How to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure

Maybe App Proxy can help.  That way Conditional Access/Zero Trust can be used and better security can be implemented.
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy

Good article. You should link to the official documentation of the IP ranges: https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges instead of just posting them since they might change and the docs should always be up to date.

@Dennis Gaida Indeed, good advice but the article does already make a clear warning to check for updates, links to the URL/IP page, REST API and a script to query the web service for updates.

Great article, MFA could be leverage with this solution as well.

Thank you for sharing this valuable information.
COVID-19 should be an opportunity to enterprise to think move forward with zero-trust and software-defined perimeter (SDP). 

Agree with Zied about zero-trust.  I am not sure how software-defined perimeter can help.  Can you collaborate a bit more?

I think the Graph Security API (https://docs.microsoft.com/en-us/graph/security-concept-overview) can help vendors interconnect with each other and allow more granular policies to be implemented including:

• Is the user account compromised?
• Is the user account using MFA?
• Is the user connecting from on-prem or from outside?
• Is the user connecting from a US IP or maybe Russia?
• Is the system managed?
• Is the system compliance?
• Is the system showing Indication of Compromise?
• Is the data sensitive?

And others ..  This will start help environments to use deep verifications and true Zero Trust

Could I get a clarification on something? In response to Q1 you say to send authentication traffic over the VPN. Does this mean that I could then use conditional access rules to determine that the connection is from a trusted network and allow access that way?

Thanks in advance.

HI @TonyJ25 

                        You are 100% correct. If you continue to send the authentication traffic down the VPN so it can be egressed through your corporate internet connection then IP based conditional access rules will continue to apply, even though the user is able to connect directly to the service endpoint for the split tunnelled (Optimize marked) endpoints.

For example you may set a rule that authentication tokens for your tenant are only issued if the auth request originates from an IP block you own. Obviously this will then cause remote users doing direct authentication to fail, as the source will be their ISP's IP address. 

However, authentication traffic is relatively low volume and not massively latency sensitive so is absolutely fine to continue to hairpin this through a corporate VPN. 

That way the only way someone outside your corporate network can get a token to access your Office 365 tenant is:

A. They have the correct credentials to do so

and also

B. They also have a device with the rights and configuration to be able to VPN into your corporate network to send the authentication request via there. 

If you're using Tenant restrictions to prevent authentication to untrusted tenants then this will also continue to apply if auth traffic is sent into the corporate network via the VPN, the proxy implementing the feature will continue to manage the traffic and apply the policies set. 

Once they have the relevant token, this can then be used to access the service endpoint directly via the split tunnel. This way we continue to ensure a high level of security whilst bypassing the VPN bottleneck for the high volume and latency sensitive traffic to/from the service.

You can obviously add other conditional access elements where necessary such as User Attributes, Device state, Application, Risk etc and make risk based decisions based on the results such as Block, Allow, Require MFA. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview gives a good overview. 

Hope that helps!

Hi @Paul Collinge, we currently have all O365 bound routed via our corporate VPN.  We also use Tenant Restrictions and must continue to use it.  We are looking to implement split tunnelling for when our users are remote working and I expect to route both the Optimize & the Allow categorised endpoints directly.  We will therefore still need to route the 3 Tenant Restrictions URLs via the VPN and out via our Proxy and will send the Default categorised endpoints also via VPN & Proxy.

At the same time we are looking to deploy PAC files so that when our users are in the office\within the corporate network the Optimize & Allow (minus the 3 Tenant Restriction URLs) bypass our Proxy and route direct via Firewalls.

My questions are:

1) Do we need a PAC file for proxy bypass to support our target remote working/spilt tunnelling solution?

2) If we do not need a PAC file, will the use of a PAC file impact our target remote working/spilt tunnelling solution?

3) If we do need a PAC file, will it need to be different from the PAC file that will be used when our users are in the office\within the corporate network?

Thanks in advance :-).

@Paul Collinge  Re: @TonyJ25 

How do we separate the authentication traffic from the general traffic in order to obtain the authentication token from the internal IPs?  Are authentications going over specific ports? Which are they?

Our Conditional Access rule is set with token expiration of 1 hour when off the corporate network.  If the primary traffic is coming from the users home local IP, I suspect even with split tunneling for authentication traffic, since general traffic is coming over the users local IP it will trigger more frequent authentication interruptions (WAM popups/white screen). Am I wrong?

Finally, how about Conditional Access rules for IPv6? There are none available, and we have users whose ISPs use IPv6 and no IPv4 addresses. Our VPN will issue them both IPv6 and IPv4 for internal network, but there are inherent issues with this approach when we cannot configure our corporate IPv6 range in the Conditional Access rules. Authentications fail over internal IPv6 addresses whcih could pose issues if split tunnel defers to the internal IPv6 for authentication.

Thanks for the guidance!

@reevesjeremy  

Authentication traffic uses TCP port 443 so are not possible to split out via unique port. You'll find the URLs in question in row 56 of the URL/IP service. The specific authentication URLs are login.microsoftonline.com, login.microsoft.com, login.windows.net. Ensure these are sent down the VPN tunnel to the proxy or similar if you want to ensure they are sent to Microsoft via your corporate network. 

In terms of the conditional access rule, if you only split tunnel the optimize marked traffic then the auth traffic will continue to arrive at AAD from your corporate network and the rules you've set for that scenario will continue to apply. i.e when the user requests a token, the request is routed via the on premises environment and thus the policies applied to that scenario are applied. 

As for IPV6, as these auth endpoints (the three listed above) do not have IPv6 addresses assigned to them the client cannot/will not attempt to connect to them over IPV6, rather it'll use IPV4.

@Ian_M10  

These questions are relatively hard to answer verbosely without knowing your full network configuration/VPN solution etc but I’ve done my best to answer as much as is possible below. I would strongly recommend you consult VPN vendor if possible for explicit guidance in case there are any additional steps required for the particular solution.

1. Do we need a PAC file for proxy bypass to support our target remote working/spilt tunnelling solution?

The answer depends on your environment, and configuration on handling HTTP/HTTPS traffic. If you need/want to send traffic to an explicit proxy within the corporate network, but route other traffic such as the Optimize marked Office 365 endpoints via the local interface on the remote client. then yes, a PAC file is likely necessary to make this split.

Any traffic you want to send direct via the internet should be configured in the PAC file to return DIRECT, located above any logic which sends traffic to the proxy, a very simple example is shown below sending the OPTIMIZE traffic direct, the rest to the proxy, elements in italics being tenant specific:

// Define proxy server

    var proxyserver = "PROXY 10.10.10.10:8080";

    // Make host lowercase

    var lhost = host.toLowerCase();

    host = lhost;

    }

        //EXPRESS ROUTE DIRECT

    else if ((isPlainHostName(host))

                        || (shExpMatch(host, "contoso.sharepoint.com")) 

                        || (shExpMatch(host, "contoso-my.sharepoint.com")) 

                        || (shExpMatch(host, "outlook.office.com")) 

                        || (shExpMatch(host, "outlook.office365.com")) 

                   )

    {

        return "DIRECT";

    }

        //Catchall for all other traffic to proxy

    else

    {

        return proxyserver;

    }

}

Once this split is made on the PAC file the VPN client also needs to be configured to recognise the traffic you want to allow to go direct via the local interface/gateway to the internet.

For example traffic to the proxy IP address/name e.g. 10.1.1.2 (proxy.contoso.com) will be configured in the VPN client to be routed down the VPN tunnel. Normally you would configure all your internal IP space to use the VPN tunnel.

Traffic to outlook.office365.com or the IP subnets that URL publicly resolves to should then be routed direct out of the user’s internet connection. How this is configured in the VPN client depends on the VPN solution itself. UDP traffic to Teams should work automatically via the local interface if a path is available via the internet for the IP subnets. (52.112.0.0/14 and 13.107.64.0/18)

2. If we do not need a PAC file, will the use of a PAC file impact our target remote working/spilt tunnelling solution?

If you don’t need a PAC file you are likely using a transparent proxy or direct network egress, in this scenario, the VPN client needs to have the configuration so that the Optimize marked IP subnets are sent out of the local interface, i.e. excluded from the traffic sent down the VPN tunnel. I’d suspect this isn’t a scenario you’re using (i.e. you’re likely using an explicit proxy as per answer #1 and thus are using a PAC file)

3. If we do need a PAC file, will it need to be different from the PAC file that will be used when our users are in the office\within the corporate network?

The answer to this question depends again on your internal network configuration. Does the internal network have a direct network egress for the Optimize traffic? If not (i.e. internet browsing has to go via the proxy on the corporate network). If the network doesn’t have a local network egress then traffic sent direct will get dropped. In this scenario you’ll need a different PAC file for the remote clients, which should be easy to do based on the IP subnet the client has e.g.

Client has IP subnet 10.1.0.0/16 = Corpnet client > Corpnet PAC

Client has IP subnet 10.2.0.0/16 = VPN Client > Remote Worker PAC

Or you can use myipaddress()  function to point the client to different proxy nodes based on the Client IP range within the same PAC file.

If you do provide direct and local egress for the Optimize marked traffic from your corporate network (via SDWAN/Local Firewall etc) as per best practice, then you should not need a separate PAC file.

Hope that helps! 

Paul & the Office 365 network team

Hi @Paul Collinge + O365 network team.  Thank you very much for the response - it is v useful and helps clarify a question that we were not 100% sure on.

@Paul Collinge, concerning pac files

The myipaddress() is not always advised to detect VPN access.

Unfortunately, the function may return the first address of a workstation that may be the native address of the network it is connected to and not the one of your VPN.

I've seen blogs mentioning that one could only check if the workstation is in the corporate subnet. Such a partial check may not be sufficient in some situations.

Another way could be to base the decision on the presence of a site (DirectAccess style). DNS resolution in PAC files is not always recommended, either.

So if anyone has a solution, I am all ears!

Hi, is there a guide on how to achieve that configuration with Windows AlwaysOn VPN? It would be easy to have a normal split tunnel (separating company traffic from internet traffic). But what I would like to have is a forced tunnel with excludes for the O365 IP ranges here (split tunnel only for Office 365, rest through the company firewall / proxy to the internet). In best case with the option to dynamically update the ranges if they change.

@Paul Collinge 

Would you like to clarify about the issue on forced VPNs and why this one IP address (13.107.60.1) should be added into there. So far I have not been able found any other documentation for support for this.

Other thing which would be nice to know, when using a split tunnel only for media on Teams, then how long time it is expected that media is working if VPN close down? Small hick ups are not causing issues, and this improves end user experience. But wish to understand that more deeper.

Are there any updates on this issue? 

Hi @Paul Collinge  and others,

When speaking about Live Event and network optimization you have released following details:

Reaching viewers when you have a VPN split-tunneling configuration 

This unfortunately does not includes the endpoints, and perhaps because of that there is following text a bit later:

Note

The above guidance will not be helpful for customers with a VPN+proxy configuration. Microsoft is working on a solution for such scenarios.

Do you have any update when we perhaps could get the endpoint FQDNs for these IP addresses and get above note removed?

Hi@Petri X ,

                      The issue with Live Events/Stream is that they currently require a wildcard domain *.azureedge.net. This wildcard contains may other Azure based elements other than those two services, and to implement a forced tunnel exception you need both the FQDN and all corresponding IPs that FQDN resolves to. As this isnt the case here, anything outside Live Events/Stream that sits in this namespace would end up getting blocked as you dont have the IP for it. The Live Events team are working on moving the service to dedicated namespaces to facilitate the current remote working requirements but it wont be a quick thing to implement as you can imagine, so unfortunately i dont have an ETA to share at this time. That said, in the interim it should be possible with the IPs provided to offload the traffic using a PAC file, something like the following should do the job. Not ideal i admit, but it is an option.

Paul

function FindProxyForURL(url, host) 

{
    var direct = "DIRECT";
    var proxyServer = "PROXY 10.0.0.199:8080";

//Office 365 Optimize endpoints direct
    if(shExpMatch(host, "outlook.office.com")
        || shExpMatch(host, "outlook.office365.com")
        || shExpMatch(host, "contoso.sharepoint.com")
        || shExpMatch(host, "contoso-my.sharepoint.com"))

    {
        return direct;
    }

//Put any other URL based rules here

var resolved_ip = dnsResolve(host);

/* Don't proxy Teams Live Event or Stream traffic*/

if (isInNet(resolved_ip, '72.21.81.200', '255.255.255.255') ||

isInNet(resolved_ip, '152.199.19.161', '255.255.255.255') ||

isInNet(resolved_ip, '117.18.232.200', '255.255.255.255') ||

isInNet(resolved_ip, '192.16.48.200', '255.255.255.255') ||

isInNet(resolved_ip, '93.184.215.201', '255.255.255.255') ||

isInNet(resolved_ip, '68.232.34.200', '255.255.255.255') ||

isInNet(resolved_ip, '192.229.232.200', '255.255.255.255'))

{

returndirect;

}

// Default Traffic Forwarding.
    return proxyServer;                
}

Big thanks @Paul Collinge to share that!

It is indeed a big change to regular infrastructure as the amount of DNS request would goes to sky. Perhaps we could isolate this section only for the FQDNs related to this. But that increase the complexity even more.

I also would like to ask the clarification about the names, as you also refers to *.azureedge.net. But at least, at the moment when analyzing the browser traffic it looks like this:

So is azureedge.net a namespace for future use, or do you expect that it should b already in use? In my mind that is not yet.

@Petri X  the domain is used as a CDN amongst other things. You may see it used in some scenarios and not others, it's required for the service to operate though and is listed in row 44 of the URL/IP Web service for Stream.

@Paul Collinge 

I thought to use rule like following to be able to impact only audio/video streams:

if(shExpMatch(host, "*.streaming.mediaservices.windows.net"))
{
	var host_ip = dnsResolve(host);
 
	/* Check if Stream services are targets */
	if (isInNet(host_ip, '72.21.81.200', '255.255.255.255') ||
	isInNet(host_ip, '152.199.19.161', '255.255.255.255') ||
	isInNet(host_ip, '117.18.232.200', '255.255.255.255') ||
	isInNet(host_ip, '192.16.48.200', '255.255.255.255') ||
	isInNet(host_ip, '93.184.215.201', '255.255.255.255') ||
	isInNet(host_ip, '68.232.34.200', '255.255.255.255') ||
	isInNet(host_ip, '192.229.232.200', '255.255.255.255'))
	{
		returndirect;
	}

    return proxyServer;                
}

Then I could minimize the DNS queries. And above code is just a snap, not full .PAC file :)

@Petri X  Thanks, that's useful information. We were actually working on something similar but couldnt use/share it until we finished testing and confirmed we had comprehensive FQDN information and incorporate changes from the Live events Engineering side. I've now got that and we have a working PAC file scoped to the Live Events/Stream FQDNs/IPs. I'll write it up in a new Techcommunity post and hopefully publish tomorrow. 

Thanks again for the feedback.

Paul

Just a small hint for testing, if you want to see what is the actual adapter (and source IP) you application is using

Download and run currports.   You can add teams.exe as a filter. Or you can see all applications and what way they are going.

It shows all sessions and the source IP.

• If source ip vpn it is tunnelled
• If source ip lan it is direct.

https://www.nirsoft.net/utils/cports.html

Note:  it does not show destination IP for UDP, but shows the number of packets.

Alternative + description https://www.nirsoft.net/utils/live_tcp_udp_watch.html

• CurrPorts displays the current table of active TCP connections and TCP/UDP listening ports. but this technique has some disadvantages, for example, if UDP packets are sent from your computer to remote network address, you won't see it with CurrPorts, because with UDP there is no really a connection and the UDP table contains only listening UDP ports. The advantage of CurrPorts is the ability to use it without elevation (Run As Administrator).
• NetworkTrafficView uses network sniffing technique - It analyzes every packet sent/received by your network card and displays extensive summary according to the display mode you choose. The disadvantages of this tool: You have to choose a network card and capture method for activating the network sniffer.
• LiveTcpUdpWatch uses event tracing API to get live information from Windows Kernel about every TCP/UDP packet sent/received on your system. As opposed to CurrPorts, it captures all UDP activity with process information, but without the need of using a network sniffer.

Thank you @Sergg  to share that tool.

Need to say, that I'm still fan of Microsoft Network Monitor 3.4 (archive) . Old and grey, but still powerful network monitor. The most powerful feature is of course possibility to filtering traffic based on the process(es). Microsoft had also the super powerful and great tool for network (and others): Microsoft Message Analyzer. Unfortunately that is also left without Microsoft's attention. Someone has once more had look about $$$'s and noticed that these tools brings zero dollars to MS, but good reputation from administrators. But as money speaks, we are using over ten years old tools  

Hi @Paul Collinge ,

Has the traffic optimization document for Live Events already been published?

@viny1991 

Check this: How to Optimize Stream & Live Events traffic in a VPN scenario 

FYI - another conflict to consider when working with split tunnels, especially based on URLs is Anti Virus. For example, Sophos (when web control enabled) does some kind of local proxy for all HTTPS traffic. And this bleaks VPN client attempts to exclude this traffic from the tunnel.

Details - Sophos KB 135185 - Palo Alto GlobalConnect VPN in Domain Split Tunnel Mode incompatible with Sophos ...

Is there another way to remotely verify traffic is egressing the local connection outside of using Netmon / Wireshark to monitor packets?

@David Phillips, you can also use Microsoft's own Process Monitor which offers a very friendly and easy to understand interface

@Paul Collinge We have implemented split tunnel for Teams and now looking to do Exchange Online one issue we have come across is that delegate rights on mailboxes is now failing as authentication traffic for that seems to go outside of the tunnel. We know normal authentication goes inside over our VPN as our CA rules do not trigger when launching applications. 

Also noticed Outlook is not adhering to a 60 minute token refresh so unless you restart outlook you can send and receive mail even if our VPN is disconnected for a day which other applications do adhere too.

Any suggestions would be appreciated.

Hi @Paul Collinge ,

Any possibilities to you to clarify this IP address:

13.107.60.1/32

How long time we should allow traffic into there?

Microsoft's Solution-Deployment have a script which only have a comment:

# Temporarily include additional IP address until Teams client update is released
$optimizeIpsv4 += "13.107.60.1/32"

What is the Teams client version this is referring?

@Petri X  it's no longer needed. The version of Teams required to work without it is outlined in the article on this subject which we maintain, specifically this section. https://docs.microsoft.com/en-us/office365/enterprise/office-365-vpn-implement-split-tunnel#configur...

@Paul Collinge 

You were quick ! 

Big thanks for clarifying this.

@Paul Collinge I have been scouring through blogs and documentation but I am not able to find IP Ranges for officecdn to use for Office 365 Updates. We are unfortunately have a limitation where we need to split tunnel our Office 365 Updates to use public internet for clients connected over VPN. Our original plan was to use CMG to deploy the updates but turns out Office 365 Updates are not supported over CMG\cloud Distribution points. The only alternative is to allow our clients to download the updates over the internet but in order to do that we need the IP ranges for the office CDN. We are currently running Windows Upgrades over our CMG. Any thoughts on how to over come this?