Before you begin, you will need to have BIG-IP devices with the SSLO service discovered and imported. You will also need to ensure that all devices you wish to add to the Office 365 fetch schedule run the same SSLO RPM version.
To configure the fetch schedule and Office 365 URL categories, do the following:
Navigate to SSL Orchestrator > Configuration > Office 365 URL Updater at the top right. It appears as a link when you do not have a topology configured and an icon
when you do.
For Frequency, specify how often you would like to fetch O365 URL categories. Select a cadence of Daily, Weekly or Monthly from the dropdown menu and its corresponding time values.
Daily: Specify the time in a 24-hour format, HH: MM.
Weekly: Select the day you want to run the report and the time in a 24-hour format.
Monthly: Select a number for the day of the month you want to run the report and the time in a 24-hour format.
To authorize SSLO to fetch O365 URL categories on clicking Save, select the checkbox Fetch Now.
Specify an Endpoint from the dropdown menu from which to fetch the URL categories.
Select the Use required URLs only checkbox to fetch the minimum required URLs for O365 connectivity. Not selecting this option fetches all URLs, including the minimum required ones.
For Include URLs, enter a URL not categorized as an O365 URL that you would like to fetch. Then, add additional URLs using the + icon.
To exclude URLs or domain extensions from this fetch, enter the URL or extension in the Exclude URLs.
For example, if you want to exclude google.com from your fetch and all addresses ending in .net, enter google.com in the field, select the + icon to add an additional line. Then, on the next line, enter .net.
Select the Create IP Datagroups checkbox to create IP data groups consisting of IP addresses after fetching URLs.
For Exclude IPs, enter IP address that you would like to omit from this fetch request. Add additional IP addresses using the + icon.
From the Trusted Certificate Authority list, choose a trusted certificate authority.
None: Specifies that no CA is trusted for server-side processing.
ca-bundle: Uses the ca-bundle.crt file, which contains all well-known public certificate authority (CA) certificates for server-side processing.
default: Specifies that the trusted CA for server-side processing is the default certificate on the system.
In the O365 Categories section, specify whether you want to create a single URL data set and/or separate data sets for O365 Optimize/Default/Allow categories.
Default: If you add the Default category to a policy, the package will be inspected.
All: If you fetch All categories, you can add URLs from all categories to a security policy. The All option is not editable and is selected by default. The BIG-IP will always create a data set containing all O365 URLs.
Optimize: If you select the Optimize category to add to a security policy, you choose to optimize traffic speed for critical Microsoft endpoints such as Outlook and Sharepoint.
Allow: If you add the Allow category of O365 URLs to a security policy, the traffic will not be inspected.
Refer Office 365 endpoint categories for more information.
Select the service area from which you would like to fetch URLs. Available options are Common, Exchange, Sharepoint, and Skype. The Common option is not editable and is selected by default. The BIG-IP will always fetch the common O365 URLs.
The Run Information section displays the last run time, the upcoming run schedule, and the current status of the O365 URL update.
Select Save to save this schedule.
After finishing configuration, you can add the Office 365 URL categories to a security policy rule when the network traffic matches all categories. You can then deploy the security policy on target BIG-IP devices.
