Problems with Mitigation Service (validating certificate)

Brase, Daniel 321 Reputation points
2021-11-16T18:08:25.6+00:00

Hi guys,

We successfully updated to Exchange Server 2016 CU22 a few weeks ago. We're stuck at configuring the correct firewall rules. Normally it's just that easy: according to the documentation (HelpConnectivityEEMS), permit all Exchange Servers access to officeclient.microsoft.com/* and you're done. In our case we're not. We noticed that the firewall blocks outbound connections on port 80. To me it looks quite obvious that the service tries to check the certificate for revocation. Normally the connection just times out when a server is trying to access a CRL on the internet, but I guess in this case that's not the case because the service is security sensitive. Therefore I understand that the check for revocation must be successful. OK, first we enabled unrestricted outbound access for the servers on port 80. That worked, but we don't want to give the Exchange Servers unrestricted internet access on port 80. We've already tried to permit a bunch of well-known CRL URLs in addition to IP addresses blocked by the firewall, but we always get an error when using the get-mitigations.ps1 script:

[Screenshot: 149865-2021-11-16-16h48-13.png]

As you can see, the test script works (access to the XML endpoint), but get-mitigations.ps1 does not. In the Event Log there's an error every hour:

[Screenshot: 149819-image.png]

I couldn't find any documentation on which URLs are necessary besides officeclient.microsoft.com. We also tested access through the Zscaler proxy. That worked too, but we don't want unauthorized access through Zscaler because it is paid per load and not per user. Maybe those are URLs to which all clients should have access anyway?! Therefore I have the following questions:

  1. Does anyone know which CRL URLs have to be permitted exactly to get the mitigation services working or does anywhere exist a general list?
  2. Do you just permit Exchange Servers port 80 outbound without restriction to any host?

Thanks for upcoming replies,
Daniel

Accepted answer
Brase, Daniel 321 Reputation points
    2021-11-29T10:22:24.173+00:00

    We managed it. We're running a Palo Alto firewall and my network colleague didn't want to configure all those mentioned IP addresses. Because permitting outbound port 80 to any system and any service was not an option either, we tried to permit web-browsing and ocsp (because we saw that had been blocked), without success. Then he decided to permit the communication on the application categories ocsp and ms-update (without web-browsing), and that worked. We're awaiting approval by IT security, but I guess I can close the thread already.

    Thanks to all,
    Daniel


1 additional answer

Joyce Shen - MSFT 16,641 Reputation points
    2021-11-17T01:43:02.96+00:00

    Hi @Brase, Daniel

    According to my search, I got below information provided by Exchange Team Blog

    Getting 1008 ("This XML is not deemed safe to consume since Response xml's signing cert is invalid or not from microsoft"): that is because your firewall, proxy or web filter is blocking the requests of your Exchange Emergency Mitigation Service. You need to allow all the IPs and/or URLs (depending on your firewall and/or web filter) of Microsoft, Google and Akamai that it takes to check the XML's certificate, certificate revocation list, schema and so on.

    You can simulate the behaviour of the EEMS by getting the test page with a browser (https://officeclient.microsoft.com/getexchangemitigations). For those of you not familiar with it: look at the schema links in the XML document as well as the certificate of the URL, and check all the certificate chaining, revocation list URLs and so on.

    For the IPs compare the blocked IPs with the following networks and allow them:

    https://www.microsoft.com/en-us/download/details.aspx?id=53602
    https://www.gstatic.com/ipranges/goog.json
    https://github.com/SecOps-Institute/Akamai-ASN-and-IPs-List/blob/master/akamai_ip_cidr_blocks.lst


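The manual procedure described in the answer above (open the test page, inspect the certificate chain, note every CRL and OCSP URL) can be scripted, which also answers the original question about which revocation hosts to permit. The PowerShell below is an added example written for this page; it is not code from the post, from the Exchange team, or from Microsoft documentation. It assumes a Windows host with .NET (an Exchange server qualifies), that TCP 443 to the endpoint quoted in the answer is already open, and that you run it on the Exchange server itself so the chain build goes through the same CryptoAPI and proxy path the service uses. Everything it reports is read from the certificates themselves.

```powershell
# Added example, not code from the post or from Microsoft.
# Fetch the TLS certificate of the EEMS endpoint, build its chain with online
# revocation checking (CryptoAPI on Windows, the path the service also uses),
# and list every CRL Distribution Point and OCSP/AIA URL the chain references.
# Run it on the Exchange server so the firewall path tested is the real one.
param(
    # Assumed endpoint: the test page quoted in the answer above.
    [string]$Uri = 'https://officeclient.microsoft.com/getexchangemitigations'
)

$target = [Uri]$Uri

# Grab the server's leaf certificate from a raw TLS handshake. The callback
# accepts any certificate here only so the handshake completes; the real
# validation (chain, revocation) is done explicitly below.
$tcp = New-Object System.Net.Sockets.TcpClient($target.Host, $target.Port)
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
try {
    $ssl.AuthenticateAsClient($target.Host)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# Force revocation checking online for every element of the chain, which is
# the strict behaviour the question describes (a timeout counts as failure).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($leaf)

$urlPattern = 'https?://[^\s",;<>]+'
$allUrls = @()

foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    Write-Output ''
    Write-Output ("=== {0}" -f $cert.Subject)
    Write-Output ("    issuer : {0}" -f $cert.Issuer)
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    Write-Output ("    status : {0}" -f $status)

    foreach ($ext in $cert.Extensions) {
        # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
        $label = switch ($ext.Oid.Value) {
            '2.5.29.31'         { 'CRL (CDP)' }
            '1.3.6.1.5.5.7.1.1' { 'AIA/OCSP ' }
            default             { $null }
        }
        if (-not $label) { continue }
        # Format($true) renders the extension as text; pull the URLs out of it.
        $urls = [regex]::Matches($ext.Format($true), $urlPattern) | ForEach-Object { $_.Value }
        foreach ($url in $urls) {
            Write-Output ("    {0}: {1}" -f $label, $url)
            $allUrls += $url
        }
    }
}

Write-Output ''
if ($chainOk) {
    Write-Output 'Chain built and revocation checked successfully from this host.'
} else {
    Write-Output 'Chain build FAILED. Chain status:'
    foreach ($s in $chain.ChainStatus) {
        Write-Output ("    {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    Write-Output 'RevocationStatusUnknown or OfflineRevocation means a CRL/OCSP fetch listed above was blocked.'
}

# Distinct hostnames: the candidate allow-list for outbound TCP 80 from the Exchange servers.
Write-Output ''
Write-Output 'Hosts referenced for chain building and revocation checking:'
$allUrls | ForEach-Object { ([Uri]$_).Host } | Sort-Object -Unique | ForEach-Object { Write-Output ("    {0}" -f $_) }
```

Two caveats when reading the output. The AIA extension carries both the OCSP responder and the "CA Issuers" URL for downloading the intermediate certificate; the script lists both deliberately, because chain building fetches the issuer over port 80 as well. Windows also caches fetched CRLs and OCSP responses, so a run that passes immediately after a permissive test may be using the cache rather than the network; `certutil -verify -urlfetch` against an exported copy of the leaf certificate performs the same per-URL fetches and reports each one. The hosts it prints are the ones for the certificate chain only; the XML schema links mentioned in the answer are separate and have to be checked in the XML itself. Because the CRL and OCSP hosts are CDN-fronted and their addresses change, rules keyed on hostname or application category (as in the accepted answer) hold up better than static IP lists.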