Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DirtyBlueshirt
New Contributor II

Allow Office365 Outlook.com email but block Free outlook.com email

We have a scenario where we block webmail in our environment, except for corporate webmail sites. With a hosted Exchange option and OWA this is easy. However we are getting contractors who are shifting their email to Office365, which authenticates users via outlook.com. Is there a way to allow Office365 authentication to outlook.com without allowing the user to log into the free version of outlook webmail as well? Our environment is using FortiOS v5.0.11.

--- Aaron Slater Security Analyst, Network Engineer, Part-Time Everything Else
--- Aaron Slater Security Analyst, Network Engineer, Part-Time Everything Else
7 REPLIES 7
damiri
New Contributor

Contractors are usually in separate VLAN. So you can create policy for that VLAN?

DirtyBlueshirt

damiri wrote:

Contractors are usually in separate VLAN. So you can create policy for that VLAN?

In our environment they are not, though the users will have reserved DHCP addresses. We also have an offshore office where this would be applied to the entire site.

 

The issue isn't segregation of policy. The issue is that for Office365 to authenticate, you need to allow access on HTTPS to the root outlook.com domain as well. On its own this would also grant access to the free webmail component of outlook.com. We want to prevent access to the free webmail component while still letting the user authenticate and log in to the Office365 business version of Outlook webmail.

--- Aaron Slater Security Analyst, Network Engineer, Part-Time Everything Else
--- Aaron Slater Security Analyst, Network Engineer, Part-Time Everything Else
damiri
New Contributor

Then I would copy existing policy and use it on that IP range you have reserved for contractors if this type of operations isn't actually doable thru web or application filter. With this, you will have one policy for them and you can apply whatever you want for them while you are keeping your internal users policies in order. That's how I would do it.

gschmitt
Valued Contributor

Basically you want https://www.youtube.com/watch?v=-G19h1poSoA this with Office365...

I don't think that will be doable without allowing all of Outlook.com but we'll try...

Are you blocking Web Mail with a Web Filter?

 

Make sure the Multiple Security Profiles feature is enabled for that one.

Go to Security Profiles > Application Control and select Create New in the top right corner

Name it "O365"

Select the action for all categories to Block

In Application Overrides select Add Signatures and search for these three:

[ul]
  • Microsoft.Office.365
  • Microsoft.Office.365.Login
  • Microsoft.Office.365.Outlook.Web.App[/ul]

    Select them and hit User Selected Signatures

    Set action to Allow

    Create a new policy without your Web Filter profile and use this Application Filter

     

    Move it on top of your other policy

  • Big_Abe

    You beat me by 2 hours!

     

    I was looking forward to providing a smart answer in the fourms. 

     

    FCNSP

    -------------------------------------

    "They have us surrounded again, those poor bastards."

    -Unnamed Medic

    FCNSP ------------------------------------- "They have us surrounded again, those poor bastards." -Unnamed Medic
    DirtyBlueshirt

    gschmitt wrote:

    Basically you want https://www.youtube.com/watch?v=-G19h1poSoA this with Office365...

    I don't think that will be doable without allowing all of Outlook.com but we'll try...

    Are you blocking Web Mail with a Web Filter?

     

    Make sure the Multiple Security Profiles feature is enabled for that one.

    Go to Security Profiles > Application Control and select Create New in the top right corner

    Name it "O365"

    Select the action for all categories to Block

    In Application Overrides select Add Signatures and search for these three:

    [ul]
  • Microsoft.Office.365
  • Microsoft.Office.365.Login
  • Microsoft.Office.365.Outlook.Web.App[/ul]

    Select them and hit User Selected Signatures

    Set action to Allow

    Create a new policy without your Web Filter profile and use this Application Filter

     

    Move it on top of your other policy

  • Thanks, I'll try that and let you know!

    --- Aaron Slater Security Analyst, Network Engineer, Part-Time Everything Else
    --- Aaron Slater Security Analyst, Network Engineer, Part-Time Everything Else
    ciap123

    Hi, I need the same on my company, did the application control option work for you?

     

    Thank you.

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors