How to configure Office 365 connector in a proxy-enabled environment or firewall
This article describes how the Office 365 (deprecated) and new Microsoft 365 connector works with proxy setting and what sites (URLs) does it need online access to.
Important: This article was written prior to the release of FlexNet Manager Suite 2018 R2, in which proxy support was added to FlexNet Manager Suite PowerShell adapters. With releases of FlexNet Manager Suite 2018 R2 and later, in order to utilize proxy support, use the "Proxy Settings" section of the "Create PowerShell Source Connection" FlexNet Beacon dialog to enter proxy server, username and password information. The information in this article regarding whitelisting URLs that are needed for our Microsoft connectors applies to all versions of FlexNet Manager Suite.
Office 365 (deprecated) and new Microsoft 365 connector will use the proxy configuration for whichever user is launching the ComplianceReader.exe executable.
This effectively means that whichever service user account is set for the FlexNet Beacon Engine Service in the Services Manager, the proxy configuration for that user will be used when connecting to these connectors.
If the Service is kept as using the Local System account, then the Proxy settings need to be distributed for the whole machine through Active Directory Group Policy.
Office 365 (deprecated)
For the Office 365 (deprecated) connector to be able to pull data from the Office 365 Cloud environment, the FlexNet Beacon needs access to these sites/URLs which are required by Microsoft. Please refer this Microsoft KB article (Office 365 URLs and IP address ranges) -- https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
Both FlexNet Beacon and Microsoft require access to HTTPS over TCP port 443 and HTTPS over TCP port 80.
On that page you can find under ID 56 the following URLs:
For the initial connection to O365 the beacon will require at minimum the access to the below URLs. You may also need additional URL to be open per to the Microsoft KB (Office 365 URLs and IP address ranges)
https://outlook.office365.com (Microsoft Hosted instance)
https://*.prod.outlook.com (Microsoft's Exchange Server)
https://login.windows.net (Acquires an authentication token)
https://*.YourLoginDomain.com (whatever is after the @ symbol for the user set on the Beacon to run this task)
https://*.onMicrosoft.com (If you are using a locally hosted Lync or Skype / Hybrid Office 365 environment)
https://*.online.lync.com (Access Skype for Business Usage)
http://ocsp.digicert.com, crl3.digicert.com, crl4.digicert.com, crl.microsoft.com and mscrl.microsoft.com (To access the CRL repositories needed for the Certificate Revocation Check during the SSL handshake)
For the new Microsoft 365 connector to be able to pull data from the Microsoft 365 Cloud environment, the FlexNet Beacon needs access to these sites/URLs which are required by Microsoft. Please refer this Microsoft KB article (Office 365 URLs and IP address ranges) -- https://docs.microsoft.com/en-gb/office365/enterprise/urls-and-ip-address-ranges
For the initial connection to O365, the beacon will require at minimum the access to the below URLs.
https://graph.microsoft.com (Catch-all for all that is required for the Microsoft 365 connector)
https://login.microsoftonline.com/common/oauth2 (for authentication)
To gain the full functionality of the Microsoft 365 connector the connector will require access to all the URLs and IPs contained in the following website.
The endpoints data is updated at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active.
For additional information on how Microsoft supports the updating of URLs/IPs they have published the below document.
In order to configure the proxy configuration for the Service Account, simply launch Internet Options as that user (or login to the device with that user) from Internet Explorer's Tools Menu or from the Control Panel.
Enter the Proxy Settings needed for the Beacon to be able to go online and access Office 365.
If the FlexNet Beacon Engine Service login is using the Local System account, which is the scenario by default, there are a couple of options to overcome that:
- Change the FlexNet Beacon Engine Logon As setting to use your Service Account, then use the above options to set your proxy settings. The downside is that this setting would revert to default after every Beacon upgrade.
- Have your Windows Admin set the correct Proxy Settings in the Group Policy and give access on the Proxy Server to allow the Machine to links above, which would work when using the Local System account.
As we are utilising the Microsoft O365 API we can't provide an absolute list of URLs/IPs that will be used so it is suggested to allow access for all URLs/IPs contained in the URLs in the above sections and to also automate the updating of this information using the method recommended by Microsoft.