Solved

Whitelisting Exchange 365 IP ranges

Posted on 2013-12-18
7
1,536 Views
Last Modified: 2014-01-02
For accessing exchange 365, there is a whole list of IPs that needs to be bypassed via firewall:

http://help.outlook.com/en-us/140/gg263350.aspx

But still microsoft maintains that the IPs are dynamic and subject to change and we need to subscribe to an RSS feed to keep track of these IP changes.

http://technet.microsoft.com/en-us/library/hh852522.aspx

Is there an easier way out to let our Firewall / proxy access office 365 un-hindred? microsoft suggests to configure firewall rules based on DNS rather than IP but Cisco's ASA series doesn't support that.

Also, any other security precautions we need to consider while opening up these access IPs/ ports to microsoft DCs?
0
Comment
Question by:fahim
  • 4
  • 3
7 Comments
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39728555
You can ask Microsoft directly to provide you with CIDR for their networks! and for further security you can setup an IDS or if you have it already on your ASA Firewall then you can configure it.

The IDS is very effective and secure but you may want to do some alterations to change some things in relatation with how restricted is the policy.
0
 

Author Comment

by:fahim
ID: 39735447
Microsoft has indeed provided the CIDRs. The issue is that there are IP ranges of /16, /24 ranges and that's about 15 of them. Moreover, Microsoft recommends to open outbound ports 80 as well as 443 to all of these hundreds of thousands of IPs ( http://onlinehelp.microsoft.com/en-in/office365-enterprises/hh373144.aspx ). With no IPS in the middle, how safe would be this outbound access? What are the threats?
0
 
LVL 23

Accepted Solution

by:
Mohammed Hamada earned 500 total points
ID: 39735546
For an outbound connection I don't think there would be threats if they were owned by Microsoft.

I mean you said those IPs are dynamic which means they'll change but probably in the scope of Microsoft's CIDR! right?

If so then I don't think there will be a risk for an outbound connection since you know the ranges that connection is going to! and as I said for more security you can setup your IDS to filter all packets.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:fahim
ID: 39735765
If it's an https (443) connection, what would be the benefit of an IDS?
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39735870
The IDS will work for HTTP only, but for HTTPS If the CIDRs of Microsoft doesn't change then I don't think you will need to worry unless Microsoft's infrastructure gets infected.
0
 

Author Comment

by:fahim
ID: 39737983
Thanks..my related query was also that Microsoft suggests to configure firewall rules based on DNS rather than IP but Cisco's ASA series doesn't support that....

This becomes an administrative issue to keep track of RSS feeds and knowing which all IPs to poke holes for within the firewall. Any other better mechanism around?
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39738134
Then I'd suggest an open source firewall that would work and wouldn't cost you much at the same time.

I'm using Pfsense firewall, I have already set it up in multiple customers based infrastructure and it's doing a great job. it has been up for a really long time.

Check this question
http://forum.pfsense.org/index.php?topic=29037.0
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question