McAfee Employee jebeling
McAfee Employee
Message 1 of 4

O365 MWG Filter Access to Third Party Sharepoint and Onedrive while Bypassing for Corporate Tenants


Best practice is to bypass SSL decrypt for OneDrive and SharePoint, but what if I still want to inspect for malware and DLP purposes when connecting to a third-party tenant's OneDrive or SharePoint instance?

1 Solution

Accepted Solutions
McAfee Employee jebeling
McAfee Employee
Message 2 of 4

Re: MWG Filtering Access to Third Party Sharepoint and Onedrive while Bypassing for Corporate Tenant


Updated to close the security hole. This version maintains flexibility and separation of unique tenant names from the host list. Each new tenant only needs an added event. Each new host name only needs a single entry in two lists.

Standard O365 SSL Bypass from ruleset library starts like this:

Bypass Microsoft (Office 365) Services

[This rule set contains rules to bypass Office 365 and/or other Microsoft services.]

[✔] Enabled [✔] Enabled in Cloud
Applies to: [✔] Requests [✔] Responses [✘] Embedded Objects
Always

Enabled

Rule

Action

Events

Comments

[✔] Enabled

Shortcut Microsoft Service in Response
1: Cycle.Name equals "Response"
2: AND User-Defined.Shortcut_Microsoft_Service equals true

Stop Cycle

   

[✔] Enabled

Bypass Exchange Online
1: URL.Destination.IP is in range list Exchange Online IP Addresses°
2: OR URL.Destination.IP is in range list Exchange Online Protection IP addresses°
3: OR URL.Host matches in list Exchange Online URLs°

Stop Cycle

Set User-Defined.Shortcut_Microsoft_Service = true

 

[✔] Enabled

Bypass Microsoft Federation Gateway
1: URL.Destination.IP is in range list The Microsoft Federation Gateway IP Addresses°

Stop Cycle

Set User-Defined.Shortcut_Microsoft_Service = true

 

[✔] Enabled

Bypass Lync/Skype for Business Online
1: URL.Destination.IP is in range list Lync Online IPv4 Addresses°
2: OR URL.Destination.IP is in range list Lync Online IPv6 Addresses°
3: OR URL.Host matches in list Lync Online URLs°

Stop Cycle

Set User-Defined.Shortcut_Microsoft_Service = true

 

 

Standard URL Filter from ruleset library starts like this:

URL Filtering by Category

[Provides access to the web content you choose]

[✔] Enabled [✘] Disabled in Cloud
Applies to: [✔] Requests [✘] Responses [✘] Embedded Objects
Always

Enabled

Rule

Action

Events

Comments

[✔] Enabled

Allow URLs That Match in URL Whitelist
1: URL matches in list URL Whitelist°

Stop Rule Set

   

[✔] Enabled

Block URLs That Match in URL Blocklist
1: URL matches in list URL Blocklist°

Block<URL Blocked>

Statistics.Counter.Increment("BlockedByURLFilter",1)<Default>

 

[✔] Enabled

Enable SafeSearchEnforcer
Always

Continue

Enable SafeSearch Enforcer<Default>

 

[✔] Enabled

Allow Uncategorized URLs
1: List.OfCategory.IsEmpty(URL.Categories<Default>) equals true

Stop Rule Set

 

This rule allows all URLs that are uncategorized by the GTI web database.

 

I recommend creating multiple lists and using string manipulation to create UDPs with normalized versions of URL.Host to check against a normal string list.

Tenant Restricted Suffix SSL Bypass (the second entry isn't necessary because it is covered by the first)

    *.sharepoint.com

    *-my.sharepoint.com

Tenant Restricted Suffix URL Whitelist

    *-files.sharepoint.com

    *-myfiles.sharepoint.com

O365 Tenant SSL Bypass List (for Sharepoint in general)

    tenant.sharepoint.com

    tenant-my.sharepoint.com

O365 Tenant URL Whitelist (for OneDrive specifically)

    tenant-files.sharepoint.com

    tenant-myfiles.sharepoint.com

Normalizing the UDP is accomplished with string manipulation: an exact match replaces specific tenant names found at the beginning of URL.Host with the generic "tenant" used in the lists above.

Add rules at the top of the O365 Bypass rule set, first normalizing, then checking with an action of Stop Rule Set:

    URL.Host matches in list Tenant Restricted Suffix SSL Bypass

        Continue - Normalize corporate tenant names in Events

    User-Defined.NormalizedHostSSLBypass does not match in list O365 Tenant SSL Bypass

        Stop Ruleset

The rule set only allows bypass for tenant-restricted sites starting with mytenant and mytenant1. The rule set would now start like this:

Bypass Microsoft (Office 365) Services with Tenant

[This rule set contains rules to bypass Office 365 and/or other Microsoft services.]

[✔] Enabled [✔] Enabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Always

[✔] Enabled  Normalize Tenants when Host Matches Tenant Restricted Suffix SSL Bypass
    1: URL.Host matches in list Tenant Restricted Suffix SSL Bypass
    Action: Continue
    Events: Set User-Defined.NormalizedHostSSLBypass = String.ReplaceFirstMatch(URL.Host,regex(^mytenant),"tenant")
            Set User-Defined.NormalizedHostSSLBypass = String.ReplaceFirstMatch(URL.Host,regex(^mytenant1),"tenant")

[✔] Enabled  Don't Bypass if Normalized Tenant Is Not in O365 Tenant SSL Bypass List
    1: User-Defined.NormalizedHostSSLBypass is not in list O365 Tenant SSL Bypass List
    Action: Stop Rule Set

[✔] Enabled  Shortcut Microsoft Service in Response
    1: Cycle.Name equals "Response"
    2: AND User-Defined.Shortcut_Microsoft_Service equals true
    Action: Stop Cycle

[✔] Enabled  Bypass Exchange Online
    1: URL.Destination.IP is in range list Exchange Online IP Addresses°
    2: OR URL.Destination.IP is in range list Exchange Online Protection IP addresses°
    3: OR URL.Host matches in list Exchange Online URLs°
    Action: Stop Cycle
    Events: Set User-Defined.Shortcut_Microsoft_Service = true

[✔] Enabled  Bypass Microsoft Federation Gateway
    1: URL.Destination.IP is in range list The Microsoft Federation Gateway IP Addresses°
    Action: Stop Cycle
    Events: Set User-Defined.Shortcut_Microsoft_Service = true

[✔] Enabled  Bypass Lync/Skype for Business Online
    1: URL.Destination.IP is in range list Lync Online IPv4 Addresses°
    2: OR URL.Destination.IP is in range list Lync Online IPv6 Addresses°
    3: OR URL.Host matches in list Lync Online URLs°
    Action: Stop Cycle
    Events: Set User-Defined.Shortcut_Microsoft_Service = true

 

String list "O365 Tenant SSL Bypass List":
    1  tenant.sharepoint.com
    2  tenant-my.sharepoint.com

Wildcard Expression list "Tenant Restricted Suffix SSL Bypass":
    1  *.sharepoint.com
    2  *-my.sharepoint.com

 

Add rules at the top of the URL Filtering rule set, first normalizing, then checking with an action of Stop Rule Set:

    URL.Host matches in list Tenant Restricted Suffix URL Whitelist

        Continue - Normalize corporate tenant names with Events

    User-Defined.NormalizedHostURLWhitelist matches in list O365 Tenant URL Whitelist

        Stop Rule Set

    URL.Host matches in list Tenant Restricted Suffix URL Whitelist

        Continue - Normalize third-party tenant names with Events

    User-Defined.NormalizedHostURLWhitelist matches in list O365 Tenant URL Whitelist

        Stop Rule Set

Obviously you can add other criteria and additional rules if you want to add authentication criteria for other tenant access.

In the example below, mytenant and mytenant1 matches always bypass, and thirdtenant and thirdtenant1 matches only bypass for administrators.

URL Filtering by Category with Tenant

[Provides access to the web content you choose]

[✔] Enabled [✘] Disabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Always

[✔] Enabled  Normalize Tenants when Host Matches Tenant Restricted Suffix URL Whitelist
    1: URL.Host matches in list Tenant Restricted Suffix URL Whitelist
    Action: Continue
    Events: Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^mytenant),"tenant")
            Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^mytenant1),"tenant")

[✔] Enabled  OneDrive URL Whitelist for Normalized Company Tenants
    1: User-Defined.NormalizedHostURLWhitelist is in list O365 Tenant URL Whitelist
    Action: Stop Rule Set

[✔] Enabled  Normalize Third Party Tenants when Host Matches Tenant Restricted Suffix URL Whitelist
    1: URL.Host matches in list Tenant Restricted Suffix URL Whitelist
    Action: Continue
    Events: Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^thirdtenant),"tenant")
            Set User-Defined.NormalizedHostURLWhitelist = String.ReplaceFirstMatch(URL.Host,regex(^thirdtenant1),"tenant")

[✔] Enabled  OneDrive URL Whitelist for Third-Party Tenants
    1: User-Defined.NormalizedHostURLWhitelist is in list O365 Tenant URL Whitelist
    2: AND Authentication.UserGroups at least one in list Third Party Tenant Authorized Groups
    Action: Stop Rule Set

[✔] Enabled  Allow URLs That Match in URL Whitelist
    1: URL matches in list URL Whitelist°
    Action: Stop Rule Set

[✔] Enabled  Block URLs That Match in URL Blocklist
    1: URL matches in list URL Blocklist°
    Action: Block<URL Blocked>
    Events: Statistics.Counter.Increment("BlockedByURLFilter",1)<Default>

[✔] Enabled  Enable SafeSearchEnforcer
    Always
    Action: Continue
    Events: Enable SafeSearch Enforcer<Default>

[✔] Enabled  Allow Uncategorized URLs
    1: List.OfCategory.IsEmpty(URL.Categories<Default>) equals true
    Action: Stop Rule Set

 

String list "O365 Tenant URL Whitelist":
    1  tenant-files.sharepoint.com
    2  tenant-myfiles.sharepoint.com

String list "Third Party Tenant Authorized Groups":
    1  Administrators

Wildcard Expression list "Tenant Restricted Suffix URL Whitelist":
    1  *-files.sharepoint.com
    2  *-myfiles.sharepoint.com

 

Please post if you have a better solution without the security hole noted below from the first version.

3 Replies
AaronT
Level 9
Message 3 of 4

Re: MWG Filtering Access to Third Party Sharepoint and Onedrive while Bypassing for Corporate Tenant

My only feedback is on the MyCompany Tenant List. I would recommend explicitly stating your tenants without the wildcard.
For example, if you allow mycompany* as an authorized tenant, then mycompanyfakesite would also match as a tenant.

McAfee Employee jebeling
McAfee Employee
Message 4 of 4

Re: MWG Filtering Access to Third Party Sharepoint and Onedrive while Bypassing for Corporate Tenant


Good point. But we are matching against URL.Host, so I couldn't think of a simple way to accommodate a proper conjunction of the two lists to avoid this issue. Will have to think about it some more. Without the wildcard it will not match against URL.Host.

I came up with a better but still flexible solution, without the security hole, and updated the original solution above. If someone has a better way please post.
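The normalize-then-lookup logic from the accepted solution, together with the prefix concern raised in reply 3, modelled in Python as an added example for this thread (this is not MWG code and not something either poster published). The list names are the accepted solution's; the list contents and the tenant names mytenant, mytenant1, thirdtenant, thirdtenant1 and the group Administrators are the sample values from the post. Two things are this example's own assumptions: each tenant regex is applied in turn to the running value rather than to the original host, and a `(?=[.-])` lookahead after the tenant name requires a delimiter to follow, so `mytenant` can no longer match `mytenantfakesite` or `mytenant1`. Whether the real MWG events behave identically to this model is not verified here; check it against your own rule trace.

```python
import re
from fnmatch import fnmatch

# Constructed lists mirroring the four lists in the accepted solution.
TENANT_RESTRICTED_SUFFIX_SSL_BYPASS = ["*.sharepoint.com", "*-my.sharepoint.com"]
O365_TENANT_SSL_BYPASS = {"tenant.sharepoint.com", "tenant-my.sharepoint.com"}
TENANT_RESTRICTED_SUFFIX_URL_WHITELIST = ["*-files.sharepoint.com", "*-myfiles.sharepoint.com"]
O365_TENANT_URL_WHITELIST = {"tenant-files.sharepoint.com", "tenant-myfiles.sharepoint.com"}

# Sample tenant names and group from the post (assumed values for this model).
CORPORATE_TENANTS = ["mytenant", "mytenant1"]
THIRD_PARTY_TENANTS = ["thirdtenant", "thirdtenant1"]
THIRD_PARTY_AUTHORIZED_GROUPS = {"Administrators"}


def matches_wildcard_list(host, patterns):
    """Model of 'URL.Host matches in list <wildcard list>'."""
    host = host.lower()
    return any(fnmatch(host, p) for p in patterns)


def normalize_host(host, tenants):
    """Model of the Normalize rule: replace a leading tenant name with 'tenant'.

    Assumption of this model: each tenant regex is applied to the running value,
    so a non-matching regex leaves an earlier replacement intact. The (?=[.-])
    lookahead is this example's hardening: the tenant name must be followed by
    '.' or '-', which stops 'mytenant' from matching 'mytenantfakesite' or
    'mytenant1' (the prefix problem from reply 3).
    """
    value = host.lower()
    for tenant in tenants:
        value = re.sub(r"^" + re.escape(tenant) + r"(?=[.-])", "tenant", value, count=1)
    return value


def ssl_bypass_decision(host):
    """Returns 'bypass' if the O365 bypass rule set keeps going (no decrypt),
    'inspect' if the normalized-tenant check stops the rule set, or 'n/a' when
    the host is not a tenant-restricted SharePoint name and the tenant rules
    do not apply (the rest of the library rule set runs as before)."""
    if not matches_wildcard_list(host, TENANT_RESTRICTED_SUFFIX_SSL_BYPASS):
        return "n/a"
    normalized = normalize_host(host, CORPORATE_TENANTS)
    return "bypass" if normalized in O365_TENANT_SSL_BYPASS else "inspect"


def url_filter_decision(host, user_groups):
    """Model of the four tenant rules at the top of URL Filtering by Category.
    'allow-corporate' / 'allow-third-party' correspond to Stop Rule Set;
    'continue' means the remaining URL filter rules apply."""
    if not matches_wildcard_list(host, TENANT_RESTRICTED_SUFFIX_URL_WHITELIST):
        return "continue"
    if normalize_host(host, CORPORATE_TENANTS) in O365_TENANT_URL_WHITELIST:
        return "allow-corporate"
    if (normalize_host(host, THIRD_PARTY_TENANTS) in O365_TENANT_URL_WHITELIST
            and set(user_groups) & THIRD_PARTY_AUTHORIZED_GROUPS):
        return "allow-third-party"
    return "continue"


if __name__ == "__main__":
    # Constructed hosts: corporate, corporate OneDrive, third-party, look-alike, non-SharePoint.
    for h in ["mytenant.sharepoint.com", "mytenant1-my.sharepoint.com",
              "thirdtenant.sharepoint.com", "mytenantfakesite.sharepoint.com",
              "outlook.office365.com"]:
        print(f"{h:36} ssl={ssl_bypass_decision(h)}")
    for h, groups in [("mytenant-files.sharepoint.com", []),
                      ("thirdtenant-myfiles.sharepoint.com", ["Administrators"]),
                      ("thirdtenant-myfiles.sharepoint.com", ["Users"])]:
        print(f"{h:36} groups={groups} url={url_filter_decision(h, groups)}")
```

The look-alike case is the one worth keeping in a regression check: `mytenantfakesite.sharepoint.com` normalizes to itself, is absent from the string list, and therefore stays decrypted and inspected, which is exactly the behaviour the accepted solution is after.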
