Partager via


Exchange Online: Keeping your 'Inbound From Office 365' Receive Connector Current with Microsoft Public IP's

Background:

It's not uncommon for Exchange Online support to receive the occasional call where customers want to know how to stay on top of our public IP's. They change occasionally and unless customers are current with our RSS feeds on THIS page, then they'll likely find out that they're out of date when they start observing mail delays. Obviously, there is a better way to go about this. 

Disclaimer:
If you leverage your Firewall to Restrict/Allow Microsoft Public IPs, running this will likely break hybrid mail flow and should not be attempted. It's also worth noting that the ranges listed at https://technet.microsoft.com/en-us/library/hh373144.aspx will be slightly different than the results you get from running Get-HybridMailFlowDatacenterIPs. This is because the cmdlet only lists IP ranges that are specifically leveraged for mail flow and the website lists all IP ranges that the Exchange Online service uses for all of it's public facing functions, such as Client Access, EAC/ECP, Free/Busy, Migrations and of course, Mail Flow.

Manual Method:

1. Connect Exchange Management Shell to your tenant in Exchange Online (Refer to this link for help, https://blogs.technet.com/b/mitchelatmicrosoft/archive/2014/12/23/connecting-powershell-to-your-tenant.aspx )

2. Create a variable to pipe over to your Set-ReceiveConnector cmdlet

$FormatEnumerationLimit =-1
$ip = Get-HybridMailflowDatacenterIPs

3. You can run Get-HybridMailFlowDatacenterIPs by itself to verify the results. If you don't run $FormatEnumerationLimit =-1 prior to running this, you'll see that the IP range list is not enumerated:
Example:

DatacenterIPs : {65.55.88.0/24, 94.245.120.64/26, 207.46.51.64/26, 207.46.163.0/24...}

After running $FormatEnumerationLimit =-1 and running Get-HybridMailFlowDatacenterIPs, you should see the entire list:
Example:

DatacenterIPs : {65.55.88.0/24, 94.245.120.64/26, 207.46.51.64/26, 207.46.163.0/24, 213.199.154.0/24,
213.199.180.128/26, 216.32.180.0/24, 216.32.181.0/24, 2a01:111:f400:7c00::/54, 23.103.128.0/20,
23.130.156.0/22, 23.103.128.0/19, 104.47.0.0/17, 23.103.198.0/23, 23.103.200.0/21, 23.103.191.0/24,
2a01:111:f400:fc00::/54, 64.4.22.64/26, 65.55.169.0/24, 65.55.83.128/27, 134.170.132.0/24,
134.170.140.0/24, 134.170.171.0/24, 157.55.133.160/27, 157.55.158.0/23, 157.55.234.0/24,
157.55.206.0/23, 157.56.73.0/24, 157.56.87.192/26, 157.56.108.0/24, 157.56.110.0/24, 157.56.111.0/24,
157.56.112.0/24, 157.56.206.0/24, 157.56.208.0/22, 207.46.100.0/24, 207.46.101.128/26}

4. Once you have verified that you're seeing all of the IP ranges, you can feed them into a Set-ReceiveConnector cmdlet

Get-ReceiveConnector "Inbound From Office 365" | Set-ReceiveConnector -RemoteIPRanges $ip.DatacenterIPs

5. Run Get-ReceiveConnector "Inbound From Office 365" | fl Identity,RemoteIPRanges to verify that the IP ranges are current

Entire Script to paste into EMS:

$FormatEnumerationLimit =-1
$ip = Get-HybridMailflowDatacenterIPs
Get-ReceiveConnector "Inbound From Office 365" | Set-ReceiveConnector -RemoteIPRanges $ip.DatacenterIPs

Scripted Method:
Would you like to just run a script to do this? No problem!

1. Compile this script into a .PS1 file and modify the identity of the receive connector accordingly as well as the username after Get-Credential

$FormatEnumerationLimit =-1
$O365Cred = Get-Credential YourTenantAdmin@tenant.onmicrosoft.com
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
$ip = Get-HybridMailflowDatacenterIPs
Get-ReceiveConnector "Receive Connector Name" | Set-ReceiveConnector -RemoteIPRanges $ip.datacenterips

2. Once you have this saved into .ps1 file, simply run it in Exchange Management Shell, type in your password and wait for it to complete, it should only take a matter of seconds.

Script/Scheduled Task Method:
Want it to just run for you? No problem! It involves caching a Tenant Admin password in your powershell script though.

1.  Compile this script into a .PS1 file, name it HybridIPs.PS1, throw it in the folder C:\Scripts (or change the file location in the script) and modify the identity of the receive connector accordingly as well as the username and password:

$FormatEnumerationLimit =-1
$Pass = ConvertTo-SecureString "ReplaceWithPlainTextPassword" -AsPlainText -Force
$O365Cred = New-Object System.Management.Automation.PSCredential ("YourTenantAdmin@tenant.onmicrosoft.com", $Pass)
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
$ip = Get-HybridMailflowDatacenterIPs
Get-ReceiveConnector "Receive Connector Name" | Set-ReceiveConnector -RemoteIPRanges $ip.datacenterips
Start-Sleep -S 10
Exit

2. Run powershell as an Administrator on your Hybrid Server and run the following command:
Set-ExecutionPolicy Unrestricted

3. Create a Basic Task, name it appropriately, set your desired time and interval and select it to Start a Program. In the Program/script field, paste in the following:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

A. If you're on Exchange 2013 Hybrid, add the following into 'Add arguments (optional)' field:

-command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\Scripts\.\hybridips.ps1"

B. If you're on Exchange 2010 Hybrid, add the following into 'Add arguments (optional)' field:

-version 2.0 -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\scripts\.\hybridips.ps1"

Then give it a try. You should see Powershell open and run through its' motions. If you run into any issues, feel free to ask me in the comments section.

I hope this helps! I may be updating this in the very near future with a script to account for any/all potential failures as well as logging changes.

-Mitchel

Comments

  • Anonymous
    January 01, 2003
    Hey Ryan,

    Great question! I don't have an answer on the inconsistencies yet. However, if you look at the subnets listed, there's some overlap. /19 = 8,192 hosts and is all encompassing of the top two EOP ranges. 23.103.128.0 - 23.103.159.255 is the complete range for 23.103.128.0/19.

    I'll follow up soon.

    Cheers,

    Mitchel
  • Anonymous
    January 01, 2003
    Thanks for sharing the code. Automating the update of the remote IP address ranges simplifies admins life a lot.
  • Anonymous
    January 01, 2003
    My pleasure! Hopefully this solution won't be necessary as time progresses and more network solutions support URL based filtering. Let me know how it works out for you.

    Cheers,

    Mitchel
  • Anonymous
    January 01, 2003
    Hey Robert,

    I apologize for the late reply. This scenario doesn't take Lync into consideration and I do not think it will provide a complete range of Lync IP's.

    Cheers,

    Mitchel
  • Anonymous
    January 02, 2015
    Hi Mitchel -

    Thanks for the informative post - the information will come in handy. As I was creating a script to automate updating receive connectors, I compared the IP addresses obtained from Get-HybridMailflowDatacenterIPs with what is posted athttp://technet.microsoft.com/library/dn163583.aspx . While they are the same list for the most part, there are a few differences... specifically, the first few IPs are inconsistent (see below).

    Should the lists be identical? Which should be considered correct?

    Get-HybridMailflowDatacenterIPs:
    23.103.128.0/19
    23.103.128.0/20

    Technet (Exchange Online Protection IP addresses):
    23.103.132.0/23
    23.103.134.0/23
    23.103.144.0/19
  • Anonymous
    January 12, 2015
    Could this be used with Lync to monitor Lync ranges as well?