12-10-2018 05:20 AM
We have an S600v running 11.5.1-124. All of a sudden we've had some calls where Microsoft Office (Word, Excel, Outlook) are asking to activate. The users do have an account with o365 for the sole purpose of registering the apps to their computer. They have been activated months or maybe a year ago in some cases but for some reason the apps are starting to ask again.
No matter what they do with internet activation, it just goes back to the first screen again, asking to activate. If we temporarily put their computer IP address in the proxy bypass list in the S600v, then they can complete activation. Once this is done we can take them out of Proxy bypass.
What can we do to automatically trust the Microsoft servers with our http and https filtering? Apparently they change IP addresses so often they have a URL web service that publishes Office 365 endpoints. It's a REST-based web service for all IP and FQDN entries. Details are here: https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service How can I get this list integrated in the S600v so that no further Office activations are blocked? We would like to avoid these types of calls, and the added legwork of pinging their machine to get their IP address and putting it into the webfilter proxy bypass and saving, committing, confirming, times 200 machines.
Thanks!
12-10-2018 06:20 AM
12-10-2018 09:33 AM
Here's my list that I put in a category that doesn't require auth or decryption:
.apps.microsoft.com
.delivery.mp.microsoft.com
.download.windowsupdate.com
.update.microsoft.com
.windowsupdate.com
.ws.microsoft.com
apps.microsoft.com
aq.v4.a.dl.ws.microsoft.com
crl.microsoft.com
login.microsoftonline.com
watson.telemetry.microsoft.com
The cert that the WSA is missing is titled "Microsoft Root Certificate Authority 2011"
12-12-2018 10:27 AM
Well Ken, I'm not sure if I can say this is resolved but so far the activation prompt came up on another user's machine and I was able to walk them through it successfully.
We have a list similar to yours but it was not applied to bypass decryption. Quite possibly it was being decrypted (by default) and used our domain CA cert as a man in the middle. Perhaps Microsoft did not like that.
I'm wondering if that was the issue as I only had one test so far. For whatever reason people are slowly being asked to re-activate Office again. I guess that's untrusting Microsoft being Orwellian again.
12-12-2018 10:36 AM
I did not realize when you go to custom url categories and hit add new, you had a radio button for Office 365 live feed!
I was just editing existing categories and since the UI does not have this radio button, I had no idea it was even an option.
So I created this Office365LiveFeed category and it did update from Microsoft! I edited it to update every 12 hours. I applied it to the decryption policies and set it to pass through. Then for Identity, I put it in our top entry as a category which is exempt from authentication. If that wasn't enough, in Access policy I put it in our Global Policy as allow. I removed my manual Office365 list from all of the above, as to not confuse it. So hopefully fingers crossed, this stuff just works.
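
An added example, not part of any post in this thread: a Python script that converts JSON in the shape published by the Office 365 endpoints web service (linked in the first post) into leading-dot entries like the manual list above, and flags wildcard patterns that cannot be written that way. The sample feed is constructed, the function name is hypothetical, and reading a leading-dot entry as "all subdomains" is an assumption taken from that list.

```python
import json

# Constructed sample in the shape of the JSON the endpoints web service returns
# (a list of endpoint sets with "urls", "ips", "required"). Values are illustrative.
SAMPLE_FEED = json.loads("""
[
  {"id": 1, "serviceArea": "Common", "required": true,
   "urls": ["login.microsoftonline.com", "*.microsoftonline.com"],
   "ips": ["192.0.2.0/24"]},
  {"id": 2, "serviceArea": "Common", "required": true,
   "urls": ["*.apps.microsoft.com", "apps.microsoft.com", "crl.microsoft.com"]},
  {"id": 3, "serviceArea": "SharePoint", "required": true,
   "urls": ["*-files.example.com"]},
  {"id": 4, "serviceArea": "Common", "required": false,
   "urls": ["optional.example.com"]},
  {"id": 5, "serviceArea": "Exchange", "required": true,
   "ips": ["198.51.100.0/24"]}
]
""")


def to_category_entries(feed, required_only=True):
    """Convert feed FQDNs into leading-dot style entries (hypothetical helper).

    Returns (entries, unsupported). unsupported holds patterns whose wildcard
    is not a leading "*." and so cannot be written as a plain domain entry.
    """
    entries, unsupported = set(), set()
    for endpoint_set in feed:
        if required_only and not endpoint_set.get("required", False):
            continue
        for url in endpoint_set.get("urls", []):  # IP-only sets have no "urls"
            host = url.strip().lower()
            entry = host[1:] if host.startswith("*.") else host
            if "*" in entry:
                unsupported.add(host)  # passing these through needs manual review
            else:
                entries.add(entry)
    dotted = [e for e in entries if e.startswith(".")]
    # Drop entries already covered by a broader leading-dot entry. The bare
    # domain is kept beside its dotted form, as in the manual list above.
    kept = {e for e in entries
            if not any(e != d and e.endswith(d) for d in dotted)}
    return sorted(kept), sorted(unsupported)


if __name__ == "__main__":
    entries, unsupported = to_category_entries(SAMPLE_FEED)
    print("\n".join(entries))
    for pattern in unsupported:
        print("needs manual review:", pattern)
```

Every entry placed in a decryption pass-through category is traffic the proxy no longer inspects, so the flagged patterns are worth reviewing by hand rather than widening to the parent domain.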