Windows Live EDU Firewall IPs Troubleshoot WITH Full IPs

8/14/2019 Windows Live EDU Firewall IPs Troubleshoot WITH Full IPs

1/4

MIIS Firewall IPs

In order to secure transactions between your institution and the Windows Live provisioning system,Microsoft will need to add your schools MIIS server source IP to the permit list on our networkfirewall.

The IP address that you give us must be a dedicated static internet addressable IP address. Routingyour MIIS Server through a dedicated firewall/proxy server is acceptable.

Run the tests below BEFORE giving us your IP address to be sure that your network is properlyconfigured. It is difficult for us to troubleshoot network routing issues in your own equipment.

Once you have configured your IP and run the tests below, send your IP to [email protected] the email title being MIIS/Firewall IP for MAv2 - . Once we get this IP fromyou, we put it in our systems on our side. We will send you email to ask you to test it when the IP isadded to our permit list.

Setting up and Testing the MIIS/Firewall IPs

The IP addresses you give us must be

Static - DHCP assigned IP addresses will not work Internet routable - 10.x.x.x and 192.168.x.x addresses handed out by most internal routers

cannot be used on the internet.

Dedicated to Windows Live calls - Due to the nature of the data we host for our partners, wewould prefer that the source IP(s) provided are dedicated to calls to the Windows Liveprovisioning system. This is to prevent connectivity from other services that you may proxyfrom the same source IP that are unrelated to the Windows Live provisioning functionality.Giving us the general firewall or proxy server of your institution may result in your access toour provisioning server being turned off. If there is other non Windows Live traffic going overthis IP address to the server IP we give you, your IP may be locked out without notice.

Open over port 443 (https) and port 80 (http) - You will need to allow two way communicationsover these ports.


2/4

Once you have your MIIS server and IP rules setup, run the following tests BEFORE sending us yourIP address.

1. From your MIIS server, go to this web site below. Your servers IP address as seen on theInternet will be displayed. Its the IP that our servers will see. If its not what you expected, then

resolve this issue. If may be showing the IP address of your router, proxy server or generalnetwork firewall. If this URL does not work for you, this is a list of other web sites that will showyour IP address near the end of this document.http://www.mediacollege.com/internet/utilities/show-ip.shtml

If you cannot view this web page, then you probably do not have port 80 open. As a result, thetelnet test over port 80 in a later step will probably fail as well. Reconfigure your network to allowaccess over port 80 and rerun this test.

If the URL above does not work, you can use these alternate web sites to test your IP.http://www.2privacy.com/www/privacy-protection/ip-check-privacy-test.html

http://www.proxyway.com/cgi-bin/Check-IP-Proxy-Judge-Privacy-Test.pl

2. From your MIIS server , go to the URL above again. The IP address should be consistent

whenever you visit this site, regardless of reboots. If the IP address changes, then reconfigureyour network and retest this step.

3. From your MIIS server , open up a command window to run the following commands.
http://www.mediacollege.com/internet/utilities/show-ip.shtmlhttp://www.2privacy.com/www/privacy-protection/ip-check-privacy-test.htmlhttp://www.proxyway.com/cgi-bin/Check-IP-Proxy-Judge-Privacy-Test.plhttp://www.mediacollege.com/internet/utilities/show-ip.shtmlhttp://www.2privacy.com/www/privacy-protection/ip-check-privacy-test.htmlhttp://www.proxyway.com/cgi-bin/Check-IP-Proxy-Judge-Privacy-Test.pl


3/4

4. Confirm ability to telnet over port 443.

telnet www.microsoft.com 433

Success will appear as a blank screen as shown above.

Failure will give you an error message such as shown above.

Wait for 2 minutes for the connection to either go through or fail. www.microsoft.com allowstelnet connection over port 443 regardless of your IP address. If the connection fails, then youdo not have the proper connectivity over port 443. Reconfigure your network until this test

works

5. Confirm network connectivity and test ability to telnet over port 80. Open another commandwindow and type telnetwww.microsoft.com 80. You will obtain the same success or failureindications as for port 443.

6. If all these tests pass, submit your IP address to [email protected] as indicated in theinstructions above.

We will send you notification when weve loaded your IP into our system. Then you will run telnettest again to the IP address that we send you. It will be of the form 65.54.158.26. Type

>>telnet 65.54.158.26 443

1. If connectivity to this new 65.54.158.26 succeeds, notify us that its succeeded at [email protected]. YOU ARE DONE! You are ready to move to the next step.

2. If connectivity fails, perform the following checks. Remember that we have over 100 otheruniversities already working in our system. Most problems can be traced to either fat-fingering IPs during the transfer process or problems on the university side.
http://www.microsoft.com/http://www.microsoft.com/http://www.microsoft.com/mailto:[email protected]:[email protected]:[email protected]://www.microsoft.com/http://www.microsoft.com/http://www.microsoft.com/mailto:[email protected]:[email protected]:[email protected]


4/4

a. Did you submit the right IP? Check the IP that you emailed to ed-desk against theactual IP. Check the URL location given above to check your actual IP. Manyproblems are simply a typo in the IP address you sent to us. If this is the problem,notify us of the correct IP at [email protected] and we will file the correct IPaddress.

b. Are you typing the right command? You have to be checking over port 443. Otherports will not work. Type *only* the command c:\>telnet 65.54.158.26 443c. Check your network settings to be sure that you allow connectivity to the new

65.54.158.26 IP weve given you. You may have a firewall or proxy server that isgetting in the way of outgoing traffic to 65.54.158.26 or return traffic from65.54.158.26.

d. Perform a tracert to the 65.54.158.26 IP address we give you. It will look somethinglike below.

C:\Documents and Settings\a-robb>tracert 65.54.158.26

Tracing route to ssapi.msn.com [65.54.158.26]

over a maximum of 30 hops:

1 * * * Request timed out.

2 12 ms * 11 ms GE-1-10-ur01.wa.seattle.comcast.net [68.86.177.33]


4 14 ms 11 ms 11 ms 12.118.60.5

5 43 ms 41 ms 37 ms 12.127.6.90

6 37 ms 37 ms 38 ms tbr2-cl10.sffca.ip.att.net [12.122.12.113]

7 38 ms 37 ms 38 ms 12.122.80.41

8 33 ms 33 ms 33 ms 12.126.40.6

9 52 ms 35 ms 34 ms ge-7-3-0-57.sjc-64cb-1b.ntwk.msn.net [207.46.37.201]

10 35 ms 33 ms 35 ms pos6-1.tuk-76cb-1b.ntwk.msn.net [207.46.34.170]

11 48 ms 35 ms 43 ms ten2-1.tuk-76c-1a.ntwk.msn.net [207.46.36.197]

12 33 ms 33 ms 44 ms gig3-16.tuk-6nf-5b.ntwk.msn.net [207.46.39.102]



15 ^C

C:\Documents and Settings\a-robb>

You will never see the 65.54.158.26 IP in the tracert because ICMP is not active past acertain point.

e. If your trace is not getting to ntwk.msn.net at 207.46.37.201, then there is someproblem between your MIIS server and our network.

f. If your trace is getting to ntwk.msn.net at 207.46.37.201 then there is one of acouple issues

i. We have not properly put your IP in our firewall. We will check this.ii. You are not coming from the right IP or over the right port.iii. You are blocking return traffic from our 65.54.158.26 server.

g. We can check to see if we are getting hit counts from the IP we filed for you. If weare, then your traffic is using the wrong port.

.
mailto:[email protected]:[email protected]