Firewall rules for SAS URI

Anahaym 486 Reputation points
2020-06-15T16:30:56.43+00:00

Hi,
I'm using Microsoft Azure Storage Explorer to upload pst files via SAS URI and import them to the user's mailboxes. Recently we installed the MASE on another server and I'm getting an error - upload failed. In the Firewall we see the following logs:

10082-log1.png

What are these IP addresses? Do we need to whitelist them?
Is there any official documentation about requirements for MASE?

Thank you in advance.


Accepted answer
  1. Anahaym 486 Reputation points
    2020-11-10T16:49:13.403+00:00

    The issue was not related to the firewall, but to client changes. It was stated that this was fixed in the newest versions of the client, but we still use an old version:

    38844-image.png


4 additional answers

  1. Sumarigo-MSFT 45,406 Reputation points Microsoft Employee
    2020-06-22T11:42:40.227+00:00

    @TheAnahaym-5734 Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. Can you try to upload similar files using AzCopy and let me know the status?

    Also try to regenerate the SAS and upload in Storage Explorer; sometimes the SAS would be broken or expired.

    If the issue still persists, tell us more about the environment and container you're attempting to upload to. What kind of storage account does it belong to? How are you connecting to the container (did you sign in, use an account or service SAS, or use an account key)? Are you operating through any special network configurations, like a proxy server?

    Since you're signed in, can you verify whether you're using RBAC to access the blob container? You can easily check this by selecting the account node in Storage Explorer and looking for the Primary or Secondary Key properties. If you don't see them, you're using RBAC.

    If you are using RBAC, please verify that the permissions you have allow you to write blobs. This may seem silly if you're the account admin, but I've found that you still need to assign the proper roles. I think it's because admin roles only have management-level permissions, not data-level.

    Get started with Storage Explorer: https://learn.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments
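An added example, not part of any post in this thread: the reply above notes that a SAS can be broken or expired, and the fields that decide this are readable in the URI's query string (`se`, `st`, `sp`, `sip`, `spr`, `sig`). The sketch below checks them locally before an upload is attempted; the account name, container, timestamps and signature are constructed sample values, and `check_sas` is a hypothetical helper name.

```python
from datetime import datetime, timezone
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

def _utc(value):
    """Parse a SAS st/se timestamp (ISO 8601, UTC) into an aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_sas(uri, client_ip, now=None):
    """Return the reasons an upload with this SAS would be refused."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    problems = []  # the sig value is a credential: it is never echoed here
    if "sig" not in q:
        problems.append("no sig parameter: URI truncated or not a SAS")
    if "se" not in q:
        problems.append("no se (expiry) parameter")
    elif _utc(q["se"]) <= now:
        problems.append("expired at " + q["se"])
    if "st" in q and _utc(q["st"]) > now:
        problems.append("not valid until " + q["st"] + " (check clock skew)")
    if not set(q.get("sp", "")) & set("wc"):
        problems.append("sp=" + q.get("sp", "") + " grants no write/create")
    if "sip" in q:  # single address or start-end range
        lo, _, hi = q["sip"].partition("-")
        if not ip_address(lo) <= ip_address(client_ip) <= ip_address(hi or lo):
            problems.append("client IP outside sip=" + q["sip"])
    if urlsplit(uri).scheme == "http" and q.get("spr") == "https":
        problems.append("spr=https but URI uses http")
    return problems

# Constructed sample: read/list only, expired, restricted to another IP range.
SAMPLE = ("https://examplestore.blob.core.windows.net/ingestiondata"
          "?sv=2019-02-02&sr=c&sp=rl&st=2020-06-15T00:00:00Z"
          "&se=2020-06-20T00:00:00Z&sip=203.0.113.0-203.0.113.255"
          "&spr=https&sig=CONSTRUCTED")
SAMPLE_NOW = datetime(2020, 6, 23, tzinfo=timezone.utc)

if __name__ == "__main__":
    for reason in check_sas(SAMPLE, "198.51.100.7", SAMPLE_NOW):
        print(reason)
```

An empty result only means the visible fields are consistent; a revoked stored access policy or a rotated account key still invalidates the signature on the service side.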

  2. Anahaym 486 Reputation points
    2020-06-23T07:41:23.047+00:00

    Hello Sumarigo,

    I prefer to use Azure Explorer instead of AzCopy. It is much easier for me.
    The SAS I used was freshly generated and was working at the same time on the old server (now it is turned off).
    How am I connecting? I just open Azure Explorer and paste the SAS link.
    No, we don't have any proxies.

    I'll check the RBAC, but what about the IP I've mentioned above?


  3. TravisCragg-MSFT 5,681 Reputation points Microsoft Employee
    2020-06-25T19:36:45.953+00:00

    Both the IP Addresses in your firewall logs (I am not sure which one is the source and which one is the destination) are internal addresses, and are most likely addresses within your Virtual Network or connected network. None of those addresses are within Azure's public IP ranges.

    It is my understanding that you are not on a Virtual Network, but on-premise. If that is the case, do you have any special routing / networking rules that could alter your traffic? Also, I see that this is using port 445. Typically, file uploads / downloads are done via blob storage; are you using a file share to host this data? If so, there are a lot of issues with connecting via port 445 outside Azure.

    Can you give more information about how traffic should flow from this machine to your storage account, and what type of storage you are using?


  4. Anahaym 486 Reputation points
    2020-06-25T19:59:11.047+00:00

    Hello Travis,
    192.168.100.160 - source address, 10.10.10.9 - destination address. This activity registers in our firewall only when I try to upload files.
    Unfortunately, I don't know which type of storage I use; I just need to upload the PST files to import them to Exchange Online later.
    Now, I've tested it at home, where I don't have any outgoing firewalls, and it failed as well... but at home, I didn't see any traffic to 10.10.10.9.

    Question: Do I need to register the application in Azure?
