How to configure the Microsoft and Office 365 connectors to connect to the Internet through a proxy or firewall
Summary
This article covers the following for the Microsoft 365 and Office 365 (deprecated) FlexNet Manager Suite connectors:
- How to configure proxy details that are used to connect to the Internet.
- What Internet sites (URLs) the connectors must be able to access.
Configuring proxy server details
For FlexNet Manager Suite 2018 R2 (13.1.x) and newer beacon versions:
Use the Proxy Settings section in the Create PowerShell Source Connection FlexNet Beacon dialog to enter proxy server, username and password information.
For FlexNet Manager Suite 2018 R1 (13.0.x) and earlier beacon versions:
The Microsoft 365 and Office 365 (deprecated) connectors use the proxy configuration of whichever user account runs the ComplianceReader.exe process that connects to the Microsoft or Office 365 APIs.
This process is commonly executed by the service account used for the FlexNet Beacon Engine Windows service. The proxy details configured in the Windows profile for that user will be used when connecting to these connectors.
Proxy settings may be set for all users through Active Directory Group Policy or another similar mechanism. This would typically be required if the service is configured to run as the Local System account (the default) or a non-interactive named account.
If the service is configured to run as an interactive named account, proxy details may also be configured interactively. Launch Internet Options as that user from Internet Explorer's Tools menu or from the Control Panel, and enter the proxy settings needed to go online and access Microsoft or Office 365 APIs.
Additional information: Running the Beacon Engine Service using a named user account
The FlexNet Beacon Engine service is configured to run as the Local System account by default. This can be changed to run as a named user account with local administrator rights on the beacon. Be aware that this configuration will likely be lost and need to be manually reapplied whenever the beacon component is upgraded or reinstalled.
Internet URLs accessed by the connectors
The following Microsoft article details URLs and IP address ranges used by APIs that the connector uses to retrieve data from the Microsoft 365 and Office 365 Cloud environment: Office 365 URLs and IP address ranges
Also be aware of the following practice described in the Microsoft article:
Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This allows for customers who do not yet have automated updates to complete their processes before new connectivity is required.
While the information in that article should be considered definitive, some key URLs that may be used during connector operations are summarized below.
Microsoft 365 connector
The beacon requires, at minimum, access to the URLs below for the initial connection to Microsoft 365:
- https://graph.microsoft.com (Catch-all for all that is required for the Microsoft 365 connector)
- https://login.microsoftonline.com/common/oauth2 (for authentication)
To gain the full functionality of the Microsoft 365 connector, the connector will require access to all the URLs and IPs contained in the following website.
Office 365 (deprecated) connector
The beacon requires, at minimum, access to the URLs below for the initial connection to Office 365:
- https://outlook.office365.com (Microsoft Hosted instance)
- https://*.prod.outlook.com (Microsoft's Exchange Server)
- https://login.windows.net (Acquires an authentication token)
- https://*.YourLoginDomain.com (whatever is after the @ symbol for the user set on the Beacon to run this task)
- https://*.onMicrosoft.com (If you are using a locally hosted Lync or Skype / Hybrid Office 365 environment)
- https://*.online.lync.com (Access Skype for Business Usage)
- http://ocsp.digicert.com, crl3.digicert.com, crl4.digicert.com, crl.microsoft.com and mscrl.microsoft.com (To access the CRL repositories needed for the Certificate Revocation Check during the SSL handshake)
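
A connectivity check for the setup described above, as an added example that is not part of the original article or of FlexNet Manager Suite: run as the account that runs the beacon service, it reports which proxy that account's Windows profile resolves for each non-wildcard URL listed in this article and whether an HTTP answer comes back. The function name Test-ConnectorEndpoint is hypothetical, Windows PowerShell 5.1 is assumed, and it is an assumption that .NET's system proxy lookup matches what ComplianceReader.exe uses.

```powershell
# Added example. Run in a session of the account that runs the FlexNet Beacon Engine service.
# URLs are the non-wildcard entries listed in this article; wildcard entries cannot be probed.
$endpoints = @(
    'https://graph.microsoft.com',
    'https://login.microsoftonline.com/common/oauth2',
    'https://outlook.office365.com',
    'https://login.windows.net'
)
# Windows PowerShell 5.1 may default to older TLS versions; request TLS 1.2 explicitly.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Proxy settings of the current user's Windows profile (Internet Options).
$systemProxy = [System.Net.WebRequest]::GetSystemWebProxy()

function Test-ConnectorEndpoint {   # hypothetical helper name
    param([Parameter(Mandatory)][uri]$Uri, [int]$TimeoutSec = 15)

    $proxyUri = $null
    if (-not $systemProxy.IsBypassed($Uri)) { $proxyUri = $systemProxy.GetProxy($Uri) }

    $request = @{
        Uri             = $Uri
        Method          = 'Head'
        UseBasicParsing = $true
        TimeoutSec      = $TimeoutSec
        ErrorAction     = 'Stop'
    }
    if ($proxyUri) { $request.Proxy = $proxyUri; $request.ProxyUseDefaultCredentials = $true }

    $status = $null; $detail = $null
    try {
        $status = [int](Invoke-WebRequest @request).StatusCode
    } catch {
        # An HTTP error status still shows that the proxy or the service answered.
        $response = $_.Exception.Response
        if ($response) { $status = [int]$response.StatusCode } else { $detail = $_.Exception.Message }
    }
    # 407 comes from the proxy; a 403 may come from a filtering proxy or from the service itself.
    $result = if ($status -eq 407) { 'ProxyAuthRequired' } elseif ($status) { 'Answered' } else { 'NoResponse' }

    [pscustomobject]@{
        Endpoint = $Uri.AbsoluteUri
        Proxy    = if ($proxyUri) { $proxyUri.AbsoluteUri } else { 'direct' }
        Result   = $result
        Status   = $status
        Detail   = $detail
    }
}

$endpoints | ForEach-Object { Test-ConnectorEndpoint -Uri $_ } | Format-Table -AutoSize
```

A NoResponse row with a direct proxy value usually means the account's profile has no proxy configured, which is the case the Group Policy approach above addresses for Local System and non-interactive accounts.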