• EN

O365 Reverse proxy - how to exclude Windows365

  • 17 August 2023
  • 2 replies
  • 72 views
N
Badge +1

Hey,

We have reverse proxy in place for O365 apps for devices without Netskope client. Now we finally want move away from providing physical hardware to consultants / external project members and replace it with providing virtual machines via Windows365. This ensures all these third parties needing access to our environment are doing this from machines we control.

 

All works fine when an employee with a managed device wants to access such a virtual machine (because reverse proxy is bypassed by having NS installed) but as soon as a non-company person now wants to access W365 machines we provide, reverse proxy kicks in and causes an error what prevents these users to continue and start these machines (see screenshot). 

How can we exclude Windows365 traffic from reverse proxy? Is this something to configure on Netskope or IdP (Okta)? Thanks!

Nadja

1 Attachment

2 replies

S
Rank
Userlevel 6
Badge +16

Hello @nadkick

Are these machines in a dedicated subnet that you control?  There's a few different ways to bypass the Reverse Proxy.  You could install a client on those machines and only steer the Office365 and Okta traffic for those contractors.  You can also bypass the Reverse Proxy based on the IP address of the user:

 

 

This would bypass the Reverse Proxy for traffic from the specified IP addresses where these virtual desktops egress from.  Hopefully one of these options helps but I'm happy to answer any additional questions. 




Sam ShiflettNetskope Solution Architect - North America
N
Badge +1

Hey, 

Sorry for not getting back earlier. In fact we do not want to bypass M365 traffic, as it turned out that Reverse proxy does work with M365, but not with our current user group set up. If anyone is facing the same issue: after weeks of analysis, it turned out that we sync all group memberships of our users to the NS tenant. Due to legacy settings, most of our users have 40+ (up to 120 group memberships). This fact is breaking the Reverse proxy request, as all these memberships are apparently packed in some post/requests and getting too large. Solution: we are (finally) moving from AD to Okta sync and will only sync the needed group memberships, so this gets fixed and everyone can use M365 - even without NS installed (what would not be possible to do on a third party device anyway).

Regards,

Reply


Terms & ConditionsCookie settings