Microsoft Teams which ports

Anyone know how to get the dreaded Microsoft Teams allowed through IPFire without compromising security?

Hi,

Anyone know how to get the dreaded Microsoft Teams allowed through IPFire.

Let me google that for you:

[…] without compromising security?

Well, looking at the ports and IP networks MS Teams requires: No.

Honestly, the link above lists a /14 to be allowed, which covers 262,144 single IPv4 addresses. Speaking of security, a vendor forcing you to permit traffic to a network that big is naive.

At least for microsoft.com and msn.com, Microsoft is not even able to keep track of their subdomains, allowing them to be hijacked for malicious purposes:

In my opinion, Microsoft products are intrinsically insecure.

Thanks, and best regards,
Peter Müller


Tell me about it. I have to deal with all kinds of trouble once Microsoft is needed. Microsoft is absolute junk in my opinion, but that is my opinion. That said, I will have to make it work as that is required.

I can also google for the ports. In the end you get 65536 ports that need to be open if you google long enough. It is nonsensical.

My question was directed to someone who is in the same situation as I am, has to deal with getting Teams to work through IPFire securely, and has done so successfully.
Not whether I can or want to google. Don't trust the Google port info. It makes little sense.

Teams works without any change in IPFire…
And it even worked with 90% of countries in the blocklist… (exit traffic blocked based on country destination - which was literally a pain in the rear for all Microsoft apps!).

At that time I had to add this rule in the FW CUSTOMFORWARD chain to allow access to Microsoft IP ranges…

```bash
# Pull Microsoft's registered IPv4 prefixes from ARIN's RDAP record and
# flatten them into a comma-separated CIDR list (the -d option of iptables
# accepts such a list).  TLS verification stays on: this output becomes
# firewall ACCEPT rules, so the download must not be tamperable in transit.
msft=$(curl -s https://rdap.arin.net/registry/entity/MSFT 2>/dev/null \
  | grep v4prefix -A1 \
  | tr -d '",: \n-' \
  | sed -e 's/v4prefix/,/g' -e 's/length/\//g' -e 's/^,//g')
iptables --wait -t filter -A CUSTOMFORWARD -p tcp --dport 443 -d "$msft" -j ACCEPT
iptables --wait -t filter -A CUSTOMFORWARD -p tcp --dport 80 -d "$msft" -j ACCEPT
```


This is very helpful thanks.

Educate me.

The curl/sed bash command fetches ranges of IP addresses.
Which IP addresses are these for?
The countries you mention?
I see in the iptables string that these are then set to be accepted and forwarded somewhere.
In my case it would be great to just forward them to exactly the machines that need this and run Teams, and not make them available to other servers that do not need such a connection.

Hi,

These are ALL Microsoft public registered IP addresses.

Because I blocked 90% of the countries, this means I also blocked Microsoft IP ranges registered in those countries! And with DNS responses not always being GeoIP aware, I was sometimes getting an IP address from a country I blocked (like Italy). In these cases the apps did not work… until DNS responded with a new IP from another country.
Therefore the only solution was to permit the Microsoft IP ranges explicitly in one of the FW chains prior to the chain where the country block was enforced.

Those are just Permit TCP 443 and TCP 80 for OUTGOING traffic. This was enough for all MS apps to work properly - including Teams.
I am not a Microsoft expert, but I believe they use some kind of HTTPS proxy for all their apps… At least this is what I see in the Outlook connection tracker. I assume that the rest of the apps use the same transport: an SSL bearer…

Hope it helps!

This REALLY helps thanks. It would have taken an eternity to figure this out.

Here is my intermediary script that checks all Microsoft RDAP database entries and extracts the CIDR ranges from there

```bash
#!/bin/bash

# Download the ARIN RDAP entity record for Microsoft, then turn every
# "v4prefix"/"length" pair into a comma-separated list of IPv4 CIDRs.
curl -s -o MSFT-RDAP https://rdap.arin.net/registry/entity/MSFT
grep v4prefix -A 1 MSFT-RDAP \
  | awk '{gsub(/--/,","); printf "%s", $0}' \
  | awk '{gsub(/ *"v4prefix" *: *"/,""); printf "%s", $0}' \
  | awk '{gsub(/ *"length" *: */,"/"); printf "%s", $0}' \
  | awk '{gsub(/",/,""); gsub(/ /,""); print}' > MSFT-RDAP2CIDR
cat MSFT-RDAP2CIDR
```
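The same extraction as the script above, rewritten as an added example (not code from the thread) that pairs each `v4prefix` with its `length` regardless of whitespace, rejects anything that does not look like an IPv4 CIDR before it can reach iptables, and scopes the resulting CUSTOMFORWARD rules to the LAN hosts that actually run Teams, as asked earlier in the thread. The RDAP JSON and the LAN addresses 192.168.1.10/.11 are constructed stand-ins; on IPFire the real record is fetched with `curl -s -o MSFT-RDAP https://rdap.arin.net/registry/entity/MSFT` and piped in instead.

```sh
#!/bin/sh
# Added example, not from the thread: parse ARIN RDAP "v4prefix"/"length"
# pairs into CIDRs and print CUSTOMFORWARD rules limited to chosen LAN hosts.
# SAMPLE_RDAP is a constructed stand-in for the MSFT entity record; the
# prefixes are documentation ranges, not Microsoft's.
SAMPLE_RDAP='{
  "networks" : [ {
    "handle" : "NET-EXAMPLE-1",
    "cidr0_cidrs" : [ {
      "v4prefix" : "192.0.2.0",
      "length" : 24
    } ]
  }, {
    "handle" : "NET-EXAMPLE-2",
    "cidr0_cidrs" : [ {
      "v6prefix" : "2001:db8::",
      "length" : 32
    }, {
      "v4prefix" : "198.51.100.0",
      "length" : 25
    } ]
  } ]
}'

# Read RDAP JSON on stdin, print one IPv4 CIDR per line.  Each v4prefix is
# paired with the next "length" key; v6prefix entries are skipped.  The final
# grep keeps only values shaped like an IPv4 CIDR with a 0-32 prefix length,
# so a garbled record can never become an iptables -d argument.
rdap_to_cidrs() {
  awk '
    /"v4prefix"/ { p = $0; sub(/.*"v4prefix"[^"]*"/, "", p); sub(/".*/, "", p); prefix = p; next }
    /"length"/ && prefix != "" { l = $0; gsub(/[^0-9]/, "", l); print prefix "/" l; prefix = "" }
  ' | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])'
}

# Read CIDRs (one per line) on stdin and print the iptables commands that let
# only the LAN hosts given as arguments reach them on TCP 80/443.  The rules
# are printed rather than executed so an admin can review them first.
teams_rules() {
  cidrs=$(paste -sd, -)
  for host in "$@"; do
    for port in 80 443; do
      echo "iptables --wait -t filter -A CUSTOMFORWARD -s $host -d $cidrs -p tcp --dport $port -j ACCEPT"
    done
  done
}

# Hypothetical Teams workstations on the green network.
printf '%s\n' "$SAMPLE_RDAP" | rdap_to_cidrs | teams_rules 192.168.1.10 192.168.1.11
```

Insert the printed rules before the chain that enforces the country block, as the earlier reply explains, or the GeoIP rule will still drop the traffic first.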

That's a neat script and very helpful, thanks.
I will surely use it!

I always try to avoid sed/awk in my scripts, but it is very useful, as this demonstrates. I just can't get used to the extremely cryptic commands.

You obviously mastered them well.
It runs properly for about 4 seconds, then
it gives me a syntax error "syntax error near unexpected token `(’ ",
but I will figure out what's wrong. I have to figure out how it works anyway.

 ./deleteme.scr 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  354k    0  354k    0     0  95806      0 --:--:--  0:00:03 --:--:-- 95786
./deleteme.scr: line 6: syntax error near unexpected token `('
./deleteme.scr: line 6: `    grep v4prefix -A 1 MSFT-RDAP | awk ‘{gsub(/--/,","); printf $0}’|awk ‘{gsub(/ “v4prefix” : “/,”"); printf $0}’|awk ‘{gsub(/ “length” : /,"/"); printf $0}’|awk ‘{gsub(/",/,""); printf $0}’ > MSFT-RDAP2CIDR'

Hi guys! I am using IPFire with the web proxy (without transparent mode) and URL filtering, and I need Microsoft Teams to work for my network. I have added all IP addresses (from the Microsoft website for Teams) to my firewall proxy and to the URL filter's unrestricted IP addresses. I have also added the URLs for MS Teams to the custom whitelist. But the Teams desktop app still gives me an error. Any help? Can anyone suggest how to make IPFire work with the Microsoft Teams desktop app?

The error message I am getting now on Teams desktop is
“desktop-10416bd0-6a28-418d-a022-49d7bd78edb2
Error code - 6
There’s a more permanent way to sign in to Microsoft Teams. If you’re having trouble completing the process, talk to your IT admin”

For once Microsoft actually did something useful with Teams. It actually works, but these kinds of questions about how to make it work with firewalls are going to pop up more and more.
It would be really great, and to the benefit of IPFire, to create a general setup script or functionality that can solve all these questions and make it easy out of the box to get Teams working on IPFire.
It will just get way more users for IPFire.
I don't like M$, but Teams is going to be a game changer and caught the open source community completely off guard.
Best is to support it and make it easy for users to use IPFire with it.

Here is what I found, hope it helps.

Thanks Shaun. I have tried that. Teams works for all other domains, but now the problem seems to be that I have an on-site AD server for authentication of users from an AD FS Server 2012, so even when I try to log in from the web version of Teams it first gives me a certificate error (as I am using the HTTPS web proxy with URL filtering in IPFire). Can someone help me solve this certificate warning error? All other HTTPS websites work fine, but as this Office 365 redirects the user to my organization's login page, which is on the AD FS Server 2012, the certificate warning comes up. I have added that link (xyz.myorg.com) to the proxy and URL filter and also to the unrestricted IP list, but the certificate warning still comes up, meaning a man in the middle is being detected… Thanks

Hi,

Can some one help me how to solve this certificate warning error?

since IPFire’s web proxy is not capable of intercepting HTTPS traffic for security reasons (we’ve compiled Squid without SSL/TLS support), I am pretty sure this is not related to IPFire.

[…] which is on AD FS server 2012 certificate warning comes up.

If I got this setup right, your AD server is serving the certificate in question. In this case, receiving a certificate warning does not surprise me, since it is most probably not issued by a publicly trusted CA.

I have added that link (xyz.myorg.com) in proxy and url filter also unrestrict ip list but still certificate warning comes up mean man in middle being detected

Again, this is not necessary.

Thanks, and best regards,
Peter Müller

Hi,

in my opinion, this is not the right approach to the problem.

At IPFire, we neither can nor want to provide scripts/documentation/how-tos for making 3rd party applications work with IPFire. Their behaviour can change at any time, and maintaining such guides or scripts simply goes beyond our capabilities.

Worse, it releases the user from the burden of thinking by themselves and reading the firewall documentation, which I consider to be fatal in terms of security, as the user has no idea about what he/she/it is doing and how the affected system works in detail - some thoughts which I wrote down a while ago here:

Best is to support it and make it easy for users to use IPFire with it

The ultimate goal (gaining more IPFire users) does not justify the means. MS Teams indeed is an ongoing topic heavily advertised by Microsoft themselves, and many people want to use it - although I often get the feeling that they do not know what to use it for, but rather want to have it because it is cool.

At least within Europe, legal trouble is an elephant in the room as well, as it is not clear whether it is even legal (GDPR compliant) to use cloud-based Microsoft software, as there is no sufficient privacy level in the US. Taking advantage of the CLOUD act, US intelligence and law enforcement agencies are allowed to demand access to data stored overseas, as long as the data center, servers or whatever is owned by an US-based company.

If I may speak for the IPFire project as such: at this point, an ongoing effort of maintaining scripts or documentation to “make MS Teams work with IPFire” without spending a single thought on how a firewall works and how to write rules for it is not wise, since we cannot give any legal advice on whether a user should even use MS Teams.

Thanks, and best regards,
Peter Müller


Thanks Peter,
As for "whether a user should even use MS Teams" … employees have no choice. If they refuse to use it they WILL lose their livelihood.
That is a dubious/bogus consideration.

Teams is here to stay and here to stay in a BIG way unfortunately.
I dislike TEAMS, and I lay the blame on us the open source community for not first developing such a suite.

We are getting slack.

Hello @zimbodel,

Sorry for taking this in a new direction. I am just trying to learn something about MS Teams and the firewall.

I’ve been sitting on the sidelines watching this discussion. My wife uses the client side of MS Teams most all day long without issues. I did not change anything from the out-of-the-box IPFire setup. And I did not need to open any ports for MS Teams. It just works.

So what is open on my side that is closed on your side?