GlobalProtect: Optimizing Office 365 Traffic
via VPN Split Tunnel Exclude Access Route
Background:
Due to the COVID-19 pandemic, enterprises require their employees and contractors to work remotely. Customers can deploy GlobalProtect with on-premise firewall to securely enable remote work from home, including access to their corporate Microsoft Office 365 applications.
Microsoft has made two recommendation to customers using Office 365 applications to optimize user experience during the COVID-19 pandemic:
- Split tunnel Office 365 applications instead of routing them over a VPN tunnel
- Split tunnel Office 365 applications using specific optimized Microsoft provided IP address ranges instead of split tunneling using FQDNs
NOTE: Split-tunnel traffic is not inspected by next-generation firewall and, therefore, does not have the threat-protection offered by Palo Alto Networks. Hence, customers are advised to carefully review before enabling this feature, and then decide whether the split tunnel for Office 365 traffic meets their environment needs.
The document is written to provide guidance to Palo Alto Networks customers on how these recommendations from Microsoft on Office 365 access can be implemented using our the GlobalProtect application in next-generation firewalls.
Objective:
The objective of this document is to provide guidance to customers for optimizing their Office 365 user traffic.
While Palo Alto Networks next-generation firewall supports multiple split tunneling options using Access Route, Domain and Application, and dynamically split tunneling video traffic. This document specifically focuses on implementing split tunneling exclude using access route feature based on Microsoft recommendations for the following Office 365 Applications:
- Skype for Business Online and Microsoft Teams
- SharePoint Online and OneDrive for Business
- Exchange Online
This helps enterprises with business continuity, and if the enterprise network infrastructure is overwhelmed with an increased traffic load during COVID-19, customers can chose to split tunnel high bandwidth consumption apps in office 365 to ensure business continuity.
- For best performance and most efficient use of VPN capacity, traffic to these dedicated IP address ranges associated with Office 365 Exchange Online, SharePoint Online, and Microsoft Teams (referred to as Optimize category in Microsoft documentation) should be routed directly outside of the VPN tunnel. Please refer to Microsoft guidance for more detailed information about this recommendation.
Prerequisite:
- Palo Alto Network Next-Generation Firewall and GlobalProtect App with:
- PAN-OS 8.1 or above. To use Address Group, PAN-OS 9.0 or above
- Recommended GlobalProtect App 5.0.x or above releases
Platform Supported:
- Windows, Windows UWP, Mac, iOS, and Linux
- GlobalProtect and Operating System Compatibility matrix can be found here: Where Can I Install the GlobalProtect App?
- NOTE: Split tunnel exclude access route feature is not supported by GlobalProtect app on the following platforms due to operating system framework limitation:
Split Tunnel Exclude Access Route:
- GlobalProtect supports split tunnel exclude access route feature. This feature can be configured to exclude traffic for certain subnets outside the VPN tunnel rather than tunneling all traffic over VPN.
- Excluding certain high volume and latency sensitive application subnets from GlobalProtect VPN tunnel via split tunnel exclude access route feature can enhance user experience during high work from home (WFH) moment, particularly, during the COVID-19 pandemic.
- Current split tunnel exclude routes support is up to 200 exclude access routes. This includes both IPv4 and IPv6 routes combined. Currently, the number of IP address ranges in the Office 365 Optimize category (recommended for split tunnel configuration) is 20 IPv4 ranges and 30 IPv6 ranges.
Configuration:
- Start with finding out which of the following applications is used in your enterprise and which you would like to split tunnel exclude traffic for it from your GlobalProtect VPN tunnel:
- Skype for Business Online and Microsoft Teams
- SharePoint Online and OneDrive for Business
- Exchange Online
- Next, find the respective subnets/IP addresses for the specific application. Microsoft applications have three categories of endpoints:
- Optimize
- Allow
- Default
Details on the category taxonomy and our general guidance on treatment of Office 365 traffic is provided at
http://aka.ms/pnc#new-office-365-endpoint-categories.
Per specific guidance provided by Microsoft on optimizing Office 365 traffic via VPN split tunnel exclude routes (direct egress), the “Optimize” endpoints are the highest volume and latency sensitive; hence, the focus should be split tunnel exclude “Optimize” endpoints from the VPN tunnel.
- The list of “Optimize” endpoints and their subnets/IP addresses for the specific Office 365 Microsoft application can be found via following two methods:
- These subnets are listed on http://aka.ms/o365ip [look for corresponding rows marked as Optimize category]
- Another way to find subnets/IP addresses is via a query to a REST interface. This is three steps process:
- Send https request to a RESTful web service
PS C:\> $ep = Invoke-RestMethod("https://endpoints.office.com/endpoints/worldwide?clientrequestid=" + ([GUID]::NewGuid()).Guid )
- Filter “Optimize” category IP Addresses
PS C:\> $ep|?{$_.category -eq "Optimize"}|select-object category, serviceAreaDisplayName, ips, urls |ForEach-Object {$ips += $_.ips; $urls += $_.urls}
Finally, grab the unique ip prefixes and urls from the result of step ii:
PS C:\> $ips |Sort-Object -Unique
104.146.128.0/17 2603:1096:a00::/39 40.108.128.0/17
13.107.128.0/22 2603:1096:c00::/40 40.96.0.0/13
13.107.136.0/22 2603:10a6:200::/40 52.104.0.0/14
13.107.18.10/31 2603:10a6:400::/40 52.112.0.0/14
13.107.6.152/31 2603:10a6:600::/40 52.120.0.0/14
13.107.64.0/18 2603:10a6:800::/40 52.96.0.0/14
131.253.33.215/32 2603:10d6:200::/40
132.245.0.0/16 2620:1ec:4::152/128
150.171.32.0/22 2620:1ec:4::153/128
150.171.40.0/22 2620:1ec:8f0::/46
191.234.140.0/22 2620:1ec:8f8::/46
204.79.197.215/32 2620:1ec:900::/46
23.103.160.0/20 2620:1ec:908::/46
2603:1006::/40 2620:1ec:a92::152/128
2603:1016::/36 2620:1ec:a92::153/128
2603:1026::/36 2620:1ec:c::10/128
2603:1036::/36 2620:1ec:c::11/128
2603:1046::/36 2620:1ec:d::10/128
2603:1056::/36 2620:1ec:d::11/128
2603:1096::/38 2a01:111:f400::/48
2603:1096:400::/40 2a01:111:f402::/48
2603:1096:600::/40 40.104.0.0/15
PS C:> $urls
Outlook.office.com
Outlook.office365.com
*.sharepoint.com
NOTE: To configure the split tunnel for Office 365 using exclude routes, you will only need IP addresses from the above output. URLs/FQDNs are not used in recommended split tunnel configuration, but may be useful for clients, who need to configure proxy exclusions/.pac file customizations in addition to VPN split tunnel setup.
PowerShell showing the REST API commands
- Per the information provided by Microsoft team, the current intent is to hold these subnets/IP addresses static for the next few months in order to allow for quick customer deployments related to the COVID-19 situation. In long term, customers would need to either build automation to keep this configuration up to date, or follow the suggestions and subscribe to update notifications at: https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service#update-notifications
- Considering the fact that to exclude any application we will have to exclude multiple subnets, it is better to utilize Addresses and Address Groups to better manage and define subnets
- To configure Address on the Panorama, navigate to: Object > Address > Add
Panorama Address Configuration Screen
- We can add all the subnets, IPv4 and IPv6, associated with our specific applications
Panorama Objects Tab - Mobile_User_Device_Group
- Next define the Address Group and add all the Addresses or Address Group defined in the previous step with 'Exchange Online’ Address Group. To configure Address Groups on the Panorama, navigate to: Object > Address Groups > Add
Panorama Address Group Screen
- Review the Address Groups configuration
Panorama Object Tab Address Groups
- Final step is to apply the Address Group under Split Tunnel Exclude Access Route. To configure Split Tunnel Exclude Access Route on the Panorama, navigate to: Network > GlobalProtect > Gateway > Agent > Client Settings > Client-Config > Split Tunnel > Access Route > Add. Here specify the Address Group, Office 365 - Skype for Business and Teams, defined earlier.
Config > Split Tunnel > Access Route
- Once configured click ‘OK’ and ‘Commit and Push’ the configuration from Panorama. Above configuration is pushed on the GlobalProtect once it is connected to the gateway.
- The steps described so far can be utilized to exclude subnets/IP addresses for more than one application as well. Following is the configuration summary screen shot showing split tunnel exclude access route configuration for more than one the applications.
- Configure Address Groups
Panorama Address Group Configuration
- Split Tunnel Exclude Access Route Configuration
Configs Split Tunnel Access Route
Output & Verification:
- You can verify the split tunnel exclude access route configuration received from the gateway in PanGPS.log file in GlobalProtect logs. More information on collecting GlobalProtect logs can be found in our Knowledge Base: How to Collect Logs from GlobalProtect Clients.
<exclude-access-routes>
<member>52.112.0.0/14</member>
<member>13.107.64.0/18</member>
<member>52.120.0.0/14</member>
</exclude-access-routes>
- We can utilize the ‘route print’ command on Windows OS to print routing table and make sure that routes for the excluded subnets are going out via physical interface. Similar commands can be utilized for other operating system for verification
