Teams Survivable Branch Appliance firewall ports to Microsoft 365

Copper Contributor

Looking for information on the specific MSFT 365 ranges that a Teams Survivable Branch Appliance requires access to.

The planning guide, Direct Routing SBA - Microsoft Teams | Microsoft Docs, details that tcp/443 is used by Microsoft SBA Server to communicate with Microsoft 365 and should be allowed on the firewall.

Customer does not allow unfiltered access to the internet from the server on tcp/443 - can anyone help with the specific service tags that a Teams SBA requires access to ?

3 Replies
Hi, far from an expert on this particular topic, but two things jump out at me to check first:

1). On your customers web filtering device, have they tried putting in an exclusion for port 443 against the IP ranges for Teams as per - https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world...

2). Have they fulfilled all the required pre-requisites detailed in the URL you provided - https://docs.microsoft.com/en-us/microsoftteams/direct-routing-survivable-branch-appliance#prerequis...

@PeterRising Thanks for the reply Peter.

 

The customer in question does not allow servers default access to the internet as rule.  Access is allowed based on application to specific IP / IP ranges.

I have not yet attempted to add the IP ranges referenced in point 1 (mostly the two 52.x.x.x /14 ranges) as I suspect that the SBA is specifically talking to Azure AD given that you have to created the application instance for the SBAs

The MSFT documentation you reference in your second point is rather vague as it mentions

  • Port 443 is used by Microsoft SBA Server to communicate with Microsoft 365 and should be allowed on the firewall.

  • Azure IP Ranges and Service Tags for the Public Cloud should be defined according to the guidelines described at: https://www.microsoft.com/download/details.aspx?id=56519

    Which is still vague and does provide me with the specifics required for this customer.
Hey Gavin, sorry I could not offer any more helpful guidance on this. Please will you post again here should you find a satisfactory solution so it can benefit others in the community? Thank you.