<LINGO-SUB id="lingo-sub-1447816" slang="en-US">Re: How to Optimize Stream &amp; Live Events traffic in a VPN scenario</LINGO-SUB>
<LINGO-BODY id="lingo-body-1447816" slang="en-US">
<P>Hi <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/73770" target="_blank">@Paul Collinge</A>,</P>
<P>Thank you for sharing this. But obviously some questions come to my mind :)</P>
<P>Is it too much to ask if those three namespaces could be clarified? In which cases are those really used? So far I have not seen any other namespaces for Live Event attendees than *.streaming.mediaservices.windows.net. But when doing an nslookup like:</P>
<P>nslookup endpoint2-prdneucompsvc.streaming.mediaservices.windows.net</P>
<P>I could see aliases which are for other namespaces, but on clients I have not seen those in use. Is that something which you use as a preparation for future purposes?</P>
<P>This same seems to go with Stream videos:</P>
<P><SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Standard Stream service.png" style="width: 400px;"><IMG src="https://gxcuf89792.i.lithium.com/t5/image/serverpage/image-id/197203iB93F383746520F10/image-size/medium?v=1.0&amp;px=400" title="Standard Stream service.png" alt="Standard Stream service.png" /></SPAN></P>
<P>Also, I'm not sure if it is important to clarify that this is only (correct me if I'm wrong) for Live Event attendee traffic (TCP), no matter whether they are accessing the Live Event session via the Teams client or via a browser. But the producers and speakers are still utilizing Teams' own split tunnel solution, with UDP as the preferred protocol. So there is no need for a .PAC file in that case; external name resolution and TCP/IP routing (and FW rules) following your previous article are enough.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1447873" slang="en-US">Re: How to Optimize Stream &amp; Live Events traffic in a VPN scenario</LINGO-SUB>
<LINGO-BODY id="lingo-body-1447873" slang="en-US">
<P>Hi <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/90197" target="_blank">@Petri X</A></P>
<P>There are a whole host of scenarios which will change the endpoint used for the consumption of the service, be it a Live Event in Teams, consuming Stream etc. The Live Events/Stream engineering group have provided the FQDN/IP information to cover as many of those scenarios as comprehensively as possible. As it's intended as a short term solution until the namespaces can be updated to simplify this solution, it isn't something we can break down further as it's a complex array of scenarios.</P>
<P>You can of course just add streaming.mediaservices.windows.net as an FQDN if you wish, but you may possibly find things for the service don't always go direct.</P>
<P>As for the producers of the event, you're correct. If they are using Teams then the traffic will go to the Optimize marked Office 365 endpoints via UDP and there is no FQDN for these endpoints (Row 11 in the URL/IP service). I'll add an FAQ to this effect.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1448051" slang="en-US">Re: How to Optimize Stream &amp; Live Events traffic in a VPN scenario</LINGO-SUB>
<LINGO-BODY id="lingo-body-1448051" slang="en-US">
<P>Thanks for the writeup! I also have a few questions. Is there something on the roadmap for a long term solution? Does this cover Yammer live events as well?</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1448351" slang="en-US">Re: How to Optimize Stream &amp; Live Events traffic in a VPN scenario</LINGO-SUB>
<LINGO-BODY id="lingo-body-1448351" slang="en-US">
<P>Would you not want to split *.streaming.mediaservices.windows.net regardless of destination IP? If you do not do so, then video on demand playback from Stream would not split. For example, playing back a video from Stream I can see it reaches out to <A href="https://i2fso7g2ldtyes64sqwlqn5nug.streaming.mediaservices.windows.net/" target="_blank" rel="noopener nofollow noreferrer">https://i2fso7g2ldtyes64sqwlqn5nug.streaming.mediaservices.windows.net/</A>, which does not resolve to an IP in your list. Similarly, if a user downloads a video that uses, for example, <A href="https://euno-1-content.api.microsoftstream.com/" target="_blank" rel="noopener nofollow noreferrer">https://euno-1-content.api.microsoftstream.com/</A>, it again does not match your whitelist.</P>
<P>Perhaps this article needs to be clear that we are talking about Stream/Teams live events only, and not Stream on demand?</P>
<P data-unlink="true">The O365 IP/URL list also includes:<BR /><BR />amsglob0cdnstream11.azureedge.net and amsglob0cdnstream12.azureedge.net.<BR /><BR />amsglob0cdnstream11.azureedge.net = 152.199.19.160 - Not in the IP list above</P>
<P data-unlink="true">amsglob0cdnstream12.azureedge.net = 152.199.19.161 - In the list above</P>
<P data-unlink="true">Is that correct?</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1454245" slang="en-US">Re: How to Optimize Stream &amp; Live Events traffic in a VPN scenario</LINGO-SUB>
<LINGO-BODY id="lingo-body-1454245" slang="en-US">
<P>When we implement this change for Live Events we see that PowerBI is using "powerapps-ux-prod-ukwest.<STRONG>azureedge.net</STRONG> - <STRONG>152.199.19.161</STRONG>", which according to your rules above will send the traffic direct. From our security point of view we would not want PowerBI going direct. Is the routing direct as expected, or can we limit this to ONLY Live Events traffic?</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1454300" slang="en-US">Re: How to Optimize Stream &amp; Live Events traffic in a VPN scenario</LINGO-SUB>
<LINGO-BODY id="lingo-body-1454300" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/687743" target="_blank">@DaveOBrien</A></P>
<P>This might get a bit complicated, but in the .PAC file you could exclude that host. I was so hoping to hear from Paul that "*.<SPAN>streaming.mediaservices.windows.net</SPAN>" was the only namespace required. But unfortunately these two extra ones appeared, which might add an extra multiplier to the level of challenge. You could try with that domain only to see if that solves it. But as that is against their recommendation, we are quite alone :D</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1456631" slang="en-US">Re: How to Optimize Stream &amp; Live Events traffic in a VPN scenario</LINGO-SUB>
<LINGO-BODY id="lingo-body-1456631" slang="en-US">
<P>I've also seen traffic hit <SPAN>152.199.19.160, which isn't mentioned.</SPAN></P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1456714" slang="en-US">Re: How to Optimize Stream &amp; Live Events traffic in a VPN scenario</LINGO-SUB>
<LINGO-BODY id="lingo-body-1456714" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/696450" target="_blank">@Bailey44</A></P>
<P>That is also interesting. We have also seen the following IPs: 152.199.21.175 &amp; 152.199.19.160 before this announcement, but not after that. Did you manage to find out the hostname for that?</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1456737" slang="en-US">Re: How to Optimize Stream &amp; Live Events traffic in a VPN scenario</LINGO-SUB>
<LINGO-BODY id="lingo-body-1456737" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/696450" target="_blank">@Bailey44</A> could you share via PM the hostname used when you hit 152.199.19.160 and whether this was just the webpage loading or the actual streaming content?</P>
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/90197" target="_blank">@Petri X</A> we scoped in the CDNs to the 152.199.19.161 address for some elements, which is why you see these IPs less now. There are some elements which still use them, but it's possible a CDN has been missed; if so I'll get it fixed.</P>
<P>Thanks both for the feedback, very helpful.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1456756" slang="en-US">Re: How to Optimize Stream &amp; Live Events traffic in a VPN scenario</LINGO-SUB>
<LINGO-BODY id="lingo-body-1456756" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/687743" target="_blank">@DaveOBrien</A> unfortunately because of the need for *.azureedge.net there are various other elements which may get caught by the ruleset; you've found one in PowerApps there. The use of the IPs in the PAC file should scope this down to only a few rare scenarios, but it seems you've tripped over one.</P>
<P>I tried to indicate this in the article but I've made it a bit clearer now. I appreciate it's not a perfect solution and we're working to provide a more specific namespace to work with here which should solve this problem completely, but we wanted to provide something to work with and let customers make the decision on using it as this is a pressing problem for many.</P>
<P>Thanks for the feedback though, again, very useful.</P>
</LINGO-BODY>
<LINGO-SUB id="lingo-sub-1439767" slang="en-US">How to Optimize Stream &amp; Live Events traffic in a VPN scenario</LINGO-SUB>
<LINGO-BODY id="lingo-body-1439767" slang="en-US">
<P class="lia-align-justify">During the current COVID-19 crisis, many organizations have had to rapidly implement a work-from-home model for the majority of their users. For many, this means an enormous increase in load on the VPN infrastructure, as all traffic is traditionally sent via this path, which was invariably not designed for the volume or type of traffic now reliant on it.</P>
<P class="lia-align-justify">To improve performance, and also reduce load on the VPN infrastructure, many customers have achieved significant results by following the <A href="https://docs.microsoft.com/en-us/office365/enterprise/office-365-vpn-implement-split-tunnel" target="_blank" rel="noopener noreferrer">Microsoft guidance to implement split tunneling</A> (or forced tunnel exceptions, to use the correct technical term) on the Optimize-marked Office 365 endpoints. This traffic is high-volume and latency-sensitive, so sending it directly to the service solves the problems outlined above and is also the designed best practice for these endpoints.</P>
<P>Microsoft 365 Live Events (Teams-produced live events and those produced with an external encoder via Teams, Stream, and Yammer) and on-demand Stream traffic are not currently listed in the Optimize category; their endpoints are listed in the ‘Default’ category in the Office 365 URL/IP service. The endpoints are placed in this category because they are hosted on CDNs that may also be used by other services, and as such customers generally prefer to proxy this type of traffic and apply the security controls normally applied to diverse endpoints such as these.</P>
<P class="lia-align-justify">In most organizations the traffic is internally routed via a network path that is designed to cope with the load and provide latency at a level that doesn’t impact service quality. With the switch to large scale remote working, many customers have asked for the information required to connect their users to Stream/Live Events directly from their local internet connection, rather than route the high-volume and latency-sensitive traffic via an overloaded VPN infrastructure. Typically, this is not possible without both dedicated namespaces and accurate IP information for the endpoints, which is not provided for the Default-marked Office 365 endpoints.</P>
<P class="lia-align-justify">Microsoft is working to provide more-defined and service-specific URL/IP data to help simplify connectivity to the service for the VPN connection model, but as you can imagine, for a global SaaS service like Office 365 this is not something which can be achieved overnight. Therefore, in the interim we've been working on methods to meet customer demand for this information. As a result of some changes we were able to perform relatively quickly, we are able to provide the following steps to allow direct connectivity to the service from a client using a forced tunnel VPN.</P>
<P class="lia-align-justify">This is slightly more complex than normal to implement (requiring an extra function in the PAC file) but should provide a solution to this challenge until such time as we can rearchitect the endpoints so as to simplify connectivity requirements.</P>
<P class="lia-align-justify">Please note, there may be service elements which don't resolve to the IP addresses provided and thus traverse the VPN, but the bulk of high volume traffic (e.g. streaming data) should go direct. There may also be other service elements outside the scope of Live Events/Stream, such as PowerApps, which get caught by this offload, but these should be rare as they have to meet both the FQDN <EM>and</EM> the IP match before going direct.</P>
<P class="lia-align-justify">As noted, this is intended to be a temporary solution to provide customers some level of relief to use at their discretion whilst we work through engineering changes to simplify and scope this traffic optimization.</P>
<P class="lia-align-justify">To implement the forced tunnel exception for Teams Live Events and Stream, the following steps should be applied:</P>
<P><STRONG><U>1. External DNS resolution.</U></STRONG></P>
<P class="lia-align-justify">The client needs external, recursive DNS resolution to be available for the following FQDNs so it can resolve host names to IPs.</P>
<UL>
<LI>*.streaming.mediaservices.windows.net</LI>
<LI>*.azureedge.net</LI>
<LI>*.media.azure.net</LI>
</UL>
<P class="lia-align-justify">It is important to note that it is not advised to use just these URLs to configure VPN offload, even if technically possible in your VPN solution (e.g. if it works at the FQDN rather than IP level). This is because some of these endpoints are shared with other elements outside of Stream/Live Events, and as such the IPs provided below are not comprehensive for those FQDNs, but are for Teams Live Events/Stream. (Note: FQDNs are not required in the VPN configuration; they are purely for use in PAC files in combination with the IPs to send the relevant traffic direct.)</P>
<P><STRONG><U>2. PAC file changes (where required)</U></STRONG></P>
<P class="lia-align-justify">In most organizations, a PAC file will be used in a VPN scenario to configure the client to send traffic either direct or via the internal proxy server. Normally this is achieved using FQDNs. However, with Stream/Live Events, the namespace provided currently includes wildcards such as *.azureedge.net, which also encompass other elements for which it is not possible to provide full IP listings. Thus, if the wildcard is sent direct, traffic to those other endpoints will be blocked, as there is no route via the direct path for it in step 3.</P>
<P class="lia-align-justify">To solve this, we’re able to provide the following IPs and use them in combination with the FQDNs in section 1 for Stream/Live Events in an example PAC file. The PAC file first checks whether the host name matches the FQDNs used for Stream/Live Events; only if it does, it then also checks whether the IP returned from a DNS lookup matches those provided for the service. If <EM><STRONG>both</STRONG></EM> match, the traffic is routed direct. If either element (FQDN/IP) doesn’t match, the traffic is sent to the proxy. This way we ensure anything which resolves to an IP outside the scope of Stream/Live Events will traverse the proxy via the VPN as normal.</P>
<P><U><STRONG>Table 1: IP addresses for Live Events &amp; Stream</STRONG></U></P>
<TABLE>
<TBODY>
<TR><TD><P>IPv4</P></TD><TD><P>IPv6</P></TD></TR>
<TR><TD><P>72.21.81.200</P></TD><TD><P>2606:2800:011F:17A5:191A:18D5:0537:22F9</P></TD></TR>
<TR><TD><P>152.199.19.161</P></TD><TD><P>2606:2800:133:206E:1315:22A5:2006:24FD</P></TD></TR>
<TR><TD><P>117.18.232.200</P></TD><TD><P>2606:2800:0147:120F:030C:1BA0:0FC6:265A</P></TD></TR>
<TR><TD><P>192.16.48.200</P></TD><TD><P>2606:2800:0157:1508:1539:0174:1A75:1191</P></TD></TR>
<TR><TD><P>93.184.215.201</P></TD><TD><P>2606:2800:11F:7DE:D31:7DB:168F:1225</P></TD></TR>
<TR><TD><P>68.232.34.200</P></TD><TD><P>2606:2800:133:F17:19E8:2356:251B:02A9</P></TD></TR>
<TR><TD><P>192.229.232.200</P></TD><TD><P>2606:2800:0147:0FF8:129B:22EB:020B:1347</P></TD></TR>
</TBODY>
</TABLE>
<P class="lia-align-justify">To implement this in a PAC file you can use the following example, which sends the Office 365 Optimize traffic direct (which is recommended best practice) via FQDN, and the critical Stream/Live Events traffic direct via a combination of the FQDN and the returned IP address. <EM>Contoso</EM> would need to be edited to your specific tenant name, where <EM>contoso</EM> is from contoso.onmicrosoft.com.</P>
<P><U><STRONG>Example PAC file</STRONG></U></P>
<PRE>
function FindProxyForURL(url, host)
{
    var direct = "DIRECT";
    var proxyServer = "PROXY 10.1.2.3:8081";

    // Office 365 Optimize endpoints direct
    if (shExpMatch(host, "outlook.office.com")
        || shExpMatch(host, "outlook.office365.com")
        || shExpMatch(host, "contoso.sharepoint.com")
        || shExpMatch(host, "contoso-my.sharepoint.com"))
    {
        return direct;
    }

    /* Don't proxy Stream/Live Events traffic */
    if (shExpMatch(host, "*.streaming.mediaservices.windows.net")
        || shExpMatch(host, "*.azureedge.net")
        || shExpMatch(host, "*.media.azure.net"))
    {
        // DNS lookup is only performed once the FQDN has matched
        var resolved_ip = dnsResolve(host);

        if (isInNet(resolved_ip, '72.21.81.200', '255.255.255.255') ||
            isInNet(resolved_ip, '152.199.19.161', '255.255.255.255') ||
            isInNet(resolved_ip, '117.18.232.200', '255.255.255.255') ||
            isInNet(resolved_ip, '192.16.48.200', '255.255.255.255') ||
            isInNet(resolved_ip, '93.184.215.201', '255.255.255.255') ||
            isInNet(resolved_ip, '68.232.34.200', '255.255.255.255') ||
            isInNet(resolved_ip, '192.229.232.200', '255.255.255.255'))
        {
            return direct;
        }
    }

    // Default Traffic Forwarding.
    return proxyServer;
}
</PRE>
<P>It’s worth stressing again that it is not advised to attempt to perform the VPN offload using just the FQDNs; utilizing both the FQDNs and the IPs in the function helps scope the use of this offload to just Stream/Live Events. The way the function is structured means that a DNS lookup is performed only if the FQDN matches those listed, i.e. DNS does not have to be performed for all namespaces used by the client.</P>
<P><STRONG><U>3. Configure routing on the VPN to enable direct egress</U></STRONG></P>
<P>The final element is to add a direct route for the Live Event IPs in Table 1 into the VPN configuration to ensure the traffic is not sent via the forced tunnel into the VPN. Detailed information on how to do this for the Office 365 Optimize endpoints can be found in the split tunneling article linked above, and the process is exactly the same for the Stream/Live Events IPs listed in this document. Note that only the IPs (not FQDNs) published above should be used for VPN configuration.</P>
<P><STRONG><U>FAQ:</U></STRONG></P>
<P><STRONG>Question: Will this send all my traffic for the service direct?</STRONG></P>
<P><STRONG>Answer</STRONG>: No, this will send the latency-sensitive streaming traffic for a Live Event or Stream video direct; any other traffic will continue to use the VPN tunnel if it does not resolve to the published IPs.</P>
<P><STRONG>Question: Do I need to use the IPv6 addresses?</STRONG></P>
<P><STRONG>Answer</STRONG>: No, the connectivity can be IPv4 only if required.</P>
<P><STRONG>Question: Why are these IPs not published in the Office 365 URL/IP service?</STRONG></P>
<P class="lia-align-left"><STRONG>Answer</STRONG>: Microsoft has strict controls around the format and type of information that is in the service to ensure customers can reliably use the information to implement secure and optimal routing based on endpoint category.</P>
<P>The default endpoint category has no IP infor
mation%20provided%20for%20numerous%20reasons%2C%20such%20as%20it%20being%20outside%20of%20the%20control%20of%20Microsoft%2C%20is%20too%20large%2C%20or%20changes%20too%20frequently%2C%20or%20is%20in%20blocks%20shared%20with%20other%20elements.%20For%20this%20reason%20Default%20marked%20endpoints%20are%20designed%20to%20be%20sent%20via%20FQDN%20to%20an%20inspecting%20proxy%2C%20like%20normal%20web%20traffic.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20case%2C%20the%20above%20endpoints%20are%20CDNs%20that%20may%20be%20used%20by%20other%20elements%20other%20than%20Live%20Events%20or%20Stream%2C%20and%20thus%20sending%20the%20traffic%20direct%20will%20also%20mean%20anything%20else%20which%20resolves%20to%20these%20IPs%20will%20also%20be%20sent%20direct%20from%20the%20client.%20Due%20to%20the%20unique%20nature%20of%20the%20current%20global%20crisis%20and%20to%20meet%20the%20short-term%20needs%20of%20our%20customers%2C%20Microsoft%20has%20provided%20the%20information%20above%20for%20customers%20to%20use%20as%20they%20see%20fit.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20is%20working%20to%20reconfigure%20the%20Live%20Events%20endpoints%20to%20allow%20them%20to%20be%20included%20in%20the%20Allow%2FOptimize%20endpoint%20categories%20at%20a%20later%20date.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-left%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EQuestion%3A%26nbsp%3B%20%26nbsp%3BDo%20I%20only%20need%20to%20allow%20access%20to%20these%20IPs%3F%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAnswer%3C%2FSTRONG%3E%3A%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3BNo%2C%20access%20to%20all%20of%20the%20%E2%80%98Required%E2%80%99%20marked%20endpoints%20in%20-ERR%3AREF-NOT-FOUND-the%20URL%2FIP%20service%20is%20essential%20for%20the%20service%20to%20operate.%20In%20addition%2C%20any%20Optional%20endpoint%20marked%20for%20Stream%20(ID%2041-45)%26nbsp%3Bare%26nbsp%3Brequired.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E
%0A%3CP%3E%3CSTRONG%3EQuestion%3A%26nbsp%3B%20%26nbsp%3BWhat%20scenarios%20will%20this%20advice%20cover%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAnswer%3A%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20Live%20events%20produced%20within%20the%20Teams%20App%3C%2FP%3E%0A%3CP%3E2.%20Viewing%20Stream%20hosted%20content%3C%2FP%3E%0A%3CP%3E3.%20External%20device%20(encoder)%20produced%20events%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EQuestion%3A%26nbsp%3B%20%26nbsp%3BDoes%20this%20advice%20cover%20presenter%20traffic%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAnswer%3A%26nbsp%3B%3C%2FSTRONG%3E%20It%20does%20not%2C%20the%20advice%20above%20is%20purely%20for%20those%20consuming%20the%20service.%20Presenting%20from%20within%20Teams%20will%20see%20the%20presenter's%20traffic%20flowing%20to%20the%20Optimize%20marked%20UDP%20endpoints%20listed%20in%20URL%2FIP%20service%20row%2011%20with%20detailed%20VPN%20offload%20advice%20outlined%20-ERR%3AREF-NOT-FOUND-here%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1439767%22%20slang%3D%22en-US%22%3E%3CP%3EHow%20to%20Optimize%20Stream%20and%20Live%20Event%20traffic%20when%20using%20a%20Forced%20Tunnel%20VPN%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1439767%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ELive%20Events%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESplit%20Tunnel%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EStream%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETeams%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Evpn%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1489876%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20Optimize%20Stream%20%26amp%3B%20Live%20Events%20traffic%20in%20a%20VPN%20scenario%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1489876%22%20slang%3D%22en-US%22%3E%3CP%3EFYI%20-%20another%20conflict%20to%2
0consider%20when%20working%20with%20split%20tunnels%2C%20especially%20based%20on%20URLs%20is%20Anti%20Virus.%20For%20example%2C%20Sophos%20(when%20web%20control%20enabled)%20does%20some%20kind%20of%20local%20proxy%20for%20all%20HTTPS%20traffic.%20And%20this%20bleaks%20VPN%20client%20attempts%20to%20exclude%20this%20traffic%20from%20the%20tunnel.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDetails%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.sophos.com%2Fkb%2Fen-us%2F135185%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESophos%20KB%20135185%20-%20Palo%20Alto%20GlobalConnect%20VPN%20in%20Domain%20Split%20Tunnel%20Mode%20incompatible%20with%20Sophos%20Endpoint%20Web%20Protection%20or%20Web%20Control%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

During the current COVID-19 crisis, many organizations have had to rapidly implement a work-from-home model for the majority of their users. For many, this means an enormous increase in load on the VPN infrastructure, as all traffic is traditionally sent via this path, which was invariably not designed for the volume or type of traffic now reliant on it.

 

To improve performance and reduce load on the VPN infrastructure, many customers have achieved significant results by following the Microsoft guidance to implement split tunneling (or forced tunnel exceptions, to use the correct technical term) for the Optimize-marked Office 365 endpoints. This traffic is high-volume and latency-sensitive, so sending it directly to the service solves the problems outlined above and is also the designed best practice for these endpoints.

 

Microsoft 365 Live Events (Teams-produced live events and those produced with an external encoder via Teams, Stream, and Yammer) and on-demand Stream traffic are not currently listed in the Optimize category; their endpoints are listed in the ‘Default’ category in the Office 365 URL/IP service. The endpoints are in this category because they are hosted on CDNs that may also be used by other services, and as such customers generally prefer to proxy this type of traffic and apply the security controls normally applied to diverse endpoints such as these.

 

In most organizations the traffic is internally routed via a network path that is designed to cope with the load and provide latency at a level that doesn’t impact service quality. With the switch to large-scale remote working, many customers have asked for the information required to connect their users to Stream/Live Events directly from their local internet connection, rather than route the high-volume and latency-sensitive traffic via an overloaded VPN infrastructure. Typically, this is not possible without both dedicated namespaces and accurate IP information for the endpoints, neither of which is provided for the Default-marked Office 365 endpoints.

 

Microsoft is working to provide more-defined and service-specific URL/IP data to simplify connectivity to the service for the VPN connection model, but as you can imagine, for a global SaaS service like Office 365 this is not something which can be achieved overnight. Therefore, we have been working on interim methods to meet customer demand for this information. As a result of some changes we were able to perform relatively quickly, we are able to provide the following steps to allow direct connectivity to the service from a client using a forced tunnel VPN.

This is slightly more complex than normal to implement (requiring an extra function in the PAC file) but should provide a solution to this challenge until such time as we can rearchitect the endpoints to simplify the connectivity requirements.

Please note, there may be service elements which don't resolve to the IP addresses provided and thus traverse the VPN, but the bulk of the high-volume traffic (e.g. streaming data) should go direct. There may also be other service elements outside the scope of Live Events/Stream, such as PowerApps, which get caught by this offload, but these should be rare as they have to match both the FQDN and the IP before going direct.

 

As noted, this is intended to be a temporary solution to provide customers some level of relief to use at their discretion whilst we work through engineering changes to simplify and scope this traffic optimization. 

 

To implement the Forced tunnel exception for Teams Live Events and Stream, the following steps should be applied:

 

1. External DNS resolution.

 

The client needs external, recursive DNS resolution to be available for the following FQDNs, so that it can resolve these host names to IPs.

 

  • *.streaming.mediaservices.windows.net
  • *.azureedge.net
  • *.media.azure.net

It is important to note that it is not advised to use just these URLs to configure VPN offload, even if that is technically possible in your VPN solution (e.g. if it works at the FQDN rather than IP level). Some of these endpoints are shared with other elements outside of Stream/Live Events, so the IPs provided below are not comprehensive for those FQDNs, but they are comprehensive for Teams Live Events/Stream. (Note that FQDNs are not required in the VPN configuration; they are purely for use in PAC files, in combination with the IPs, to send the relevant traffic direct.)

 

2. PAC file changes (Where required)

 

In most organizations, a PAC file will be used in a VPN scenario to configure the client to send traffic either direct or via the internal proxy server. Normally this is achieved using FQDNs. However, with Stream/Live Events, the namespace provided currently includes wildcards such as *.azureedge.net, which also encompass other elements for which it is not possible to provide full IP listings. Thus, if the wildcard is sent direct, traffic to those other endpoints will be blocked, as there is no route for it via the direct path configured in step 3.

 

To solve this, we are able to provide the following IPs and use them in combination with the FQDNs in section 1 in an example PAC file for Stream/Live Events. The PAC file checks whether the URL matches those used for Stream/Live Events, and if it does, it also checks whether the IP returned from a DNS lookup matches those provided for the service. If both match, the traffic is routed direct. If either element (FQDN/IP) doesn’t match, the traffic is sent to the proxy. This way we ensure that anything which resolves to an IP outside the scope of Stream/Live Events will traverse the proxy via the VPN as normal.

 

Table 1: IP addresses for Live Events & Stream

IPv4              IPv6
72.21.81.200      2606:2800:011F:17A5:191A:18D5:0537:22F9
152.199.19.161    2606:2800:133:206E:1315:22A5:2006:24FD
117.18.232.200    2606:2800:0147:120F:030C:1BA0:0FC6:265A
192.16.48.200     2606:2800:0157:1508:1539:0174:1A75:1191
93.184.215.201    2606:2800:11F:7DE:D31:7DB:168F:1225
68.232.34.200     2606:2800:133:F17:19E8:2356:251B:02A9
192.229.232.200   2606:2800:0147:0FF8:129B:22EB:020B:1347

 

To implement this in a PAC file you can use the following example, which sends the Office 365 Optimize traffic direct (the recommended best practice) via FQDN, and the critical Stream/Live Events traffic direct via a combination of the FQDN and the returned IP address. "contoso" would need to be edited to your specific tenant name, where contoso is taken from contoso.onmicrosoft.com.

 

Example PAC file

function FindProxyForURL(url, host)
{
    var direct = "DIRECT";
    var proxyServer = "PROXY 10.1.2.3:8081";

    // Office 365 Optimize endpoints direct (FQDN match only)
    if (shExpMatch(host, "outlook.office.com")
        || shExpMatch(host, "outlook.office365.com")
        || shExpMatch(host, "contoso.sharepoint.com")
        || shExpMatch(host, "contoso-my.sharepoint.com"))
    {
        return direct;
    }

    /* Don't proxy Stream/Live Events traffic. The FQDN check runs first,
       so the DNS lookup below is only performed for these namespaces. */
    if (shExpMatch(host, "*.streaming.mediaservices.windows.net")
        || shExpMatch(host, "*.azureedge.net")
        || shExpMatch(host, "*.media.azure.net"))
    {
        var resolved_ip = dnsResolve(host);

        // Only go direct when the resolved IP is one published in Table 1
        if (isInNet(resolved_ip, '72.21.81.200', '255.255.255.255') ||
            isInNet(resolved_ip, '152.199.19.161', '255.255.255.255') ||
            isInNet(resolved_ip, '117.18.232.200', '255.255.255.255') ||
            isInNet(resolved_ip, '192.16.48.200', '255.255.255.255') ||
            isInNet(resolved_ip, '93.184.215.201', '255.255.255.255') ||
            isInNet(resolved_ip, '68.232.34.200', '255.255.255.255') ||
            isInNet(resolved_ip, '192.229.232.200', '255.255.255.255'))
        {
            return direct;
        }
    }

    // Default Traffic Forwarding.
    return proxyServer;
}

 

 

It’s worth stressing again that it is not advised to attempt the VPN offload using just the FQDNs; using both the FQDNs and the IPs in the function scopes this offload to just Stream/Live Events. The way the function is structured means that a DNS lookup is performed only if the FQDN matches those listed, i.e. DNS does not have to be performed for all namespaces used by the client.
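
The following is an added example, not the article's PAC file: the FQDN-then-IP decision from section 2 modelled so that it runs under Node, with the PAC runtime helpers (shExpMatch, isInNet, dnsResolve) stubbed in. It uses the Table 1 IPv4 addresses, constructed resolver answers (the hostname/IP pairs are those reported in the article's comments, no real DNS is consulted), a lookup counter to show that dnsResolve is only called for the Stream/Live Events namespaces, and a hypothetical KEEP_ON_PROXY exclusion list for hosts such as the PowerApps case the article mentions. It also puts the FQDN-only offload the article warns against beside the FQDN+IP version, and shows which hosts would be black-holed under each because only Table 1 IPs have a direct route in step 3.

```javascript
// Added example, not the article's own PAC file: the FQDN-then-IP decision
// modelled so it runs under Node. shExpMatch, isInNet and dnsResolve are
// stand-ins for the PAC runtime; FAKE_DNS holds constructed answers and
// KEEP_ON_PROXY is a hypothetical addition.

const STREAM_FQDNS = [
  "*.streaming.mediaservices.windows.net",
  "*.azureedge.net",
  "*.media.azure.net",
];

// Table 1 IPv4 addresses from the article; step 3 gives these direct (/32) routes.
const STREAM_IPS = [
  "72.21.81.200", "152.199.19.161", "117.18.232.200", "192.16.48.200",
  "93.184.215.201", "68.232.34.200", "192.229.232.200",
];

// Constructed resolver answers for the demonstration (pairs as reported in the comments).
const FAKE_DNS = {
  "endpoint2-prdneucompsvc.streaming.mediaservices.windows.net": "72.21.81.200",
  "amsglob0cdnstream12.azureedge.net": "152.199.19.161",
  "amsglob0cdnstream11.azureedge.net": "152.199.19.160",      // not in Table 1
  "powerapps-ux-prod-ukwest.azureedge.net": "152.199.19.161", // shared CDN IP
  "example.com": "93.184.216.34",
};

// Hypothetical exclusion list: hosts that match the wildcards but should stay on the proxy.
const KEEP_ON_PROXY = ["powerapps-ux-prod-ukwest.azureedge.net"];

// --- stand-ins for the PAC runtime helpers --------------------------------

// shExpMatch: '*' matches any run, '?' one character; anchored at both ends so
// "a.azureedge.net.example" does not match "*.azureedge.net".
function shExpMatch(str, pattern) {
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function ipToInt(ip) {
  if (typeof ip !== "string") return null;          // dnsResolve returned null
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// isInNet: true when ip and pattern agree on every bit set in mask.
function isInNet(ip, pattern, mask) {
  const a = ipToInt(ip), b = ipToInt(pattern), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

let dnsLookups = 0;                                  // how often the resolver was consulted
function dnsResolve(host) {
  dnsLookups += 1;
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}
function getDnsLookups() { return dnsLookups; }
function resetDnsLookups() { dnsLookups = 0; }

// --- the article's decision logic -----------------------------------------

function FindProxyForURL(url, host) {
  const direct = "DIRECT";
  const proxyServer = "PROXY 10.1.2.3:8081";

  // Optimize endpoints go direct on FQDN alone ("contoso" is the article's placeholder tenant).
  if (shExpMatch(host, "outlook.office.com") || shExpMatch(host, "outlook.office365.com") ||
      shExpMatch(host, "contoso.sharepoint.com") || shExpMatch(host, "contoso-my.sharepoint.com")) {
    return direct;
  }

  // Stream/Live Events: the FQDN test runs first, so dnsResolve is only
  // called for these namespaces, never for every hostname the client uses.
  if (STREAM_FQDNS.some(p => shExpMatch(host, p))) {
    if (KEEP_ON_PROXY.includes(host)) return proxyServer;
    const resolved = dnsResolve(host);
    if (STREAM_IPS.some(ip => isInNet(resolved, ip, "255.255.255.255"))) return direct;
  }
  return proxyServer;                                // default traffic forwarding
}

// The approach the article advises against: offload on FQDN alone.
function findProxyFqdnOnly(url, host) {
  return STREAM_FQDNS.some(p => shExpMatch(host, p)) ? "DIRECT" : "PROXY 10.1.2.3:8081";
}

// Wire-level consequence of a decision: DIRECT only works when the VPN has a
// direct route for the resolved IP (Table 1); otherwise the flow is black-holed.
function outcome(pacFn, host) {
  if (pacFn("https://" + host + "/", host) !== "DIRECT") return "via-vpn-proxy";
  return STREAM_IPS.includes(FAKE_DNS[host]) ? "direct-ok" : "direct-blackholed";
}

for (const host of Object.keys(FAKE_DNS)) {
  console.log(host.padEnd(62), "fqdn-only:", outcome(findProxyFqdnOnly, host).padEnd(18),
              "fqdn+ip:", outcome(FindProxyForURL, host));
}
```

Running it prints one line per constructed host: amsglob0cdnstream11.azureedge.net (152.199.19.160) would be black-holed under the FQDN-only rule but stays on the VPN under the FQDN+IP rule, while the lookup counter confirms that outlook.office.com and example.com never reach dnsResolve. The exclusion list is evaluated before the lookup, so an excluded host costs no DNS round trip either.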

 

3. Configure routing on the VPN to enable direct egress

 

The final element is to add a direct route for the Live Event IPs in Table 1 to the VPN configuration, to ensure the traffic is not sent via the forced tunnel into the VPN. Detailed information on how to do this for the Office 365 Optimize endpoints can be found in this article, and the process is exactly the same for the Stream/Live Events IPs listed in this document. Note that only the IPs (not FQDNs) published above should be used for VPN configuration.

 

 

FAQ:

 

Question:  Will this send all my traffic for the service direct?

Answer:    No, this will send the latency-sensitive streaming traffic for a Live Event or Stream video direct; any other traffic will continue to use the VPN tunnel if it does not resolve to the IPs published.

 

Question:  Do I need to use the IPv6 Addresses?

Answer:     No, the connectivity can be IPv4 only if required.

 

Question:  Why are these IPs not published in the Office 365 URL/IP service?

Answer:    Microsoft has strict controls around the format and type of information that is in the service to ensure customers can reliably use the information to implement secure and optimal routing based on endpoint category.

 

The Default endpoint category has no IP information provided, for numerous reasons: the endpoints may be outside of Microsoft's control, too large, changing too frequently, or in blocks shared with other elements. For this reason Default-marked endpoints are designed to be sent via FQDN to an inspecting proxy, like normal web traffic.

 

In this case, the above endpoints are CDNs that may be used by elements other than Live Events or Stream, and thus sending the traffic direct will also mean that anything else which resolves to these IPs will be sent direct from the client. Due to the unique nature of the current global crisis and to meet the short-term needs of our customers, Microsoft has provided the information above for customers to use as they see fit.

 

Microsoft is working to reconfigure the Live Events endpoints to allow them to be included in the Allow/Optimize endpoint categories at a later date.

 

 

Question:   Do I only need to allow access to these IPs? 

Answer:     No, access to all of the ‘Required’ marked endpoints in the URL/IP service is essential for the service to operate. In addition, any Optional endpoints marked for Stream (ID 41-45) are required.

 

Question:   What scenarios will this advice cover?

Answer: 

 

1. Live events produced within the Teams App

2. Viewing Stream hosted content

3. External device (encoder) produced events

 

Question:   Does this advice cover presenter traffic?

Answer:  It does not; the advice above is purely for those consuming the service. Presenting from within Teams will see the presenter's traffic flowing to the Optimize-marked UDP endpoints listed in URL/IP service row 11, with detailed VPN offload advice outlined here.

 

 

 

 

11 Comments
Regular Contributor

Hi @Paul Collinge,

Thank you for sharing this. But obviously some questions come to my mind :)

 

Is it too much to ask if those three namespaces could be clarified? In which cases are those really used? So far I have not seen any other namespaces for Live Event attendees than *.streaming.mediaservices.windows.net. But when doing an nslookup like:

nslookup endpoint2-prdneucompsvc.streaming.mediaservices.windows.net

I could see aliases which are for other namespaces, but on clients I have not seen those in use. Is that something which you use as a preparation for future purposes?

 

This same seems to go with Stream videos:

[Image: Standard Stream service.png]

 

Also, I'm not sure if it is important to clarify that this is only (correct me if I'm wrong) for Live Event attendees' traffic (TCP), no matter if they are looking for the Live Event session via the Teams client or via browsers. But the producers and speakers are still utilizing Teams' own split tunnel solution and having UDP as the preferred protocol. So there is no need for a .PAC file in that case. Only external name resolution and TCP/IP routing is enough (and FW rules), following your previous article.

Microsoft

Hi @Petri X 

There are a whole host of scenarios which will change the endpoint used for the consumption of the service, be it a Live Event in Teams, consuming Stream etc. The Live Events/Stream engineering group have provided the FQDN/IP information to cover as many of those scenarios as comprehensively as possible. As it's intended as a short-term solution until the namespaces can be updated to simplify this solution, it isn't something we can break down further as it's a complex array of scenarios.

You can of course just add streaming.mediaservices.windows.net as an FQDN if you wish, but you may possibly find things for the service don't always go direct.

 

As for the producers of the event, you're correct. If they are using Teams then the traffic will go to the Optimize marked Office 365 endpoints via UDP and there is no FQDN for these endpoints (Row 11 in the URL/IP service).  I'll add an FAQ to this effect. 

Super Contributor

Thanks for the writeup!  I also have a few questions.  Is there something on the roadmap for a long term solution?  Does this cover Yammer live events as well?  

New Contributor

Would you not want to split *.streaming.mediaservices.windows.net regardless of destination IP, as if you do not do so then video on demand playback from Stream would not split? For example, playing back a video from Stream I can see it reaches out to https://i2fso7g2ldtyes64sqwlqn5nug.streaming.mediaservices.windows.net/ which does not resolve to an IP in your list. Similarly, if a user downloads a video that uses, for example, https://euno-1-content.api.microsoftstream.com/ it again does not match your whitelist.

 

Perhaps this article needs to be clear that we are talking about Stream/Teams live events only, and not Stream on demand?

 

The O365 IP/URL list also includes:

amsglob0cdnstream11.azureedge.net and  amsglob0cdnstream12.azureedge.net.  


amsglob0cdnstream11.azureedge.net = 152.199.19.160 - Not in the IP list above

amsglob0cdnstream12.azureedge.net = 152.199.19.161 - In the list above

 

Is that correct?

Frequent Visitor

When we implement this change for Live Events we see that PowerBI is using "powerapps-ux-prod-ukwest.azureedge.net - 152.199.19.161" which according to your rules above will send the traffic direct. From our security point of view we would not want PowerBI going direct. Is the routing direct as expected, or can we limit this to ONLY Live Events traffic?

Regular Contributor

@DaveOBrien 

This might get a bit complicated, but in the .PAC file you could exclude that host. I was wishing so much to hear from Paul that "*.streaming.mediaservices.windows.net" was the only namespace required. But unfortunately these two extra ones appeared, which might cause an extra multiplier for the challenge level. You could try with that domain only to see if that solves it. But as that is against their recommendation, we are quite alone :D

 

Frequent Visitor

I've also seen traffic hit 152.199.19.160 which isn't mentioned

Regular Contributor

@Bailey44 

That is also interesting. We have also seen the following IPs: 152.199.21.175 & 152.199.19.160 before this announcement. But not after that. Did you manage to find out the host name for that?

Microsoft

@Bailey44  could you share via PM the hostname used when you hit 152.199.19.160 and whether this was just the webpage loading or the actual streaming content?

@Petri X we scoped in the CDNs to the 152.199.19.161 address for some elements, which is why you see these IPs less now. There are some elements which still use them, but it's possible a CDN has been missed; if so I'll get it fixed.

 

Thanks both for the feedback, very helpful.

Microsoft

@DaveOBrien unfortunately because of the need for *.azureedge.net there are various other elements which may get caught by the ruleset, you've found one in PowerApps there. The use of the IPs in the PAC file should scope this down to only a few rare scenarios but it seems you've tripped over one.

 

I tried to indicate this in the article but I've made it a bit clearer now. I appreciate it's not a perfect solution and we're working to provide a more specific namespace to work with here, which should solve this problem completely, but we wanted to provide something to work with and let customers make the decision on using it, as this is a pressing problem for many.

 

Thanks for the feedback though, again, very useful. 

Occasional Contributor

FYI - another conflict to consider when working with split tunnels, especially those based on URLs, is anti-virus. For example, Sophos (when web control is enabled) does some kind of local proxy for all HTTPS traffic. And this breaks VPN client attempts to exclude this traffic from the tunnel.

 

Details - Sophos KB 135185 - Palo Alto GlobalConnect VPN in Domain Split Tunnel Mode incompatible with Sophos Endpoint Web Protection or Web Control (https://community.sophos.com/kb/en-us/135185)