05-02-2019 10:47 PM - last edited on 03-20-2020 07:13 AM by arsimon
Hi
I have 8.1.5 on the PA and the 4.1.11-9 client.
I have set up the gateway for video traffic exclusion and selected:
youtube-streaming
netflix-streaming
But a simple test shows YouTube still comes over the tunnel address.
I want to allow MS Teams to bypass the tunnel, so I go to Agent / Client Settings, select my config, and then Split Tunnel > Domain and Application,
but the app runs from
{userprofile}\AppData\Local\Microsoft\Teams\current\Teams.exe
How can I enter that into the config?
05-03-2019 11:52 AM
You can use the userprofile environment variable like so:
%userprofile%\AppData\Local\Microsoft\Teams\current\Teams.exe
The only thing I can think of with the exclusion is that you should add youtube-base and netflix-base and see if that works. I haven't tried including just the streaming App-IDs to see how well that works.
05-03-2019 02:37 PM - edited 05-03-2019 03:11 PM
Cool, I will try that with Teams. I presume it runs under the current user, so the env variable will point to the right place.
Now, do I want to "include"? Does that mean bypass the VPN, or exclude?
Yeah, not getting YouTube to work. Watching now and it's still in the VPN.
So I turned on video traffic exclusion
and selected YouTube and Netflix,
but it's not working.
05-14-2019 04:55 PM
So I have found my answer.
You need a license for the video split tunnel... sigh.
05-14-2019 08:26 PM
That you do; this is not included within the "base" functionality of GlobalProtect included with the device. If I had to guess, I would assume that the "free" version of GlobalProtect will essentially stay where it is currently, and all the new, exciting things will be included in the license.
05-15-2019 12:21 PM
Hello,
While I understand why you want to do a split tunnel, it's not best practice and will fail most major compliance requirements.
Regards,
05-15-2019 05:58 PM
Yes, understood, but we have started to use MS Teams video chat, and hairpinning a video stream halfway around the world is a pain. So we are looking at allowing just MS Teams to have direct access out to just the O365 IPs.
02-07-2020 08:23 AM
Anyone else try this out?
From real-world testing I found it did work, with exceptions, by adding the path %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe
The exception being that the ability to join meetings is completely broken. That traffic somehow ends up coming back across the tunnel while keeping the main Teams application on the local network, which causes the attempt to join to fail.
Upon investigation of the processes that are created while joining a meeting in Teams, it seems Teams temporarily stages another Teams.exe at this location:
%userprofile\AppData\Local\Microsoft\Teams\stage\Teams.exe
However, adding this to the Split Tunnel config still did not work.
Not sure what I am missing, but the fact that Palo Alto does not support the ability to split tunnel based on external IP blocks is ridiculous, as this would have been much easier and working by now.
02-27-2020 11:36 AM
%userprofile% not %userprofile
03-12-2020 02:00 AM
I've added 52.112.0.0/14 to the split tunnel config because all Teams traffic seems to go there.
This worked for a bit, but I still see traffic to this subnet coming through the VPN, although traceroutes and manual requests do go the correct way.
To counter this I've blocked this traffic on the Palo so the client has to take the direct route via the local internet, but this raises some strange issues for users.
Does MS Teams override the routing table? Very strange.
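The two questions left open above, whether the %userprofile% path in the split-tunnel rule actually resolves on the endpoint (the "current" vs "stage" Teams.exe post) and whether Teams traffic to 52.112.0.0/14 is really leaving via the tunnel or the local interface (the last post), can both be checked on the client itself. The script below is an added diagnostic written for this thread; it is not from the original posts and not Palo Alto or Microsoft code. It assumes a Windows 8/Server 2012 or later host (for the NetTCPIP cmdlets), that the classic Teams client runs as a process named "Teams" as described above, and that 52.112.0.0/14 is still the prefix Teams uses (verify that against Microsoft's published Office 365 ranges before relying on it).

```powershell
# Added diagnostic for the split-tunnel discussion above (not code from the thread).
# 1. Confirm the Teams.exe paths referenced in the split-tunnel rule exist for this user.
#    The GlobalProtect rule uses %userprofile%; in PowerShell the same value is $env:USERPROFILE.
$teamsPaths = @(
    "$env:USERPROFILE\AppData\Local\Microsoft\Teams\current\Teams.exe",
    "$env:USERPROFILE\AppData\Local\Microsoft\Teams\stage\Teams.exe"   # staged copy seen when joining meetings
)
foreach ($p in $teamsPaths) {
    "{0,-6} {1}" -f (Test-Path -Path $p), $p
}

# 2. Prefix the thread reports Teams using (assumption: still current; check Microsoft's O365 IP list).
$teamsNet  = "52.112.0.0"
$teamsBits = 14

function Test-InPrefix {
    # Returns $true when $Ip falls inside $Network/$Bits (IPv4 only).
    param([string]$Ip, [string]$Network, [int]$Bits)
    # GetAddressBytes() is network (big-endian) order; reverse it for BitConverter on x86/x64.
    $a = [BitConverter]::ToUInt32(([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()[3..0], 0)
    $n = [BitConverter]::ToUInt32(([System.Net.IPAddress]::Parse($Network)).GetAddressBytes()[3..0], 0)
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $Bits))
    return (($a -band $mask) -eq ($n -band $mask))
}

# 3. Find the live TCP connections owned by Teams and see which local address they were bound to.
$teamsPids = (Get-Process -Name Teams -ErrorAction SilentlyContinue).Id
if (-not $teamsPids) {
    Write-Warning "Teams.exe is not running; start Teams (or join a meeting) and re-run."
    return
}
$conns = Get-NetTCPConnection -OwningProcess $teamsPids -State Established -ErrorAction SilentlyContinue

"`nTeams connections grouped by local (source) address - compare against your GlobalProtect tunnel IP:"
$conns | Group-Object -Property LocalAddress |
    ForEach-Object { "{0,5} connection(s) from {1}" -f $_.Count, $_.Name }

# 4. For each remote Teams peer inside the excluded prefix, ask the stack which route and
#    source address it would pick right now. If the chosen interface is the tunnel adapter,
#    the exclusion is not taking effect for that destination regardless of what traceroute shows.
"`nRoute selection for Teams peers inside $teamsNet/$teamsBits:"
$conns | Select-Object -ExpandProperty RemoteAddress -Unique |
    Where-Object { Test-InPrefix -Ip $_ -Network $teamsNet -Bits $teamsBits } |
    ForEach-Object {
        $found = Find-NetRoute -RemoteIPAddress $_ -ErrorAction SilentlyContinue
        $route = $found | Where-Object { $_.PSObject.TypeNames -match 'NetRoute' }     | Select-Object -First 1
        $src   = $found | Where-Object { $_.PSObject.TypeNames -match 'NetIPAddress' } | Select-Object -First 1
        "{0,-16} via '{1}' (route {2}, next hop {3}), source {4}" -f `
            $_, $route.InterfaceAlias, $route.DestinationPrefix, $route.NextHop, $src.IPAddress
    }
```

Run it from an elevated PowerShell session while a call or meeting is in progress, since the meeting-join traffic is what the thread reports leaking. Connections whose local address is the tunnel IP, or whose Find-NetRoute result names the GlobalProtect adapter, are the ones the exclusion did not catch; those are worth correlating with the firewall's traffic log before concluding that Teams is bypassing the routing table rather than the exclusion simply not matching the process or prefix involved.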