Whitelisting Exchange 365 IP ranges

For accessing Exchange 365, there is a whole list of IPs that need to be bypassed via the firewall:

http://help.outlook.com/en-us/140/gg263350.aspx

But still Microsoft maintains that the IPs are dynamic and subject to change, and we need to subscribe to an RSS feed to keep track of these IP changes.

http://technet.microsoft.com/en-us/library/hh852522.aspx

Is there an easier way out to let our firewall / proxy access Office 365 unhindered? Microsoft suggests configuring firewall rules based on DNS rather than IP, but Cisco's ASA series doesn't support that.

Also, are there any other security precautions we need to consider while opening up these access IPs / ports to Microsoft DCs?
1 Solution
 
Mohammed Hamada (Senior IT Consultant) commented:
You can ask Microsoft directly to provide you with CIDRs for their networks! And for further security you can set up an IDS, or if you already have it on your ASA firewall then you can configure it.

The IDS is very effective and secure, but you may want to make some alterations to change some things in relation to how restricted the policy is.
 
fahim (Author) commented:
Microsoft has indeed provided the CIDRs. The issue is that there are IP ranges of /16 and /24, and about 15 of them. Moreover, Microsoft recommends opening outbound ports 80 as well as 443 to all of these hundreds of thousands of IPs ( http://onlinehelp.microsoft.com/en-in/office365-enterprises/hh373144.aspx ). With no IPS in the middle, how safe would this outbound access be? What are the threats?
 
Mohammed Hamada (Senior IT Consultant) commented:
For an outbound connection I don't think there would be threats if they were owned by Microsoft.

I mean, you said those IPs are dynamic, which means they'll change, but probably within the scope of Microsoft's CIDRs! Right?

If so, then I don't think there will be a risk for an outbound connection, since you know the ranges that connection is going to! And as I said, for more security you can set up your IDS to filter all packets.
 
fahim (Author) commented:
If it's an https (443) connection, what would be the benefit of an IDS?
 
Mohammed Hamada (Senior IT Consultant) commented:
The IDS will work for HTTP only, but for HTTPS, if Microsoft's CIDRs don't change then I don't think you will need to worry unless Microsoft's infrastructure gets infected.
 
fahim (Author) commented:
Thanks. My related query was also that Microsoft suggests configuring firewall rules based on DNS rather than IP, but Cisco's ASA series doesn't support that...

This becomes an administrative issue: keeping track of RSS feeds and knowing which IPs to poke holes for within the firewall. Is there any other, better mechanism around?
 
Mohammed Hamada (Senior IT Consultant) commented:
Then I'd suggest an open-source firewall that would work and wouldn't cost you much at the same time.

I'm using the pfSense firewall. I have already set it up in multiple customers' infrastructures and it's doing a great job. It has been up for a really long time.

Check this question:
http://forum.pfsense.org/index.php?topic=29037.0
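The administrative burden raised in this thread (re-checking the published range list and opening only ports 80 and 443 to it on an ASA that cannot filter by DNS name) is the kind of thing a small script can take over. The following is an added example, not code from the thread or from Microsoft or Cisco: it validates two snapshots of a range list, reports what changed, flags unusually large ranges for review, and renders an ASA object-group plus the two permit rules. The CIDRs are constructed placeholders, and the object-group and ACL names are assumptions to be adapted to your own policy.

```python
import ipaddress

# Constructed sample snapshots of a published IP-range list (placeholder CIDRs
# from RFC 5737 / RFC 3849, not Microsoft's real allocations). In practice
# PREVIOUS is the last list you applied and CURRENT is the freshly fetched one.
PREVIOUS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]
CURRENT = ["192.0.2.0/24", "198.51.100.0/23", "203.0.113.0/24", "2001:db8:1::/48"]


def parse_ranges(entries):
    """Validate CIDR strings and collapse overlapping/adjacent ranges per family.

    A malformed entry raises ValueError, so a corrupted feed never reaches the firewall.
    """
    nets = {ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()}
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def diff_ranges(previous, current):
    """Return (added, removed) networks between two snapshots, sorted by text."""
    old, new = set(parse_ranges(previous)), set(parse_ranges(current))
    return sorted(new - old, key=str), sorted(old - new, key=str)


def too_broad(networks, max_hosts=65536):
    """Flag IPv4 ranges larger than a /16 so a human reviews them before they are opened."""
    return [n for n in networks if n.version == 4 and n.num_addresses > max_hosts]


def asa_config(group, networks, acl="OUTSIDE_OUT"):
    """Render an ASA object-group and permit rules limited to TCP 80 and 443.

    Group and ACL names are placeholders (assumed); the rule only allows the ports
    the thread says the service needs, not the whole range.
    """
    lines = [f"object-group network {group}"]
    for n in networks:
        if n.version == 4:
            lines.append(f" network-object {n.network_address} {n.netmask}")
        else:
            lines.append(f" network-object {n.with_prefixlen}")
    for port in (80, 443):
        lines.append(f"access-list {acl} extended permit tcp any object-group {group} eq {port}")
    return lines


if __name__ == "__main__":
    added, removed = diff_ranges(PREVIOUS, CURRENT)
    print("added:", [str(n) for n in added], "removed:", [str(n) for n in removed])
    print("review:", [str(n) for n in too_broad(parse_ranges(CURRENT))])
    print("\n".join(asa_config("O365_RANGES", parse_ranges(CURRENT))))
```

Run it from a scheduled job whenever the published list changes; apply the rendered lines only after reviewing the added and flagged ranges.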