I am in the process of setting this up for Microsoft O365 to use direct Internet access when on VPN, rather than full tunnel. As I define the custom attributes to match for the dynamic routing directly to Microsoft rather than through the tunnel, I'm wondering how to handle some of the defined domains listed by Microsoft.
I initially posted this question in the following discussion, but received no responses:
The Microsoft O365 URL and IP Address List can currently be found at:
So, there are many specific domain names (such as teams.microsoft.com), but then they also include wildcard names (*.teams.microsoft.com). From how the custom attribute is getting installed in the ASA, I suspect that it will be used to perform exact matches for the terms listed in the attributes, and won't understand that a wildcard term such as *.teams.microsoft.com should match 'test.teams.microsoft.com', 'prod.teams.microsoft.com', etc.
If that is the case, and the names in the custom attribute field need to be exact matches, is it necessary to just enter 'teams.microsoft.com' (no asterisk for wildcard), and the attribute will match for anything using that subdomain?
The other issue is that the Microsoft list is HUGE, but, according to the documentation, the custom attribute name parameter can contain a maximum of 421 characters, but then it says AnyConnect can accept a maximum of 5000 characters. So, it's somewhat confusing how to define these Microsoft-provided domains in custom attributes for the split tunnel, and whether they can even all be accommodated by custom attributes. One section (titled Microsoft 365 Common and Office Online) lists so many domains that it requires MANY custom attributes just to cover them all.
Browse to Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes screen.
Click Add and enter dynamic-split-exclude-domains as an attribute type and enter a description.
After you click to apply this new attribute, click on the AnyConnect custom attribute names link at the top of the UI screen.
Add the corresponding custom attribute names for each cloud/web service that needs access by the client from outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. Define these domains in the Value portion of the AnyConnect Custom Attribute Names screen, using the comma-separated-values (CSV) format, which separates domains by a comma character. AnyConnect only takes into account the first 5000 characters, excluding separator characters (roughly 300 typically-sized domain names). Domain names beyond that limit are ignored.
A custom attribute cannot exceed 421 characters. If a larger value is entered, ASDM breaks it into multiple values capped at 421 characters. All values for a certain attribute type and name are concatenated by ASA when the configuration is pushed to the client.
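The procedure quoted above leaves the two size limits (421 characters per ASDM value, 5000 non-separator characters honoured by the client) and the wildcard question to the administrator. The following script is an added example, not code from the thread, from Cisco or from Microsoft: it takes an endpoint list in the shape of Microsoft's JSON feed (a small constructed sample is embedded), normalises the entries, packs them into comma-separated values that each fit the 421-character cap without splitting a domain, and reports which domains would fall past the client's 5000-character budget. Two points are assumptions rather than documented behaviour: entries such as `*.teams.microsoft.com` are stored as `teams.microsoft.com` (the poster's hypothesis that the client treats the bare name as a suffix match), and entries with an interior wildcard such as `*-files.sharepoint.com` are set aside for manual review instead of being loaded. The `anyconnect-custom-data` command form used for the generated CLI lines is also an assumption to check against the ASA release in use.

```python
"""Pack an O365-style endpoint list into AnyConnect dynamic-split-exclude-domains
values. Added example; limits are taken from the documentation quoted in the thread."""

MAX_VALUE_LEN = 421       # ASDM splits a custom attribute value at this many characters
MAX_CLIENT_CHARS = 5000   # AnyConnect honours only the first 5000 non-separator characters
ATTR_TYPE = "dynamic-split-exclude-domains"

# Constructed sample in the shape of the Microsoft endpoint JSON feed (not the real list).
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "urls": ["outlook.office.com", "outlook.office365.com"]},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow",
     "urls": ["*.protection.outlook.com", "smtp.office365.com"]},
    {"id": 3, "serviceArea": "SharePoint", "category": "Allow",
     "urls": ["*.sharepoint.com", "*-files.sharepoint.com"]},
    {"id": 4, "serviceArea": "Skype", "category": "Optimize",
     "urls": ["*.teams.microsoft.com", "teams.microsoft.com"]},
    {"id": 5, "serviceArea": "Common", "category": "Default",
     "urls": ["*.office.net"]},
]


def normalize_domains(endpoints, categories=("Optimize", "Allow")):
    """Return (domains, needs_review). Leading '*.' is stripped (assumption: the bare
    name is what the attribute should carry); any other wildcard goes to needs_review."""
    seen, domains, needs_review = set(), [], []
    for ep in endpoints:
        if ep.get("category") not in categories:
            continue
        for url in ep.get("urls", []):
            name = url.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if "*" in name:             # interior wildcard: cannot be expressed as a plain domain
                needs_review.append(name)
                continue
            if name and name not in seen:
                seen.add(name)
                domains.append(name)
    return domains, needs_review


def pack_values(domains, value_cap=MAX_VALUE_LEN):
    """Group domains into comma-separated strings, each at most value_cap characters,
    never splitting a domain across two values."""
    values, current, length = [], [], 0
    for d in domains:
        if len(d) > value_cap:
            raise ValueError(f"domain longer than a single value: {d}")
        extra = len(d) + (1 if current else 0)   # +1 for the comma separator
        if length + extra > value_cap:
            values.append(",".join(current))
            current, length = [d], len(d)
        else:
            current.append(d)
            length += extra
    if current:
        values.append(",".join(current))
    return values


def client_budget(domains, budget=MAX_CLIENT_CHARS):
    """Split the ordered list into (kept, dropped): the client counts characters without
    separators and ignores every domain after the budget is exhausted."""
    used = 0
    for i, d in enumerate(domains):
        if used + len(d) > budget:
            return domains[:i], domains[i:]
        used += len(d)
    return list(domains), []


def asa_commands(attr_name, values):
    """Render one CLI line per packed value (command syntax assumed, see lead-in)."""
    return [f"anyconnect-custom-data {ATTR_TYPE} {attr_name} {v}" for v in values]


if __name__ == "__main__":
    doms, review = normalize_domains(SAMPLE_ENDPOINTS)
    kept, dropped = client_budget(doms)
    for line in asa_commands("O365_domains", pack_values(kept)):
        print(line)
    print("needs manual review:", review)
    print("beyond client budget:", dropped)
```

Running it against the real feed only needs `SAMPLE_ENDPOINTS` replaced by the parsed JSON; the `needs_review` list is the place to look for entries that the attribute format cannot carry, and a non-empty `dropped` list is the signal that the Optimize and Allow categories alone already exceed what the client will read.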
I am not sure I understand your setup. Where is your DNS server located? Are you using the ASA as a DNS server?
If you are using an internal DNS server (not the ASA), then all you need to do is configure split-tunnel to tunnel traffic for your internal networks. DNS traffic is tunneled by default, so as long as your internal DNS is able to resolve the O365 domains you should be good.
Please find below a guidance document for split-tunneling configuration.