Firewall Settings for MyWorkDrive Server
Administrators my wish to lock down the MyWorkDrive Server client site to be accessible from only restricted networks or not publish the site and allow access from internal LAN segments only. This would typically be used where the administrator wishes to provide access to the Web File Manager site for view and editing documents in Office 365 but restrict external access. View typical network deployment scenario diagrams here. Firewall lockdown is possible and MyWorkDrive will function and allow Office online document editing even if restricted to company WAN IP’s or LAN segments only with the following caveats:
- OneDrive external file sharing will not function ( a publicly accessible Web File Manager URL is needed for Microsoft to copy files to OneDrive) unless the server can access https://*.live.com and https://wp-onedrive-api.wanpath.net for OneDrive external sharing.
- An internal host name must be used to reference the site for internal file sharing – for example: https://share.mycompany.local if referenced on the internal LAN only.
- Office 365 Editing must be enabled on the MyWorkDrive Server Admin Panel.
Please note Office online editing will function even if the Web File Manager client site is locked down since it is made available during Office online editing transactions on a session basis through our MyWorkDrive reverse proxy in Azure locked down to Microsoft Office online hosts only. Full details are in this article.
In additional to firewall lockdown we also recommend disabling unneeded ciphers. See our Steps to lock down IIS SSL for Compliance and Security for additional information.
Outgoing firewall requirements
To function correctly the MyWorkDrive Server needs outgoing access to the following hosts and TCP ports:
MyWorkDrive license servers at my.nalpeiron.com & licensing.wanpath.net on SSL port 443
Port 443 to *.live.com for OneDrive external sharing along with Office 365 URL’s and IP address ranges per Microsoft article here.
Server Version 5.3 and below relay requirements:
For customers using MyWorkDrive Relays ( for *.myworkdrive.net and Office 365 Editing) TCP ports 443, 9350 through 9354, 5671 & 5672 to all hosts.
MyWorkDrive Relay Hosts:
*.servicebus.windows.net 5671-5672 Used for Advanced Message Queuing Protocol (AMQP).
*.servicebus.windows.net 443, 9350-9354 Listens on Service Bus Relay over TCP (requires 443 for Access Control token acquisition)
Ideally we do not recommend locking down your firewall to individual IP addresses for our relays, since these may change over time to maintain our service’s high availability.
Server Version 5.4 and higher relay requirements:
For customers using CloudFlare Argo Relays ( for *.myworkdrive.net and Office 365 Editing)- connections are relayed through Cloudflare Argo. Cloudflare Argo requires ports 443 and 7844 outbound.
MyWorkDrive recommends a direct internet connection – outgoing proxy services (typically web filtering) may break Office 365 online editing features and MyWorkDrive.net usage. Beginning with version 5.3 an outgoing proxy server may be specified in the MyWorkDrive Admin Panel under settings in the format of http://hostname or IP Address and optional port number. For example http://10.10.10.10 or http://10.10.10.10:8888.
Warning: Antivirus software installed on the server can interfere with the ability for your MyWorkDrive to communicate with Microsoft Azure for our Office 365 and Cloud Connectors if any firewall features are enabled. Review our Antivirus article for settings and exclusions.
Troubleshooting Office 365 and Cloud Connector firewall issues
If basic troubleshooting of the cloud connector fails using this article begin additional troubleshooting by ensuring the Office 365 Editing feature and/or the cloud connectors are enabled on the MWD Server admin panel under settings. If enabled, check services.msc on your server for “MyWorkDrive Portbridge Service” . It should be running. If the service is running and has been for at least 1 hour to replicate across our global relays, next test outbound firewall access.
From a command prompt, type “Netstat -b”. Note any connection for portbridge. A healthy service should show something like below with https, 5671 and 9350 series ports open and in and “ESTABLISHED” state. If these are missing, check our outgoing firewall rules, remove any Antivirus software from the MWD server and ensure your MWD server has full internet connectivity. Then run netstat -b again to see if outbound connections are established.
Netstat -b healthy outbound connections:
TCP 10.10.101.6:60469 18.104.22.168:5671
TCP 10.10.101.6:60475 22.214.171.124:9352
TCP 10.10.101.6:60488 126.96.36.199:9352
TCP 10.10.101.6:60515 188.8.131.52:9352
TCP 10.10.101.6:60535 184.108.40.206:9352
TCP 10.10.101.6:60538 220.127.116.11:9352
Netstat -b healthy outbound connections Cloudflare Argo:
TCP 192.168.41.111:56200 18.104.22.168:7844 ESTABLISHED
TCP 192.168.41.111:56201 22.214.171.124:7844 ESTABLISHED
TCP 192.168.41.111:56202 126.96.36.199:7844 ESTABLISHED
TCP 192.168.41.111:56208 188.8.131.52:https ESTABLISHED