CASB correctly blocks file uploads to SharePoint when using WSS Agent, but messages sent via Teams are not blocked when they should be.

Article ID: 278032


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access websites via Cloud SWG using WSS Agent.

For additional security, Cloud SWG is also integrated with CASB.

The Office 365 gatelet is enabled, and all uploads to Office 365 services are blocked for certain users.

Some users, when testing, confirmed that file uploads to Office 365 SharePoint are blocked correctly; however, when they send messages with attachments via Teams, the messages are not blocked even though policy says they should be.

CASB logs do not show any entries for the uploaded messages.

HAR files confirm that no CASB response seems to have been triggered for the uploaded messages.

Environment

Cloud SWG.

WSS Agents.

CASB/CloudSOC integration with Office 365 gatelet.

Cause

The default SSL interception "Mobile App Bypass" destination list had an entry for the Teams endpoint domain that users were sending messages to.

Resolution

Removed the teams.microsoft.com domain from the "Mobile App Bypass" URL list via the Cloud SWG Portal.

The device we were testing with was not a mobile device, but for some reason it was being picked up as one.

Additional Information

When troubleshooting issues like this, a HAR file is always useful for seeing which endpoints the user is connecting to.

After accessing the endpoint that messages were being sent to (emea.ng.msg.teams.microsoft.com), verify in the Cloud SWG access logs in reporting that this domain is SSL intercepted (you should see the https scheme with the SSL_Intercept_1 flag, as in the log entry below).

2024-01-10 15:42:00 "DP2-GGBLO99_proxysg2" 328 #.#.#.# "xxxxx" "xxxxx" - - - OBSERVED "Chat (IM)/SMS;Office/Business Applications" - 401 TCP_NC_MISS GET - https emea.ng.msg.teams.microsoft.com 443 / - - "curl/8.0.1" 192.168.2.85 582 94 elastica_reqmod elastica_respmod - - no - - - 0 "client" client_connector "Office 365 Skype for Business" "Chat/Instant Messaging" #.#.#.# "Sweden" CERT_VALID none - - TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 msgapi.teams.microsoft.com "Chat (IM)/SMS;Office/Business Applications" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 - ICAP_REPLACED - - ICAP_REPLACED - - - HTTP/1.1 HTTP/1.1 - 0 #.#.#.# "Sweden" - "Turkey" 1 1 wss-agent architecture=x86_64%20name=Windows%2010%20Pro%20version=xxxx xxxx - xxxxx-xxxx-xxxx-xxxx-xxxx xxxx  - - - - SSL_Intercept_1 - - - - #:#:#:#:#:#:#:# xxxx-xxxx-xxxx #.#.#.# #.#.#.# "GB" "United Kingdom" - - - client #.#.#.# 

CASB integration should SSL intercept CASB domains but did not in this case. In our case, the scheme was SSL rather than https, and the SSL_Intercept_1 flag was not set.

To understand why this happened, we ran a policy trace, which showed that the Mobile App Bypass category was the source of the SSL inspection exemption:

[Rule] miss:      condition=BC_SSL_Rule_666512_destination_SSL-Intercept
MATCH:             condition=BC_MobileAppBypass_UrlList variable.BC_SSL_Intercept_exempt(true) variable.BC_SSL_Intercept_exempt.rationale(SSL-2)
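
The two checks described above (is the Teams endpoint SSL intercepted in the access log, and which policy condition exempted it) can be scripted as follows. This is an added example, not Broadcom code: the log lines are constructed and shortened, the function names are hypothetical, and it assumes the scheme field directly precedes the hostname field, as in the sample log entry above.

```python
import re

INTERCEPT_FLAG = "SSL_Intercept_1"  # flag named in this article
# Trace lines where a matched condition sets the SSL interception exemption.
EXEMPT_RE = re.compile(r"^MATCH:\s+condition=(\S+).*BC_SSL_Intercept_exempt\(true\)")

def interception_status(line, domain):
    """Return (host, scheme, intercepted) for a log line hitting domain, else None.

    Assumption: the scheme field sits immediately before the hostname field.
    """
    fields = re.findall(r'"[^"]*"|\S+', line)  # keep quoted fields together
    for i, field in enumerate(fields[1:], start=1):
        if field == domain or field.endswith("." + domain):
            scheme = fields[i - 1].lower()
            # Intercepted traffic shows the https scheme plus the flag.
            intercepted = scheme == "https" and INTERCEPT_FLAG in fields
            return field, scheme, intercepted
    return None

def exempting_conditions(trace):
    """List the conditions in a policy trace that set the exemption to true."""
    found = []
    for raw in trace.splitlines():
        m = EXEMPT_RE.match(raw.strip())
        if m:
            found.append(m.group(1))
    return found

# Constructed, shortened access log lines (not real log data).
LOG_INTERCEPTED = ('2024-01-10 15:42:00 "proxy-a" 328 - OBSERVED "Chat (IM)/SMS" '
                   '- 401 TCP_NC_MISS GET - https emea.ng.msg.teams.microsoft.com '
                   '443 / - - "curl/8.0.1" - wss-agent - SSL_Intercept_1 - -')
LOG_BYPASSED = ('2024-01-10 15:40:00 "proxy-a" 12 - OBSERVED "Chat (IM)/SMS" '
                '- 0 TCP_TUNNELED CONNECT - ssl emea.ng.msg.teams.microsoft.com '
                '443 / - - "-" - wss-agent - - - -')
# Policy trace lines as shown in this article.
TRACE = """[Rule] miss:      condition=BC_SSL_Rule_666512_destination_SSL-Intercept
MATCH:             condition=BC_MobileAppBypass_UrlList variable.BC_SSL_Intercept_exempt(true) variable.BC_SSL_Intercept_exempt.rationale(SSL-2)"""

if __name__ == "__main__":
    for log_line in (LOG_INTERCEPTED, LOG_BYPASSED):
        print(interception_status(log_line, "teams.microsoft.com"))
    print("Exempted by:", exempting_conditions(TRACE))
```

A `False` result for a CASB-monitored domain means the gatelet never sees the request body, which matches the missing CASB log entries described in the Issue section.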