3 Replies Latest reply on Oct 19, 2017 12:59 PM by matthew.stokes

    TCP Port Exhaustion on MWG with O365?




      Wanted to get some input on others experience with larger Office 365 deployments using MWG as the proxy solution. We are considering deploying O365 internally to over 40,000 users. Microsoft is telling us that we need to account for around 20 concurrent TCP proxy connections per user for O365. Since each MWG has only a single IP address there is only about 60,000 possible source TCP ports per box. Based on this we would need more than 12 MWGs to support this level of traffic. So I guess my question is two fold...


      1. Has anyone seen this type of deployment in action and if so what did you ACTUALLY see for the number of required concurrent TCP connections?

      2. Is there a way to add more logical IPs to the MWG to allow us to do more with fewer physical MWGs? I'm pretty sure the boxes we already have have enough hardware horsepower to handle the traffic but the logical source port count is another problem altogether.

        • 1. Re: TCP Port Exhaustion on MWG with O365?

          I haven't specifically done this for O365, but the network tab of F12, developer tools (variations on all the major browsers) does much to reveal (and troubleshoot) Internet bloatware.  If I had an active account, I'd give it a look myself.

          • 2. Re: TCP Port Exhaustion on MWG with O365?

            We have addressed the same situation - education environment with potentially 30,000 O365 users.

            Initially the O365 consultants indicated the O365 should not be transported via Proxy - this proved to be not the case.

            We have created a Whitelist for O365 Url.Hosts ( to bypass Category/Application and Authentication in Web Gateway - recommended by Microsoft  - refer https://support.content.office.net/en-us/static/O365IPAddresses.xml )

            We have observed an increase in concurrent TCP connections but current MWG and Proxy fleet are accommodating at moment - in saying that I suspect that O365 usage is ever increasing.

            Microsoft have indicated that upto 2,000 concurrent IP sessions via external /32 IP Address is advised, thus a NAT Pool is used to distribute external 0365 connections from the education entity - Note that the NAT Pool is managed via Load Balancer and not MWG.

            • 3. Re: TCP Port Exhaustion on MWG with O365?

              Thanks for the reply ! So if you don't mind my asking, how many MWG's were spec'd out for a deployment of 30,000 O365 users? Your implementation size sounds very similar to ours. We currently run (4) fully loaded 5500C appliances for our user base and they are not even working hard at the moment. But I suspect the TCP port issue will be more of a logical limitation than a physical hardware performance limitation.


              Did the McAfee sizing folks make any special adjustments to their recommendation because of the O365 application or did they treat it like any other Internet access requirement basing it purely on user count or bandwidth?