Address range to permit imap/993 to outlook.office365.com?

I have a client that wants to run imap to outlook.office365.com:993.
The problem I am running into is that when I look at firewall logs I
see his traffic going to addresses not seen in the nslookup of
outlook.office365.com. So my question: what is the range of addresses
required to permit imap to outlook.office365.com?

https://itservices.usc.edu/office365/emailclients/
Asked by amigan_99 (Network Engineer)
 
Vasil Michev (MVP) Commented:
The only list Microsoft publishes is here: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#bkmk_exo

It's not "just IMAP" you need anyway, at the very least you need authentication as well. Make sure to allow *all* the URLs and IP ranges listed there, unless you want to play the exclusion game on a per-entry basis.

In addition, make sure to add the EOP IP ranges as well: https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx
 
Michelangelo (Consultant) Commented:
One note:
To check IMAP you just need IMAP port open which is 993. Authentication is done on that port only (proxy authentication).
Find details here:
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_security-mso_o365b/office-365-imap-and-pop3-authentication-flow/8f214fd6-5434-4a1f-bd2b-c414b810d0fa
IMAP/POP clients use basic authentication. For AD FS, what basic authentication have in common is that Exchange Online does the authentication with AD FS on behalf of the client, which is also known as proxy authentication.

More specifically, the client sends the Basic authentication credentials to Exchange Online over SSL/TLS and Exchange Online sends the authentication credentials to Azure AD (Office 365 Identity Platform) using something called proxy authentication. Azure AD returns the respective endpoint for the on-premise AD FS for Exchange Online. Then Exchange Online contacts the on-premise AD FS server for authentication, which afterwards authenticates with Active Directory and is provided with a logon token containing the necessary user claims. Then AD FS server sends this token back to Exchange Online, which again sends it to Azure AD. Then Azure AD returns another token to Exchange Online which can be used to authenticate the client.
 
amigan_99 (Network Engineer, Author) Commented:
Thanks for the replies! I was mostly looking for the IP blocks. But thanks for the confirmation on the 993 port.
Question has a verified solution.
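
An added example, not part of the original thread: one way to check which port-993 destinations seen in firewall logs fall inside the published ranges and which do not. The CIDR blocks are constructed placeholders from documentation address space, and the key=value log format and function names are assumptions; substitute the ranges copied from the published list and adapt the parser to your firewall's log format.

```python
import ipaddress
import re

# Constructed placeholders (documentation address space), NOT real Office 365
# ranges. Paste the blocks from the published list here.
PUBLISHED_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/40"]

# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
t=1 action=deny src=10.1.1.20 dst=192.0.2.45 dport=993 proto=tcp
t=2 action=deny src=10.1.1.20 dst=198.51.100.200 dport=993 proto=tcp
t=3 action=allow src=10.1.1.20 dst=198.51.100.7 dport=443 proto=tcp
t=4 action=deny src=10.1.1.20 dst=2001:db8:100::25 dport=993 proto=tcp
t=5 action=deny src=10.1.1.20 dst=not-an-ip dport=993 proto=tcp
t=6 action=deny src=10.1.1.20 dst=203.0.113.9 dport=993 proto=tcp
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def load_networks(cidrs):
    # strict=True rejects entries with host bits set, which usually means
    # a range was mistyped when copied into the rule set.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def classify(log_text, networks, port=993):
    """Sort logged destinations for one port into covered / uncovered / malformed."""
    covered, uncovered, malformed = {}, set(), []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("dport") != str(port):
            continue  # only the port being reviewed
        try:
            addr = ipaddress.ip_address(fields.get("dst", ""))
        except ValueError:
            malformed.append(line)  # keep for manual review, do not guess
            continue
        match = next((n for n in networks
                      if n.version == addr.version and addr in n), None)
        if match is not None:
            covered[str(addr)] = str(match)
        else:
            uncovered.add(str(addr))
    return {"covered": covered, "uncovered": uncovered, "malformed": malformed}


if __name__ == "__main__":
    result = classify(SAMPLE_LOG, load_networks(PUBLISHED_RANGES))
    for key, value in result.items():
        print(key, value)
```

Destinations reported as uncovered are the ones to compare against the current published list before any rule is widened.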
