Using Group Policy to block all traffic BUT Office 365 licensing

ST_Rob
Conversationalist
There has to be a simpler way of doing whitelisting.
I've got a terminal server that shouldn't have internet access, but I need internet to activate Office 365 Pro Plus.

This xml document lists all the necessary IPs, but is just too big to put into the list.

Anyone have any ideas? They already have categories similar to this in layer 7 rules, but from what I see it isn't possible to create layer 3 or layer 7 groups. Even if I could, layer 7 only allows deny.

Uberseehandel
Kind of a big deal

@ST_Rob wrote:

This xml document lists all the necessary IPs, but is just too big to put into the list.

As this list of valid IPs updates monthly, it is an ideal candidate for using the API to update the list. The good news is that the list is distributed in RSS feeds (in xml format) so the RSS feed can be read directly.

As this affects virtually all users, Meraki probably needs encouraging to set this up for general use.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
PhilipDAth
Kind of a big deal

My gut reaction is no.

However, you might be able to work around this using group policy and a schedule. Let's say you know people will only be able to access the terminal server 8am to 8pm. Then perhaps use group policy to give the terminal server access 8pm to 8am, and during that time it will be able to talk to Microsoft licencing. Or choose a time users will be highly unlikely to be using the terminal server.


@PhilipDAth wrote:

Then perhaps use group policy to give the terminal server access 8pm to 8am, and during that time it will be able to talk to Microsoft licencing. 


Hopefully, the machines are turned off when not in use. ;-[])

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Haha @Uberseehandel. Not many people turn their servers off at night time - but it would be great for security as well!

Here is a recent pronouncement from Microsoft - 

Office 365 URLs and IP address ranges
Applies To: Office for business Office 365 Admin Office 365 Small Business Admin Office 2016 for Mac Microsoft 365 Business


Summary: Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Office 365 plans, including Government Community Cloud (GCC).

Office 365 Worldwide (+GCC) | Office 365 operated by 21 Vianet | Office 365 Germany | Office 365 U.S. Government DoD | Office 365 U.S. Government GCC High


Start with managing Office 365 endpoints to understand our recommendations. Except for emergency changes, endpoints are updated at the end of each month.

Please read each service introduction for more info. Wildcards represent all levels under the root domain and we use N/A when information is not available. Destinations are listed with FQDN/domain only, CIDR prefixes only, or a pairing of FQDNs that represent specific CIDR prefixes along with port information. Use our PAC files to implement the principles below.

  • Bypass your proxy for all FQDN/CIDR paired and CIDR prefix only destinations, such as row 2 and 3 in portal and shared.
  • Bypass your proxy or remove inspection, authentication, reputation lookup services for any FQDNs marked required without a CIDR prefix, such as row 5 in portal and shared.
  • For any remaining optional FQDNs, wildcards, DNS, CDN, CRL, or other unpublished destinations requested by Office 365 services, ensure clients can access them over the Internet.

Managing Office 365 endpoints
Applies To: Office 365 Admin

Overview (see link above for Firewalls, Proxies, Integration & FAQ)


Office 365 network connectivity


12/11/2017 Connections to Office 365 consist of high volume, trusted network requests that perform best when they're made over a low-latency egress that is near the user. Some Office 365 connections can benefit from optimizing the connection.


  1. Ensure your firewall allow lists allow for connectivity to Office 365 endpoints.
  2. Use your proxy infrastructure to allow Internet connectivity to wildcard and unpublished destinations.
  3. Maintain an optimal perimeter network configuration.
  4. Ensure you're getting the best connectivity.

Many of the Office 365 packages have:

  • A Terabyte of One Cloud Storage
  • Exchange Server as a service
  • Azure membership

These require continuous access to be useful. It is very easy to arrange matters so that all required working files are shared/continuously backed up to the Cloud.

In my experience, anything approaching blocking access to the relevant MS sites will cause more problems than are solved. Better to find a way of giving devices access to the MS list of URLs.


Given how widespread the use of Office 365 is, it would make sense for Meraki to take this on-board, real soon now.

I'll be busy with field testing during much of March and April, so no opportunity to look at using the dashboard to achieve this. But once May comes along, I'll have a look, but I'd hope that Meraki has delivered a solution by then.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

With the size and intrusive nature of Mickysoft updates and the working-hours settings, I have my users leave them on for nighttime M$ silliness.


@Uberseehandel wrote:

@PhilipDAth wrote:

Then perhaps use group policy to give the terminal server access 8pm to 8am, and during that time it will be able to talk to Microsoft licencing. 


Hopefully, the machines are turned off when not in use. ;-[])



24/7 manufacturing, can't turn it off!

LV_MW_MSP
Getting noticed

Unless I am missing something, can't you apply a custom group policy to this machine. Wild card all internet with * so everything is blocked, and whitelist the items you want. Apply that group policy only to your terminal server. You can also set a schedule on this.
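Uberseehandel's suggestion above (read the Microsoft endpoint XML and push it through the API) and LV_MW_MSP's deny-everything-then-allowlist group policy can be combined. The following is an added Python example, not code from the thread, from Microsoft or from Meraki: it parses an endpoint list, keeps only well-formed IPv4 prefixes, collapses overlapping or adjacent prefixes so the list is shorter, and emits a layer 3 rule set that allows those prefixes and denies everything else. The XML layout (`products/product/addresslist[@type="IPv4"]/address`) is an assumption modelled on the older O365IPAddresses.xml file, the sample document is constructed, and the rule dictionary keys (`comment`, `policy`, `protocol`, `destCidr`, `destPort`, `firewallAndTrafficShaping`) are an assumption about the Meraki Dashboard API's group-policy shape; the actual API call is left to the reader.

```python
import ipaddress
import json
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of Microsoft's old O365IPAddresses.xml.
# It deliberately includes a duplicate, two prefixes already covered by a larger
# one, and one malformed entry, to show how each case is handled.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<products updated="2/1/2018">
  <product name="o365">
    <addresslist type="IPv4">
      <address>13.107.6.152/31</address>
      <address>13.107.18.10/31</address>
      <address>40.96.0.0/13</address>
      <address>40.104.0.0/15</address>
      <address>not-an-ip</address>
    </addresslist>
    <addresslist type="IPv6">
      <address>2603:1006::/40</address>
    </addresslist>
    <addresslist type="URL">
      <address>*.office365.com</address>
    </addresslist>
  </product>
  <product name="EXO">
    <addresslist type="IPv4">
      <address>40.96.0.0/13</address>
      <address>40.100.0.0/15</address>
      <address>40.102.0.0/15</address>
    </addresslist>
  </product>
</products>
"""


def extract_ipv4_prefixes(xml_text, products=None):
    """Return the set of valid IPv4 networks listed for the given products (all if None)."""
    root = ET.fromstring(xml_text)
    found = set()
    for product in root.iter("product"):
        if products and product.get("name", "") not in products:
            continue
        for addresslist in product.findall("addresslist"):
            if addresslist.get("type") != "IPv4":
                continue
            for addr in addresslist.findall("address"):
                text = (addr.text or "").strip()
                try:
                    found.add(ipaddress.ip_network(text, strict=False))
                except ValueError:
                    # A malformed entry is dropped, never widened into a broader rule.
                    continue
    return found


def collapse(prefixes):
    """Merge overlapping and adjacent prefixes so fewer rules are needed."""
    return sorted(ipaddress.collapse_addresses(prefixes))


def build_l3_rules(prefixes, ports="80,443"):
    """Allow TCP to each collapsed prefix on the given ports, then deny all (assumed Meraki rule shape)."""
    rules = [
        {
            "comment": "Office 365 endpoint",
            "policy": "allow",
            "protocol": "tcp",
            "destCidr": str(net),
            "destPort": ports,
        }
        for net in collapse(prefixes)
    ]
    rules.append({
        "comment": "Default deny for the terminal server",
        "policy": "deny",
        "protocol": "any",
        "destCidr": "any",
        "destPort": "any",
    })
    return rules


def build_group_policy(name, prefixes):
    """Wrap the rules in a group-policy payload (assumed Meraki Dashboard API layout)."""
    return {
        "name": name,
        "firewallAndTrafficShaping": {
            "settings": "custom",
            "l3FirewallRules": build_l3_rules(prefixes),
        },
    }


if __name__ == "__main__":
    policy = build_group_policy("TS-O365-only", extract_ipv4_prefixes(SAMPLE_XML))
    print(json.dumps(policy, indent=2))
```

Re-running this against the monthly update and diffing the generated rule list against what is currently applied is the check worth keeping: prefixes that disappear from Microsoft's list should be removed from the allow list rather than accumulating.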
