Squid + Office365 and Outlook
-
Yesterday I configured my pfSense box with squid, the CA part so I can proxy https, and lightsquid for reports. I installed the CA certificate on my machine and thought everything was working well … until I opened Outlook.
So, the problem seems to be with squid and the certificate. For example, if I try to set up an Office365 account, I get a certificate warning. If I accept it anyway, it keeps asking me for the password.
On a machine with an Office365 Outlook account already set up, it gives the certificate warning and remains stuck in "trying to connect ...."
I have also tried to add the URLs under: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-ZA&ad=ZA
to the "Do not cache" section in the configuration under "Local Cache", but it seems not to like *.domain.com names. This still did not work.
So the question is: "How do I get Office365 to work with squid?" or "How do I let squid ignore Office365 and let it just go through?"
-
What? No one uses Outlook anymore? :o Please help! :)
-
"How do I let squid ignore Office365 and let it just go through ?"
Create an alias for Office365 and then put that alias under the "Bypass Proxy for These Source IPs" setting under "Package -> Proxy Server -> General Settings -> General".
Do not put the actual domain name in though; please review the issue I hit with that in the following post: https://forum.pfsense.org/index.php?topic=112589.0
-
The only way I could get this to work using WPAD was to create an alias and add outlook.office365.com
See picture.
-
I still need some guidance here…...
At this point the firewall section allows everything out. If I go and put outlook.office365.com;autodiscover.mydomain.com under "Bypass Proxy for These Destination IPs",
I still get a certificate warning prompt when attempting to set up an Office365 account in Outlook. This is for the certificate issued by pfSense. So it isn't bypassing the proxy then?
What to do??? :-\
-
Outlook is very annoying with the CA alert. I recently configured a mail server with postfix running on Ubuntu server. If the CA is not signed, it will keep asking that unless it is installed on the machine and also on the server. Also, you should not have this issue if you're running WPAD? When it shows the alert, can you post the img of the alert?
-
Follow this for creating a dstdom.broken file for use with pinned certificates:
https://wiki.squid-cache.org/SquidFaq/WindowsUpdate
Same item, however add the
office.com
office.net
domains into the folder so everything works and cache for updates still works:
acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all
This works for me, and all updates and Office use are restored.
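-
Added example, not written by any poster in this thread: Squid's dstdomain ACL type, which the dstdom.broken file above feeds, matches a domain and its subdomains with a leading dot (.office.com) and has no *.domain.com form, which is the shape of the entries that were rejected earlier in the thread. This Python sketch converts such entries into dstdomain lines and drops any that a broader entry already covers; the sample input is constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input mixing the forms found in published endpoint lists.
SAMPLE = """\
*.office.com
outlook.office.com
https://*.office.net/some/path
OFFICE.NET
outlook.office365.com:443
autodiscover.mydomain.com
autodiscover.*.example.com
192.0.2.0/24
# comment line
"""

def to_dstdomain(entry):
    """Return one dstdomain pattern, or None if the entry is not a usable hostname."""
    host = entry.split("#", 1)[0].strip().lower()
    host = host.split("://", 1)[-1].split("/", 1)[0]  # drop scheme, path, CIDR suffix
    if host.count(":") == 1:
        host = host.split(":", 1)[0]                  # drop :port
    wildcard = host.startswith(("*.", "."))
    host = host.lstrip("*.").rstrip(".")
    if not host or "*" in host or ":" in host:        # embedded wildcard or IPv6
        return None
    try:
        ipaddress.ip_address(host)                    # IPs belong in an IP-based ACL
        return None
    except ValueError:
        return "." + host if wildcard else host

def matches(pattern, host):
    """dstdomain semantics: '.d' matches d and its subdomains, 'd' matches only d."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def build_dstdomain_list(text):
    """Normalise every line, then drop entries a broader '.domain' entry covers."""
    patterns = {p for p in map(to_dstdomain, text.splitlines()) if p}
    wild = [p for p in patterns if p.startswith(".")]
    keep = [p for p in patterns
            if not any(w != p and matches(w, p.lstrip(".")) for w in wild)]
    return sorted(keep, key=lambda p: p.lstrip("."))

if __name__ == "__main__":
    print("\n".join(build_dstdomain_list(SAMPLE)))  # one entry per line for the ACL file
```

Every domain listed in that file is exempted from the domain-mismatch check by the sslproxy_cert_error rule, so the shorter and more specific the list, the less certificate validation is relaxed.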