AnyConnect Split Tunnel Optimization for Microsoft Office 365 and Cisco Webex

Introduction

This document describes how to configure a Cisco Adaptive Security Appliance (ASA) so that traffic destined for Microsoft Office 365 (including Microsoft Teams) and Cisco Webex is excluded from the VPN tunnel. It covers both static network-address exclusions and dynamic (FQDN-based) exclusions for the AnyConnect clients that support them.

Split Tunneling

The ASA must be configured with a split-tunnel policy of "exclude specified" together with the list of IPv4 and IPv6 destinations that are to bypass the tunnel. Unfortunately, Microsoft's address list is dynamic and changes over time, so a static ACL will drift out of date. See the Configuration section for a Python script (and a link to an online REPL) that retrieves the current list and generates a sample configuration; rerun it periodically and diff the output against the running ACL.

Dynamic Split Tunnel

In addition to the list of split-exclude network addresses, dynamic split tunneling was added in AnyConnect 4.6 for Windows and macOS. Dynamic split tunneling uses the destination FQDN to decide whether traffic should go through the tunnel: the client watches DNS responses for the configured domains and excludes the addresses they resolve to. The Python script also collects the FQDNs of the Optimize endpoints so they can be added to an AnyConnect custom attribute, although that step is left commented out because Microsoft advises against FQDN-based exclusions for Office 365 (see the note in the script).

Configuration

Run this script in a Python 3 REPL, or run it in an online REPL environment such as https://repl.it/@ministryofjay/AnyConnectO365DynamicExclude.

import urllib.request
import uuid
import json
import re


def print_acl_lines(acl_name, ips, section_comment):
    # Prefix length -> dotted netmask, index 0 (/0) through 32 (/32)
    slash_to_mask = (
        "0.0.0.0", "128.0.0.0", "192.0.0.0", "224.0.0.0",
        "240.0.0.0", "248.0.0.0", "252.0.0.0", "254.0.0.0",
        "255.0.0.0", "255.128.0.0", "255.192.0.0", "255.224.0.0",
        "255.240.0.0", "255.248.0.0", "255.252.0.0", "255.254.0.0",
        "255.255.0.0", "255.255.128.0", "255.255.192.0", "255.255.224.0",
        "255.255.240.0", "255.255.248.0", "255.255.252.0", "255.255.254.0",
        "255.255.255.0", "255.255.255.128", "255.255.255.192", "255.255.255.224",
        "255.255.255.240", "255.255.255.248", "255.255.255.252", "255.255.255.254",
        "255.255.255.255",
    )
    print("access-list {acl_name} remark {comment}".format(acl_name=acl_name, comment=section_comment))
    for ip in sorted(ips):
        if ":" in ip:
            # IPv6 address: the ASA accepts prefix notation directly
            print("access-list {acl_name} extended permit ip any6 {ip}".format(acl_name=acl_name, ip=ip))
        else:
            # IPv4 address: convert the prefix length to a dotted mask
            addr, slash = ip.split("/")
            slash_mask = slash_to_mask[int(slash)]
            print("access-list {acl_name} extended permit ip any4 {addr} {mask}".format(acl_name=acl_name, addr=addr, mask=slash_mask))


# Fetch the current endpoints for O365
http_res = urllib.request.urlopen(
    url="https://endpoints.office.com/endpoints/worldwide?clientrequestid={}".format(uuid.uuid4())
)
res = json.loads(http_res.read())

o365_ips = set()
o365_fqdns = set()
for service in res:
    # Only the "Optimize" category is meant to bypass the VPN
    if service["category"] == "Optimize":
        for ip in service.get("ips", []):
            o365_ips.add(ip)
        for fqdn in service.get("urls", []):
            o365_fqdns.add(fqdn)

# Generate an ACL for the split exclude
print("##### Step 1: Create an access-list to include the split-exclude networks\n")
acl_name = "ExcludeSass"
# O365 networks
print_acl_lines(
    acl_name=acl_name,
    ips=o365_ips,
    section_comment="v4 and v6 networks for Microsoft Office 365",
)
# Microsoft Teams
# https://docs.microsoft.com/en-us/office365/enterprise/office-365-vpn-implement-split-tunnel#configuring-and-securing-teams-media-traffic
print_acl_lines(
    acl_name=acl_name,
    ips=["13.107.60.1/32"],
    section_comment="v4 address for Microsoft Teams",
)
# Cisco Webex - per https://help.webex.com/en-us/WBX000028782/Network-Requirements-for-Webex-Teams-Services
webex_ips = [
    "64.68.96.0/19",
    "66.114.160.0/20",
    "66.163.32.0/19",
    "170.133.128.0/18",
    "173.39.224.0/19",
    "173.243.0.0/20",
    "207.182.160.0/19",
    "209.197.192.0/19",
    "216.151.128.0/19",
    "114.29.192.0/19",
    "210.4.192.0/20",
    "69.26.176.0/20",
    "62.109.192.0/18",
    "69.26.160.0/19",
]
print_acl_lines(
    acl_name=acl_name,
    ips=webex_ips,
    section_comment="IPv4 and IPv6 destinations for Cisco Webex",
)

# Edited April 1st, 2020
# Per advice from Microsoft, they do NOT recommend using dynamic split tunneling
# for their Office 365 related properties, so Step 2 is skipped.
print("\n\n##### Step 2: Create an AnyConnect custom attribute for dynamic split excludes\n")
print("SKIP. Per Microsoft as of April 2020, they advise against FQDN-based split tunneling for Office 365")
# print("""
# webvpn
#  anyconnect-custom-attr dynamic-split-exclude-domains description dynamic-split-exclude-domains
#
# anyconnect-custom-data dynamic-split-exclude-domains saas {}
# """.format(",".join([re.sub(r"^\*\.", "", f) for f in o365_fqdns])))

print("\n##### Step 3: Configure the split exclude in the group-policy\n")
print("""
group-policy GP1 attributes
 split-tunnel-policy excludespecified
 ipv6-split-tunnel-policy excludespecified
 split-tunnel-network-list value {acl_name}
""".format(acl_name=acl_name))
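The script above needs network access to endpoints.office.com. As an added example, not part of the original document or of Cisco's script, the following self-contained Python 3 program does the same parsing and ACL generation offline against a constructed sample in the shape of the Office 365 endpoints JSON (the ids, prefixes and FQDNs are illustrative, not a current copy of Microsoft's data). It uses the standard-library ipaddress module instead of a hand-maintained mask table, so a malformed prefix raises an error instead of producing a wrong mask, filters to the Optimize category, collapses overlapping prefixes before emitting ACL entries, and also builds the wildcard-stripped FQDN list that dynamic split exclude would consume. The function names, the sample data and the group-policy name GP1 are the example's own assumptions.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of the Office 365 endpoints JSON
# (https://endpoints.office.com/endpoints/worldwide). Values are
# illustrative, not a current copy of Microsoft's published data.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/40"],
     "tcpPorts": "443"},
    {"id": 31, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22", "2603:1061:1300::/40"],
     "tcpPorts": "443"},
    {"id": 11, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "urls": ["*.lync.com", "*.teams.microsoft.com"],
     "ips": ["13.107.64.0/18", "52.112.0.0/14"],
     "udpPorts": "3478,3479,3480,3481"},
    # "Allow" category entries must stay inside the tunnel, so they are skipped
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "urls": ["*.mail.protection.outlook.com"],
     "ips": ["40.92.0.0/15"],
     "tcpPorts": "25,443"},
])


def optimize_endpoints(endpoints_json):
    """Return (set of ip_network objects, set of FQDNs) for the Optimize category only."""
    nets, fqdns = set(), set()
    for service in json.loads(endpoints_json):
        if service.get("category") != "Optimize":
            continue
        for prefix in service.get("ips", []):
            # ip_network rejects anything that is not a valid CIDR string;
            # strict=False tolerates a prefix published with host bits set.
            nets.add(ipaddress.ip_network(prefix, strict=False))
        for fqdn in service.get("urls", []):
            fqdns.add(fqdn)
    return nets, fqdns


def acl_lines(acl_name, nets, remark):
    """Render ASA extended ACL entries; overlapping prefixes are collapsed first."""
    lines = ["access-list {} remark {}".format(acl_name, remark)]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    for net in ipaddress.collapse_addresses(v4):
        lines.append("access-list {} extended permit ip any4 {} {}".format(
            acl_name, net.network_address, net.netmask))
    for net in ipaddress.collapse_addresses(v6):
        lines.append("access-list {} extended permit ip any6 {}".format(acl_name, net))
    return lines


def dynamic_split_domains(fqdns):
    """FQDN list for anyconnect-custom-data: leading '*.' stripped, deduplicated, sorted."""
    return sorted({re.sub(r"^\*\.", "", f) for f in fqdns})


def render_config(acl_name="ExcludeSass", group_policy="GP1"):
    """ACL plus the group-policy lines that bind it as a split-exclude list."""
    nets, _ = optimize_endpoints(SAMPLE_ENDPOINTS)
    out = acl_lines(acl_name, nets, "Office 365 Optimize networks (sample data)")
    out += [
        "group-policy {} attributes".format(group_policy),
        " split-tunnel-policy excludespecified",
        " ipv6-split-tunnel-policy excludespecified",
        " split-tunnel-network-list value {}".format(acl_name),
    ]
    return out


if __name__ == "__main__":
    print("\n".join(render_config()))
    print("! FQDN candidates for dynamic split exclude (Microsoft advises against this for O365):")
    print(",".join(dynamic_split_domains(optimize_endpoints(SAMPLE_ENDPOINTS)[1])))
```

Swapping SAMPLE_ENDPOINTS for the body returned by the endpoints URL gives a drop-in replacement for the fetch-and-print logic above; the collapse step matters because Microsoft's list occasionally contains prefixes that are covered by larger ones, and duplicate ACL entries only waste ASA ACL capacity.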

Note: Microsoft recommends that traffic destined for its key Office 365 services be excluded from the VPN by configuring split tunneling with the published IPv4 and IPv6 address ranges. For best performance and the most efficient use of VPN capacity, traffic to the dedicated ranges for Exchange Online, SharePoint Online and Microsoft Teams (the Optimize category in Microsoft's documentation) should be routed directly, outside the VPN tunnel. See "Optimizing Office 365 connectivity for remote users using VPN split tunnelling" for more detail on this recommendation.

Note: As of early April 2020, Microsoft Teams relies on the address 13.107.60.1/32 being excluded from the tunnel. See "Configuring and securing Teams media traffic" for more information.

Verification

Once the user is connected, the AnyConnect client's Route Details should show the "Non-Secured Routes" list populated with the addresses from the access list, and, if dynamic split tunneling was configured, the "Dynamic Tunnel Exclusions" list populated with the domains resolved so far. On the ASA, show running-config access-list ExcludeSass confirms that the generated entries were applied, and show vpn-sessiondb anyconnect lists the connected sessions and the group policy they received.
