SharePoint Stuff



Posts Tagged ‘Office 365’

UDP and TCP port tester / Skype for Business Testing

Written by Luke Smith. Posted in Microsoft

Recently I have been working with a customer who has Skype for Business Online (SfB) as part of Office 365. The customer is successfully using the Skype for Business client (Windows/Mac) and is extending the use of SfB to their meeting rooms using the Polycom RealPresence Trio 8800 (UC Software version: 5.5.2.11217).

ISSUE:
The Polycom fails to connect to SfB from the corporate network, but works from a home network or guest Wi-Fi.

PROBLEM:
Unlike the SfB desktop client, which only needs TCP port 443 outbound, the Polycom also needs outbound UDP: to a public time server (NTP, UDP port 123) and to the Lync Edge services for SIP signalling (ports 5060-5061) and audio/video (STUN/TURN and media on UDP 3478-3481 and 50,000-59,999, the range probed by the script below). A corporate firewall that only permits outbound TCP 443 therefore lets the desktop client work while the phone fails, which is why the same device works from a home network.

TESTING:
Using the Test-Port function from the PowerShell script porttest.ps1 (load it into the session first, e.g. ". .\porttest.ps1"), you can test the outbound UDP and TCP ports the Polycom needs. Each line checks one host and port; -udp or -tcp selects the protocol, and -UDPtimeout/-TCPtimeout sets how long to wait before the probe is reported as timed out:

Test-Port -comp 0.uk.pool.ntp.org -port 123 -UDPtimeout 10000 -udp
Test-Port -comp config.edge.skype.com -port 443 -TCPtimeout 10000 -tcp
Test-Port -comp config.edge.skype.com -port 80 -TCPtimeout 10000 -tcp
Test-Port -comp 1-courier.push.apple.com -port 5223 -TCPtimeout 10000 -tcp
Test-Port -comp config.edge.skype.com -port 3478 -UDPtimeout 10000 -udp
Test-Port -comp config.edge.skype.com -port 3479 -UDPtimeout 10000 -udp
Test-Port -comp config.edge.skype.com -port 3480 -UDPtimeout 10000 -udp
Test-Port -comp config.edge.skype.com -port 3481 -UDPtimeout 10000 -udp
Test-Port -comp sipfed.online.lync.com -port 5061 -TCPtimeout 10000 -tcp
Test-Port -comp config.edge.skype.com -port 50000 -UDPtimeout 10000 -udp
Test-Port -comp config.edge.skype.com -port 50019 -UDPtimeout 10000 -udp
Test-Port -comp config.edge.skype.com -port 50029 -UDPtimeout 10000 -udp
Test-Port -comp config.edge.skype.com -port 50039 -UDPtimeout 10000 -udp
Test-Port -comp config.edge.skype.com -port 50049 -UDPtimeout 10000 -udp
Test-Port -comp config.edge.skype.com -port 50059 -UDPtimeout 10000 -udp
Test-Port -comp config.edge.skype.com -port 59999 -UDPtimeout 10000 -udp
Test-Port -comp 52-114-125-8.relay.teams.microsoft.com -port 50001 -TCPtimeout 10000 -tcp
Test-Port -comp 52-114-125-8.relay.teams.microsoft.com -port 50019 -TCPtimeout 10000 -tcp
Test-Port -comp 52-114-125-8.relay.teams.microsoft.com -port 50029 -TCPtimeout 10000 -tcp
Test-Port -comp 52-114-125-8.relay.teams.microsoft.com -port 50039 -TCPtimeout 10000 -tcp
Test-Port -comp 52-114-125-8.relay.teams.microsoft.com -port 50049 -TCPtimeout 10000 -tcp
Test-Port -comp 52-114-125-8.relay.teams.microsoft.com -port 50059 -TCPtimeout 10000 -tcp
Test-Port -comp 52-114-125-8.relay.teams.microsoft.com -port 59999 -TCPtimeout 10000 -tcp

Failed Output:

Server : 0.uk.pool.ntp.org
Port : 123
TypePort : UDP
Open : False
Notes : Unable to verify if port is open or if host is unavailable.

Server : config.edge.skype.com
Port : 3478
TypePort : TCP
Open : False
Notes : Connection to Port Timed Out

Server : config.edge.skype.com
Port : 50019
TypePort : TCP
Open : False
Notes : Connection to Port Timed Out

Server : config.edge.skype.com
Port : 5060
TypePort : TCP
Open : False
Notes : Connection to Port Timed Out

Server : config.edge.skype.com
Port : 5061
TypePort : TCP
Open : False
Notes : Connection to Port Timed Out
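The UDP results above show the limitation of a generic port tester: UDP is connectionless, so a probe that gets no answer looks the same whether the firewall dropped it or the service simply ignored an unrecognised payload, hence "Unable to verify if port is open or if host is unavailable". The following is an added example (my own code, not the porttest.ps1 script and not Polycom or Microsoft code) that tests TCP connects and sends protocol-aware UDP probes: a real NTP client request to the pool server, and a STUN Binding Request on 3478, so that a reply positively confirms the UDP path. Hosts and ports are those from the list above; the function names are my own, and a host that does not actually run STUN (config.edge.skype.com may not) will still show as no reply.

```powershell
# Added example: a stand-alone probe script, not the porttest.ps1 used in the post.
# It tests TCP connects and sends protocol-aware UDP probes (an NTP client request and
# a STUN Binding Request) so a UDP "no reply" can be told apart from a working service.
# Hosts and ports are the ones the post tests; the function names are my own.

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 10000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar   = $client.BeginConnect($Server, $Port, $null, $null)
        $open = $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($open) { $client.EndConnect($ar); $note = 'Connected' }
        else       { $note = 'Connection timed out (blocked or filtered)' }
    } catch {
        $open = $false; $note = $_.Exception.Message   # e.g. connection refused, DNS failure
    } finally { $client.Close() }
    [pscustomobject]@{ Server = $Server; Port = $Port; Protocol = 'TCP'; Open = $open; Notes = $note }
}

function Send-UdpProbe {
    # Sends $Request and returns the reply bytes, or $null if nothing came back in time.
    param([string]$Server, [int]$Port, [byte[]]$Request, [int]$TimeoutMs = 10000)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($Request, $Request.Length)
        $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        return ,$udp.Receive([ref]$from)
    } catch [System.Net.Sockets.SocketException] {
        return $null   # receive timeout, ICMP port unreachable, or name resolution failure
    } finally { $udp.Close() }
}

function Test-NtpUdp {
    param([string]$Server, [int]$Port = 123, [int]$TimeoutMs = 10000)
    $req = New-Object byte[] 48
    $req[0] = 0x1B                          # LI=0, VN=3, Mode=3 (client request)
    $resp = Send-UdpProbe -Server $Server -Port $Port -Request $req -TimeoutMs $TimeoutMs
    if ($resp -and $resp.Length -ge 48) {
        # Transmit Timestamp seconds: bytes 40..43, big-endian, counted from 1900-01-01 UTC
        $secs = ([int64]$resp[40] -shl 24) -bor ([int64]$resp[41] -shl 16) -bor
                ([int64]$resp[42] -shl 8)  -bor ([int64]$resp[43])
        $serverTime = [datetime]::new(1900, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc).AddSeconds($secs)
        $open = $true;  $note = "NTP reply; server time $($serverTime.ToString('u'))"
    } else {
        $open = $false; $note = 'No NTP reply (UDP 123 blocked, or server silent)'
    }
    [pscustomobject]@{ Server = $Server; Port = $Port; Protocol = 'UDP'; Open = $open; Notes = $note }
}

function Test-StunUdp {
    param([string]$Server, [int]$Port = 3478, [int]$TimeoutMs = 10000)
    # RFC 5389 Binding Request: type 0x0001, length 0, magic cookie 0x2112A442, 96-bit transaction id
    $txn = New-Object byte[] 12
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($txn)
    $req = [byte[]](0x00, 0x01, 0x00, 0x00, 0x21, 0x12, 0xA4, 0x42) + $txn
    $resp = Send-UdpProbe -Server $Server -Port $Port -Request $req -TimeoutMs $TimeoutMs
    # A Binding Success Response has type 0x0101 and echoes our transaction id
    $open = [bool]($resp -and $resp.Length -ge 20 -and $resp[0] -eq 0x01 -and $resp[1] -eq 0x01 -and
                   (($resp[8..19] -join ',') -eq ($txn -join ',')))
    $note = if ($open) { 'STUN Binding Success Response' } else { 'No STUN reply (blocked, or host does not speak STUN)' }
    [pscustomobject]@{ Server = $Server; Port = $Port; Protocol = 'UDP'; Open = $open; Notes = $note }
}

# Run the checks from the post (hosts/ports as listed there) and show one row per probe
$results = @(
    Test-NtpUdp  -Server '0.uk.pool.ntp.org'
    Test-TcpPort -Server 'config.edge.skype.com'  -Port 443
    Test-TcpPort -Server 'sipfed.online.lync.com' -Port 5061
    Test-StunUdp -Server 'config.edge.skype.com'  -Port 3478
)
$results | Format-Table Server, Port, Protocol, Open, Notes -AutoSize
```

Run it from a PowerShell prompt on a machine on the same network segment as the Polycom. A True in the Open column for the NTP or STUN probe means the UDP path is genuinely working end to end, because the remote service answered a well-formed request; a False on UDP remains inconclusive for any host that does not speak the probed protocol, which is exactly the ambiguity the generic tester's "Unable to verify" note describes.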

RESOLUTION:

Allow the UDP (and TCP) ports listed above outbound from the corporate firewall to the Office 365 / Skype for Business Online address ranges, and UDP 123 outbound to the time server, then re-run the tests to confirm. Bear in mind that a UDP test only proves the path when the remote service actually answers the probe. More information here:
Polycom Ports
Office 365 Ports and URLs
Skype Port Changes

Microsoft Cloud App Security (MCAS) Q&A

Written by Luke Smith. Posted in Microsoft

Q: How quickly can the MCAS log collector ingest data?
A: 50 GB/hr; the main limitations are bandwidth and processing, which can be overcome by increasing compute/bandwidth or adding more collectors.
Q: What happens if the MCAS log collector can't process the data quickly enough?
A: Data is dropped (DD to confirm); adding more collectors is recommended.
Q: Do you need an MCAS log collector per device?
A: No, the same one can be used.
Q: Can I add more MCAS log collectors?
A: Yes (DD to confirm whether they can be load balanced; I think they can but couldn't find an article).
Q: What do I need to do to protect my end users when using the MCAS proxy?
A: Devices need to be Azure AD joined, as it uses Conditional Access.
Q: Does the MCAS proxy work with non-Windows 10 devices?
A: Yes, using Conditional Access from MDM for macOS, Android and iOS; Windows 8.1 or below TBC.
Q: If the details of a cloud vendor are incorrect, how can these be updated?
A: Microsoft support request from the portal.
Q: Do you need to license every user for MCAS to view the activity?
A: Not for proxy/firewall logs.
Q: Do you need to license every user for MCAS if you need to control access using the proxy?
A: Yes.
Q: Can we create our own application and vendor classification?
A: TBC
Q: Can we integrate MCAS with a SIEM?
A: Yes.
Q: Can we integrate MCAS and ATP (Defender and Office 365) together?
A: TBC
Q: Can we integrate AIP with MCAS?
A: Yes.

Useful Links:
Docs.Microsoft: https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security