Hybrid - network configuration

12 minutes to read - 30 March 2023

Reference table

The following table lists the references for the products that require proxy whitelisting and firewall configuration.

Reference Number Reference URL
R01 https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet
R02 https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/production-deployment
R03 https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-splunk
R04 https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration
R05 https://docs.microsoft.com/en-us/cloud-app-security/network-requirements
R06 https://docs.microsoft.com/en-au/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
R07 https://docs.microsoft.com/en-au/office365/enterprise/additional-office365-ip-addresses-and-urls
R08 https://docs.microsoft.com/en-us/defender-for-identity/prerequisites#-network-name-resolution-nnr-requirements
R09 https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports

Microsoft Advanced Threat Protection (ATP)

Proxy whitelist

The following table describes the Microsoft Advanced Threat Protection Proxy Whitelist settings.

Reference Purpose Source Destination Port
R01, R02 ATP Common URLs for all locations All ATP Clients crl.microsoft.com
ctldl.windowsupdate.com
events.data.microsoft.com
notify.windows.com
settings-win.data.microsoft.com
TCP 443
R01, R02 ATP URLs for US Region All ATP Clients US-region ATP URLs (see R01, R02) TCP 443
R01, R02 ATP US machine proxy and Internet connectivity settings All ATP Clients automatedirstrprdcus.blob.core.windows.net
R03, R04 ATP Splunk Integration Splunk Servers wdatp-alertexporter-us.securitycenter.windows.com
graph.windows.net
TCP 443

Direct firewall exclusion

No firewall exclusions required.

Microsoft Cloud App Security (MCAS)

Proxy whitelist

The following table describes the Microsoft Cloud App Security Proxy Whitelist settings.

Reference Purpose Source Destination Port
R05 MCAS Portal Access MCAS portal URLs (see R05) TCP 443
R05 MCAS SIEM Agent Connection Splunk Servers ocsp.digicert.com
ocsp.msocsp.com
TCP 80

Direct firewall exclusion

The following table describes the Microsoft Cloud App Security direct firewall exclusion settings.

Reference Purpose Source Destination Port
R05 MCAS Portal Access 13.80.125.22
40.74.1.235
40.74.6.204
40.90.218.196
40.90.218.198
51.143.58.207
52.137.89.147
52.183.75.62
TCP 443
R05 MCAS SIEM Agent Connection Agency SIEM Servers 13.80.125.22
40.74.1.235
40.74.6.204
40.90.218.196
40.90.218.198
51.143.58.207
52.137.89.147
52.183.75.62
TCP 443
R05 MCAS Access and Session Controls MCAS access and session control IP addresses (see R05) TCP 443

Mail server

The following table describes the Microsoft Cloud App Security Mail Server settings.

Reference Purpose Source Destination Port
R05 Mail Relay SPAM Exception Agency Mail Relays 65.55.234.192/26
207.46.200.0/27
65.55.52.224/27
94.245.112.0/27
111.221.26.0/27
207.46.50.192/26
N/A

Office 365 – Common and Office Online

Proxy whitelist

The following table describes the Office 365 Common and Office Online Proxy Whitelist settings.

Reference Purpose Source Destination Port
R06 Microsoft 365 Common and Office Online Microsoft 365 Common and Office Online URLs (see R06) TCP 443
R06 Microsoft 365 Common and Office Online Microsoft 365 Common and Office Online URLs (see R06) TCP 80, 443

Direct firewall exclusion

The following table describes the Office 365 Common and Office Online Direct Firewall Exclusion settings.

Reference Purpose Source Destination Port
R06 Microsoft 365 Common and Office Online Microsoft 365 Common and Office Online IP ranges (see R06) TCP 80, 443
R06 Microsoft 365 Common and Office Online Microsoft 365 Common and Office Online IP ranges (see R06) TCP 443

Office 365 – Exchange Online

Proxy whitelist

The following table describes the Office 365 Exchange Online Proxy Whitelist settings.

Reference Purpose Source Destination Port
R07 Exchange Online Exchange Servers *.store.core.windows.net
asl.configure.office.com
mshrcstorageprod.blob.core.windows.net
tds.configure.office.com
mshybridservice.trafficmanager.net
domains.live.com
TCP 443
Exchange Online Exchange Servers r1.res.office365.com
r3.res.office365.com
r4.res.office365.com
*.outlook.com
*.outlook.office.com
attachments.office.net
TCP 80, 443

Direct firewall exclusion

The following table describes the Office 365 Exchange Online Direct Firewall Exclusion settings.

Reference Purpose Source Destination Port
R06 Exchange Online Exchange Servers 13.107.6.152/31
13.107.18.10/31
13.107.128.0/22
23.103.160.0/20
40.96.0.0/13
40.104.0.0/15
52.96.0.0/14
131.253.33.215/32
132.245.0.0/16
150.171.32.0/22
191.234.140.0/22
204.79.197.215/32
TCP 587
R06 Exchange Online Exchange Servers 40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
52.238.78.88/32
104.47.0.0/17
TCP 443
R06 Exchange Online Exchange Servers 40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
104.47.0.0/17
TCP 25
R06 Exchange Online Exchange Servers 13.107.6.152/31
13.107.18.10/31
13.107.128.0/22
23.103.160.0/20
40.96.0.0/13
40.104.0.0/15
52.96.0.0/14
131.253.33.215/32
132.245.0.0/16
150.171.32.0/22
191.234.140.0/22
204.79.197.215/32
TCP 80, 443

Office 365 – Skype for Business and Microsoft Teams

Proxy whitelist

The following table describes the Office 365 Skype for Business and Microsoft Teams Proxy Whitelist settings.

Reference Purpose Source Destination Port
R06 Skype for Business Online and Microsoft Teams Skype for Business and Teams URLs (see R06) TCP 80, 443
R06 Skype for Business Online and Microsoft Teams Skype for Business and Teams URLs (see R06) TCP 443

Direct firewall exclusion

The following table describes the Office 365 Skype for Business and Teams Direct Firewall Exclusion settings.

Reference Purpose Source Destination Port
R06 Skype for Business Online and Microsoft Teams Skype for Business and Teams IP ranges (see R06) TCP 80, 443
R06 Skype for Business Online and Microsoft Teams Skype for Business and Teams IP ranges (see R06) TCP 443
R06 Skype for Business Online and Microsoft Teams 13.107.64.0/18
52.112.0.0/14
52.120.0.0/14
UDP 3478, 3479, 3480, 3481

Office 365 – SharePoint Online and OneDrive for Business

Proxy whitelist

The following table describes the Office 365 SharePoint Online and OneDrive for Business Proxy Whitelist settings.

Reference Purpose Source Destination Port
R06 SharePoint Online and OneDrive for Business *.wns.windows.com
admin.onedrive.com
officeclient.microsoft.com
g.live.com
oneclient.sfx.ms
*.sharepointonline.com
cdn.sharepointonline.com
privatecdn.sharepointonline.com
publiccdn.sharepointonline.com
spoprod-a.akamaihd.net
static.sharepointonline.com
*.svc.ms
Dev-files.sharepoint.com
Dev-myfiles.sharepoint.com
TCP 80, 443

Direct firewall exclusion

The following table describes the Office 365 SharePoint Online and OneDrive for Business Direct Firewall Exclusion settings.

Reference Purpose Source Destination Port
R06 SharePoint Online and OneDrive for Business 13.107.136.0/22
40.108.128.0/17
52.104.0.0/14
104.146.128.0/17
150.171.40.0/22
TCP 80, 443
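
The tables above mix wildcard URL entries and CIDR ranges, and several prefixes recur across rows. The Python below is an added example, not part of this page or of any Microsoft tooling: it collapses a CIDR list and checks a (destination, protocol, port) against rules built from a few entries quoted above; the wildcard semantics ('*.x' covers subdomains of x, not x itself) and the rule set are assumptions.

```python
"""Whitelist checks for proxy and firewall tables of the kind listed above.

Added example, not from the original page or from Microsoft.  Rule semantics
are assumptions: '*' in a URL entry matches one or more DNS labels, literal IPs
never match URL entries, and hostnames are not resolved against CIDR entries.
"""
import ipaddress
from fnmatch import fnmatchcase


def collapse_cidrs(entries):
    """Deduplicate a CIDR list and merge prefixes already covered by a broader one.

    Firewalls tolerate repeated or nested prefixes, but the collapsed list is
    what is actually exposed and is easier to review.  IPv4 and IPv6 are
    collapsed separately because ipaddress cannot mix them.
    """
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in entries]
    collapsed = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return [str(n) for n in collapsed]


def host_matches(host, pattern):
    """Anchored, case-insensitive wildcard match: '*.skype.com' covers
    'teams.skype.com' and 'a.b.skype.com' but not 'skype.com' or
    'skype.com.example.net'."""
    return fnmatchcase(host.lower().rstrip("."), pattern.lower())


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


class Rule:
    """One whitelist row: a URL pattern or CIDR, a protocol and a port set."""

    def __init__(self, purpose, destination, proto, ports):
        self.purpose, self.proto, self.ports = purpose, proto.upper(), set(ports)
        try:
            self.network = ipaddress.ip_network(destination, strict=False)
            self.pattern = None
        except ValueError:  # not an IP or CIDR, so treat it as a URL pattern
            self.network, self.pattern = None, destination

    def allows(self, dest, proto, port):
        if proto.upper() != self.proto or port not in self.ports:
            return False
        ip = _as_ip(dest)
        if self.network is not None:
            return ip is not None and ip in self.network
        return ip is None and host_matches(dest, self.pattern)


def first_permitting_rule(rules, dest, proto, port):
    """Purpose of the first rule permitting the connection, or None if blocked."""
    for rule in rules:
        if rule.allows(dest, proto, port):
            return rule.purpose
    return None


# Constructed rule set using a handful of destinations quoted in the tables above.
RULES = [
    Rule("ATP common URLs", "crl.microsoft.com", "TCP", [443]),
    Rule("MCAS portal", "13.80.125.22/32", "TCP", [443]),
    Rule("Skype for Business / Teams", "*.skype.com", "TCP", [80, 443]),
    Rule("Teams media", "52.112.0.0/14", "UDP", [3478, 3479, 3480, 3481]),
]

if __name__ == "__main__":
    print(collapse_cidrs(["52.108.0.0/14", "52.108.0.0/14", "13.107.6.156/32",
                          "13.107.6.157/32", "13.107.6.156/31"]))
    for dest, proto, port in [("teams.skype.com", "TCP", 443), ("skype.com", "TCP", 443),
                              ("52.113.10.20", "UDP", 3478), ("52.113.10.20", "TCP", 443)]:
        print(dest, proto, port, "->", first_permitting_rule(RULES, dest, proto, port))
```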

Office 365 – email protective markings with MIP technology

For organisations that send PROTECTED emails through a GovLink mail gateway, the labelling product, as well as the gateway itself, must support the inspection of the email headers. At the time of writing, Microsoft Information Protection labelling does not natively offer a method to format email headers in a manner consistent with the requirements of the PSPF and as such, additional configuration is needed. This section provides a method of modifying the email headers in a mail gateway to ensure compliance with the PSPF.

Outbound protective marking

The following Cisco ESA message filter rule implements the Office 365 outbound protective marking settings.

office365_outboundprotectivemarkings:
if ((mail-from == '@<Agency Acronym>\\.gov\\.au$') and (sendergroup == "RELAYLIST")) {
    if (header("Subject") == "SEC=PROTECTED") {
        edit-header-text("Subject", "\\[SEC=PROTECTED\\]*", "");
    }
    if (header("Subject") == "SEC=OFFICIAL:Sensitive") {
        edit-header-text("Subject", "\\[SEC=OFFICIAL:Sensitive\\]*", "");
    }
    if (header("Subject") == "SEC=UNOFFICIAL") {
        edit-header-text("Subject", "\\[SEC=UNOFFICIAL\\]*", "");
    }
    if (header("Subject") == "SEC=OFFICIAL") {
        edit-header-text("Subject", "\\[SEC=OFFICIAL\\]*", "");
    }
    if ((header("msip_labels") == "PROTECTED") AND (sendergroup == "RELAYLIST")) {
        insert-header("X-Protective-marking", "VER=2018.1, NS=gov.au, SEC=PROTECTED, ORIGIN=$EnvelopeFrom");
        edit-header-text("Subject", "(.*)", "\\1 [SEC=PROTECTED]");
    } else {
        if ((header("msip_labels") == "Sensitive") AND (sendergroup == "RELAYLIST")) {
            insert-header("X-Protective-marking", "VER=2018.1, NS=gov.au, SEC=OFFICIAL:Sensitive, ORIGIN=$EnvelopeFrom");
            edit-header-text("Subject", "(.*)", "\\1 [SEC=OFFICIAL:Sensitive]");
        } else {
            if ((header("msip_labels") == "UNOFFICIAL") AND (sendergroup == "RELAYLIST")) {
                insert-header("X-Protective-marking", "VER=2018.1, NS=gov.au, SEC=UNOFFICIAL, ORIGIN=$EnvelopeFrom");
                edit-header-text("Subject", "(.*)", "\\1 [SEC=UNOFFICIAL]");
            } else {
                if ((header("msip_labels") == "OFFICIAL") AND (sendergroup == "RELAYLIST")) {
                    insert-header("X-Protective-marking", "VER=2018.1, NS=gov.au, SEC=OFFICIAL, ORIGIN=$EnvelopeFrom");
                    edit-header-text("Subject", "(.*)", "\\1 [SEC=OFFICIAL]");
                } else {
                    quarantine("Policy");
                }
            }
        }
    }
} else {
    no-op();
}

Inbound protective marking

Note: Please do not copy the below rule directly into the Agency environment for Inbound Protective Marking as it will not produce the desired results. This is an example rule which requires modification prior to implementation. The rule contains Globally Unique Identifiers (GUIDs) related to instances of sensitivity labels in a specific tenant.

office365_inboundprotectivemarkings:
if (rcpt-to == '@<Agency Acronym>\\.gov\\.au$') {
    if ((header("Subject") == "SEC=PROTECTED") AND (header("Subject") == "SEC")) {
        insert-header("X-Protective-marking", "VER=2018.1, NS=gov.au, SEC=PROTECTED, ORIGIN=$EnvelopeFrom");
        insert-header("msip_labels", "MSIP_Label_12dcf2ca-f80e-4ac2-861b-4b6557faeea3_Enabled=True;MSIP_Label_12dcf2ca-f80e-4ac2-861b-4b6557faeea3_SiteId=158b7f91-36cd-420e-8730-3dbec75e20a9;MSIP_Label_12dcf2ca-f80e-4ac2-861b-4b6557faeea3_Name=PROTECTED;MSIP_Label_12dcf2ca-f80e-4ac2-861b-4b6557faeea3_ContentBits=0;MSIP_Label_12dcf2ca-f80e-4ac2-861b-4b6557faeea3_Method=Privileged;");
    } else {
        if ((header("Subject") == "SEC=OFFICIAL:Sensitive") AND (header("Subject") == "SEC")) {
            insert-header("X-Protective-marking", "VER=2018.1, NS=gov.au, SEC=OFFICIAL:Sensitive, ORIGIN=$EnvelopeFrom");
            insert-header("msip_labels", "MSIP_Label_42227f60-6734-42bf-b4e6-da15ab730981_Enabled=True;MSIP_Label_42227f60-6734-42bf-b4e6-da15ab730981_SiteId=158b7f91-36cd-420e-8730-3dbec75e20a9;MSIP_Label_42227f60-6734-42bf-b4e6-da15ab730981_Name=OFFICIAL Sensitive;MSIP_Label_42227f60-6734-42bf-b4e6-da15ab730981_ContentBits=0;MSIP_Label_42227f60-6734-42bf-b4e6-da15ab730981_Method=Privileged;");
        } else {
            if ((header("Subject") == "SEC=UNOFFICIAL") AND (header("Subject") == "SEC")) {
                insert-header("X-Protective-marking", "VER=2018.1, NS=gov.au, SEC=UNOFFICIAL, ORIGIN=$EnvelopeFrom");
                insert-header("msip_labels", "MSIP_Label_217258b3-6022-44f0-adb4-d6eca052ad20_Enabled=True;MSIP_Label_217258b3-6022-44f0-adb4-d6eca052ad20_SiteId=158b7f91-36cd-420e-8730-3dbec75e20a9;MSIP_Label_217258b3-6022-44f0-adb4-d6eca052ad20_Name=UNOFFICIAL;MSIP_Label_217258b3-6022-44f0-adb4-d6eca052ad20_ContentBits=0;MSIP_Label_217258b3-6022-44f0-adb4-d6eca052ad20_Method=Privileged;");
            } else {
                if ((header("Subject") == "SEC=OFFICIAL") AND (header("Subject") == "SEC")) {
                    insert-header("X-Protective-marking", "VER=2018.1, NS=gov.au, SEC=OFFICIAL, ORIGIN=$EnvelopeFrom");
                    insert-header("msip_labels", "MSIP_Label_8260affa-0595-45d6-a83e-a3b79a9c02c4_Enabled=True;MSIP_Label_8260affa-0595-45d6-a83e-a3b79a9c02c4_SiteId=158b7f91-36cd-420e-8730-3dbec75e20a9;MSIP_Label_8260affa-0595-45d6-a83e-a3b79a9c02c4_Name=OFFICIAL;MSIP_Label_8260affa-0595-45d6-a83e-a3b79a9c02c4_ContentBits=0;MSIP_Label_8260affa-0595-45d6-a83e-a3b79a9c02c4_Method=Privileged;");
                } else {
                    no-op();
                }
            }
        }
    }
} else {
    no-op();
}
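
The two ESA rules above translate between the MIP msip_labels header and the PSPF X-Protective-Marking header plus subject marking. The Python below is an added example, not part of this page or of the ESA configuration: it performs the same mapping by parsing the label fields, with placeholder label GUIDs, a placeholder SiteId and an assumed agency domain in place of the tenant-specific values.

```python
"""PSPF protective marking <-> MIP label translation, mirroring the ESA rules above.

Added example, not part of the original page or the ESA configuration.  The
label GUIDs, the SiteId and the agency domain are placeholders/assumptions:
the real values are tenant-specific, as the note above the inbound rule says.
"""
import re

SITE_ID = "placeholder-tenant-site-id"            # constructed placeholder
LABEL_IDS = {                                     # constructed placeholders
    "PROTECTED": "placeholder-guid-protected",
    "OFFICIAL:Sensitive": "placeholder-guid-official-sensitive",
    "UNOFFICIAL": "placeholder-guid-unofficial",
    "OFFICIAL": "placeholder-guid-official",
}
# MIP label display name as carried in msip_labels -> PSPF marking text.
NAME_TO_MARKING = {"PROTECTED": "PROTECTED", "OFFICIAL Sensitive": "OFFICIAL:Sensitive",
                   "UNOFFICIAL": "UNOFFICIAL", "OFFICIAL": "OFFICIAL"}
# Alternatives are ordered most-specific first: 'OFFICIAL' alone is a substring
# of 'OFFICIAL:Sensitive' and 'UNOFFICIAL', which is why the ESA rules test the
# markings in that order as well.
SUBJECT_MARK = re.compile(r"\s*\[SEC=(PROTECTED|OFFICIAL:Sensitive|UNOFFICIAL|OFFICIAL)\]")
MSIP_FIELD = re.compile(r"MSIP_Label_([^_;]+)_(\w+)=([^;]*)")


def marking_from_msip(msip_labels):
    """PSPF marking for the enabled MIP label in an msip_labels header, else None.

    Fields are grouped per label GUID rather than substring-matched, so a test
    for 'OFFICIAL' cannot fire on an 'UNOFFICIAL' label.
    """
    labels = {}
    for guid, field, value in MSIP_FIELD.findall(msip_labels or ""):
        labels.setdefault(guid, {})[field] = value
    for fields in labels.values():
        if fields.get("Enabled") == "True" and fields.get("Name") in NAME_TO_MARKING:
            return NAME_TO_MARKING[fields["Name"]]
    return None


def protective_marking_header(marking, envelope_from):
    """X-Protective-Marking value in the form the ESA rules insert."""
    return f"VER=2018.1, NS=gov.au, SEC={marking}, ORIGIN={envelope_from}"


def outbound(headers, envelope_from, agency_domain="agency.gov.au"):
    """Gateway decision for an outbound message (office365_outboundprotectivemarkings).

    None: sender is not the agency, so no-op.  'quarantine': agency mail with no
    recognised label.  Otherwise the headers to set: any stale [SEC=...] is
    stripped from the subject and the marking derived from the label appended.
    """
    if not envelope_from.lower().endswith("@" + agency_domain):
        return None
    marking = marking_from_msip(headers.get("msip_labels"))
    if marking is None:
        return "quarantine"
    subject = SUBJECT_MARK.sub("", headers.get("Subject", "")).strip()
    return {"X-Protective-Marking": protective_marking_header(marking, envelope_from),
            "Subject": f"{subject} [SEC={marking}]"}


def inbound(headers, envelope_from, rcpt_to, agency_domain="agency.gov.au"):
    """Mirror of office365_inboundprotectivemarkings: rebuild msip_labels from a
    marked subject so the MIP client shows the label.  None means no-op."""
    if not rcpt_to.lower().endswith("@" + agency_domain):
        return None
    match = SUBJECT_MARK.search(headers.get("Subject", ""))
    if match is None:
        return None
    marking = match.group(1)
    guid = LABEL_IDS[marking]
    name = next(n for n, m in NAME_TO_MARKING.items() if m == marking)
    fields = [("Enabled", "True"), ("SiteId", SITE_ID), ("Name", name),
              ("ContentBits", "0"), ("Method", "Privileged")]
    return {"X-Protective-Marking": protective_marking_header(marking, envelope_from),
            "msip_labels": "".join(f"MSIP_Label_{guid}_{k}={v};" for k, v in fields)}
```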

Azure Advanced Threat Protection (Azure ATP)

The following tables describe the Azure Advanced Threat Protection service URL whitelist settings.

Direct and correct service location access to the agency Azure ATP instance name (Option 1)

Reference Purpose Source Destination Port
R08 Azure ATP portal agency-instance-name.atp.azure.com TCP 443
R08 Azure ATP sensor agency-instance-name.sensorapi.atp.azure.com TCP 443

Granular control to service location access for Azure ATP (Option 2)

Reference Purpose Source Destination Port
R08 Service location: US triprd1wcusw1sensorapi.atp.azure.com
triprd1wcuswb1sensorapi.atp.azure.com
triprd1wcuse1sensorapi.atp.azure.com
TCP 443
R08 Service location: Europe triprd1wceun1sensorapi.atp.azure.com
triprd1wceuw1sensorapi.atp.azure.com
TCP 443
R08 Service location: Asia triprd1wcasse1sensorapi.atp.azure.com TCP 443

Azure Advanced Threat Protection Sensor (Domain Controller) Proxy Whitelist settings

Reference Purpose Source Destination Port
R08 Internet ports Domain Controllers SSL (*.atp.azure.com) TCP 443 / Outbound direction
R08 Internet ports Localhost SSL (localhost) TCP 444 / Both direction
R08 Internal ports Domain Controllers All devices on network TCP/UDP 445 / Outbound
R08 Internal ports (Optional) Domain Controllers SIEM Server TCP/UDP 514, depending on configuration / Inbound
R08 Internal ports Domain Controllers RADIUS UDP 1813 / Inbound direction
R08 Internal ports Domain Controllers DNS servers TCP & UDP 53 / Outbound direction
R08 Internal ports Domain Controllers All devices on network TCP 135 / Inbound direction
R08 Internal ports Domain Controllers All devices on network UDP 137 / Inbound direction
R08 Internal ports Domain Controllers All devices on network TCP 3389 / Inbound direction

Azure Advanced Threat Protection Sensor (Standalone Server) Proxy Whitelist settings

Reference Purpose Source Destination Port
R08 Internet ports Standalone Server SSL (*.atp.azure.com) TCP 443 / Outbound direction
R08 Internal ports Standalone Server Domain Controllers TCP & UDP 389 / Outbound direction
R08 Internal ports Standalone Server Domain Controllers TCP 636 / Outbound direction
R08 Internal ports Standalone Server Domain Controllers TCP 3268 / Outbound direction
R08 Internal ports Standalone Server Domain Controllers TCP 3269 / Outbound direction
R08 Internal ports Standalone Server Domain Controllers TCP & UDP 88 / Outbound direction
R08 Internal ports Standalone Server All devices on network TCP/UDP 445 / Outbound
R08 Internal ports Standalone Server Domain Controllers UDP 123 / Outbound direction
R08 Internal ports Standalone Server DNS servers TCP & UDP 53 / Outbound direction
R08 Internal ports (Optional) Standalone Server SIEM Server TCP/UDP 514, depending on configuration / Inbound direction
R08 Internal ports Domain Controllers RADIUS UDP 1813 / Inbound direction

Azure Active Directory Connect

The following table describes the AAD Connect ports and protocols required for communication between the AAD Connect server and on-premises Active Directory.

Reference Purpose Source Destination Port
R09 DNS (DNS lookups on the destination forest) AAD Connect server DNS server 53 (TCP/UDP) / Both direction
R09 Kerberos (Authentication to the AD forest) AAD Connect server Domain Controllers 88 (TCP/UDP) / Both direction
R09 MS-RPC (Used during the initial configuration of the Azure AD Connect wizard when it binds to the AD forest, and also during password synchronisation) AAD Connect server Domain Controllers 135 (TCP/UDP) / Both direction
R09 LDAP (Used for data import from AD. Data is encrypted with Kerberos Sign & Seal) AAD Connect server Domain Controllers 389 (TCP/UDP) / Both direction
R09 SMB (used by Seamless SSO to create computer account in AD forest) AAD Connect server Domain Controllers 445 (TCP/UDP) / Both direction
R08 LDAP/SSL (used for data import from AD. The data transfer is signed and encrypted. Only used if you are using TLS) AAD Connect server Domain Controllers 636 (TCP/UDP)
R08 RPC (Used during the initial configuration of the Azure AD Connect wizard when it binds to the AD forest, and also during password synchronisation) AAD Connect server Domain Controllers 49152 – 65535 (Random high RPC port) (TCP)

The following table describes the AAD Connect ports and protocols required for communication between the AAD Connect server and Azure AD.

Reference Purpose Source Destination Port
R09 HTTP (used to download Certificate Revocation Lists to verify SSL certificates) AAD Connect server Agency Azure AD Tenant 80 (TCP) / Outbound direction
R09 HTTPS (used to synchronise with Azure AD, including communication with the AAD Connect Health agents) AAD Connect server Agency Azure AD Tenant 443 (TCP) / Outbound direction