F5 APM VPN Support For Microsoft O365 Split-Tunneling
We ran into a significant issue with remote VPN client performance when our Microsoft Office products moved to the O365 cloud offering. Our current limitation of "no split-tunneling" per corporate policy, prevented our users from establishing connectivity to their geographically preferable O365 cloud. Instead, their traffic could/would route back to the corporate F5 APM VPN BigIP and then out to the internet. Much longer path and real-time services such as Teams/Skype calls suffered greatly. Other vendors were also having issues with this such as ForcePoint (Websense) and McAfee. Those vendors released O365 specific patches to permit a better performance through various rules and methods. Our F5 APM VPN was the bottle-neck and we had to address this quickly. Approval was granted to permit ONLY O365 products to be split-tunneled. Luckily, Microsoft has fielded this question/requirement many times and they had a ready answer: https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges Unfortunately, there's +500 IPv4 networks alone. Many are overlapping and some could be combined into a supernet. Not pretty, but workable. Using node.js, we developed a script that will pull-down the Microsoft IPv4 space, perform a CIDR clean on the networks, log into the F5 BigIP and push the Network Access exclude IP list, then apply the Access Policy in one shot. You can see the repo here: https://github.com/adamingle/f5O365SplitTunnelUpdateScript If you'd like to use the repo, please note the "settings.json" file. You will need to update according to the README.md Additionally, you will need to configure the allowable/tunneled traffic for the Network Access on VPN. If you only specify the exclusion space, there will be no inclusion space and no traffic will traverse the tunnel. Enable split-tunneling by checking the "Use split tunneling for traffic" radio button Add ALL networks to the "IPV4 LAN Address Space" with the IP Address 0.0.0.0 and Mask 0.0.0.0 Specify wildcard/asterisk for the "DNS Address Space" After you have the split-tunneling enabled on your Network Access Lists in F5 APM and you have correctly modified the "settings.json" file of your local f5O365SplitTunnelUpdateScript repo, you should be able to execute your O365 split-tunneling address exclusion changes. Use Jenkins or other automation tool to run the script automatically. Definitely worth a watch: https://channel9.msdn.com/Events/Ignite/2015/BRK3141 *This has been tested/used successfully with the Edge 7.1.7.1 client on v13.1.1
VPN BIG-IP Edge client : traffic over VPN tunnel with full or split tunneling
We have established a VPN connection between a Windows client and a BIGIP v15. We are using BIGIP Edge client, with network access. Full tunneling We do not really understand what kind of traffic is allowed or disallowed over the VPN tunnel. According to this document : https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-13-0-0/2.html with full tunneling "all traffic (including traffic to or from the local subnet) is forced over the VPN tunnel." How traffic to local subnet can be forced over the VPN tunnel ? Does full tunneling ensure that the resource is not leaking traffic to the client's LAN ? Split tunneling In order to use split tunneling, we have to fill the field "IPV4 LAN Address Space", to specify a list of addresses. Only the traffic to these addresses goes through the tunnel configured for Network Access, all other traffic bypasses the tunnel. As this field is mandatory, what is the purpose of the field "Exclude Address Space" (not mandatory) ? What is the purpose of the feature "split by DNS" ? How to know if it is better to use "split by DNS" instead of "split by IP" ?
