Smoothwall Filter already has 'Office 365' as a built-in category for use in policies, and in most cases you can include this category in the 'What' of a 'Who', 'What', 'Where', 'When' policy with an action of 'Allow' to permit unrestricted access to Office 365.
Sometimes it is also necessary to include the IP address ranges in destination exception settings, or the domains in proxy exclusion lists (when using proxy settings).
Microsoft provides a list, but it needs to be formatted and combined before it can be used, so below is a summary of these addresses.
Note: This list may change; please refer to Microsoft for the latest information. In the domain list we have often used parent domains instead of multiple subdomains, e.g. using officeapps.microsoft.com to cover both excel.officeapps.microsoft.com and word.officeapps.microsoft.com.
Warning: Adding these rules will cause all Office 365 and related traffic to be unfiltered and not logged by Smoothwall Filter.
Instructions and background
The domains go into proxy exceptions when using proxy settings on clients. They can be pasted directly into the exception list in Web Proxy - Web Proxy - Automatic Configuration Page for inclusion in the proxy.pac and wpad.dat files that Smoothwall Filter serves to clients.
The IP addresses can be added to the transparent destination exceptions field in Guardian - Web Filter - Exceptions.
It is not normally necessary to add the IP ranges to the proxy exceptions on the client. Applications that honour proxy settings generally use hostnames as destinations, while applications that use IP addresses as destinations generally do not honour proxy settings. This is not a hard and fast rule, just our experience.
If proxy settings are not used, just add the IP addresses to the transparent destination exceptions.
Domains in client proxy exceptions and IP addresses in Guardian transparent proxy exceptions will minimize Office 365 traffic being sent via or intercepted by the proxy.
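The formatting and combining step mentioned above, as an added sketch that is not part of the original article or of Smoothwall's tooling: it normalises a raw domain list, folds subdomains into a listed parent while recording what each parent absorbed, and merges IPv4 ranges. The function names and the sample input are constructed for illustration.

```python
import ipaddress

def collapse_domains(entries):
    """Return (kept domains, {absorbed subdomain: covering parent})."""
    names = set()
    for raw in entries:
        name = raw.strip().lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]              # wildcard form -> bare parent domain
        if name:
            names.add(name)
    kept, absorbed = set(), {}
    # Fewest labels first, so a parent is always seen before its subdomains.
    for name in sorted(names, key=lambda n: (n.count("."), n)):
        labels = name.split(".")
        suffixes = (".".join(labels[i:]) for i in range(1, len(labels)))
        parent = next((s for s in suffixes if s in kept), None)
        if parent:
            absorbed[name] = parent      # already exempt via the parent entry
        else:
            kept.add(name)
    return sorted(kept), absorbed

def collapse_ranges(entries):
    """Return (merged IPv4 CIDRs, entries rejected for manual review)."""
    nets, rejected = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError:
            rejected.append(raw)         # typo or host bits set: do not guess
            continue
        if net.version == 4:
            nets.append(net)
        else:
            rejected.append(raw)         # IPv6 is outside this sketch
    return [str(n) for n in ipaddress.collapse_addresses(nets)], rejected

# Constructed sample input (documentation ranges, not Microsoft's published data).
SAMPLE_DOMAINS = ["excel.officeapps.microsoft.com", "word.officeapps.microsoft.com",
                  "*.officeapps.microsoft.com", "Example.ORG.", "cdn.example.net"]
SAMPLE_RANGES = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.7",
                 "203.0.113.0/24", "192.0.2.10/24"]

if __name__ == "__main__":
    domains, absorbed = collapse_domains(SAMPLE_DOMAINS)
    ranges, rejected = collapse_ranges(SAMPLE_RANGES)
    print("\n".join(domains), absorbed, "\n".join(ranges), rejected, sep="\n")
```

Review the absorbed mapping before pasting the result: every parent kept in the list exempts all hosts beneath it from filtering and logging, not only the subdomains it replaced.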
Domain list
IP Ranges list (include local subnets if not present already)
For the Teams app, these additional IP ranges are needed.
13.107.64.0/18
52.112.0.0/14
52.120.0.0/14