David_Herselman
Collaborator

Azure AD Application Proxy - Updatable objects

We are experiencing problems trying to use Azure AD updatable objects to allow an Azure AD Application Proxy host to phone home.

Two issues:

  • Is there a reference document somewhere that explains what the various updatable objects actually reference? Each comment is currently simply a copy & paste of the same statement 'This is a Microsoft object, blah blah https://www.microsoft.com/en-us/download/details.aspx?id=56519'
  • We constantly have to supplement the updatable objects with additional IPs. I presume CheckPoint have contacts at Microsoft that they can address this with?
Two examples:

  • We use 802.1X for both wireless and wired (port based) authentication where we want users to utilise Azure AD as an MFA method of registering their devices to the network. We subsequently created a rule that allows access to 'Azure Active Directory Domain Public Services' and 'Azure Active Directory Public Services', but many requests flow to destinations not covered by these.
  • We drop requests to unknown or uncategorised sites and want to allow 'Azure AD Connect' and 'Azure AD Application Proxy' hosts to connect back to Microsoft. There are again never ending hosts that we have to continually manually add to allowed network group objects.
My impression is that the current implementation is really half baked and, whilst it ticks some boxes, isn't reliable. Herewith some of the IPs we've had to add:

[attachment: updatable_object_azure_ad.png]
Regards

David Herselman

6 Replies
PhoneBoy
Admin

All Updatable Objects are backed by a feed provided by the relevant vendor (MSFT in this case).
You use the Domains Tool to see what is covered in a given Updatable Object.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

David_Herselman
Collaborator

Unfortunately that doesn't help:

[Expert@fwcp1:0]# domains_tool -uo "Azure Active Directory Domain Public Services"
Domain tool looking for domains for 'Azure Active Directory Domain Public Services' and its children objects:
The updatable object Azure Active Directory Domain Public Services does not hold any domains
[Expert@fwcp1:0]# domains_tool -uo "Azure Active Directory Public Services"
Domain tool looking for domains for 'Azure Active Directory Public Services' and its children objects:
The updatable object Azure Active Directory Public Services does not hold any domains


PhoneBoy
Admin

Digging into this a bit more, it looks like you can find the IPs in $CPDIR/database/ONLINE_SERVICES/1.0/<version>/azure.C on the gateway.
In any case, Microsoft is ultimately responsible for updating the feed.

David_Herselman
Collaborator

Undocumented switches and incomplete address lists. Does CheckPoint not have a contact at Microsoft they could address this with?

[attachment: updatable_object_search.png]

My original question also hasn't been answered, so I presume the answer is 'No, CheckPoint do not provide a clue anywhere as to what subnets are chosen from Microsoft's lists to create the updatable objects'.

i.e. you can try to figure out yourself what someone in R&D cooked together?

My impression is that functionality of this nature is of great interest, but unusable in its current state = half baked...

PhoneBoy
Admin

Like I said, Microsoft provide these lists, which are categorized.
There are, in fact, multiple lists.
For Azure US, it’s something like the following: https://www.microsoft.com/en-us/download/details.aspx?id=56519
See also: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world...
@Micky_Michaeli do we have a backchannel with Microsoft for matters like this?

PhoneBoy
Admin

FYI, I just went through a similar exercise with a customer trying to troubleshoot an issue with Azure-related services and Updatable Objects.
We were able to confirm that the ranges specified in the JSON file available from Microsoft correspond to what shows when using the relevant object in the rulebase and you execute dynamic_objects -uo_show.
The trick in our case was figuring out which Updatable Objects to include based on the services they were trying to access.
Between the JSON file and looking at $CPDIR/database/downloads/ONLINE_SERVICES/1.0/<ver>/azure.C, I could see what objects needed to be included for this specific customer.

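A worked way to do what the last reply describes, added here as an example and not code from the thread, from Check Point or from Microsoft: parse Microsoft's "Azure IP Ranges and Service Tags" JSON (the download linked above) and, for each destination the gateway dropped, list the service tags whose prefixes contain it. That narrows down which tags, and therefore which Updatable Objects backed by them, are candidates for the rule. It assumes the file's published layout (a top-level `values` array whose entries carry `name` and `properties.addressPrefixes`); the embedded sample document and the dropped IPs are constructed with documentation prefixes, and the tag-to-Updatable-Object mapping still has to be confirmed against `dynamic_objects -uo_show` on the gateway.

```python
"""Map IPs that a gateway dropped to the Azure service tags (and hence the
candidate Check Point Updatable Objects) whose address ranges contain them.

Added example, not code from the thread or from Check Point / Microsoft.
It assumes the JSON layout of Microsoft's "Azure IP Ranges and Service Tags"
download (top-level "values", each with "name", "properties.region",
"properties.systemService" and "properties.addressPrefixes"). The sample
document below is constructed with RFC 5737 / RFC 3849 documentation
prefixes; replace it with the real file (ServiceTags_Public_<date>.json).
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the shape of the real file; the prefixes are
# documentation ranges, not Microsoft's.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {
            "name": "AzureActiveDirectory",
            "id": "AzureActiveDirectory",
            "properties": {
                "changeNumber": 1,
                "region": "",
                "platform": "Azure",
                "systemService": "AzureAD",
                "addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"],
            },
        },
        {
            "name": "AzureCloud.westeurope",
            "id": "AzureCloud.westeurope",
            "properties": {
                "changeNumber": 1,
                "region": "westeurope",
                "platform": "Azure",
                "systemService": "",
                "addressPrefixes": ["198.51.100.0/24", "203.0.113.0/25"],
            },
        },
        {
            "name": "AzureFrontDoor.Frontend",
            "id": "AzureFrontDoor.Frontend",
            "properties": {
                "changeNumber": 1,
                "region": "",
                "platform": "Azure",
                "systemService": "AzureFrontDoor",
                "addressPrefixes": ["192.0.2.0/24"],
            },
        },
    ],
})


def load_service_tags(text):
    """Parse the JSON and return {tag name: [ip_network, ...]}.

    A malformed prefix is skipped rather than aborting the whole load, so one
    bad entry in a large feed does not hide every other match.
    """
    doc = json.loads(text)
    tags = {}
    for entry in doc.get("values", []):
        nets = []
        for prefix in entry.get("properties", {}).get("addressPrefixes", []):
            try:
                nets.append(ipaddress.ip_network(prefix, strict=False))
            except ValueError:
                continue
        tags[entry["name"]] = nets
    return tags


def tags_for_ip(tags, ip):
    """Return the service tags whose ranges contain `ip` as (name, prefix)
    pairs, most specific prefix first (then by name, for stable output)."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, nets in tags.items():
        for net in nets:
            if addr.version == net.version and addr in net:
                hits.append((name, str(net)))
    hits.sort(key=lambda h: (-ipaddress.ip_network(h[1]).prefixlen, h[0]))
    return hits


def candidate_tags(tags, dropped_ips):
    """Given the IPs a gateway dropped, return ({tag: set of dropped IPs it
    covers}, [IPs no tag covers]). An uncovered IP cannot be allowed by any
    Updatable Object built from this feed and needs a separate object."""
    covered = defaultdict(set)
    uncovered = []
    for ip in dropped_ips:
        hits = tags_for_ip(tags, ip)
        if not hits:
            uncovered.append(ip)
        for name, _ in hits:
            covered[name].add(ip)
    return dict(covered), uncovered


if __name__ == "__main__":
    # Constructed "dropped" destinations, as one might lift from a log export.
    dropped = ["203.0.113.10", "198.51.100.7", "2001:db8:1::25", "8.8.8.8"]
    tags = load_service_tags(SAMPLE_SERVICE_TAGS)
    covered, uncovered = candidate_tags(tags, dropped)
    for name in sorted(covered):
        print(f"{name}: {sorted(covered[name])}")
    print("not in any Azure service tag:", uncovered)
```

Feed it the real file and the IPs from the gateway's drop logs; an address that matches several tags (a service tag inside a regional `AzureCloud.<region>` tag, as in the sample) is the usual case, so prefer the narrower service-specific tag over the regional catch-all when choosing the Updatable Object. Addresses that match no tag at all are the ones no feed-backed object will ever cover and explain the manual additions the thread complains about.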