Address range to permit imap/993 to outlook.office365.com?

I have a client that wants to run imap to outlook.office365.com:993.
The problem I am running into is that when I look at firewall logs I
see his traffic going to addresses not seen in the nslookup of
outlook.office365.com. So my question: what is the range of addresses
required to permit imap to outlook.office365.com?

https://itservices.usc.edu/office365/emailclients/
LVL 2
amigan_99Network EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Vasil Michev (MVP)Commented:
The only list Microsoft publishes is here: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#bkmk_exo

It's not "just IMAP" you need anyway, at the very least you need authentication as well. Make sure to allow *all* the URLs and IP ranges listed there, unless you want to play the exclusion game on a per-entry basis.

In addition, make sure to add the EOP IP ranges as well: https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MichelangeloConsultantCommented:
One note:
To check IMAP you just need IMAP port open which is 993. Authentication is done on that port only (proxy authentication)
Find details here
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_security-mso_o365b/office-365-imap-and-pop3-authentication-flow/8f214fd6-5434-4a1f-bd2b-c414b810d0fa
IMAP/POP clients use basic authentication. For AD FS, what basic authentication have in common is that Exchange Online does the authentication with AD FS on behalf of the client, which is also known as proxy authentication.

More specifically, the client sends the Basic authentication credentials to exchange Online over SSL/TLS and Exchange Online sends the authentication credentials to Azure AD (Office 365 Identity Platform) using something called proxy authentication. Azure AD returns the respective endpoint for the on-premise AD FS for Exchange Online. Then Exchange Online contacts the on-premise AD FS server for authentication, which afterwards authenticate with Active Directory and is provided with a logon token containing the necessary user claims. Then AD FS server sends this token back to Exchange Online, which again sends it to Azure AD. Then Azure AD returns another token to Exchange Online which can be used to authenticate the client.
0
amigan_99Network EngineerAuthor Commented:
Thanks for the replies! I was mostly looking for the IP blocks. But thanks for the confirmation on the 993 port.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Palo Alto Networks

From novice to tech pro — start learning today.