Forum Discussion

cymru81
Mar 15, 2021

APM Split tunnel

Hi, we have deployed a split tunnel in APM to ensure MS Teams traffic goes outside of the tunnel as per F5 guidelines. However, we have several Win10 users who connect to this but their traffic to Teams fails (they get "page cannot be displayed" type errors). What can be checked to verify this? A simple tracert shows the first hop as their home router (not F5), and ping resolves all the well-known Microsoft domains like teams.office.com. Users have uninstalled Edge Client multiple times and deleted the Teams cache with no improvement. Users can log in fine to Teams on the same device when not connected to APM. F5 support have been unable to help too.

1 Reply

  • Is it only happening for Win10 users, or for other Windows OS users as well? I can think of the following points.

    • I would suggest checking whether the "Allow Local DNS Servers" option is checked under NACL.
    • Also, please verify whether initial authentication with O365 is working fine. Is it using SAML federation with an on-prem IdP, and does it need to go via the VPN tunnel?
    • Can you connect to https://teams.microsoft.com/ once you have a full VPN tunnel? If not, check in the browser's developer tools where it fails.
    • If it's working on Windows platforms other than 10, what's special with this build?
    • Involve MS support to troubleshoot as well where this is failing.
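
The checks discussed in this thread (name resolution, which interface the route uses, and whether HTTPS is reachable) can be collected in one pass on an affected Windows 10 client while it is connected to APM. This is an added example, not part of either post or of F5's tooling; the hostname list is an assumption taken from the two names mentioned above and should be extended to match the split tunnel exclusion list in use.

```powershell
# Added example (not from the thread): run on an affected client while connected to APM.
# Assumption: the two hostnames below are the ones named in this thread.
$hostnames = 'teams.office.com', 'teams.microsoft.com'
$ProgressPreference = 'SilentlyContinue'   # suppress Test-NetConnection progress bar

$results = foreach ($name in $hostnames) {
    # Resolve IPv4 addresses; CNAME records in the answer carry no IP4Address.
    $addrs = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IP4Address } |
        Select-Object -ExpandProperty IP4Address -Unique

    if (-not $addrs) {
        [pscustomobject]@{ Host = $name; Address = '(no A record)'; RouteInterface = $null
                           NextHop = $null; SourceAddress = $null; Tcp443 = $false }
        continue
    }

    foreach ($ip in $addrs) {
        # Find-NetRoute returns the chosen source address and the matching route;
        # only the route object has a NextHop property.
        $route = Find-NetRoute -RemoteIPAddress $ip -ErrorAction SilentlyContinue |
            Where-Object { $_.NextHop } | Select-Object -First 1

        # TCP handshake to port 443, the same path the browser or Teams client takes.
        $tcp = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue

        [pscustomobject]@{
            Host           = $name
            Address        = $ip
            RouteInterface = $route.InterfaceAlias     # adapter the OS will send this traffic through
            NextHop        = $route.NextHop
            SourceAddress  = $tcp.SourceAddress.IPAddress
            Tcp443         = $tcp.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize
```

A row whose RouteInterface is the VPN adapter means that address is still being sent through the tunnel; a row on the physical adapter with Tcp443 False means the connection is failing outside the tunnel.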