Lock down Microsoft Office 365 to Symantec.cloud IP address ranges

Products

Email Security.cloud

Issue/Introduction

Steps on how to ensure Microsoft Office 365 is locked down to only accept connections from Symantec Email Cloud IP ranges.

Resolution

To restrict the flow of email between your Office 365 organization and the Symantec.cloud service, set up connectors in Exchange Online or Exchange Online Protection (EOP) to use only the Symantec.cloud IP address range.

To specify multiple IP addresses, use Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr, where rr is a number from 24 to 32.

Note: By configuring the connector in this manner, any email that does not originate from Symantec.cloud IP address ranges will be rejected.

To require that all emails are sent from a specific IP address range, please create a connector that ensures mail is accepted only from Symantec IP ranges from all domains. Please check Configure Microsoft® Office 365™ for inbound mail for further details.

IPV4 IP addresses and Classless Inter-Domain Routing (CIDR)

IPV4 IP addresses must be specified in the format nnn.nnn.nnn.nnn, where nnn is a number from 0 to 255.

You can also specify Classless Inter-Domain Routing (CIDR) ranges in the format nnn.nnn.nnn.nnn/rr, where rr is a number from 24 to 32, as shown in Table 1. To help you with this, we have provided all Symantec.cloud IP address ranges up to /24 for each region below.

Table 1 Symantec.cloud IP address ranges to /24 - All regions

216.82.240.0/24

216.82.241.0/24

216.82.242.0/24

216.82.243.0/24

216.82.244.0/24

216.82.245.0/24

216.82.246.0/24

216.82.247.0/24

216.82.248.0/24

216.82.249.0/24

216.82.250.0/24

216.82.251.0/24

216.82.252.0/24

216.82.253.0/24

216.82.254.0/24

216.82.255.0/24

85.158.136.0/24

85.158.137.0/24

85.158.138.0/24

85.158.139.0/24

85.158.140.0/24

85.158.141.0/24

85.158.142.0/24

85.158.143.0/24

95.131.104.0/24

95.131.105.0/24

95.131.106.0/24

95.131.107.0/24

95.131.108.0/24

95.131.109.0/24

95.131.110.0/24

95.131.111.0/24

46.226.48.0/24

46.226.49.0/24

46.226.50.0/24

46.226.51.0/24

46.226.52.0/24

46.226.53.0/24

46.226.54.0/24

46.226.55.0/24

117.120.16.0/24

117.120.17.0/24

117.120.18.0/24

117.120.19.0/24

117.120.20.0/24

117.120.21.0/24

117.120.22.0/24

117.120.23.0/24

67.219.240.0/24

67.219.241.0/24

67.219.242.0/24

67.219.243.0/24

67.219.244.0/24

67.219.245.0/24

67.219.246.0/24

67.219.247.0/24

67.219.248.0/24

67.219.249.0/24

67.219.250.0/24

67.219.251.0/24

67.219.252.0/24

67.219.253.0/24

67.219.254.0/24

67.219.255.0/24

194.106.220.0/24

194.106.221.0/24

195.245.230.0/24

195.245.231.0/24

193.109.254.0/24

193.109.255.0/24

103.9.96.0/24

103.9.97.0/24

103.9.98.0/24

103.9.99.0/24

Creating connectors using a PowerShell script

To speed up the process of entering IP addresses, you can use the following PowerShell script.

Note: We recommend that you use the Exchange Online PowerShell V2 module to connect to Exchange Online PowerShell.

<#

Synopsis

This script contains all Symantec.cloud IP address ranges converted to a Classless Inter-Domain Routing (CIDR) range of IP addresses to /24, allowing for quick entry into Office 365.

Note: Office 365 allows CIDR ranges from /24 to /32.

Description This script creates a new connector for Office 365 that is restricted to Symantec.cloud IP addresses based on http://www.symantec.com/docs/INFO4532.

The connector is named "Symantec.cloud IP Address Ranges".

Notes - When prompted for a username and password, enter your Office 365 admin credentials. - New connectors will be disabled by default.

#>

Set-ExecutionPolicy RemoteSigned -Force

#Checks if the ExchangeOnlineManagement module is present if (Get-Module -ListAvailable -Name ExchangeOnlineManagement) { Import-Module ExchangeOnlineManagement } else { Install-Module ExchangeOnlineManagement }

$UserCredential = Connect-ExchangeOnline

New-InboundConnector -Enable $False -Name "Symantec.cloud IP Address Ranges" -SenderDomains * -RestrictDomainsToIPAddresses $true -RequireTls $false -SenderIPAddresses 216.82.240.0/24, 216.82.241.0/24, 216.82.242.0/24, 216.82.243.0/24, 216.82.244.0/24, 216.82.245.0/24, 216.82.246.0/24, 216.82.247.0/24, 216.82.248.0/24, 216.82.249.0/24, 216.82.250.0/24, 216.82.251.0/24, 216.82.252.0/24, 216.82.253.0/24, 216.82.254.0/24, 216.82.255.0/24, 67.219.240.0/24, 67.219.241.0/24, 67.219.242.0/24, 67.219.243.0/24, 67.219.244.0/24, 67.219.245.0/24, 67.219.246.0/24, 67.219.247.0/24, 67.219.248.0/24, 67.219.249.0/24, 67.219.250.0/24, 67.219.251.0/24, 67.219.252.0/24, 67.219.253.0/24, 67.219.254.0/24, 67.219.255.0/24, 85.158.136.0/24, 85.158.137.0/24, 85.158.138.0/24, 85.158.139.0/24, 85.158.140.0/24, 85.158.141.0/24, 85.158.142.0/24, 85.158.143.0/24, 95.131.104.0/24, 95.131.105.0/24, 95.131.106.0/24, 95.131.107.0/24, 95.131.108.0/24, 95.131.109.0/24, 95.131.110.0/24, 95.131.111.0/24, 46.226.48.0/24, 46.226.49.0/24, 46.226.50.0/24, 46.226.51.0/24, 46.226.52.0/24, 46.226.53.0/24, 46.226.54.0/24, 46.226.55.0/24, 117.120.16.0/24, 117.120.17.0/24, 117.120.18.0/24, 117.120.19.0/24, 117.120.20.0/24, 117.120.21.0/24, 117.120.22.0/24, 117.120.23.0/24, 193.109.254.0/24, 193.109.255.0/24, 194.106.220.0/24, 194.106.221.0/24, 195.245.230.0/24, 195.245.231.0/24, 103.9.96.0/24, 103.9.97.0/24, 103.9.98.0/24, 103.9.99.0/24

Disconnect-ExchangeOnline -Confirm:$false -InformationAction Ignore -ErrorAction SilentlyContinue

Note: Please enable the connector via the O365 console when you are ready to start routing emails via Symantec Email Security.Cloud.

Additional information

See Configure mail flow using connectors in Office 365 at Microsoft.com for more information.

See Set up connectors for secure mail flow with a partner organization at Microsoft.com for more information.

See Additional considerations when configuring IP Allow lists at Microsoft.com to specify ranges outside of the 24 to 32 range.