tiiuae / ghaf

TII SSRC Secure Technologies: Ghaf Framework
https://tiiuae.github.io/ghaf/
Apache License 2.0

Add firewall settings to business-vm #695

Closed shamma-alblooshi1 closed 1 month ago

shamma-alblooshi1 commented 1 month ago

Description of changes

Supports the trusted browsing use case. Includes firewall support for the business-vm to allow users to browse only specific sites, which include Microsoft365 websites and, in addition, the TII intranet site. Includes Microsoft365, Outlook and Teams applications that run in the business-vm.

Checklist for things done

Testing

The user should open the trusted browser application from the menu. The only sites that can be accessed are Microsoft365 sites, which include Outlook and Teams. In addition, TII's intranet site can be accessed. If the user tries to access any other website, for example YouTube or GitHub, etc., it should not allow it.

In addition, the applications Microsoft365, Outlook and Teams should also work and be able to connect.

milva-unikie commented 1 month ago

Tested on Lenovo-X1 (nix build github:shamma-alblooshi1/ghaf/trusted-browser#lenovo-x1-carbon-gen11-debug, last commit 73c3943)

Found issues:

Working:

Also one question: is it intentional that for example word and powerpoint documents can not be opened from Microsoft365?

shamma-alblooshi1 commented 1 month ago

> Tested on Lenovo-X1 (nix build github:shamma-alblooshi1/ghaf/trusted-browser#lenovo-x1-carbon-gen11-debug, last commit 73c3943)
>
> Found issues:
>
>   • I was not able to open Teams. Tried both through Teams-icon and with trusted browser.
>   • I can not login into Microsoft365-app. In trusted browser side login to office.com with that same account works.
>
> Working:
>
>   • Outlook works. Can send/receive emails and open attachments.
>   • Trusted browser only allows mentioned pages.
>   • Test-automation passes.
>
> Also one question: is it intentional that for example word and powerpoint documents can not be opened from Microsoft365?

brianmcgillion commented 1 month ago

  1. Logged into outlook (no reason to select outlook, just one of the MS apps)
  2. Opened Teams (it auto logged in)
  3. Opened MS365 (needed to click login, though it used the SSO after this - so no need to reenter credentials)
  4. Opened Trusted Browser
    1. Tried to access YouTube, Github, news, google search - denied access
    2. Opened outlook - url was prompted in the location bar and SSO worked

With TII accounts it is working now.

milva-unikie commented 1 month ago

Microsoft365 login is working for me now, but Teams is still refusing to work. It does not even give an option to log in, only the same error message as previously. @leivos-unikie had the same result.

When using the "normal" chromium browser in Ghaf, I am able to log in to Teams with no problems.

brianmcgillion commented 1 month ago

> Microsoft365 login is working for me now, but Teams is still refusing to work. It does not even give an option to log in, only the same error message as previously. @leivos-unikie had the same result.
>
> When using the "normal" chromium browser in Ghaf, I am able to log in to Teams with no problems.

Can you try Ctrl+Shift+C in the Trusted Browser to see if it is being blocked by the firewall? It might be that the firewall rules have missed a regional setting.

dig can also help from the terminal in the business-vm to see what it is trying to resolve the URL as.

leivos-unikie commented 1 month ago

After that b90644e69cecca927efe43e2fa8a23474c690157 Teams App is now working for me.

leivos-unikie commented 1 month ago

but Teams still does not work from Microsoft 365 or from the trusted browser (microsoft365.com)

leivos-unikie commented 1 month ago

Also cannot open files in Microsoft 365 app or in trusted browser / microsoft365.com

milva-unikie commented 1 month ago

I had the same results as Samuli. Teams is now working in app and in the trusted browser when you use teams.microsoft.com. It can not be opened from microsoft365.com even though Outlook can be opened from there.

shamma-alblooshi1 commented 1 month ago

> I had the same results as Samuli. Teams is now working in app and in the trusted browser when you use teams.microsoft.com. It can not be opened from microsoft365.com even though Outlook can be opened from there.

Yes, I am aware of this issue. Opening Teams from the PWA or just using teams.microsoft.com works, but when you open it from microsoft365 there is an issue, which is because it first opens a website "aka.ms" and then redirects you to Teams. I allowed the aka.ms website, and this worked for me (but this website has a very big range of IPs; I hopefully included all of them). Maybe you can try the last commit now?
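
The gap discussed in the comments above (an IP-range allowlist that misses some of the addresses a hostname such as aka.ms resolves to, and using dig to see what is resolved) can be audited offline. This is an added example, not part of the PR or the Ghaf code; it assumes the firewall is an allowlist of IP ranges, and the ranges, addresses and CNAME target below are constructed.

```python
import ipaddress

# Constructed allowlist (documentation ranges, not the PR's real rules).
ALLOWED_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:10::/48"]

# Constructed `dig +short` answers per hostname. Lines ending in "." are
# CNAME targets, the rest are A/AAAA records.
SAMPLE_DIG_OUTPUT = {
    "teams.microsoft.com": "teams.cdn.example.net.\n192.0.2.17\n192.0.2.44\n",
    "aka.ms": "198.51.100.20\n198.51.100.200\n2001:db8:10::5\n2001:db8:99::1\n",
}


def parse_dig_short(text):
    """Split `dig +short` output into (cname_targets, ip_addresses)."""
    cnames, addrs = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment/warning
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            cnames.append(line.rstrip("."))  # not an address: CNAME target
    return cnames, addrs


def uncovered(addrs, allowed_ranges):
    """Return the addresses that no allowlisted range contains."""
    nets = [ipaddress.ip_network(r) for r in allowed_ranges]
    return [a for a in addrs
            if not any(a.version == n.version and a in n for n in nets)]


def audit(dig_output, allowed_ranges):
    """Map each hostname to the resolved addresses the firewall would drop."""
    report = {}
    for host, text in dig_output.items():
        _, addrs = parse_dig_short(text)
        missing = uncovered(addrs, allowed_ranges)
        if missing:
            report[host] = [str(a) for a in missing]
    return report


if __name__ == "__main__":
    for host, missing in audit(SAMPLE_DIG_OUTPUT, ALLOWED_RANGES).items():
        print(f"{host}: not covered by allowlist -> {', '.join(missing)}")
```

Because answers can differ by resolver and region, the same audit is worth repeating with output collected from each network the device is used on.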

milva-unikie commented 1 month ago

> Yes, I am aware of this issue. Opening Teams from the PWA or just using teams.microsoft.com works, but when you open it from microsoft365 there is an issue, which is because it first opens a website "aka.ms" and then redirects you to Teams. I allowed the aka.ms website, and this worked for me (but this website has a very big range of IPs; I hopefully included all of them). Maybe you can try the last commit now?

It is working. Teams can be opened from both Microsoft365-app and from Microsoft365.com in trusted browser.

Everything is working now with this PR!