Problem Description :
Coronavirus has become a global catastrophe and many organizations are encouraging work from home to avoid spreading it. This has caused many organizations to review their vpn infrastructure because if a whole organization starts doing WFH at once then it could cause many scalability issues because in most of organizations VPNs aren’t designed to work for the whole organization at once.
Let’s come to the point, Microsoft Office 365 is one of the primary workloads of organization and most of the organizations don’t care about intentionally force its traffic to be routed through VPN.
Microsoft recently published an article about split tunneling of Office 365 traffic so that when end-user connects to VPN, there office 365 isn’t routed through VPN instead, it is routed from user computer to internet directly. This will help in avoiding a large workload to consume VPN infrastructure.
Leverage split tunneling if your VPN product supports it.
Talk to your Network Engineers and Enable split tunneling for these office 365 FQDNs :
| Endpoint to Optimize | Port/s | Use |
|---|---|---|
| https://outlook.office365.com | TCP 443 | This is one of the Core URLs Outlook uses to connect to its Exchange Online server and has high volume of bandwidth usage and connection count. Low network latency is required for online features including: Instant search, Other mailbox calendars, Free / busy lookup, manage rules & alerts, Exchange online archive, Emails departing the outbox. |
| https://outlook.office.com | TCP 443 | This is use for Outlook Online web access to connect to its Exchange Online server and network latency. Connectivity is particularly required for large file upload and download with SharePoint Online. |
| https://<tenant>.sharepoint.com | TCP 443 | This is the primary URL for SharePoint Online and has high volume of bandwidth usage. |
| https://<tenant>-my.sharepoint.com | TCP 443 | This is the primary URL for OneDrive for Business and has high volume of bandwidth and possibly high connection count from the OneDrive for Business Sync tool. |
| Teams Media IPs (no URL) | UDP 3478, 3479, 3480, and 3481 | Relay Discovery allocation and real time traffic (3478), Audio (3479), Video (3480), and Video Screen Sharing (3481). These are the endpoints used for Skype for Business and Microsoft Teams Media traffic (Calls, meetings etc). Most endpoints are provided when the Microsoft Teams client establishes a call (and are contained within the required IPs listed for the service).UDP is required for optimal media quality. |
Ref Articles
- https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel-for-public-applications.html
- https://techcommunity.microsoft.com/t5/office-365-blog/how-to-quickly-optimize-office-365-traffic-for-remote-staff-amp/ba-p/1214571
Thank you for reading and keep yourself safe !
Learn Tech Future 