How To Exempt Office 365 Traffic From Authentication and Decryption on Cisco Web Security Appliance (WSA)

Available Languages

Download Options

PDF (305.7 KB)
View with Adobe Reader on a variety of devices
ePub (379.2 KB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle) (314.4 KB)
View on Kindle device or Kindle app on multiple devices

Updated:August 14, 2019

Document ID:214746

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

Configuration Steps

1. Create a Custom URL Category using the Office365 External Feed

2. Create an Identification Profile for the Office 365 traffic

3. Exempt the Office 365 traffic from Decryption Policy

Reference

Introduction

This article describes the process involved to exempt Office 365 traffic from authentication and decryption on the Web Security Appliance (WSA). There are several known compatibility issues with Office 365 and proxies, and exempting Office 365 traffic authentication and decryption can help with some of these issues.

Note: This is not a full bypass from web proxy, and exempting traffic from decryption prevents the WSA from inspecting the encrypted HTTPS traffic generated by Office 365 clients.

Configuration Steps

Overview:

Create a Custom URL Category using the Office365 External Feed
Create an Identification Profile for the Office 365 traffic
Exempt the Office 365 traffic from Decryption Policy

Note: This process requires use of the dynamically updating Office 365 external JSON feed which contains all the URLs/IP addresses associated to Office 365.

Note: Support for this feed is present in AsyncOS version 10.5.3 onwards and 11.5 onwards versions.

1. Create a Custom URL Category using the Office365 External Feed

Navigate to Web Security Manager->Custom and External URL Categories
Click "Add Category"
Assign a name to the category, select the category type as "External Live Feed Category", and select the "Office 365 Web Service" option.
Click "Start Test" if you would like to test the WSA's ability to download the Office 365 JavaScript Object Notation (JSON) feed.
At the bottom, set the "Auto Update the Feed" option to "Hourly" with an interval of 00:05 (every 5 minutes)
Click the "Submit" button.

2. Create an Identification Profile for the Office 365 traffic

Navigate to Web Security Manager->Identitifcation Profiles
Click "Add Identification Profile"
Assign a name, set "Identification and Authentication" to "Exempt from authentication/identification".
Click the "Advanced" button, and click the link next to "URL Categories"
Find the category you created in the previous step, and select that category, and then scroll to the bottom of the page and click the "Done" button.

The Identification Profile should now look as follows:

Click the "Submit" button at the bottom of the screen.

3. Exempt the Office 365 traffic from Decryption Policy

Navigate to Web Security Manager->Decryption Policies
Click "Add Policy"
Assign a name, and then in the "Identification Profiles and Users" field, choose the "Select One or More Identification Profiles" option and select your Office 365 identity from the previous step.

Click on the "Submit" button.
Click on the link under "URL Filtering" that says "Monitor: 1"
Set the Office 365 category to "Passthrough" and click the "Submit" button.