4.15. Implementing Office 365 URL Categorization

4.15.1. What it is

SSL Orchestrator 10.1 introduces an Office 365 URL management feature. Microsoft maintains the set of active Office 365 resource URLs in an API-accessible data set that gets updated roughly every 30 days. The new SSL Orchestrator feature periodically polls this data set for changes, and if any are detected, automatically downloads and updates local custom URL categories. These categories are natively accessible in the SSL Orchestrator security policy to enable precise control over access to Office 365 resources.


4.15.2. How to build it

To enable the Office 365 updater function, click on the Office 365 logo in the top right of the SSL Orchestrator UI configuration page.

Office 365 URL/Datagroup Updater

User Input

Frequency

Specify how often you would like SSLO to fetch the O365 URLs.

Fetch Now

Authorize SSLO to fetch the O365 URLs and save data to custom URL categories/data groups on clicking Save.

Endpoint

Specify the endpoints for which you will fetch the O365 URLs.

Use Required URLs Only

Specify whether to fetch the minimum URLs required for O365 connectivity. Clear this checkbox to fetch all URLs, including required ones.

Include URLs

Enter a URL not categorized as an O365 URL that you would like to include. Then, add additional URLs using the + icon. A URL entry supports either an exact match or an ends-with match, for example www.f5.com or .f5.com.

Exclude URLs

Enter a URL that you would like to omit from this fetch request. Then, add additional URLs using the + icon. A URL entry supports either an exact match or an ends-with match, for example www.f5.com or .f5.com.

Note: When excluding a URL, ensure that the corresponding wildcard URL is also removed from the list; otherwise the traffic would still pass. Because the Office 365 URL categories may contain wildcard URLs such as https://*.office365.com/, a specifically excluded URL (for example https://smtp.office365.com/) may in some instances still match a wildcard entry.

Create IP Datagroups

Select this option to create IP data groups consisting of IP addresses after fetching URLs.

Exclude IPs

Enter an IP address you would like to omit from this fetch request. Then, add additional IP addresses using the + icon. The IP address must be an exact match to the IP existing in the JSON record. The IP/CIDR mask cannot be modified.

Trusted Certificate Authority

Specify a trusted certificate authority:

  • None: Specifies that no CA is trusted for server-side processing.

  • ca-bundle: Uses the ca-bundle.crt file, which contains all well-known public certificate authority (CA) certificates, for server-side processing.

  • default: Specifies that the trusted CA for server-side processing is the default certificate on the system.

O365 Categories

Select the required Office 365 categories.

  • Default: Select this option to create a data set containing O365 “Default” endpoints. Default category endpoints represent Office 365 services that do not require optimization.

  • Optimize: Select this option to create a data set containing O365 “Optimize” endpoints. Optimize category endpoints are required for connectivity to every Office 365 service and represent the scenarios most sensitive to network performance, latency, and availability.

  • Allow: Select this option to create a data set containing O365 “Allow” endpoints. Allow category endpoints are required for specific Office 365 services but are not as sensitive to latency as the Optimize URLs.

Service Area

Select the required Office 365 Service Areas:

  • Exchange: Select this option to import endpoints from the Exchange service area.

  • SharePoint: Select this option to import endpoints from the SharePoint service area.

  • Skype: Select this option to import endpoints from the Skype service area.

Run Information

This window provides a running log of script activity, including updates and any errors encountered.


Once configured, you can use the Office 365 URL categories in SSL Orchestrator policy rules as category lookup conditions. The utility will, depending on configuration, create four custom URL categories:

  • Office_365_Optimized(Managed): Contains the set of URL endpoints required for connectivity to every Office 365 service; these represent over 75% of Office 365 bandwidth, connections, and volume of data, and are the Office 365 scenarios most sensitive to network performance, latency, and availability. The list of URLs in this category is short, containing only the resources that are the most sensitive to latency:

    • outlook.office.com

    • outlook.office365.com

    • *.sharepoint.com


  • Office_365_Allow(Managed): Contains the set of URL endpoints required for connectivity to specific Office 365 services and features that are not as sensitive to network performance and latency as those in the Optimize category.


  • Office_365_Default(Managed): Contains the set of URL endpoints that represent Office 365 services and dependencies that do not require any optimization and can be treated by customer networks as normal Internet bound traffic.


  • Office_365_All(Managed): Contains the set of all URL endpoints.


It will also optionally create two IP data groups that can be used in policy rule IP conditions:

  • Office_365_Managed_IPv4


  • Office_365_Managed_IPv6
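As an added example (not the updater's own code, nor the sslo-o365-update script), the Python below reproduces the selection logic described above on a constructed sample of endpoint records: the category and service-area filters, the required-only switch, exact or ends-with Include/Exclude URL matching, exact-match IP exclusion, the IPv4/IPv6 data group split, and the wildcard caveat from the Exclude URLs note. The record layout and the reading of a leading "." as an ends-with entry are assumptions.

```python
import ipaddress

# Constructed sample modeled on the Microsoft endpoint JSON the updater polls
# (fields id, serviceArea, category, required, urls, ips); not live data.
SAMPLE = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "2603:1006::/40"]},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "urls": ["*.office365.com", "smtp.office365.com"], "ips": ["40.92.0.0/15"]},
    {"id": 3, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "urls": ["*.sharepoint.com"], "ips": ["13.107.136.0/22", "2620:1ec:8f8::/46"]},
    {"id": 4, "serviceArea": "Skype", "category": "Default", "required": False,
     "urls": ["*.skype.com"], "ips": []},
]

def url_matches(url, entry):
    # Include/Exclude entries: a leading "." means ends-with (".f5.com"),
    # anything else is an exact match ("www.f5.com"), as the UI text describes.
    return url.endswith(entry) if entry.startswith(".") else url == entry

def wildcard_covers(excluded, remaining):
    # Wildcard entries that would still admit an excluded host, e.g.
    # "*.office365.com" still matches "smtp.office365.com" (the page's caveat).
    return [w for w in remaining if w.startswith("*.") and excluded.endswith(w[1:])]

def build_datasets(records, categories, areas, required_only,
                   include=(), exclude=(), exclude_ips=()):
    urls, v4, v6 = set(), set(), set()
    for rec in records:
        if rec["category"] not in categories or rec["serviceArea"] not in areas:
            continue
        if required_only and not rec["required"]:
            continue
        urls.update(rec.get("urls", []))
        for ip in rec.get("ips", []):
            if ip in exclude_ips:  # Exclude IPs is exact-match only per the UI
                continue
            (v4 if ipaddress.ip_network(ip, strict=False).version == 4 else v6).add(ip)
    urls.update(include)
    dropped = {u for u in urls if any(url_matches(u, e) for e in exclude)}
    urls -= dropped
    still_covered = {u: wildcard_covers(u, urls) for u in dropped if wildcard_covers(u, urls)}
    return {"urls": sorted(urls), "ipv4": sorted(v4), "ipv6": sorted(v6),
            "still_covered": still_covered}

if __name__ == "__main__":
    print(build_datasets(SAMPLE, {"Optimize", "Allow"}, {"Exchange", "SharePoint"},
                         required_only=True, exclude=["smtp.office365.com"]))
```

A non-empty still_covered result is the condition the note warns about: the excluded host was removed, but a surviving wildcard entry would still let that traffic match the category.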


This feature is also supported in previous versions of SSL Orchestrator through installation of a Python script found here: https://github.com/f5devcentral/sslo-o365-update


For additional details on the Microsoft Office 365 URL endpoints: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide