需要跳过哪些域才能使 MS Teams 和 Outlook 胖应用程序与代理代理一起使用?

需要跳过哪些域才能使 MS Teams 和 Outlook 胖应用程序与代理代理一起使用?

8850
Created On 01/17/24 20:53 PM - Last Modified 02/02/24 05:43 AM


Question


需要跳过哪些域才能使 MS Teams 和 Outlook 胖应用程序与代理代理一起使用?

Environment


  • Prisma Access 4.0、4.1、4.2、5.0
  • 代理代理

Answer


域名列表 
ccs.login.microsoftonline.com
*.live.com
*.auth.microsoft.com
*.msftidentity.com
*.msidentity.com
account.activedirectory.windowsazure.com
accounts.accesscontrol.windows.net
adminwebservice.microsoftonline.com
api.passwordreset.microsoftonline.com
autologon.microsoftazuread-sso.com
becws.microsoftonline.com
*.azure.com
*.msauth.net
*.microsoftazuread-sso.com
*.msftauth.net
*.microsoft.com
*.office.net
*.notifications.skype.com
*.microsoftonline.com
*.outlook.com
outlook.com
outlook.office365.com

 

Additional Information


有三个选项 - 替换介于两者之间的变量 < >

选项 1:直接绕过代理的示例 PAC 
function FindProxyForURL(url, host) {
// Bypass localhost and Private IPs
var resolved_ip = dnsResolve(host);
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
return "DIRECT";
// Bypass FTP
if (url.substring(0,4) == "ftp:")
return "DIRECT";
// Bypass GlobalProtect Portal FQDN
if (shExpMatch(host, "<Your Portal FQDN>"))
return "DIRECT";
// Bypass GlobalProtect Gateway FQDNs
if (shExpMatch(host, "*.gw.lab.gpcloudservice.com"))
return "DIRECT";
// Bypass ACS Domain for Authentication Purposes
if (shExpMatch(host, "*.prismaaccess.com"))
return "DIRECT";
// Bypass M365 Domains for Teams and Outlook
if (shExpMatch(host, "ccs.login.microsoftonline.com") ||
shExpMatch(host, "*.live.com") ||
shExpMatch(host, "*.auth.microsoft.com") ||
shExpMatch(host, "*.msftidentity.com") ||
shExpMatch(host, "*.msidentity.com") ||
shExpMatch(host, "account.activedirectory.windowsazure.com") ||
shExpMatch(host, "accounts.accesscontrol.windows.net") ||
shExpMatch(host, "adminwebservice.microsoftonline.com") ||
shExpMatch(host, "api.passwordreset.microsoftonline.com") ||
shExpMatch(host, "autologon.microsoftazuread-sso.com") ||
shExpMatch(host, "becws.microsoftonline.com") ||
shExpMatch(host, "*.azure.com") ||
shExpMatch(host, "*.msauth.net") ||
shExpMatch(host, "*.microsoftazuread-sso.com") ||
shExpMatch(host, "*.msftauth.net") ||
shExpMatch(host, "*.microsoft.com") ||
shExpMatch(host, "*.office.net") ||
shExpMatch(host, "*.microsoftonline.com") ||
shExpMatch(host, "*.outlook.com") ||
shExpMatch(host, "outlook.com") ||
shExpMatch(host, "outlook.office365.com") ||
shExpMatch(host, "*.notifications.skype.com"))
return "DIRECT";
// Send everything else to the Proxy
return "PROXY <Proxy FQDN>:8080";
}
 
选项 2:要发送到 PA 代理绕过代理的示例 PAC 文件 
function FindProxyForURL(url, host) {
// Bypass localhost and Private IPs
var resolved_ip = dnsResolve(host);
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
return "DIRECT";
// Bypass FTP
if (url.substring(0,4) == "ftp:")
return "DIRECT";
// Bypass GlobalProtect Portal FQDN
if (shExpMatch(host, "<Your Portal FQDN>"))
return "DIRECT";
// Bypass GlobalProtect Gateway FQDNs
if (shExpMatch(host, "*.gw.lab.gpcloudservice.com"))
return "DIRECT";
// Bypass ACS Domain for Authentication Purposes
if (shExpMatch(host, "*.prismaaccess.com"))
return "DIRECT";
// Bypass M365 Domains for Teams and Outlook
if (shExpMatch(host, "ccs.login.microsoftonline.com") ||
shExpMatch(host, "*.live.com") ||
shExpMatch(host, "*.auth.microsoft.com") ||
shExpMatch(host, "*.msftidentity.com") ||
shExpMatch(host, "*.msidentity.com") ||
shExpMatch(host, "account.activedirectory.windowsazure.com") ||
shExpMatch(host, "accounts.accesscontrol.windows.net") ||
shExpMatch(host, "adminwebservice.microsoftonline.com") ||
shExpMatch(host, "api.passwordreset.microsoftonline.com") ||
shExpMatch(host, "autologon.microsoftazuread-sso.com") ||
shExpMatch(host, "becws.microsoftonline.com") ||
shExpMatch(host, "*.azure.com") ||
shExpMatch(host, "*.msauth.net") ||
shExpMatch(host, "*.microsoftazuread-sso.com") ||
shExpMatch(host, "*.msftauth.net") ||
shExpMatch(host, "*.microsoft.com") ||
shExpMatch(host, "*.office.net") ||
shExpMatch(host, "*.microsoftonline.com") ||
shExpMatch(host, "*.outlook.com") ||
shExpMatch(host, "outlook.com") ||
shExpMatch(host, "outlook.office365.com") ||
shExpMatch(host, "*.notifications.skype.com"))
return "PROXY <Tenant FQDN-see below for details>:8080";
// Send everything else to the Proxy
return "PROXY <Proxy FQDN>:8080";
}

应使用租户 FQDN(下面红色)。 
~> nslookup nfcu.proxy.prismaaccess.com
Server:		10.47.98.1
Address:	10.47.98.1#53


Non-authoritative answer:
nfcu.proxy.prismaaccess.com	canonical name = prisma-gpo22sysn5c5.proxy.prismaaccess.com.   < TENANT FQDN
prisma-gpo22sysn5c5.proxy.prismaaccess.com	canonical name = us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com.
Name:	us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com
Address: 130.41.253.21


您可以看到租户 FQDN 允许我们保留 GSLB。

~> nslookup prisma-gpo22sysn5c5.proxy.prismaaccess.com
Server:		10.47.98.1
Address:	10.47.98.1#53


Non-authoritative answer:
prisma-gpo22sysn5c5.proxy.prismaaccess.com	canonical name = us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com.
Name:	us-east-1.prisma-gpo22sysn5c5.proxy.prismaaccess.com
Address: 130.41.253.21

选项 3: 使用混合模式并通过 MU 网关发送此流量
此选项假设 GP 隧道将接收发往这些域的流量,并进行相应的配置,我们使用下面的 DIRECT 操作绕过代理,这意味着隧道可以相应地传输此流量。
function FindProxyForURL(url, host) {
// Bypass localhost and Private IPs
var resolved_ip = dnsResolve(host);
if (isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
return "DIRECT";
// Bypass FTP
if (url.substring(0,4) == "ftp:")
return "DIRECT";
// Bypass GlobalProtect Portal FQDN
if (shExpMatch(host, "<Your Portal FQDN>"))
return "DIRECT";
// Bypass GlobalProtect Gateway FQDNs
if (shExpMatch(host, "*.gw.lab.gpcloudservice.com"))
return "DIRECT";
// Bypass ACS Domain for Authentication Purposes
if (shExpMatch(host, "*.prismaaccess.com"))
return "DIRECT";
// Bypass M365 Domains for Teams and Outlook
if (shExpMatch(host, "ccs.login.microsoftonline.com") ||
shExpMatch(host, "*.live.com") ||
shExpMatch(host, "*.auth.microsoft.com") ||
shExpMatch(host, "*.msftidentity.com") ||
shExpMatch(host, "*.msidentity.com") ||
shExpMatch(host, "account.activedirectory.windowsazure.com") ||
shExpMatch(host, "accounts.accesscontrol.windows.net") ||
shExpMatch(host, "adminwebservice.microsoftonline.com") ||
shExpMatch(host, "api.passwordreset.microsoftonline.com") ||
shExpMatch(host, "autologon.microsoftazuread-sso.com") ||
shExpMatch(host, "becws.microsoftonline.com") ||
shExpMatch(host, "*.azure.com") ||
shExpMatch(host, "*.msauth.net") ||
shExpMatch(host, "*.microsoftazuread-sso.com") ||
shExpMatch(host, "*.msftauth.net") ||
shExpMatch(host, "*.microsoft.com") ||
shExpMatch(host, "*.office.net") ||
shExpMatch(host, "*.microsoftonline.com") ||
shExpMatch(host, "*.outlook.com") ||
shExpMatch(host, "outlook.com") ||
shExpMatch(host, "outlook.office365.com") ||
shExpMatch(host, "*.notifications.skype.com"))
return "DIRECT";
// Send everything else to the Proxy
return "PROXY <Proxy FQDN>:8080";
}
 
 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XhWYCA0&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language