Forum Discussion
VicenteN
May 23, 2022 Copper Contributor
Split Tunnel Implemented. But, some of the traffic still going via VPN
Hi, I am new to Microsoft Teams and I am wondering why some Microsoft Teams traffic is going straight to the internet and some is going via VPN. We use Cisco AnyConnect and have configured dynam...
May 23, 2022
Hello,
Is the traffic that you are seeing still going through the VPN categorized as Allow here?
https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
also
"Signaling traffic is performed over HTTPS and isn't as latency sensitive as the media traffic and is marked as Allow in the URL/IP data and thus can safely be routed through the VPN client if desired."
"In certain scenarios, often unrelated to Teams client configuration, media traffic still traverses the VPN tunnel even with the correct routes in place. If you encounter this scenario, then using a firewall rule to block the Teams IP subnets or ports from using the VPN should suffice."
https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-vpn-securing-teams?view=o365-worldwide
EWoodrick
May 23, 2022 Iron Contributor
In the first link that Andrew sent is the listing of the ports and traffic. There are categories like Optimize Required, Allow Required, etc. The article at https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-network-connectivity-principles?view=o365-worldwide#new-office-365-endpoint-categories says what you need to do for each of them.
So the basic answer is yes, they can be split. But Microsoft recommends full bypass of any VPN solutions. And to meet in the middle, at least Optimize Required should be bypassing the VPN.
VPNs normally encrypt the data, slowing it down. They generally take the longest route to a Microsoft Data Center, and by routing most of the traffic through a security-monitored VPN, the security system really can't do much about it anyway.
And it is important that the workstation receives a DNS response based upon its location, so that it can find, through geo-based DNS, the closest location.
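As an added illustration (not code from this thread, from Microsoft, or from Cisco), the script below does the check the replies above suggest: it loads endpoint data in the shape of the Office 365 IP Address and URL web service JSON, classifies observed destination IP/port pairs by category (Optimize, Allow, Default), and flags Optimize-category flows that were seen going through the tunnel, which is exactly the media-over-VPN case described in the second reply. The endpoint entries and the flow records are constructed samples using RFC 5737 documentation ranges rather than Microsoft's published ranges, and all function names are my own.

```python
import ipaddress
import json

# Constructed sample shaped like the Office 365 IP Address and URL web service
# output (https://endpoints.office.com/endpoints/worldwide). The CIDRs are
# RFC 5737 documentation ranges, NOT Microsoft's published endpoint ranges.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 11, "serviceArea": "Skype", "category": "Optimize", "required": true,
   "ips": ["203.0.113.0/25"], "tcpPorts": "80,443", "udpPorts": "3478,3479,3480,3481"},
  {"id": 12, "serviceArea": "Skype", "category": "Allow", "required": true,
   "urls": ["*.teams.example"], "ips": ["198.51.100.0/24"], "tcpPorts": "443"},
  {"id": 13, "serviceArea": "Common", "category": "Default", "required": false,
   "urls": ["cdn.example"], "ips": ["192.0.2.0/24"], "tcpPorts": "80,443"}
]
"""

# Constructed flow records, as a VPN client or adapter log might present them:
# destination, protocol, port, and whether the flow went through the tunnel.
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "proto": "udp", "port": 3478, "via": "vpn"},     # media, tunnelled (problem)
    {"dst": "203.0.113.77", "proto": "udp", "port": 3480, "via": "direct"},  # media, split out (intended)
    {"dst": "198.51.100.5", "proto": "tcp", "port": 443, "via": "vpn"},      # signaling, fine over VPN
    {"dst": "192.0.2.9", "proto": "tcp", "port": 443, "via": "vpn"},         # Default category, fine
    {"dst": "10.0.0.53", "proto": "udp", "port": 53, "via": "vpn"},          # internal resolver, unmatched
]

# Lower rank = more important to keep off the VPN; used to break overlaps.
CATEGORY_RANK = {"Optimize": 0, "Allow": 1, "Default": 2}


def parse_ports(spec):
    """Expand a port spec such as '80,443' or '50000-50059' into a set of ints."""
    ports = set()
    if not spec:
        return ports
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def load_endpoints(raw):
    """Parse endpoint JSON into records with compiled networks and port sets."""
    records = []
    for e in json.loads(raw):
        records.append({
            "id": e["id"],
            "category": e["category"],
            "required": e.get("required", False),
            "nets": [ipaddress.ip_network(c) for c in e.get("ips", [])],
            "tcp": parse_ports(e.get("tcpPorts")),
            "udp": parse_ports(e.get("udpPorts")),
        })
    # Optimize entries first so the strictest guidance wins if ranges overlap.
    records.sort(key=lambda r: CATEGORY_RANK.get(r["category"], 9))
    return records


def classify(records, dst, proto, port):
    """Return (category, endpoint id) for a destination, or ('Unmatched', None)."""
    addr = ipaddress.ip_address(dst)
    for r in records:
        if any(addr in n for n in r["nets"]) and port in r[proto]:
            return r["category"], r["id"]
    return "Unmatched", None


def audit_flows(records, flows):
    """Flag Optimize-category flows that traversed the VPN.

    Allow traffic over the tunnel is acceptable per the quoted guidance, and
    Default or unmatched traffic is left to the normal VPN policy.
    """
    findings = []
    for f in flows:
        category, eid = classify(records, f["dst"], f["proto"], f["port"])
        if category == "Optimize" and f["via"] == "vpn":
            findings.append({**f, "endpoint_id": eid, "category": category,
                             "action": "exclude from tunnel (route or firewall rule)"})
    return findings


if __name__ == "__main__":
    recs = load_endpoints(SAMPLE_ENDPOINTS_JSON)
    for f in audit_flows(recs, SAMPLE_FLOWS):
        print(f"id {f['endpoint_id']} {f['category']}: {f['dst']} {f['proto']}/{f['port']} "
              f"via VPN -> {f['action']}")
```

To run this against real data, replace `SAMPLE_ENDPOINTS_JSON` with the body returned by the web service and `SAMPLE_FLOWS` with destinations taken from the VPN adapter's connection table; anything the audit reports is the Optimize traffic the Microsoft article says should be kept off the tunnel by routes or, failing that, a firewall rule.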