keithsauer507
Contributor

How to allow Office 365 program activation through S600v on 11.5.1-124

We have an S600v running 11.5.1-124.  All of a sudden we've had some calls where Microsoft Office (Word, Excel, Outlook) are asking to activate.  The users do have an account with o365 for the sole purpose of registering the apps to their computer.  They have been activated months or maybe a year ago in some cases but for some reason the apps are starting to ask again.

 

No matter what they do with internet activation, it just goes back to the first screen again, asking to activate.  If we temporarily put their computer IP address in the proxy bypass list in the S600v, then they can complete activation.  Once this is done we can take them out of Proxy bypass.

 

What can we do to automatically trust the Microsoft servers with our http and https filtering?  Apparently they change IP addresses so often they have a URL web service that publishes Office 365 endpoints.  It's a REST-based web service for all IP and FQDN entries.  Details are here: https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service  How can I get this list integrated in the S600v so that no further Office activations are blocked?  We would like to avoid these types of calls, and the added legwork of pinging their machine to get their IP address and putting it into the webfilter proxy bypass and saving, committing, confirming, times 200 machines.

 

Thanks!

4 REPLIES
Ken Stieers
Engager

I have a list of sites we put in a custom category that is set to not require authentication and also set to not require decryption. I will post it here in a couple of hours.

Also, while running the beta for 11.7, we ran into an issue with one of the root certs that MS is using not being trusted. And this was specifically Office activation (though not O365). So tail the access log for a specific IP and try to activate Office and see if it's having decryption issues.

And finally, there's an option in the creation of a custom category to point the WSA at the MS endpoint to download the list. 11.5 can make the api call, not just the older XML download.

Here's my list that I put in a category that doesn't require auth or decryption:

 

.apps.microsoft.com
.delivery.mp.microsoft.com

.download.windowsupdate.com
.update.microsoft.com
.windowsupdate.com
.ws.microsoft.com
apps.microsoft.com
aq.v4.a.dl.ws.microsoft.com
crl.microsoft.com
login.microsoftonline.com
watson.telemetry.microsoft.com

 

The cert that the WSA is missing is titled "Microsoft Root Certificate Authority 2011"

 

Well Ken, I'm not sure if I can say this is resolved but so far the activation prompt came up on another user's machine and I was able to walk them through it successfully.

 

We have a list similar to yours but it was not applied to bypass decryption.  Quite possibly it was being decrypted (by default) and used our domain ca cert as a man in the middle.  Perhaps Microsoft did not like that.

 

I'm wondering if that was the issue as I only had one test so far.  For whatever reason people are slowly being asked to re-activate Office again.  I guess that's untrusting Microsoft being Orwellian again.

I did not realize when you go to custom url categories and hit add new, you had a radio button for Office 365 live feed!

 

I was just editing existing categories and since the UI does not have this radio button, I had no idea it was even an option.

 

So I created this Office365LiveFeed category and it did update from Microsoft!  I edited it to update every 12 hours.  I applied it to the decryption policies and set it to pass through.  Then for Identity, I put it in our top entry as a category which is exempt from authentication.  If that wasn't enough, in Access policy I put it in our Global Policy as allow.  I removed my manual Office365 list from all of the above, as to not confuse it.  So hopefully fingers crossed, this stuff just works.
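
Added example (not from any poster in this thread, and not Cisco or Microsoft code): a way to review what a feed-driven category would exempt from decryption and authentication before trusting it. It parses JSON in the shape published by the Office 365 endpoint web service (fields `id`, `serviceArea`, `urls`, `ips`, `category`, `required`) and emits entries in the leading-dot form used in the manual list above. The hostnames are constructed, the function names are hypothetical, and treating a leading dot as "all subdomains" is an assumption taken from that list.

```python
import json

# Constructed sample shaped like the endpoint web service's JSON; not real data.
SAMPLE = json.loads("""
[
 {"id": 1, "serviceArea": "Common", "category": "Allow", "required": true,
  "urls": ["*.example-office.test", "login.example-office.test"]},
 {"id": 2, "serviceArea": "Common", "category": "Default", "required": false,
  "urls": ["*.example-cdn.test"]},
 {"id": 3, "serviceArea": "Exchange", "category": "Allow", "required": true,
  "urls": ["autodiscover.*.example-tenant.test", "LOGIN.example-office.test"]},
 {"id": 4, "serviceArea": "Common", "category": "Optimize", "required": true,
  "ips": ["192.0.2.0/24"]}
]
""")


def to_category_entry(url):
    """Convert a feed hostname to leading-dot form; None if not expressible."""
    host = url.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[1:]          # "*.example.test" -> ".example.test"
    if "*" in host or not host.strip("."):
        return None              # wildcard elsewhere: needs manual review
    return host


def build_passthrough_list(endpoint_sets, categories=("Optimize", "Allow")):
    """Return (sorted entries, skipped) for required sets in `categories`."""
    entries, skipped = set(), []
    for es in endpoint_sets:
        if not es.get("required") or es.get("category") not in categories:
            continue             # keep the exemption as narrow as possible
        for url in es.get("urls", []):   # IP-only sets have no "urls" key
            entry = to_category_entry(url)
            if entry is None:
                skipped.append((es["id"], url))
            else:
                entries.add(entry)
    # Drop exact hosts already covered by a leading-dot (subdomain) entry.
    dotted = [e for e in entries if e.startswith(".")]
    kept = {e for e in entries
            if e.startswith(".") or not any(e.endswith(d) for d in dotted)}
    return sorted(kept), skipped


if __name__ == "__main__":
    print(build_passthrough_list(SAMPLE))
```

Anything returned in `skipped` has a wildcard that a simple domain entry cannot express, so it needs a manual decision rather than a silent broad match.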
