Prisma Access
App-Based Office 365 Integration with Explicit Proxy
Learn how to integrate the browser-based version of Office 365 with Explicit Proxy.
Cloud Management
Prisma Access Explicit Proxy supports the browser-based and app-based versions of Office 365 (M365), including Office Online (office.com). Web-based (browser-based) Office 365 is supported with no additional configuration required on Explicit Proxy; to use the app-based version of Office 365, complete the following steps.
- Visit the EDL Hosting Service and identify the Feed URL for your SaaS application. Review the Microsoft 365 documentation for more information on which Feed URL is best for your use case. Additionally, consider the SaaS application and the location of the users accessing it when identifying a Feed URL to use. For example, if you have a branch in Germany that only needs to access Exchange Online, select a Feed URL from the Service Area: Exchange Online for Germany.
- (Best Practices) Create a certificate profile to authenticate the EDL Hosting Service.
  - Download the GlobalSign Root R1 certificate.
  - Import the GlobalSign Root R1 certificate from Cloud Managed Prisma Access.
    - In Prisma Access (Cloud Management), go to Manage > Configuration > Objects > Certificate Management, set the scope to Explicit Proxy, and Import a new certificate. If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Objects > Certificate Management, set the configuration scope to Prisma Access > Mobile Users Container > Explicit Proxy, and Import a new certificate.
    - Enter a descriptive Certificate Name.
    - For the Certificate File, select Choose File and select the certificate you downloaded in the previous step.
    - For the file Format, select Base64 Encoded Certificate (PEM).
    - Save your changes.
  - Create a certificate authority (CA) certificate profile.
    - Add Profile in the Certificate Profiles area.
    - Enter a descriptive Name.
    - For the CA Certificate, Add the certificate you imported in the previous step.
    - Save your changes.
- Create an EDL using a Feed URL from the EDL Hosting Service.
  - Go to Manage > Configuration > Objects > External Dynamic Lists and Add External Dynamic List, making sure that the scope is still set to Explicit Proxy. If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Objects > External Dynamic Lists and Add External Dynamic List. Set the configuration scope to Prisma Access > Mobile Users Container > Explicit Proxy.
  - Enter a descriptive Name for the EDL.
  - Select a Type of URL List.
  - (Optional) Enter a Description for the EDL.
  - Enter the Feed URL as the EDL Source. Enforce all endpoints within a specific Feed URL; adding or excluding a specific endpoint from a Feed URL can cause connectivity issues to the SaaS application.
  - (Best Practices) Select the Certificate Profile you created in the previous step.
  - Specify the frequency at which the firewall should Check for updates to match the update frequency of the Feed URL. For example, if the Feed URL is updated daily by Palo Alto Networks, configure the EDL to check for updates Daily. Palo Alto Networks displays the update frequency for each Feed URL in the EDL Hosting Service. Feed URLs are automatically updated with any new endpoints.
  - Save your changes.
- Add a decryption policy to prevent decryption for the EDL Feed URLs.
  - Select Manage > Configuration > Decryption, set the scope to Explicit Proxy, and Add Rule. If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption and Add Rule. Set the configuration scope to Prisma Access > Mobile Users Container > Explicit Proxy.
  - Enter a descriptive Name for the policy.
  - In the Services and URLs area, Add External Dynamic Lists and specify the EDL you created in an earlier step.
  - Select an Action and Advanced Inspection of Do Not Decrypt.
- Add a security policy rule to allow traffic from the EDL Feed URLs.
  - Select Manage > Configuration > Decryption, making sure that the scope is set to Explicit Proxy, and Add Rule. If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Security Services > Decryption and Add Rule. Set the configuration scope to Prisma Access > Mobile Users Container > Explicit Proxy.
  - Enter a descriptive Name for the policy.
  - In the URL Category Entities area, Add External Dynamic Lists and specify the EDL you created in an earlier step.
  - Select an Action and Advanced Inspection of Allow.
- Push Config to save your changes to Prisma Access.
List of URLs to Enable Office 365 Integration with Prisma Access Explicit Proxy
One option you can use to integrate non-browser Office 365 apps with Explicit Proxy is to specify the Office 365-related URLs and bypass those URLs in the Explicit Proxy PAC file. Use one of the following methods to obtain the list of URLs to bypass:
- Use the EDL URL from the Palo Alto Networks EDL Hosting Service for Microsoft 365 apps. Using the hosting service eases the operational burden of securing traffic to your SaaS applications by utilizing a Feed URL as the EDL source. When a SaaS provider adds a new endpoint for a SaaS application, the corresponding Feed URL is updated. For worldwide Microsoft 365 URLs, use the https://saasedl.paloaltonetworks.com/feeds/m365/worldwide/any/all/url URL. Other URLs are provided for IPv4 and IPv6 and for country-specific and governmental applications.
- Retrieve the list of Office 365 IP addresses and URLs provided by Microsoft at https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges. Microsoft also provides an Office 365 IP address and URL web service at https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service.
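The PAC-file bypass described above (and used again for the Remote Network deployment later on this page), as an added example that is not part of the Palo Alto Networks documentation: a `FindProxyForURL` that returns DIRECT for hosts in an EDL-style URL list and sends everything else to Explicit Proxy. The feed entries embedded in the script are a constructed sample in the one-entry-per-line layout of the EDL Hosting Service, not the live feed; the proxy host and port `explicitproxy.example.com:8080` are assumed; and the wildcard rule (a `*.domain` entry matches the bare domain and its subdomains on a label boundary only) is this example's own choice.

```javascript
// Added example, not from the Prisma Access documentation: an Explicit Proxy
// PAC file that bypasses Office 365 hosts (DIRECT) and sends everything else
// to Explicit Proxy. Written with var/function only, because many PAC engines
// do not support newer JavaScript syntax.

// Constructed sample in the EDL Hosting Service URL-list layout (one entry per
// line). In production, paste the entries from the live feed at
// https://saasedl.paloaltonetworks.com/feeds/m365/worldwide/any/all/url instead.
var M365_EDL_TEXT =
  "# constructed sample, not the live feed\n" +
  "*.office.com\n" +
  "*.office365.com\n" +
  "outlook.office.com\n" +
  "*.sharepoint.com\n" +
  "login.microsoftonline.com\n";

// Assumed Explicit Proxy endpoint; replace with your tenant's proxy host and port.
var EXPLICIT_PROXY = "PROXY explicitproxy.example.com:8080";

// Parse the URL-list text into host entries: skip blank lines and comments,
// lower-case, and keep only the host part (matching below is host-based).
function parseEdlHosts(text) {
  var hosts = [];
  var lines = text.split("\n");
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].replace(/^\s+|\s+$/g, "");
    if (line === "" || line.charAt(0) === "#") continue;
    hosts.push(line.toLowerCase().split("/")[0]);
  }
  return hosts;
}

var BYPASS_HOSTS = parseEdlHosts(M365_EDL_TEXT);

// Match one entry. A "*.domain" entry matches the bare domain and any
// subdomain, and only on a label boundary, so "evil-office.com" does not
// match "*.office.com" (a plain substring test would let it through).
function hostMatchesEntry(host, entry) {
  if (entry.indexOf("*.") === 0) {
    var domain = entry.substring(2);
    if (host === domain) return true;
    var suffix = "." + domain;
    return host.length > suffix.length &&
      host.substring(host.length - suffix.length) === suffix;
  }
  return host === entry;
}

// True when the host should bypass Explicit Proxy and go direct.
function isBypassHost(host) {
  host = host.toLowerCase();
  for (var i = 0; i < BYPASS_HOSTS.length; i++) {
    if (hostMatchesEntry(host, BYPASS_HOSTS[i])) return true;
  }
  return false;
}

// PAC entry point called by the browser or OS for every request.
function FindProxyForURL(url, host) {
  if (isBypassHost(host)) {
    return "DIRECT";
  }
  return EXPLICIT_PROXY;
}
```

Keep the embedded list a complete copy of the chosen feed rather than a hand-picked subset: the EDL steps above warn that adding or excluding individual endpoints from a Feed URL can break connectivity to the SaaS application, and the same applies to a PAC bypass list. Re-paste the list whenever the feed's published update frequency says it has changed.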
Panorama
Prisma Access Explicit Proxy supports the browser-based version of Office 365 (M365), including Office Online (office.com). Follow these steps to integrate the browser-based version of Office 365 with Explicit Proxy. While Explicit Proxy does not support the app-based version of Office 365, you can follow these guidelines to use Explicit Proxy with Office 365 app-based policies.
Set up Browser-Based Office 365 Integration with Prisma Access Explicit Proxy
If you use the browser-based version of Office 365, complete the following task to integrate Office 365 with Explicit Proxy.
- (Optional) If you want to use tenant-based restrictions (restrict access to Office 365 to only a certain number of tenants), use HTTP header insertion with a Custom URL category to allow specific tenants access to Office 365.
- Add decryption policies for the URLs that are used for Office 365.
  - Select Objects > Custom Objects > URL Category and Add a Custom URL Category. Be sure that you are in the Explicit_Proxy_Device_Group.
  - Specify a Type of URL List.
  - Add the list of sites to enable Office 365 integration. To simplify the uploading of the URLs, you can copy the list of Office 365 URLs at https://saasedl.paloaltonetworks.com/feeds/m365/worldwide/any/all/url, save those URLs to a file, and Import the file to the Custom URL category.
  - Select Policies > Decryption > Pre Rules and Add a decryption policy rule.
  - Specify the URL Category you created.
- Add decryption policies for Data and Threat Protection capabilities such as Enterprise Data Loss Prevention (Enterprise DLP), WildFire, Threat Prevention, or SaaS Security.
- Use the EDL Hosting Service to create an external dynamic list.
Set up App-Based Office 365 Integration with Explicit Proxy
Explicit Proxy does not support the full client-based (app) version of Office 365, because Office 365 uses non-web ports and protocols and pinned certificates, which prevents the use of decryption. If you need to secure traffic from Office 365 client apps, you can use one of the following Prisma Access capabilities to do so:
- Deploy a Mobile Users—GlobalProtect deployment with Explicit Proxy and use GlobalProtect split tunnel options to route traffic from the Office 365 apps to the GlobalProtect tunnel, while specifying other internet traffic to be sent to the GlobalProtect tunnel, direct to the internet, or to Explicit Proxy, based on your PAC file and GlobalProtect tunnel include and exclude options.
- If your organization requires that internet-bound traffic go through an Explicit Proxy, or if your network does not have a default route, you can deploy a Remote Network deployment with Explicit Proxy. In this deployment, Explicit Proxy provides you with a list of Anycast and unicast addresses, and you configure your CPE to route traffic through those addresses to the remote network and, from there, to Explicit Proxy and to the internet. To use Office 365 with this deployment type, specify PAC file rules to bypass the non-web Office 365 traffic directly to the internet.
- If you are not able to deploy GlobalProtect or a Prisma Access Remote Network in your environment, you can configure the Explicit Proxy PAC file to bypass Office 365 traffic. Use the list of URLs to enable Office 365 integration with Prisma Access Explicit Proxy as the list of URLs to bypass.