cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
419
Views
0
Helpful
3
Replies
Highlighted
Beginner

New Question on AnyConnect Split Tunnel Setup for O365

I am in the process of setting this up for Microsoft O365 to use direct Internet access when on VPN, rather than full tunnel.  As I define the custom attributes to match for the dynamic routing directly to Microsoft rather than through the tunnel, I'm wondering how to handle some of the defined domains listed by Microsoft.

I initially posted this question in the following discussion, but received no responses:

https://community.cisco.com/t5/vpn/split-tunnel-to-microsoft-office-365/td-p/3771642 

 

The Microsoft O365 URL and IP Address List can currently be found at:

URLs and IP Address Ranges 

So, there are many specific domain names (such as teams.microsoft.com), but then they also include wildcard names (*.teams.microsoft.com).  From how the custom attribute is getting installed in the ASA, I suspect that it will be used to perform exact matches for the terms listed in the attributes, and won't understand that a wildcard term such as *.teams.microsoft.com should match 'test.teams.microsoft.com', 'prod.teams.microsoft.com', etc.

 

If that is the case, and the names in the custom attribute field need to be exact matches, is it necessary to just enter 'teams.microsoft.com' (no asterisk for wildcard), and the attribute will match for anything using that subdomain?

 

The other issue is that the Microsoft list is HUGE, but, according to the documentation, the custom attribute name parameter can contain a maximum of 421 characters, but then it says Anyconnect can accept a maximum of 5000 characters.  So, it's somewhat confusing how to define these Microsoft-provided domains into custom attributes for the split tunnel, and whether they can even all be accommodated by custom attributes.  One section (titled Microsoft 365 Common and Office Online) lists so many domains that it requires MANY custom attributes just to cover them all.

 

Procedure

Step 1

Browse to Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes screen.

Step 2

Click Add and enter dynamic-split-exclude-domains as an attribute type and enter a description.

Step 3

After you click to apply this new attribute, click on the AnyConnect custom attribute names link at the top of the UI screen.

Step 4

Add the corresponding custom attribute names for each cloud/web service that needs access by the client from outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. Define these domains in the Value portion of the AnyConnect Custom Attribute Names screen, using the comma-separated-values (CSV) format, which separates domains by a comma character. AnyConnect only takes into account the first 5000 characters, excluding separator characters (roughly 300 typically-sized domain names). Domain names beyond that limit are ignored.

A custom attribute cannot exceed 421 characters. If a larger value is entered, ASDM breaks it into multiple values capped at 421 characters. All values for a certain attribute type and name are concatenated by ASA when the configuration is pushed to the client.

 

 
Everyone's tags (2)
3 REPLIES 3
Highlighted
VIP Advisor

Re: New Question on AnyConnect Split Tunnel Setup for O365

I am not sure I understand your setup.  Where is your DNS server located? are you using the ASA as a DNS server?

If you are using an internal DNS server (not ASA) Then all you need to do is configure split-tunnel to tunnel traffic for your internal networks.  DNS traffic is tunneled by default so as long as your internal DNS is able to resolve the O365 domains you should be good.

--
Please remember to select a correct answer and rate helpful posts
Highlighted
Cisco Employee

Re: New Question on AnyConnect Split Tunnel Setup for O365

When you specify a domain name in dynamic-split-exclude-domains Like youtube.com the ASA will include all its Sub-Domains (xxx.youtube.com). it's like using a wildcard (*) but you can configure it with "*", and if you configured it on debugs you will see the client complaining that "the configuration received from the gateway is invalid".

As about the second Query, a custom attribute name can have max 5000 characters divided into multiple values entries for the same custom attribute name, each value can't exceed 421 characters.
Highlighted
Beginner

Re: New Question on AnyConnect Split Tunnel Setup for O365