4.15. Implementing Office 365 URL Categorization
4.15.1. What it is
SSL Orchestrator 10.1 introduces an Office 365 URL management feature. Microsoft maintains the set of active Office 365 resource URLs in an API-accessible data set that gets updated roughly every 30 days. The new SSL Orchestrator feature periodically polls this data set for changes, and if any are detected, automatically downloads and updates local custom URL categories. These categories are natively accessible in the SSL Orchestrator security policy to enable precise control over access to Office 365 resources.
4.15.2. How to build it
To enable the Office 365 updater function, click on the Office 365 logo in the top right of the SSL Orchestrator UI configuration page.
| Office 365 URL/Datagroup Updater | User Input |
|---|---|
| Frequency | Specify how often you would like SSLO to fetch the O365 URLs. |
| Fetch Now | Authorize SSLO to fetch the O365 URLs and save data to custom URL categories/data groups on clicking Save. |
| Endpoint | Specify the endpoints for which you will fetch the O365 URLs. |
| User Required URLs Only | Specify whether to fetch the minimum URLs required for O365 connectivity. Clear this checkbox to fetch all URLs, including required ones. |
| Include URLs | Enter a URL not categorized as an O365 URL that you would like to include. Then, add additional URLs using the + icon. The URL entry supports either an exact match or an ends-with match, for example www.f5.com or .f5.com. |
| Exclude URLs | Enter a URL that you would like to omit from this fetch request. Then, add additional URLs using the + icon. The URL entry supports either an exact match or an ends-with match, for example www.f5.com or .f5.com. Note: When excluding a URL, ensure that the corresponding wildcard URL is also removed from the list; otherwise, the traffic will still pass. Because Office 365 URL categories may contain wildcard URLs such as https://*.office365.com/, a specifically excluded URL, for example https://smtp.office365.com/, may still match a wildcard. |
| Create IP Datagroups | Select this option to create IP data groups consisting of IP addresses after fetching URLs. |
| Exclude IPs | Enter an IP address you would like to omit from this fetch request. Then, add additional IP addresses using the + icon. The IP address must be an exact match to the IP existing in the JSON record. The IP/CIDR mask cannot be modified. |
| Trusted Certificate Authority | Specify a trusted certificate authority: |
| O365 Categories | Select the required Office 365 categories. |
| Service Area | Select the required Office 365 Service Areas: |
| Run Information | This window provides a running log of script activity, including updates and any errors encountered. |
Once configured, you can use the Office 365 URL categories in SSL Orchestrator policy rules as category lookup conditions. The utility will, depending on configuration, create four custom URL categories:
Office_365_Optimized(Managed): Contains the set of URL endpoints that are required for connectivity to every Office 365 service and that represent over 75% of Office 365 bandwidth, connections, and volume of data. These endpoints represent Office 365 scenarios that are the most sensitive to network performance, latency, and availability. The list of URLs in this category is short, only containing the resources that are the most sensitive to latency:
outlook.office.com
outlook.office365.com
*.sharepoint.com
Office_365_Allow(Managed): Contains the set of URL endpoints that are required for connectivity to specific Office 365 services and features but are not as sensitive to network performance and latency as those in the Optimize category.
Office_365_Default(Managed): Contains the set of URL endpoints that represent Office 365 services and dependencies that do not require any optimization and can be treated by customer networks as normal Internet-bound traffic.
Office_365_All(Managed): Contains the set of all URL endpoints.
It will also optionally create two IP data groups that can be used in policy rule IP conditions:
Office_365_Managed_IPv4
Office_365_Managed_IPv6
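The Exclude URLs note and the category and IP data group split described above can be checked offline before relying on an exclusion in policy. The following Python sketch is an added example, not F5's updater code: it groups a constructed sample of endpoint records into URL categories and IP families, then reports which remaining wildcard entries still match an excluded URL. The field names (`category`, `required`, `urls`, `ips`) are assumed to follow Microsoft's endpoint data set, and the function names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample shaped like Microsoft's endpoint records (not real data).
SAMPLE = json.loads("""[
 {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
  "urls": ["outlook.office.com", "outlook.office365.com"], "ips": ["192.0.2.0/24"]},
 {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": true,
  "urls": ["smtp.office365.com", "*.office365.com"], "ips": ["2001:db8::/32"]},
 {"id": 3, "serviceArea": "Common", "category": "Default", "required": false,
  "urls": ["*.example-cdn.test"]}
]""")

def build_categories(records, required_only=False, exclude_urls=(), exclude_ips=()):
    """Group URLs by category (plus All) and IPs by family, applying exclusions."""
    cats = {"Optimize": set(), "Allow": set(), "Default": set(), "All": set()}
    ips = {"IPv4": set(), "IPv6": set()}
    for rec in records:
        if required_only and not rec.get("required", False):
            continue
        for url in rec.get("urls", []):
            if url.lower() in exclude_urls:      # removes the exact entry only
                continue
            cats[rec["category"]].add(url.lower())
            cats["All"].add(url.lower())
        for ip in rec.get("ips", []):
            if ip not in exclude_ips:            # must equal the record's IP/CIDR exactly
                ips["IPv6" if ":" in ip else "IPv4"].add(ip)
    return cats, ips

def shadowing_wildcards(excluded_host, urls):
    """Wildcard entries still present that would match an excluded host."""
    host = excluded_host.lower()
    return sorted(u for u in urls if "*" in u and fnmatchcase(host, u))

def audit_exclusions(records, exclude_urls, **kw):
    """Map each excluded URL to the wildcards that keep it matching."""
    cats, _ = build_categories(records, exclude_urls=exclude_urls, **kw)
    return {x: shadowing_wildcards(x, cats["All"]) for x in exclude_urls}

if __name__ == "__main__":
    print(audit_exclusions(SAMPLE, {"smtp.office365.com"}))
    # Excluding the wildcard as well clears the finding.
    print(audit_exclusions(SAMPLE, {"smtp.office365.com", "*.office365.com"}))
```

An empty list for every excluded URL means no remaining wildcard covers it; any non-empty list names the wildcard entries that also have to be excluded.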
This feature is also supported in previous versions of SSL Orchestrator through installation of a Python script found here: https://github.com/f5devcentral/sslo-o365-update
For additional details on the Microsoft Office 365 URL endpoints: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide