Sophos XG URL Exceptions

When Sophos XG firewalls are configured to inspect HTTP(S) traffic, you will often find that, even with the root certificate installed correctly on the device, some sites such as Microsoft's M365 SaaS suite, Google Workspace, or even uniFLOW Online do not work correctly. There are a few reasons for this, such as HSTS or timeouts while loading pages.

When this happens you may wish to exclude the website from inspection.

Manually Adding Exceptions

  • From the Sophos XG web interface
  • Go to Web > Exceptions, then click Add exception
  • Enter a name for the new exception
  • Select HTTPS decryption, Malware and content scanning, and URL pattern matches. Note that HTTPS certificate validation and Zero-day protection are selected automatically.
  • Enter the URL pattern(s). Note: you need to use regular expressions; see Sophos UTM / Sophos Firewall: Regular expressions for defining URL patterns, or use a site like https://regexr.com/ to help build and test your expression.
    e.g. ^([A-Za-z0-9.-]*\.)?officeapps\.live\.com/
  • Click Save

You can add many different URL patterns to each exception, or even import a pre-built exception.

Most software vendors publish the URLs that need to be whitelisted on their support pages, or will provide them via a support ticket.

Below are a few examples:

Office 365 URLs and IP address ranges – Microsoft 365 Enterprise | Microsoft Learn

Set up a hostname allowlist – Chrome Enterprise and Education Help (google.com)

https://www.uniflowonline.com/en/trust-center/reliability/dns-and-ip-addresses/

Importing Exceptions

For Microsoft M365, for example, there are dozens of URLs that need to be excluded, and the exact set varies depending on which products within the suite you use.

Sophos has pre-built three different sets of exceptions for M365; you can download them from here, then import the set you require.

File                     Details
API-O365-all.tar         This is every web URL that Microsoft lists on the support page (over 100).
API-O365-required.tar    This is a subset of 50 exceptions that Microsoft says are "required".
API-O365-minimal.tar     10 exceptions that correspond to the URLs that Microsoft says are "required" and flags as "optimize" or "allow".

To import these exceptions:

  • From the Sophos XG web interface
  • Go to Backup & firmware > Import export
  • Click Choose File and browse for the .tar file
  • Select and import the file
  • Once the file is imported, turn on the exceptions in Web > Exceptions
  • NOTE: each exception needs to be activated / enabled separately

URL Lists

Note: these need to be copied one line at a time. Each dot in a hostname is escaped as \. so that it matches a literal dot only, as in the example pattern above; a bare . in a regular expression matches any character and makes the exception broader than intended.

Microsoft / Office 365

^([A-Za-z0-9.-]*\.)?officeapps\.live\.com/
^([A-Za-z0-9.-]*\.)?online\.office\.com/
^([A-Za-z0-9.-]*\.)?office\.live\.com/
^([A-Za-z0-9.-]*\.)?cdn\.office\.net/
^([A-Za-z0-9.-]*\.)?contentstorage\.osi\.office\.net/
^([A-Za-z0-9.-]*\.)?onenote\.com/
^([A-Za-z0-9.-]*\.)?cdn\.onenote\.net/
^([A-Za-z0-9.-]*\.)?ajax\.aspnetcdn\.com/
^([A-Za-z0-9.-]*\.)?apis\.live\.net/
^([A-Za-z0-9.-]*\.)?www\.onedrive\.com/
^([A-Za-z0-9.-]*\.)?auth\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?msftidentity\.com/
^([A-Za-z0-9.-]*\.)?msidentity\.com/
^([A-Za-z0-9.-]*\.)?account\.activedirectory\.windowsazure\.com/
^([A-Za-z0-9.-]*\.)?accounts\.accesscontrol\.windows\.net/
^([A-Za-z0-9.-]*\.)?adminwebservice\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?api\.passwordreset\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?autologon\.microsoftazuread-sso\.com/
^([A-Za-z0-9.-]*\.)?becws\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?ccs\.login\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?clientconfig\.microsoftonline-p\.net/
^([A-Za-z0-9.-]*\.)?companymanager\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?device\.login\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?graph\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?graph\.windows\.net/
^([A-Za-z0-9.-]*\.)?login\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?login\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?login\.microsoftonline-p\.com/
^([A-Za-z0-9.-]*\.)?login\.windows\.net/
^([A-Za-z0-9.-]*\.)?logincert\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?loginex\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?login-us\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?nexus\.microsoftonline-p\.com/
^([A-Za-z0-9.-]*\.)?passwordreset\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?provisioningapi\.microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?hip\.live\.com/
^([A-Za-z0-9.-]*\.)?microsoftonline\.com/
^([A-Za-z0-9.-]*\.)?microsoftonline-p\.com/
^([A-Za-z0-9.-]*\.)?msauth\.net/
^([A-Za-z0-9.-]*\.)?msauthimages\.net/
^([A-Za-z0-9.-]*\.)?msecnd\.net/
^([A-Za-z0-9.-]*\.)?msftauth\.net/
^([A-Za-z0-9.-]*\.)?msftauthimages\.net/
^([A-Za-z0-9.-]*\.)?phonefactor\.net/
^([A-Za-z0-9.-]*\.)?enterpriseregistration\.windows\.net/
^([A-Za-z0-9.-]*\.)?management\.azure\.com/
^([A-Za-z0-9.-]*\.)?policykeyservice\.dc\.ad\.msft\.net/
^([A-Za-z0-9.-]*\.)?compliance\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?protection\.office\.com/
^([A-Za-z0-9.-]*\.)?security\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?defender\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?account\.office\.net/
^([A-Za-z0-9.-]*\.)?portal\.cloudappsecurity\.com/
^([A-Za-z0-9.-]*\.)?suite\.office\.net/
^([A-Za-z0-9.-]*\.)?aria\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?events\.data\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?o365weve\.com/
^([A-Za-z0-9.-]*\.)?amp\.azure\.net/
^([A-Za-z0-9.-]*\.)?appsforoffice\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?assets\.onestore\.ms/
^([A-Za-z0-9.-]*\.)?auth\.gfx\.ms/
^([A-Za-z0-9.-]*\.)?c1\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?dgps\.support\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?docs\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?msdn\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?platform\.linkedin\.com/
^([A-Za-z0-9.-]*\.)?prod\.msocdn\.com/
^([A-Za-z0-9.-]*\.)?shellprod\.msocdn\.com/
^([A-Za-z0-9.-]*\.)?support\.content\.office\.net/
^([A-Za-z0-9.-]*\.)?support\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?technet\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?videocontent\.osi\.office\.net/
^([A-Za-z0-9.-]*\.)?videoplayercdn\.osi\.office\.net/
^([A-Za-z0-9.-]*\.)?office365\.com/
^([A-Za-z0-9.-]*\.)?aadrm\.com/
^([A-Za-z0-9.-]*\.)?azurerms\.com/
^([A-Za-z0-9.-]*\.)?informationprotection\.azure\.com/
^([A-Za-z0-9.-]*\.)?ecn\.dev\.virtualearth\.net/
^([A-Za-z0-9.-]*\.)?informationprotection\.hosting\.portal\.azure\.net/
^([A-Za-z0-9.-]*\.)?o15\.officeredir\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?officepreviewredir\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?officeredir\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?r\.office\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?activation\.sls\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?crl\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?office15client\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?officeclient\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?insertmedia\.bing\.office\.net/
^([A-Za-z0-9.-]*\.)?go\.microsoft\.net/
^([A-Za-z0-9.-]*\.)?cdn\.odc\.officeapps\.live\.com/
^([A-Za-z0-9.-]*\.)?officecdn\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?officecdn\.microsoft\.com\.edgesuite\.net/
^([A-Za-z0-9.-]*\.)?entrust\.net/
^([A-Za-z0-9.-]*\.)?geotrust\.com/
^([A-Za-z0-9.-]*\.)?omniroot\.com/
^([A-Za-z0-9.-]*\.)?public-trust\.com/
^([A-Za-z0-9.-]*\.)?symcb\.com/
^([A-Za-z0-9.-]*\.)?symcd\.com/
^([A-Za-z0-9.-]*\.)?verisign\.com/
^([A-Za-z0-9.-]*\.)?verisign\.net/
^([A-Za-z0-9.-]*\.)?apps\.identrust\.com/
^([A-Za-z0-9.-]*\.)?cacerts\.digicert\.com/
^([A-Za-z0-9.-]*\.)?cert\.int-x3\.letsencrypt\.org/
^([A-Za-z0-9.-]*\.)?crl\.globalsign\.com/
^([A-Za-z0-9.-]*\.)?crl\.globalsign\.net/
^([A-Za-z0-9.-]*\.)?crl\.identrust\.com/
^([A-Za-z0-9.-]*\.)?crl3\.digicert\.com/
^([A-Za-z0-9.-]*\.)?crl4\.digicert\.com/
^([A-Za-z0-9.-]*\.)?isrg\.trustid\.ocsp\.identrust\.com/
^([A-Za-z0-9.-]*\.)?mscrl\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?ocsp\.digicert\.com/
^([A-Za-z0-9.-]*\.)?ocsp\.globalsign\.com/
^([A-Za-z0-9.-]*\.)?ocsp\.msocsp\.com/
^([A-Za-z0-9.-]*\.)?ocsp2\.globalsign\.com/
^([A-Za-z0-9.-]*\.)?ocspx\.digicert\.com/
^([A-Za-z0-9.-]*\.)?secure\.globalsign\.com/
^([A-Za-z0-9.-]*\.)?www\.digicert\.com/
^([A-Za-z0-9.-]*\.)?www\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?config\.office\.net/
^([A-Za-z0-9.-]*\.)?manage\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?office\.com/
^([A-Za-z0-9.-]*\.)?cdnprod\.myanalytics\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?myanalytics\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?myanalytics-gcc\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?workplaceanalytics\.cdn\.office\.net/
^([A-Za-z0-9.-]*\.)?azure-apim\.net/
^([A-Za-z0-9.-]*\.)?flow\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?powerapps\.com/
^([A-Za-z0-9.-]*\.)?activity\.windows\.com/
^([A-Za-z0-9.-]*\.)?ocsp\.int-x3\.letsencrypt\.org/
^([A-Za-z0-9.-]*\.)?cortana\.ai/
^([A-Za-z0-9.-]*\.)?admin\.microsoft\.com/
^([A-Za-z0-9.-]*\.)?cdn\.uci\.officeapps\.live\.com/

uniFLOW Online

^([A-Za-z0-9.-]*\.)?download\.nt-ware\.net/
^([A-Za-z]*\.)?nt-ware\.com/
^([A-Za-z]*\.)?uniflowonline\.com/
^([A-Za-z]*\.)?azure-devices\.net/
^([A-Za-z.]*)?manualemergencymode\.azurewebsites\.net/
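The following script is an added example for checking exception patterns like the ones above before they go onto the firewall; it is not part of this article and is not a Sophos tool. It assumes (an assumption, not something Sophos documents here) that the firewall applies each pattern to the request's host and path with the scheme removed, which is how the "e.g." pattern in the manual steps reads. The sample URLs, the lookalike hostname and the hypothetical "eu-1" label are constructed for illustration. It shows three things a reviewer of such a list cares about: that the `^([A-Za-z0-9.-]*\.)?` prefix exempts any depth of subdomain but not an unrelated host that merely starts with the same labels; that a bare `.` instead of `\.` widens the exception to hosts that differ by one character; and that the narrower uniFLOW-style prefix `^([A-Za-z]*\.)?` only accepts a single purely alphabetic label in front of the domain.

```python
import re

# Added example; not the article's code and not a Sophos tool.
# Assumption: the firewall matches each exception pattern against the
# request's host plus path with the scheme stripped, e.g. "eu.officeapps.live.com/op/x".

# Pattern in the form the article's "e.g." line uses: dots escaped.
ESCAPED = r"^([A-Za-z0-9.-]*\.)?officeapps\.live\.com/"
# Same pattern with bare dots, as pasted URL lists often circulate.
UNESCAPED = r"^([A-Za-z0-9.-]*.)?officeapps.live.com/"
# uniFLOW-style prefix: only one purely alphabetic label may precede the domain.
NARROW = r"^([A-Za-z]*\.)?uniflowonline\.com/"

# Constructed sample requests (hypothetical, for illustration only).
SAMPLE_URLS = [
    "https://officeapps.live.com/",
    "https://eu.officeapps.live.com/op/view.aspx",
    "https://word-edit.officeapps.live.com/we/wordeditorframe.aspx",
    "https://officeapps.live.com.example.net/",   # unrelated host sharing a prefix
    "https://officeapps-live.com/",               # lookalike: one '.' replaced by '-'
]


def matches(pattern: str, url: str) -> bool:
    """True if the exception pattern would exempt this request from inspection."""
    host_and_path = re.sub(r"^https?://", "", url)
    return re.match(pattern, host_and_path) is not None


def evaluate(pattern: str, urls=SAMPLE_URLS) -> dict:
    """Map each sample URL to whether the pattern exempts it."""
    return {u: matches(pattern, u) for u in urls}


def unescaped_dots(pattern: str) -> int:
    """Count '.' metacharacters outside [...] classes that are not escaped."""
    body = re.sub(r"\[[^\]]*\]", "", pattern)  # a '.' inside a class is literal
    return len(re.findall(r"(?<!\\)\.", body))


def escape_bare_dots(pattern: str) -> str:
    """Escape every bare '.' outside a character class; existing escapes are kept."""
    out, in_class, after_backslash = [], False, False
    for ch in pattern:
        if after_backslash:          # character following a backslash is literal
            out.append(ch)
            after_backslash = False
            continue
        if ch == "\\":
            after_backslash = True
        elif ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            out.append(r"\.")
            continue
        out.append(ch)
    return "".join(out)


def hostname_pattern(host: str, any_subdomain: bool = True) -> str:
    """Build a Sophos-style exception pattern from a vendor-published hostname."""
    prefix = r"^([A-Za-z0-9.-]*\.)?" if any_subdomain else "^"
    return prefix + host.replace(".", r"\.") + "/"


def audit(lines):
    """Return (original, corrected) pairs for every pattern containing a bare '.'."""
    return [(line, escape_bare_dots(line)) for line in lines if unescaped_dots(line)]


if __name__ == "__main__":
    for name, pat in (("escaped", ESCAPED), ("unescaped", UNESCAPED)):
        print(name, pat)
        for url, hit in evaluate(pat).items():
            print(f"  {'EXEMPT ' if hit else 'inspect'} {url}")
    for bad, fixed in audit([UNESCAPED, r"^([A-Za-z]*.)?nt-ware.com/"]):
        print("fix:", bad, "->", fixed)
```

Running it shows the escaped pattern exempting the two genuine subdomains and the bare host while still inspecting the unrelated `officeapps.live.com.example.net` and the lookalike `officeapps-live.com`; the unescaped pattern exempts the lookalike too. `audit()` is the check to run over a pasted list before import: anything it returns should be corrected, since an exception that is broader than the vendor's published hostnames removes inspection from traffic you never meant to trust.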
