
Commit ec61a29

Merge pull request #191696 from billmath/fixes1
updating
2 parents aca0001 + 4aa6b71 commit ec61a29


2 files changed

+52
-24
lines changed


articles/active-directory/cloud-sync/how-to-prerequisites.md

Lines changed: 45 additions & 22 deletions
@@ -104,28 +104,10 @@ Run the [IdFix tool](/office365/enterprise/prepare-directory-attributes-for-sync
104104

105105
2. The PowerShell execution policy on the local server must be set to Undefined or RemoteSigned.
106106

107-
3. If there's a firewall between your servers and Azure AD, configure the following items:
108-
- Ensure that agents can make *outbound* requests to Azure AD over the following ports:
109-
110-
| Port number | How it's used |
111-
| --- | --- |
112-
| **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate. |
113-
| **443** | Handles all outbound communication with the service. |
114-
| **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |
115-
116-
- If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
117-
- If your firewall or proxy allows you to specify safe suffixes, add connections to \*.msappproxy.net and \*.servicebus.windows.net. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
118-
- If you are installing against the **US government** cloud, and your firewall or proxy allows you to specify safe suffixes, add connections to:
119-
- *.microsoftonline.us
120-
- *.microsoft.us
121-
- *.msappproxy.us
122-
- *.windowsazure.us
123-
124-
- Your agents need access to login.windows.net and login.microsoftonline.com for initial registration. Open your firewall for those URLs as well.
125-
- For certificate validation, unblock the following URLs: mscrl.microsoft.com:80, crl.microsoft.com:80, ocsp.msocsp.com:80, and www\.microsoft.com:80. These URLs are used for certificate validation with other Microsoft products, so you might already have these URLs unblocked.
126-
127-
>[!NOTE]
128-
> Installing the cloud provisioning agent on Windows Server Core is not supported.
107+
3. If there's a firewall between your servers and Azure AD, configure see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below.
108+
109+
>[!NOTE]
110+
> Installing the cloud provisioning agent on Windows Server Core is not supported.
129111
130112
### Additional requirements
131113
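Review bot: the rewritten step 3 (the `107+` line) reads "configure see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below", which keeps "configure" from the old sentence; drop it so the step reads "If there's a firewall between your servers and Azure AD, see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below." The anchor matches the new "## Firewall and Proxy requirements" heading added in the next hunk, so the cross-reference itself resolves.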

@@ -150,6 +132,47 @@ To enable TLS 1.2, follow these steps.
150132
```
151133
152134
1. Restart the server.
135+
136+
## Firewall and Proxy requirements
137+
If there's a firewall between your servers and Azure AD, configure the following items:
138+
139+
- Ensure that agents can make *outbound* requests to Azure AD over the following ports:
140+
141+
| Port number | How it's used |
142+
| --- | --- |
143+
| **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate. |
144+
| **443** | Handles all outbound communication with the service. |
145+
| **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |
146+
147+
- If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
148+
- If your firewall or proxy allows you to specify safe suffixes, add connections:
149+
150+
#### [Public Cloud](#tab/public-cloud)
151+
152+
153+
|URL |How it's used|
154+
|-----|-----|
155+
|&#42;.msappproxy.net</br>&#42;.servicebus.windows.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
156+
|&#42;.microsoftonline.com</br>&#42;.microsoft.com</br>&#42;.msappproxy.com</br>&#42;.windowsazure.com|The agent uses these URLs to communicate with the Azure AD cloud service. |
157+
|`mscrl.microsoft.com:80` </br>`crl.microsoft.com:80` </br>`ocsp.msocsp.com:80` </br>`www.microsoft.com:80`| The agent uses these URLs to verify certificates.|
158+
|login.windows.net</br>|The agent uses these URLs during the registration process.
159+
160+
161+
162+
#### [U.S. Government Cloud](#tab/us-government-cloud)
163+
164+
|URL |How it's used|
165+
|-----|-----|
166+
|&#42;.msappproxy.us</br>&#42;.servicebus.usgovcloudapi.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
167+
|`mscrl.microsoft.us:80` </br>`crl.microsoft.us:80` </br>`ocsp.msocsp.us:80` </br>`www.microsoft.us:80`| The agent uses these URLs to verify certificates.|
168+
|login.windows.us </br>secure.aadcdn.microsoftonline-p.com </br>&#42;.microsoftonline.us </br>&#42;.microsoftonline-p.us </br>&#42;.msauth.net </br>&#42;.msauthimages.net </br>&#42;.msecnd.net</br>&#42;.msftauth.net </br>&#42;.msftauthimages.net</br>&#42;.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctldl.windowsupdate.us:80| The agent uses these URLs during the registration process.
169+
170+
171+
172+
173+
- If you are unable to add connections, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
174+
175+
---
153176
## NTLM requirement
154177
155178
You should not enable NTLM on the Windows Server that is running the Azure AD Connect Provisioning Agent and if it is enabled you should make sure you disable it.
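Review bot: the closing `---` of the tab group (line `175+`) sits after the "If you are unable to add connections..." bullet (`173+`), so that fallback bullet renders only inside the U.S. Government Cloud tab; move the `---` to directly after the U.S. Government table so the bullet applies to both tabs. In the Public Cloud table, the registration row `|login.windows.net</br>|The agent uses these URLs during the registration process.` ends with a dangling `</br>` and no closing `|`, and it drops login.microsoftonline.com, which the removed text listed next to login.windows.net as required for initial registration (the `&#42;.microsoftonline.com` wildcard in the row above covers it, but under the "communicate with the Azure AD cloud service" description rather than registration); suggest `|login.windows.net<br>login.microsoftonline.com|The agent uses these URLs during the registration process.|`. Throughout both tables the line breaks are written `</br>`, which is not an HTML tag; `<br>` is the valid form.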

articles/active-directory/hybrid/reference-connect-government-cloud.md

Lines changed: 7 additions & 2 deletions
@@ -30,8 +30,13 @@ The following information describes implementation of Pass-through Authenticatio
3030

3131
Before you deploy the Pass-through Authentication agent, verify whether a firewall exists between your servers and Azure AD. If your firewall or proxy allows Domain Name System (DNS) blocked or safe programs, add the following connections.
3232

33-
> [!NOTE]
34-
> The following guidance also applies to installing the [Azure AD Application Proxy connector](../app-proxy/what-is-application-proxy.md) for Azure Government environments.
33+
> [!IMPORTANT]
34+
> The following guidance applies only to the following:
35+
> - the pass-through authentication agent
36+
> - [Azure AD Application Proxy connector](../app-proxy/what-is-application-proxy.md)
37+
>
38+
> For information on URLS for the Azure Active Directory Connect Provisioning Agent see the [installation pre-requisites](../cloud-sync/how-to-prerequisites.md) for cloud sync.
39+
3540

3641
|URL |How it's used|
3742
|-----|-----|
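Review bot: "URLS" in the `38+` line should be "URLs", and "pre-requisites" reads better as "prerequisites" (matching the linked file name how-to-prerequisites.md). The move from [!NOTE] to [!IMPORTANT] with an explicit scope list and a pointer to the cloud sync page is otherwise clear.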
