Office 365 Network Onboarding tool POC updated with VPN testing

Microsoft

Today we’re announcing an update to the Office 365 network onboarding tool. It now detects use of a VPN and evaluates if the VPN is configured for recommended Office 365 split tunneling. With many companies sending employees to work from home, a scalable and performant VPN implementation supporting Office 365 is one of the top responsibilities that IT faces. Office 365 split tunneling guidance is documented at http://aka.ms/o365vpn.

 

The Office 365 network onboarding tool shows VPN results after the advanced test client is run. Click the Run Tests button to download it; a Windows PC is required.


The advanced test client has the filename format Connectivity.[guid].exe and it is digitally signed by Microsoft Corporation. It is 2.3 Mb and the prerequisite .NET Core runtime for x64 is 51.9 Mb.

 

VPN results show in two lines in the Details and solutions tab. These do not appear if you have not run the advanced test client. The first line identifies if a VPN is in use on the local machine and attempts to identify the name. It shows a red cross if forced tunneling is detected on the VPN. The second line evaluates Office 365 optimize category IP Address ranges and how they are routed.

 

  • Forced tunnel routing means that all of the optimize category IP Addresses for a workload are sent to the VPN tunnel
  • Split tunnel routing means that none of the optimize category IP Addresses for a workload are sent to the VPN tunnel. This is the recommended configuration
  • Selective tunnel routing means that some but not all of the optimize category IP Addresses for a workload are split out as recommended.

 

A description of the optimize category network endpoints can be found at http://aka.ms/pnc.

 

IP Addresses included in the optimize category can be found at http://aka.ms/o365ip.

 

Note that VPN route evaluation is for the Office 365 worldwide commercial instance only. No evaluation is done for other Office 365 service instances.

 

For this release we have also redesigned the advanced test client installer. It now uses the .NET Core 3.1.3 desktop runtime or later. If the prerequisite runtime is not installed, the user is linked to the install web page and has to install it before they can run the test client.

 

https://dotnet.microsoft.com/download/dotnet-core/current/runtime

 

You must install the .NET Core Desktop Runtime. The PC installers are highlighted in this snippet from the web page.

 

 

 

Documentation for the tool is here:

https://docs.microsoft.com/Office365/Enterprise/office-365-network-mac-perf-onboarding-tool

 

FAQ

 

Q. How can I use this to troubleshoot a user’s home internet connectivity for use with Office 365?

A. Ask the user to run the tool and the advanced test client at home and to send you the output. Evaluate the output to find things that could be improved.
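The three routing outcomes listed in the post (forced, split, selective) can be reproduced from a route table. The following is an added example, not code from the tool or from Microsoft. The documentation prefixes, the route entries and the interface names `vpn0` and `eth0` are constructed stand-ins; real optimize ranges come from http://aka.ms/o365ip.

```python
import ipaddress

# Constructed sample data: documentation prefixes stand in for the real
# optimize-category ranges published at http://aka.ms/o365ip.
OPTIMIZE = {
    "Exchange Online": ["192.0.2.0/25", "192.0.2.128/25"],
    "SharePoint Online": ["198.51.100.0/24"],
    "Microsoft Teams": ["203.0.113.0/25", "203.0.113.128/25"],
}

# Constructed route table: (destination prefix, interface, metric).
ROUTES = [
    ("0.0.0.0/0", "vpn0", 1),        # VPN installs the preferred default route
    ("0.0.0.0/0", "eth0", 25),       # physical default route, worse metric
    ("198.51.100.0/24", "eth0", 5),  # SharePoint range split out of the tunnel
    ("203.0.113.0/25", "eth0", 5),   # only half of the Teams ranges split out
]


def interfaces_for(net, routes):
    """Interfaces that carry at least one address in net.

    Selection is longest-prefix match with lowest metric as tie-break.
    If a more specific route sits inside net, net is halved and each
    half is resolved separately, so partial coverage is detected.
    """
    if any(r != net and r.subnet_of(net) for r, _, _ in routes):
        halves = net.subnets(prefixlen_diff=1)
        return set().union(*(interfaces_for(h, routes) for h in halves))
    covering = [(-r.prefixlen, metric, iface)
                for r, iface, metric in routes if net.subnet_of(r)]
    return {min(covering)[2]} if covering else set()


def classify(prefixes, routes, vpn_iface):
    """Return 'forced', 'split' or 'selective' for one workload."""
    parsed = [(ipaddress.ip_network(d), i, m) for d, i, m in routes]
    seen = [interfaces_for(ipaddress.ip_network(p), parsed) for p in prefixes]
    if all(s == {vpn_iface} for s in seen):
        return "forced"      # every optimize address enters the tunnel
    if all(vpn_iface not in s for s in seen):
        return "split"       # no optimize address enters the tunnel
    return "selective"       # some, but not all, bypass the tunnel


def report(vpn_iface="vpn0"):
    return {w: classify(p, ROUTES, vpn_iface) for w, p in OPTIMIZE.items()}


if __name__ == "__main__":
    for workload, result in report().items():
        print(f"{workload}: {result}")
```
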

10 Replies
Great tool, only one thing, I think secure.globalsign.com is down, please check. It is currently giving a 403 forbidden maybe it should be taken out of the tests.

@AndresGorzelany Sorry about this. We have an outstanding work item to improve the testing to specific FQDNs.

 

Paul

best response confirmed by ivbarley (Microsoft)
Solution

We released an updated build today. Updates included in this release:

  • URL parameter tenantName prepopulates the tenant name to test
  • URL parameter details will default results to the Details and Solutions tab
  • Link to the documentation page and removal of the web page embedded FAQ
  • Split tunnel VPN testing can now identify Cisco AnyConnect VPN
  • Fixed multiple rich test client exceptions resulting in stack trace
  • Connectivity test to secure.globalsign.com is corrected
  • Improved error message for when the user denied geolocation
  • Tenant name can now be extracted from .onmicrosoft.com 

@PaulAndrew 

Hi Paul, I've just downloaded the tool, and installed .net core 3.1.3 to run it, but I keep getting the error "To run this application, you must install .NET Core. Would you like to download it now?"

I see a lot of dlls in "C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App\3.1.4", but I'm probably missing something...

@Massimo_Ferrario I think you must have installed the .NET Core server runtime instead of the desktop one. Please get the desktop runtime for Windows here: https://dotnet.microsoft.com/download/dotnet-core/current/runtime

 

Regards,

Paul

Hi @PaulAndrew,
the tool has been running for the last three hours, apparently stuck at "Completed test 247 of 248": does the last test need hours to complete?

According to Resource Monitor, the Connectivity*.exe I launched is currently connected to port 443 of 13.66.138.99, sending a few bytes per second.  

@PaulAndrew We need your advice for the following:

a. When we tried to use this O365 onboarding tool POC through our VPN to collect the connectivity and performance statistics, we experienced "endless looping" where it seems like the tool is unable to locate our location after we clicked on the "Locate Me" icon. The message shows "Please wait while testing is in progress". It seems like something was blocked and the "Locate Me" function is unable to proceed to the next stage.

b. Is there any IP address/URL that may have been blocked that we need to whitelist in our VPN box? 

 

 

@shong Connectivity is required to endpoints.office.com and dev.virtualearth.net

 

Regards,

Paul

@PaulAndrew Thanks for the info. It helps. 🙂
