In this article I would like to talk about the deployment of Office 365.
We can prepare, automate, customize, etc. a lot in our Microsoft Admin Portals.

Nevertheless, it happens again and again that parts of the service do not work. My experience has shown me that in more than 90% of the cases, one of these 2 points was responsible.


Firewall exceptions

During one of my last installations we deployed Microsoft 365 via autopilot. This basically worked very well. Only the office package could not be installed.

In another case, the Office applications were already installed, but could not be updated.

Both customers had one general thing in common. This was the used firewall. In this case we are talking about Sophos Astaro UTM.
I am not saying that this problem can only occur with a Sophos UTM firewalls, but in my example I am using that firewall.

The reason why Office could not be installed is that the firewall requires an exception.
Here is how this can be done:

We logged on to the Sophos Firewall.
After the successful logon we browse to:

Web Protection > Filtering Options

Here we click on

+New Exeption List…

Then we create a new exception according to the template in the picture.

Of course, individual settings can be adjusted according to the infrastructure. But I recommend using this configuration whenever possible.

The most important step is the “Target Zone”. Here we define the domains for which we want to do the excluding.

In our case we need the following value:






At the end confirm with Save, and the new exeption is ready.

This is what the created exception will look like on Sophos.

Note: Please note that this is only an example with a Sophos Astaro Firewall. Other vendors with similar issues will have similar procedures. What matters most is the information that this must be taken and what value we must use to make it work.


General Firewall Ports

Another possible reason for service problems with Office 365 can be the classic firewall ports.
I have already described the ports for Exchange and Skype for Business in more detail in a previous article.

In this part of my blog article I would like to keep it a bit more general, but you will still recognize some entries in the following list:

Server/Service Port Protocol Direction
ADFS   (Internal) 443 TCP Inbound/Outbound
ADFS (Proxy DMZ) or WAP Server 443 TCP Inbound/Outbound
Microsoft Online Portal (Website) 443 TCP Inbound/Outbound
Outlook Web Access (Website) 443 TCP Inbound/Outbound
Lync/Skype for Business Client 443 TCP Inbound/Outbound
SharePoint Online (Website) 443 TCP Inbound/Outbound
Outlook for Mac 443 TCP Inbound/Outbound
Outlook Client 443 TCP Inbound/Outbound
Mail Routing 25 TCP Inbound/Outbound
SMTP Relay (requires TLS) 587 TCP Inbound/Outbound
Simple IMAP4 migration Tool 143/993 TCP Inbound/Outbound
POP3 (requires SSL) 995 TCP Inbound/Outbound
DirSync/Azure Active Directory Sync 80/443 TCP Inbound/Outbound
Exchange Migration Tool 80/443 TCP Inbound/Outbound
IMAP Migration Tool 80/443 TCP Inbound/Outbound
Exchange Management Console 80/443 TCP Inbound/Outbound
Exchange Management Shell 80/443 TCP Inbound/Outbound
Lync (Data Sharing Sessions) 443 TCP Outbound
Lync (Video, Audio, Application Sharing) 443 TCP Outbound
Lync (Audio & Video) 3478 UDP Outbound
Lync (Audio & Video) 50000-59999 TCP/UDP Outbound
Lync Mobile Push iOS Only 5223 TCP Outbound



As mentioned at the beginning of this article, these two chapters in this article cover over 90% of the problems that occur when Office 365 installations or updates fail.
I hope this article has helped some of them.


Photo by Maud Bocquillod on Unsplash