Blocking MS Teams

SOLVED
Dunky
A model citizen


Dear community,

I am losing the will to live here.

What started out as something I expected to be quite straightforward has taken me over 6 hours with no result as yet.

I have a VLAN that is subject to a group policy.

In that policy I have a number of whitelisted URLs/domains - one of those is microsoft.com.


What I need to do and cannot fathom out, is how to block MS Teams (I also need to look at OneDrive which I guess may be a similar issue).

Any suggestions will be most welcome.

I've tried adding a L3 rule to block teams.microsoft.com but that has no effect (and yes, the MX is acting as a DNS server for the VLAN in question).


The path I started down was removing microsoft.com from the whitelist and trying to whitelist everything needed for windows update, defender ATP etc and gave up!


Here hoping 🙂


1 ACCEPTED SOLUTION

You could just create a Deny L3 Firewall rule for that VLAN in the MX's firewall and block the VLAN's subnet from all traffic to the IPs listed in this site:


https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world...


Teams seems to use these IP ranges:  13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32


8 REPLIES
ww
Kind of a big deal

Are you running 16.x firmware code that has NBAR2?

You should be able to select/deny MS Teams at the L7 firewall.

Dunky
A model citizen

I am running 16.16

I see there is a Microsoft Office Web Applications entry in the Productivity category.


Not sure that would block the Teams app though?


The problem I have is all the L3 rules for the site sit in the Firewall & SD-WAN > Firewall section. In the Group Policy I have Firewall and traffic shaping set to "Use network firewall & traffic shaping rules", which greys out L7 in the Group Policy.


That's worked a treat, thanks!

I've now passed it over to our Microsoft guys to see if they can circumvent it 🙂

Will add the subnets as an organization-wide Policy Object.

ww
Kind of a big deal

You could get layer 3 rules with the API and put them into a group policy.


In the VoIP & Video conferencing category there is a Microsoft Teams entry. You could try that one.
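As an added example (not code from the thread or from Meraki), this script turns the Teams ranges quoted in the accepted answer into the L3 deny ruleset that ww's API suggestion would put into a group policy, using the Meraki Dashboard API v1 group-policy schema (firewallAndTrafficShaping with settings "custom" and l3FirewallRules). The network and policy IDs, the MERAKI_API_KEY variable and the sample destination address are assumptions; the live PUT is only reached if you call push_policy yourself.

```python
import ipaddress
import os
from typing import Dict, List

# CIDRs quoted in the accepted answer; re-check Microsoft's endpoint list before use.
TEAMS_RANGES = ["13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14",
                "52.238.119.141/32", "52.244.160.207/32"]


def build_l3_rules(cidrs: List[str], comment: str = "Block MS Teams") -> List[Dict]:
    """One deny rule per range, using the field names the group-policy schema expects."""
    rules = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects a malformed range early
        rules.append({"comment": f"{comment} {net}", "policy": "deny",
                      "protocol": "any", "destPort": "any", "destCidr": str(net)})
    return rules


def group_policy_payload(cidrs: List[str]) -> Dict:
    """Body for PUT /networks/{networkId}/groupPolicies/{groupPolicyId}.

    "custom" detaches the policy from the network-wide ruleset; the thread's
    "Use network firewall & traffic shaping rules" is the "network default" setting."""
    return {"firewallAndTrafficShaping": {"settings": "custom",
                                          "l3FirewallRules": build_l3_rules(cidrs)}}


def is_blocked(dest_ip: str, cidrs: List[str]) -> bool:
    """Offline check: would this destination address hit one of the deny rules?"""
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def push_policy(network_id: str, policy_id: str, payload: Dict) -> int:
    """Live update; needs MERAKI_API_KEY in the environment and the requests package."""
    import requests
    url = f"https://api.meraki.com/api/v1/networks/{network_id}/groupPolicies/{policy_id}"
    resp = requests.put(url, json=payload, timeout=30,
                        headers={"X-Cisco-Meraki-API-Key": os.environ["MERAKI_API_KEY"]})
    return resp.status_code


if __name__ == "__main__":
    import json
    print(json.dumps(group_policy_payload(TEAMS_RANGES), indent=2))
    print(is_blocked("52.113.10.5", TEAMS_RANGES))  # constructed address inside 52.112.0.0/14
```

Run it without arguments to review the generated JSON and spot-check addresses against the ranges before pushing anything; the two /14 ranges are large, so confirm nothing else you rely on resolves into them.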

Dunky
A model citizen

I cannot apply L7 rules in the Group Policy as it's greyed out due to it being greyed out.


All L3 rules are in the main Firewall section, i.e. not within Group Policies. We took the decision at the outset just to have one firewall ruleset per site, not amended within Group Policies.


NJNetworkGuy100
Getting noticed

I just looked this up, and for some reason, Teams is a category to use in Layer 7 Deny rules in the MX firewall settings (under VoIP/VideoConferencing), but isn't an option when updating a Group Policy object. Very odd.


https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world... 

This is the page that lists all of the FQDNs and IPs used for O365 services, including Teams. You can use Group Policy to block the IP ranges for Teams.


In your Group Policy Object, I would suggest testing a Custom Layer 7 Deny rule that blocks traffic to the Remote IP ranges needed for Teams use.


These seem to be the IP ranges needed for Teams use: 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32


Hope this helps...

My understanding is that the NBAR categories only function in the "Normal" setting. Group Policy objects do not use the NBAR filtering at this point. The Meraki tech I was talking with didn't know if or when that functionality would arrive.


It would be nice though. We generally use group policy to open or close services and having more granularity would be nice to have there.
