
Gyp the Cat dot Com

Enforcing Microsoft Office 365 and Azure Tenancy with McAfee Web Gateway (MWG)
Business, internet

McAfee Web Gateway (MWG) is a pretty phenomenal product; if you’re looking for a commercial web filtering solution then MWG should certainly be something you investigate.  If however you already have an MWG and are looking for a rule base to make sure that your users can only log on to your approved Microsoft Office 365 domains, then read on.

Microsoft Office 365 (O365) is a pretty phenomenal product; if you’re looking for a collaboration system then O365 should be something you investigate.  If however you want to make sure that only your organisation can log on to O365 via your network, then read on.

Say you’ve invested in Office 365 and your work email address is [email protected] and you don’t want someone on your network to log on as [email protected]: this rule set is for you. This method lets you whitelist the domains you want to allow to access services through your MWG, and therefore blocks personal Hotmail or Live accounts unless you specify those domains accordingly.

In other words, you control access to Office 365 by blocking logons from every domain except the ones you allow.

Please note you will need to do at least some HTTPS decryption for this to work, but it does work across Office 365, Azure applications and things like OneDrive.  If you’ve whitelisted the O365 ranges you’ll need to fine-tune those rules to allow decryption of the login portal at login.microsoftonline.com.  Any service which uses the host login.microsoftonline.com will be checked.

Microsoft tell us you own your own data, and they make that easy with the likes of strong crypto built in, but they don’t make it easy for us to own our own connectivity.  If, like many organisations, you’ve moved your email onto Office 365 and whitelisted it through your proxies and firewalls, then anyone not from your organisation can already log on from your network, which makes moving data off site fairly trivial.  With the instructions below you’ll be able to control your own information flows better.

Demo

This is what your users will see when they try to log on.  In this demo I’ve used microsoft.com as the allowed domain.

https://www.gypthecat.com/wp-content/uploads/2017/05/Enforce-Office365-Tennancy.webm

Instructions

If you want to download a ready made XML rule set to import, scroll down in this post…

Firstly, log on to your MWG as normal.

Click on “Policy” – “Add” – “Rule Set”

On the box that pops up, give it a sensible name, e.g. “Enable Office 365 Tenancy”, and change “Apply this rule set” to the “URL/Host criteria”.

On the next screen that pops up you’ll want to match “URL.Host” with “equals” and “login.microsoftonline.com”, just like this.

Then, back on the main screen, be sure to click “Add Rule” in the right-hand panel.

You’ll want to fill these dialogue boxes in like the following (and you can click on the picture for a bigger version):

This next one involves quite a lot of clicking and typing; I won’t walk you through each step, but you want the finished version to look like the following.  Be sure to change the “*@gypthecat.com” string to your own domain, i.e. the one your users currently log on with.  Click “Next” when you’re done.

Under Action, select “Redirect”.

Then click “Edit”.

Populate the box like the following; you’ll want to use “https://login.microsoftonline.com/logout.srf” as the redirect URL.  When you’re done, click “Ok”.

Then click “Next”.

Leave Events blank, and click “Next”.

Then click “Finish”.

Back on the main screen, make sure to click “Save Changes”.

Give it a test and it should be good to go!

Troubleshooting

If you’ve been through the above (or downloaded my rule base from below) and you’re having issues, have a look at the following:

  • If you are whitelisting Office 365 in your MWG policy, be sure to order this rule set above the whitelist rule; otherwise the whitelist rule stops processing before the tenancy check runs.
  • You have to be doing HTTPS inspection for at least some sites.  If you can browse to https://login.microsoftonline.com and the certificate doesn’t chain to your MWG CA (i.e. it reflects a proper Microsoft cert), then you’re not doing enough HTTPS inspection for this to work.
  • Microsoft change their O365 domains fairly often, and if they’ve changed the logon method you’ll have to do some rule tracing to figure it out.

If you have any other issues feel free to drop a comment below, I will help how I can.
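To make the decision logic behind the rule set (and the two ordering and HTTPS-inspection points above) concrete, here is an added Python model of it; this is example code written for this page, not McAfee’s engine or the XML rule base below. It assumes the rule reads the logon name from a “login” field in the decrypted POST body (the exact field the real rule inspects is not shown here) and that a rule set is an ordered list where the first rule returning an action wins.

```python
"""Model of the 'Enforce Office 365 Tenancy' rule set (constructed example).

Assumption: the logon name is read from the 'login' field of the decrypted
POST body; a rule set is an ordered list and the first action returned wins.
"""
from fnmatch import fnmatch
from urllib.parse import parse_qs

LOGIN_HOST = "login.microsoftonline.com"
LOGOUT_URL = "https://login.microsoftonline.com/logout.srf"
ALLOWED = ["*@gypthecat.com"]                       # replace with your own domain(s)
O365_HOSTS = {LOGIN_HOST, "outlook.office365.com"}  # constructed whitelist rule hosts

def tenancy_rule(req, allowed_patterns):
    """Redirect logons whose name matches none of the allowed patterns."""
    if req["host"] != LOGIN_HOST:      # rule set criteria: URL.Host equals the login portal
        return None
    if not req.get("decrypted"):       # no HTTPS inspection: body is opaque, rule cannot fire
        return None
    login = parse_qs(req.get("body", "")).get("login", [""])[0]
    if not login:                      # no logon name in this request (e.g. a GET)
        return None
    if any(fnmatch(login.lower(), pat.lower()) for pat in allowed_patterns):
        return None
    return ("redirect", LOGOUT_URL)

def whitelist_rule(req, hosts):
    """Models a typical O365 whitelist rule: allow and stop processing."""
    return ("allow", None) if req["host"] in hosts else None

def evaluate(rules, req):
    """Walk the rule set in order; the first rule that returns an action wins."""
    for rule in rules:
        action = rule(req)
        if action:
            return action
    return ("allow", None)

# Constructed sample requests to the login portal.
INTERNAL = {"host": LOGIN_HOST, "decrypted": True,
            "body": "login=alice%40gypthecat.com&passwd=x"}
EXTERNAL = {"host": LOGIN_HOST, "decrypted": True,
            "body": "login=bob%40hotmail.com&passwd=x"}
UNDECRYPTED = {"host": LOGIN_HOST, "decrypted": False, "body": ""}

if __name__ == "__main__":
    tenancy = lambda r: tenancy_rule(r, ALLOWED)
    whitelist = lambda r: whitelist_rule(r, O365_HOSTS)
    print(evaluate([tenancy, whitelist], EXTERNAL))   # tenancy first: redirect to logout
    print(evaluate([whitelist, tenancy], EXTERNAL))   # whitelist first: external logon allowed
    print(tenancy_rule(UNDECRYPTED, ALLOWED))         # None: nothing to inspect without decryption
```

Running it shows the external logon slipping through when the whitelist rule is ordered first, and the rule never firing on an undecrypted request, which are the two failure modes listed under Troubleshooting.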

Rule Base Download

Feel free to download the XML file of the rules here:

Enforce-Office365-Tennancy.xml

Uncompress it and import it into your MWG.

The only thing you’ll need to do is update the email domain from “*@gypthecat.com” to the domain of your choice.

Written by gyp - May 27, 2017 - 11032 Views
Tags | internet, linux, mwg, office 365, proxy, security
