2302 Views, 10 Helpful, 3 Replies
Beginner

Split tunnel to Microsoft Office 365

I was wondering what the best way is to split tunnel to Microsoft O365. When working with split tunnelling in the past, I have had to use the IP address. The FQDN wouldn't work. Since Microsoft O365 is a cloud based solution, the number of IP addresses would be quite large and would change continuously. This would be an administrative nightmare. Does anyone know a way to handle this? Thanks.

1 ACCEPTED SOLUTION

Cisco Employee

Re: Split tunnel to Microsoft Office 365

Hi Brian Koch,

You can run dynamic split tunneling; with that you can exclude or include domains in the split tunnel configuration:

ASDM

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#task_ydq_tbw_tz

CLI

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect45/administration/guide/b_AnyConnect_Administrator_Guide_4-5/configure-vpn.html#reference_nbv_k44_xz

Keep in mind this is only going to work if you are running ASA 9.x and AnyConnect 4.5 or later.

Hope this info helps!!

Rate if it helps you!!

-JP-

3 REPLIES

Beginner

Re: Split tunnel to Microsoft Office 365

I am in the process of setting this up for Microsoft O365 to use direct Internet access when on VPN, rather than full tunnel. As I define the custom attributes to match for the dynamic routing directly to Microsoft rather than through the tunnel, I'm wondering how to handle some of the defined domains listed by Microsoft.

The list can currently be found at: URLs and IP Address Ranges

So, there are many specific domain names (such as teams.microsoft.com), but then they also include wildcard names (*.teams.microsoft.com). From how the custom attribute is getting installed in the ASA, I suspect that it will be used to perform exact matches for the terms listed in the attributes, and won't understand that a wildcard term such as *.teams.microsoft.com should match 'test.teams.microsoft.com', 'prod.teams.microsoft.com', etc.

If that is the case, and the names in the custom attribute field need to be exact matches, is it necessary to just enter 'teams.microsoft.com' (no asterisk for wildcard), and will the attribute then match anything using that subdomain?

The other issue is that the Microsoft list is HUGE, but, according to the documentation, the custom attribute name parameter can contain a maximum of 421 characters, but then it says AnyConnect can accept a maximum of 5000 characters. So, it's somewhat confusing how to define these Microsoft-provided domains in custom attributes for the split tunnel, and whether they can even all be accommodated by custom attributes. One section (titled Microsoft 365 Common and Office Online) lists so many domains that it requires MANY custom attributes just to cover them all.

 

Procedure

Step 1. Browse to Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes screen.

Step 2. Click Add and enter dynamic-split-exclude-domains as an attribute type and enter a description.

Step 3. After you click to apply this new attribute, click on the AnyConnect custom attribute names link at the top of the UI screen.

Step 4. Add the corresponding custom attribute names for each cloud/web service that needs access by the client from outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. Define these domains in the Value portion of the AnyConnect Custom Attribute Names screen, using the comma-separated-values (CSV) format, which separates domains by a comma character. AnyConnect only takes into account the first 5000 characters, excluding separator characters (roughly 300 typically-sized domain names). Domain names beyond that limit are ignored.

A custom attribute cannot exceed 421 characters. If a larger value is entered, ASDM breaks it into multiple values capped at 421 characters. All values for a certain attribute type and name are concatenated by ASA when the configuration is pushed to the client.
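Working from the limits quoted in the procedure above (421 characters per value, 5000 characters total excluding separators), here is an added helper that is my own example, not code from the thread or from Cisco: it normalizes a constructed endpoint list, collapses wildcard entries into their bare domain (assuming AnyConnect matches subdomains of a listed domain, which the thread does not settle), and packs the result into CSV values that fit the per-value cap while reporting the client-side total.

```python
"""Added example (not from the thread or Cisco): pack a Microsoft 365 endpoint list
into AnyConnect dynamic-split-exclude-domains custom attribute values, using the
421-characters-per-value and 5000-characters-total limits quoted in this thread.
Assumption not confirmed by the thread: a bare domain also covers its subdomains."""
from typing import Dict, List

VALUE_MAX = 421    # per-value cap that ASDM enforces
CLIENT_MAX = 5000  # characters AnyConnect honours, excluding separators

# Constructed sample, modelled on Microsoft's "URLs and IP address ranges" list.
SAMPLE_ENDPOINTS = [
    "teams.microsoft.com", "*.teams.microsoft.com", "test.teams.microsoft.com",
    "outlook.office.com", "login.microsoftonline.com", "*.sharepoint.com",
    "*.cloudapp.net", "Teams.Microsoft.com",  # duplicate differing only in case
]

def normalize_domains(entries: List[str]) -> List[str]:
    """Strip '*.' wildcards, lower-case, dedupe, and drop names already covered
    by a parent domain in the list (suffix-match assumption, see module doc)."""
    bare = {e.strip().lower().lstrip("*.") for e in entries if e.strip()}
    covered = {d for d in bare if any(d.endswith("." + p) for p in bare if p != d)}
    return sorted(bare - covered)

def chunk_values(domains: List[str], limit: int = VALUE_MAX) -> List[str]:
    """Pack domains into comma-separated strings of at most `limit` characters,
    never splitting one domain name across two values."""
    values: List[str] = []
    current = ""
    for d in domains:
        if len(d) > limit:
            raise ValueError(f"domain longer than one value allows: {d}")
        candidate = d if not current else f"{current},{d}"
        if len(candidate) > limit:
            values.append(current)
            current = d
        else:
            current = candidate
    if current:
        values.append(current)
    return values

def build_attribute(entries: List[str]) -> Dict[str, object]:
    """Normalize, chunk, and report whether the 5000-character client limit holds."""
    domains = normalize_domains(entries)
    used = sum(len(d) for d in domains)  # separators do not count toward 5000
    return {"domains": domains, "values": chunk_values(domains),
            "chars_used": used, "fits_client_limit": used <= CLIENT_MAX}
```

Each string in `values` is one entry for the Value field of the custom attribute name; when `fits_client_limit` is false, the excess domains would be silently ignored by the client and need a different treatment than more attribute values.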

VIP Advisor

Re: Split tunnel to Microsoft Office 365

It is still the same using IP addresses. Nothing has changed.