What domains need to be skipped in order for MS Teams and Outlook Thick Apps to work with Agent Proxy?
Created On 01/17/24 20:53 PM - Last Modified 01/17/24 21:10 PM
Question
What domains need to be skipped in order for MS Teams and Outlook Thick Apps to work with Agent Proxy?
Environment
- Prisma Access 4.0, 4.1, 4.2, 5.0
- Agent Proxy
Answer
Domain List
ccs.login.microsoftonline.com *.live.com *.auth.microsoft.com *.msftidentity.com *.msidentity.com account.activedirectory.windowsazure.com accounts.accesscontrol.windows.net adminwebservice.microsoftonline.com api.passwordreset.microsoftonline.com autologon.microsoftazuread-sso.com becws.microsoftonline.com *.azure.com *.msauth.net *.microsoftazuread-sso.com *.msftauth.net *.microsoft.com *.office.net *.notifications.skype.com *.microsoftonline.com *.outlook.com outlook.com outlook.office365.com
Additional Information
There are three options. In each sample PAC below, replace the placeholder values enclosed in < > before deploying.
Option 1: Sample PAC that bypasses the agent proxy (DIRECT) for these domains
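function FindProxyForURL(url, host) {
  // PAC files are executed by legacy script engines (WinHTTP/JScript, older
  // browsers), so this deliberately stays ES3: var, plain loops, no arrows.
  //
  // Option 1: M365 traffic for Teams/Outlook goes DIRECT (not through Agent
  // Proxy). Returns "DIRECT" for local/private destinations, FTP, the
  // GlobalProtect portal and gateways, the Prisma Access ACS domain and the
  // M365 domains; everything else returns "PROXY <Proxy FQDN>:8080".
  //
  // Replace every <...> placeholder before deploying. All match patterns are
  // lowercase and the host is lowercased first, so a mixed-case hostname from
  // the caller cannot miss (or accidentally escape) a bypass rule.
  var lowerHost = host.toLowerCase();

  // Plain hostnames and *.local are decided by name alone, so no DNS
  // lookup is spent on them.
  if (isPlainHostName(lowerHost) || shExpMatch(lowerHost, "*.local")) {
    return "DIRECT";
  }

  // Bypass private and loopback destinations. dnsResolve() returns null/false
  // when the name does not resolve; such a host is treated as not private and
  // falls through to the remaining rules instead of being passed to isInNet().
  // NOTE(review): 255.255.255.0 covers only 127.0.0.0/24; the full loopback
  // block is 127.0.0.0/8 (mask 255.0.0.0) - confirm which is intended.
  var resolvedIp = dnsResolve(lowerHost);
  if (resolvedIp &&
      (isInNet(resolvedIp, "10.0.0.0", "255.0.0.0") ||
       isInNet(resolvedIp, "172.16.0.0", "255.240.0.0") ||
       isInNet(resolvedIp, "192.168.0.0", "255.255.0.0") ||
       isInNet(resolvedIp, "127.0.0.0", "255.255.255.0"))) {
    return "DIRECT";
  }

  // Bypass FTP; the scheme is compared case-insensitively.
  if (url.substring(0, 4).toLowerCase() === "ftp:") {
    return "DIRECT";
  }

  // Bypass GlobalProtect Portal FQDN (enter the placeholder in lowercase).
  if (shExpMatch(lowerHost, "<Your Portal FQDN>")) {
    return "DIRECT";
  }

  // Bypass GlobalProtect Gateway FQDNs.
  if (shExpMatch(lowerHost, "*.gw.lab.gpcloudservice.com")) {
    return "DIRECT";
  }

  // Bypass ACS Domain for Authentication Purposes.
  if (shExpMatch(lowerHost, "*.prismaaccess.com")) {
    return "DIRECT";
  }

  // Bypass M365 Domains for Teams and Outlook. Anything matched here is not
  // seen by the proxy at all, so keep the list as narrow as the apps allow
  // and review it when it changes; the wildcard entries are broad.
  var m365Domains = [
    "ccs.login.microsoftonline.com",
    "*.live.com",
    "*.auth.microsoft.com",
    "*.msftidentity.com",
    "*.msidentity.com",
    "account.activedirectory.windowsazure.com",
    "accounts.accesscontrol.windows.net",
    "adminwebservice.microsoftonline.com",
    "api.passwordreset.microsoftonline.com",
    "autologon.microsoftazuread-sso.com",
    "becws.microsoftonline.com",
    "*.azure.com",
    "*.msauth.net",
    "*.microsoftazuread-sso.com",
    "*.msftauth.net",
    "*.microsoft.com",
    "*.office.net",
    "*.microsoftonline.com",
    "*.outlook.com",
    "outlook.com",
    "outlook.office365.com",
    "*.notifications.skype.com"
  ];
  for (var i = 0; i < m365Domains.length; i++) {
    if (shExpMatch(lowerHost, m365Domains[i])) {
      return "DIRECT";
    }
  }

  // Send everything else to the Proxy. Deliberately no "; DIRECT" fallback:
  // if the proxy is unreachable the request fails rather than silently
  // leaving the inspection path.
  return "PROXY <Proxy FQDN>:8080";
}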
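function FindProxyForURL(url, host) {
  // PAC files are executed by legacy script engines (WinHTTP/JScript, older
  // browsers), so this deliberately stays ES3: var, plain loops, no arrows.
  //
  // Option 2: M365 traffic for Teams/Outlook is sent to the tenant proxy FQDN
  // (see the nslookup output below this sample for how to find it) instead of
  // the generic proxy. Returns "DIRECT" for local/private destinations, FTP,
  // the GlobalProtect portal and gateways and the Prisma Access ACS domain;
  // "PROXY <Tenant FQDN-see below for details>:8080" for the M365 domains; and
  // "PROXY <Proxy FQDN>:8080" for everything else.
  //
  // Replace every <...> placeholder before deploying. All match patterns are
  // lowercase and the host is lowercased first, so a mixed-case hostname from
  // the caller cannot miss (or accidentally escape) a rule.
  var lowerHost = host.toLowerCase();

  // Plain hostnames and *.local are decided by name alone, so no DNS
  // lookup is spent on them.
  if (isPlainHostName(lowerHost) || shExpMatch(lowerHost, "*.local")) {
    return "DIRECT";
  }

  // Bypass private and loopback destinations. dnsResolve() returns null/false
  // when the name does not resolve; such a host is treated as not private and
  // falls through to the remaining rules instead of being passed to isInNet().
  // NOTE(review): 255.255.255.0 covers only 127.0.0.0/24; the full loopback
  // block is 127.0.0.0/8 (mask 255.0.0.0) - confirm which is intended.
  var resolvedIp = dnsResolve(lowerHost);
  if (resolvedIp &&
      (isInNet(resolvedIp, "10.0.0.0", "255.0.0.0") ||
       isInNet(resolvedIp, "172.16.0.0", "255.240.0.0") ||
       isInNet(resolvedIp, "192.168.0.0", "255.255.0.0") ||
       isInNet(resolvedIp, "127.0.0.0", "255.255.255.0"))) {
    return "DIRECT";
  }

  // Bypass FTP; the scheme is compared case-insensitively.
  if (url.substring(0, 4).toLowerCase() === "ftp:") {
    return "DIRECT";
  }

  // Bypass GlobalProtect Portal FQDN (enter the placeholder in lowercase).
  if (shExpMatch(lowerHost, "<Your Portal FQDN>")) {
    return "DIRECT";
  }

  // Bypass GlobalProtect Gateway FQDNs.
  if (shExpMatch(lowerHost, "*.gw.lab.gpcloudservice.com")) {
    return "DIRECT";
  }

  // Bypass ACS Domain for Authentication Purposes.
  if (shExpMatch(lowerHost, "*.prismaaccess.com")) {
    return "DIRECT";
  }

  // M365 Domains for Teams and Outlook go to the tenant proxy FQDN. Use the
  // tenant FQDN (the canonical name), not the customer alias, so the regional
  // GSLB CNAME chain is preserved. Review the list when it changes; the
  // wildcard entries are broad.
  var m365Domains = [
    "ccs.login.microsoftonline.com",
    "*.live.com",
    "*.auth.microsoft.com",
    "*.msftidentity.com",
    "*.msidentity.com",
    "account.activedirectory.windowsazure.com",
    "accounts.accesscontrol.windows.net",
    "adminwebservice.microsoftonline.com",
    "api.passwordreset.microsoftonline.com",
    "autologon.microsoftazuread-sso.com",
    "becws.microsoftonline.com",
    "*.azure.com",
    "*.msauth.net",
    "*.microsoftazuread-sso.com",
    "*.msftauth.net",
    "*.microsoft.com",
    "*.office.net",
    "*.microsoftonline.com",
    "*.outlook.com",
    "outlook.com",
    "outlook.office365.com",
    "*.notifications.skype.com"
  ];
  for (var i = 0; i < m365Domains.length; i++) {
    if (shExpMatch(lowerHost, m365Domains[i])) {
      return "PROXY <Tenant FQDN-see below for details>:8080";
    }
  }

  // Send everything else to the Proxy. Deliberately no "; DIRECT" fallback:
  // if the proxy is unreachable the request fails rather than silently
  // leaving the inspection path.
  return "PROXY <Proxy FQDN>:8080";
}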
Use the tenant FQDN (marked "< TENANT FQDN" in the nslookup output below) as the proxy host in Option 2.
~> nslookup nfcu.proxy.prismaaccess.com
Server: 10.47.98.1
Address: 10.47.98.1#53
Non-authoritative answer:
nfcu.proxy.prismaaccess.com canonical name = prisma-gpo22sysn5c5.proxy.prismaaccess.com. < TENANT FQDN
prisma-gpo22sysn5c5.proxy.prismaaccess.com canonical name = us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com.
Name: us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com
Address: 130.41.253.21
Resolving the tenant FQDN directly still returns the regional CNAME, so using it keeps GSLB in place.
~> nslookup prisma-gpo22sysn5c5.proxy.prismaaccess.com
Server: 10.47.98.1
Address: 10.47.98.1#53
Non-authoritative answer:
prisma-gpo22sysn5c5.proxy.prismaaccess.com canonical name = us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com.
Name: us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com
Address: 130.41.253.21
Option 3: Use Hybrid Mode and send this traffic through MU gateway
This option assumes the GlobalProtect tunnel is configured to carry traffic destined for these domains. The PAC below bypasses the proxy with a DIRECT action for them, so the tunnel transports that traffic instead.
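function FindProxyForURL(url, host) {
  // PAC files are executed by legacy script engines (WinHTTP/JScript, older
  // browsers), so this deliberately stays ES3: var, plain loops, no arrows.
  //
  // Option 3 (Hybrid Mode): M365 traffic for Teams/Outlook is returned as
  // DIRECT so the GlobalProtect tunnel, not the proxy, carries it. Returns
  // "DIRECT" for local/private destinations, FTP, the GlobalProtect portal and
  // gateways, the Prisma Access ACS domain and the M365 domains; everything
  // else returns "PROXY <Proxy FQDN>:8080".
  //
  // Replace every <...> placeholder before deploying. All match patterns are
  // lowercase and the host is lowercased first, so a mixed-case hostname from
  // the caller cannot miss (or accidentally escape) a bypass rule.
  var lowerHost = host.toLowerCase();

  // Plain hostnames and *.local are decided by name alone, so no DNS
  // lookup is spent on them.
  if (isPlainHostName(lowerHost) || shExpMatch(lowerHost, "*.local")) {
    return "DIRECT";
  }

  // Bypass private and loopback destinations. dnsResolve() returns null/false
  // when the name does not resolve; such a host is treated as not private and
  // falls through to the remaining rules instead of being passed to isInNet().
  // NOTE(review): 255.255.255.0 covers only 127.0.0.0/24; the full loopback
  // block is 127.0.0.0/8 (mask 255.0.0.0) - confirm which is intended.
  var resolvedIp = dnsResolve(lowerHost);
  if (resolvedIp &&
      (isInNet(resolvedIp, "10.0.0.0", "255.0.0.0") ||
       isInNet(resolvedIp, "172.16.0.0", "255.240.0.0") ||
       isInNet(resolvedIp, "192.168.0.0", "255.255.0.0") ||
       isInNet(resolvedIp, "127.0.0.0", "255.255.255.0"))) {
    return "DIRECT";
  }

  // Bypass FTP; the scheme is compared case-insensitively.
  if (url.substring(0, 4).toLowerCase() === "ftp:") {
    return "DIRECT";
  }

  // Bypass GlobalProtect Portal FQDN (enter the placeholder in lowercase).
  if (shExpMatch(lowerHost, "<Your Portal FQDN>")) {
    return "DIRECT";
  }

  // Bypass GlobalProtect Gateway FQDNs.
  if (shExpMatch(lowerHost, "*.gw.lab.gpcloudservice.com")) {
    return "DIRECT";
  }

  // Bypass ACS Domain for Authentication Purposes.
  if (shExpMatch(lowerHost, "*.prismaaccess.com")) {
    return "DIRECT";
  }

  // Bypass M365 Domains for Teams and Outlook: DIRECT here means "hand it to
  // the GlobalProtect tunnel". The proxy never sees these flows, so the tunnel
  // side must be configured to carry them; keep the list as narrow as the apps
  // allow and review it when it changes - the wildcard entries are broad.
  var m365Domains = [
    "ccs.login.microsoftonline.com",
    "*.live.com",
    "*.auth.microsoft.com",
    "*.msftidentity.com",
    "*.msidentity.com",
    "account.activedirectory.windowsazure.com",
    "accounts.accesscontrol.windows.net",
    "adminwebservice.microsoftonline.com",
    "api.passwordreset.microsoftonline.com",
    "autologon.microsoftazuread-sso.com",
    "becws.microsoftonline.com",
    "*.azure.com",
    "*.msauth.net",
    "*.microsoftazuread-sso.com",
    "*.msftauth.net",
    "*.microsoft.com",
    "*.office.net",
    "*.microsoftonline.com",
    "*.outlook.com",
    "outlook.com",
    "outlook.office365.com",
    "*.notifications.skype.com"
  ];
  for (var i = 0; i < m365Domains.length; i++) {
    if (shExpMatch(lowerHost, m365Domains[i])) {
      return "DIRECT";
    }
  }

  // Send everything else to the Proxy. Deliberately no "; DIRECT" fallback:
  // if the proxy is unreachable the request fails rather than silently
  // leaving the inspection path.
  return "PROXY <Proxy FQDN>:8080";
}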