Best practice is to bypass SSL decrypt for OneDrive and Sharepoint, but what if I still want to inspect for malware and DLP purposes when connecting to a third-party tenant's OneDrive or Sharepoint instance?
Updated to close security hole. This version maintains flexibility and separation of unique tenant names from the host list. Each new tenant only needs an added event. Each new host name only needs single entry in two lists.
Standard O365 SSL Bypass from ruleset library starts like this:
Bypass Microsoft (Office 365) Services [This rule set contains rules to bypass Office 365 and/or other Microsoft services.] [✔] Enabled [✔] Enabled in Cloud
Standard URL Filter from ruleset library starts like this:
URL Filtering by Category [Provides access to the web content you choose] [✔] Enabled [✘] Disabled in Cloud
I recommend creating multiple lists and using string manipulation to create UDPs with normalized versions of URL.Host to check against a normal string list.
Tenant Restricted Suffix SSL Bypass (second entry isn't necessary because it is covered by first)
*.sharepoint.com
*-my.sharepoint.com
Tenant Restricted Suffix URL Whitelist
*-files.sharepoint.com
*-myfiles.sharepoint.com
O365 Tenant SSL Bypass List (for Sharepoint in general)
tenant.sharepoint.com
tenant-my.sharepoint.com
O365 Tenant URL Whitelist (for OneDrive specifically)
tenant-files.sharepoint.com
tenant-myfiles.sharepoint.com
Normalizing the UDP is accomplished with string manipulation: an exact match replacing specific tenant names found at the beginning of URL.Host with the generic "tenant" used in the lists above.
Add Rules at top of O365 Bypass first normalizing, then checking with action of Stop Ruleset
URL.Host matches in list Tenant Restricted Suffix SSL Bypass
Continue - Normalize corporate tenant names in Events
User-Defined.NormalizedHostSSLBypass does not match in list O365 Tenant SSL Bypass
Stop Ruleset
Ruleset only allows bypass for tenant restricted sites starting with mytenant and mytenant1. The ruleset would now start like this:
Add rules at top of URL Filtering first normalizing, then checking with action of Stop Ruleset
URL.Host matches in list Tenant Restricted Suffix URL Whitelist
Continue - Normalize corporate tenant names with Events
User-Defined.NormalizedHostURLWhitelist matches in list O365 Tenant URL Whitelist
Stop Ruleset
URL.Host matches in list Tenant Restricted Suffix URL Whitelist
Continue - Normalize third party tenant names with Events
User-Defined.NormalizedHostURLWhitelist matches in list O365 Tenant URL Whitelist
Stop Ruleset
Obviously you can add other criteria and additional rules if you want to add authentication criteria for other tenant access.
In the example below, mytenant and mytenant1 matches always bypass, and thirdtenant and thirdtenant1 matches only bypass for administrators.
Please post if you have a better solution without the security hole noted below from the first version.
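A model of the rule flow in the post, as an added example that is not the author's Web Gateway rules: it normalizes URL.Host the way the Events are described to, then replays the added rules at the top of both rule sets. The tenant names, the exact-label comparison in the normalization and the administrator criterion for third-party tenants are assumptions.

```python
import fnmatch

# Wildcard suffix lists from the post
TENANT_RESTRICTED_SUFFIX_SSL_BYPASS = ["*.sharepoint.com", "*-my.sharepoint.com"]
TENANT_RESTRICTED_SUFFIX_URL_WHITELIST = ["*-files.sharepoint.com", "*-myfiles.sharepoint.com"]
# Plain-string lists holding the normalized host names
O365_TENANT_SSL_BYPASS = {"tenant.sharepoint.com", "tenant-my.sharepoint.com"}
O365_TENANT_URL_WHITELIST = {"tenant-files.sharepoint.com", "tenant-myfiles.sharepoint.com"}
# Tenant names (constructed; each one corresponds to one Event in the post)
CORPORATE_TENANTS = {"mytenant", "mytenant1"}
THIRD_PARTY_TENANTS = {"thirdtenant", "thirdtenant1"}
# Known host suffixes, most specific first so "-my.sharepoint.com" is tried before ".sharepoint.com"
HOST_SUFFIXES = ("-myfiles.sharepoint.com", "-files.sharepoint.com",
                 "-my.sharepoint.com", ".sharepoint.com")

def matches_in_list(host, patterns):
    """'matches in list' against a wildcard string list."""
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)

def normalize_host(host, tenants):
    """Replace an exact tenant label at the start of URL.Host with 'tenant'.
    The label must equal a listed tenant (assumption): a prefix-only replace
    would let 'mytenantx.sharepoint.com' be treated as 'mytenant'."""
    host = host.lower()
    for suffix in HOST_SUFFIXES:
        if host.endswith(suffix):
            label = host[: -len(suffix)]
            return "tenant" + suffix if label in tenants else host
    return host

def ssl_bypass_stopped(host):
    """Added rules at the top of 'Bypass Microsoft (Office 365) Services'.
    True means Stop Ruleset fired: the host is not bypassed and stays decrypted."""
    if matches_in_list(host, TENANT_RESTRICTED_SUFFIX_SSL_BYPASS):
        normalized = normalize_host(host, CORPORATE_TENANTS)
        if normalized not in O365_TENANT_SSL_BYPASS:
            return True
    return False  # fall through to the library bypass rules

def url_filter_stopped(host, is_admin):
    """Added rules at the top of 'URL Filtering by Category'.
    True means Stop Ruleset fired: the host skips category filtering."""
    if not matches_in_list(host, TENANT_RESTRICTED_SUFFIX_URL_WHITELIST):
        return False
    if normalize_host(host, CORPORATE_TENANTS) in O365_TENANT_URL_WHITELIST:
        return True
    # third-party tenants are whitelisted only for administrators (assumed criterion)
    return bool(is_admin and normalize_host(host, THIRD_PARTY_TENANTS) in O365_TENANT_URL_WHITELIST)
```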
Good point. But we are matching against URL.Host, so I couldn't think of a simple way to accommodate a proper conjunction of the two lists to avoid this issue. Will have to think about it some more. Without the wildcard it will not match against URL.Host.
I came up with a better but still flexible solution, without the security hole, and updated the original solution above. If someone has a better way please post.