04-08-2020 02:30 AM
The %variable% method definitely works if you have a GlobalProtect license, but you need to make sure your GP client version and your PAN OS version support it. (https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel...)
Just wanted to quickly share about my experience on this, as some of you may have been or will be in a similar situation:
- Configuring split tunneling for the Teams.exe process located under %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe does work but we had a lot of issues with users that could not join MS Teams Meetings. Video calls and audio calls worked fine, but the main issue was with online meetings. It could be that Teams creates sub-processes or uses some system resources in the background, I have not dug deeper into this.
The reason why we considered to configure split tunneling was to reduce the load and bandwidth consumption on our VPN Gateways (Netflow is a good indicator to see that MS Teams video/voice traffic on ports UDP/3478, UDP/3479, UDP/3480, UDP/3481 is far from being negligible) and to provide our users with the best possible audio/video experience (back homing the traffic over a long distance may be sub-optimal, and Microsoft designed their solution in a way that the client will always connect to the best possible Microsoft PoP and all the traffic will then run on Microsoft's backbone).
I finally tested the split-tunneling based on Microsoft subnet list published here https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-...
I excluded the routes to the following subnets: 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, and this was working great!
Another interesting topic is Microsoft Stream and Microsoft Teams Live events, which are often used for virtual townhall meetings. Here my tests and wireshark captures showed the following:
For MS Stream Live events: you'll need to exclude traffic to the following domain: *.azureedge.net port tcp/443
For MS Teams Live events: you'll need to exclude traffic to the following domain: *.streaming.mediaservices.windows.net port tcp/443
Microsoft definitely do not make our life easy since they leverage CDNs for this.
I have not tested it very thoroughly but found it fun to see how these services work, so please make sure to test it thoroughly and from different regions if you need to go down the split-tunneling route for these services
Please note that you'll probably need a GlobalProtect license for this, and the scope here is large, therefore you should definitely clarify whether this is acceptable or not with your IT Security Officer. This configuration is done on the GlobalProtect gateway directly!
Regarding Webex, a full list of subnets to exclude can be found here: https://help.webex.com/en-us/WBX264/How-Do-I-Allow-Webex-Meetings-Traffic-on-My-Network
I did not test the split-tunneling for Zoom meetings, but found the following article on Zoom's KB: https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zo...
All the information shared here are coming from my personal analysis and you should be careful before implementing it as security is a critical aspect in the RA VPN infrastructure and you should make sure that the split tunneling configuration you make complies with your corporate policies/requirements.
I hope this helps.
Cheers.
Yann
