Office 365 Ports and Firewall Challenges

In this article I would like to talk about the deployment of Office 365.
We can prepare, automate, customize, etc. a lot in our Microsoft Admin Portals.

Nevertheless, it happens again and again that parts of the service do not work. My experience has shown me that in more than 90% of the cases, one of these 2 points was responsible.


Firewall exceptions

During one of my last installations we deployed Microsoft 365 via autopilot. This basically worked very well. Only the office package could not be installed.

In another case, the Office applications were already installed, but could not be updated.

Both customers had one general thing in common. This was the used firewall. In this case we are talking about Sophos Astaro UTM.
I am not saying that this problem can only occur with a Sophos UTM firewalls, but in my example I am using that firewall.

The reason why Office could not be installed is that the firewall requires an exception.
Here is how this can be done:

We logged on to the Sophos Firewall.
After the successful logon we browse to:

Web Protection > Filtering Options

Here we click on

+New Exeption List…

Then we create a new exception according to the template in the picture.

Of course, individual settings can be adjusted according to the infrastructure. But I recommend using this configuration whenever possible.

The most important step is the “Target Zone”. Here we define the domains for which we want to do the excluding.

In our case we need the following value:






At the end confirm with Save, and the new exeption is ready.

This is what the created exception will look like on Sophos.

Note: Please note that this is only an example with a Sophos Astaro Firewall. Other vendors with similar issues will have similar procedures. What matters most is the information that this must be taken and what value we must use to make it work.


General Firewall Ports

Another possible reason for service problems with Office 365 can be the classic firewall ports.
I have already described the ports for Exchange and Skype for Business in more detail in a previous article.

In this part of my blog article I would like to keep it a bit more general, but you will still recognize some entries in the following list:

ADFS   (Internal)443TCPInbound/Outbound
ADFS (Proxy DMZ) or WAP Server443TCPInbound/Outbound
Microsoft Online Portal (Website)443TCPInbound/Outbound
Outlook Web Access (Website)443TCPInbound/Outbound
Lync/Skype for Business Client443TCPInbound/Outbound
SharePoint Online (Website)443TCPInbound/Outbound
Outlook for Mac443TCPInbound/Outbound
Outlook Client443TCPInbound/Outbound
Mail Routing25TCPInbound/Outbound
SMTP Relay (requires TLS)587TCPInbound/Outbound
Simple IMAP4 migration Tool143/993TCPInbound/Outbound
POP3 (requires SSL)995TCPInbound/Outbound
DirSync/Azure Active Directory Sync80/443TCPInbound/Outbound
Exchange Migration Tool80/443TCPInbound/Outbound
IMAP Migration Tool80/443TCPInbound/Outbound
Exchange Management Console80/443TCPInbound/Outbound
Exchange Management Shell80/443TCPInbound/Outbound
Lync (Data Sharing Sessions)443TCPOutbound
Lync (Video, Audio, Application Sharing)443TCPOutbound
Lync (Audio & Video)3478UDPOutbound
Lync (Audio & Video)50000-59999TCP/UDPOutbound
Lync Mobile Push iOS Only5223TCPOutbound



As mentioned at the beginning of this article, these two chapters in this article cover over 90% of the problems that occur when Office 365 installations or updates fail.
I hope this article has helped some of them.


Photo by Maud Bocquillod on Unsplash

Leave a Reply

Your email address will not be published. Required fields are marked *