SOLUTION BRIEF
USING PROXYSG TO SECURE AND ENHANCE OFFICE 365

Security Empowers Business
Organizations around the world are migrating from on-premise Microsoft Office to cloud-based Office 365
deployments. The economic advantages gained both on the desktop and in the data center make a compelling
case for Office 365. In addition, Office 365 makes information seamlessly available to office, home, and mobile
users running a variety of client platforms.

As part of the migration process, Microsoft may suggest that Office 365 traffic bypass web proxy infrastructure.
However, it's important to consider the security and network performance advantages lost if Office 365 traffic
bypasses the proxy. Security advantages include: policy compliance, certificate status verification, application
controls, logging, malware scanning, data loss prevention, and reverse proxy security for hybrid deployments.
Network performance advantages include: lower firewall management costs, lower service disruption risk, content
caching, IP address management, and connection optimization. This brief outlines these advantages so that you
can make an informed decision regarding proxy bypass of Office 365 traffic.
Security Advantages

Security Policy Compliance

Security best practice and most enterprise security policies prohibit direct
Internet access from internal network clients. In other words, all client
traffic, including Office 365, must pass through a proxy. This guidance exists
for a reason: proxies provide valuable security benefits, and we'll detail
those benefits in the following sections. However, consistent policy
compliance alone is an important consideration. Bypassing the proxy violates
policy, forcing organizations to document an exception, justify the
exception, and accept a lower security posture for this segment of Internet
traffic. According to Verizon's 2012 Data Breach Incident Report, 97% of data
breaches could be avoided with consistent implementation of simple or
intermediate controls. Proxy bypass is a perfect example of inconsistent
control implementation. Over time, accumulated exceptions are lost, becoming
a source of security holes that attackers eventually exploit.

Certificate Status Verification


The reach of their software makes Microsoft a common target for certificate
attacks. In fact, Microsoft certificate compromises known to the public have
occurred in 2001, 2008, and 2012.[1] To protect your users against such
attacks, Blue Coat ProxySG applies the Online Certificate Status Protocol
(OCSP) to verify the status of Office 365 certificates in real time. If a
certificate has been compromised and revoked, the proxy blocks the request
and alerts your users.

[1] http://csrc.nist.gov/groups/SMA/forum/documents/october-2012_fcsm_pturner.pdf

Web Application Controls


ProxySG provides Web Application Controls for Web 2.0 applications
like Office 365. These controls not only give you control over which
users can access which Office 365 applications, but which application
operations are available. For example, you could meet least privilege
access requirements by allowing a contractor to access SharePoint but
deny Exchange. You could further allow that contractor to download
files, but prevent a SharePoint infection from an unmanaged contractor
device by blocking uploads. These controls maximize Office 365
effectiveness as a collaboration tool, while ensuring the integrity of your
infrastructure.

Full Incident Response and Compliance Logging


ProxySG provides critical log data that is not available from Office 365 log
records. For example, real client IP addresses are not recorded by Office 365.
If an internal client uses Office 365, the source IP address will be NATed at
the Internet firewall. Therefore, if Office 365 traffic bypasses the proxy, it
will not be logged, potentially resulting in compliance violations and limiting
your ability to respond to attack incidents.

[Figure: Users → ProxySG (integrated with Content Analysis System and Data Loss Prevention) → Firewall. Caption: Valuable security and network performance advantages are lost when Office 365 traffic bypasses the proxy.]

Data Loss Prevention (DLP)


Many organizations use Internet Content Adaptation Protocol (ICAP) to
integrate ProxySG with enterprise DLP solutions from Blue Coat, Symantec, and
other vendors. These integrations enforce DLP policy for Web 2.0 applications
like Office 365, social media, Webmail, etc. If Office 365 is configured to
bypass the proxy, then it will also bypass DLP controls. For organizations
with proxy-based DLP integrations, there are two core Office 365 use cases to
consider: document files and email.

Document Files: Document files stored on the Office 365 cloud drives and
SharePoint servers may or may not be considered outside corporate data loss
boundaries. It depends on the extent to which your organization trusts
Microsoft infrastructure, provides 3rd party access (contractor, etc.) to
Office 365, and uses native Office 365 security tools such as rights
management, transport rules, etc. If, after considering these factors, you
decide that DLP for Office 365 is required, then make sure that Office 365
traffic does not bypass proxy infrastructure. Your ICAP DLP integration can
then cover Office 365 file transfers.

Email: Many organizations apply on-premise DLP by forwarding email from their
Exchange server to a mail transfer agent (MTA) for scanning. However, Office
365 moves the Exchange server into the cloud, so firms with this architecture
will need to find another solution. ProxySG DLP integrations provide an ideal
solution for Outlook Web App (OWA) and Exchange ActiveSync (mobile email)[2]
traffic. This architecture leverages your existing infrastructure and
streamlines the DLP deployment. A single DLP enforcement point, policy,
logging, and reporting system covers both Web and email channels.

[2] ProxySG-based DLP scanning is not performed for dedicated Outlook email clients (e.g. Outlook Anywhere) or other clients using RPC over HTTPS.
[3] ProxySG-based malware scanning is not performed in cases where Office 365 uses RPC over HTTPS.

Note that Microsoft offers DLP capabilities as part of premium Office 365
enterprise bundles. However, this not only can add license cost, it also
means having to manage two separate DLP systems: one for Office 365 and one
for the rest of your enterprise.

Malware Scanning

ProxySG, in combination with the Blue Coat Content Analysis System or Blue
Coat ProxyAV appliances, can perform malware scanning for files downloaded
from Office 365 SharePoint, Office applications (Word, Excel, etc.), Outlook
Web App (OWA), and Exchange ActiveSync (for mobile email)[3]. This can be
particularly valuable in environments where mobile devices not protected by
client antivirus software are uploading and downloading files. Malware
scanning also provides protection against a compromise of Office 365
infrastructure. For example, login credentials can be phished from employees,
or the Office 365 infrastructure itself can be hacked in any number of ways.
By enabling malware scanning, you can prevent malware posted by attackers
from spreading to other systems and identify which files need to be removed
from Office 365 servers. For more information on Office 365 compromises, see
http://support.microsoft.com/kb/2551603.

Reverse Proxy for Hybrid Deployments


Hybrid SharePoint deployments combine SharePoint Server resources with Office
365 SharePoint resources. In this case, search results from both sources can
be combined to present users with a unified view of SharePoint resources in
both locations. However, enabling this unified view requires inbound SSL
connectivity from Office 365 to on-premise SharePoint servers. Here the
reverse proxy capability of ProxySG can play an important role in securing
these connections by providing an inbound SSL endpoint in the DMZ that
authenticates and decrypts traffic before passing it to SharePoint servers on
the internal network. Direct (non-proxied) inbound connections from Internet
resources should not be allowed to reach internal resources.

Network Performance and Management


Firewall Operations Costs and Service Availability
Firewall rule sets typically limit outbound Internet access to a single (or a
few) static proxy IP addresses. Bypassing the proxy, however, requires that
the firewall team open holes in the firewall from all client subnets to Office
365 IPs. To assist network managers in this task, Microsoft publishes the
175+ IP addresses necessary to support Office 365. However, these addresses
constantly change. From January 2014 through August 2014, they changed 216
times. Therefore, bypassing the proxy commits your firewall team to manually
synchronizing a firewall rule set covering 175+ constantly changing IP
addresses forever. This is a difficult task for any firewall team. Any time
the rule set falls out of sync or simple misconfigurations occur, Office 365
services can be disrupted. Passing Office 365 traffic through the proxy
completely avoids this firewall operations cost and availability risk.
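As an added illustration of the synchronization burden described above (example code, not Blue Coat or Microsoft tooling), the following Python computes the firewall change set between two revisions of a published IP list; the two lists and the client subnets are constructed sample data using documentation ranges.

```python
import ipaddress

# Constructed sample data: a previous and a current revision of a published
# endpoint IP list. These are documentation ranges, not real Office 365 IPs.
PREVIOUS = ["198.51.100.0/24", "203.0.113.0/25", "203.0.113.128/25", "192.0.2.10/32"]
CURRENT = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.20/32", "2001:db8::/32"]


def normalise(entries):
    """Parse prefixes and collapse adjacent/overlapping ones, so two lists
    that cover the same address space compare equal (e.g. two /25s vs one /24)."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return set(ipaddress.collapse_addresses(v4)) | set(ipaddress.collapse_addresses(v6))


def rule_delta(previous, current):
    """Return (to_add, to_remove): the prefixes the firewall team must open
    and retire to track the new revision of the list."""
    old, new = normalise(previous), normalise(current)
    return (sorted(str(n) for n in new - old), sorted(str(n) for n in old - new))


def render_changes(to_add, to_remove, client_subnets, port=443):
    """Vendor-neutral change lines: bypass means one allow rule per client
    subnet per destination prefix, so the change set grows multiplicatively."""
    lines = []
    for dst in to_add:
        for src in client_subnets:
            lines.append(f"ADD    allow tcp src={src} dst={dst} dport={port}")
    for dst in to_remove:
        lines.append(f"REMOVE all rules with dst={dst}")
    return lines


if __name__ == "__main__":
    add, rem = rule_delta(PREVIOUS, CURRENT)
    # Two constructed client subnets stand in for "all client subnets".
    for line in render_changes(add, rem, ["10.1.0.0/16", "10.2.0.0/16"]):
        print(line)
```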

Network Content Caching


Many organizations are concerned with increased bandwidth costs and latency
associated with migrating from on-premise Office to Office 365 in the cloud.
ProxySG provides content caching for CIFS file transfers as well as objects
embedded in HTTP and HTTPS sessions. Because services in the cloud can have
high latency, access to local content can make Office 365 applications much
more responsive. Caching will be particularly effective in Office 365
SharePoint and other environments in which the same objects (e.g. video,
pictures, presentations, etc.) are downloaded by many users. In these
environments, performance can be improved by up to 25%. If Office 365 traffic
bypasses the proxy, these gains are lost.

ADVANTAGES OF USING PROXYSG TO SECURE AND ENHANCE OFFICE 365

SECURITY                                NETWORK MANAGEMENT AND PERFORMANCE
Consistent policy compliance            Lower firewall operations cost
Certificate status verification         Lower service disruption risk
Web application controls                Content caching
Full breach response/audit logs         IP address management
Malware scanning                        Connection optimization
Data Loss Prevention
Reverse-proxy for hybrid deployments

IP Address Management

Microsoft recommends limiting the number of users behind each public IP
address to less than 2000 users. Aggregating too many users behind a single
IP creates port exhaustion problems that degrade performance. Depending upon
your network design, compliance with this recommendation can be a challenge.
While this requirement could be met with network restructuring, this process
can be very disruptive and expensive. ProxySG can help you easily meet this
requirement by load balancing users across a series of public IP addresses
based upon various source selectors (e.g. client IP subnet).

Connection Optimization

Office 365 traffic is connection heavy. Outlook alone typically consumes 4-8
persistent connections per user. Connections from other applications, such
as Office, SharePoint and Lync, can drive per-user connections into the 32
connections per user range (depending upon usage). A conservative model
allocates at least 10 connections per user. Therefore, a 30,000 user
deployment results in roughly 300,000 connections. ProxySG optimizes these
connections using multiple techniques (combining short connections, protocol
enforcement, etc.) embedded in the proxy's proprietary TCP stack.
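The two recommendations above can be turned into a simple capacity check. The following Python is an added example, not Blue Coat code: it places client subnets onto public egress addresses without exceeding the per-IP user limit and estimates the connection load per address; the subnets, user counts and egress addresses are constructed sample data.

```python
import math

# Microsoft's guidance quoted above: fewer than 2000 users per public IP,
# i.e. at most 1999; and a conservative 10 connections per user.
MAX_USERS_PER_IP = 1999
CONNECTIONS_PER_USER = 10

# Constructed sample data: client subnets (the source selector) with user counts,
# and a pool of constructed public egress addresses.
SUBNET_USERS = {"10.1.0.0/16": 1800, "10.2.0.0/16": 1500, "10.3.0.0/22": 900,
                "10.4.0.0/22": 600, "10.5.0.0/24": 200}
EGRESS_IPS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]


def minimum_public_ips(total_users, limit=MAX_USERS_PER_IP):
    """Lower bound on the number of public IPs needed for a user population."""
    return math.ceil(total_users / limit)


def assign_subnets(subnet_users, egress_ips, limit=MAX_USERS_PER_IP):
    """First-fit-decreasing placement: largest subnets first, each onto the
    first egress IP with room. A subnet is never split, so the proxy can pick
    the egress address from the client subnet alone. Returns (plan, load)."""
    load = {ip: 0 for ip in egress_ips}
    plan = {}
    for subnet, users in sorted(subnet_users.items(), key=lambda kv: -kv[1]):
        if users > limit:
            raise ValueError(f"{subnet} has {users} users; split it into smaller subnets")
        for ip in egress_ips:
            if load[ip] + users <= limit:
                load[ip] += users
                plan[subnet] = ip
                break
        else:
            raise ValueError(f"no egress IP has room for {subnet}; add public addresses")
    return plan, load


def estimated_connections(load, per_user=CONNECTIONS_PER_USER):
    """Connections each egress IP carries before proxy-side optimisation."""
    return {ip: users * per_user for ip, users in load.items()}


if __name__ == "__main__":
    plan, load = assign_subnets(SUBNET_USERS, EGRESS_IPS)
    for subnet, ip in plan.items():
        print(f"{subnet:12} -> {ip}")
    print("per-IP users:", load, "connections:", estimated_connections(load))
```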

Blue Coat Systems Inc.
www.bluecoat.com
Corporate Headquarters: Sunnyvale, CA, +1.408.220.2200
EMEA Headquarters: Hampshire, UK, +44.1252.554600
APAC Headquarters: Singapore, +65.6826.7000

2014 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5, Packetwise, Policycenter, ProxyAV, ProxyClient,
SGOS, WebPulse, Solera Networks, the Solera Networks logos, DeepSee, See Everything. Know Everything., Security Empowers Business, and BlueTouch are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain
other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties
are the property of their respective owners. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. Blue Coat products, technical services, and any other technical data
referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and
acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you. v.SB-PROXYSG-OFFICE365-EN-v1c-1014
