GlobalProtect
Split Tunnel Use Case: Optimize Office 365 Traffic
Optimize Office 365 Traffic via split tunnel
To support business continuity and remote workforces, you can use Palo Alto Networks
firewalls and the GlobalProtect app to securely enable remote access to Microsoft
Office 365 applications. This topic provides guidance on implementing Microsoft's
recommendations for Office 365 access to optimize the user experience and decrease
the bandwidth load on your enterprise network infrastructure.
Microsoft recommends the following for Office 365 applications:
- Split tunnel Office 365 applications instead of routing them over a VPN tunnel.
- Split tunnel Office 365 applications using specific, optimized Microsoft-provided IP address ranges instead of split tunneling using fully qualified domain names (FQDNs).

Split-tunnel traffic is not inspected by the firewall and, therefore, does not receive the threat prevention capabilities offered by Palo Alto Networks. Carefully review your security requirements before enabling this feature to decide whether split tunneling Office 365 traffic meets your environmental needs.

These recommendations apply to the following Office 365 applications:
- Skype for Business Online and Microsoft Teams
- SharePoint Online and OneDrive for Business
- Exchange Online
The GlobalProtect app supports the split tunnel exclude access route feature, which
enables you to send latency-sensitive and high-bandwidth traffic directly outside of
the VPN tunnel rather than tunneling all traffic. For the best performance and most
efficient use of VPN capacity, you should route traffic destined for the dedicated
IP address ranges associated with these Office 365 applications (referred to as the
Optimize category in Microsoft documentation) directly outside of the VPN tunnel.
The firewall supports up to 200 exclude access routes (combining both IPv4 and IPv6
routes). The number of IP address ranges in the Office 365 Optimize category is well
within this limit, currently requiring approximately 20 IPv4 ranges and 30 IPv6
ranges.
1. Determine the IP addresses for the Office 365 applications being used in your environment.

   Microsoft categorizes endpoints into three groups: Optimize, Allow, and Default. To optimize Office 365 traffic through VPN split tunnel exclude routes, Microsoft recommends focusing strictly on the Optimize endpoints because they are the most latency-sensitive and consume the highest volume of bandwidth. Compile the list of Optimize endpoints and their IP prefixes using one of the following methods:
   - Web method: View the subnets on the Microsoft Office 365 IP Address and URL Web Service site and locate the rows marked as the Optimize category.
   - REST API method: Query the REST interface using PowerShell.
     - Send an HTTPS request to the RESTful web service:

       ```powershell
       $ep = Invoke-RestMethod("https://endpoints.office.com/endpoints/worldwide?clientrequestid=" + ([GUID]::NewGuid()).Guid)
       ```

     - Filter the IP addresses for the Optimize category:

       ```powershell
       $ep | ?{$_.category -eq "Optimize"} | Select-Object category, serviceAreaDisplayName, ips, urls | ForEach-Object {$ips += $_.ips; $urls += $_.urls}
       ```

     - Extract the unique IP prefixes and URLs from the output. To configure the split tunnel using exclude routes, you need only the IP addresses from this output. You do not need the URLs or FQDNs for the recommended split tunnel configuration.
2. Create address objects for the Office 365 IP addresses.
   - Select Objects > Addresses and click Add.
   - Add the IPv4 and IPv6 subnets associated with the specific Office 365 applications you want to exclude. You identified these subnets in step 1.
3. Group the address objects into an address group.
   - Select Objects > Address Groups and click Add.
   - Define the address group (for example, Office 365 Exchange Online) and add all the address objects you created in the previous step.
   - Click OK.
4. Apply the address group to your split tunnel exclude access route configuration.
   - Select your gateway configuration.
     - On Panorama, navigate to Network > GlobalProtect > Gateways.
     - On Strata Cloud Manager (Prisma Access), navigate to Configuration > NGFW and Prisma Access > Configuration Scope > Prisma Access > GlobalProtect > Setup > GlobalProtect App > Tunnel Settings.
     - On Strata Cloud Manager (NGFW), navigate to Configuration > NGFW and Prisma Access > Device > GlobalProtect > Portals and Gateways > Gateways.
   - Select Agent > Client Settings, and then select your client settings configuration.
   - Select the Split Tunnel tab.
   - Under Access Route, click Add in the Exclude area.
   - Specify the address group you defined earlier (for example, Office 365 Skype for Business and Teams).
   - Click OK to save the split tunnel configuration.
5. Save the gateway configuration.
   - Click OK to save the settings.
6. Commit the changes.
7. Verify the split tunnel exclude access route configuration.
   - Review the PanGPS.log file in the GlobalProtect logs on the endpoint to verify that the split tunnel exclude access route configuration was received from the gateway.
   - On a Windows endpoint, open the command prompt and run the route print command to view the routing table and verify that routes for the excluded subnets are going out via the physical interface. You can use similar routing table commands for other operating systems.
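The following is an added example, not code from this page, Palo Alto Networks or Microsoft: it performs the same Optimize-category selection as the PowerShell filter in step 1, in Python over a constructed sample shaped like the endpoint service's JSON (the field names category, serviceAreaDisplayName, ips and urls are the ones the procedure uses; the prefix values are made up), separates IPv4 and IPv6 prefixes, de-duplicates them, skips URL-only entries, and checks the combined count against the 200-route exclude limit described above.

```python
import ipaddress
import json

# Constructed sample (not real Microsoft data) in the shape of the JSON that
# https://endpoints.office.com/endpoints/worldwide returns; the live list is longer.
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 1, "serviceAreaDisplayName": "Exchange Online", "category": "Optimize",
     "urls": ["outlook.office.com"], "ips": ["13.107.6.152/31", "2603:1006::/40"]},
    {"id": 2, "serviceAreaDisplayName": "Exchange Online", "category": "Allow",
     "urls": ["*.protection.outlook.com"], "ips": ["40.92.0.0/15"]},
    {"id": 3, "serviceAreaDisplayName": "Skype for Business Online and Microsoft Teams",
     "category": "Optimize", "ips": ["13.107.64.0/18", "52.112.0.0/14", "2603:1063::/38"]},
    {"id": 4, "serviceAreaDisplayName": "SharePoint Online and OneDrive for Business",
     "category": "Optimize", "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22", "13.107.136.0/22"]},   # duplicate on purpose
    {"id": 5, "serviceAreaDisplayName": "Microsoft 365 Common and Office Online",
     "category": "Default", "urls": ["*.office.com"]},   # URL-only entry, no 'ips'
])

MAX_EXCLUDE_ROUTES = 200  # gateway limit for exclude access routes, IPv4 + IPv6 combined


def optimize_prefixes(endpoints_json):
    """De-duplicated Optimize-category prefixes, split by address family.

    Same selection as the PowerShell filter in step 1: keep entries whose category
    is "Optimize" and take only their 'ips' (URLs are not needed for exclude routes).
    """
    v4, v6 = set(), set()
    for entry in json.loads(endpoints_json):
        if entry.get("category") != "Optimize":
            continue
        for prefix in entry.get("ips", []):   # some entries carry URLs but no 'ips'
            net = ipaddress.ip_network(prefix, strict=False)
            (v4 if net.version == 4 else v6).add(net)
    return {"ipv4": sorted(v4), "ipv6": sorted(v6)}


def exclude_routes(endpoints_json):
    """Prefix strings to enter under Access Route > Exclude (IPv4 first, then IPv6)."""
    pfx = optimize_prefixes(endpoints_json)
    return [str(n) for n in pfx["ipv4"] + pfx["ipv6"]]


def within_route_limit(routes):
    """True if the list fits the gateway's 200-route exclude limit."""
    return len(routes) <= MAX_EXCLUDE_ROUTES
```

Running `exclude_routes(SAMPLE_ENDPOINTS_JSON)` on the sample yields six prefixes; swap in the JSON saved from the REST call in step 1 to produce the real list and the limit check for your tenant.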
In certain scenarios, media traffic might still traverse the VPN tunnel even with the correct routes in place. If you encounter this issue, you can use a security policy rule to block the Teams IP subnets or ports at the GlobalProtect gateway from using the VPN. This will force the application to send media traffic directly to the internet.