If you’ve ever tried to activate Microsoft Office in a corporate or restricted network environment, you may have encountered frustrating activation failures. Even with a valid license, Office activation can fail if it cannot communicate with Microsoft’s activation servers. This is almost always due to a firewall blocking the necessary outbound traffic.

This guide provides a comprehensive overview of the required domains and ports for Office activation and offers ready-to-use scripts to configure various firewalls, including Windows Firewall, Cisco ASA, Palo Alto, pfSense, and Linux iptables.


Why Does Office Activation Fail? The Technical Details

Microsoft Office activation is not a single request. It’s a multi-step process that involves contacting various Microsoft services to validate your license and enable all features. Here’s a simplified breakdown of what happens:

  1. License Validation: Office contacts Microsoft’s licensing servers to verify that your product key or subscription is valid.
  2. Service Communication: It communicates with various office.com and live.com services to enable features like cloud storage and collaboration.
  3. Certificate Revocation Check: It checks Certificate Revocation Lists (CRLs) to ensure that the security certificates used in the process are valid and have not been revoked.

A failure at any of these steps, often due to a blocked network connection, will cause the entire activation process to fail.

Required Domains for Activation

To ensure a successful activation, your firewall must allow outbound TCP traffic on ports 80 (HTTP) and 443 (HTTPS) to the following domains:

  • *.microsoft.com
  • *.office.com
  • *.live.com
  • activation.sls.microsoft.com
  • ols.officeapps.live.com
  • odc.officeapps.live.com
  • officecdn.microsoft.com
  • crl.microsoft.com
  • go.microsoft.com
  • nexus.officeapps.live.com

Configuring Your Firewall

Below are scripts and configurations for various common firewall platforms.

1. Windows Firewall (PowerShell)

This PowerShell script creates the necessary outbound firewall rules on a Windows machine. Run it as an Administrator.

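# Microsoft Office Activation - Allow Outbound to Required Hosts
# -RemoteAddress accepts IP addresses, subnets, ranges and keywords, not
# hostnames or wildcards, so each exact hostname is resolved to its current
# IPv4 addresses first. The wildcard entries (*.microsoft.com, *.office.com,
# *.live.com) cannot be expressed this way and are left to a proxy or an
# FQDN-aware firewall.
$domains = @(
    "activation.sls.microsoft.com",
    "ols.officeapps.live.com",
    "odc.officeapps.live.com",
    "officecdn.microsoft.com",
    "crl.microsoft.com",
    "go.microsoft.com",
    "nexus.officeapps.live.com"
)

$ports = @(80, 443)

foreach ($domain in $domains) {
    # Keep only A records (the answer can also contain CNAME records).
    # These addresses change over time, so the rules need periodic re-creation.
    $ips = @(Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress -Unique)
    if (-not $ips) {
        Write-Warning "Could not resolve $domain; no rule created"
        continue
    }
    foreach ($port in $ports) {
        $ruleName = "Allow Office Activation - $domain`:$port"
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName `
                -Direction Outbound -Action Allow `
                -Protocol TCP -RemotePort $port `
                -RemoteAddress $ips -Profile Any
            Write-Host "Created rule: $ruleName"
        } else {
            Write-Host "Rule already exists: $ruleName"
        }
    }
}
Write-Host "Office activation firewall rules applied!"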

# To remove the rules later:
# Get-NetFirewallRule -DisplayName "Allow Office Activation*" | Remove-NetFirewallRule

Explanation:

  • The script iterates through the list of required domains and ports.
  • New-NetFirewallRule creates an outbound rule for each domain and port combination.
  • if (-not (Get-NetFirewallRule ...)) checks if a rule with the same name already exists to avoid duplicates.

2. Cisco ASA / Firepower (CLI)

For Cisco ASA or Firepower devices, you can use the following CLI commands to create an object group and access control list (ACL).

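! Microsoft Office Activation - Outbound Allow
! "network-object host" takes an IP address, so each hostname is defined as an
! FQDN object (needs DNS lookup configured on the ASA); wildcards are not supported.
object network OBJ-ACTIVATION-SLS
 fqdn v4 activation.sls.microsoft.com
object network OBJ-OLS-OFFICEAPPS
 fqdn v4 ols.officeapps.live.com
object network OBJ-ODC-OFFICEAPPS
 fqdn v4 odc.officeapps.live.com
object network OBJ-OFFICECDN
 fqdn v4 officecdn.microsoft.com
object network OBJ-CRL
 fqdn v4 crl.microsoft.com
object network OBJ-GO
 fqdn v4 go.microsoft.com
object network OBJ-NEXUS-OFFICEAPPS
 fqdn v4 nexus.officeapps.live.com
object-group network OBJ-OFFICE-ACTIVATION
 network-object object OBJ-ACTIVATION-SLS
 network-object object OBJ-OLS-OFFICEAPPS
 network-object object OBJ-ODC-OFFICEAPPS
 network-object object OBJ-OFFICECDN
 network-object object OBJ-CRL
 network-object object OBJ-GO
 network-object object OBJ-NEXUS-OFFICEAPPS
exit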

access-list ACL-OUTBOUND extended permit tcp any object-group OBJ-OFFICE-ACTIVATION eq 80
access-list ACL-OUTBOUND extended permit tcp any object-group OBJ-OFFICE-ACTIVATION eq 443

! Apply to your outbound interface (e.g., outside)
access-group ACL-OUTBOUND out interface outside

3. Palo Alto Networks (PAN-OS CLI)

For Palo Alto firewalls, you can use these CLI commands to create the necessary address objects, group them, and create a security policy.

# Create address objects (FQDN objects take exact hostnames; wildcards such as
# *.microsoft.com are not valid here and need a URL category or proxy instead)
set address activation.sls.microsoft.com fqdn activation.sls.microsoft.com
set address ols.officeapps.live.com fqdn ols.officeapps.live.com
set address odc.officeapps.live.com fqdn odc.officeapps.live.com
set address officecdn.microsoft.com fqdn officecdn.microsoft.com
set address crl.microsoft.com fqdn crl.microsoft.com
set address go.microsoft.com fqdn go.microsoft.com
set address nexus.officeapps.live.com fqdn nexus.officeapps.live.com

# Create address group
set address-group AG-OFFICE-ACTIVATION static [ activation.sls.microsoft.com ols.officeapps.live.com odc.officeapps.live.com officecdn.microsoft.com crl.microsoft.com go.microsoft.com nexus.officeapps.live.com ]

# Create the service objects referenced by the rule
set service tcp-80 protocol tcp port 80
set service tcp-443 protocol tcp port 443

# Create security rule (zone names and the log forwarding profile are site-specific)
set rulebase security rules "Allow Office Activation" from trust to untrust
set rulebase security rules "Allow Office Activation" source any
set rulebase security rules "Allow Office Activation" destination AG-OFFICE-ACTIVATION
set rulebase security rules "Allow Office Activation" service [ tcp-80 tcp-443 ]
set rulebase security rules "Allow Office Activation" application [ ssl web-browsing ]
set rulebase security rules "Allow Office Activation" action allow
set rulebase security rules "Allow Office Activation" log-setting Forward-To-Panorama

4. pfSense / OPNsense

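For pfSense or OPNsense, the easiest method is to create a URL table alias and then use it in a firewall rule. A URL Table (IPs) alias periodically downloads a list of IP addresses or networks from the given URL, so check that the URL is reachable and that the file it serves contains addresses from a source you trust before referencing the alias in a rule.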

  1. Create an Alias:
    • Navigate to Firewall > Aliases > URL Table.
    • Create a new alias with the following settings:
      • Name: Office_Activation_Domains
      • Type: URL Table (IPs)
      • URL: https://raw.githubusercontent.com/microsoft/Office365-URLs/main/activation-domains.txt
  2. Create a Firewall Rule:
    • Navigate to Firewall > Rules > LAN.
    • Create a new rule with the following settings:
      • Action: Pass
      • Interface: LAN
      • Protocol: TCP
      • Source: LAN net
      • Destination: Single host or alias > Office_Activation_Domains
      • Destination Port Range: HTTP, HTTPS
      • Description: Allow Office Activation

5. Linux iptables (Basic)

For a Linux-based firewall, you can use iptables to allow outbound traffic to the required domains. This script resolves the domains to IP addresses and adds rules for each.

# Flush old rules (optional)
# iptables -F

# Allow Office activation domains (requires DNS resolution or IP list)
DOMAINS="activation.sls.microsoft.com ols.officeapps.live.com odc.officeapps.live.com officecdn.microsoft.com crl.microsoft.com go.microsoft.com nexus.officeapps.live.com"

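for domain in $DOMAINS; do
    # dig +short also prints CNAME targets; keep only IPv4 addresses
    IPS=$(dig +short A "$domain" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$')
    for ip in $IPS; do
        iptables -A OUTPUT -d "$ip" -p tcp --dport 80 -j ACCEPT
        iptables -A OUTPUT -d "$ip" -p tcp --dport 443 -j ACCEPT
    done
done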

Note: For a more robust solution on Linux, consider using nftables with IP sets or a proxy that supports domain-based filtering.
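One way to apply the set-based approach from the note above, as an added example that is not part of the original guide: the script prints nft commands that keep the resolved addresses in a single set, replaced as a whole on each refresh. The table `inet filter`, the chain `output` and the set name `office_v4` are assumptions, and the sample resolver output is constructed.

```shell
#!/bin/sh
# Added example: keep resolved addresses in one nftables set instead of
# appending one iptables rule per address.
# Assumptions: table "inet filter" and chain "output" already exist; the set
# name office_v4 is illustrative.
SET="inet filter office_v4"

# Constructed sample of `dig +short` output (documentation address ranges):
# a CNAME target, two A records, a duplicate and a resolver error line.
SAMPLE_DIG_OUTPUT='prod.example-cdn.net.
198.51.100.7
192.0.2.10
198.51.100.7
;; communications error to 192.0.2.53#53: timed out'

# Keep only well-formed, de-duplicated IPv4 addresses from stdin.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
        sort -u
}

# One-time setup: the set plus a single rule that references it.
nft_setup() {
    printf 'add set %s { type ipv4_addr; }\n' "$SET"
    printf 'add rule inet filter output ip daddr @office_v4 tcp dport { 80, 443 } accept\n'
}

# Periodic refresh: replace the set contents with the addresses on stdin.
# Fed to `nft -f -`, both lines apply as one transaction. If nothing usable
# was resolved, print nothing and fail so the existing set is left in place.
nft_refresh() {
    elems=$(filter_ipv4 | paste -sd, -)
    [ -n "$elems" ] || return 1
    printf 'flush set %s\nadd element %s { %s }\n' "$SET" "$SET" "$elems"
}

# Dry run on the sample. On a real host, pipe the combined `dig +short A`
# output for all required hosts into nft_refresh, then into `nft -f -`.
nft_setup
printf '%s\n' "$SAMPLE_DIG_OUTPUT" | nft_refresh
```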


Integrating into an Automation Workflow

You can easily wrap the PowerShell script into a reusable function to include in your larger machine setup or configuration management scripts.

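function Set-OfficeActivationFirewallRules {
    [CmdletBinding()]
    param()

    # -RemoteAddress takes IP addresses, not hostnames or wildcards, so only exact
    # hostnames are listed and each is resolved to its current IPv4 addresses.
    $domains = @(
        "activation.sls.microsoft.com", "ols.officeapps.live.com", "odc.officeapps.live.com",
        "officecdn.microsoft.com", "crl.microsoft.com", "go.microsoft.com",
        "nexus.officeapps.live.com"
    )
    $ports = @(80, 443)

    foreach ($domain in $domains) {
        # Keep only A records; the answer can also contain CNAME records.
        $ips = @(Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress -Unique)
        if (-not $ips) {
            Write-Warning "Could not resolve $domain; no rule created"
            continue
        }
        foreach ($port in $ports) {
            $ruleName = "Allow Office Activation - $domain`:$port"
            if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Allow -Protocol TCP -RemotePort $port -RemoteAddress $ips -Profile Any
                Write-Verbose "Created rule: $ruleName"
            }
        }
    }
    Write-Host "Office activation firewall rules have been configured."
}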

# --- Example Usage ---
# Call this function as part of a larger script
# Set-OfficeActivationFirewallRules -Verbose

✅ Verification (All Platforms)

After applying the firewall rules, you should test connectivity from a client machine to ensure the rules are working.

Using CMD:

telnet activation.sls.microsoft.com 443
curl -I https://ols.officeapps.live.com/olsc/

Using PowerShell:

Test-NetConnection activation.sls.microsoft.com -Port 443

If the connection is successful (TcpTestSucceeded : True in PowerShell, or a blank screen in Telnet), your firewall rules are correctly configured, and Office activation should now work.


🏁 Summary

Platform            Method
Windows             PowerShell firewall rules
Cisco ASA           object-group + access-list
Palo Alto           Address objects + security policy
pfSense / OPNsense  URL table alias + LAN rule
Linux               iptables or nftables

By ensuring that your firewall allows outbound traffic to Microsoft’s activation domains, you can resolve most Office activation issues in a corporate or restricted network environment. Once the rules are applied and verified, Microsoft Office should activate successfully on the first launch.