Welche Domänen müssen übersprungen werden, damit MS Teams und Outlook Thick Apps mit dem Agentenproxy funktionieren?
8909
Created On 01/17/24 20:53 PM - Last Modified 02/02/24 05:43 AM
Question
Welche Domänen müssen übersprungen werden, damit MS Teams und Outlook Thick Apps mit dem Agentenproxy funktionieren?
Environment
- Prisma Access 4.0, 4.1, 4.2, 5.0
- Agenten-Proxy
Answer
Domain-Liste
ccs.login.microsoftonline.com *.live.com *.auth.microsoft.com *.msftidentity.com *.msidentity.com account.activedirectory.windowsazure.com accounts.accesscontrol.windows.net adminwebservice.microsoftonline.com api.passwordreset.microsoftonline.com autologon.microsoftazuread-sso.com becws.microsoftonline.com *.azure.com *.msauth.net *.microsoftazuread-sso.com *.msftauth.net *.microsoft.com *.office.net *.notifications.skype.com *.microsoftonline.com *.outlook.com outlook.com outlook.office365.com
Additional Information
Es gibt drei Optionen: Ersetzen Sie Variablen zwischen < >
Option 1: Beispiel-PAC, um den Agenten direkt zu umgehen
function FindProxyForURL(url, host) {
// Bypass localhost and Private IPs
var resolved_ip = dnsResolve(host);
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
return "DIRECT";
// Bypass FTP
if (url.substring(0,4) == "ftp:")
return "DIRECT";
// Bypass GlobalProtect Portal FQDN
if (shExpMatch(host, "<Your Portal FQDN>"))
return "DIRECT";
// Bypass GlobalProtect Gateway FQDNs
if (shExpMatch(host, "*.gw.lab.gpcloudservice.com"))
return "DIRECT";
// Bypass ACS Domain for Authentication Purposes
if (shExpMatch(host, "*.prismaaccess.com"))
return "DIRECT";
// Bypass M365 Domains for Teams and Outlook
if (shExpMatch(host, "ccs.login.microsoftonline.com") ||
shExpMatch(host, "*.live.com") ||
shExpMatch(host, "*.auth.microsoft.com") ||
shExpMatch(host, "*.msftidentity.com") ||
shExpMatch(host, "*.msidentity.com") ||
shExpMatch(host, "account.activedirectory.windowsazure.com") ||
shExpMatch(host, "accounts.accesscontrol.windows.net") ||
shExpMatch(host, "adminwebservice.microsoftonline.com") ||
shExpMatch(host, "api.passwordreset.microsoftonline.com") ||
shExpMatch(host, "autologon.microsoftazuread-sso.com") ||
shExpMatch(host, "becws.microsoftonline.com") ||
shExpMatch(host, "*.azure.com") ||
shExpMatch(host, "*.msauth.net") ||
shExpMatch(host, "*.microsoftazuread-sso.com") ||
shExpMatch(host, "*.msftauth.net") ||
shExpMatch(host, "*.microsoft.com") ||
shExpMatch(host, "*.office.net") ||
shExpMatch(host, "*.microsoftonline.com") ||
shExpMatch(host, "*.outlook.com") ||
shExpMatch(host, "outlook.com") ||
shExpMatch(host, "outlook.office365.com") ||
shExpMatch(host, "*.notifications.skype.com"))
return "DIRECT";
// Send everything else to the Proxy
return "PROXY <Proxy FQDN>:8080";
}
function FindProxyForURL(url, host) {
// Bypass localhost and Private IPs
var resolved_ip = dnsResolve(host);
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
return "DIRECT";
// Bypass FTP
if (url.substring(0,4) == "ftp:")
return "DIRECT";
// Bypass GlobalProtect Portal FQDN
if (shExpMatch(host, "<Your Portal FQDN>"))
return "DIRECT";
// Bypass GlobalProtect Gateway FQDNs
if (shExpMatch(host, "*.gw.lab.gpcloudservice.com"))
return "DIRECT";
// Bypass ACS Domain for Authentication Purposes
if (shExpMatch(host, "*.prismaaccess.com"))
return "DIRECT";
// Bypass M365 Domains for Teams and Outlook
if (shExpMatch(host, "ccs.login.microsoftonline.com") ||
shExpMatch(host, "*.live.com") ||
shExpMatch(host, "*.auth.microsoft.com") ||
shExpMatch(host, "*.msftidentity.com") ||
shExpMatch(host, "*.msidentity.com") ||
shExpMatch(host, "account.activedirectory.windowsazure.com") ||
shExpMatch(host, "accounts.accesscontrol.windows.net") ||
shExpMatch(host, "adminwebservice.microsoftonline.com") ||
shExpMatch(host, "api.passwordreset.microsoftonline.com") ||
shExpMatch(host, "autologon.microsoftazuread-sso.com") ||
shExpMatch(host, "becws.microsoftonline.com") ||
shExpMatch(host, "*.azure.com") ||
shExpMatch(host, "*.msauth.net") ||
shExpMatch(host, "*.microsoftazuread-sso.com") ||
shExpMatch(host, "*.msftauth.net") ||
shExpMatch(host, "*.microsoft.com") ||
shExpMatch(host, "*.office.net") ||
shExpMatch(host, "*.microsoftonline.com") ||
shExpMatch(host, "*.outlook.com") ||
shExpMatch(host, "outlook.com") ||
shExpMatch(host, "outlook.office365.com") ||
shExpMatch(host, "*.notifications.skype.com"))
return "PROXY <Tenant FQDN-see below for details>:8080";
// Send everything else to the Proxy
return "PROXY <Proxy FQDN>:8080";
}
Wir sollten den FQDN des Mandanten (unten in Rot) verwenden.
~> nslookup nfcu.proxy.prismaaccess.com
Server: 10.47.98.1
Address: 10.47.98.1#53
Non-authoritative answer:
nfcu.proxy.prismaaccess.com canonical name = prisma-gpo22sysn5c5.proxy.prismaaccess.com. < TENANT FQDN
prisma-gpo22sysn5c5.proxy.prismaaccess.com canonical name = us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com.
Name: us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com
Address: 130.41.253.21
Sie können sehen, dass der Mandanten-FQDN es uns ermöglicht, GSLB beizubehalten.
~> nslookup prisma-gpo22sysn5c5.proxy.prismaaccess.com
Server: 10.47.98.1
Address: 10.47.98.1#53
Non-authoritative answer:
prisma-gpo22sysn5c5.proxy.prismaaccess.com canonical name = us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com.
Name: us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com
Address: 130.41.253.21
Möglichkeit 3: Verwenden Sie den Hybridmodus, und senden Sie diesen Datenverkehr über das MU-Gateway.
Diese Option geht davon aus, dass der GP-Tunnel Datenverkehr entgegennimmt, der für diese Domänen bestimmt ist, und entsprechend konfiguriert ist, wir umgehen den Proxy mit der DIRECT-Aktion unten, was dann bedeutet, dass der Tunnel diesen Datenverkehr entsprechend transportieren kann.
function FindProxyForURL(url, host) {
// Bypass localhost and Private IPs
var resolved_ip = dnsResolve(host);
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
return "DIRECT";
// Bypass FTP
if (url.substring(0,4) == "ftp:")
return "DIRECT";
// Bypass GlobalProtect Portal FQDN
if (shExpMatch(host, "<Your Portal FQDN>"))
return "DIRECT";
// Bypass GlobalProtect Gateway FQDNs
if (shExpMatch(host, "*.gw.lab.gpcloudservice.com"))
return "DIRECT";
// Bypass ACS Domain for Authentication Purposes
if (shExpMatch(host, "*.prismaaccess.com"))
return "DIRECT";
// Bypass M365 Domains for Teams and Outlook
if (shExpMatch(host, "ccs.login.microsoftonline.com") ||
shExpMatch(host, "*.live.com") ||
shExpMatch(host, "*.auth.microsoft.com") ||
shExpMatch(host, "*.msftidentity.com") ||
shExpMatch(host, "*.msidentity.com") ||
shExpMatch(host, "account.activedirectory.windowsazure.com") ||
shExpMatch(host, "accounts.accesscontrol.windows.net") ||
shExpMatch(host, "adminwebservice.microsoftonline.com") ||
shExpMatch(host, "api.passwordreset.microsoftonline.com") ||
shExpMatch(host, "autologon.microsoftazuread-sso.com") ||
shExpMatch(host, "becws.microsoftonline.com") ||
shExpMatch(host, "*.azure.com") ||
shExpMatch(host, "*.msauth.net") ||
shExpMatch(host, "*.microsoftazuread-sso.com") ||
shExpMatch(host, "*.msftauth.net") ||
shExpMatch(host, "*.microsoft.com") ||
shExpMatch(host, "*.office.net") ||
shExpMatch(host, "*.microsoftonline.com") ||
shExpMatch(host, "*.outlook.com") ||
shExpMatch(host, "outlook.com") ||
shExpMatch(host, "outlook.office365.com") ||
shExpMatch(host, "*.notifications.skype.com"))
return "DIRECT";
// Send everything else to the Proxy
return "PROXY <Proxy FQDN>:8080";
}