SSL VPN Split Tunneling and Office 365

UPDATE: Apr 9, 2020 A colleague, Vinicius M. , put together a Configuration guide: Optimizing Office 365 traffic on Remote Access through VPNs when using BIG-IP APM.pdf As we shift to a much larg...
Updated Jun 16, 2022
Version 2.0
BIG-IP Access Policy Manager (APM)
o365
security
split tunneling
ssl vpn
ReganAnderson's avatar
Icon for Employee rankEmployee
I've worked as a Professional Services Consultant for F5 Networks since 2011. I'm primarily focused on designing and implementing SSL Orchestrator and APM solutions.
View Profile
ReganAnderson's avatar
Icon for Employee rankEmployee
I've worked as a Professional Services Consultant for F5 Networks since 2011. I'm primarily focused on designing and implementing SSL Orchestrator and APM solutions.
View Profile
sh00b's avatar
sh00b
Icon for Nimbostratus rankNimbostratus
Dec 05, 2022

Brilliant work ReganAnderson !!

IMO it's worth noting that a more "off the shelve" but less flexible approach (dynamic address spaces) has been introduced with v16 which pulls the full O365 endpoint list (not just the "optimize" category) from what I understand
https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-network-access/configuring-address-spaces/what-is-address-space.html

Which brings me to my question: What's the best practice as far as O365 tunnel exclusions go - offload all O365 hosts or just the "optimize" ones?