Share via

What firewall ports do I need open to connect to Office 365 for Education?

  • Article

This was a question for a large university in Arizona moving faculty, staff and students to Office 365.

Here are the ports from the deployment guide (note: these are subject to change so refer here to the latest Port and IP list):

image

 

* SMTP Relay with Exchange Online requires TCP port 587 and requires TLS. See TechNet for details on how to configure SMTP Relay with Exchange Online. Note: you will need to provide the SMTP server which is specific to the mailbox used for relay. See the TechNet article Set Up Outlook 2007 for IMAP or POP Access to Your E-Mail Account .

** POP3 access with Exchange Online requires TCP port 995 ) and requires SSL. See TechNet for details on how to configure POP3 with Exchange Online.

 

Can I lock it down to certain IP ranges, URLs/servers?

Yes, here are the IP ranges and URLs/Servers:

Office 365 portal

image

 

Microsoft online services sign in:

image

 

Exchange Online sign in and authentication:

207.46.150.128/25
157.55.59.128/25
*.microsoftonline.com
*.microsoftonline-p.com
*.microsoftonline-p.net
*.microsoftonlineimages.com
*.microsoftonlinesupport.net

 

Exchange Online servers: note: only need IP ranges for your geographic region

Americas

65.54.62.0/25
65.55.39.128/25
65.55.78.128/25
65.55.94.0/25
65.55.113.64/26
65.55.126.0/25
65.55.174.0/25
65.55.181.128/25
70.37.151.128/25
157.55.49.0/25
157.55.49.128/25
157.55.61.0/25
157.55.61.128/25
157.55.157.128/25
157.56.24.0/25
157.56.234.0/28
157.56.234.16/29
157.56.234.24/29
157.56.234.32/28
157.56.234.48/28
157.56.234.64/28
157.56.236.0/28
157.56.236.16/28
157.56.236.32/29
157.56.236.40/29
157.56.236.48/28
157.56.236.64/28
157.56.240.0/28
157.56.240.16/28
157.56.240.32/29
157.56.240.40/29
157.56.240.48/28
157.56.240.64/28
157.56.244.0/28
157.56.244.16/29
157.56.244.24/29
157.56.244.32/28
157.56.244.48/28
157.56.244.64/28
207.46.4.128/25
207.46.198.0/25
207.46.203.128/26

Europe

94.245.117.128/25
157.55.9.128/25
157.55.11.0/25
157.55.47.0/25
157.55.47.128/25
157.55.224.128/25
157.55.225.0/25
213.199.174.0/25
213.199.177.0/26

Asia-Pacific

111.221.23.128/25
111.221.66.0/25
111.221.69.128/25
207.46.58.128/25

Microsoft Federation Gateway – required for federated delegation and hybrid deployments

207.46.150.128/25
207.46.164.0/24
*.microsoftonline-p.com
*.live.com
*.microsoftonline.com
*.microsoftonlinesupport.net

FOPE URLs and IP addresses

  • 12.129.20.0/24
  • 12.129.199.61
  • 12.129.219.155
  • 63.241.222.0/24
  • 65.55.88.0/24
  • 94.245.120.64/26
  • 206.16.57.70
  • 207.46.51.64/26
  • 207.46.163.0/24
  • 213.199.154.0/24
  • 213.199.180.128/26
  • 216.32.180.0/24
  • 216.32.181.0/24

CIDR format

  • 12.129.20.0/24 = 12.129.20.1 - 12.129.20.254
  • 63.241.222.0/24 = 63.241.222.1 - 63.241.222.254
  • 65.55.88.0/24 = 65.55.88.1 - 65.55.88.254
  • 94.245.120.64/26 = 94.245.120.65 – 94.245.120.126
  • 207.46.51.64/26 = 207.46.51.65 - 207.46.51.126
  • 207.46.163.0/24 = 207.46.163.1 - 207.46.163.254
  • 213.199.154.0/24 = 213.199.154.1 - 213.199.154.254
  • 213.199.180.128/26 = 213.199.180.129 – 213.199.180.190
  • 216.32.180.0/24 = 216.32.180.1 - 216.32.180.254
  • 216.32.181.0/24 = 216.32.181.1 - 216.32.181.254

Lync Online URLs and Servers

IP Ranges

  • 111.221.17.128/27
  • 111.221.22.64/26
  • 111.221.23.0/25
  • 157.55.104.96/27
  • 157.55.229.128/27
  • 157.55.238.0/25
  • 157.55.40.128/25
  • 157.55.46.0/27
  • 157.55.46.64/26
  • 207.46.5.0/24
  • 207.46.57.0/25
  • 207.46.7.128/27
  • 65.54.54.128/25
  • 65.55.121.128/27
  • 65.55.127.0/24

Lync Online URLs

  • *.online.lync.com
  • *.onmicrosoft.com
  • *.infra.lync.com
  • *.lync.com

Comments

  • Anonymous
    January 01, 2003
    The * next to the ports is for a footnote listed below the ports.  SMTP relay info and POP3 info.

  • Anonymous
    January 01, 2003
    Gavin, For our federation services using ADFS it is using TCP port 443. I don't know if F5 APM SAML is tested or supported with Office 365. See here for a list of tested 3rd party STS/IdPs: technet.microsoft.com/.../jj679342.aspx  and this for Shibb as an STS/IdP: www.microsoft.com/.../confirmation.aspx. Typically, the request for SAML tokens occurs directly to the STS (ADFS, Shibb, or other tested STS/IdPs) in some cases the token request will come from Office 365 or directly from the requesting client to the STS via 443 when request is made from off network (Internet) e.g. mobile device, Outlook, remote web or Lync, etc.

  • Anonymous
    January 01, 2003
    @Hasan - safest bet would be to open both especially if you enable URL blocking/restrictions.

  • Anonymous
    January 24, 2012
    What does the * next to the ports mean? Bidirectional?

  • Anonymous
    March 28, 2012
    The comment has been removed

  • Anonymous
    July 09, 2012
    Hi, so are there additional ip addresses for Exchange Online Powershell.

  • Anonymous
    May 22, 2013
    Hi there, Sorry if the answer is already on the page staring at me, but I'm just not 100% which of these ranges applies to my scenario... I'm configuring Office 365 for federated security using our inhouse F5 APM SAML Service as a SAML IdP. I need to know which IP ranges to allow into our site so that Office 365 can redirect clients to our IdP for authentication, and of course the reverse for my outbound rule. Is it the range for Exchange online or Office 365 Portal? Where will these authentication requests come from? And wha ports? Just 443? Thanks in advance!

  • Anonymous
    August 02, 2013
    List of IPs: onlinehelp.microsoft.com/.../hh373144.aspx

  • Anonymous
    October 08, 2013
    When will Microsoft finally start to publish all thes IP lists in ONE place and up to date with IP's/ranges added BEFORE they are used in production. We manage Firewalls for many customers and these customers don't like to open the Internet for all ports required for all Office365 services. It would be useful for anyone supporting these solutions if there would be a mailinglist you could subscribe to that would tell you when a new IP block is taken to production. WPAD.DAT or Proxy.pac zfiles need to be updated, to allow access while bypassing proxies.

  • Anonymous
    August 21, 2014
    We observed during Lync Meetings client systems are trying to reach 132.245.x.x IP ranges on sharing any resource like Desktop/ Presentation, etc., however no-where mentioned any information on these IP's....

  • Anonymous
    January 20, 2015
    Dear Sir,
    Can we open either URL or IP's? Do we need both to be opened?

  • Anonymous
    March 22, 2015
    Which direction must the ports be open in our local Network? should this ports be open from internal to external or from external to internal Network? or just both directions?
    Please answer me. thanks in advance.

  • Anonymous
    September 08, 2015
    The comment has been removed