Forum Discussion
PaulAndrew
Microsoft
Apr 02, 2018
Feedback on Office 365 IP/URL Web Services Preview
Please share your feedback or questions on the new Office 365 IP/URL Web Services preview as announced here: https://aka.ms/ipurlblog
24 Replies
- netshush (Copper Contributor)
I like the powershell method of collecting the info / changes.
It would be very helpful if the data were output to a CSV, with the option of either CIDR or IP subnet-mask format (some Cisco devices still need the latter). It would make generating the input for the CLI a bit easier.
Thanks
S
- PaulAndrew
Microsoft
Hello netshush,
You can get CSV format using the format=CSV parameter to the web service. Here's an example:
Regards,
Paul
- Ian Williams (Copper Contributor)
Paul,
I've written myself a PAC file generator which includes the URLs in the Allow and Optimize categories.
I have a question regarding "ExpressRoute" which my company does not use at present. The list of URLs in Allow and Optimize for non ExpressRoute is as follows:
Only in other endpoint sets where ExpressRoute is true do you get other URLs which need to go DIRECT e.g. in endpoint set 46:
*broadcast.officeapps.live.com
*excel.officeapps.live.com
*onenote.officeapps.live.com
*powerpoint.officeapps.live.com
*view.officeapps.live.com
*visio.officeapps.live.com
*word-edit.officeapps.live.com
*word-view.officeapps.live.com
office.live.com
Are these not required to go DIRECT when not using ExpressRoute?
The URLs are listed as to go DIRECT in the PAC file described in the Managing Office 365 endpoints web page.
Also Endpoint set 11 has IP addresses and UDP ports 3478,3479,3480,3481 which need to route DIRECT but are listed as ExpressRoute.
Can you please clarify the use of ExpressRoute in the web service? Do I need to include all Allow and Optimize endpoint sets regardless of the ExpressRoute setting?
Thanks
- PaulAndrew
Microsoft
Hi Ian,
First, we are planning to create a supported PAC file generator that uses the web services. Probably within the next month.
Next, the ExpressRoute flag indicates that the endpoint is supported over ExpressRoute for Office 365 approved ExpressRoute customers. For Endpoint sets with IP Addresses this literally means we advertise routes to those over ExpressRoute route prefixes. For Endpoint sets with URLs it still means the URL is supported when routed over ExpressRoute. It also means that the IP Address resolved from a DNS lookup of the URL will be routed over ExpressRoute. But it does not mean that if a URL Endpoint set has ExpressRoute as false that the IP Address resolved from the DNS will not be routed over ExpressRoute.
The choice of a PAC file selecting DIRECT or a Proxy Server is complicated when you have ExpressRoute. For non-ExpressRoute you would ideally route all Optimize and Allow network traffic bypassing a proxy server and this would typically be using DIRECT, with a firewall on the perimeter that passes Optimize and Allow traffic. If you have ExpressRoute for Office 365 you would need to ensure that this traffic goes to the ExpressRoute circuit, and you'll need to restrict the PAC file to only ExpressRoute supported Optimize and Allow endpoints. We're looking at improving the alignment of Optimize and Allow with ExpressRoute.
The UDP traffic you mentioned needs to bypass proxy servers. It can be routed over ExpressRoute if you have that for Office 365 or it can be routed direct to the Internet.
You should not send Allow network traffic to an ExpressRoute circuit where it is listed as ExpressRoute is false.
Regards,
Paul
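An added example (not the original page's or Microsoft's code) covering two points raised above: netshush's wish for subnet-mask rather than CIDR output, and Paul's guidance that a PAC file should send Optimize/Allow traffic DIRECT, restricted to ExpressRoute-flagged sets only for ExpressRoute customers. The record layout, hostnames and ranges are constructed placeholders modelled on the web service, not real data.

```python
import ipaddress
import json

# Constructed sample endpoint sets in the shape the thread discusses (serviceArea,
# category, expressRoute flag, urls/ips, ports). Field names are an assumption
# modelled on the web service; hosts and ranges are placeholders, not Microsoft's.
SAMPLE_ENDPOINTS = json.loads("""[
 {"id": 1,  "serviceArea": "Exchange", "category": "Optimize", "expressRoute": true,
  "urls": ["outlook.example.invalid"], "ips": ["192.0.2.0/24", "2001:db8:1::/48"],
  "tcpPorts": "80,443"},
 {"id": 11, "serviceArea": "Skype", "category": "Optimize", "expressRoute": true,
  "ips": ["198.51.100.0/25"], "udpPorts": "3478,3479,3480,3481"},
 {"id": 46, "serviceArea": "Common", "category": "Allow", "expressRoute": true,
  "urls": ["*.officeapps.example.invalid", "office.example.invalid"], "tcpPorts": "443"},
 {"id": 50, "serviceArea": "Common", "category": "Allow", "expressRoute": false,
  "urls": ["cdn.example.invalid"], "tcpPorts": "443"},
 {"id": 77, "serviceArea": "Common", "category": "Default", "expressRoute": false,
  "urls": ["*.example.invalid"], "tcpPorts": "443"}
]""")
BYPASS_CATEGORIES = {"Optimize", "Allow"}


def select_bypass(endpoints, express_route_customer):
    """Endpoint sets that go DIRECT: every Optimize/Allow set without ExpressRoute;
    only Optimize/Allow sets flagged expressRoute=true when you have ExpressRoute."""
    chosen = [e for e in endpoints if e.get("category") in BYPASS_CATEGORIES]
    if express_route_customer:
        chosen = [e for e in chosen if e.get("expressRoute") is True]
    return chosen


def to_netmask(cidr):
    """CIDR -> (network, dotted mask) for IPv4, as PAC isInNet() and some Cisco CLIs
    want; IPv6 has no dotted mask, so it is returned as (cidr, None)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 6:
        return (str(net), None)
    return (str(net.network_address), str(net.netmask))


def build_pac(endpoints, express_route_customer, proxy="PROXY proxy.example.invalid:8080"):
    """Render a minimal PAC: DIRECT for the selected sets, everything else via proxy."""
    out = ["function FindProxyForURL(url, host) {"]
    for e in select_bypass(endpoints, express_route_customer):
        for pattern in e.get("urls", []):
            out.append('  if (shExpMatch(host, "%s")) return "DIRECT"; // set %d' % (pattern, e["id"]))
        for cidr in e.get("ips", []):
            addr, mask = to_netmask(cidr)
            if mask:  # classic isInNet() is IPv4-only; IPv6 ranges belong on the firewall
                out.append('  if (isInNet(dnsResolve(host), "%s", "%s")) return "DIRECT"; // set %d' % (addr, mask, e["id"]))
    out.append('  return "%s";' % proxy)
    out.append("}")
    return "\n".join(out)
```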
- Kyounghwan Lee (Copper Contributor)
We have previously asked the Microsoft Premier Support team in Japan to confirm the new Web service, however we couldn't receive support because the new Web service is in preview now.
They informed us that this page is possible to accept questions or feedback.
Therefore, we got to post some questions here.
First of all, will you stop publishing the current HTML, XML, and RSS format of data as scheduled on October 2nd?
If the current HTML, XML, and RSS format of data will be stopped as scheduled on October 2nd, it is difficult to respond to the new Web service currently because the published information is so insufficient. Could you please answer the questions below?
--------------------------------------------------
1. About service area
--------------------------------------------------
a. XML file (Current method)
<Available over Internet & ExpressRoute circuits>:
shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | OneNote | Dynamics CRM IP | Dynamics CRM URI | Power BI
<Available over Internet circuits only>:
Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow
b. Web service (New method)
The service area that this is part of: Common, Exchange, SharePoint, Skype.
*Question
There is something we would like to confirm.
For example:
-The new Web service “Exchange” contains “Exchange Online, Exchange Online Protection” of current item.
-The new Web service “Skype” contains “Skype for Business Online” of current item.
-The new Web service “SharePoint” contains “SharePoint Online and OneDrive” of current item.
-The new Web service “Common” contains the other items.
How each service area of the current items will be applied in the service areas of the new items, please inform us in more detail.
--------------------------------------------------
2. About the effect of three categories (Optimize, Allow, and Default)
--------------------------------------------------
We are aware that the current XML File and the tables with Office 365 URLs and IP address range in the HTML page will be replaced with the new Web service.
a. XML file
https://support.content.office.net/en-us/static/O365IPAddresses.xml
b. Web service
https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a...
This URL of the new Web service is posted in the [Web service] - [For the data on the Office 365 URLs and IP address ranges page for firewalls and proxy servers] section.
https://support.office.com/en-us/article/99cab9d4-ef59-4207-9f2b-3728eb46bf9a
There are three categories (Optimize, Allow, and Default) in a file downloaded from the above new Web service URL.
However, we can't find the three categories (Optimize, Allow, and Default) in the current XML file.
*Question
At present, we have allowed all the Office 365 URLs and IP address ranges provided by the current XML file on the firewalls/proxy servers.
When the current XML file is replaced with the new Web service in future, do we need to change something in the allow settings of the firewalls/proxy servers regarding the three categories (Optimize, Allow, and Default)?
Otherwise, in the same way as now, would it be OK for firewalls/proxy servers to allow all Office 365 URLs and IP address ranges in the new Web service without regard for the three categories (Optimize, Allow, and Default)?
- PaulAndrew
Microsoft
Kyounghwan Lee here are answers to your questions:
>> First of all, will you stop publishing the current HTML, XML, and RSS format of
>> data as scheduled on October 2nd?
Yes.
>> How each service area of the current items will be applied in the service areas
>> of the new items, please inform us in more detail.
This reduction in the service areas is intended to simplify network connectivity work required for Office 365. It also avoids support issues related to unpublished dependencies between services.
Old XML Product    New JSON ServiceArea
WAC                Common
Sway               Common
Planner            Common
ProPlus            Common
Ex-Fed             Deprecated
Yammer             Common
Teams              Skype
OfficeiPad         Common
OfficeMobile       Common
RCA                Deprecated
OneNote            Common
EXO                Exchange
SPO                SharePoint
Office365Video     Common
LYO                Skype
Identity           Common
CRLs               Common
o365               Common
EOP                Exchange
>> When the current XML file is replaced with the new Web service in future,
>> do we need to change something in the allow settings of the firewalls/proxy servers
>> regarding the three categories (Optimize, Allow, and Default)?
The only change that you are required to do is to start taking changes from the web services instead of from the XML/RSS published data. All future changes to Office 365 network endpoints will be advertised through the web services.
>> Otherwise, in the same way as now, would it be OK for firewalls/proxy servers
>> to allow all Office 365 URLs and IP address ranges in the new Web service without
>> regard for the three categories (Optimize, Allow, and Default)?
The new categories make firewall, proxy server, and other network perimeter device configuration simpler. In particular, the default category can be directed to the default Internet egress location with any other employee web browser traffic. However, you can simply permit connectivity and bypass for all Office 365 network traffic and disregard the categories. Please review details of the new categories at http://aka.ms/pnc
Regards,
Paul
- Kyounghwan Lee (Copper Contributor)
I really appreciate all the advice you gave me on how to move to the new Web service.
>> The only change that you are required to do is to start taking changes from the
>> web services instead of from the XML/RSS published data.
Simply, I understand that the XML/RSS data that has been published so far will be switched to the new Web service.
I understand that I can permit connectivity and bypass for all Office 365 network traffic and disregard the categories (Optimize, Allow, and Default).
As for the factors you pointed out, we will certainly correspond them when we update the next new Web service.
Regards,
Kyounghwan Lee
- Ian Williams (Copper Contributor)
In the Changes Web Method we need an EffectiveDate for the "remove" structure.
We need to see what will be removed in the future. The "add" structure includes this.
- PaulAndrew
Microsoft
Ian Williams wrote:
In the Changes Web Method we need an EffectiveDate for the "remove" structure.
We need to see what will be removed in the future. The "add" structure includes this.
Hi Ian, we don't publish items to remove in the future because of the risk of customers removing firewall entries while the servers are still live. Instead we only publish endpoints to remove after the endpoint no longer has live service on it. Hence no future date is required.
Regards, Paul
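An added example (not the page's or Microsoft's code) of consuming the /changes add/remove structures as Ian and Paul describe them: "add" entries carry an effectiveDate and may be scheduled for later, "remove" entries have no date because the endpoint is already out of service, so they apply at once. The endpointSetId field, the YYYYMMDD date form and all values are assumptions/placeholders; the validation step is added so a malformed entry is never pushed to a perimeter device.

```python
import ipaddress
import json
import re

from datetime import date

# Constructed sample of /changes records: "add" carries an effectiveDate, "remove"
# does not, as described above. endpointSetId and every value are assumptions.
SAMPLE_CHANGES = json.loads("""[
 {"id": 101, "endpointSetId": 46,
  "add": {"effectiveDate": "20180501", "urls": ["new.officeapps.example.invalid"]}},
 {"id": 102, "endpointSetId": 11, "remove": {"ips": ["203.0.113.0/24"]}},
 {"id": 103, "endpointSetId": 99, "remove": {"urls": ["old.example.invalid"]},
  "add": {"effectiveDate": "20180301", "ips": ["198.51.100.128/25"]}},
 {"id": 104, "endpointSetId": 99,
  "add": {"effectiveDate": "2018-13-01", "ips": ["not-an-ip"]}}
]""")
HOST_RE = re.compile(r"^\*?[A-Za-z0-9.-]+$")  # hostname or leading-wildcard pattern


def parse_effective(value):
    """effectiveDate is assumed to be YYYYMMDD; None when missing or malformed."""
    try:
        return date(int(value[0:4]), int(value[4:6]), int(value[6:8]))
    except (TypeError, ValueError):
        return None


def well_formed(value):
    """Accept only an IP network or a plausible hostname pattern; reject anything else."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return bool(HOST_RE.match(value)) and "." in value


def triage(changes, today):
    """Split changes into (apply_now, scheduled, rejected) rows of
    (action, endpointSetId, value, effective); today is a YYYYMMDD string."""
    today = parse_effective(today)
    now, later, rejected = [], [], []
    for ch in changes:
        rem = ch.get("remove", {})
        for v in rem.get("ips", []) + rem.get("urls", []):
            # removals are published only after the endpoint is dead: apply now
            (now if well_formed(v) else rejected).append(("remove", ch["endpointSetId"], v, None))
        add = ch.get("add", {})
        eff = parse_effective(add.get("effectiveDate"))
        for v in add.get("ips", []) + add.get("urls", []):
            if eff is None or not well_formed(v):
                rejected.append(("add", ch["endpointSetId"], v, add.get("effectiveDate")))
            else:
                (now if eff <= today else later).append(("add", ch["endpointSetId"], v, eff.isoformat()))
    return now, later, rejected
```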
- Thom McKiernan (Copper Contributor)
This looks great. Will it cater for Next Generation Layer 7 firewalls (like from PaloAlto)? They tend to use App IDs rather than just listing URLs.
Also, how safe is it to use this service, considering it is in preview? Is there any intended date yet for when it will "go live"?
- PaulAndrew
Microsoft
Thom McKiernan we're talking with most of the top firewall vendors about this. In preview, the data is accurate, but we don't recommend using it in production. GA is a little bit away and we'll release as soon as we can.
- Sebastien Person (Copper Contributor)
+ any swagger contract around for your REST API?
- PaulAndrew
Microsoft
Sebastien Person we don't have swagger docs. Our docs are here. Also, thanks for the interest in PAC files. They're not yet available.
- Sebastien Person (Copper Contributor)
Waiting for the *SOON* to be released PAC generator :D. Any beta link or program for it?
- Luigi Mori (Copper Contributor)
Hi Paul,
This is a great initiative! Is there a programmatic way to tell whether the IPs/URLs of a record belong to Microsoft or to a 3rd-party app (Facebook, ...)?
This information seems to be included in the optionalImpact field, but it is only human readable.
- PaulAndrew
Microsoft
Hi Luigi, this isn't possible in the preview. Can you tell me what you want to do with information that would indicate that an endpoint is hosted by Microsoft or a third party? Note that there are some third party hosted endpoints which are required such as a public content delivery network.
- Luigi Mori (Copper Contributor)
Some security administrators would like to enable only the URLs/IPs that are strictly necessary to access the O365 services and have a good O365 experience. They don't want to enable 3rd-party integrations. It would be nice if there were a programmatic way to identify these integrations and filter them.
- Xavier Barros (Copper Contributor)
*allowing us to see at a glance what is going to happen*
- Xavier Barros (Copper Contributor)
Please keep the RSS feed alive. It makes things easier when humans are involved in the process. I understand how great the Web service is for automation, but there is no way we are going to relinquish human control over this, and the RSS feed is key in allowing us to see at a glance what is going to happen.
- PaulAndrew
Microsoft
Hi Xavier, we're planning a couple of simple scripts that format the /changes web method output for human review. How, and with what tools, do you do that with the RSS today?
- Xavier Barros (Copper Contributor)
We use a set of Python scripts to compare data between sources (XML page, web page, our own .pac files), and also rely on the RSS feed for a quick overview of what was changed. The thing is, the RSS gets delivered directly to my Outlook inbox, and as such acts as a reminder to everyone.
I had a look at the scripts provided, especially the Python one, and while it is rather clear, I still have not figured out why we do not get the ports in the output... Need to spend more time on this.