In this article I would like to talk about the deployment of Office 365.
We can prepare, automate, customize, etc. a lot in our Microsoft Admin Portals.
Nevertheless, it happens again and again that parts of the service do not work. My experience has shown me that in more than 90% of the cases, one of these 2 points was responsible.
Firewall exceptions
During one of my last installations we deployed Microsoft 365 via autopilot. This basically worked very well. Only the office package could not be installed.
In another case, the Office applications were already installed, but could not be updated.
Both customers had one general thing in common. This was the used firewall. In this case we are talking about Sophos Astaro UTM.
I am not saying that this problem can only occur with a Sophos UTM firewalls, but in my example I am using that firewall.
The reason why Office could not be installed is that the firewall requires an exception.
Here is how this can be done:
 |
We logged on to the Sophos Firewall. |
 |
After the successful logon we browse to:
Web Protection > Filtering Options |
 |
Here we click on
+New Exeption List… |
 |
Then we create a new exception according to the template in the picture.
Of course, individual settings can be adjusted according to the infrastructure. But I recommend using this configuration whenever possible. The most important step is the “Target Zone”. Here we define the domains for which we want to do the excluding. In our case we need the following value:
^https?://([A-Za-z0-9.-]*\.)?officecdn\.microsoft\.com\.edgesuite\.net/
At the end confirm with Save, and the new exeption is ready. |
 |
This is what the created exception will look like on Sophos. |
Note: Please note that this is only an example with a Sophos Astaro Firewall. Other vendors with similar issues will have similar procedures. What matters most is the information that this must be taken and what value we must use to make it work.
General Firewall Ports
Another possible reason for service problems with Office 365 can be the classic firewall ports.
I have already described the ports for Exchange and Skype for Business in more detail in a previous article.
In this part of my blog article I would like to keep it a bit more general, but you will still recognize some entries in the following list:
| Server/Service | Port | Protocol | Direction |
| ADFS (Internal) | 443 | TCP | Inbound/Outbound |
| ADFS (Proxy DMZ) or WAP Server | 443 | TCP | Inbound/Outbound |
| Microsoft Online Portal (Website) | 443 | TCP | Inbound/Outbound |
| Outlook Web Access (Website) | 443 | TCP | Inbound/Outbound |
| Lync/Skype for Business Client | 443 | TCP | Inbound/Outbound |
| SharePoint Online (Website) | 443 | TCP | Inbound/Outbound |
| Outlook for Mac | 443 | TCP | Inbound/Outbound |
| Outlook Client | 443 | TCP | Inbound/Outbound |
| Mail Routing | 25 | TCP | Inbound/Outbound |
| SMTP Relay (requires TLS) | 587 | TCP | Inbound/Outbound |
| Simple IMAP4 migration Tool | 143/993 | TCP | Inbound/Outbound |
| POP3 (requires SSL) | 995 | TCP | Inbound/Outbound |
| DirSync/Azure Active Directory Sync | 80/443 | TCP | Inbound/Outbound |
| Exchange Migration Tool | 80/443 | TCP | Inbound/Outbound |
| IMAP Migration Tool | 80/443 | TCP | Inbound/Outbound |
| Exchange Management Console | 80/443 | TCP | Inbound/Outbound |
| Exchange Management Shell | 80/443 | TCP | Inbound/Outbound |
| Lync (Data Sharing Sessions) | 443 | TCP | Outbound |
| Lync (Video, Audio, Application Sharing) | 443 | TCP | Outbound |
| Lync (Audio & Video) | 3478 | UDP | Outbound |
| Lync (Audio & Video) | 50000-59999 | TCP/UDP | Outbound |
| Lync Mobile Push iOS Only | 5223 | TCP | Outbound |
Conclution
As mentioned at the beginning of this article, these two chapters in this article cover over 90% of the problems that occur when Office 365 installations or updates fail.
I hope this article has helped some of them.
Photo by Maud Bocquillod on Unsplash