How do I configure Office 365 support?

Zscaler provides the following features to support Office 365 traffic:

  • Office 365 One Click configuration
    When you enable this feature, the Zscaler service automatically performs the necessary configurations so your users can seamlessly use all Office 365 applications. Additionally, Zscaler monitors the Office 365 IP addresses and URLs, fingerprints the apps, and adjusts the configurations accordingly, so you don't need to manage any future IP address or URL changes.
  • The Office 365 apps are grouped together as a cloud app in the Enterprise Productivity category. Therefore, you can easily configure a Cloud App policy or DLP policy for all Office 365 web apps.
  • The Office 365 apps are grouped together as a network application, so you can easily define granular access-control policies for Office 365 apps with the Zscaler Next Generation Firewall.
  • Granular, priority-based bandwidth control for Office 365 apps
  • Supports road warrior protection through the Zscaler app

Enabling the Office 365 One Click Configuration

If your organization uses any of the Office 365 applications, you can send all Office 365 traffic from all your locations, including road warrior traffic, through the Zscaler service to the Microsoft cloud. To learn about forwarding Office 365 traffic to the Zscaler service and the recommended deployment options and guidelines, see Office 365 Guidelines.

When Office 365 applications are used within a web browser, most of the browser-based Office 365 traffic is handled by the Zscaler service when authentication is enabled, allowing the Zscaler service to enforce corporate compliance policies, such as Security, DLP, and Bandwidth Control policies, on Office 365 traffic. When the Zscaler outbound firewall is also enabled, the Zscaler service can also handle non-web ports and protocols to provide granular access control and visibility for all Office 365 traffic.

However, enterprises prefer to deploy native Office 365 applications such as Outlook, Skype for Business, and OneDrive, instead of using these applications within a web browser. While these native applications provide a better user experience, they also present additional challenges from a security solutions viewpoint. With the Office 365 One Click Configuration feature, the Zscaler service automatically configures the authentication exemption and decryption exemption rules required for the service to seamlessly support and secure your Office 365 traffic. Additionally, because the service fingerprints all Office 365 applications, you won't have to worry about any URL changes in the Office 365 applications.

If Office 365 One Click Configuration is enabled, the service automatically exempts the following URLs from decryption:

  • login.microsoftonline.com
  • outlook.office365.com
  • .online.lync.com
  • .infra.lync.com
  • .officeapps.live.com
  • clientconfig.microsoftonline-p.net

The service also automatically exempts the following URLs from cookie-based authentication, in case your organization does not deploy Kerberos:

  • clientconfig.microsoftonline-p.net (This URL is used for Register and Subscription validation.)
  • cdn.sharepointonline.com (This URL is used with Flash/Silverlight plugins that do not support cookie-based authentication.)
  • login.microsoftonline.com (Used for logging into a Microsoft service.)
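
The two lists above overlap only partly, so a given host can skip decryption, cookie authentication, or both. The following added example (not Zscaler code) classifies hostnames against the lists as printed on this page; it assumes a leading dot means "any subdomain of" and that other entries are exact hostnames, and the sample hostnames are constructed.

```python
# Added example, not Zscaler code. Lists are copied from this page.
# Assumption: a leading dot means "any subdomain of"; other entries are exact.
NO_DECRYPT = [
    "login.microsoftonline.com", "outlook.office365.com",
    ".online.lync.com", ".infra.lync.com", ".officeapps.live.com",
    "clientconfig.microsoftonline-p.net",
]
AUTH_EXEMPT = [
    "clientconfig.microsoftonline-p.net", "cdn.sharepointonline.com",
    "login.microsoftonline.com",
]
# Constructed sample hostnames (for instance, taken from proxy logs).
SAMPLE_HOSTS = [
    "login.microsoftonline.com", "outlook.office365.com:443",
    "cdn.sharepointonline.com", "meet.online.lync.com",
    "notonline.lync.com", "login.microsoftonline.com.lookalike.example",
]


def normalize(host):
    """Lower-case, drop a :port suffix and a trailing root dot."""
    host = host.strip().lower()
    if host.count(":") == 1:  # host:port; IPv6 literals are left alone
        host = host.split(":")[0]
    return host.rstrip(".")


def matches(host, entry):
    """Exact match, or label-boundary suffix match for leading-dot entries."""
    host = normalize(host)
    return host.endswith(entry) if entry.startswith(".") else host == entry


def classify(host):
    """Report whether the host is still decrypted and cookie-authenticated."""
    return {
        "decrypted": not any(matches(host, e) for e in NO_DECRYPT),
        "cookie_auth": not any(matches(host, e) for e in AUTH_EXEMPT),
    }


def blind_spots(hosts):
    """Hosts on both lists: neither decrypted nor cookie-authenticated."""
    return [normalize(h) for h in hosts if not any(classify(h).values())]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:45} {classify(h)}")
    print("on both lists:", blind_spots(SAMPLE_HOSTS))
```

Lookalike names such as notonline.lync.com or a listed host used as a prefix of a longer name do not match, because the suffix check includes the leading dot and exact entries are compared whole.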

To enable the Office 365 configuration, log in to the admin portal and do the following:

  1. Go to Policy > URL & Cloud App Control.
  2. Go to the Advanced Policy Settings tab.
  3. Select Enable Office 365 One Click Configuration.
  4. Click Save, and then activate the changes.

NOTE: Zscaler does not automatically include the following URL in the authentication exemption list when the Office 365 One Click feature is enabled. Depending on your business requirements, you can manually add the following URL to the authentication exemption list as described in the next section:

  • .autodiscover.domainname.com (Used by clients for discovering an EWS node associated with the company domain. The domainname parameter varies from company to company. This exemption is not required if you use the EWS Managed API to do autodiscovery.)

Configuring the Authentication and Decryption Exemption Lists

Alternatively, if you do not want the Office 365 One Click feature to automatically add the Office 365 URLs to both the authentication and decryption exemption lists, you can manually add the Office 365 apps to either the authentication or decryption exemption list. For example, if your organization uses Kerberos, you do not need to exempt any of the Office 365 apps from authentication. Therefore, you may want to add Office 365 to the decryption exemption list, but not the authentication exemption list.

To add Office 365 URLs and apps to the authentication exemption list, log in to the admin portal and do the following:

  1. Go to Administration > Advanced Settings.
  2. In the Exempted URLs field, enter autodiscover.domainname.com.
  3. From the Exempted Applications list, select Office365.
  4. Click Save, and then activate the changes.

To add the Office 365 apps to the decryption exemption list, log in to the admin portal and do the following:

  1. Go to Policy > SSL Inspection.
  2. Under Do Not Inspect these Applications, select Office365.
  3. Click Save, and then activate the changes.