Firewall Settings for MyWorkDrive Server
Administrators may wish to lock down the MyWorkDrive Server client site so that it is reachable only from restricted networks, or not publish the site at all and allow access from internal LAN segments only. This is typically used where the administrator wishes to provide access to the Web File Manager site for viewing and editing documents in Office 365 but restrict external access. View typical network deployment scenario diagrams here.
Firewall lockdown is possible, and MyWorkDrive will function and allow Office Online document editing even if restricted to company WAN IPs or LAN segments only, with the following caveats:
- OneDrive external file sharing will not function (a publicly accessible Web File Manager URL is needed for Microsoft to copy files to OneDrive) unless the server can access https://*.live.com and https://wp-onedrive-api.wanpath.net for OneDrive external sharing.
- An internal host name must be used to reference the site for internal file sharing – for example: https://share.mycompany.local if referenced on the internal LAN only.
- Office 365 Editing must be enabled on the MyWorkDrive Server Admin Panel.
Please note that Office Online editing will function even if the Web File Manager client site is locked down, because the site is made available to Office Online on a per-session basis during editing transactions through our MyWorkDrive reverse proxy in Azure, which is itself locked down to Microsoft Office Online hosts only. Full details are in this article. In addition to firewall lockdown we also recommend disabling unneeded ciphers; see our Steps to lock down IIS SSL for Compliance and Security for additional information.
Outgoing firewall requirements
To function correctly the MyWorkDrive Server needs outgoing access to the following hosts and TCP ports:
- MyWorkDrive license servers at licensing.wanpath.net on TCP port 443 (SSL/TLS)
- TCP port 443 to *.live.com for OneDrive external sharing, along with the Office 365 URLs and IP address ranges per the Microsoft article here.
Server Version 5.4 and higher relay requirements:
For customers using Cloudflare Argo relays (for *.myworkdrive.net and Office 365 Editing), connections are relayed through Cloudflare Argo. Cloudflare Argo requires TCP port 7844 outbound from your server to Cloudflare IPs. MyWorkDrive recommends a direct internet connection: outgoing proxy services (typically web filtering) may break Office 365 online editing features and MyWorkDrive.net usage.
Beginning with version 5.3, an outgoing proxy server may be specified in the MyWorkDrive Admin Panel under Settings, in the format http://hostname-or-IP-address with an optional port number, for example http://10.10.10.10 or http://10.10.10.10:8888.
Server Version 5.3 and below relay requirements:
Relays are no longer supported on server version 5.3 or lower. Upgrade to Server 5.4 or higher.
Warning: Antivirus software installed on the server can interfere with the ability of your MyWorkDrive server to communicate with Microsoft Azure for our Office 365 and Cloud Connectors if any of its firewall features are enabled. Review our Antivirus article for settings and exclusions.
Troubleshooting Office 365 and Cloud Connector firewall issues
If basic troubleshooting of the cloud connector using this article fails, begin additional troubleshooting by ensuring the Office 365 Editing feature and/or the cloud connectors are enabled on the MWD Server admin panel under Settings. If they are enabled, check services.msc on your server for "Argo Tunnel Agent". It should be running.
If the service is running and has been for at least 15 minutes, next test outbound firewall access. From an elevated command prompt (netstat -b requires administrator rights), type "netstat -b". Note any connections belonging to the tunnel agent (portbridge or cloudflared.exe). A healthy service should show something like the output below, with connections to the https (443) and 7844 ports in the "ESTABLISHED" state.
If these are missing, check our outgoing firewall rules above, remove any antivirus software from the MWD server (or apply the exclusions from our Antivirus article) and ensure your MWD server has full internet connectivity. Then run netstat -b again to see whether outbound connections are established.
netstat -b healthy outbound connections to Cloudflare Argo:
[cloudflared.exe] TCP 192.168.41.111:56200 184.108.40.206:7844 ESTABLISHED
[cloudflared.exe] TCP 192.168.41.111:56201 220.127.116.11:7844 ESTABLISHED
[cloudflared.exe] TCP 192.168.41.111:56202 18.104.22.168:7844 ESTABLISHED
[cloudflared.exe] TCP 192.168.41.111:56208 22.214.171.124:https ESTABLISHED
Test communications on port 7844 outbound to the Cloudflare Argo tunnel service:
Launch PowerShell on the MyWorkDrive server and type the following command. The address below is an example; any remote address shown on port 7844 in your netstat -b output (or an address from Cloudflare's published IP ranges) can be used in its place:
Test-NetConnection -ComputerName 126.96.36.199 -Port 7844
The results should come back like below, with TcpTestSucceeded : True:
ComputerName     : 188.8.131.52
RemoteAddress    : 184.108.40.206
RemotePort       : 7844
InterfaceAlias   : Lan
SourceAddress    : 10.10.200.20
TcpTestSucceeded : True
If TcpTestSucceeded returns False, a firewall, proxy or antivirus product is blocking TCP port 7844 outbound from the MyWorkDrive server and needs to be investigated.
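The following PowerShell script is added here as an example and is not MyWorkDrive's own tooling. It automates, from the server itself, the checks in the "Outgoing firewall requirements" list and the service, netstat and Test-NetConnection steps above: it verifies the Argo Tunnel Agent service, lists the established connections owned by cloudflared.exe, and then tests every outbound host and port this article requires. The Cloudflare address is taken from the tunnel agent's current connections; the fallback placeholder address and the choice of login.live.com as a representative *.live.com host are assumptions.

```powershell
# Added example (not MyWorkDrive's own tooling). Run in an elevated PowerShell
# session on the MyWorkDrive server.

# Placeholder (assumption, TEST-NET-2 range): used only if cloudflared.exe has no
# live 7844 connection to copy the address from. Replace with an address from
# Cloudflare's published IP ranges if you need the fallback.
$CloudflareHost = '198.51.100.10'

# 1. The tunnel agent service must be running (the services.msc step above).
$svc = Get-Service -DisplayName 'Argo Tunnel Agent' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'Argo Tunnel Agent service not found - is Office 365 Editing / the cloud connector enabled in the admin panel?'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Argo Tunnel Agent service is $($svc.Status), expected Running"
} else {
    Write-Host 'Argo Tunnel Agent service: Running'
}

# 2. Established connections owned by cloudflared.exe (the equivalent of "netstat -b"
#    filtered to the tunnel agent). Healthy output shows remote port 7844 and 443.
$cfProcs = Get-Process -Name cloudflared -ErrorAction SilentlyContinue
if ($cfProcs) {
    $conns = Get-NetTCPConnection -State Established -OwningProcess $cfProcs.Id -ErrorAction SilentlyContinue
    $conns | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort | Format-Table -AutoSize
    # Prefer a Cloudflare address the agent is actually using for the port test below.
    $live = $conns | Where-Object RemotePort -eq 7844 | Select-Object -First 1
    if ($live) { $CloudflareHost = $live.RemoteAddress }
} else {
    Write-Warning 'cloudflared.exe is not running - no tunnel connections to inspect'
}

# 3. Outbound TCP tests for each host/port listed in this article.
$targets = @(
    @{ Host = 'licensing.wanpath.net';       Port = 443  },  # MyWorkDrive license servers
    @{ Host = 'wp-onedrive-api.wanpath.net'; Port = 443  },  # OneDrive external sharing
    @{ Host = 'login.live.com';              Port = 443  },  # one representative *.live.com host (assumption)
    @{ Host = $CloudflareHost;               Port = 7844 }   # Cloudflare Argo tunnel
)

$results = foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
            -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Target        = "$($t.Host):$($t.Port)"
        RemoteAddress = if ($r) { $r.RemoteAddress } else { $null }   # null = name resolution failed
        TcpOk         = [bool]($r -and $r.TcpTestSucceeded)
    }
}
$results | Format-Table -AutoSize

# Anything that failed here is being blocked by a firewall, outbound proxy or
# antivirus product between this server and the internet, or DNS is not resolving.
$failed = $results | Where-Object { -not $_.TcpOk }
if ($failed) {
    Write-Warning ('Outbound access blocked or unresolved: ' + ($failed.Target -join ', '))
} else {
    Write-Host 'All required outbound endpoints are reachable.'
}
```

A failed licensing.wanpath.net test with a working 7844 test (or the reverse) narrows the problem to a specific allow rule or web-filter category rather than general connectivity, which is why each endpoint is tested separately instead of relying on a single Test-NetConnection.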
If you have clustering enabled, TCP port 8353 needs to be opened on any server or network firewalls to the LAN. Cluster members communicate with each other via TCP 8353.
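As an added example (not MyWorkDrive's own configuration), the following PowerShell applies the host-firewall side of the lockdown described at the top of this article together with the cluster port above: inbound 443 to the Web File Manager only from company WAN and LAN ranges, and inbound 8353 only from the other cluster members. The address ranges, node addresses and rule names are assumptions to replace with your own. These are Windows Defender Firewall rules on the server itself; they complement the perimeter or network firewall rather than replace it.

```powershell
# Added example (not MyWorkDrive's own configuration). Run elevated on each
# MyWorkDrive server. All addresses below are assumptions - replace them.

$CompanyWanIPs = @('203.0.113.0/24')                   # office/VPN egress addresses (TEST-NET-3 placeholder)
$LanSegments   = @('10.10.0.0/16', '192.168.41.0/24')  # internal segments allowed to reach the site
$ClusterNodes  = @('10.10.200.20', '10.10.200.21')     # the other MyWorkDrive cluster members

$allowedClients = $CompanyWanIPs + $LanSegments
$ruleNames = 'MyWorkDrive HTTPS (restricted)', 'MyWorkDrive Cluster 8353'

# Remove earlier copies of these rules so the script can be re-run safely.
foreach ($name in $ruleNames) {
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

# Inbound HTTPS to the Web File Manager only from the allowed networks.
# Office 365 editing keeps working because those transactions reach the server
# through the MyWorkDrive reverse proxy / Argo tunnel, which is an outbound
# connection from this server, not an inbound connection on 443.
New-NetFirewallRule -DisplayName $ruleNames[0] `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $allowedClients -Action Allow -Profile Any | Out-Null

# Cluster traffic: TCP 8353, LAN profiles only, restricted to the other members.
New-NetFirewallRule -DisplayName $ruleNames[1] `
    -Direction Inbound -Protocol TCP -LocalPort 8353 `
    -RemoteAddress $ClusterNodes -Action Allow -Profile Domain, Private | Out-Null

# The lockdown is only effective if no other enabled rule still allows 443 from
# anywhere (IIS setup typically adds one). Report such rules instead of deleting
# them silently so the administrator can decide.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Warning "Rule '$($_.DisplayName)' still allows inbound TCP 443 from Any - disable it to complete the lockdown"
        }
    }

# Show the resulting rules with their address scopes for review.
foreach ($name in $ruleNames) {
    $rule = Get-NetFirewallRule -DisplayName $name
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    $port = ($rule | Get-NetFirewallPortFilter).LocalPort
    Write-Host ("{0}: TCP {1} from {2}" -f $name, $port, $addr)
}
```

After applying the rules, re-run the Test-NetConnection check from another machine on a blocked network against port 443 to confirm the refusal, and from a cluster member against port 8353 to confirm the cluster path is still open; a lockdown that was never tested from the outside is not a lockdown.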