Blocking "Web-Based E-mail" through Content Filtering but Allowing Access to Microsoft O365 Sites

SOLVED
JDLambert
New here

Our financial examiners are requesting that we block access to web-based e-mail categories on our MX firewalls. I added this category to global Content Filtering but found out that it was causing our Outlook O365 clients running locally on our systems to be blocked as well when connecting out to O365 to get e-mail. I found an article on Microsoft's site detailing the URLs that need to be opened for connectivity to O365.

https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world...

I added all of the URLs in this article to the "Allow list URL patterns" in global Content Filtering but it did not resolve the issue. Has anyone else had this same issue and been able to correct it?

Accepted Solutions
Russ_B
Here to help

Re: Blocking "Web-Based E-mail" through Content Filtering but Allowing Access to Microsoft

I just did a basic test here and it seemed to work as expected. I'm running 14.53 firmware on an MX65W. I went to Security & SD-WAN/Content Filtering, then added Web based email to the list of Blocked website categories. I waited a few minutes, then tried to access Outlook and it was blocked. The block page showed that I was trying to access http://outlook.office365.com/, so I added outlook.office365.com to the "Allow list URL patterns", waited a few minutes, and I was able to access Outlook.

I would check the "Allow list URL patterns" to make sure they are just plain domain/host names. One thing that tripped me up when I started working with Meraki was that my predecessor had used Content Filtering to block Netflix (not as a category, but specifically in the Blocked URL list) and they had put in "*.netflix.com" instead of just "netflix.com", so it wasn't actually being blocked.

One thing I wasn't 100% clear on in your message: are you using the web-based Outlook 365 client or the desktop Outlook 365 client? I did my testing with the web-based client, so the results might be different with the desktop client.

Russ

JDLambert
New here

Re: Blocking "Web-Based E-mail" through Content Filtering but Allowing Access to Microsoft

Perfect.  That was my issue.  I was using the leading * and that is why it was not working.  Thanks for the response.

Warren
Getting noticed

Re: Blocking "Web-Based E-mail" through Content Filtering but Allowing Access to Microsoft

Other common Office 365 URLs can be found here - https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges

They have this as a web service as well - but Meraki hasn't bothered to add it as something to easily allow.
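
The fix found in this thread, applied to a whole endpoint list, as an added example that is not part of any post here and is not Meraki or Microsoft code: it turns Microsoft-style entries into plain host names for "Allow list URL patterns" by dropping the leading `*.`, and sets aside entries with a wildcard elsewhere in the name for manual review. The sample data is constructed, the function names are hypothetical, and the `id`, `serviceArea`, `urls` and `ips` field names are assumed to follow the JSON returned by the Microsoft 365 endpoints web service mentioned above.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the Microsoft 365 endpoints web service output
# (not real service data; the IP range is a documentation range).
SAMPLE = json.loads("""[
 {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com", "outlook.office365.com"]},
 {"id": 2, "serviceArea": "Exchange", "urls": ["*.outlook.com", "autodiscover.*.onmicrosoft.com"]},
 {"id": 3, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"]},
 {"id": 4, "serviceArea": "Exchange", "ips": ["192.0.2.0/24"]}
]""")


def to_allow_pattern(entry):
    """Return a plain host name for the allow list, or None if it needs manual review."""
    entry = entry.strip().lower()
    if "://" in entry:
        # A URL copied from the block page, e.g. http://outlook.office365.com/
        entry = urlsplit(entry).hostname or ""
    if entry.startswith("*."):
        # Per the thread: the leading "*." kept the pattern from matching.
        entry = entry[2:]
    if not entry or "*" in entry:
        # A wildcard elsewhere in the name cannot be reduced to a plain host name.
        return None
    return entry


def build_allow_list(endpoints, service_area="Exchange"):
    """Collect plain patterns for one service area plus entries to review by hand."""
    patterns, review = set(), []
    for ep in endpoints:
        if ep.get("serviceArea") != service_area:
            continue
        for url in ep.get("urls", []):  # IP-only entries have no "urls" key
            pattern = to_allow_pattern(url)
            if pattern is None:
                review.append((ep.get("id"), url))
            else:
                patterns.add(pattern)
    return sorted(patterns), review


if __name__ == "__main__":
    allow, review = build_allow_list(SAMPLE)
    print("\n".join(allow))
    for ep_id, url in review:
        print(f"# review manually (endpoint set {ep_id}): {url}")
```

Restricting the output to one service area keeps the allow list limited to what the Outlook clients need instead of opening every Microsoft 365 host behind the blocked category.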
