4

We have just migrated our corporate email to office365. In order to give access to our outlook exchange servers it was necessary for us to open up our web filtering, allowing a number of additional Microsoft domains. This included domains such as outlook.com, live.com, office356.com, office.com etc.

However, this also allows staff to access personal webmail accounts stored on the outlook.com servers. Reviewing the data traffic when running the Windows client shows that the desktop client is using the same domains to sync with Exchange. All of the access is over SSL, which would make deep inspection of the traffic going through the proxy a lot harder.

As it is company policy to block webmail access to our users, is there any way we can configure the access lists to allow the desktop client to access our exchange instance on office365, while blocking all other webmail access for our users?

Being able to reduce the access to just business accounts would help, but ideally we would want users to only be able to access their company email on company systems.

We use Squid currently for our web proxy rather than any large commercial platform, so ideally we would prefer to continue with that if possible, but if anyone knows of a commercial web proxy/filter that has this kind of fine control out of the box we would be interested.

I have seen some products capable of doing this with business Gmail accounts, but as Gmail runs business email accounts on separate domains based on the business in question, that's a lot easier. Microsoft is operating all the office365 mail services on the same external servers backing onto Azure, I believe.

Vagnerr
  • The only difference is effectively the auth they are using to connect to 365 or not. Could you instead restrict access to the site via GPO for the browser? – Drifter104 Jul 29 '15 at 12:05
  • You could block the other sites via firewall rules, but GP seems best at the browser level for the outlook.com domain. – htm11h Jul 29 '15 at 13:51
  • I looked at how a commercial firewall handles it. It requires SSL inspection enabled for their method. – eKKiM Jun 04 '19 at 07:27

2 Answers

0

If you don't want to lock down client machines you need to control this at the edge through your firewall or proxy. You stated you are using Squid - so if all clients are required to pass traffic there you should be fine. I don't have a lot of experience with Squid - but I believe you can create an ACL that can block access based on URL. If you want something that blocks per category and using smart filtering you will need a different device or service (WebSense, Sophos, etc).

If you have full control over the workstations you can do this via Group Policy and restrict use of 3rd party browsers. This is just like above, however, and you need to have the URLs to block or approve.

If you are using a 3rd party centrally managed malware package - some of these provide methods for blocking via categories as well - and it would work for all browsers and applications on the machine. The benefit of these is that the rules travel with the machines.

You can also look into a service like OpenDNS which offers content filtering, or open source client proxies like DansGuardian.

Jesus Shelby
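As an added illustration of the URL-based Squid ACL approach mentioned above (this fragment is not from the answer or from the Squid project; the hostnames and the `localnet` range are assumptions to be checked against the current Office 365 endpoint list and your own network):

```squid
# Added example squid.conf fragment, not from the original answer.
# Hostnames are illustrative; verify them against Microsoft's published
# Office 365 endpoint list before deploying.

# Internal client range (assumed; adjust to your network)
acl localnet src 10.0.0.0/8

# Hosts the Outlook desktop client needs to reach Exchange Online
acl o365_client dstdomain .outlook.office365.com .office365.com .microsoftonline.com .office.com

# Consumer webmail front ends to block per company policy
acl webmail dstdomain .outlook.live.com .mail.live.com .mail.yahoo.com .mail.google.com

# http_access rules are evaluated top to bottom; the first match wins,
# so the deny must come before the broader allow.
http_access deny webmail
http_access allow localnet o365_client
http_access deny all

# Caveat: for HTTPS without SSL bump, Squid only sees the CONNECT
# hostname, so a URL path cannot be matched and a hostname shared by the
# desktop client and the browser (e.g. outlook.com) cannot be split by
# dstdomain alone. Separating those needs ssl_bump (peek/splice on SNI
# via ssl::server_name) or a per-client policy such as the GPO approach
# suggested in the comments.
```

The `deny webmail` rule only blocks hosts that are distinct from the ones the desktop client uses; overlapping hosts remain reachable for both, which is the limitation the question describes.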
-2

Yes, just disable webmail functionality in office365; then it will only work with an email client.