ReganAnderson
F5 Employee
UPDATE: Apr 9, 2020: A colleague, Vinicius M., put together a configuration guide:
Optimizing Office 365 traffic on Remote Access through VPNs when using BIG-IP APM.pdf

As we shift to a much larger remote workforce than ever before, additional strains are being placed on the remote access infrastructure of many organizations around the world.

Over the past several weeks we have seen organizations adapt quickly and, as it relates to APM, implement split tunneling configurations that allow Office 365 traffic to egress a client's local interface instead of traversing the corporate network via the VPN tunnel. Microsoft publishes their Office 365 endpoints (URLs and IPs) via an API, but they occasionally make changes, and keeping on top of those changes can be an administrative nightmare.

To make the ongoing maintenance of the Network Access Lists / split tunneling configuration as seamless as possible, I’ve adapted a Python script (see the GitHub repo) that we commonly use for SSL Orchestrator deployments to fetch Office 365 endpoints and update one or more Network Access Lists. Used in conjunction with iCall, this script will periodically check for and apply updates to your Network Access List(s) without any administrative intervention, allowing you to focus on other mission critical tasks.

The script is maintained and documented in this GitHub repository: https://github.com/f5regan/o365-apm-split-tunnel

Microsoft has provided us with a statement concerning their recommendations for Office 365 and split tunneling:

"Microsoft recommends excluding traffic destined to key Office 365 services from the scope of VPN connection by configuring split tunneling using published IPv4 and IPv6 address ranges. For best performance and most efficient use of VPN capacity, traffic to these dedicated IP address ranges associated with Office 365 Exchange Online, SharePoint Online and Microsoft Teams (referred to as Optimize category in Microsoft documentation) should be routed directly, outside of the VPN tunnel. Please refer to Microsoft guidance for more detailed information about this recommendation."

Microsoft’s recommendations have been incorporated into the script published in the aforementioned GitHub repository. See the changelog for details.
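As an added example (not the script from the GitHub repository above), the following shows the core of what the article and Microsoft's statement describe: parsing the JSON returned by Microsoft's endpoint web service, selecting the Optimize-category Exchange Online, SharePoint Online and Teams records into IPv4, IPv6 and URL exclusion sets, checking the feed's version stamp so the list is only re-applied when Microsoft changed it, and rendering the tmsh commands to update a Network Access List and publish the access policy. The sample JSON is constructed, and the tmsh attribute names (address-space-exclude-subnet, generation-action) are assumptions to verify against your BIG-IP version.

```python
import json
import ipaddress

# Constructed sample in the shape returned by Microsoft's endpoint web service
# (https://endpoints.office.com/endpoints/worldwide); the live feed has far more records.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "2603:1006::/40"], "tcpPorts": "80,443",
     "category": "Optimize", "required": True},
    {"id": 2, "serviceArea": "Exchange", "urls": ["*.protection.outlook.com"],
     "ips": ["40.92.0.0/15", "2a01:111:f403::/48"], "tcpPorts": "443",
     "category": "Allow", "required": True},
    {"id": 31, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22", "2620:1ec:8f8::/46"], "tcpPorts": "80,443",
     "category": "Optimize", "required": True},
    {"id": 56, "serviceArea": "Common", "urls": ["*.office.com"],
     "tcpPorts": "443", "category": "Default", "required": True},
])

def select_endpoints(raw_json, categories=("Optimize",),
                     service_areas=("Exchange", "SharePoint", "Skype")):
    """Return sorted (ipv4, ipv6, urls) for records matching the given categories and
    service areas. Teams appears as serviceArea "Skype" in the feed. Records without
    an "ips" key are URL-only and contribute nothing to the subnet lists."""
    ipv4, ipv6, urls = set(), set(), set()
    for rec in json.loads(raw_json):
        if rec.get("category") not in categories or rec.get("serviceArea") not in service_areas:
            continue
        for cidr in rec.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)   # validate and normalise the prefix
            (ipv4 if net.version == 4 else ipv6).add(str(net))
        urls.update(rec.get("urls", []))
    return sorted(ipv4), sorted(ipv6), sorted(urls)

def version_changed(cached_latest, version_json):
    """True when the /version/worldwide response carries a new 'latest' stamp, so the
    full endpoint list only needs to be fetched and applied when Microsoft changed it."""
    return json.loads(version_json).get("latest") != cached_latest

def tmsh_exclude_ipv4(network_access_name, ipv4):
    """tmsh command replacing the IPv4 exclusion list of one Network Access resource (assumed syntax)."""
    entries = " ".join("{ subnet %s }" % n for n in ipv4)
    return ("tmsh modify apm resource network-access %s address-space-exclude-subnet "
            "replace-all-with { %s }" % (network_access_name, entries))

def tmsh_apply_profile(access_profile_name):
    """tmsh command that publishes (applies) a changed access policy (assumed syntax)."""
    return "tmsh modify apm profile access %s generation-action increment" % access_profile_name
```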

More Resources

In addition to considering how the steps in this article may relieve some strain on your organization’s remote access infrastructure, I’d highly recommend visiting How to optimize SSL VPN connections when BIG-IP is reaching 100% CPU for further guidance on optimizing SSL VPN connections.

Comments
PeteWhite
F5 Employee

Great job Regan - I have translated this into an iApp which installs the script and creates an iCall to update daily at https://devcentral.f5.com/s/articles/SSL-VPN-Tunnel-and-Office-365


Dan_Pacheco
Altocumulus

Hiya,

I am looking for a similar functionality (retrieve MS IP and subnet list), but instead of updating the APM network access list, I want it to automatically update an LTM IP data-group. Any idea where I might find such a thing?

Thanks,

PeteWhite
F5 Employee

Dead simple - I’ll take a look at changing this script to update a datagroup.

Regards,
Peter White
T: 07785 456991
GeoffG
Nimbostratus

Very useful and really well done.

Was wondering if there was something similar for Microsoft Windows Updates along the same lines?

Cheers and thanks for the share

ReganAnderson
F5 Employee

I'm not aware of a published list of IPs used for Windows Update, but Microsoft has published a list of Windows Update URLs here: https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting#device-can...

You would have to verify with Microsoft whether these URLs are subject to change, but assuming it is a fairly static list you could simply add these addresses to the "additional_urls" list in the script.

GeoffG
Nimbostratus

Thanks very much. I have been playing around on my testbed. One thing I have noticed is I need to apply the Access policy after the update is working. Maybe I have missed something (probably 😉), but is there another step I need to take to make sure this is applied to the Network Access List automatically?

Cheers and thanks again

ReganAnderson
F5 Employee

The Access policies/profiles defined in the "access_profiles" list (line 40) should be applied (on or around line 386) when the script is executed. If you have them defined but they aren't applying, make sure you don't have a typo in the name.

GeoffG
Nimbostratus

The access policy and NA is being updated ok, but I still need to "Apply" the access policy, so it won't take effect until this is done is all. Just needs my manual intervention.

Also, adding the URLs to the script includes them in the DNS exclusion. Which is fine, as this is the intended functionality of the script, but in my case this would likely mean the routing table on the client could potentially be very long as a result. I believe each entry from the DNS Exclusion list is resolved and then added in as a host route.

I'm not actually sure Microsoft has an endpoint specifically for Windows Update like it seems they do for O365.

Thanks very much for your replies too. This script in any event is great and much appreciated.

Cheers

Abdessamad1
Cirrostratus

Great solution!

Any plan to extend it to other collaboration services like Webex and Zoom?

Mikael_Lindelö1
Nimbostratus

Great! Does anyone have a suggestion on how to make the connections via proxy servers?

Matias1
Nimbostratus

This is awesome! But I need to make the connections through a proxy as well 😞

_johnloi
Nimbostratus

@ReganAnderson The PDF seems to be corrupt and does not open after downloading. Can you re-upload the file?

ReganAnderson
F5 Employee

@_johnloi Thanks for bringing this to my attention! I've re-uploaded the PDF and the link should be working now.

Version history
Last update: 16-Jun-2022 11:56