MicrosoftDocs / CloudAppSecurityDocs

Public repo for CloudAppSecurityDocs-pr
Creative Commons Attribution 4.0 International

CloudAppSecurityDocs/network-requirements.md contains assumptions that will make use of this document by Enterprise difficult #630

Closed loaderladdy-work closed 6 months ago

loaderladdy-work commented 1 year ago

https://github.com/MicrosoftDocs/CloudAppSecurityDocs/issues

Sorry about the snappy title. I have been reading this guide as my org believes this is relevant to making MDCAS work in a more performant way. The document contains some assumptions as well, i.e. line 30 contains this text:

For access to the Defender for Cloud Apps portal, add outbound port 443 for the following IP addresses and DNS names to your firewall's allowlist:

While it is true that a Next Gen Firewall has capabilities that can use DNS names to build firewall egress rules, in a corporate environment the source of DNS will typically be provided to client devices by other services, either dedicated or as part of other infrastructure components, for instance with Active Directory Integrated DNS. Such environments use Proxy Auto-Config rules to direct traffic to proxy services and firewalls, so I think the article could be improved to reflect those other potential configurations and how administrators might optimise their infrastructure to account for some of those issues.

I also recommend that the article could be improved by highlighting the circumstances under which admins might want to consider adopting the strategies contained within this document. By way of example, your colleagues in the Office 365 Product Group have created a web service that is documented at https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide. The Office 365 product group highlights that some components are sensitive to latency introduced by network equipment such as proxy servers, especially those that actively inspect HTTPS traffic using man-in-the-middle techniques like SSL Inspection/Break & Inspect. For those reasons your colleagues explain that some Office 365 components need to be "Optimized", and this is achieved through proxy bypass. Other O365 components that are less susceptible to latency are recommended to bypass the proxy via the web service "Allow" category. Then there is the "Default" category, which states that this traffic can go to the proxy with no impact on end user experience.

I do not get any of those top level concerns an admin might worry about from this article, and I think the article could be turned into a great technical article if it discussed those issues and what the recommended approach might be that enterprises might use to tackle them in a direct manner.

I hope this is useful to you.

I am currently trying to understand if MDCAS needs any of this suggested infrastructure configuration, or if the web accessible elements in a browser are perfectly fine when accessed via a proxy server.
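The comment above describes two things an enterprise typically derives from a categorized endpoint list: Proxy Auto-Config rules that send latency-sensitive ("Optimize" and "Allow") hosts direct, and a firewall allowlist of addresses and ports for the traffic that bypasses the proxy. The script below is an added example written for this page; it is not code from the issue, from the docs repo, or from Microsoft. It parses a small sample constructed in the shape of the Microsoft 365 IP/URL web service output (entries carrying `id`, `serviceArea`, `urls`, `ips`, `tcpPorts`, `category`, `required`), rejects malformed categories or address ranges, and emits both a PAC file and an allowlist. The host names, address ranges and the proxy name `proxy.corp.example:8080` are made-up placeholders, not real service endpoints. It goes slightly beyond the comment in that it handles all three categories with a selectable cut-off.

```python
"""Derive proxy-bypass (PAC) entries and a firewall allowlist from a
categorized endpoint list. Added example: sample data and proxy name are
constructed; only the JSON field names follow the Microsoft 365 web service."""
import ipaddress
import json

# Constructed sample in the shape of the Microsoft 365 IP/URL web service
# output. Hosts use the reserved .test TLD and addresses use documentation
# ranges; none of them are real service endpoints.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.example.test"],
     "ips": ["203.0.113.0/24", "2001:db8::/32"], "tcpPorts": "80,443",
     "category": "Optimize", "required": True},
    {"id": 2, "serviceArea": "Common", "urls": ["*.cdn.example.test"],
     "ips": ["198.51.100.0/25"], "tcpPorts": "443",
     "category": "Allow", "required": True},
    {"id": 3, "serviceArea": "Common", "urls": ["telemetry.example.test"],
     "tcpPorts": "443", "category": "Default", "required": False},
])

VALID_CATEGORIES = ("Optimize", "Allow", "Default")


def load_endpoints(text):
    """Parse the JSON and reject entries with an unknown category or a
    malformed address range, so bad input never reaches the firewall config."""
    entries = []
    for entry in json.loads(text):
        category = entry.get("category")
        if category not in VALID_CATEGORIES:
            raise ValueError(f"entry {entry.get('id')}: unknown category {category!r}")
        for net in entry.get("ips", []):
            ipaddress.ip_network(net, strict=False)  # raises ValueError on garbage
        entries.append(entry)
    return entries


def _tcp_ports(entry):
    """tcpPorts is a comma-separated string such as "80,443"."""
    return [int(p) for p in entry.get("tcpPorts", "").split(",") if p]


def bypass_hosts(entries, categories=("Optimize", "Allow"), required_only=True):
    """Host patterns that should skip the proxy (go DIRECT), de-duplicated."""
    hosts = set()
    for entry in entries:
        if entry["category"] not in categories:
            continue
        if required_only and not entry.get("required"):
            continue
        hosts.update(entry.get("urls", []))
    return sorted(hosts)


def firewall_allowlist(entries, category="Optimize", required_only=True):
    """(network, tcp_port) pairs the egress firewall must permit for traffic
    that bypasses the proxy; by default only the Optimize category."""
    rules = set()
    for entry in entries:
        if entry["category"] != category:
            continue
        if required_only and not entry.get("required"):
            continue
        for net in entry.get("ips", []):
            for port in _tcp_ports(entry):
                rules.add((net, port))
    return sorted(rules)


def render_pac(hosts, proxy="proxy.corp.example:8080"):
    """Emit a PAC file: listed host patterns return DIRECT, all else goes to
    the proxy. shExpMatch is a standard PAC helper that supports '*' globs."""
    if not hosts:
        return f'function FindProxyForURL(url, host) {{\n    return "PROXY {proxy}";\n}}\n'
    checks = " ||\n        ".join(f'shExpMatch(host, "{h}")' for h in hosts)
    return (
        "function FindProxyForURL(url, host) {\n"
        f"    if ({checks}) {{\n"
        '        return "DIRECT";\n'
        "    }\n"
        f'    return "PROXY {proxy}";\n'
        "}\n"
    )


if __name__ == "__main__":
    eps = load_endpoints(SAMPLE_ENDPOINTS)
    print(render_pac(bypass_hosts(eps)))
    for net, port in firewall_allowlist(eps):
        print(f"allow tcp {net} -> {port}")
```

Against real data the script would consume the web service response instead of the embedded sample, and the resulting allowlist should be regenerated on the service's published change cadence rather than frozen in a firewall policy; PAC output deserves review before deployment because every DIRECT entry is traffic the proxy no longer inspects.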

dcurwin commented 1 year ago

Thank you for your comment. We'll investigate and get back to you.

batamig commented 6 months ago

Thanks for your dedication to our documentation. Unfortunately, at this time we have been unable to review your issue in a timely manner and we sincerely apologize for the delayed response.

The requested updates have not been made since the creation of this issue, and the timeline for resolution may vary based on resourcing, so we've created an internal work item to incorporate your suggestions. We are closing this issue for now, but feel free to comment here as necessary.

please-close