As Office 365 (Cloud) Solution & Services are getting very common to most organization, restricting and controlling of bandwidth to ensure users’ experience are not impacted – as compared to the traditional method where internal communications are deemed to be seamless, where connectivity are between 100 Mbps to 1 Gbps.

This time around, I’ll be sharing a recent implementation that involves with Office 365 and Symantec Cloud Web Proxy:

In this engagement, the client has subscribe onto a mixture of Office 365 Business Essential, Exchange Online Plan 1 and Exchange Online Kiosk, with a total of 600 users within the organization. The plan was to migrate the existing on-premise Exchange Server 2007 to Exchange Online, activate all workloads and subsequently enforce the web browsing usage – this is to ensure the users’ experience while using the Cloud are not impacted by non-productive web browsing during office hours. (e.g. Audio & Video Streaming). Hence, two (2) elements are involve – The firewall and cloud-based web proxy.

To get things started, the following components has been deployed in the infrastructure:

  1. Active Directory – GPOs are highly used for this deployment
  2. WPAD script which has been customized and published onto a Windows Server 2012 R2 Internet Information Services (IIS)
  3. DHCP with option 252 enabled and mapped to the Web Server
  4. Symantec .Cloud Web Gateway subscription
  5. Symantec Directory Synchronization Tool (SCHEMUS)
  6. Symantec Client Side Proxy with customized configuration with the bypass URLs. The Symantec CSP underlying core runs on SQUID Services where most of the configuration are highly customizable
  7. Fortinet Firewall

Working mechanism:


  1. The DHCP Servers distributes the WPAD script as part of leasing IP addresses to the endpoints (during boot-up). The browsers will then make HTTP / HTTPS requests either directly to the Server Farm (Internal Web Servers) or through the Symantec Client Side Proxy (CSP).
  2. Based on the configuration and policies (ACL) within the Symantec SCP, the browsers either gets to entirely bypass without any authentication OR basically passes through the Symantec .Cloud Web Gateway for web filtering.
  3. In this scenario, we’ve set ALL Office 365 URLs and a set of the organization’s permitted web sites (e.g. Banking Sites) where web traffics will basically bypass the Symantec .Cloud Web Gateway filtering policies while the rest will be tunneled to the Cloud Gateway before reaching to the Internet

Before starting Part 2, is it important to identify the list of frequent URLs with their associated user groups to it, types of non-browser based applications and services, IP subnets and Web Browsers used within the organization; so far, Internet Explorer, Microsoft Edge, Google Chrome & Safari doesn’t impose any compatibility issues with the above infrastructure, however Mozilla Firefox requires attention and additional steps in order to get the browser working with the Cloud Proxy.