Organizations block users' access to the World Wide Web for reasons ranging from productivity to security. Before disabling Internet access, administrators should consider that the Microsoft Office System is designed to use resources on the Web to help increase user productivity. An alternative to completely blocking access to the Internet would be to allow access to the Microsoft.com Web portal.
Managing access to the Internet is performed through a proxy server, a component of a company's firewall that manages communications between the internal network and the Internet. If you have never worked with proxy server settings, you should consult documentation or contact someone in your organization who manages proxy servers.
Note: Support for Microsoft Proxy Server 2.0 ended December 31, 2003; Internet Security and Acceleration (ISA) Server replaces it. ISA Server goes beyond the classic proxy server concept by providing an enterprise firewall and a high-performance Web cache server. ISA Server allows you to use groups to manage Internet access; for example, allowing access to Web-based research services for one department, but blocking access for other departments.
Internet-based resources hosted by Microsoft
In order to take advantage of all the features in the Microsoft Office System, users need Internet access. For example, the types of content available from Microsoft through Office applications include tools, clip art, training courses, technical support, and other information and resources used by knowledge workers. The following sections explain advantages Internet access provides users of the Microsoft Office System.
Extended Error Messages
Technically known as "Extended Error Messages (with additional help)," this new feature of the Microsoft Office System provides information about commonly encountered errors. Many of these errors occur when an Office feature is used incorrectly. A typical extended message includes helpful tips on how to avoid the condition that triggered the error message. Internet access is needed for this feature in order for Microsoft to update or add to the collection of available error messages. Users must be participating in the Customer Experience Improvement Program (CEIP) to receive these updates.
Customer Experience Improvement Program
Also known as SQM, the Customer Experience Improvement Program is a way for Microsoft to learn how customers are using products. If a user participates, a list of statistics is generated from the user's computer at scheduled intervals; that list is later submitted to Microsoft via the Internet when the user's computer is not busy. If a user does not participate, the statistics are not sent, and the latest Extended Error Messages are not downloaded.
Research option
The Research feature available in Microsoft Office Word 2003, Office Excel 2003, Office PowerPoint® 2003, and Office Outlook® 2003 allows users to access a plethora of information, such as dictionaries, encyclopedias, news wires, translation services, or Web search engines. These services are available through predefined URLs found in the Research task pane. A service may exist on the corporate intranet (a custom service), a Microsoft Web site, or a third-party Web site.
Microsoft Office Online
The Microsoft Office Online Web site serves as a gateway to a number of specialized sites that support and enhance the Microsoft Office System of products and services. The site includes Template Gallery, Design Gallery Live (which includes clip art), Office Assistance Center, Office eServices, Office Update (for security patches and product updates), and links to related sites covering platform, developer, and international issues.
Information Rights Management (IRM)
Information Rights Management (IRM) is a feature of Microsoft Office 2003 Editions designed to enhance collaboration methods and help restrict unauthorized access to the content of Word 2003, Excel 2003, PowerPoint 2003, and Outlook 2003 files. IRM takes advantage of the Internet when a user has been granted access to a document or file from another user outside of the company firewall. In this case, IRM will try to validate any externally managed permissions by means of Microsoft Windows Live ID accounts. If you don't have a means of authenticating these accounts, you cannot assign IRM privileges for external users.
Hyperlinks
Hyperlinks within users' documents may point to sites on the World Wide Web. As noted earlier in this article, it is possible to restrict or allow access to Web sites by using proxy settings.
Online collaboration
Although online collaboration is usually considered to be only a local area network issue, users can also connect to external Web sites (such as those created and managed by Microsoft Windows® SharePoint™ Services). Access can be granted or blocked via a proxy server.
Validation of digital signatures and certificates of trust
In order to validate certificates of trust, users need access to the Internet. Companies that issue these signatures and trust certificates have Web sites where they post lists of stolen, rejected, or bad signatures for certificates of trust. If you have the "Check for publisher's certificate revocation" or the "Check for server certificate revocation" option turned on in Internet Explorer, you'll need Internet access to accommodate the request by Office applications to confirm certificates.
These are just some of the Office features that take advantage of the Internet. Access to most of these sites can be managed using the approved IP addresses list created on the proxy server.
Addresses for Internet sites related to Office
The addresses provided here are always changing. New addresses may be added to support new features or to provide more services to users. However, commonly used addresses will be redirected to any new Uniform Resource Locator (URL) addresses as time goes on. To determine the most current address, enter any of the addresses listed below in a browser's address line. After the page for that address appears, examine the address line. It should have resolved to the current address for that URL. If it has changed, update any proxy server settings you may have to support that change.
Note: IP and URL addresses change, sometimes without warning. Usually any address of importance is redirected to the new address automatically. If you need to see the current IP address of a URL, search the web for a provider that lists URL and IP addresses. For example, the following web page provides valuable information about URLs and IP addresses: http://uptime.netcraft.com/.
The following is a list of URLs and IP addresses that you might allow users to access:
- Microsoft Office Online: http://office.microsoft.com - 207.68.166.247 and 64.4.52.30, 65.54.206.34 also listed as http://www.office.microsoft.com.
The following addresses related to this site are no longer valid. These invalid addresses are now automatically redirected to the Microsoft Office Online Web site:
- http://services.office.microsoft.com - 65.54.206.56
- http://r.office.microsoft.com - 65.54.206.58, 64.4.52.58
- http://r.office.microsoft.com.nsatc.net - 64.4.52.58 and 64.4.52.57
- http://officeupdate.microsoft.com - 65.54.206.33, 64.4.52.33
- http://officeimages.microsoft.com - 65.54.206.53, 65.54.206.55, 65.54.206.56, 65.54.206.57, or 65.54.206.58
- http://config.office.microsoft.com - 64.4.52.57
- http://www.backoffice.microsoft.com - 207.46.245.222
- Supporting host sites for ads on the Microsoft Office Online Web site:
- Microsoft main web pages: http://www.microsoft.com - 207.46.249.27
Used for downloads, searching for product information, and product updates.
- activex.microsoft.com - 207.46.196.108
- download.microsoft.com - 207.46.249.92 (now www.microsoft.com/downloads)
- i.microsoft.com
- i2.microsoft.com
- i3.microsoft.com
- i4.microsoft.com
- go.microsoft.com - 207.46.196.55, 207.46.250.101, 207.46.250.104
- msdn.microsoft.com - 207.46.196.115, 207.46.248.109
- partner.microsoft.com - list of Microsoft partners - 131.107.101.76
- profile.microsoft.com - 207.46.250.113, 64.4.52.125
- search.microsoft.com - 207.46.130.97, 207.46.250.107
- support.microsoft.com - 207.46.248.248, 207.46.196.46, 64.4.52.254
- update.microsoft.com - 207.46.249.157, 207.46.134.62, 207.46.249.57, 207.46.134.126, 207.46.249.126, 207.46.157.30, 207.46.156.25, 207.46.253.157, 64.4.21.93, 64.4.23.221
- v3.windowsupdate.microsoft.com - 207.46.225.221, 207.46.18.94, 207.46.249.57
- v4.windowsupdate.microsoft.com - 207.46.20.222, 207.46.20.126, 207.46.20.190, 207.46.20.158, 207.46.244.222
- v5.windowsupdate.microsoft.com - 207.46.250.158, 64.4.23.188
- windowsupdate.microsoft.com - 207.46.225.221, 207.46.18.94, 207.46.249.57, 207.46.249.56
- Microsoft Watson reporting website (no home page - reporting site only): http://watson.microsoft.com - 207.68.166.243, 65.54.206.43
This site is used by the Office Error Reporting feature. The following list of alternate sites should be added in case this site is overloaded:
- http://watson3.microsoft.com - 207.68.166.191
- http://watson4.microsoft.com - 207.68.166.192
- http://watson5.microsoft.com - 207.68.166.193
- http://officewatson.officeupdate.microsoft.com - 207.68.166.243
The majority of these sites have an IP address beginning with 207.68.166.xxx. Some of the sites listed above reside on the same IP address (for instance, http://watson.microsoft.com and http://officewatson.officeupdate.microsoft.com). You could grant access to sites by IP address, but occasionally these URLs change and move to a different IP address, which may result in a broken link. It is better to use the URL name (http://<address>), which is more likely to remain the same over time.
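The two problems with IP-based rules described above (several hostnames behind one address, and addresses that move) can be checked mechanically. The following is an added example, not part of the original article: the baseline is copied from the Watson entries in the list, while the function names and the "current" DNS answers (a documentation-range address) are constructed for illustration.

```python
import socket
from collections import defaultdict

# Baseline copied from the Watson entries in the list above.
BASELINE = {
    "watson.microsoft.com": {"207.68.166.243", "65.54.206.43"},
    "watson3.microsoft.com": {"207.68.166.191"},
    "watson4.microsoft.com": {"207.68.166.192"},
    "watson5.microsoft.com": {"207.68.166.193"},
    "officewatson.officeupdate.microsoft.com": {"207.68.166.243"},
}


def system_resolver(host):
    """Return the host's current IPv4 addresses from the OS resolver."""
    try:
        infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # unresolvable: every recorded address is reported stale
    return {info[4][0] for info in infos}


def shared_addresses(baseline):
    """IPs serving more than one hostname: an IP rule for one allows them all."""
    by_ip = defaultdict(set)
    for host, ips in baseline.items():
        for ip in ips:
            by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def drift(baseline, resolve=system_resolver):
    """Return {host: (stale_ips, new_ips)} where answers differ from baseline."""
    report = {}
    for host, recorded in baseline.items():
        current = resolve(host)
        if current != recorded:
            report[host] = (sorted(recorded - current), sorted(current - recorded))
    return report


# Constructed "current" answers: one host has moved to a documentation address.
CONSTRUCTED_NOW = {**BASELINE, "watson3.microsoft.com": {"192.0.2.10"}}

if __name__ == "__main__":
    print("shared:", shared_addresses(BASELINE))
    print("drift :", drift(BASELINE, CONSTRUCTED_NOW.get))
```

Calling `drift(BASELINE)` with no second argument uses live DNS, so run it from a host that resolves names the same way the proxy does.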
A simple solution for allowing access to Microsoft
A simple solution for enabling access to Office related Microsoft Web sites is to add the following information to your list of allowed Web sites using the administrative features of your proxy server:
*.microsoft.com
Be sure to set your system to allow access to this URL for port 80 and port 443.
However, if you want users to access most of the sites in the above domain with the exception of Windows Update or Office Update, you face a bigger challenge, but it is possible. To block access to these update sites, you block the following URL names by using proxy server settings:
- http://v3.windowsupdate.microsoft.com
- http://v4.windowsupdate.microsoft.com
- http://v5.windowsupdate.microsoft.com
- http://windowsupdate.microsoft.com
- http://update.microsoft.com
- http://office.microsoft.com/officeupdate
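The rule order this section implies (explicit blocks first, then the wildcard allow on ports 80 and 443, deny otherwise) can be modelled as follows. This is an added example, not the article's or any proxy product's code: `decide`, the default-deny fallback, the subdomains-only reading of the wildcard and the case-insensitive path match are assumptions, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Rules from the article: one wildcard allow on two ports, six blocked update URLs.
ALLOW_SUFFIX = ".microsoft.com"  # "*.microsoft.com"; assumed to mean subdomains only
ALLOW_PORTS = {80, 443}
BLOCK_HOSTS = {
    "v3.windowsupdate.microsoft.com",
    "v4.windowsupdate.microsoft.com",
    "v5.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
}
BLOCK_PATHS = [("office.microsoft.com", "/officeupdate")]


def decide(url):
    """Return 'allow' or 'deny' for a requested URL (assumed default: deny)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    try:
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    except ValueError:  # malformed or out-of-range port
        return "deny"
    if not host or port not in ALLOW_PORTS:
        return "deny"
    # Blocks are evaluated before the wildcard so they override it.
    if host in BLOCK_HOSTS:
        return "deny"
    path = parts.path.lower()  # assumption: path match is case-insensitive
    for blocked_host, prefix in BLOCK_PATHS:
        if host == blocked_host and (path == prefix or path.startswith(prefix + "/")):
            return "deny"
    # Match on a label boundary, so "microsoft.com.example.net" and
    # "notmicrosoft.com" do not satisfy the wildcard.
    return "allow" if host.endswith(ALLOW_SUFFIX) else "deny"


if __name__ == "__main__":
    for sample in (  # constructed sample requests
        "http://support.microsoft.com/",
        "http://office.microsoft.com/officeupdate/default.aspx",
        "http://microsoft.com.example.net/",
        "http://support.microsoft.com:8080/",
    ):
        print(decide(sample), sample)
```

When HTTPS is tunnelled through the proxy with CONNECT, only the host and port are visible, so the path-based block for office.microsoft.com/officeupdate applies to plain HTTP requests unless the proxy inspects TLS.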
Note: If your company has blocked or limited access to the Internet, it is recommended that you allow access to the various Web sites that provide certificate revocation checking so users can validate certificates of trust on a regular basis. Check with your network administrator or proxy server administrator for possible options you can explore to allow access to certificate revocation servers available from certificate authorities.