I have 8.1.5 on the pa and 4.1.11-9 client
I have setup the gateway for video traffic exclusion, and selected
But a simple test shows utube still come over the tunnel address
I want to allow MS Teams to by pass the tunnel, so I goto agent / client setting select my config and split tunnel
domain and application
but the app runs from
how can i enter that into the config
You can use the userprofile environmental variable like so:
The only thing I can think with the exclusion is that you should add youtube-base and netflix-base and see if that works. I haven't tried including just the streaming app-ids to see how well that works.
Cool, I will try that with teams. I presume it runs under the current user so the env variable will point to the right place.
Now - do I want to include - does that mean by pass the vpn or exclude ??
Yeah , not getting utube to work. watching now and its still in vpn
So I turn on video traffic exclude
and selected utube and netflix
but its not working
That you do; this is not included within the "base" functionality of GlobalProtect included with the device. If I would have to guess I would assume that the "free" version of GlobalProtect will essentially stay at where it is currently, and all the new exciting things will be included in the license.
Yes understand but, we haved started to use MS teams video chat - and well hair pin turning a video stream 1/2 way around the world is a pain. So we are looking at allowing just MS teams to have direct access out to just O365 ip's
Anyone else try this out?
From real-world testing I found it did work with exceptions by adding the path %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe
The exception being that the ability to join meetings is completely broken. That traffic somehow ends up coming back across the tunnel while keeping the main teams application on the local network which causes the attempt to join to fail.
Upon investigation of the processes that are created while joining a meeting in Teams it seems Teams temporarily stages another Teams.exe at this location
However, adding this to the Split Tunnel config still did not work.
Not sure what I am missing, but the fact that Palo Alto does not support the ability to Split Tunnel based on external IP blocks is ridiculous as this would have been much easier and working now.
I've added 188.8.131.52/14 to the split tunnel config because all teams traffic seems to go there.
This worked for a bit, but i still see traffic to this subnet comming trought the vpn altough traceroutes and manual request do go the correct way.
to counter this i've blocked this traffic on the palo so the client has to take the direct route via local internet, but this raises some strange issues for users.
Does ms teams override the routing table ? very strange.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!