
MIIS Firewall IPs

In order to secure transactions between your institution and the Windows Live provisioning system,
Microsoft will need to add your school's MIIS server source IP to the permit list on our network
firewall.

The IP address that you give us must be a dedicated static internet addressable IP address. Routing
your MIIS Server through a dedicated firewall/proxy server is acceptable.

Run the tests below BEFORE giving us your IP address to be sure that your network is properly
configured. It is difficult for us to troubleshoot network routing issues in your own equipment.

Once you have configured your IP and run the tests below, send your IP to ed-desk@microsoft.com
with the email title “MIIS/Firewall IP for MAv2 - <university name>”. Once we get this IP from
you, we will enter it into our systems. We will send you an email asking you to test it when the IP
has been added to our permit list.

Setting up and Testing the MIIS/Firewall IPs


The IP addresses you give us must be
• Static - DHCP assigned IP addresses will not work
• Internet routable - 10.x.x.x and 192.168.x.x addresses handed out by most internal routers
cannot be used on the internet.
• Dedicated to Windows Live calls - Due to the nature of the data we host for our partners, we
would prefer that the source IP(s) provided are dedicated to calls to the Windows Live
provisioning system. This is to prevent connectivity from other services that you may proxy
from the same source IP that are unrelated to the Windows Live provisioning functionality.
Giving us the general firewall or proxy server of your institution may result in your access to
our provisioning server being turned off. If there is other non Windows Live traffic going over
this IP address to the server IP we give you, your IP may be locked out without notice.
• Open over port 443 (https) and port 80 (http) - You will need to allow two way communications
over these ports.

Once you have your MIIS server and IP rules set up, run the following tests BEFORE sending us your
IP address.

1. From your MIIS server, go to the web site below. Your server’s IP address as seen on the
Internet will be displayed. It’s the IP that our servers will see. If it’s not what you expected, then
resolve this issue. It may be showing the IP address of your router, proxy server or general
network firewall. If this URL does not work for you, there is a list of other web sites that will show
your IP address near the end of this document.
http://www.mediacollege.com/internet/utilities/show-ip.shtml

If you cannot view this web page, then you probably do not have port 80 open. As a result, the
telnet test over port 80 in a later step will probably fail as well. Reconfigure your network to allow
access over port 80 and rerun this test.

If the URL above does not work, you can use these alternate web sites to test your IP.
http://www.2privacy.com/www/privacy-protection/ip-check-privacy-test.html
http://www.proxyway.com/cgi-bin/Check-IP-Proxy-Judge-Privacy-Test.pl

2. From your MIIS server, go to the URL above again. The IP address should be consistent
whenever you visit this site, regardless of reboots. If the IP address changes, then reconfigure
your network and retest this step.

3. From your MIIS server, open up a command window to run the following commands.
4. Confirm ability to telnet over port 443.

telnet www.microsoft.com 443

Success will appear as a blank screen as shown above.

Failure will give you an error message such as shown above.

Wait for 2 minutes for the connection to either go through or fail. www.microsoft.com allows
telnet connection over port 443 regardless of your IP address. If the connection fails, then you
do not have the proper connectivity over port 443. Reconfigure your network until this test
works.

5. Confirm network connectivity and test ability to telnet over port 80. Open another command
window and type telnet www.microsoft.com 80. You will obtain the same success or failure
indications as for port 443.

6. If all these tests pass, submit your IP address to ed-desk@microsoft.com as indicated in the
instructions above.
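
The checks in steps 1 to 5 can also be scripted. The Python below is an added example, not part of Microsoft's instructions; the function names are hypothetical, the observed IPs are the ones you copy from the show-IP page on separate visits, and "Internet routable" is judged with Python's `ipaddress.is_global`, which rejects the 10.x.x.x and 192.168.x.x ranges named above along with other reserved ranges.

```python
import ipaddress
import socket

def ip_problems(observed):
    """Check the IPs seen on repeated visits to the show-IP page (steps 1-2).

    Returns a list of problems; an empty list means the IP can be submitted.
    """
    unique = sorted(set(observed))
    if not unique:
        return ["no observations recorded"]
    problems = []
    if len(unique) > 1:
        # Step 2: the address must stay the same across visits and reboots.
        problems.append("source IP changed between checks: " + ", ".join(unique))
    for text in unique:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            problems.append(f"{text}: not a valid IP address")
            continue
        if not addr.is_global:
            problems.append(f"{text}: not Internet routable")
    return problems

def tcp_probe(host, port, timeout=120.0):
    """Ask what the telnet test asks: does a TCP connection complete?

    The default timeout mirrors the 2 minute wait in step 4.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(observed, host="www.microsoft.com", ports=(443, 80)):
    """Run every check; an empty list means all tests in steps 1-5 passed."""
    failures = ip_problems(observed)
    for port in ports:
        if not tcp_probe(host, port):
            failures.append(f"cannot connect to {host} port {port}")
    return failures

if __name__ == "__main__":
    import sys
    # Pass the IPs the show-IP page reported; the fallback is a constructed
    # sample that fails both the consistency and the routability check.
    seen = sys.argv[1:] or ["192.168.1.20", "10.0.0.5"]
    for line in preflight(seen) or ["all checks passed"]:
        print(line)
```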

We will send you notification when we’ve loaded your IP into our system. Then you will run the telnet
test again, this time to the IP address that we send you. It will be of the form 65.54.158.26. Type
>>telnet 65.54.158.26 443

1. If connectivity to this new 65.54.158.26 succeeds, notify us that it’s succeeded at
ed-desk@microsoft.com. YOU ARE DONE! You are ready to move to the next step.

2. If connectivity fails, perform the following checks. Remember that we have over 100 other
universities already working in our system. Most problems can be traced to either
fat-fingering IPs during the transfer process or problems on the university side.
a. Did you submit the right IP? Check the IP that you emailed to ed-desk against the
actual IP. Check the URL location given above to check your actual IP. Many
problems are simply a typo in the IP address you sent to us. If this is the problem,
notify us of the correct IP at ed-desk@microsoft.com and we will file the correct IP
address.
b. Are you typing the right command? You have to be checking over port 443. Other
ports will not work. Type *only* the command c:\>telnet 65.54.158.26 443
c. Check your network settings to be sure that you allow connectivity to the new
65.54.158.26 IP we’ve given you. You may have a firewall or proxy server that is
getting in the way of outgoing traffic to 65.54.158.26 or return traffic from
65.54.158.26.
d. Perform a tracert to the 65.54.158.26 IP address we give you. It will look something
like below.
C:\Documents and Settings\a-robb>tracert 65.54.158.26
Tracing route to ssapi.msn.com [65.54.158.26]
over a maximum of 30 hops:

1 * * * Request timed out.
2 12 ms * 11 ms GE-1-10-ur01.wa.seattle.comcast.net [68.86.177.33]
3 * * * Request timed out.
4 14 ms 11 ms 11 ms 12.118.60.5
5 43 ms 41 ms 37 ms 12.127.6.90
6 37 ms 37 ms 38 ms tbr2-cl10.sffca.ip.att.net [12.122.12.113]
7 38 ms 37 ms 38 ms 12.122.80.41
8 33 ms 33 ms 33 ms 12.126.40.6
9 52 ms 35 ms 34 ms ge-7-3-0-57.sjc-64cb-1b.ntwk.msn.net [207.46.37.201]
10 35 ms 33 ms 35 ms pos6-1.tuk-76cb-1b.ntwk.msn.net [207.46.34.170]
11 48 ms 35 ms 43 ms ten2-1.tuk-76c-1a.ntwk.msn.net [207.46.36.197]
12 33 ms 33 ms 44 ms gig3-16.tuk-6nf-5b.ntwk.msn.net [207.46.39.102]
13 * * * Request timed out.
14 * * * Request timed out.
15 ^C
C:\Documents and Settings\a-robb>

You will never see the 65.54.158.26 IP in the tracert because ICMP is not active past a
certain point.

e. If your trace is not getting to ntwk.msn.net at 207.46.37.201, then there is some
problem between your MIIS server and our network.
f. If your trace is getting to ntwk.msn.net at 207.46.37.201, then there is one of a
couple of issues:
i. We have not properly put your IP in our firewall. We will check this.
ii. You are not coming from the right IP or over the right port.
iii. You are blocking return traffic from our 65.54.158.26 server.
g. We can check to see if we are getting hit counts from the IP we filed for you. If we
are, then your traffic is using the wrong port.