How do I allow Microsoft Office 365 clients through Smoothwall?

Article #: Product Castle
1740 Guardian All


This article explains how to setup your Smoothwall so that you are able to allow the use of Microsoft Office 365 clients.


Microsoft Office 365 may be blocked or inaccessible with your current Smoothwall configuration.


To enable use of Microsoft Office 365 clients:

  1. Create a firewall rule(s) that allows the following ports:
    • TCP port 5061
    • UDP port 3478
    • TCP/UDP port 5223
    • UDP ports 50000-59999

    See for pre-Inverness customers; or for customers running Inverness or higher.

  2. Create a Web Filter Policy to Allow the Microsoft Office 365 [NEW] category. To do this:
    1. Navigate to Guardian > Web Filter > Policy Wizard.
    2. Create a Web Filter Policy with the following settings:
    • Who — *As Required
    • What — Microsoft Office 365 [NEW]
    • Where — *As Required
    • When — *As Required
    • Action — Allow
    1. Click Save.
  3. Add your email domain to the Microsoft Office 365 category, to do this:
    1. Navigate to Guardian > Policy Objects > Categories .
    2. In the Categories panel, expand Standard Categories.
    3. Edit Microsoft Office 365 [NEW].
    4. Add mydomain.local to Domain/URL filtering where mydomain.local is your
  4. Add the Microsoft Office 365 [NEW] category to Authentication Exceptions.

For more information see

  1. Also add the following categories to Authentication Exceptions:

Note: The following categories may have already added for a previous application.

  • Software Updates
  1. Add the Microsoft Office 365 [NEW] category to a Whitelist policy for Everyone — see
  2. Move the policy you created up the Web filter policies table until it is above any block or blanket block in place for the group Unauthenticated IPs — see
  3. Save and restart the web proxy.

Note: On some Windows XP and Android clients, despite using proxy settings, some of the traffic from the Lync login process attempts to go out directly on port 443 regardless of proxy settings. If you are using transparent HTTPS interception, this traffic may be intercepted, however Lync does not support SNI and will not connect.

If you filter the web filter realtime logs by the IP of your test client and obtain the destination IPs Lync is using, these can be added as custom entries to the built in category entitled Transparent HTTPS Incompatible Sites — go to Guardian > Policy objects > Categories > Categories > Standard categories.

Seeing HTTP Code 503 in the Web Filter Logs

Using Auto Configuration URL in Outlook Client fails to configure the client and you see HTTP Code 503 in the guardian logs.

Office 365 DOES NOT support HTTPS for the auto configuration URL. This will most likely be caused by an SRV record or group policy setting. Most likely it’s a setting leftover from when an Exchange server was used on site before moving to a cloud solution. Even if the Exchange function has been removed from a server, Exchange schema changes to the domain schema cannot be removed.

You will need to use HTTP else you will see HTTP Code 503 when accessing — see


Last updated: Author: Contributions by:
11 January 2018 Patrick Gleeson Jonathan Mckeague