The Way Things Were – EOP IP Ranges October 2018

When discussing network configuration for Office 365, there will be a series of issues and challenges that need to be addressed.  Ideally this is all done in a proactive manner, with the final items addressed in the POC phase.

One of the cornerstone issues is around how access to and from Office 365 will be managed.  This has to address end user access from workstations and publishing your on-premises infrastructure to the Internet.  Specifically for this post, the discussion is around how Exchange Online Protection (EOP) connects to on-premises Exchange for SMTP.

If we look at the current Office 365 URLs and IP address ranges article, there are a couple of things to point out.  This article is focused on end user access from their workstation or device.  You need to ensure that you are looking at the correct flavour of Office 365.  Typically this is WW commercial, but if you manage a sovereign cloud instance or a US federal instance, please ensure you refer to the correct article.

There is also the Other endpoints article, which is meant to facilitate the network discussion of hybrid services such as Exchange and SharePoint.  It is not 100% complete, hence the point about facilitating the discussion for your hybrid servers.

On this point, back to EOP and the IP ranges that it uses.

Current EOP IP Ranges

The EOP SMTP endpoints have been included in the main Office 365 URLs and IP addresses article for some time now.  You can see them under the Exchange Online section; at the time of writing they are ID 10.

EOP IP Ranges In Current Documentation

These are pretty large netblocks; note the /14, /15, /16 and /17 ranges for the IPv4 space.

That is roughly 490,000 IP addresses.  It sounds a lot, but remember this is WW commercial so that has to scale for a few million mailboxes and allow for HA and DR.

From a firewall admin’s perspective, it’s a simple rule as there are only those 4 CIDR ranges to add to include all the WW commercial EOP addresses.
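The following is an added example, not part of the original post: a short Python audit that counts the addresses opened by four ranges of those prefix lengths and classifies the entries of an existing firewall allowlist against them. All ranges and function names are constructed stand-ins taken from private address space; substitute the ranges published in the current article.

```python
import ipaddress

# Constructed stand-ins with the same prefix lengths as the four IPv4 ranges
# (/14, /15, /16, /17). These are NOT the real EOP ranges.
CURRENT_RANGES = ["10.0.0.0/14", "10.8.0.0/15", "10.16.0.0/16", "10.32.0.0/17"]

# Constructed example of entries left in an older firewall object group.
LEGACY_ALLOWLIST = [
    "10.1.12.0/24",    # inside the /14
    "10.9.128.0/19",   # inside the /15
    "10.32.128.0/24",  # just past the end of the /17
    "10.32.0.0/16",    # wider than the /17, so only partly published
    "172.16.5.0/25",   # unrelated to any current range
]

def parse(cidrs):
    """Parse strictly, so an entry with host bits set raises ValueError."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def total_addresses(cidrs):
    """Count addresses after merging overlapping or adjacent ranges."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(parse(cidrs)))

def audit(legacy, current):
    """Label each legacy entry: covered, partial (wider than published), or stale."""
    current_nets = parse(current)
    report = {}
    for entry, net in zip(legacy, parse(legacy)):
        if any(net.subnet_of(c) for c in current_nets):
            report[entry] = "covered"   # redundant once the current ranges are in place
        elif any(net.overlaps(c) for c in current_nets):
            report[entry] = "partial"   # allows more than the published range
        else:
            report[entry] = "stale"     # no longer published; candidate for removal
    return report

def source_allowed(ip, current):
    """True if a connecting SMTP source address falls inside a current range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse(current))

if __name__ == "__main__":
    print("addresses allowed:", total_addresses(CURRENT_RANGES))
    for entry, status in audit(LEGACY_ALLOWLIST, CURRENT_RANGES).items():
        print(f"{entry:18} {status}")
```

Entries reported as stale or partial allow inbound SMTP from space outside the current ranges, so they are the ones to review first.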

Previous EOP IP Ranges - 2018

Compare this to before October 2018, where the list of EOP IPs that had to be allowed was much larger.  In those days there was a unique page for the EOP addresses:

https://docs.microsoft.com/en-us/office365/SecurityCompliance/eop/exchange-online-protection-ip-addresses

While that page is no longer with us, we can use the Wayback Machine to set the time circuits to 2018.  The below is a drive-by scroll through the old IPs; note that there were considerably more…

EOP IP Ranges From 2018

If you want a high resolution of the above, click here.

Previous EOP IP Ranges 2015

For even older iterations of the EOP IP documentation, there used to be another separate page on TechNet.  Remember TechNet???

https://technet.microsoft.com/library/dn163583(v=exchg.150).aspx

Link to Wayback When.

Note that there were 31 separate IPv4 ranges.

EOP IP Ranges From 2016

And two IPv6 ranges:

EOP IP Ranges From 2016 - IPv6

Previous EOP IP Ranges – 2014

Jumping back to when Exchange 2010 servers still walked the Earth…

Link to Wayback When.

EOP IP Ranges From 2014

And a single IPv6 range:

EOP IP Ranges From 2014 - IPv6

Cheers,

Rhoderick

Rhoderick Milne [MSFT]
