Forum Discussion

Adam_Ingle_1300
Oct 17, 2018

F5 APM VPN Support For Microsoft O365 Split-Tunneling

We ran into a significant issue with remote VPN client performance when our Microsoft Office products moved to the O365 cloud offering. Our current limitation of "no split-tunneling" per corporate policy prevented our users from establishing connectivity to their geographically preferable O365 cloud. Instead, their traffic could/would route back to the corporate F5 APM VPN BigIP and then out to the internet. Much longer path, and real-time services such as Teams/Skype calls suffered greatly.

Other vendors were also having issues with this, such as ForcePoint (Websense) and McAfee. Those vendors released O365-specific patches to permit better performance through various rules and methods.

Our F5 APM VPN was the bottleneck and we had to address this quickly. Approval was granted to permit ONLY O365 products to be split-tunneled. Luckily, Microsoft has fielded this question/requirement many times and they had a ready answer:

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

Unfortunately, there are 500+ IPv4 networks alone. Many are overlapping and some could be combined into a supernet. Not pretty, but workable.

Using node.js, we developed a script that will pull down the Microsoft IPv4 space, perform a CIDR clean on the networks, log into the F5 BigIP and push the Network Access exclude IP list, then apply the Access Policy in one shot.

You can see the repo here:

https://github.com/adamingle/f5O365SplitTunnelUpdateScript

If you'd like to use the repo, please note the "settings.json" file.

You will need to update it according to the README.md.

Additionally, you will need to configure the allowable/tunneled traffic for the Network Access on VPN. If you only specify the exclusion space, there will be no inclusion space and no traffic will traverse the tunnel.

  1. Enable split-tunneling by checking the "Use split tunneling for traffic" radio button
  2. Add ALL networks to the "IPV4 LAN Address Space" with the IP Address 0.0.0.0 and Mask 0.0.0.0
  3. Specify wildcard/asterisk for the "DNS Address Space"

After you have split-tunneling enabled on your Network Access Lists in F5 APM and you have correctly modified the "settings.json" file of your local f5O365SplitTunnelUpdateScript repo, you should be able to execute your O365 split-tunneling address exclusion changes.

Use Jenkins or another automation tool to run the script automatically.

Definitely worth a watch: https://channel9.msdn.com/Events/Ignite/2015/BRK3141

*This has been tested/used successfully with the Edge 7.1.7.1 client on v13.1.1
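
The "CIDR clean" step the post describes (dropping networks already covered by a larger one and collapsing aligned neighbours into a supernet), as an added Node.js example that is not the f5O365SplitTunnelUpdateScript repo's own code; the input is a constructed sample built from RFC 5737 documentation ranges, not Microsoft's published list:

```javascript
// Added example (not the repo's code): minimal IPv4 CIDR clean for an APM exclude list.
function ipToInt(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((x) => !Number.isInteger(x) || x < 0 || x > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}
function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}
// Network mask for a prefix length; /0 is special because JS shifts are mod 32.
function maskOf(prefix) {
  return prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
}
function parseCidr(cidr) {
  const [ip, p] = cidr.split('/');
  const prefix = p === undefined ? 32 : Number(p);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix: ${cidr}`);
  // Clear host bits so "203.0.113.7/24" is stored as the network 203.0.113.0/24.
  return { base: (ipToInt(ip) & maskOf(prefix)) >>> 0, prefix };
}
function contains(a, b) { // a covers b (a is the same size or larger)
  return a.prefix <= b.prefix && ((b.base & maskOf(a.prefix)) >>> 0) === a.base;
}
function cidrClean(cidrs) {
  let nets = cidrs.map(parseCidr);
  for (let changed = true; changed; ) {
    changed = false;
    nets.sort((x, y) => x.base - y.base || x.prefix - y.prefix); // larger nets first
    const out = [];
    for (const n of nets) {
      const last = out[out.length - 1];
      if (last && contains(last, n)) { changed = true; continue; } // already covered
      // last and n are the two aligned halves of one supernet: replace them by it
      const halves = last && last.prefix === n.prefix && last.prefix > 0 &&
        ((last.base & maskOf(last.prefix - 1)) >>> 0) === last.base &&
        ((last.base ^ n.base) >>> 0) === ((1 << (32 - n.prefix)) >>> 0);
      if (halves) { out[out.length - 1] = { base: last.base, prefix: last.prefix - 1 }; changed = true; continue; }
      out.push(n);
    }
    nets = out; // repeat: a merged supernet may itself pair with its neighbour
  }
  return nets.map((n) => `${intToIp(n.base)}/${n.prefix}`);
}
// Constructed sample (RFC 5737 documentation ranges, not Microsoft's real list).
const SAMPLE_NETWORKS = ['192.0.2.0/25', '192.0.2.128/25', '192.0.2.64/26',
  '198.51.100.16/28', '198.51.100.0/24', '203.0.113.7/24', '203.0.113.0/24'];
console.log(cidrClean(SAMPLE_NETWORKS)); // [ '192.0.2.0/24', '198.51.100.0/24', '203.0.113.0/24' ]
```

The result is the shortest list that covers exactly the same addresses, which keeps the pushed exclude list small and free of duplicates.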

 

7 Replies

  • Hi Adam, I am faced with a similar issue with O365 traffic through our VPN Tunnel. I am trying to test your method, however I have a quick question: how do I run the settings.json script?

    Thanks in advance


  • Can someone explain more about it and how it really works? What are the steps to bring it up and running?

    • Remi_COAT (Nimbostratus)

      Hello.

      With the COVID-19 crisis, I am trying to implement this on my APM (running version BIG-IP 13.1.0.5 Build 0.0.5 Point Release).

      The problem is, I don't know what to do with JSON scripts.

      Have you figured out how to do it and if YES, could you tell me how you did it?

      Sincerely, Remi.

      • ReganAnderson (Employee)

        Hi Remi,

        If you are unable to figure out how to get this script to work (I haven't tried implementing it myself) you might want to check out the Python script I wrote for this same use case. It adds support for HA pairs, multiple Network Access Lists, IPv6, DNS, and the ability to add additional "exclude" addresses for other services you may not want to tunnel through your VPN.

        https://devcentral.f5.com/s/articles/SSL-VPN-Split-Tunneling-and-Office-365

        I hope that helps!

        Regan