For years CISCO had 'validated designs' to cover 'all' circumstances, but they have avoided this one completely (as far as I can tell)
TBH I have been looking for 'proper / serious' recommendations on this from CISCO for some time, and do not think that community written scripts with no CISCO support is an acceptable answer.
This is a common problem, where MSOFT seem to have set the O365 access policy in direct contravention of many corporate security policies (they are assuming everyone is SME or SOHO).
Cisco Firewalls are not great for allowing the MSoft traffic, some Firewall vendors actually integrate into the MSoft URLs list themselves and provide objects that are auto updated CISCO seem to recommend using 3rd scripts on the FMC / FTD, and they don't provide support for this.
You need to check your proxy service and the wording on the MSoft web sites for Optimise.
MSoft give different answers when you quiz them about this:
1. Proxy traffic, with no SSL offload or AV scanning (many proxy vendors integrate with MSoft URLs and have a 'bypass' function - does this count as 'bypass?' they then mention the number of long lived connections that proxies are not 'design for', so they never have resolution only more problems.
2. MSoft also require that no more than a specific number (I think about 3k) connections are NAT'ed behind a single IP address (so a large corporate that NATs all users behind a single IP on the Firewall will have problems).
3. IP Routing on your internal Network is another issue. One comment above states they have setup ID 11 only on the Firewall. We have something similar (to allow VOIP direct only) - but do not have a default route to the FWall (to avoid the Fwall getting swamped), and as such IP routes for the subnets in id 11 directing to the Fwall are also needed - again no automation for that really - but then ID 11 doesn't change much.
I agree that "Most organizations' firewall rules allow outbound Internet traffic by default" but as a personal opinion this is bad practice and only really applies to SOHO / SMEs - and is why many orgs get hit with zero day Malware, that can find an egress to WWWLand.
The only device that needs a default route to the Internet is the proxy service that gives access to 'other' WWWLand resources (see below).
Multiple virtual proxy clusters is a valid strategy -
1 for MSoft stuff (with MSoft bypass applied) (see comment about number of users behind a single NAT - where you can apply QoS on your Network for this traffic
2. For High priority systems (Cloud Services with mission criticality - Finance or CRM - again QoS could be applied)
3. Known / registered WWWLand resources (Business systems that are known but not 'mission critical)
4. 'Other' WWWLand resources - where this cluster could have bandwidth limitation policies applied on the WWWLand connection (to stop streaming world cup / cricket from swamping the business services).
Use a proxy.pac file to direct the users to the correct proxy.
So in short for O365 to work correctly - Automation is required for
- Firewall Rules (URLs and/or IPs)
- IP routing on the Internal Network
- Proxy.pac file updates
MSoft do try and help towards the proxy.pac - but leave the Fwall and routing to other vendors.
On an another but related tack - I also recommend that Networks adopt a default route that points to an anomaly detection system in the Data Centre centrally - then any Malware traffic that assumes a default route to WWWLand will exist is thwarted / detected.
