Firewall Ports for Office 365

I was recently working on an Office 365 deployment when the question about firewall ports came up. So I thought I would share this information:

Server/Service                            Port          Protocol   Direction
ADFS (Internal)                           443           TCP        Inbound/Outbound
ADFS (Proxy DMZ) or WAP Server            443           TCP        Inbound/Outbound
Microsoft Online Portal (Website)         443           TCP        Inbound/Outbound
Outlook Web Access (Website)              443           TCP        Inbound/Outbound
Lync/Skype for Business Client            443           TCP        Inbound/Outbound
SharePoint Online (Website)               443           TCP        Inbound/Outbound
Outlook for Mac                           443           TCP        Inbound/Outbound
Outlook Client                            443           TCP        Inbound/Outbound
Mail Routing                              25            TCP        Inbound/Outbound
SMTP Relay (requires TLS)                 587           TCP        Inbound/Outbound
Simple IMAP4 Migration Tool               143/993       TCP        Inbound/Outbound
POP3 (requires SSL)                       995           TCP        Inbound/Outbound
DirSync/Azure Active Directory Sync       80/443        TCP        Inbound/Outbound
Exchange Migration Tool                   80/443        TCP        Inbound/Outbound
IMAP Migration Tool                       80/443        TCP        Inbound/Outbound
Exchange Management Console               80/443        TCP        Inbound/Outbound
Exchange Management Shell                 80/443        TCP        Inbound/Outbound
Lync (Data Sharing Sessions)              443           TCP        Outbound
Lync (Video, Audio, Application Sharing)  443           TCP        Outbound
Lync (Audio & Video)                      3478          UDP        Outbound
Lync (Audio & Video)                      50000-59999   TCP/UDP    Outbound
Lync Mobile Push (iOS only)               5223          TCP        Outbound

It should be noted that third-party certificate revocation checking (CRL/OCSP) will also be required. This is normally carried out anonymously over port 80, so any proxies or firewalls routing the traffic should expect unauthenticated HTTP to the certificate authorities' revocation endpoints. Depending on your provider you may be able to obtain the CRL URLs in advance, but for Office 365 this is not as simple.
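To make the table above checkable rather than just readable, here is an added example (Python, not part of the original post) that parses the table rows, expands port lists and ranges, and reports which entries an existing outbound allow-list does not fully cover, treating the port-80 revocation-check traffic from the note as an implicit row. The allow-list format (a list of protocol/port-range tuples) is an assumption, and the embedded table is a constructed subset of the rows above.

```python
from dataclasses import dataclass

# Constructed subset of the post's table: "service port(s) protocol(s) direction".
PORT_TABLE = """\
ADFS (Internal) 443 TCP Inbound/Outbound
Outlook Client 443 TCP Inbound/Outbound
Mail Routing 25 TCP Inbound/Outbound
SMTP Relay (requires TLS) 587 TCP Inbound/Outbound
Simple IMAP4 Migration Tool 143/993 TCP Inbound/Outbound
DirSync/Azure Active Directory Sync 80/443 TCP Inbound/Outbound
Lync (Audio & Video) 3478 UDP Outbound
Lync (Audio & Video) 50000-59999 TCP/UDP Outbound
Lync Mobile Push (iOS only) 5223 TCP Outbound
"""

@dataclass(frozen=True)
class Rule:
    service: str
    lo: int        # first port of the range
    hi: int        # last port of the range (equal to lo for a single port)
    proto: str     # "TCP" or "UDP"
    direction: str

def parse_table(text):
    """Expand 'a/b' port lists, 'lo-hi' ranges and 'TCP/UDP' into one Rule each."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        service, ports, protos, direction = " ".join(parts[:-3]), *parts[-3:]
        for port in ports.split("/"):
            lo, _, hi = port.partition("-")
            for proto in protos.split("/"):
                rules.append(Rule(service, int(lo), int(hi or lo), proto, direction))
    return rules

# Revocation checking (CRL/OCSP) is plain HTTP, as the post notes, so it is
# treated as a required row even though the table does not list it.
CRL_RULE = Rule("Certificate revocation (CRL/OCSP)", 80, 80, "TCP", "Outbound")

def uncovered(policy, rules):
    """policy: assumed list of (proto, lo, hi) ranges already allowed outbound.
    Returns every rule (plus CRL_RULE) that no single allowed range fully covers,
    so a partial range like UDP 50000-55000 still flags the 50000-59999 row."""
    def covered(rule):
        return any(proto == rule.proto and lo <= rule.lo and rule.hi <= hi
                   for proto, lo, hi in policy)
    return [r for r in rules + [CRL_RULE] if not covered(r)]
```

Running `uncovered([("TCP", 443, 443), ("TCP", 25, 25)], parse_table(PORT_TABLE))` lists the SMTP relay, IMAP, DirSync port 80, Lync media, push and CRL rows as gaps in that policy.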


18 thoughts on “Firewall Ports for Office 365”

  1. The problem my firm has in rolling this out is that the URL (web) filtering on our Fortigate is blocking Outlook from connecting to 365.

    Anyone have any issues getting Outlook to connect to hosted Exchange?

  2. Hi Andy, if you are moving an on-prem user to online, will the on-prem front-end require port 80/443 inbound/outbound to move the user's data?

    • Hi Danny – By front end I am assuming Exchange CAS? If so, at a minimum you will need 443 open, as all the traffic will be over SSL, although sometimes an initial connection may be on port 80 but will always be redirected to 443. I have successfully deployed hybrid with only 443 and 25 (for email flow) open before.

  3. Hi Adam, I have 2 x ADFS in the internal network and 2 x ADFS Proxy in the DMZ (2 x NIC), and both are using a VIP address for the load balancer. Can you please advise me what the source and destination addresses are that I need to allow in the firewall? I know we need to allow 443 and 49443.

    Cheers
    Merwin

    • Hi Merwin

      In terms of the ADFS configuration it is probably best to break them down into their roles. However, first of all, what are you using for your load balancer: is this Windows NLB or a 3rd party software/hardware one? Also, in terms of port 49443, this is ONLY required if you are doing client user certificate based authentication; if you are, fine; if not, this is not required.

      From the ADFS Proxy servers' public-facing side, the VIP and Proxy servers need to be open from anywhere on the internet to themselves via port 443 and 49443 (if required). Then, depending on your VIP, if this is WNLB then this rule applies to the servers anyway. If anything else, then the same rules will apply from the VIP to the ADFS proxies, depending on how your DMZ network is constructed. However, the public IP for ADFS should be pointing at your VIP only and not the servers.

      Then for the internal traffic, ADFS Proxy to the internal VIP, this will be port 443 as well, with the source as the ADFS proxy servers and the destination as the internal VIP; however, you should also include the ADFS servers on the internal firewall.

      Adam
