Firewall Ports for Office 365

I have been asked many times for the port information and tried many ways to try and portray this in a manner which is simple to understand. For further URL’s IP’s please review the following Microsoft information – I will maintain the separate workloads from this blog but it sometimes it is not always kept up to date 100%!

Server/Service Port Protocol Direction
ADFS   (Internal) 443 TCP Inbound/Outbound
ADFS (Proxy DMZ) or WAP Server 443 TCP Inbound/Outbound
Microsoft Online Portal (Website) 443 TCP Inbound/Outbound
Outlook Web Access (Website) 443 TCP Inbound/Outbound
Lync/Skype for Business Client 443 TCP Inbound/Outbound
SharePoint Online (Website) 443 TCP Inbound/Outbound
Outlook for Mac 443 TCP Inbound/Outbound
Outlook Client 443 TCP Inbound/Outbound
Mail Routing 25 TCP Inbound/Outbound
SMTP Relay (requires TLS) 587 TCP Inbound/Outbound
Simple IMAP4 migration Tool 143/993 TCP Inbound/Outbound
POP3 (requires SSL) 995 TCP Inbound/Outbound
DirSync/Azure Active Directory Connect 80/443 TCP Inbound/Outbound
Exchange Migration Tool 80/443 TCP Inbound/Outbound
IMAP Migration Tool 80/443 TCP Inbound/Outbound
Exchange Management Console 80/443 TCP Inbound/Outbound
Exchange Management Shell 80/443 TCP Inbound/Outbound
SfB (Data Sharing Sessions) 443 TCP Outbound
SfB (Video, Audio, Application Sharing) 443 TCP Outbound
SfB (Audio & Video) 3478 UDP Outbound
SfB (Audio & Video) 50000-59999 TCP/UDP Outbound
SfB/Lync Mobile Push iOS Only 5223 TCP Outbound

It should be noted that 3rd party certificate revocation will be required which is carried out normally anonymously on port 80 so any proxies/firewalls routing the traffic should expect this. Depending on your provider you may be able to get the CRL URL in advance but for Office 365 this is not as simple.

6 thoughts on “Firewall Ports for Office 365

  1. What about 5061, out for Lync (logon) ?
    Is it correct you nee inbound, 443 for the Microsoft Online Portal (Website) ?

    1. For Lync Online logon is TCP 443 and not 5061.
      The MS portal website requires a stateful bi-directional firewall rule (443) to allow traffic to flow freely between the client and the portal.

  2. Hi There,

    Maybe you can help me. I’ve logged a support call with MS and got nothing back and posted on the MS forum with no positive feedback.

    I’m trying to connect to Exchange Online using the EMC but it’s just not working. I keep getting an error saying “The attempt to connect to using “Basic authentication failed……..”

    I have NO on-premise exchange but I have successfully installed the EMC (ran schema and AD updates etc). I connect to the internet via a proxy and although I have federation in place I am using a non-federated account (as suggested by a forum member) to authenticate with the EMC.

    The correct firewall ports are open as I can successfully connect to Exchange online from the same server with PS using the same credentials that I use with the EMC. Which seems strange as the EMC is just a GUI to push PS commands out.

    Any ideas?

    1. Hi Craig

      The command I always use to connect is as follows:

      import-module msonline
      $Sess = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Cred -Authentication Basic -AllowRedirection
      Import-PSSession $Sess

      Using this in PS and you should connect successfully if you are using the correct credentials.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.