F5 APM VPN Support For Microsoft O365 Split-Tunneling

We ran into a significant issue with remote VPN client performance when our Microsoft Office products moved to the O365 cloud offering. Our current limitation of "no split-tunneling" per corporate policy prevented our users from establishing connectivity to their geographically preferable O365 cloud. Instead, their traffic could/would route back to the corporate F5 APM VPN BigIP and then out to the internet. This was a much longer path, and real-time services such as Teams/Skype calls suffered greatly.

Other vendors were also having issues with this, such as ForcePoint (Websense) and McAfee. Those vendors released O365-specific patches to permit better performance through various rules and methods.

Our F5 APM VPN was the bottleneck and we had to address this quickly. Approval was granted to permit ONLY O365 products to be split-tunneled. Luckily, Microsoft has fielded this question/requirement many times and they had a ready answer:

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

Unfortunately, there are 500+ IPv4 networks alone. Many are overlapping and some could be combined into a supernet. Not pretty, but workable.

Using node.js, we developed a script that will pull down the Microsoft IPv4 space, perform a CIDR clean on the networks, log into the F5 BigIP and push the Network Access exclude IP list, then apply the Access Policy in one shot.

You can see the repo here:

https://github.com/adamingle/f5O365SplitTunnelUpdateScript

If you'd like to use the repo, please note the "settings.json" file.

You will need to update it according to the README.md.

Additionally, you will need to configure the allowable/tunneled traffic for the Network Access on VPN. If you only specify the exclusion space, there will be no inclusion space and no traffic will traverse the tunnel.

  1. Enable split-tunneling by checking the "Use split tunneling for traffic" radio button
  2. Add ALL networks to the "IPV4 LAN Address Space" with the IP Address 0.0.0.0 and Mask 0.0.0.0
  3. Specify wildcard/asterisk for the "DNS Address Space"


After you have the split-tunneling enabled on your Network Access Lists in F5 APM and you have correctly modified the "settings.json" file of your local f5O365SplitTunnelUpdateScript repo, you should be able to execute your O365 split-tunneling address exclusion changes.

Use Jenkins or other automation tool to run the script automatically.

Definitely worth a watch: https://channel9.msdn.com/Events/Ignite/2015/BRK3141

*This has been tested/used successfully with the Edge 7.1.7.1 client on v13.1.1

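The "CIDR clean" step from the post above, as an added example in plain Node.js (this is not code from the f5O365SplitTunnelUpdateScript repo). It drops networks already contained in a larger one and merges adjacent sibling networks into a supernet; the input list is a constructed sample, not the real Microsoft ranges.

```javascript
// Added example, not from the repo: minimise a list of IPv4 CIDRs before
// pushing it as an APM Network Access exclude list. SAMPLE_CIDRS is constructed.
const SAMPLE_CIDRS = [
  '13.107.6.152/31', '13.107.6.152/32',      // /32 is inside the /31
  '13.107.18.10/31', '13.107.18.11/32',      // same, different notation
  '52.100.0.0/14', '52.96.0.0/14',           // siblings -> 52.96.0.0/13
  '40.104.0.0/15', '40.96.0.0/13',           // adjacent but not siblings: kept
  '104.146.128.0/17', '104.146.0.0/17',      // siblings -> 104.146.0.0/16
];

function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => acc * 256 + Number(o), 0);
}
function intToIp(n) {
  return [24, 16, 8, 0].map((s) => (n >>> s) & 255).join('.');
}
// Parse "a.b.c.d/len" into {base, len}; host bits are cleared so "x.y.z.1/24" works.
function parseCidr(cidr) {
  const [ip, lenStr] = cidr.split('/');
  const len = lenStr === undefined ? 32 : Number(lenStr);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { base: (ipToInt(ip) & mask) >>> 0, len };
}
const size = (n) => 2 ** (32 - n.len);

function cidrClean(cidrs) {
  // Sort by base, then shortest prefix first, so a container precedes what it contains.
  const nets = cidrs.map(parseCidr).sort((a, b) => a.base - b.base || a.len - b.len);
  // Pass 1: drop any network fully inside the last network we kept.
  const kept = [];
  for (const n of nets) {
    const last = kept[kept.length - 1];
    if (last && n.base + size(n) - 1 <= last.base + size(last) - 1) continue;
    kept.push(n);
  }
  // Pass 2: merge aligned adjacent siblings into their parent; repeat until stable.
  let merged = kept;
  let changed = true;
  while (changed) {
    changed = false;
    const out = [];
    for (const n of merged) {
      const last = out[out.length - 1];
      const sibling = last && last.len === n.len && n.len > 0 &&
        n.base === last.base + size(n) && last.base % (2 * size(n)) === 0;
      if (sibling) { out[out.length - 1] = { base: last.base, len: n.len - 1 }; changed = true; }
      else out.push(n);
    }
    merged = out;
  }
  return merged.map((n) => `${intToIp(n.base)}/${n.len}`);
}
```

Running `cidrClean(SAMPLE_CIDRS)` on the sample reduces ten entries to six; the two aligned /14s and the two /17s collapse into their supernets, while 40.96.0.0/13 and 40.104.0.0/15 stay separate because they are not siblings.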
Comments on this Question
Comment made 17-Oct-2018 by Philip Jonsson 1097

Great work! Cool solution! :)


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Adam, I am faced with a similar issue with O365 traffic through our VPN tunnel. I am trying to test your method; however, I have a quick question: how do I run the settings.json script?

Thanks in advance
