Solved

Office 365 Restrict External Access Server 2012 R2 ADFS Policy

Posted on 2016-08-10
Last Modified: 2016-08-12
I have followed "Scenario 4: Block all external access to Office 365 except for designated Active Directory groups" using the link I have provided at the bottom, but it is not working. Is there something else I need to do? I believe I have the correct entries, which I have provided below. I have the rules in the correct order per the instructions, with the default Permit Access to All Users at the bottom. You can see I have internal IP address ranges for 192.168.1.1 to 192.168.1.255, 10.0.0.1 to 10.0.0.255, and lastly 172.16.1.1 to 172.16.1.255 for the x-ms-forwarded-client-ip values and built them using the online regex builder (i.e., http://www.analyticsmarket.com/freetools/ipregex). I obtained the AD Group SID using the PowerShell command (i.e., Get-ADGroup -Filter {Name -like "pa*"} | Select Name,SID | Format-Table -Auto). Please help.

c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "^192\.168\.1\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^10\.0\.0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^172\.16\.1\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$"] && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] => issue(Type = "http://custom/ipoutsiderange", Value = "true");
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0220945662-3111232555-725789543-38967718"]) => add(Type = "http://custom/groupsid", Value = "fail");
c1:[Type == "http://custom/ipoutsiderange", Value == "true"] && c2:[Type == "http://custom/groupsid", Value == "fail"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");


Configuring Client Access Policies
Question by:Nathan Vanderwyst
10 Comments

Expert Comment

by:Vasil Michev (MVP)
ID: 41750485
Check the event logs, you should see all the claims/values there. For Exchange Online related traffic, the forwarded IP might be that of the MS servers, depending on the client in use.

Author Comment

by:Nathan Vanderwyst
ID: 41753361
I did the traces but I don't understand how to read them.

ClaimType http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip Value 70.198.50.124 ValueType http://www.w3.org/2001/XMLSchema#string Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid Value https://login.microsoftonline.com/login.srf ValueType http://www.w3.org/2001/XMLSchema#string Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id Value 6a59ee2a-bf1f-4bd0-b00f-77b0b5a0aac4 ValueType http://www.w3.org/2001/XMLSchema#string Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork Value true ValueType http://www.w3.org/2001/XMLSchema#boolean Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path Value /adfs/ls/ ValueType http://www.w3.org/2001/XMLSchema#string Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent Value Mozilla/5.0 (iPad; CPU OS 9_3_4 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G35 Safari/601.1 ValueType http://www.w3.org/2001/XMLSchema#string Issuer CLIENT CONTEXT OriginalIssuer CLIENT CONTEXT
ClaimType http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid Value S-1-18-2 ValueType http://www.w3.org/2001/XMLSchema#string Issuer AD AUTHORITY OriginalIssuer AD AUTHORITY
Value S-1-5-21-1915377267-1208286587-1902094214-1157
Value S-1-5-21-1915377267-1208286587-1902094214-1155
Value S-1-5-21-1915377267-1208286587-1902094214-1151
Value S-1-5-21-1915377267-1208286587-1902094214-1123
Value S-1-5-21-1915377267-1208286587-1902094214-1147
Value S-1-5-15
Value S-1-5-11
Value S-1-5-2
Value S-1-5-32-554
Value S-1-5-32-574
Value S-1-5-32-545
Value S-1-1-0

Expert Comment

by:Vasil Michev (MVP)
ID: 41753410
Simply look for the claim and its value. In the above example, the http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork claim has a value True, so the rule will not act upon it.

Author Comment

by:Nathan Vanderwyst
ID: 41753734
How can this be, since I was testing using an iPad over a cellular connection? It should have evaluated to FALSE. Where can I see the values being passed that are evaluated?

Expert Comment

by:Vasil Michev (MVP)
ID: 41753924
This claim in particular is added by the WAP, so check there. If you are using any 3rd party product as a replacement for the AD FS proxy, most likely they don't support the claim.

Author Comment

by:Nathan Vanderwyst
ID: 41754000
We host AD FS on premises and there is no WAP.

Expert Comment

by:Vasil Michev (MVP)
ID: 41754214
Well there's your problem. You need to have a WAP server in order to distinguish external/internal requests. Otherwise the http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork claim will always evaluate to True and you need to remove the corresponding checks for the claims rule.

Author Comment

by:Nathan Vanderwyst
ID: 41754251
That doesn't make sense, why would Office 365 need to use WAP? I have never even seen WAP mentioned anywhere in the configuration of AD FS, Office 365, AAD Connect or Azure. I never ran across any documentation for it either. What am I not understanding? Do you have any suggested URLs to follow specifically for O365 AD FS claims rules with WAP configuration?

Accepted Solution

by:Vasil Michev (MVP) (earned 2000 total points)
ID: 41754333
Every "proper" AD FS configuration needs WAP for publishing the relevant endpoints externally. Office 365 does not *need* to use WAP, but if you want to be able to distinguish external/internal requests based on the presence of the insidecorporatenetwork claim, you must use WAPs (or a compatible 3rd party tool).
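To make the rule chain concrete, here is a small Python simulation (added for this page; it is neither code from the thread nor from Microsoft) that applies the three rules posted in the question to a claim set constructed from the trace above. It shows that while insidecorporatenetwork is reported as true no deny claim is ever issued, and that rule 1's regex only matches hosts in the three private ranges, so even with a WAP reporting false a public address such as the 70.198.50.124 in the trace would not set ipoutsiderange.

```python
import re

# Claim types used by the three rules posted in the question.
FWD_IP = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"
INSIDE = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
IP_OUTSIDE = "http://custom/ipoutsiderange"
GROUP_CHECK = "http://custom/groupsid"

# Regex copied from rule 1: it matches hosts .1-.255 of the three private ranges only.
OCTET = r"([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))"
RANGE_RE = re.compile(rf"^192\.168\.1\.{OCTET}$|^10\.0\.0\.{OCTET}$|^172\.16\.1\.{OCTET}$")
ALLOWED_GROUP = "S-1-5-21-0220945662-3111232555-725789543-38967718"  # SID as pasted in the question

def exists(claims, ctype, pred=lambda v: True):
    """Mirror the claim rule language's [Type == ..., Value ...] condition."""
    return any(t == ctype and pred(v) for t, v in claims)

def evaluate(claims):
    """Run the three rules in order; return the deny claim value, or None.
    Each rule sees the input claims plus what earlier rules produced ('add'
    only extends the working set, 'issue' also emits to the output)."""
    work = list(claims)
    # Rule 1: forwarded IP inside the private ranges AND insidecorporatenetwork == false
    if exists(work, FWD_IP, lambda v: RANGE_RE.search(v) is not None) \
            and exists(work, INSIDE, lambda v: v == "false"):
        work.append((IP_OUTSIDE, "true"))
    # Rule 2: no groupsid claim equal to the allowed group -> mark the user
    if not exists(work, GROUPSID, lambda v: v == ALLOWED_GROUP):
        work.append((GROUP_CHECK, "fail"))
    # Rule 3: both markers present -> issue the deny claim
    if exists(work, IP_OUTSIDE, lambda v: v == "true") and exists(work, GROUP_CHECK, lambda v: v == "fail"):
        return "DenyUsersWithClaim"
    return None

# Constructed from the trace in the thread: public client IP, insidecorporatenetwork
# reported as true, and no x-ms-forwarded-client-ip claim at all.
TRACE = [
    ("http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip", "70.198.50.124"),
    (INSIDE, "true"),
    (GROUPSID, "S-1-5-21-1915377267-1208286587-1902094214-1157"),
    (GROUPSID, "S-1-1-0"),
]

def scenario(inside, fwd_ip=None, member=False):
    """Variant of the trace with a chosen insidecorporatenetwork value, an optional
    forwarded IP and optional membership in the allowed group (all constructed)."""
    claims = [c for c in TRACE if c[0] != INSIDE] + [(INSIDE, inside)]
    if fwd_ip is not None:
        claims.append((FWD_IP, fwd_ip))
    if member:
        claims.append((GROUPSID, ALLOWED_GROUP))
    return evaluate(claims)

if __name__ == "__main__":
    print("as traced, no WAP:        ", scenario("true", "70.198.50.124"))        # None
    print("WAP, public IP:           ", scenario("false", "70.198.50.124"))       # None
    print("WAP, 192.168.1.50:        ", scenario("false", "192.168.1.50"))        # DenyUsersWithClaim
    print("WAP, 192.168.1.50, member:", scenario("false", "192.168.1.50", True))  # None
```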

Author Closing Comment

by:Nathan Vanderwyst
ID: 41754394
Thank you for your help.