Excel Timeouts in SharePoint and Office 365

Hi

I have a Sophos XG 125. Users in the office experience a lot of timeouts and sluggish behavior when using online Excel documents, more so those on SharePoint. I have included the required exemptions as per the link below, but the problem persists. Users who are working from home do not experience this issue, so it has to be something in the office premises network. Kindly help in troubleshooting this.

support.sophos.com/.../KB-000038173



This thread was automatically locked due to age.
  • The Sophos template is outdated (May) and they do not publish updates to the list as soon as MS is changing things. You may need to add/remove some URLs and IP ranges in the exceptions.

    Compare with the list here: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

    What did you import?

    • API-O365-all.tar – this is a comprehensive set of 108 exceptions, every web URL that Microsoft lists
    • API-O365-required.tar – this is a subset of 50 exceptions corresponding to the groups that Microsoft says are ‘required’
    • API-O365-minimal.tar – this is a subset of 10 exceptions that correspond to the groups Microsoft says are

    To debug: recreate the issue with one user, check the log viewer and look for requests without filtering exceptions, as already posted here shortly: community.sophos.com/.../skype-chat

    Then evaluate if those requests belong to O365 and update exceptions accordingly.

  • Sorry for the delay, I'll review the exceptions and revert here.

  • I imported API-O365-all.tar but only enabled all the URLs with SharePoint and all the URLs marked as required.

  • I've added all the relevant SharePoint and Office Online links as per the Microsoft link, and even went ahead to create a new rule just for these links and exempt them from certain profile checks. Now the issue has shifted from being permanent to being intermittent, which is worse in my opinion. One day everyone is cool, the next day everyone is raising issues.

  • Hi, you need to narrow it down by checking the logs:

    1. Firewall: anything blocked on the VoIP ports used by MSO365 programs? (probably not used by Excel and SharePoint)

    2. Firewall: blocked packets to Microsoft servers from the endpoints during times of app hang? Check the IP and which IP range from the MSO365 site it belongs to.

    3. IPS: anything like UDP flood blocked in IPS logs? Also check this on any other upstream firewall if there is one.

    4. Webfilter or DPI: check all URLs the clients are accessing during the time of the app hang. Do they belong to MSO365? Check with any mentioned here. ALL of these requests may not be proxied or DPI/SSL scanned. You need webfilter exceptions for all of them.

    No exceptions? Fail.

    Check your MSO Exception lists.

    Example1: fail

    Example2: fail

    Also note a recent huge change from Microsoft on the URL lists :-/

  • Hi

    The one URL that's constant when working with Excel is https://cac-excel.officeapps.live.com. Every request begins with this, and they are very lengthy and complex URLs. Just a copy and paste generates almost 10 URL requests. Scrolling up and down generates multiple requests as well, but they begin with the above URL.

  • And is it excluded when you review the logs?

    What does your exception rule look like for this? And the corresponding firewall rule? You could start posting some logs or screenshots.

  • I'm analyzing the traffic using developer tools in the browser (all users are on Chrome). From the developer tools, when this URL https://cac-excel.officeapps.live.com is generated, most traffic is OK (200). Some of it is delayed and highlighted as pending, and this is what causes issues for my users. Some traffic remains pending for long and is eventually highlighted red, indicating some sort of 404. My guess is that this is because the traffic times out. Now, all this is in Chrome developer tools.

    Let's come back to Sophos: the exceptions in your screenshot are exempted as ^([A-Za-z0-9.-]*\.)?officeapps.live\.com\.?/ and ^([A-Za-z0-9.-]*\.)?online.office\.com\.?/ among other relevant Microsoft URLs. On my firewall rules, traffic to *.officeapps.live.com and other Microsoft services has its own rule, which is active as I can see lots of GBs going through it. When I go to the logs, all traffic using this rule is allowed; nothing seems to be blocked in the log viewer, unless there are other ways to check.

  • You should not look for blocked packets; you need to be sure they are caught by proxy/scanning exceptions. See my previous posts.

    This is an example of the required web exception:

      <WebFilterException transactionid="">
        <Name>O365 - 46 (Common - Allow)</Name>
        <Desc>ID: 46 - Allow - Microsoft 365 Common and Office Online (Required)</Desc>
        <NewName>O365 - 46 (Common - Allow)</NewName>
        <Enabled>on</Enabled>
        <HttpsDecrypt>on</HttpsDecrypt>
        <CertValidation>on</CertValidation>
        <VirusScan>on</VirusScan>
        <Sandstorm>on</Sandstorm>
        <PolicyCheck>on</PolicyCheck>
        <EnableSrcIP>no</EnableSrcIP>
        <EnableDstIP>yes</EnableDstIP>
        <EnableURLRegex>yes</EnableURLRegex>
        <EnableWebCat>no</EnableWebCat>
        <IsDefault>no</IsDefault>
        <DomainList>
          <DstIp>13.107.6.171</DstIp>
          <DstIp>13.107.18.15</DstIp>
          <DstIp>13.107.140.6</DstIp>
          <DstIp>52.108.0.0/14</DstIp>
          <DstIp>52.238.106.116</DstIp>
          <DstIp>52.244.37.168</DstIp>
          <DstIp>52.244.203.72</DstIp>
          <DstIp>52.244.207.172</DstIp>
          <DstIp>52.244.223.198</DstIp>
          <DstIp>52.247.150.191</DstIp>
          <DstIp>2603:1010:2::cb</DstIp>
          <DstIp>2603:1010:200::c7</DstIp>
          <DstIp>2603:1020:200::682f:a0fd</DstIp>
          <DstIp>2603:1020:201:9::c6</DstIp>
          <DstIp>2603:1020:600::a1</DstIp>
          <DstIp>2603:1020:700::a2</DstIp>
          <DstIp>2603:1020:800:2::6</DstIp>
          <DstIp>2603:1020:900::8</DstIp>
          <DstIp>2603:1030:7::749</DstIp>
          <DstIp>2603:1030:800:5::bfee:ad3c</DstIp>
          <DstIp>2603:1030:f00::17</DstIp>
          <DstIp>2603:1030:1000::21a</DstIp>
          <DstIp>2603:1040:200::4f3</DstIp>
          <DstIp>2603:1040:401::762</DstIp>
          <DstIp>2603:1040:601::60f</DstIp>
          <DstIp>2603:1040:a01::1e</DstIp>
          <DstIp>2603:1040:c01::28</DstIp>
          <DstIp>2603:1040:e00:1::2f</DstIp>
          <DstIp>2603:1040:f00::1f</DstIp>
          <DstIp>2603:1050:1::cd</DstIp>
          <DstIp>2620:1ec:c::15</DstIp>
          <DstIp>2620:1ec:8fc::6</DstIp>
          <DstIp>2620:1ec:a92::171</DstIp>
          <DstIp>2a01:111:f100:2000::a83e:3019</DstIp>
          <DstIp>2a01:111:f100:2002::8975:2d79</DstIp>
          <DstIp>2a01:111:f100:2002::8975:2da8</DstIp>
          <DstIp>2a01:111:f100:7000::6fdd:6cd5</DstIp>
          <DstIp>2a01:111:f100:a004::bfeb:88cf</DstIp>
          <URLRegex>^([a-zA-Z0-9.-]*\.)?officeapps\.live\.com\/</URLRegex>
          <URLRegex>^([a-zA-Z0-9.-]*\.)?online\.office\.com\/</URLRegex>
          <URLRegex>^office\.live\.com\/</URLRegex>
        </DomainList>
      </WebFilterException>

    Working exception example:

    Post the FW rule that matches the traffic and show the settings for:

    Security features / Web filtering
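
Added example (not part of the original posts, and not Sophos code): a small Python check that loads the URLRegex and DstIp entries from an exception in the XML format shown above and reports, for each request taken from the log viewer or the browser developer tools, whether its URL and its destination IP are matched. It assumes the patterns are applied to host plus path with the scheme stripped, reports the two criteria separately because the thread does not say how the firewall combines them, and uses a trimmed copy of the exception with constructed sample requests.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Trimmed copy of the exception posted above (only three DstIp entries kept).
EXCEPTION_XML = r"""<WebFilterException transactionid="">
  <Name>O365 - 46 (Common - Allow)</Name>
  <DomainList>
    <DstIp>13.107.6.171</DstIp>
    <DstIp>52.108.0.0/14</DstIp>
    <DstIp>2620:1ec:c::15</DstIp>
    <URLRegex>^([a-zA-Z0-9.-]*\.)?officeapps\.live\.com\/</URLRegex>
    <URLRegex>^([a-zA-Z0-9.-]*\.)?online\.office\.com\/</URLRegex>
    <URLRegex>^office\.live\.com\/</URLRegex>
  </DomainList>
</WebFilterException>"""

# Constructed sample requests: (URL, destination IP) as read from the logs.
SAMPLE_REQUESTS = [
    ("https://cac-excel.officeapps.live.com/x/constructed/path", "52.109.1.10"),
    ("https://contoso.sharepoint.com/sites/finance/book.xlsx", "203.0.113.20"),
    ("https://officeapps.live.com.example.net/x", "198.51.100.7"),
    ("https://static.example.org/app.js", "52.108.4.4"),
]

def load_exception(xml_text):
    """Return (compiled URL regexes, destination networks) of one exception."""
    root = ET.fromstring(xml_text)
    regexes = [re.compile(e.text.strip()) for e in root.iter("URLRegex")]
    nets = [ipaddress.ip_network(e.text.strip(), strict=False)
            for e in root.iter("DstIp")]
    return regexes, nets

def coverage(url, dst_ip, regexes, nets):
    """Return (url_matched, ip_matched) for a single request."""
    parts = urlsplit(url)
    # Assumption: patterns see host + path, without the scheme or port.
    target = (parts.hostname or "") + (parts.path or "/")
    ip = ipaddress.ip_address(dst_ip)
    return (any(r.search(target) for r in regexes),
            any(ip.version == n.version and ip in n for n in nets))

def unmatched(requests, regexes, nets):
    """Requests that match neither a URL regex nor a DstIp entry."""
    return [r for r in requests if not any(coverage(*r, regexes, nets))]

if __name__ == "__main__":
    rx, nets = load_exception(EXCEPTION_XML)
    for url, ip in SAMPLE_REQUESTS:
        print(coverage(url, ip, rx, nets), url, ip)
```

Requests returned by `unmatched` are the ones to compare against the Microsoft endpoint list before adding further exceptions; the third sample shows that the trailing `\/` in the patterns keeps a look-alike host from matching.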

  • Here is my exception list. It has many more URLs, but I do not know how to generate an XML file as you have done.