Split tunnel to Microsoft Office 365

Brian Koch
Level 1

I was wondering what the best way is to split tunnel to Microsoft O365. When working with split tunnelling in the past, I have had to use the IP address. The FQDN wouldn't work. Since Microsoft O365 is a cloud-based solution, the number of IP addresses would be quite large and would change continuously. This would be an administrative nightmare. Does anyone know a way to handle this? Thanks.

Accepted Solution

JP Miranda Z
Cisco Employee

Hi Brian Koch,

You can run dynamic split tunneling; with that you can exclude or include domains in the split tunnel configuration:

ASDM

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#task_ydq_tbw_tz

CLI

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect45/administration/guide/b_AnyConnect_Administrator_Guide_4-5/configure-vpn.html#reference_nbv_k44_xz

Keep in mind this is only going to work if you are running ASA 9.x and AnyConnect 4.5 or later.

Hope this info helps!!

Rate if it helps you!!

-JP-


11 Replies


I am in the process of setting this up for Microsoft O365 to use direct Internet access when on VPN, rather than full tunnel. As I define the custom attributes to match for the dynamic routing directly to Microsoft rather than through the tunnel, I'm wondering how to handle some of the defined domains listed by Microsoft.

The list can currently be found at:

URLs and IP Address Ranges

So, there are many specific domain names (such as teams.microsoft.com), but then they also include wildcard names (*.teams.microsoft.com). From how the custom attribute is getting installed in the ASA, I suspect that it will be used to perform exact matches for the terms listed in the attributes, and won't understand that a wildcard term such as *.teams.microsoft.com should match 'test.teams.microsoft.com', 'prod.teams.microsoft.com', etc.

If that is the case, and the names in the custom attribute field need to be exact matches, is it necessary to just enter 'teams.microsoft.com' (no asterisk for wildcard), and the attribute will match for anything using that subdomain?

The other issue is that the Microsoft list is HUGE, but, according to the documentation, the custom attribute name parameter can contain a maximum of 421 characters, but then it says AnyConnect can accept a maximum of 5000 characters. So, it's somewhat confusing how to define these Microsoft-provided domains into custom attributes for the split tunnel, and whether they can even all be accommodated by custom attributes. One section (titled Microsoft 365 Common and Office Online) lists so many domains that it requires MANY custom attributes just to cover them all.

Procedure

Step 1. Browse to Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes screen.

Step 2. Click Add and enter dynamic-split-exclude-domains as an attribute type and enter a description.

Step 3. After you click to apply this new attribute, click on the AnyConnect custom attribute names link at the top of the UI screen.

Step 4. Add the corresponding custom attribute names for each cloud/web service that needs access by the client from outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. Define these domains in the Value portion of the AnyConnect Custom Attribute Names screen, using the comma-separated-values (CSV) format, which separates domains by a comma character. AnyConnect only takes into account the first 5000 characters, excluding separator characters (roughly 300 typically-sized domain names). Domain names beyond that limit are ignored.

A custom attribute cannot exceed 421 characters. If a larger value is entered, ASDM breaks it into multiple values capped at 421 characters. All values for a certain attribute type and name are concatenated by ASA when the configuration is pushed to the client.

Hi Ron,

With the Coronavirus pandemic, everyone is working from home and that has caused HUGE CPU load on the ASAs. We split a tiny piece of traffic but we need to include a much more comprehensive list. We have split tunneling configured using the standard ACL applied to our group policies but we need to set up dynamic split tunneling as you described below. Do both these policies work at the same time? Or would I have to remove the standard ACL? Also, when you create a custom attribute, what exactly is entered in the attribute names? Would you be able to provide the syntax? And lastly, have you tried this and does it even work? I am looking to do this with other web services too, such as Google Play, etc.

Hi Nelson

For dynamic excludes you have to use: "dynamic-split-exclude-dns" as the attribute "type" and then add whatever you need as the names - so mine would be a name of "Split_Exclude_Cloud" with a value of "webex.com, teams.microsoft.com (etc)". They can co-exist with the standard split-tunnel ACL.

Kev

Hi,

The standard/classic split-tunnelling method (based on IP networks) is mutually exclusive with the dynamic split-tunneling method. You can choose one or the other, and it makes sense, as otherwise there will be a lot of confusion. Check this guide in order to implement the model which best fits your requirements.

Regards,

Cristian Matei.

That's not strictly true - the document says it can be done, but collisions can occur when the ranges overlap. Static entries from an ACL take precedence over dynamic lists, so if you have something that overlaps, it will go where the ACL sends it.

From the 4.6 administration guide, "outcome of overlapping scenarios with split tunneling configuration":

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/administration/guide/b_AnyConnect_Administrator_Guide_4-6/configure-vpn.html#reference_xqn_dvl_pbb

"Dynamic inclusion or exclusion covers only IP addresses not already included or excluded. When both static and some form of dynamic tunneling is applied and a new inclusion or exclusion needs to be enforced, a collision with an already applied inclusion or exclusion may occur. When a dynamic exclusion is enforced (which contains all IP addresses that are part of a DNS response matching an excluded domain name), only those addresses not already excluded are considered for exclusion. Likewise, when a dynamic inclusion is enforced (which contains all IP addresses that are part of a DNS response matching an included domain name), only those addresses not already included are considered for inclusion.

Static public routes (such as split-exclude and critical routes such as the secure gateway route) take precedence over dynamic split include routes. For that reason, if at least one IP address of the dynamic inclusion matches a static public route, the dynamic inclusion is not enforced.

Similarly, static split-include routes take precedence over dynamic split exclude routes. For that reason, if at least one IP address of the dynamic exclusion matches a static split-include route, the dynamic exclusion is not enforced."

Hi,

@kev-matthews That is correct, the overlapping I had in mind was when you have a crossover of policies (dynamic and standard), which are incoherent, like static excludes of some networks and dynamic includes of the same networks. In the end, the dynamic split-tunnelling came as a needed feature for mostly cloud resources where IPs may change, even based on your location. So, to keep things simple and avoid running into obvious bugs, I would choose the exclude or include split option, and make use of static and/or dynamic as needed, as this way there is no overlapping:

- static split policy for networks where IPs don't change
- dynamic split policy for networks where IPs do change

Regards,

Cristian Matei.

We had both IPs and dynamic DNS names applied from Microsoft's O365 URLs and IP address range doc in our AnyConnect configuration. In doing so, we had all kinds of strange behavior with Outlook disconnecting and reconnecting. When testing exclusively with dynamic names, it worked, and then testing exclusively with the IP ranges it also worked, but having both gave us mixed results. So maybe a bug, as you mentioned. We ended up going with IPs using split tunneling since Microsoft isn't changing IPs during the pandemic, and we know that works. I am curious to see what others experience when trying to combine the two or if using dynamic lists is everyone's preference.

Hi Ron (and anyone that's looking for an answer on this),

I've tested in my lab this afternoon as we have an ask around O365. The URL filtering looks like it works as follows:

If you add teams.microsoft.com, it covers *.teams.microsoft.com and teams.microsoft.com, but not microsoft.com or *.microsoft.com.

This allows you to be smart with the URLs that you're putting in the list. I see there are several different URLs for sharepointonline:

"*.sharepointonline.com, cdn.sharepointonline.com, privatecdn.sharepointonline.com, publiccdn.sharepointonline.com, static.sharepointonline.com" So you could just cover that with:

"sharepointonline.com"

Hope that helps :)
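The matching behaviour Kev reports above (an entry covers itself and all of its subdomains, but not its parent), together with the 421-character-per-value and 5000-character client limits Ron quoted from the ASDM guide, is enough to mechanise the list-shrinking Kev describes. The following Python is an added example and is not code from the thread, from Cisco or from Microsoft: the sample domains are constructed in the style of Microsoft's list (not the real list), the attribute and group-policy names are placeholders, and the ASA command syntax emitted by render_asa_cli is my reading of the CLI guide linked in the accepted answer, an assumption to verify against that guide before use.

```python
"""Added example: build an AnyConnect dynamic split-exclude domain list from an
O365-style URL list, applying the suffix-match behaviour observed in the thread
and the 421 / 5000 character limits quoted from the ASDM guide."""

PER_VALUE_LIMIT = 421      # chars per custom-attribute value, commas included
CLIENT_TOTAL_LIMIT = 5000  # chars AnyConnect honours, separators excluded

# Constructed sample in the style of Microsoft's published list (not the real list).
SAMPLE_LIST = [
    "teams.microsoft.com",
    "*.teams.microsoft.com",
    "*.sharepointonline.com",
    "cdn.sharepointonline.com",
    "privatecdn.sharepointonline.com",
    "publiccdn.sharepointonline.com",
    "static.sharepointonline.com",
    "outlook.office.com",
    "*.outlook.office.com",
    "*.office.com",
]


def normalise(entry):
    """Lower-case, drop a trailing dot and a leading '*.' wildcard."""
    name = entry.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def matches(rule, host):
    """Label-wise suffix match, as observed in the lab test: a rule covers
    itself and any subdomain, but 'notteams.microsoft.com' is not covered by
    'teams.microsoft.com' because the comparison is on whole labels."""
    rule, host = normalise(rule), normalise(host)
    return host == rule or host.endswith("." + rule)


def minimal_cover(entries):
    """Keep only entries not already covered by a shorter (parent) entry.
    A parent has fewer labels than its children, so visiting names in order
    of label count guarantees the parent is kept before a child is examined."""
    names = sorted({normalise(e) for e in entries}, key=lambda n: n.count("."))
    kept = []
    for name in names:
        if not any(matches(k, name) for k in kept):
            kept.append(name)
    return sorted(kept)


def payload_length(names):
    """Characters the client counts toward its 5000 limit (separators excluded)."""
    return sum(len(n) for n in names)


def within_client_limit(names):
    return payload_length(names) <= CLIENT_TOTAL_LIMIT


def chunk_values(names, limit=PER_VALUE_LIMIT):
    """Pack comma-separated names into values no longer than `limit` characters,
    i.e. do explicitly what ASDM does when it splits an over-long value."""
    chunks, current = [], ""
    for name in names:
        if len(name) > limit:
            raise ValueError(f"{name!r} alone exceeds {limit} characters")
        candidate = name if not current else f"{current},{name}"
        if len(candidate) > limit:
            chunks.append(current)
            current = name
        else:
            current = candidate
    if current:
        chunks.append(current)
    return chunks


def render_asa_cli(attr_name, chunks, group_policy):
    """Emit ASA CLI lines for the exclude list.  ASSUMPTION: the command forms
    below are my reading of the AnyConnect CLI guide linked in the accepted
    answer; confirm them against that guide before pasting into a device."""
    lines = [
        "webvpn",
        " anyconnect-custom-attr dynamic-split-exclude-domains description O365 direct to Internet",
    ]
    for chunk in chunks:
        lines.append(f"anyconnect-custom-data dynamic-split-exclude-domains {attr_name} {chunk}")
    lines += [
        f"group-policy {group_policy} attributes",
        f" anyconnect-custom dynamic-split-exclude-domains value {attr_name}",
    ]
    return lines


if __name__ == "__main__":
    cover = minimal_cover(SAMPLE_LIST)
    print("minimal list:", cover, "| client payload chars:", payload_length(cover))
    # Placeholder attribute and group-policy names.
    for line in render_asa_cli("Split_Exclude_O365", chunk_values(cover), "GP_REMOTE"):
        print(line)
```

Two points of design worth noting. First, collapsing entries such as *.office.com and outlook.office.com down to office.com excludes every office.com host from the tunnel, which is broader than the entries Microsoft actually published; that is the trade-off behind "be smart with the URLs", so review the computed cover against your own policy before deploying it. Second, chunk_values counts the commas because the 421-character cap applies to the stored value, while payload_length leaves them out, matching the guide's statement that the client excludes separator characters from its 5000-character count.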

Thanks for testing this out and posting your results. It will be really helpful to reduce the size of the defined list.

Regarding the size limitation... were you able to build a complete O365 list using the method you tested, and fit it into one list?

It is still the same using IP addresses. Nothing has changed.