
Exclude MS Teams traffic

Chess Norris
Participant

Hello,

Is anyone using split tunneling to exclude MS Teams traffic?

We are using a "tunnel all" policy for our RA VPN users, but some users have issues when using MS Teams and we want to implement split tunneling to exclude the MS Teams traffic from being tunneled.

My initial thought was to use dynamic split tunneling and exclude all traffic to *.teams.microsoft.com, but according to this guide - Securing Teams media traffic for VPN split tunneling - it says "Some VPN client software allows routing manipulation based on URL. However, Teams media traffic has no URL associated with it, so control of routing for this traffic must be done using IP subnets."

So should we instead exclude the subnets described here under "Optimize IP address ranges"?  https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel?view=o365-worldwide 

Thanks

/Chess

5 Replies

Milos_Jovanovic
VIP Engager

Hi @Chess Norris,

I'm using split-exclude quite often. I've tried playing around with excluding domains, but that wasn't working for me at that time. Instead, I'm excluding only "Optimize Required" traffic from this link - scopes 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14. This usually provides a regular RTP experience - video and audio are working smoothly, and screen sharing is not being delayed.

Kind regards,

Milos

Thank you Milos,

Do you have any idea how often those addresses change? We will probably subscribe to the RSS feed to get notifications, but I'm curious whether you have noticed any changes of addresses since you started excluding those subnets?

Best regards

/Chess

I configured those 3 like 2-3 years ago, and haven't changed them since.

Kind regards,

Milos

Karsten Iwen
VIP Mentor

I am using dynamic Split Excludes for this purpose. Works great. Here is a document that describes even fetching the routes dynamically:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215343-optimize-anyconnect-split-tunnel-for-off.html

Thank you Karsten,

We are using FTD appliances and not ASA, but I believe it can be done with FlexConfig. I might give it a try, but if those 3 subnets rarely change, it will probably be easier to just exclude them.

Best regards

/Chess
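
Added example, not posted by anyone in this thread: a small check for a statically configured split-exclude list, since excluded ranges leave the tunnel and should be neither narrower nor wider than what is currently published. `CONFIGURED` holds the three subnets quoted above; `PUBLISHED_SAMPLE` is constructed test data standing in for whatever list you track (it is not real Microsoft data), and the function names are hypothetical.

```python
import ipaddress

# Split-exclude ranges quoted in the thread above.
CONFIGURED = ["13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14"]

# CONSTRUCTED sample, not real published data: one range unchanged,
# one narrowed, one withdrawn, one new (203.0.113.0/24 is a documentation range).
PUBLISHED_SAMPLE = ["13.107.64.0/18", "52.112.0.0/15", "203.0.113.0/24"]


def _parse(cidrs):
    # strict=True rejects entries with host bits set, e.g. a typo like 52.112.1.0/14
    return [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs]


def _within(a, b):
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first
    return a.version == b.version and a.subnet_of(b)


def audit(configured, published):
    """Compare the VPN exclude list with the currently published ranges.

    missing: published ranges not covered by any exclude (media still tunneled)
    stale:   excludes matching no published range (bypass the tunnel for nothing)
    excess:  excludes wider than what is published, with the surplus address count
    """
    cfg, pub = _parse(configured), _parse(published)
    missing = [str(p) for p in pub if not any(_within(p, c) for c in cfg)]
    stale, excess = [], {}
    for c in cfg:
        if any(_within(c, p) for p in pub):
            continue  # exclude is fully justified by a published range
        inside = list(ipaddress.collapse_addresses(p for p in pub if _within(p, c)))
        if not inside:
            stale.append(str(c))
        else:
            excess[str(c)] = c.num_addresses - sum(n.num_addresses for n in inside)
    return {"missing": missing, "stale": stale, "excess": excess}


if __name__ == "__main__":
    for finding, value in audit(CONFIGURED, PUBLISHED_SAMPLE).items():
        print(f"{finding}: {value}")
```
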
