SSL VPN Split Tunneling and Office 365
PSilva Thanks for sharing, well presented, I fully agree, always sign your work 🙂
I understand F5 is not giving MS-product specific recommendations, which is completely valid of course.
However, pardon my stubbornness, let me rephrase the question on the otherwise wonderful address space improvement in v16:
MS' recommendation seems to be to only exclude O365 endpoints used for real-time or high-volume traffic, which are the ones categorized as "optimize" in their JSON.
So what's the rationale for F5 to exclude all hosts instead?
It's not ideal from my perspective, e.g. since login.microsoftonline.com is also hit directly by clients in that case, which means that, authentication-wise, MS sees a non-corp IP from our VPN clients and thus considers them "off network", which has implications for conditional access.
On a more general level, as you indicate on YouTube, there's a risk to excluding hosts from the tunnel. So we'd prefer to avoid excluding more than absolutely necessary.
On our end we're planning to address this manually by pointing our APMs to an internal server where we cache the O365 endpoint list and modify the content (e.g. using jq) to take out any non-"optimize" categories.
And we'll likely do similar customizations by abusing the "zoom" template to cover some of the other applications we're excluding from VPN. Not ideal, but still WAY better than keeping exclusions up to date by hand.
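One way to do the filtering this comment describes, as an added example that is neither the commenter's nor F5's code: it reads a constructed sample in the shape of Microsoft's Office 365 endpoint JSON (field names as in the published list; ids and address ranges are illustrative), keeps only the entries whose category is "Optimize", and shows that login.microsoftonline.com (an "Allow" entry in the sample) then stays inside the tunnel. The comment mentions jq; the equivalent jq filter is noted in a comment, and the transformation itself is done in Python here.

```python
import json

# Constructed sample in the shape of Microsoft's endpoint JSON
# (https://endpoints.office.com/endpoints/worldwide). Ids and ranges are
# illustrative placeholders, not values from the real list.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.0/24", "2603:1006::/40"], "tcpPorts": "443", "expressRoute": True},
    {"id": 2, "serviceArea": "Common", "category": "Allow", "required": True,
     "urls": ["login.microsoftonline.com", "*.msftidentity.com"],
     "ips": ["20.190.128.0/18"], "tcpPorts": "80,443", "expressRoute": True},
    {"id": 3, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "ips": ["13.107.64.0/18", "52.112.0.0/14"], "udpPorts": "3478,3479,3480,3481",
     "expressRoute": True},
    {"id": 4, "serviceArea": "SharePoint", "category": "Default", "required": False,
     "urls": ["*.sharepoint.com"], "tcpPorts": "443", "expressRoute": False},
])


def filter_endpoints(raw_json, categories=("Optimize",)):
    """Keep only the endpoint entries whose category is in `categories`.

    jq equivalent for the cached copy the comment describes:
        jq '[.[] | select(.category == "Optimize")]' endpoints.json
    """
    return [entry for entry in json.loads(raw_json) if entry.get("category") in categories]


def split_tunnel_exclusions(entries):
    """Collect the IP prefixes and hostnames that would be excluded from the tunnel.

    Entries may carry only "ips", only "urls", or both, so both keys are optional.
    """
    ips = sorted({prefix for e in entries for prefix in e.get("ips", [])})
    hosts = sorted({host for e in entries for host in e.get("urls", [])})
    return ips, hosts


if __name__ == "__main__":
    optimize_only = filter_endpoints(SAMPLE_ENDPOINTS)
    ips, hosts = split_tunnel_exclusions(optimize_only)
    print("Excluded prefixes:", ips)
    print("Excluded hosts:", hosts)
    # login.microsoftonline.com is category "Allow", so it is not in `hosts`
    # and client logins still traverse the tunnel from a corporate IP.
```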