that I called "Office 365 Domains". You can add an Office 365 rule as an allowed exception at the top or near the top of your firewall rules. Your rule would look something like this:

    You can import the XML by going to Backup & Firmware -> Import Export. In my experience, using import/export can impact performance, particularly on the smaller units, so I wouldn't import it on a live system. The log viewer "admin" view will show the success of the import.

    As discussed, this is to help in the near term. I'll let you know of any feedback I get from our product management...

    Regards

  • I want to note that I have now imported the full list of 230+ FQDNs from the list circulating around here, and it did NOT resolve the issue. My clients are still reporting the sync issue. I have a ticket with support but I am still fighting my way up the escalation ladder.

    It seems the approach of adding the massive FQDN list is to just throw everything at it and hope something works. This is disappointing, to say the least.

  • Joe,

    Care to share how you have this set up? I am curious, as so far across many sites we are now functioning. (Note: we are still slowly progressing our changes through the rest.)

    I am sure many here are happy to assist.

    Cheers

    Adam