Firewall exceptions required for ADAL.NET

Question

Our prod app is behind a very strict firewall. We are seeing that during login, the ADAL.NET+AzureAD web app tries to talk to an IP Address in the Microsoft Azure network (most likely to validate the auth request). While this is understandable, we need to know what IP Addresses/Ports/Protocols we need to allow in the firewall. And I can't find any definitive documentation about it.

The best bit of info I can find so far is * https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2 .. which is like 500IPaddresses, and a ridiculous # of firewall exceptions that no IT admin will allow (impossible to manage).

Is there a simple guide that I'm missing? I've google/bing'ed the crap out of it with no avail. TIA!

S

Answer 1

I was able to work around this issue by routing all traffic through a proxy. The server with the WebAPI can be onprem and the proxy (if you wish) can be in Azure. Here is the solution for the next poor soul butting heads with their IT Admins - http://blah.winsmarts.com/2016-5-Routing_all_application_traffic_through_a_proxy.aspx

Answer 2

ADAL.NET speaks OpenID Connect. Which is a standard protocol based on the OAuth 2.0 framework. This is pure Web protocol and talks exclusively and only over HTTPS - so you need an outgoing TCP connection on port 443.

As for concrete IP Address - no. This is cloud. You cannot get a single IP adress, not even a range, for a service and rely it will remain the same. The best you can do, and which is doable on Firewalls, is to all outgoing TCP connections on port 443 with destnation DNS name including:

• login.microsoftonline.com
• login.windows.net

These are relatively simple to implement.