cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jebeling
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 1 of 4
‎08-20-2019 07:25 AM

O365 MWG Filter Access to Third Party Sharepoint and Onedrive while Bypassing for Corporate Tenants

Jump to solution

Best practice is to bypass SSL decrypt for OneDrive and Sharepoint, but what if I still want to inspect for malware and DLP purposes when connecting to a third-party tenant's OneDrive or Sharepoint instance?

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution in my reply so we can help other community participants?
0 Kudos
Reply
1 Solution

Accepted Solutions
jebeling
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4
‎08-20-2019 07:47 AM

Re: MWG Filtering Access to Third Party Sharepoint and Onedrive while Bypassing for Corporate Tenant

Jump to solution

Updated to close security hole. This version maintains flexibility and separation of unique tenant names from the host list. Each new tenant only needs an added event. Each new host name only needs single entry in two lists. 

Standard O365 SSL Bypass from ruleset library starts like this:

Bypass Microsoft (Office 365) Services

[This rule set contains rules to bypass Office 365 and/or other Microsoft services.]

[✔] Enabled [✔] Enabled in Cloud
Applies to: [✔] Requests [✔] Responses [✘] Embedded Objects
Always

Enabled

Rule

Action

Events

Comments

[✔] Enabled

Shortcut Microsoft Service in Response
1: Cycle.Name equals "Response"
2: AND User-Defined.Shortcut_Microsoft_Service equals true

Stop Cycle

    

[✔] Enabled

Bypass Exchange Online
1: URL.Destination.IP is in range list Exchange Online IP Addresses°
2: OR URL.Destination.IP is in range list Exchange Online Protection IP addresses°
3: OR URL.Host matches in list Exchange Online URLs°

Stop Cycle

Set User-Defined.Shortcut_Microsoft_Service = true

  

[✔] Enabled

Bypass Microsoft Federation Gateway
1: URL.Destination.IP is in range list The Microsoft Federation Gateway IP Addresses°

Stop Cycle

Set User-Defined.Shortcut_Microsoft_Service = true

  

[✔] Enabled

Bypass Lync/Skype for Business Online
1: URL.Destination.IP is in range list Lync Online IPv4 Addresses°
2: OR URL.Destination.IP is in range list Lync Online IPv6 Addresses°
3: OR URL.Host matches in list Lync Online URLs°

Stop Cycle

Set User-Defined.Shortcut_Microsoft_Service = true

  

 

Standard URL Filter from ruleset library starts like this:

URL Filtering by Category

[Provides access to the web content you choose]

[✔] Enabled [✘] Disabled in Cloud
Applies to: [✔] Requests [✘] Responses [✘] Embedded Objects
Always

Enabled

Rule

Action

Events

Comments

[✔] Enabled

Allow URLs That Match in URL Whitelist
1: URL matches in list URL Whitelist°

Stop Rule Set

    

[✔] Enabled

Block URLs That Match in URL Blocklist
1: URL matches in list URL Blocklist°

Block<URL Blocked>

Statistics.Counter.Increment("BlockedByURLFilter",1)<Default>

  

[✔] Enabled

Enable SafeSearchEnforcer
Always

Continue

Enable SafeSearch Enforcer<Default>

  

[✔] Enabled

Allow Uncategorized URLs
1: List.OfCategory.IsEmpty(URL.Categories<Default>) equals true

Stop Rule Set

  

This rule allows all URLs that are uncategorized by the GTI web database.

 

I recommend creating multiple lists and using string manipulation to create UDPs with normalized versions of URL.Host to check against a normal string list.

Tenant Restricted Suffix SSL Bypass (second entry isn't necessary because it is covered by first)

    *.sharepoint.com

    *-my.sharepoint.com

Tenant Restricted Suffix URL Whitelist

    *-files.sharepoint.com

    *-myfiles.sharepoint.com

O365 Tenant SSL Bypass List (for Sharepoint in general)

    tenant.sharepoint.com

    tenant-my.sharepoint.com

O365 Tenant URL Whitelist (for OneDrive specifically)

    tenant-files.sharepoint.com

    tenant-myfiles.sharepoint.com

Normalizing the UDP is accomplished with string manipulation of an exact match replacing specific tenant names found at the beginning of URL.Host with generic "tenant" as used in lists above 

Add Rules at top of O365 Bypass first normalizing, then  checking with action of Stop Ruleset 

    URL.Host matches in list Tenant Restricted Suffix SSL Bypass

        Continue - Normalize corporate tenant names in Events

    User-Defined.NormalizedHostSSLBypass does not match in list O365 Tenant SSL Bypass

        Stop Ruleset

Ruleset only allows bypass for tenant restricted sites starting with mytenant and mytenant1. The ruleset would now start like this:

Bypass Microsoft (Office 365) Services with Tenant
[This rule set contains rules to bypass Office 365 and/or other Microsoft services.]
[✔] Enabled [✔] Enabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Always
Enabled Rule Action Events Comments
[✔] Enabled Normalize Tenants when Host Matches Tenant Restricted Suffix SSL Bypass
1: URL.Host matches in list Tenant Restricted Suffix SSL Bypass		 Continue Set User-Defined.NormalizedHostSSLBypass = String.ReplaceFirstMatch(URL.Host,regex(^mytenant),"tenant")
Set User-Defined.NormalizedHostSSLBypass = String.ReplaceFirstMatch(URL.Host,regex(^mytenant1),"tenant")		  
[✔] Enabled Don't Bypass if Normalized Tenant Is Not in O365 Tenant SSL Bypass List
1: User-Defined.NormalizedHostSSLBypass is not in list O365 Tenant SSL Bypass List		 Stop Rule Set    
[✔] Enabled Shortcut Microsoft Service in Response
1: Cycle.Name equals "Response"
2: AND User-Defined.Shortcut_Microsoft_Service equals true		 Stop Cycle    
[✔] Enabled Bypass Exchange Online
1: URL.Destination.IP is in range list Exchange Online IP Addresses°
2: OR URL.Destination.IP is in range list Exchange Online Protection IP addresses°
3: OR URL.Host matches in list Exchange Online URLs°		 Stop Cycle Set User-Defined.Shortcut_Microsoft_Service = true  
[✔] Enabled Bypass Microsoft Federation Gateway
1: URL.Destination.IP is in range list The Microsoft Federation Gateway IP Addresses°		 Stop Cycle Set User-Defined.Shortcut_Microsoft_Service = true  
[✔] Enabled Bypass Lync/Skype for Business Online
1: URL.Destination.IP is in range list Lync Online IPv4 Addresses°
2: OR URL.Destination.IP is in range list Lync Online IPv6 Addresses°
3: OR URL.Host matches in list Lync Online URLs°		 Stop Cycle Set User-Defined.Shortcut_Microsoft_Service = true

 

String
# O365 Tenant SSL Bypass List  
  String Comment
1 tenant.sharepoint.com  
2 tenant-my.sharepoint.com  

 

Wildcard Expression
# Tenant Restricted Suffix SSL Bypass  
  Wildcard Expression Comment
1 *.sharepoint.com  
2 *-my.sharepoint.com  

 

Add rules at top of URL Filtering first normalizing, then checking with action of Stop Ruleset

    URL.Host matches in list Tenant Restricted Suffix URL Whitelist

        Continue Normalize corporate tenant names with Events

    User-Defined.NormalizedHostURLWhitelist matches in list O365 Tenant  URL Whitelist

        Stop Ruleset

    URL.Host matches in list Tenant Restricted Suffix URL Whitelist

        Continue Normalize third party tenant names with Events

    User-Defined.NormalizedHostURLWhitelist matches in list O365 Tenant  URL Whitelist

         Stop Ruleset

Obviously you can add other criteria and additional rules if you want to add authentication criteria for other tenant access.

In the example below mytenant and mytenant1 matches always bypass and thirdtenant and thirdtenant1 matches only bypass for administrators.

URL Filtering by Category with Tenant
[Provides access to the web content you choose]
[✔] Enabled [✘] Disabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Always
Enabled Rule Action Events Comments
[✔] Enabled Normalize Tenants when Host Matches Tenant Restricted Suffix URL Whitelist
1: URL.Host matches in list Tenant Restricted Suffix URL Whitelist		 Continue Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^mytenant),"tenant")
Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^mytenant1),"tenant")		  
[✔] Enabled OneDrive URL Whitelist for Normalized Company Tenants
1: User-Defined.NormalizedHostURLWhitelist is in list O365 Tenant URL Whitelist		 Stop Rule Set    
[✔] Enabled Normalize Third Party Tenants when Host Matches Tenant Restricted Suffix URL Whitelist
1: URL.Host matches in list Tenant Restricted Suffix URL Whitelist		 Continue Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^thirdtenant),"tenant")
Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^thirdtenant1),"tenant")		  
[✔] Enabled OneDrive URL Whitelist for Third-Party Tenants
1: User-Defined.NormalizedHostURLWhitelist is in list O365 Tenant URL Whitelist
2: AND Authentication.UserGroups at least one in list Third Party Tenant Authorized Groups		 Stop Rule Set    
[✔] Enabled Allow URLs That Match in URL Whitelist
1: URL matches in list URL Whitelist°		 Stop Rule Set    
[✔] Enabled Block URLs That Match in URL Blocklist
1: URL matches in list URL Blocklist°		 Block<URL Blocked> Statistics.Counter.Increment("BlockedByURLFilter",1)<Default>  
[✔] Enabled Enable SafeSearchEnforcer
Always		 Continue Enable SafeSearch Enforcer<Default>  
[✔] Enabled Allow Uncategorized URLs
1: List.OfCategory.IsEmpty(URL.Categories<Default>) equals true		 Stop Rule Set

 

String
# O365 Tenant URL Whitelist  
  String Comment
1 tenant-files.sharepoint.com  
2 tenant-myfiles.sharepoint.com  
# Third Party Tenant Authorized Groups  
  String Comment
1 Administrators  

 

Wildcard Expression
# Tenant Restricted Suffix URL Whitelist  
  Wildcard Expression Comment
1 *-files.sharepoint.com  
2 *-myfiles.sharepoint.com  

 

Please post if you have a better solution without the security hole noted below from the first version.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution in my reply so we can help other community participants?

View solution in original post

Tenantv2.zip
0 Kudos
Reply
3 Replies
jebeling
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4
‎08-20-2019 07:47 AM

Re: MWG Filtering Access to Third Party Sharepoint and Onedrive while Bypassing for Corporate Tenant

Jump to solution

Updated to close security hole. This version maintains flexibility and separation of unique tenant names from the host list. Each new tenant only needs an added event. Each new host name only needs single entry in two lists. 

Standard O365 SSL Bypass from ruleset library starts like this:

Bypass Microsoft (Office 365) Services

[This rule set contains rules to bypass Office 365 and/or other Microsoft services.]

[✔] Enabled [✔] Enabled in Cloud
Applies to: [✔] Requests [✔] Responses [✘] Embedded Objects
Always

Enabled

Rule

Action

Events

Comments

[✔] Enabled

Shortcut Microsoft Service in Response
1: Cycle.Name equals "Response"
2: AND User-Defined.Shortcut_Microsoft_Service equals true

Stop Cycle

    

[✔] Enabled

Bypass Exchange Online
1: URL.Destination.IP is in range list Exchange Online IP Addresses°
2: OR URL.Destination.IP is in range list Exchange Online Protection IP addresses°
3: OR URL.Host matches in list Exchange Online URLs°

Stop Cycle

Set User-Defined.Shortcut_Microsoft_Service = true

  

[✔] Enabled

Bypass Microsoft Federation Gateway
1: URL.Destination.IP is in range list The Microsoft Federation Gateway IP Addresses°

Stop Cycle

Set User-Defined.Shortcut_Microsoft_Service = true

  

[✔] Enabled

Bypass Lync/Skype for Business Online
1: URL.Destination.IP is in range list Lync Online IPv4 Addresses°
2: OR URL.Destination.IP is in range list Lync Online IPv6 Addresses°
3: OR URL.Host matches in list Lync Online URLs°

Stop Cycle

Set User-Defined.Shortcut_Microsoft_Service = true

  

 

Standard URL Filter from ruleset library starts like this:

URL Filtering by Category

[Provides access to the web content you choose]

[✔] Enabled [✘] Disabled in Cloud
Applies to: [✔] Requests [✘] Responses [✘] Embedded Objects
Always

Enabled

Rule

Action

Events

Comments

[✔] Enabled

Allow URLs That Match in URL Whitelist
1: URL matches in list URL Whitelist°

Stop Rule Set

    

[✔] Enabled

Block URLs That Match in URL Blocklist
1: URL matches in list URL Blocklist°

Block<URL Blocked>

Statistics.Counter.Increment("BlockedByURLFilter",1)<Default>

  

[✔] Enabled

Enable SafeSearchEnforcer
Always

Continue

Enable SafeSearch Enforcer<Default>

  

[✔] Enabled

Allow Uncategorized URLs
1: List.OfCategory.IsEmpty(URL.Categories<Default>) equals true

Stop Rule Set

  

This rule allows all URLs that are uncategorized by the GTI web database.

 

I recommend creating multiple lists and using string manipulation to create UDPs with normalized versions of URL.Host to check against a normal string list.

Tenant Restricted Suffix SSL Bypass (second entry isn't necessary because it is covered by first)

    *.sharepoint.com

    *-my.sharepoint.com

Tenant Restricted Suffix URL Whitelist

    *-files.sharepoint.com

    *-myfiles.sharepoint.com

O365 Tenant SSL Bypass List (for Sharepoint in general)

    tenant.sharepoint.com

    tenant-my.sharepoint.com

O365 Tenant URL Whitelist (for OneDrive specifically)

    tenant-files.sharepoint.com

    tenant-myfiles.sharepoint.com

Normalizing the UDP is accomplished with string manipulation of an exact match replacing specific tenant names found at the beginning of URL.Host with generic "tenant" as used in lists above 

Add Rules at top of O365 Bypass first normalizing, then  checking with action of Stop Ruleset 

    URL.Host matches in list Tenant Restricted Suffix SSL Bypass

        Continue - Normalize corporate tenant names in Events

    User-Defined.NormalizedHostSSLBypass does not match in list O365 Tenant SSL Bypass

        Stop Ruleset

Ruleset only allows bypass for tenant restricted sites starting with mytenant and mytenant1. The ruleset would now start like this:

Bypass Microsoft (Office 365) Services with Tenant
[This rule set contains rules to bypass Office 365 and/or other Microsoft services.]
[✔] Enabled [✔] Enabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Always
Enabled Rule Action Events Comments
[✔] Enabled Normalize Tenants when Host Matches Tenant Restricted Suffix SSL Bypass
1: URL.Host matches in list Tenant Restricted Suffix SSL Bypass		 Continue Set User-Defined.NormalizedHostSSLBypass = String.ReplaceFirstMatch(URL.Host,regex(^mytenant),"tenant")
Set User-Defined.NormalizedHostSSLBypass = String.ReplaceFirstMatch(URL.Host,regex(^mytenant1),"tenant")		  
[✔] Enabled Don't Bypass if Normalized Tenant Is Not in O365 Tenant SSL Bypass List
1: User-Defined.NormalizedHostSSLBypass is not in list O365 Tenant SSL Bypass List		 Stop Rule Set    
[✔] Enabled Shortcut Microsoft Service in Response
1: Cycle.Name equals "Response"
2: AND User-Defined.Shortcut_Microsoft_Service equals true		 Stop Cycle    
[✔] Enabled Bypass Exchange Online
1: URL.Destination.IP is in range list Exchange Online IP Addresses°
2: OR URL.Destination.IP is in range list Exchange Online Protection IP addresses°
3: OR URL.Host matches in list Exchange Online URLs°		 Stop Cycle Set User-Defined.Shortcut_Microsoft_Service = true  
[✔] Enabled Bypass Microsoft Federation Gateway
1: URL.Destination.IP is in range list The Microsoft Federation Gateway IP Addresses°		 Stop Cycle Set User-Defined.Shortcut_Microsoft_Service = true  
[✔] Enabled Bypass Lync/Skype for Business Online
1: URL.Destination.IP is in range list Lync Online IPv4 Addresses°
2: OR URL.Destination.IP is in range list Lync Online IPv6 Addresses°
3: OR URL.Host matches in list Lync Online URLs°		 Stop Cycle Set User-Defined.Shortcut_Microsoft_Service = true

 

String
# O365 Tenant SSL Bypass List  
  String Comment
1 tenant.sharepoint.com  
2 tenant-my.sharepoint.com  

 

Wildcard Expression
# Tenant Restricted Suffix SSL Bypass  
  Wildcard Expression Comment
1 *.sharepoint.com  
2 *-my.sharepoint.com  

 

Add rules at top of URL Filtering first normalizing, then checking with action of Stop Ruleset

    URL.Host matches in list Tenant Restricted Suffix URL Whitelist

        Continue Normalize corporate tenant names with Events

    User-Defined.NormalizedHostURLWhitelist matches in list O365 Tenant  URL Whitelist

        Stop Ruleset

    URL.Host matches in list Tenant Restricted Suffix URL Whitelist

        Continue Normalize third party tenant names with Events

    User-Defined.NormalizedHostURLWhitelist matches in list O365 Tenant  URL Whitelist

         Stop Ruleset

Obviously you can add other criteria and additional rules if you want to add authentication criteria for other tenant access.

In the example below mytenant and mytenant1 matches always bypass and thirdtenant and thirdtenant1 matches only bypass for administrators.

URL Filtering by Category with Tenant
[Provides access to the web content you choose]
[✔] Enabled [✘] Disabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Always
Enabled Rule Action Events Comments
[✔] Enabled Normalize Tenants when Host Matches Tenant Restricted Suffix URL Whitelist
1: URL.Host matches in list Tenant Restricted Suffix URL Whitelist		 Continue Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^mytenant),"tenant")
Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^mytenant1),"tenant")		  
[✔] Enabled OneDrive URL Whitelist for Normalized Company Tenants
1: User-Defined.NormalizedHostURLWhitelist is in list O365 Tenant URL Whitelist		 Stop Rule Set    
[✔] Enabled Normalize Third Party Tenants when Host Matches Tenant Restricted Suffix URL Whitelist
1: URL.Host matches in list Tenant Restricted Suffix URL Whitelist		 Continue Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^thirdtenant),"tenant")
Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^thirdtenant1),"tenant")		  
[✔] Enabled OneDrive URL Whitelist for Third-Party Tenants
1: User-Defined.NormalizedHostURLWhitelist is in list O365 Tenant URL Whitelist
2: AND Authentication.UserGroups at least one in list Third Party Tenant Authorized Groups		 Stop Rule Set    
[✔] Enabled Allow URLs That Match in URL Whitelist
1: URL matches in list URL Whitelist°		 Stop Rule Set    
[✔] Enabled Block URLs That Match in URL Blocklist
1: URL matches in list URL Blocklist°		 Block<URL Blocked> Statistics.Counter.Increment("BlockedByURLFilter",1)<Default>  
[✔] Enabled Enable SafeSearchEnforcer
Always		 Continue Enable SafeSearch Enforcer<Default>  
[✔] Enabled Allow Uncategorized URLs
1: List.OfCategory.IsEmpty(URL.Categories<Default>) equals true		 Stop Rule Set

 

String
# O365 Tenant URL Whitelist  
  String Comment
1 tenant-files.sharepoint.com  
2 tenant-myfiles.sharepoint.com  
# Third Party Tenant Authorized Groups  
  String Comment
1 Administrators  

 

Wildcard Expression
# Tenant Restricted Suffix URL Whitelist  
  Wildcard Expression Comment
1 *-files.sharepoint.com  
2 *-myfiles.sharepoint.com  

 

Please post if you have a better solution without the security hole noted below from the first version.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution in my reply so we can help other community participants?

View solution in original post

Tenantv2.zip
0 Kudos
Reply
AaronT
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 4
‎08-20-2019 08:35 AM

Re: MWG Filtering Access to Third Party Sharepoint and Onedrive while Bypassing for Corporate Tenant

Jump to solution
My only feedback is in the MyCompany Tenant List. I would recommend explicitly stating your tenants without the wildcard
For example, if you allow mycompany* as an authorized tenant, then mycompanyfakesite would also match as a tenant.

0 Kudos
Reply
jebeling
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 4
‎08-20-2019 09:54 AM

Re: MWG Filtering Access to Third Party Sharepoint and Onedrive while Bypassing for Corporate Tenant

Jump to solution

Good point. But we are matching against URL.Host, so I couldn't think of a simple way to accommodate a proper conjunction of the two lists to avoid this issue. Will have to think about it some more. Without the wildcard it will not match against URL.Host.

I came up with a better but still flexible solution, without the security hole, and updated the original solution above. If someone has a better way please post.

 

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution in my reply so we can help other community participants?
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC