
Exclude MS Teams traffic

Chess Norris
Level 4

Hello,

Is anyone using split tunneling to exclude MS Teams traffic?

We are using a "tunnel all" policy for our RA VPN users, but some users have issues when using MS Teams and we want to implement split tunneling to exclude the MS Teams traffic from being tunneled.

My initial thought was to use dynamic split tunneling and exclude all traffic to *.teams.microsoft.com, but according to this guide - "Securing Teams media traffic for VPN split tunneling" - it says "Some VPN client software allows routing manipulation based on URL. However, Teams media traffic has no URL associated with it, so control of routing for this traffic must be done using IP subnets."

So should we instead exclude the subnets described here under "Optimize IP address ranges"?  https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel?view=o365-worldwide 

Thanks

/Chess

5 Replies

Milos_Jovanovic
VIP Alumni

Hi @Chess Norris,

I'm using split-exclude quite often. I've tried playing around with excluding domains, but that wasn't working for me at that time. Instead, I'm excluding only "Optimize Required" traffic from this link - scopes 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14. This is usually providing regular RTP experience - video and audio are working smoothly, and screen sharing is not being delayed.

Kind regards,

Milos

Thank you Milos,

Do you have any idea on how often those addresses change? We will probably subscribe to the RSS feed to get notification, but I'm curious if you noticed any changes of addresses since you started excluding those subnets?

Best regards

/Chess

I configured those 3 like 2-3 years ago, and haven't changed them since.

Kind regards,

Milos

I am using dynamic Split Excludes for this purpose. Works great. Here is a document that describes even fetching the routes dynamically:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215343-optimize-anyconnect-split-tunnel-for-off.html

 

Thank you Karsten,

We are using FTD appliances and not ASA, but I believe it can be done with FlexConfig. I might give it a try, but if those 3 subnets rarely change, it will probably be easier to just exclude them.

Best regards

/Chess
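
For anyone keeping a static exclude list like the one in this thread, a drift check against the published "Optimize" ranges shows both gaps (media still tunneled) and excludes that are wider than what is published (traffic bypassing the VPN unnecessarily). This is an added example, not code from any poster or from Cisco or Microsoft; the feed sample is constructed, the JSON field names and the "Skype" service area are assumed to follow the Microsoft 365 endpoints web service layout, and the function names are hypothetical.

```python
import ipaddress
import json

# Subnets quoted in the thread as excluded from the tunnel.
CONFIGURED = ["13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14"]

# Constructed sample (not real published data), shaped like the endpoints
# web service output: one object per endpoint set.
SAMPLE_FEED = json.dumps([
    {"id": 1, "serviceArea": "Skype", "category": "Optimize",
     "ips": ["13.107.64.0/18", "52.112.0.0/14", "2001:db8::/48"]},
    {"id": 2, "serviceArea": "Skype", "category": "Optimize",
     "ips": ["52.122.0.0/15", "198.51.100.0/24"]},
    {"id": 3, "serviceArea": "Skype", "category": "Allow",
     "ips": ["203.0.113.10/32"]},
    {"id": 4, "serviceArea": "Skype", "category": "Default",
     "urls": ["*.teams.microsoft.com"]},  # URL-only entry, no "ips" key
])


def optimize_ipv4(feed_json, service_area="Skype"):
    """Return the IPv4 networks in the Optimize category for one service area."""
    nets = set()
    for entry in json.loads(feed_json):
        if entry.get("category") != "Optimize":
            continue
        if entry.get("serviceArea") != service_area:
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:  # the thread's exclude list is IPv4 only
                nets.add(net)
    return nets


def drift(configured, published):
    """Compare the exclude list with the published ranges.

    missing: published ranges not covered by any configured exclude.
    excess:  configured excludes not contained in any published range,
             i.e. more traffic leaves the tunnel than the feed justifies.
    """
    cfg = {ipaddress.ip_network(c) for c in configured}
    missing = sorted(p for p in published if not any(p.subnet_of(c) for c in cfg))
    excess = sorted(c for c in cfg if not any(c.subnet_of(p) for p in published))
    return [str(n) for n in missing], [str(n) for n in excess]


if __name__ == "__main__":
    missing, excess = drift(CONFIGURED, optimize_ipv4(SAMPLE_FEED))
    print("published but not excluded:", missing)
    print("excluded but not published:", excess)
```

In the constructed feed, 52.120.0.0/14 is reported as excess because only the narrower 52.122.0.0/15 is listed, and 198.51.100.0/24 is reported as missing.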