Affected URL: Power app domain
Issue description: Delayed loading of the page
SG/ISG-Proxy ver. 7.3.x.x & 7.4.x.x
Do not send endpoint traffic destined for the vendor's Power Platform (custom Power Apps, Power BI, SharePoint, etc.) through a proxy. The Power Apps web application is not designed to be proxied by any device in the middle of the communication: traffic needs to go from the endpoint through the firewall and then straight to the vendor's service. The direct communication with the Power Apps platform is already secured by TLS between the client and the vendor.
Workarounds:
;===========For Explicit Deployments ===========================================
; Condition listing the Power Platform domains and IP ranges. The entries below
; are placeholders: copy the real values from the vendor's resource document.
define condition powerapps_Allow
url.domain=<power_app_domain>
url.domain=#######
url.domain=#######
.
.
.
url.address=##.##.##.#/#
url.address=##.##.##.#/#
url.address=##.##.##.#/#
.
.
.
end
; Allow matching requests without protocol detection (so CONNECT tunnels are not
; handed to the SSL proxy) and without proxy authentication, so the proxy passes
; the traffic through rather than interfering with it.
<proxy>
condition=powerapps_Allow detect_protocol(no) authenticate(no) ALLOW
;=============================================================================================
For the details of the URLs, domains and IPs used by Power Apps, refer to the vendor's resource document (URL below). To implement direct URL access with a ProxySG using a PAC file, define rules in the PAC file that return DIRECT for those URLs, so the browser sends the request straight out through the firewall instead of to the proxy.
Here is how to create a PAC file that implements this behavior:
1. Define the PAC File Structure
A PAC (Proxy Auto-Config) file is a JavaScript function that determines which proxy (or DIRECT) should be used for a given request. The function FindProxyForURL() is the core of this file.
2. Basic Structure of the PAC File
function FindProxyForURL(url, host) {
  // Direct URL access to specific domains (bypass proxy). Chrome and Firefox
  // strip the path from https:// URLs before calling this function, so only
  // the scheme and host part of an https pattern is meaningful.
  if (shExpMatch(url, "http://#############/*") || shExpMatch(url, "https://#############/*")) {
    return "DIRECT"; // Bypass the proxy; the request goes straight out through the firewall
  }
  // Additional URLs can be added here
  if (shExpMatch(url, "http://another-###########/*") || shExpMatch(url, "https://another-##########/*")) {
    return "DIRECT"; // Bypass the proxy for this domain as well
  }
  // Default to the proxy for all other traffic. Do not append "; DIRECT" as a
  // fallback: that would let clients bypass the proxy whenever it is unreachable.
  return "PROXY proxy.###########:8080"; // Replace with your actual proxy server and port
}
3. Explanation:
shExpMatch(url, pattern): matches the URL against a shell-style wildcard pattern. Here it selects the specific URLs that should bypass the proxy.
DIRECT: tells the browser to skip the proxy and connect to the destination itself (through the firewall in this deployment).
PROXY proxy.############:8080: the proxy used for all other requests (replace this with your actual proxy server and port).
4. Modify the PAC File with More URLs:
You can add as many URLs or patterns as needed, such as:
if (shExpMatch(url, "http://firewall.###########/*") || shExpMatch(url, "https://firewall.#########/*")) {
return "DIRECT"; // Direct access to the firewall
}
5. Steps to Deploy the PAC File in ProxySG:
Create the PAC File: save the above script as a .pac file (e.g., proxy_bypass.pac).
Upload the PAC File to ProxySG:
Ref.: Create or edit proxy auto-configuration (PAC) files
Ensure Correct Proxy Rules in ProxySG:
Ref.: Configure the ProxySG to serve multiple PAC files
Note: You can still modify the rules above, for a single PAC file usage.
Test the PAC File:
After applying the PAC file, browse to the URLs defined in it and confirm that they bypass the proxy and go directly to the firewall.
Check the logs or network traffic to confirm the routing: requests for the bypassed hosts should be absent from the ProxySG access log and visible in the firewall's log, while requests for any other site should still appear in the ProxySG access log.
Ref: Set Up the Explicit Proxy to Use a PAC File
6. Example of Extended PAC File with Multiple Direct URL Accesses:
function FindProxyForURL(url, host) {
// Bypass proxy for specific URLs
if (shExpMatch(url, "http://#########/*") || shExpMatch(url, "https://##########/*")) {
return "DIRECT";
}
if (shExpMatch(url, "http://another-##########/*") || shExpMatch(url, "https://another-##########/*")) {
return "DIRECT";
}
// More examples of URLs bypassing proxy
if (shExpMatch(url, "http://firewall.#########/*") || shExpMatch(url, "https://firewall.#########/*")) {
return "DIRECT";
}
// Default proxy for all other traffic
return "PROXY proxy.#############:8080"; // Replace with actual proxy details
}
The PAC file defines which traffic goes directly to the firewall, bypassing the proxy. URLs matching the patterns in shExpMatch are sent directly (using DIRECT), while all other traffic uses the proxy (PROXY).
SSL Interception on a ProxySG means the proxy decrypts HTTPS traffic to inspect it for security threats (e.g., malware, inappropriate content) and enforce policies (e.g., URL filtering, data loss prevention).
This process involves decrypting and re-encrypting traffic to inspect the contents of secure communications, which can cause issues with some secure websites or apps if not configured properly.
Common Misunderstanding:
Users often assume that SSL Interception automatically coordinates with the vendor so that traffic to Power Platform apps (Power Apps, Power BI, Power Automate, etc.) is not intercepted.
Clarification:
Power Platform App URLs and SSL Interception:
The vendor does not automatically exempt Power Platform URLs from SSL interception by the proxy. SSL interception is not disabled for the vendor's services unless you explicitly configure it that way.
If you intercept SSL traffic for all HTTPS requests by default, the Power Platform URLs need to be explicitly exempted from SSL interception to avoid issues such as broken connections or failed login attempts.
Why You Need to Manually Exempt Power Platform URLs:
The vendor publishes a list of URLs used by Power Platform apps, and those need to be excluded from SSL interception manually.
These URLs should be exempted because:
Power Platform apps rely on TLS end to end. When the proxy intercepts, the client receives the proxy's re-signed certificate instead of the vendor's, and clients that validate the vendor's certificate fail with certificate errors or dropped sessions.
The vendor's OAuth and other authentication flows also require the encrypted exchange to pass uninterrupted.
Exempting Power Platform URLs from SSL interception means creating exceptions in your ProxySG policy for those URLs: a rule in the <ssl-intercept> layer that tunnels, rather than intercepts, the domains and IP ranges on the vendor's list. That list changes over time, so re-check it when the vendor updates it and keep the exception in sync.