OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: flexi.man on October 06, 2020, 10:17:20 am

Title: Simple way for Exchange Online - Office 365 firewall rules (IP and URL)
Post by: flexi.man on October 06, 2020, 10:17:20 am
Hi

For an Exchange and Office 365 migration, I need to open from LAN to the unbelievable URL and IP list from Microsoft.
https://docs.microsoft.com/fr-fr/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

Is there an easy way to make these rules on OPNsense? Microsoft shares a JSON list, but I don't know if it is possible to import it on OPNsense.

If you have already succeeded with these rules without spending hours on config, I'll take the tips.

Thanks


Title: Re: Simple way for Exchange Online - Office 365 firewall rules (IP and URL)
Post by: bartjsmit on October 06, 2020, 12:16:27 pm
Those are mostly outbound connections, aren't they? Do you intend to restrict your users to them?

Bart...

Title: Re: Simple way for Exchange Online - Office 365 firewall rules (IP and URL)
Post by: flexi.man on October 06, 2020, 01:23:11 pm
Yes (outbound connections only), it is to bypass our proxy (Debian Squid on DMZ) for the Office 365 IPs and URLs, for maximum efficiency and to keep working if the proxy fails.

Title: Re: Simple way for Exchange Online - Office 365 firewall rules (IP and URL)
Post by: bartjsmit on October 06, 2020, 02:03:51 pm
There are some pretty wide ranges in there  :o

To get back to your question - yes, OPNsense is capable of setting an alias by API and these can be used in firewall rules. I wouldn't class the JSON to API logic as easy though. At least it is more future-proof and less error-prone than doing it by hand.

Bart...

Title: Re: Simple way for Exchange Online - Office 365 firewall rules (IP and URL)
Post by: Fright on October 07, 2020, 10:59:21 am
You can modify the script from
https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide
to get list like:
#Office 365 IP and UL Web Service data
#Worldwide instance
#
#Version: 2020092900
#
#IPv4 Firewall IP Address Ranges
#
#IPv6 Firewall IP Address Ranges
#
#URLs for Proxy Server
Title: Re: Simple way for Exchange Online - Office 365 firewall rules (IP and URL)
Post by: flexi.man on October 07, 2020, 03:14:36 pm
Thanks
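
Added example, not part of the thread and not Microsoft's script: one way to turn the endpoint JSON discussed above into per-family network lists for firewall aliases, limited to the service area and categories that should bypass the proxy. The sample data is constructed in the shape of the Microsoft 365 endpoints web service; the function name `build_alias_lists` and the /14 review threshold are assumptions chosen for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of the endpoints web service response
# (not live data); one entry carries a deliberately broken CIDR.
SAMPLE = json.loads("""[
 {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
  "urls": ["outlook.office.com", "outlook.office365.com"],
  "ips": ["13.107.6.152/31", "40.96.0.0/13", "2603:1006::/40"]},
 {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": true,
  "urls": ["*.protection.outlook.com"], "ips": ["40.92.0.0/15", "not-a-cidr"]},
 {"id": 3, "serviceArea": "Common", "category": "Default", "required": false,
  "urls": ["*.example.invalid"]}
]""")

def build_alias_lists(endpoints, areas=("Exchange",),
                      categories=("Optimize", "Allow"), widest_v4=14):
    """Return alias contents plus a list of items that need human review."""
    v4, v6, hosts, review = set(), set(), set(), []
    for ep in endpoints:
        if ep.get("serviceArea") not in areas or ep.get("category") not in categories:
            continue  # everything else keeps going through the proxy
        for raw in ep.get("ips", []):
            try:
                net = ipaddress.ip_network(raw, strict=True)
            except ValueError:
                review.append((ep["id"], raw, "invalid CIDR"))
                continue
            if net.version == 4 and net.prefixlen < widest_v4:
                # Kept in the list, but reported so someone signs off on it.
                review.append((ep["id"], raw, "wider than /%d" % widest_v4))
            (v4 if net.version == 4 else v6).add(net)
        for url in ep.get("urls", []):
            if "*" in url:
                # A packet filter cannot match a wildcard name.
                review.append((ep["id"], url, "wildcard, proxy/PAC only"))
            else:
                hosts.add(url.lower())
    return {"v4": [str(n) for n in sorted(v4)], "v6": [str(n) for n in sorted(v6)],
            "hosts": sorted(hosts), "review": review}

if __name__ == "__main__":
    result = build_alias_lists(SAMPLE)
    for key in ("v4", "v6", "hosts"):
        print("# %s\n%s" % (key, "\n".join(result[key])))
    for item in result["review"]:
        print("# REVIEW id=%s %s (%s)" % item)
```

The `v4` and `v6` lists are plain text, one network per line, so they can be pasted into an alias or served as a file; the `review` entries are what an administrator should check before the rule goes live.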