PDF(305.7 KB) View with Adobe Reader on a variety of devices
ePub(379.2 KB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(314.4 KB) View on Kindle device or Kindle app on multiple devices
Updated:August 14, 2019
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This article describes the process involved to exempt Office 365 traffic from authentication and decryption on the Web Security Appliance (WSA). There are several known compatibility issues with Office 365 and proxies, and exempting Office 365 traffic authentication and decryption can help with some of these issues.
Note: This is not a full bypass from web proxy, and exempting traffic from decryption prevents the WSA from inspecting the encrypted HTTPS traffic generated by Office 365 clients.
Create a Custom URL Category using the Office365 External Feed
Create an Identification Profile for the Office 365 traffic
Exempt the Office 365 traffic from Decryption Policy
Note: This process requires use of the dynamically updating Office 365 external JSON feed which contains all the URLs/IP addresses associated to Office 365.
Note: Support for this feed is present in AsyncOS version 10.5.3 onwards and 11.5 onwards versions.
1. Create a Custom URL Category using the Office365 External Feed
Navigate to Web Security Manager->Custom and External URL Categories
Click "Add Category"
Assign a name to the category, select the category type as "External Live Feed Category", and select the "" option.
At the bottom, set the "Auto Update the Feed" option to "Hourly" with an interval of 00:05 (every 5 minutes)
Click the "Submit" button.
2. Create an Identification Profile for the Office 365 traffic
Navigate to Web Security Manager->Identitifcation Profiles
Click "Add Identification Profile"
Assign a name, set "Identification and Authentication" to "Exempt from authentication/identification".
Click the "Advanced" button, and click the link next to "URL Categories"
Find the category you created in the previous step, and select that category, and then scroll to the bottom of the page and click the "Done" button.
The Identification Profile should now look as follows:
Click the "Submit" button at the bottom of the screen.
3. Exempt the Office 365 traffic from Decryption Policy
Navigate to Web Security Manager->Decryption Policies
Click "Add Policy"
Assign a name, and then in the "Identification Profiles and Users" field, choose the "Select One or More Identification Profiles" option and select your Office 365 identity from the previous step.
Click on the "Submit" button.
Click on the link under "URL Filtering" that says "Monitor: 1"
Set the Office 365 category to "Passthrough" and click the "Submit" button.
Finally, commit your changes by clicking the yellow "Commit Changes" button at the top right-hand corner of the GUI.
More official Cisco documentation on How to enable Office 365 External Feeds and How to exempt Office 365 from Decryption Policy in WSA: