Windows Live EDU Firewall IPs Troubleshoot WITH Full IPs


Published by: Roberto Júnior Guedes Rodrigues on Nov 26, 2009
Copyright:Attribution Non-commercial







MIIS Firewall IPs

In order to secure transactions between your institution and the Windows Live provisioning system, Microsoft will need to add your school's MIIS server source IP to the permit list on our network firewall. The IP address that you give us must be a dedicated, static, internet-addressable IP address. Routing your MIIS server through a dedicated firewall/proxy server is acceptable.

Run the tests below BEFORE giving us your IP address to be sure that your network is properly configured. It is difficult for us to troubleshoot network routing issues in your own equipment. Once you have configured your IP and run the tests below, send your IP to ed-desk@microsoft.com with the email title “MIIS/Firewall IP for MAv2 - <university name>”. Once we get this IP from you, we put it in our systems on our side. We will send you an email asking you to test it when the IP has been added to our permit list.

Setting up and Testing the MIIS/Firewall IPs
The IP addresses you give us must be:

• Static - DHCP-assigned IP addresses will not work.
• Internet routable - 10.x.x.x and 192.168.x.x addresses handed out by most internal routers cannot be used on the internet.
• Dedicated to Windows Live calls - Due to the nature of the data we host for our partners, we would prefer that the source IP(s) provided are dedicated to calls to the Windows Live provisioning system. This is to prevent connectivity from other services that you may proxy from the same source IP that are unrelated to the Windows Live provisioning functionality. Giving us the general firewall or proxy server of your institution may result in your access to our provisioning server being turned off. If there is other non-Windows Live traffic going over this IP address to the server IP we give you, your IP may be locked out without notice.
• Open over port 443 (https) and port 80 (http) - You will need to allow two-way communications over these ports.

Once you have your MIIS server and IP rules set up, run the following tests BEFORE sending us your IP address.

1. From your MIIS server, go to the web site below. Your server's IP address as seen on the Internet will be displayed. It's the IP that our servers will see. If it's not what you expected, then resolve this issue. It may be showing the IP address of your router, proxy server or general network firewall. If this URL does not work for you, there is a list of other web sites that will show your IP address near the end of this document.

   http://www.mediacollege.com/internet/utilities/show-ip.shtml

   If you cannot view this web page, then you probably do not have port 80 open. As a result, the telnet test over port 80 in a later step will probably fail as well. Reconfigure your network to allow access over port 80 and rerun this test. If the URL above does not work, you can use these alternate web sites to test your IP.

   http://www.2privacy.com/www/privacy-protection/ip-check-privacy-test.html
   http://www.proxyway.com/cgi-bin/Check-IP-Proxy-Judge-Privacy-Test.pl

2. From your MIIS server, go to the URL above again. The IP address should be consistent whenever you visit this site, regardless of reboots. If the IP address changes, then reconfigure your network and retest this step.

3. From your MIIS server, open up a command window to run the following commands.

4. Confirm ability to telnet over port 443.

telnet www.microsoft.com 443

Success will appear as a blank screen as shown above.

Failure will give you an error message such as shown above. Wait for 2 minutes for the connection to either go through or fail. www.microsoft.com allows telnet connections over port 443 regardless of your IP address. If the connection fails, then you do not have the proper connectivity over port 443. Reconfigure your network until this test works.

5. Confirm network connectivity and test ability to telnet over port 80. Open another command window and type telnet www.microsoft.com 80. You will obtain the same success or failure indications as for port 443.

6. If all these tests pass, submit your IP address to ed-desk@microsoft.com as indicated in the instructions above. We will send you notification when we've loaded your IP into our system. Then you will run the telnet test again to the IP address that we send you. It will be of the form Type >>telnet 443

   1. If connectivity to this new IP succeeds, notify us that it's succeeded at ed-desk@microsoft.com. YOU ARE DONE! You are ready to move to the next step.
   2. If connectivity fails, perform the following checks. Remember that we have over 100 other universities already working in our system. Most problems can be traced to either fat-fingering IPs during the transfer process or problems on the university side.

a. Did you submit the right IP? Check the IP that you emailed to ed-desk against the actual IP. Check the URL location given above to check your actual IP. Many problems are simply a typo in the IP address you sent to us. If this is the problem, notify us of the correct IP at ed-desk@microsoft.com and we will file the correct IP address.

b. Are you typing the right command? You have to be checking over port 443. Other ports will not work. Type *only* the command c:\>telnet 443

c. Check your network settings to be sure that you allow connectivity to the new IP we've given you. You may have a firewall or proxy server that is getting in the way of outgoing traffic to or return traffic from

d. Perform a tracert to the IP address we give you. It will look something like below.
C:\Documents and Settings\a-robb>tracert
Tracing route to ssapi.msn.com [] over a maximum of 30 hops:
  1     *        *        *     Request timed out.
  2    12 ms     *       11 ms  GE-1-10-ur01.wa.seattle.comcast.net []
  3     *        *        *     Request timed out.
  4    14 ms    11 ms    11 ms
  5    43 ms    41 ms    37 ms
  6    37 ms    37 ms    38 ms  tbr2-cl10.sffca.ip.att.net []
  7    38 ms    37 ms    38 ms
  8    33 ms    33 ms    33 ms
  9    52 ms    35 ms    34 ms  ge-7-3-0-57.sjc-64cb-1b.ntwk.msn.net []
 10    35 ms    33 ms    35 ms  pos6-1.tuk-76cb-1b.ntwk.msn.net []
 11    48 ms    35 ms    43 ms  ten2-1.tuk-76c-1a.ntwk.msn.net []
 12    33 ms    33 ms    44 ms  gig3-16.tuk-6nf-5b.ntwk.msn.net []
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15  ^C
C:\Documents and Settings\a-robb>

You will never see the IP in the tracert because ICMP is not active past a certain point.

e. If your trace is not getting to ntwk.msn.net at, then there is some problem between your MIIS server and our network.

f. If your trace is getting to ntwk.msn.net at then there is one of a couple of issues:
   i. We have not properly put your IP in our firewall. We will check this.
   ii. You are not coming from the right IP or over the right port.
   iii. You are blocking return traffic from our server.

g. We can check to see if we are getting hit counts from the IP we filed for you. If we are, then your traffic is using the wrong port.
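The pre-submission checks in steps 1 to 5 can be scripted. The following is an added example, not part of the original Microsoft document: it takes the addresses reported by the show-IP page on repeat visits, flags a changing or non-routable address, and replaces the telnet tests with a TCP connect that waits the same 2 minutes. The function names, the sample address and the ranges beyond 10.x.x.x and 192.168.x.x are assumptions of this example.

```python
import ipaddress
import socket
import sys

# Ranges that cannot serve as an internet-facing source address. The page names
# 10.x.x.x and 192.168.x.x; the remaining entries are added by this example.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",  # CGNAT, link-local, loopback
)]

def check_source_ip(observations):
    """Steps 1-2: observations are the IPs the show-IP page reported on repeat visits."""
    problems = []
    distinct = sorted(set(observations))
    if not distinct:
        problems.append("no observed IP address supplied")
    if len(distinct) > 1:
        problems.append("IP changed between visits (not static): " + ", ".join(distinct))
    for text in distinct:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            problems.append(f"{text}: not a valid IP address")
            continue
        if any(ip.version == net.version and ip in net for net in NON_ROUTABLE):
            problems.append(f"{text}: not internet routable")
    return problems

def tcp_port_open(host, port, timeout=120.0):
    """Steps 4-5: same signal as the telnet test; the page says to wait 2 minutes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(observations, host, ports=(443, 80), timeout=120.0):
    """Return a list of problems; an empty list means the IP is ready to submit."""
    problems = check_source_ip(observations)
    for port in ports:
        if not tcp_port_open(host, port, timeout):
            problems.append(f"cannot connect to {host} on TCP port {port}")
    return problems

if __name__ == "__main__":
    # Constructed observations; 203.0.113.10 is a documentation address standing in
    # for the real public IP. Pass a host name as argv[1] to also test ports 443/80.
    seen = ["203.0.113.10", "203.0.113.10"]
    result = preflight(seen, sys.argv[1]) if len(sys.argv) > 1 else check_source_ip(seen)
    print("ready to submit" if not result else "\n".join(result))
```

A successful connect only shows that outbound TCP to that port is allowed from this host; it does not show which source address the far end sees, so the show-IP check is still needed.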
