Microsoft Products not signing into the new network.

Hello all, we implemented a new network that is behind a firewall.
When I newly image a machine and try to open Outlook, it fails to connect. I try OneDrive, same thing. Word and Excel can't activate.
I connect to a different WiFi (without the firewall and corporate connectivity) and they all work fine. I activate, authenticate and configure all products fine.
I switch back to corporate and they continue to work fine for hours or days, and suddenly the error happens again.
I have to switch to unprotected WiFi, open the applications (or at least one of them) and get back to the corporate network, where all will work fine again for a while.

I am thinking of the following scenarios:

1- It could be one of the many firewall rules missing on the firewall, one that is used to authenticate or check the license of MS products.
2- I expected it could be outdated WLAN drivers. I updated those, but the problem continued.

Any ideas where I should start looking?
Rajkumar Duraisamy

What version of Office products are you using?

On the protected network, are you able to access login.microsoftonline.com?

The URLs and IP addresses required for Office 365 services are listed below. The ones under Microsoft 365 Common and Office Online are required for your scenario. Ensure you have access to those IP addresses and URLs.

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
Is the assumption here that all other traffic works fine?  Such as accessing Google?

Typically firewalls do not automatically block any outbound traffic (LAN -> WAN) unless they are specifically configured to do so.  Your Microsoft products would act like an agent - putting out a request to be responded to.  Unless you've specified rules to block inbound traffic (WAN -> LAN) on specific protocols/ports entirely, it shouldn't be a problem.

Also make sure DNS is working.  Ping out to the names and IPs, to make sure you're getting resolution.
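
Added example, not part of any post in this thread: a PowerShell loop that records DNS resolution and TCP/443 reachability for Office 365 sign-in hosts at intervals, so that an intermittent block on the corporate VLAN leaves a timestamped record. The second host name, the log path and the timing values are assumptions; fill the host list from the Microsoft URL and IP list linked above.

```powershell
# Added example: periodic DNS + TCP/443 check against Office 365 hosts.
# Run it on an affected laptop while it is connected to the corporate WiFi.
$Hosts = @(
    'login.microsoftonline.com',   # named in the thread
    'outlook.office365.com'        # sample entry (assumption); extend from Microsoft's list
)
$LogPath  = Join-Path $env:TEMP 'o365-reachability.csv'   # hypothetical log location
$Interval = 300    # seconds between rounds
$Rounds   = 288    # 288 rounds x 5 minutes = 24 hours

function Test-O365Host {
    param([Parameter(Mandatory)][string]$Name)

    $result = [ordered]@{
        Time   = (Get-Date).ToString('s')   # sortable timestamp
        Name   = $Name
        Dns    = 'FAIL'
        IPs    = ''
        Tcp443 = 'SKIPPED'
    }

    # Step 1: name resolution. A failure here points at DNS, not at port rules.
    try {
        $a = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
    } catch {
        return [pscustomobject]$result
    }
    if (-not $a) { return [pscustomobject]$result }
    $result.Dns = 'OK'
    $result.IPs = ($a.IPAddress -join ' ')   # resolved IPs can be compared with the allow list

    # Step 2: outbound TCP 443 to the resolved host.
    $tcp = Test-NetConnection -ComputerName $Name -Port 443 -WarningAction SilentlyContinue
    $result.Tcp443 = if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAIL' }
    [pscustomobject]$result
}

for ($i = 0; $i -lt $Rounds; $i++) {
    $Hosts | ForEach-Object { Test-O365Host -Name $_ } |
        Export-Csv -Path $LogPath -Append -NoTypeInformation
    Start-Sleep -Seconds $Interval
}
```

Rows where Dns is OK but Tcp443 is FAIL give a time and a resolved IP to look up in the firewall logs.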
ASKER

Hello both,
Using O365, and the firewall blocks all outgoing and incoming traffic except what is permitted by rules.
I am wondering, what could it be that O365 or Outlook is doing every now and then? Could it be authenticating? If yes, I deleted the profile and recreated it, and that would've re-triggered the problem immediately (but it didn't).
Could it be trying to activate again? Maybe... How can I manually trigger the activation process to see if that is what is happening and causing the problem?
I had my doubts about reaching autodiscover, as that's what the O365 troubleshooting application I got from Microsoft marked as a warning.

And yes, everything else is fine.
Open Outlook -> File -> Office Account -> Delete the account and sign-in again with your account.
ASKER

that wouldn’t reinitiate the activation process
Do you have a proxy or web filter? It sounds like you need to whitelist Microsoft's IPs. This is with respect to allowed sites and outbound traffic. No need to open up inbound ports. Also make sure that SSL decryption isn't occurring with traffic to those domains and IPs.

Also, do you have some sort of NAC system in place like Cisco ISE? There could be something screwy there. If you have Cisco Firepower, check in there too.
ASKER

We do have a web proxy, but all O365 traffic is bypassed.
We do have a Meraki router and Meraki APs (method of connection).
Meraki supposedly has all O365 traffic whitelisted and allowed (which looks like the case) in the corporate VLAN. There is no restriction on the non-corporate VLAN and hence the problem doesn't happen there.
We are trying to know, on the corporate VLAN, which restriction is blocking this connectivity and what connectivity it is (activation? authentication? autodiscover settings, DNS, etc.?).
Nothing showed up on a packet capture.
And it is difficult to troubleshoot, as the moment we connect the laptop to any other network (including corporate with a cable instead of WiFi) the problem is resolved for hours or days, and that puts down the troubleshooting process.
Any idea how to know what Outlook was doing when it was blocked, and how to recreate whatever that is?

> We do have a web proxy, but all O365 traffic is bypassed.

Double check for safety.

> Meraki supposedly has all O365 traffic whitelisted and allowed (which looks like the case) in the corporate VLAN. There is no restriction on the non-corporate VLAN and hence the problem doesn't happen there.

Are you able to validate this? Sometimes people forget to whitelist everything that needs to be whitelisted, and those machines left out are enough to impact things.

> Nothing showed up on a packet capture.

Are you doing the capture while a machine is having issues? And is the traffic you're capturing from a machine that's having issues? You should at least see something, even if it isn't necessarily obvious to you. No signs of failed connections?

> And it is difficult to troubleshoot, as the moment we connect the laptop to any other network (including corporate with a cable instead of WiFi) the problem is resolved for hours or days, and that puts down the troubleshooting process.
> Any idea how to know what Outlook was doing when it was blocked, and how to recreate whatever that is?

You have more information than the rest of us, so that's not an easy one to guess. It may be worth even checking your conditional access policies if you have any, as well as getting Microsoft involved for troubleshooting. Packet captures are still generally likely to need to be involved, because someone will need to see what you're seeing or at least what is happening.
ASKER

masnrock,
I truly appreciate your effort, but I do understand how confusing it is. We did validate all the above, of course, but we think we did whitelist all that needs whitelisting.

This is what I am hoping to achieve here.

What is it that happens frequently that could re-trigger this problem?
I can only think of two things, not sure if you can add more.

Is it Outlook trying to check the license of Outlook? Or is it trying to authenticate the account?

And to know if it is any of the above, I need to manually trigger that action. How can I manually force Outlook to do (whatever) that frequent thing it does every few hours and cause it to fail?
Once we know what the problem is, we will troubleshoot it better and validate its settings.