OpenGraph+
Get Started

Corporate Firewall Blocking Teams Unfurls

Why enterprise network configurations prevent Teams link previews

The enterprise-specific problem

Teams lives in corporate environments with firewalls, proxy servers, and strict network policies. The unfurl fetch happens on Microsoft’s cloud, not the user’s machine – so your URL must be reachable from the public internet. This creates issues unique to Teams.

Outbound traffic blocked to Microsoft IPs

If your firewall restricts inbound connections to known sources, it may block the SkypeUriPreview crawler running from Microsoft’s cloud. The unfurl fails silently.

Allowlist Microsoft’s IP ranges for Microsoft 365 services. Microsoft publishes these in the Microsoft 365 URLs and IP address ranges documentation. Work with your network team to add the relevant ranges.

SSL inspection breaking the fetch

Enterprise networks often use SSL/TLS inspection (HTTPS interception) where a proxy terminates and re-encrypts connections. The proxy’s intermediate certificate may not be trusted by Microsoft’s servers, causing the fetch to fail.

Symptoms: unfurls work for public URLs but fail for URLs behind the corporate proxy. curl from inside the network works, but the Teams unfurl is blank.

Exclude the target domains from SSL inspection, or ensure your server’s SSL certificate is trusted by standard CAs (not just your internal CA). Verify reverse proxies present the correct certificate chain.

Internal URLs unreachable from the cloud

The SkypeUriPreview crawler runs on Microsoft’s cloud, not your local network. URLs that only resolve on internal DNS (https://intranet.company.local/page) or sit behind a VPN will never unfurl. The crawler can’t reach them.

Internal-only URLs cannot generate unfurls – by design. For internal content, consider a Teams messaging extension with link unfurling that runs within your network. For hybrid setups, ensure the URL resolves publicly.

Diagnosing firewall issues

The key question: can a machine outside your network reach the URL?

# Test from an external machine (not behind your corporate network)
curl -A "SkypeUriPreview Preview/0.5" -I https://yoursite.com/page

If this returns 200 OK externally but unfurls still fail:

  1. Check Microsoft 365 connectivity – verify your network allows traffic to/from Microsoft services
  2. Check SSL certificates – trusted by external clients, not just internal?
  3. Check DNS resolution – resolves to a public IP, not private?
  4. Check WAF/CDN rules – Cloudflare, AWS WAF, etc. may block SkypeUriPreview via bot protection

Working with IT and network teams

When filing the ticket, include:

  • The specific URL that fails to unfurl
  • Evidence it’s reachable from the public internet
  • The user agent string SkypeUriPreview Preview/0.5 that needs to be allowed
  • The Microsoft 365 IP ranges documentation link

This is the most common cause of “works everywhere except Teams” – Teams is uniquely deployed in locked-down corporate environments.