
Manage Global Settings

The Web policy's Global Settings affect all rules and rulesets. The global settings Microsoft 365 Compatibility and Protected File Bypass can each be enabled or disabled. Microsoft 365 Compatibility exempts Microsoft 365-related domains, marked as Optimize and Allow in Microsoft's endpoint categories, from inspection and policy enforcement. Protected File Bypass overrides Umbrella's default setting that blocks the downloading of encrypted files.

Microsoft 365 Compatibility

The Microsoft 365 Compatibility feature exempts Microsoft 365-related domains, marked as Optimize and Allow in Microsoft's endpoint categories, from inspection and policy enforcement, allowing those domains to pass through the Umbrella infrastructure unaltered. The domains are excluded from HTTPS decryption and content filtering. Microsoft 365 traffic still appears in Umbrella reporting; however, because HTTPS inspection is disabled, the traffic is logged only at the host/domain level and does not show the full URL.

Tenant Controls

Microsoft 365 Compatibility is compatible with Tenant Controls. However, when Tenant Controls are configured for Microsoft 365, Umbrella decrypts four Microsoft login domains (login.microsoftonline.com, login.live.com, login.microsoft.com, and login.windows.net) for the purpose of tenant enforcement. The domain is detected by analyzing the SNI (Server Name Indication) TLS extension. Some applications may not send SNI information, in which case the exclusion does not apply.
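
The matching behavior described above, sketched as an added example (not Cisco's code and not Umbrella's actual exemption list): it classifies observed SNI hostnames against a constructed sample shaped like Microsoft's endpoint list, so you can see which traffic would lose URL-level logging and file inspection. The sample entries, function names and outcome labels are assumptions made for illustration.

```python
import json

# Constructed sample shaped like Microsoft's published endpoint list ("category",
# "urls" fields). Not the real list and not Umbrella's own exemption data.
SAMPLE_ENDPOINTS = json.loads("""[
  {"id": 1, "category": "Optimize", "urls": ["outlook.office365.com"]},
  {"id": 2, "category": "Allow", "urls": ["*.sharepoint.com", "login.microsoftonline.com"]},
  {"id": 3, "category": "Default", "urls": ["*.office.net"]}
]""")

# The four login domains the page says are decrypted when Tenant Controls are on.
TENANT_LOGIN_DOMAINS = {"login.microsoftonline.com", "login.live.com",
                        "login.microsoft.com", "login.windows.net"}

def matches(host, pattern):
    """Exact match, or label-boundary suffix match for '*.example.com' patterns."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keeps the dot: 'xsharepoint.com' fails
    return host == pattern

def exempt_patterns(endpoints):
    """Only Optimize and Allow entries are exempt; Default stays under policy."""
    return [u for e in endpoints if e.get("category") in ("Optimize", "Allow")
            for u in e.get("urls", [])]

def expected_handling(sni, endpoints, tenant_controls=False):
    """Return a hypothetical label for how a connection with this SNI is treated."""
    if not sni:
        return "policy-applies"  # no SNI: nothing to match (assumed reading of the page)
    host = sni.lower().rstrip(".")
    if tenant_controls and host in TENANT_LOGIN_DOMAINS:
        return "decrypted-for-tenant-enforcement"
    if any(matches(host, p) for p in exempt_patterns(endpoints)):
        return "bypassed-host-level-logging-only"
    return "policy-applies"

def summarize(snis, endpoints, tenant_controls=False):
    """Count outcomes so reviewers can see how much traffic loses URL/file visibility."""
    counts = {}
    for sni in snis:
        label = expected_handling(sni, endpoints, tenant_controls)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    observed = ["contoso.sharepoint.com", "login.microsoftonline.com", "cdn.office.net", None]
    print(summarize(observed, SAMPLE_ENDPOINTS, tenant_controls=True))
```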

Limitations

  • Microsoft 365 traffic is still sent to Umbrella's web proxy service in all deployment methods (Tunnel, AnyConnect, PAC). To stop this traffic from hitting Umbrella entirely, add manual 'External Domain' entries or route the traffic directly to the internet from your connecting devices.
  • File Inspection will no longer apply to this traffic.
  • This will not change geo-location behavior for Microsoft 365.
  • This will not prevent the Microsoft 365 traffic from egressing from an Umbrella IP address.
  • This does not apply to all Microsoft/Microsoft 365 domains, only to those categorized as important for performance by Microsoft.
  • This allows a number of important Microsoft 365 domains, so web policies and filtering do not apply to them, and prevents these domains from triggering Umbrella SAML authentication.

Note: MS Intune sync requires "manage.microsoft.com" to be added to the Selective Decryption List even when the Microsoft 365 Compatibility feature is enabled.
For more information, see the official Microsoft documentation.

Procedure

  1. Navigate to Policies > Management > Web Policy and click Global Settings.
  2. Enable Microsoft 365 Compatibility.

Protected Files Bypass

Umbrella’s security protection is unable to scan protected files because these files are encrypted. Thus, Umbrella considers encrypted files to be a high-risk security threat. Therefore, by default, Umbrella, and by extension the Web policy, blocks identities from downloading encrypted files. Enabling the Web policy's Protected File Bypass global setting allows you to override Umbrella's default global setting and permits the downloading of protected files.

How Protected Files Bypass is Enabled and Disabled

  • When enabled globally, Protected Files Bypass is enabled for all rules in all rulesets. Protected File Bypass is automatically enabled when adding new rules.
  • When enabled globally, Protected Files Bypass cannot be disabled for individual rules. Protected Files Bypass is always enabled for all rules.
  • When disabled globally, Protected Files Bypass can be enabled for individual rules. Protected Files Bypass can be either enabled or disabled for all rules.
  • When disabled globally, Protected Files Bypass can be disabled for individual rules that had previously been set to enabled. Protected Files Bypass can be either enabled or disabled for all rules.

For more information and the procedure to manually enable or disable at the rule level, see Protected File Bypass.

Procedure

Note: Enable with caution as Umbrella will not scan protected files. Cisco recommends downloading and opening files from trusted sources only.

  1. Navigate to Policies > Management > Web Policy and click Global Settings.
  2. Enable Protected File Bypass.