
Microsoft services won't work without HTTP/HTTPS 1.1 method enabled


Article ID: 253942


Products

  • SG-S400
  • ProxySG Software - SGOS
  • ISG Proxy
  • Advanced Secure Gateway Software - ASG

Issue/Introduction

The customer has allowed the Microsoft services domains for HTTPS traffic, but the services are still not working on the client for Azure Cloud Active Directory and OneDrive.

Policy set up:

  • "No authenticate" attributes set
  • "No SSL-interception" attributes set
  • "ALLOW" set to bypass on Proxy
  • Customer is using very restrictive Policy rules
  • MS Services are set to connect only using HTTPS protocol:

 


List of domains:

  • admin.na.aadrm.com
  • aka.ms
  • api.aadrm.com
  • dataservice.protection.outlook.com
  • ipv6.msftconnecttest.com
  • config.edge.skype.com

Environment

Release : 6.7.4.14

Cause

The HTTP/HTTPS 1.1 CONNECT method was not allowed for the Microsoft services.

Resolution

Rules allowing HTTP/HTTPS HTTP 1.1 CONNECT for the MS services were applied on the ProxySG.

When the service was changed to the protocol method HTTP/HTTPS with HTTP 1.1 tcp-connect, the services were able to communicate with the Microsoft Server.


 

To force the HTTP/HTTPS 1.1 CONNECT method to use only port 443 (no port 80 allowed), apply the following CPL:

<proxy>
client.address=<CLIENT IP> http.method=CONNECT url.host=admin.na.aadrm.com url.port=443 ALLOW
client.address=<CLIENT IP> http.method=CONNECT url.host=aka.ms url.port=443 ALLOW
client.address=<CLIENT IP> http.method=CONNECT url.host=api.aadrm.com url.port=443 ALLOW
client.address=<CLIENT IP> http.method=CONNECT url.host=dataservice.protection.outlook.com url.port=443 ALLOW
client.address=<CLIENT IP> http.method=CONNECT url.host=ipv6.msftconnecttest.com url.port=443 ALLOW
client.address=<CLIENT IP> http.method=CONNECT url.host=config.edge.skype.com url.port=443 ALLOW
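One way to confirm the rules above from the allowed client, as an added example that is not part of the original article or of Broadcom's tooling: it sends an HTTP/1.1 CONNECT through the proxy for each listed domain and reports any host where port 443 is refused or port 80 is tunnelled. The function names and the proxy address given on the command line are assumptions, and a 200 reply is taken to mean the tunnel was allowed.

```python
import socket

# Domains from the article's list; the proxy address is supplied by the caller.
MS_HOSTS = [
    "admin.na.aadrm.com", "aka.ms", "api.aadrm.com",
    "dataservice.protection.outlook.com",
    "ipv6.msftconnecttest.com", "config.edge.skype.com",
]

def build_connect(host, port):
    """Return the HTTP/1.1 CONNECT request an explicit-proxy client sends."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def parse_status(raw):
    """Extract the numeric status code from the proxy's reply, or None."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(line) >= 2 and line[0].startswith("HTTP/") and line[1].isdigit():
        return int(line[1])
    return None

def probe(proxy, host, port, timeout=5.0):
    """Send one CONNECT through the proxy; return the status code or None."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(build_connect(host, port))
            return parse_status(s.recv(4096))
    except OSError:
        return None

def audit(proxy, hosts=MS_HOSTS, probe_fn=probe):
    """Return findings: port 443 must tunnel (200), port 80 must not."""
    findings = []
    for host in hosts:
        if probe_fn(proxy, host, 443) != 200:
            findings.append(f"{host}:443 CONNECT not allowed")
        if probe_fn(proxy, host, 80) == 200:
            findings.append(f"{host}:80 CONNECT unexpectedly allowed")
    return findings

if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): python check_connect.py <proxy-host> <proxy-port>
    for finding in audit((sys.argv[1], int(sys.argv[2]))) or ["policy matches the article"]:
        print(finding)
```

Run it from a machine whose address matches the `client.address` value in the rules, since requests from any other source are not covered by them.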