bcs sb proxysg office365 en v1c

Upload: david-ibanez

Post on 02-Jun-2018


    Security Empowers Business

    SOLUTION BRIEF

    [2] ProxySG-based DLP scanning is not performed for dedicated Outlook email clients (e.g. Outlook Anywhere) or other clients using RPC over HTTPS.

    [3] ProxySG-based malware scanning is not performed in cases where Office 365 uses RPC over HTTPS.

    traffic bypasses the proxy, it will not be logged, potentially resulting in compliance violations and limiting your ability to respond to attack incidents.

    Data Loss Prevention (DLP)

    Many organizations use Internet Content Adaptation Protocol (ICAP) to integrate ProxySG with enterprise DLP solutions from Blue Coat, Symantec, and other vendors. These integrations enforce DLP policy for Web 2.0 applications like Office 365, social media, Webmail, etc. If Office 365 is configured to bypass the proxy, then it will bypass DLP controls. For organizations with proxy-based DLP integrations, there are two core Office 365 use cases to consider: document files and email.

    Document Files: Document files stored on the Office 365 cloud drives and SharePoint servers may or may not be considered outside corporate data loss boundaries. It depends on the extent to which your organization trusts Microsoft infrastructure, provides 3rd party access (contractor, etc.) to Office 365, and uses native Office 365 security tools such as rights management, transport rules, etc. If, after considering these factors, you decide that DLP for Office 365 is required, then make sure that Office 365 traffic does not bypass proxy infrastructure. Your ICAP DLP integration can cover Office 365 file transfers.

    Email: Many organizations apply on-premise DLP by forwarding email from their Exchange server to a mail transfer agent (MTA) for scanning. However, Office 365 moves the Exchange server into the cloud, so firms with this architecture will need to find another solution. ProxySG DLP integrations provide an ideal solution for Outlook Web App (OWA) and Exchange ActiveSync (mobile email) [2] traffic. This architecture leverages your existing infrastructure and streamlines the DLP deployment. A single DLP enforcement point, policy, logging, and reporting system covers both Web and email channels.

    [Figure: Users, ProxySG, Firewall, Content Analysis System, Data Loss Prevention. Caption: Valuable security and network performance advantages are lost when Office 365 traffic bypasses the proxy.]


    Note that Microsoft offers DLP capabilities as part of premium Office 365 enterprise bundles. However, this not only can add license cost, it means having to manage two separate DLP systems: one for Office 365 and one for the rest of your enterprise.

    Malware Scanning

    ProxySG, in combination with the Blue Coat Content Analysis System or Blue Coat ProxyAV appliances, can perform malware scanning for files downloaded from Office 365 SharePoint, Office applications (Word, Excel, etc.), Outlook Web App (OWA), and Exchange ActiveSync (for mobile email) [3]. This can be particularly valuable in environments where mobile devices not protected by client virus software are uploading and downloading files. Malware scanning also provides protection against a compromise to Office 365 infrastructure. For example, login credentials can be phished from employees or the Office 365 infrastructure itself can be hacked any number of ways. By enabling malware scanning, you can prevent malware posted by attackers from spreading to other systems and identify which files need to be removed from Office 365 servers. For more information on Office 365 compromises, see http://support.microsoft.com/kb/2551603.

    Reverse Proxy for Hybrid Deployments

    Hybrid SharePoint deployments combine SharePoint Server resources with Office 365 SharePoint resources. In this case, search results from both sources can be combined to present users with a unified view of SharePoint resources in both locations. However, enabling this unified view requires inbound SSL connectivity from Office 365 to on-premise SharePoint servers. In this case, the reverse proxy capability of ProxySG can play an important role in securing these connections by providing an inbound SSL endpoint in the DMZ, authenticating and decrypting traffic before passing it to SharePoint servers on the internal network. Direct (non-proxied) inbound connections from Internet resources should not be allowed to reach internal resources.

    Network Performance and Management

    Firewall Operations Costs and Service Availability

    Firewall rule sets typically limit outbound Internet access to a single (or a few) static proxy IP addresses. Bypassing the proxy, however, requires that the firewall team open holes in the firewall from all client subnets to Office 365 IPs. To assist network managers in this task, Microsoft publishes the 175+ IP addresses necessary to support Office 365. However, these addresses constantly change. From January 2014 through August 2014, they changed 216 times. Therefore, bypassing the proxy commits your firewall team to manually synchronizing a firewall rule set covering 175+ constantly changing IP addresses forever. This is a difficult task for any firewall team. Any time the rule set falls out of sync or simple misconfigurations occur, Office 365 services can be disrupted. Passing Office 365 traffic through the proxy completely avoids this firewall operations cost and availability risk.
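The synchronization problem described above can be checked mechanically. The following is an added example, not part of the Blue Coat brief or any Blue Coat or Microsoft tooling: it compares a published range list against a firewall allow-list and reports ranges that are missing (service disruption risk) and ranges that are stale (outbound holes left open to addresses the service no longer uses). The function names are hypothetical and the addresses are constructed RFC 5737 documentation ranges, not real Office 365 ranges.

```python
import ipaddress

def _collapse(cidrs):
    """Parse CIDR strings and merge overlapping or adjacent networks."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))

def _subtract(a, b):
    """Return the parts of the networks in `a` not covered by any network in `b`."""
    remaining = list(a)
    for block in b:
        kept = []
        for net in remaining:
            if net.subnet_of(block):
                continue                                 # fully covered, drop it
            if block.subnet_of(net):
                kept.extend(net.address_exclude(block))  # carve the block out
            else:
                kept.append(net)                         # CIDRs are nested or disjoint
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def rule_drift(published, allowed):
    """Compare the published service ranges with the firewall allow-list.

    missing: published ranges the firewall does not allow (availability risk)
    stale:   allowed ranges no longer published (unnecessary outbound holes)
    Assumes a single address family (IPv4 here) in both lists.
    """
    pub, fw = _collapse(published), _collapse(allowed)
    return {
        "missing": [str(n) for n in _subtract(pub, fw)],
        "stale": [str(n) for n in _subtract(fw, pub)],
    }

# Constructed sample data (documentation ranges, for illustration only).
PUBLISHED = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"]
ALLOWED = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.0/24"]

if __name__ == "__main__":
    for kind, ranges in rule_drift(PUBLISHED, ALLOWED).items():
        print(kind, ranges)
```
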

    Network Content Caching

    Many organizations are concerned with increased bandwidth costs and latency associated with migrating from on-premise Office to Office 365 in the cloud. ProxySG provides content caching for CIFS file transfers as well as objects embedded in HTTP and HTTPS sessions. Because services in the cloud can have high latency, access to local content can make Office 365 applications much more responsive. Caching will be particularly effective in Office 365 SharePoint and other environments in which the same objects (e.g. video, pictures, presentations, etc.) are downloaded by many users. In these environments, performance can be improved by up to 25%. If Office 365 traffic bypasses the proxy, these gains are lost.

    ADVANTAGES OF USING PROXYSG TO SECURE AND ENHANCE OFFICE 365

    SECURITY
      • Consistent policy compliance
      • Certificate status verification
      • Web application controls
      • Full breach response/audit logs
      • Malware scanning
      • Data Loss Prevention
      • Reverse-proxy for hybrid deployments

    NETWORK MANAGEMENT AND PERFORMANCE
      • Lower firewall operations cost
      • Lower service disruption risk
      • Content caching
      • IP address management
      • Connection optimization


    © 2014 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5, Packetwise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse, Solera Networks, the Solera Networks logos, DeepSee, "See Everything. Know Everything.", "Security Empowers Business", and BlueTouch are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. Blue Coat products, technical services, and any other technical data referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you. v.SB-PROXYSG-OFFICE365-EN-v1c-1014

    Blue Coat Systems Inc.
    www.bluecoat.com

    Corporate Headquarters, Sunnyvale, CA: +1.408.220.2200
    EMEA Headquarters, Hampshire, UK: +44.1252.554600
    APAC Headquarters, Singapore: +65.6826.7000

    IP Address Management

    Microsoft recommends limiting the number of users behind each public IP address to less than 2000 users. Aggregating too many users behind a single IP creates port exhaustion problems that degrade performance. Depending upon your network design, compliance with this recommendation can be a challenge. While this requirement could be met with network restructuring, this process can be very disruptive and expensive. ProxySG can help you easily meet this requirement by load balancing users across a series of public IP addresses based upon various source selectors (e.g. client IP subnet).

    Connection Optimization

    Office 365 traffic is connection heavy. Outlook alone typically consumes 4-8 persistent connections per user. Connections from other applications, such as Office, SharePoint and Lync, can drive per user connections into the 32 connections per user range (depending upon usage). A conservative model allocates at least 10 connections per user. Therefore, a 30,000 user deployment results in roughly 300,000 connections. ProxySG optimizes these connections using multiple techniques (combining short connections, protocol enforcement, etc.) embedded in the proxy's proprietary TCP stack.