Firewall Ports for Office 365

All the port requirements for Office 365 connectivity

Skype for Business Online for Office 365 Firewall Requirements

Adam Hand - ahandyblog Leave a comment

The following are the requirements of Skype for Business Online for Office 365, note this information can change as the service evolves. This is from the clients machine to Office 365

Firewall Ports

Port Destination Protocol Client Usage Direction

443

TCP

SIP Signalling

Outbound

443

TCP

Audio, Video, Application sharing sessions and Web Conferencing

Outbound

3478

UDP

Audio and Video Sessions

Outbound

5223

TCP

SfB Mobile push notifications –  iOS Only

Outbound

50000 TO 59999 INCLUSIVE

RTC/UDP/TCP

Audio and Video Sessions

Outbound

50000 TO 59999 INCLUSIVE

TCP

Application Sharing and File   Transfer

Outbound

The following is the URL’s that SfB Online from the client will use to get to the SfB Online servers so if the traffic is going through internet proxies and you are having issues these URL’s will be helpful:

*.lync.com
crl.microsoft.com
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

Finally the last point is if your firewall guys want to lock down access to specific IP addresses (although NOT recommended due to the fact these can be changed) Please refer here:

https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_LYO

Firewall Ports for Office 365

Adam Hand - ahandyblog 6 Comments

I have been asked many times for the port information and tried many ways to try and portray this in a manner which is simple to understand. For further URL’s IP’s please review the following Microsoft information – https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity. I will maintain the separate workloads from this blog but it sometimes it is not always kept up to date 100%!

Server/Service Port Protocol Direction
ADFS   (Internal) 443 TCP Inbound/Outbound
ADFS (Proxy DMZ) or WAP Server 443 TCP Inbound/Outbound
Microsoft Online Portal (Website) 443 TCP Inbound/Outbound
Outlook Web Access (Website) 443 TCP Inbound/Outbound
Lync/Skype for Business Client 443 TCP Inbound/Outbound
SharePoint Online (Website) 443 TCP Inbound/Outbound
Outlook for Mac 443 TCP Inbound/Outbound
Outlook Client 443 TCP Inbound/Outbound
Mail Routing 25 TCP Inbound/Outbound
SMTP Relay (requires TLS) 587 TCP Inbound/Outbound
Simple IMAP4 migration Tool 143/993 TCP Inbound/Outbound
POP3 (requires SSL) 995 TCP Inbound/Outbound
DirSync/Azure Active Directory Connect 80/443 TCP Inbound/Outbound
Exchange Migration Tool 80/443 TCP Inbound/Outbound
IMAP Migration Tool 80/443 TCP Inbound/Outbound
Exchange Management Console 80/443 TCP Inbound/Outbound
Exchange Management Shell 80/443 TCP Inbound/Outbound
SfB (Data Sharing Sessions) 443 TCP Outbound
SfB (Video, Audio, Application Sharing) 443 TCP Outbound
SfB (Audio & Video) 3478 UDP Outbound
SfB (Audio & Video) 50000-59999 TCP/UDP Outbound
SfB/Lync Mobile Push iOS Only 5223 TCP Outbound

It should be noted that 3rd party certificate revocation will be required which is carried out normally anonymously on port 80 so any proxies/firewalls routing the traffic should expect this. Depending on your provider you may be able to get the CRL URL in advance but for Office 365 this is not as simple.