Quels domaines doivent être ignorés pour que MS Teams et Outlook Thick Apps fonctionnent avec le proxy de l’agent ?
8911
Created On 01/17/24 20:53 PM - Last Modified 02/02/24 05:45 AM
Question
Quels domaines doivent être ignorés pour que MS Teams et Outlook Thick Apps fonctionnent avec le proxy de l’agent ?
Environment
- Prisma Access 4.0, 4.1, 4.2, 5.0
- Proxy de l’agent
Answer
Liste des domaines
ccs.login.microsoftonline.com *.live.com *.auth.microsoft.com *.msftidentity.com *.msidentity.com account.activedirectory.windowsazure.com accounts.accesscontrol.windows.net adminwebservice.microsoftonline.com api.passwordreset.microsoftonline.com autologon.microsoftazuread-sso.com becws.microsoftonline.com *.azure.com *.msauth.net *.microsoftazuread-sso.com *.msftauth.net *.microsoft.com *.office.net *.notifications.skype.com *.microsoftonline.com *.outlook.com outlook.com outlook.office365.com
Additional Information
Il existe trois options : remplacer les variables intermédiaires < >
Option 1 : Exemple PAC pour contourner directement l’agent
function FindProxyForURL(url, host) {
// Bypass localhost and Private IPs
var resolved_ip = dnsResolve(host);
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
return "DIRECT";
// Bypass FTP
if (url.substring(0,4) == "ftp:")
return "DIRECT";
// Bypass GlobalProtect Portal FQDN
if (shExpMatch(host, "<Your Portal FQDN>"))
return "DIRECT";
// Bypass GlobalProtect Gateway FQDNs
if (shExpMatch(host, "*.gw.lab.gpcloudservice.com"))
return "DIRECT";
// Bypass ACS Domain for Authentication Purposes
if (shExpMatch(host, "*.prismaaccess.com"))
return "DIRECT";
// Bypass M365 Domains for Teams and Outlook
if (shExpMatch(host, "ccs.login.microsoftonline.com") ||
shExpMatch(host, "*.live.com") ||
shExpMatch(host, "*.auth.microsoft.com") ||
shExpMatch(host, "*.msftidentity.com") ||
shExpMatch(host, "*.msidentity.com") ||
shExpMatch(host, "account.activedirectory.windowsazure.com") ||
shExpMatch(host, "accounts.accesscontrol.windows.net") ||
shExpMatch(host, "adminwebservice.microsoftonline.com") ||
shExpMatch(host, "api.passwordreset.microsoftonline.com") ||
shExpMatch(host, "autologon.microsoftazuread-sso.com") ||
shExpMatch(host, "becws.microsoftonline.com") ||
shExpMatch(host, "*.azure.com") ||
shExpMatch(host, "*.msauth.net") ||
shExpMatch(host, "*.microsoftazuread-sso.com") ||
shExpMatch(host, "*.msftauth.net") ||
shExpMatch(host, "*.microsoft.com") ||
shExpMatch(host, "*.office.net") ||
shExpMatch(host, "*.microsoftonline.com") ||
shExpMatch(host, "*.outlook.com") ||
shExpMatch(host, "outlook.com") ||
shExpMatch(host, "outlook.office365.com") ||
shExpMatch(host, "*.notifications.skype.com"))
return "DIRECT";
// Send everything else to the Proxy
return "PROXY <Proxy FQDN>:8080";
}
function FindProxyForURL(url, host) {
// Bypass localhost and Private IPs
var resolved_ip = dnsResolve(host);
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
return "DIRECT";
// Bypass FTP
if (url.substring(0,4) == "ftp:")
return "DIRECT";
// Bypass GlobalProtect Portal FQDN
if (shExpMatch(host, "<Your Portal FQDN>"))
return "DIRECT";
// Bypass GlobalProtect Gateway FQDNs
if (shExpMatch(host, "*.gw.lab.gpcloudservice.com"))
return "DIRECT";
// Bypass ACS Domain for Authentication Purposes
if (shExpMatch(host, "*.prismaaccess.com"))
return "DIRECT";
// Bypass M365 Domains for Teams and Outlook
if (shExpMatch(host, "ccs.login.microsoftonline.com") ||
shExpMatch(host, "*.live.com") ||
shExpMatch(host, "*.auth.microsoft.com") ||
shExpMatch(host, "*.msftidentity.com") ||
shExpMatch(host, "*.msidentity.com") ||
shExpMatch(host, "account.activedirectory.windowsazure.com") ||
shExpMatch(host, "accounts.accesscontrol.windows.net") ||
shExpMatch(host, "adminwebservice.microsoftonline.com") ||
shExpMatch(host, "api.passwordreset.microsoftonline.com") ||
shExpMatch(host, "autologon.microsoftazuread-sso.com") ||
shExpMatch(host, "becws.microsoftonline.com") ||
shExpMatch(host, "*.azure.com") ||
shExpMatch(host, "*.msauth.net") ||
shExpMatch(host, "*.microsoftazuread-sso.com") ||
shExpMatch(host, "*.msftauth.net") ||
shExpMatch(host, "*.microsoft.com") ||
shExpMatch(host, "*.office.net") ||
shExpMatch(host, "*.microsoftonline.com") ||
shExpMatch(host, "*.outlook.com") ||
shExpMatch(host, "outlook.com") ||
shExpMatch(host, "outlook.office365.com") ||
shExpMatch(host, "*.notifications.skype.com"))
return "PROXY <Tenant FQDN-see below for details>:8080";
// Send everything else to the Proxy
return "PROXY <Proxy FQDN>:8080";
}
Nous devons utiliser le nom de domaine complet du locataire (en rouge ci-dessous).
~> nslookup nfcu.proxy.prismaaccess.com
Server: 10.47.98.1
Address: 10.47.98.1#53
Non-authoritative answer:
nfcu.proxy.prismaaccess.com canonical name = prisma-gpo22sysn5c5.proxy.prismaaccess.com. < TENANT FQDN
prisma-gpo22sysn5c5.proxy.prismaaccess.com canonical name = us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com.
Name: us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com
Address: 130.41.253.21
Vous pouvez voir que le nom de domaine complet du locataire nous permet de conserver GSLB.
~> nslookup prisma-gpo22sysn5c5.proxy.prismaaccess.com
Server: 10.47.98.1
Address: 10.47.98.1#53
Non-authoritative answer:
prisma-gpo22sysn5c5.proxy.prismaaccess.com canonical name = us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com.
Name: us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com
Address: 130.41.253.21
Option 3 : Utilisez le mode hybride et envoyez ce trafic via la passerelle MU
Cette option suppose que le tunnel GP prendra le trafic destiné à ces domaines et qu’il est configuré en conséquence, nous contournons le proxy avec l’action DIRECTE ci-dessous, ce qui signifie que le tunnel peut transporter ce trafic en conséquence.
function FindProxyForURL(url, host) {
// Bypass localhost and Private IPs
var resolved_ip = dnsResolve(host);
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
return "DIRECT";
// Bypass FTP
if (url.substring(0,4) == "ftp:")
return "DIRECT";
// Bypass GlobalProtect Portal FQDN
if (shExpMatch(host, "<Your Portal FQDN>"))
return "DIRECT";
// Bypass GlobalProtect Gateway FQDNs
if (shExpMatch(host, "*.gw.lab.gpcloudservice.com"))
return "DIRECT";
// Bypass ACS Domain for Authentication Purposes
if (shExpMatch(host, "*.prismaaccess.com"))
return "DIRECT";
// Bypass M365 Domains for Teams and Outlook
if (shExpMatch(host, "ccs.login.microsoftonline.com") ||
shExpMatch(host, "*.live.com") ||
shExpMatch(host, "*.auth.microsoft.com") ||
shExpMatch(host, "*.msftidentity.com") ||
shExpMatch(host, "*.msidentity.com") ||
shExpMatch(host, "account.activedirectory.windowsazure.com") ||
shExpMatch(host, "accounts.accesscontrol.windows.net") ||
shExpMatch(host, "adminwebservice.microsoftonline.com") ||
shExpMatch(host, "api.passwordreset.microsoftonline.com") ||
shExpMatch(host, "autologon.microsoftazuread-sso.com") ||
shExpMatch(host, "becws.microsoftonline.com") ||
shExpMatch(host, "*.azure.com") ||
shExpMatch(host, "*.msauth.net") ||
shExpMatch(host, "*.microsoftazuread-sso.com") ||
shExpMatch(host, "*.msftauth.net") ||
shExpMatch(host, "*.microsoft.com") ||
shExpMatch(host, "*.office.net") ||
shExpMatch(host, "*.microsoftonline.com") ||
shExpMatch(host, "*.outlook.com") ||
shExpMatch(host, "outlook.com") ||
shExpMatch(host, "outlook.office365.com") ||
shExpMatch(host, "*.notifications.skype.com"))
return "DIRECT";
// Send everything else to the Proxy
return "PROXY <Proxy FQDN>:8080";
}