As mentioned in a previous article, Teams devices should be able to reach the Internet in compliance with the company's security policy. More and more often, that policy forces Internet egress through proxy services, either SaaS offerings such as Websense or Zscaler, or proxies traditionally hosted on site.
These proxy services can be set up in 3 types of configuration:
– Transparent: On the IP route to the Internet between the device and the service connection point
– Declared and authenticated: Authenticated in Basic mode or others
– Declared and anonymous:
In addition to these 3 types, there are two types of proxy: SaaS or on-premises.
In the case of a SaaS service like Zscaler or Websense, one of the benefits of the solution is that all HTTPS flows are sent to the proxy service, which decides according to the URL (O365 or not) what processing to apply, such as inspection. In this type of configuration, the company no longer has to manage the numerous Office 365 URLs because they are managed directly by the proxy service provider.
Otherwise the company can use a proxy.pac file that describes whether or not the device should use the proxy services. In this case it is the company that updates its configuration files as the Office 365 URLs change, and the routing decision is made at the device level.
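One way to write such a proxy.pac, as an added example that is not from the original article: the proxy address and the short bypass list are assumptions (a constructed sample, not the complete Office 365 endpoint list). Matching is done on domain label boundaries so that look-alike host names still go through the proxy and its inspection.

```javascript
// Example proxy.pac (added illustration, not the company's or a vendor's file).
// PAC engines on embedded devices can be old, so only ES3-style syntax is used.

var PROXY = "PROXY proxy.example.com:8080"; // hypothetical corporate proxy
var DIRECT = "DIRECT";

// Constructed sample of Office 365 / Teams suffixes that bypass the proxy.
// The real list is longer and changes over time; it must be kept up to date.
var BYPASS_SUFFIXES = [
  "teams.microsoft.com",
  "login.microsoftonline.com",
  "lync.com",
  "skype.com"
];

// True when host equals the suffix or is a subdomain of it.
// A plain substring test would also match "notlync.com" or
// "lync.com.example.net" and let them skip the proxy.
function hostMatchesSuffix(host, suffix) {
  if (host === suffix) {
    return true;
  }
  var tail = "." + suffix;
  var idx = host.length - tail.length;
  return idx > 0 && host.indexOf(tail, idx) === idx;
}

// Entry point called by the device for every request.
function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();
  // Normalise a fully qualified name written with a trailing dot.
  if (host.charAt(host.length - 1) === ".") {
    host = host.substring(0, host.length - 1);
  }
  for (var i = 0; i < BYPASS_SUFFIXES.length; i++) {
    if (hostMatchesSuffix(host, BYPASS_SUFFIXES[i])) {
      return DIRECT; // Office 365 traffic leaves without the proxy
    }
  }
  return PROXY; // everything else goes through the proxy service
}
```
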
To set up a proxy on a Teams phone, the phone itself must allow it. The illustration below shows the proxy service configuration interface of a Yealink T55 phone with a very recent firmware version.
If this configuration can be managed through auto-configuration, it would make this type of device plug and play on the company network. It remains to be seen whether all the Skype devices you are going to migrate to Teams will offer the same possibilities.
The other issue you'll have to manage is that most SaaS services like Zscaler or Websense perform SSL decryption. In other words:
1 – The HTTPS stream for a site like https://www.google.com is sent to the Websense service, which pretends to be that site.
2 – The service decrypts the stream, inspects it, then re-transmits it to the final site. A bit like a "man in the middle", but one you trust.
This solution is effective but implies that your devices "trust" the Websense service. Without this, your workstation will report an SSL error because the certificate presented by Websense is not the one expected. Below is an extract from the Websense documentation.
To date we have not been able to configure Teams devices to take this mode of operation into account, and we are working with the various parties involved to find a "plug and play" solution if possible.