We have a scenario where we block webmail in our environment, except for corporate webmail sites. With a hosted Exchange option and OWA this is easy. However we are getting contractors who are shifting their email to Office365, which authenticates users via outlook.com. Is there a way to allow Office365 authentication to outlook.com without allowing the user to log into the free version of outlook webmail as well? Our environment is using FortiOS v5.0.11.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Contractors are usually in separate VLAN. So you can create policy for that VLAN?
damiri wrote:Contractors are usually in separate VLAN. So you can create policy for that VLAN?
In our environment they are not, though the users will have reserved DHCP addresses. We also have an offshore office where this would be applied to the entire site.
The issue isn't segregation of policy. The issue is that for Office365 to authenticate, you need to allow access on HTTPS to the root outlook.com domain as well. On its own this would also grant access to the free webmail component of outlook.com. We want to prevent access to the free webmail component while still letting the user authenticate and log in to the Office365 business version of Outlook webmail.
Then I would copy existing policy and use it on that IP range you have reserved for contractors if this type of operations isn't actually doable thru web or application filter. With this, you will have one policy for them and you can apply whatever you want for them while you are keeping your internal users policies in order. That's how I would do it.
Basically you want https://www.youtube.com/watch?v=-G19h1poSoA this with Office365...
I don't think that will be doable without allowing all of Outlook.com but we'll try...
Are you blocking Web Mail with a Web Filter?
Make sure the Multiple Security Profiles feature is enabled for that one.
Go to Security Profiles > Application Control and select Create New in the top right corner
Name it "O365"
Select the action for all categories to Block
In Application Overrides select Add Signatures and search for these three:
[ul]Select them and hit User Selected Signatures
Set action to Allow
Create a new policy without your Web Filter profile and use this Application Filter
Move it on top of your other policy
You beat me by 2 hours!
I was looking forward to providing a smart answer in the fourms.
FCNSP
-------------------------------------
"They have us surrounded again, those poor bastards."
-Unnamed Medic
gschmitt wrote:Basically you want https://www.youtube.com/watch?v=-G19h1poSoA this with Office365...
I don't think that will be doable without allowing all of Outlook.com but we'll try...
Are you blocking Web Mail with a Web Filter?
Make sure the Multiple Security Profiles feature is enabled for that one.
Go to Security Profiles > Application Control and select Create New in the top right corner
Name it "O365"
Select the action for all categories to Block
In Application Overrides select Add Signatures and search for these three:
[ul]Microsoft.Office.365 Microsoft.Office.365.Login Microsoft.Office.365.Outlook.Web.App[/ul] Select them and hit User Selected Signatures
Set action to Allow
Create a new policy without your Web Filter profile and use this Application Filter
Move it on top of your other policy
Thanks, I'll try that and let you know!
Hi, I need the same on my company, did the application control option work for you?
Thank you.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1698 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.