App-Based Office 365 Integration with Explicit Proxy

Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)

What Do I Need?
  • Prisma Access license
Learn how to integrate the browser-based and app-based versions of Office 365 (M365) with Explicit Proxy.

Cloud Management

Prisma Access Explicit Proxy supports the browser-based and app-based versions of Office 365 (M365), including Office Online (office.com). Browser-based Office 365 works with no additional configuration on Explicit Proxy; to use the app-based version of Office 365, complete the following steps.
  1. Visit the EDL Hosting Service and identify the Feed URL for your SaaS application.
    Review the Microsoft 365 documentation for guidance on which Feed URL is best for your use case. Also consider the SaaS application and the location of the users accessing it when choosing a Feed URL. For example, if you have a branch in Germany that only needs to access Exchange Online, select a Feed URL listed under Service Area: Exchange Online for Germany.
  2. (Best Practices) Create a certificate profile to authenticate the EDL Hosting Service.
    The certificate profile makes Prisma Access verify that the feed really comes from the EDL Hosting Service; without it, a spoofed feed could inject arbitrary URLs into the do-not-decrypt and allow rules you create later.
    1. Import the GlobalSign Root R1 certificate in Cloud Managed Prisma Access.
      1. In Prisma Access (Cloud Management), go to Manage > Configuration > Objects > Certificate Management, set the scope to Explicit Proxy, and Import a new certificate.
        If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Objects > Certificate Management, set the configuration scope to Prisma Access > Mobile Users Container > Explicit Proxy, and Import a new certificate.
      2. Enter a descriptive Certificate Name.
      3. For the Certificate File, select Choose File and select the GlobalSign Root R1 certificate file.
      4. For the file Format, select Base64 Encoded Certificate (PEM).
      5. Save your changes.
    2. Create a certificate authority (CA) certificate profile.
      1. Add Profile in the Certificate Profiles area.
      2. Enter a descriptive Name.
      3. For the CA Certificate, Add the certificate you imported in the previous step.
      4. Save your changes.
  3. Create an EDL using a Feed URL from the EDL Hosting Service.
    1. Go to Manage > Configuration > Objects > External Dynamic Lists and Add External Dynamic List, making sure that the scope is still set to Explicit Proxy.
      If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Objects > External Dynamic Lists and Add External Dynamic List. Set the configuration scope to Prisma Access > Mobile Users Container > Explicit Proxy.
    2. Enter a descriptive Name for the EDL.
    3. Select a Type of URL List.
    4. (Optional) Enter a Description for the EDL.
    5. Enter the Feed URL as the EDL Source.
      Enforce all endpoints in the Feed URL. Excluding individual endpoints from a Feed URL can cause connectivity issues to the SaaS application.
    6. (Best Practices) Select the Certificate Profile you created in the previous step.
    7. Specify how often the firewall should Check for updates, matching the update frequency of the Feed URL. For example, if Palo Alto Networks updates the Feed URL daily, configure the EDL to check for updates Daily.
      Palo Alto Networks displays the update frequency for each Feed URL in the EDL Hosting Service. Feed URLs are automatically updated with any new endpoints.
    8. Save your changes.
  4. Add a decryption policy rule that prevents decryption of the EDL Feed URLs.
    1. Select Manage > Configuration > Decryption, set the scope to Explicit Proxy, and Add Rule.
      If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption and Add Rule. Set the configuration scope to Prisma Access > Mobile Users Container > Explicit Proxy.
    2. Enter a descriptive Name for the policy.
    3. In the Services and URLs area, Add External Dynamic Lists and specify the EDL you created in an earlier step.
    4. Select an Action and Advanced Inspection of Do Not Decrypt.
      The Office 365 client apps pin their certificates, so decrypting their traffic breaks them; place this rule above any rule that would otherwise decrypt the same destinations, because the first matching decryption rule wins.
  5. Add a security policy rule to allow traffic to the EDL Feed URLs.
    1. Select Manage > Configuration > Security Services > Security Policy, making sure that the scope is set to Explicit Proxy, and Add Rule.
      If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy and Add Rule. Set the configuration scope to Prisma Access > Mobile Users Container > Explicit Proxy.
    2. Enter a descriptive Name for the policy.
    3. In the URL Category Entities area, Add External Dynamic Lists and specify the EDL you created in an earlier step.
    4. Select an Action and Advanced Inspection of Allow.
  6. Push Config to save your changes to Prisma Access.


Panorama

Prisma Access Explicit Proxy supports the browser-based version of Office 365 (M365), including Office Online (office.com). Follow these steps to integrate the browser-based version of Office 365 with Explicit Proxy.
While Explicit Proxy does not support the app-based version of Office 365, you can follow these guidelines to use Explicit Proxy alongside the Office 365 apps.

Set up Browser-Based Office 365 Integration with Prisma Access Explicit Proxy

If you use the browser-based version of Office 365, complete the following task to integrate Office 365 with Explicit Proxy.
  1. (Optional) If you want to use tenant-based restrictions (restrict access to Office 365 to a specific set of tenants), use HTTP header insertion with a Custom URL category to allow specific tenants access to Office 365.
  2. Add decryption policies for the URLs that are used for Office 365.
    1. Select Objects > Custom Objects > URL Category and Add a Custom URL Category.
      Be sure that you are in the Explicit_Proxy_Device_Group.
    2. Specify a Type of URL List.
    3. Add the list of sites to enable Office 365 integration.
      To simplify uploading the URLs, copy the list of Office 365 URLs at https://saasedl.paloaltonetworks.com/feeds/m365/worldwide/any/all/url, save those URLs to a file, and Import the file into the Custom URL Category.
      This is a static copy of the feed; the feed itself is updated with new endpoints, so re-import it when it changes, or Office 365 connectivity will degrade as endpoints are added.
    4. Select Policies > Decryption > Pre Rules and Add a decryption policy rule.
    5. Specify the URL Category you created.
  3. Add decryption policies for Data and Threat Protection capabilities such as Enterprise Data Loss Prevention (Enterprise DLP), WildFire, Threat Prevention, or SaaS Security.

Set up App-Based Office 365 Integration with Explicit Proxy

Explicit Proxy does not support the full client-based (app) version of Office 365, because the Office 365 apps use non-web ports and protocols and pinned certificates, which prevents decryption. If you need to secure traffic from the Office 365 client apps, use one of the following Prisma Access capabilities:
  • Deploy Mobile Users—GlobalProtect with Explicit Proxy and use the GlobalProtect split tunnel options to route traffic from the Office 365 apps through the GlobalProtect tunnel, while sending other internet traffic through the GlobalProtect tunnel, directly to the internet, or to Explicit Proxy, based on your PAC file and the GlobalProtect tunnel include and exclude options.
  • If your organization requires that internet-bound traffic go through an Explicit Proxy, or if your network does not have a default route, you can deploy a Remote Network deployment with Explicit Proxy. In this deployment, Explicit Proxy provides you with a list of Anycast and unicast addresses, and you configure your CPE to route traffic through those addresses to the remote network and, from there, to Explicit Proxy and to the internet.
    To use Office 365 with this deployment type, specify PAC file rules that send the non-web Office 365 traffic directly to the internet.
  • If you cannot deploy GlobalProtect or a Prisma Access Remote Network in your environment, configure the Explicit Proxy PAC file to bypass Office 365 traffic, using the list of URLs to bypass (see List of URLs to Enable Office 365 Integration with Prisma Access Explicit Proxy).
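The following PAC file is an added example, not part of this page and not Palo Alto Networks code. It implements the third option above (bypassing Office 365 in the Explicit Proxy PAC file) and, because it consumes the same URL-list syntax that the EDL steps in the Cloud Management section feed into Prisma Access, it also shows what that list looks like. The proxy address `proxy.example.com:8080` is a placeholder, the bypass entries are a constructed sample (in production, paste in the contents of the feed URL, for example `https://saasedl.paloaltonetworks.com/feeds/m365/worldwide/any/all/url`), and matching is host-only, which is the only information modern browsers pass to `FindProxyForURL` for HTTPS URLs. It is written in ES5 syntax because not every PAC evaluator supports ES6.

```javascript
// Added example (not from the Prisma Access page): an Explicit Proxy PAC file
// that sends Office 365 hosts DIRECT and everything else to the proxy.

// Placeholder proxy address. Do not append "; DIRECT" as a fallback: that would
// let every host bypass inspection whenever the proxy is unreachable.
var EXPLICIT_PROXY = "PROXY proxy.example.com:8080";

// Constructed sample in EDL URL-list syntax: one entry per line, optional leading
// "*." wildcard, optional trailing "/". Replace with the feed contents.
var M365_BYPASS_LIST =
  "# sample entries, replace with the feed contents\n" +
  "*.office.com/\n" +
  "*.office365.com/\n" +
  "outlook.office.com/\n" +
  "login.microsoftonline.com/\n" +
  "*.sharepoint.com/\n" +
  "*.office.com/somepath/\n"; // path-specific entry: skipped, matching is host-only

// Parse URL-list entries into host matchers. Entries with a path beyond "/" are
// skipped because the PAC never sees the path of an HTTPS request.
function parseBypassList(text) {
  var matchers = [];
  var lines = text.split("\n");
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].replace(/^\s+|\s+$/g, "");
    if (!line || line.charAt(0) === "#") continue;
    var slash = line.indexOf("/");
    var hostPart = slash === -1 ? line : line.substring(0, slash);
    var pathPart = slash === -1 ? "/" : line.substring(slash);
    if (pathPart !== "/") continue;
    hostPart = hostPart.toLowerCase();
    if (hostPart.indexOf("*.") === 0) {
      matchers.push({ host: hostPart.substring(2), wildcard: true });
    } else if (hostPart.length > 0) {
      matchers.push({ host: hostPart, wildcard: false });
    }
  }
  return matchers;
}

var BYPASS = parseBypassList(M365_BYPASS_LIST);

// Exact entries match only that host. Wildcard entries match the apex and any
// subdomain. Matching is on whole labels, so "notoffice.com" never matches
// "*.office.com"; a plain suffix test would let an attacker-registered domain
// slip past the proxy uninspected.
function hostIsBypassed(host) {
  var h = host.toLowerCase();
  if (h.charAt(h.length - 1) === ".") h = h.substring(0, h.length - 1);
  for (var i = 0; i < BYPASS.length; i++) {
    var m = BYPASS[i];
    if (h === m.host) return true;
    if (m.wildcard) {
      var suffix = "." + m.host;
      var pos = h.length - suffix.length;
      if (pos > 0 && h.indexOf(suffix, pos) === pos) return true;
    }
  }
  return false;
}

// PAC entry point, called by the browser or OS for every request.
function FindProxyForURL(url, host) {
  if (hostIsBypassed(host)) return "DIRECT";
  return EXPLICIT_PROXY;
}
```

Everything that matches the list leaves the device without passing through Explicit Proxy, so nothing inspects it; keep the bypass list to exactly the feed's entries, for the same reason the EDL steps warn against editing the Feed URL's endpoint set.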

List of URLs to Enable Office 365 Integration with Prisma Access Explicit Proxy

One option you can use to integrate non-browser Office 365 apps with Explicit Proxy is to specify the Office 365-related URLs and bypass those URLs in the Explicit Proxy PAC file. Use one of the following methods to obtain the list of URLs to bypass:
