If you have a proxy server in your environment and are using (or thinking about using) Office 365 then you will hit some pain barriers. As awesome as Office 365 is, she just isn’t a fan of proxies.
We used to be left to our own initiative, creating complex proxy bypass rules and guessing which URLs we had to exclude. This process is compounded if you also maintain a strict CIDR range on your Firewall for Office 365 endpoints.
Introducing Get-PacFile
This script will access updated information to create a PAC file to prioritize Microsoft 365 Urls for better access to the service. This script will allow you to create different types of files depending on how traffic needs to be prioritized.
Microsoft Gallery Comment
Head over to the Gallery to view the script https://www.powershellgallery.com/packages/Get-PacFile/1.0.4
Go ahead and install it by using the command:-
|
1 |
Install-Script -Name Get-PacFile |
You will be prompted to also install the “NuGet Provider”. Go ahead.
Parameters
Below is a list of parameters you can pass to the script to customize the generated PAC.
Type – The type of the proxy PAC file that you want to generate.
- 1 – Send Optimize endpoint traffic direct and everything else to the proxy server.
- 2 – Send Optimize and Allow endpoint traffic direct and everything else to the proxy server. This type can also be used to send all supported ExpressRoute for Office 365 traffic to ExpressRoute network segments and everything else to the proxy server.
ClientRequestID – This is required and is a GUID passed to the web service that represents the client machine making the call.
b10c5ed1-bad1-445f-b386-b919946339a7
Instance – The Office 365 service instance which defaults to Worldwide. Also passed to the web service.
- Worldwide
- Germany
- China
- USGovDoD
- USGovGCCHigh
Tenant Name – Your Office 365 tenant name. Passed to the web service and used as a replaceable parameter in some Office 365 URLs.
DefaultProxySettings – Your Proxy Server and Port preceded with the word “PROXY”
“PROXY 10.11.12.13:8080”
DirectProxySettings – The direct proxy settings for priority traffic.
ServiceAreas – What Services do you want defined in the PAC
- Exchange – Exchange Online and Exchange Online Protection
- SharePoint – SharePoint Online and OneDrive for Business
- Skype – Skype for Business and Microsoft Teams
- Common – Office 365 Pro Plus, Office Online, Azure AD and other common network endpoints
LowerCase – Flag this to include lowercase transformation into the PAC file for the host name matching.
Examples
.EXAMPLE
Examples given in the script
.\Get-PacFile.ps1 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -DefaultProxySettings “PROXY 4.4.4.4:70” > type1.pac
.EXAMPLE
.\Get-PacFile.ps1 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -Instance China -Type 2 -DefaultProxySettings “PROXY 4.4.4.4:70” > type2.pac
.EXAMPLE
.\Get-PacFile.ps1 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -Instance WorldWide -Lowercase -TenantName tenantName -ServiceAreas Sharepoint,Skype
Don’t forget to export the PAC to a file using >file.txt
|
1 |
Get-PacFile.ps1 -type 2 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -Instance Worldwide -DefaultProxySettings "PROXY 10.11.12.13:8080" -LowerCase -TenantName byteben -ServiceAreas Sharepoint,Skype,Exchange,Common > D:\pac.pac |
I only get a few lines when running the script:
if(shExpMatch(host, “outlook.office.com”)
|| shExpMatch(host, “outlook.office365.com”)
|| shExpMatch(host, “webhelpgroup.sharepoint.com”)
|| shExpMatch(host, “webhelpgroup-my.sharepoint.com”))
Any ideas?
Hey Robert, thanks for stopping by the post. At a guess, the “-ServiceAreas Common” parameter isn’t parsing.
Can you share what command you are using to generate that file? Ill see if I can help.
Get-PacFile -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -TenantName webhelpgroup
is that the whole command? Are you not outputting to a file?
Here is the example I gave again, you need to pass the “ServiceAreas” parameter to populate the PAC with all Office 365 URLs
Get-PacFile -type 2 -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -Instance Worldwide -DefaultProxySettings “PROXY 10.11.12.13:8080” -LowerCase -TenantName byteben -ServiceAreas Sharepoint,Skype,Exchange,Common > D:\pac.pac
That worked a lot better. Thanks!
It seems a bit short though. I ran a different PS script earlier that used the XML feed that is discontinued now. Then there was also a long list of IP subnets. Is those no longer needed?
The PAC file generally deals with required DNS entires for Office 365 services. There is a maintained list of IPs/CIDR Ranges that should be applied at the Firewall. A complete list can be found at https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
Hi,
In the JSON file that the script uses some of the URLs are marked with a category of “DEFAULT”. the script only processes URLs with ALLOWED and OPTOMISED into a type 2 PAC file. What is the reason for the Default category URLs?
Hi John,
Hope this explanation helps:-
Optimize
For a small number of endpoints that require low latency unimpeded connectivity which should bypass proxy servers, network SSL break and inspect devices, and network hairpins.
Allow
For a larger number of endpoints that benefit from low latency unimpeded connectivity. Although not expected to cause failures, we also recommend bypassing proxy servers, network SSL break and inspect devices, and network hairpins. Good connectivity to these endpoints is required for Office 365 to operate normally.
Default
For other Office 365 endpoints which can be directed to the default internet egress location for the company WAN.
https://blogs.technet.microsoft.com/onthewire/2018/04/06/new-office-365-url-categories-to-help-you-optimize-the-traffic-which-really-matters/
Hello Ben
can you tell me where to find the ClientRequestId?
Thanks for the good post.
run the following in PowerShell:
[guid]::NewGuid()