AnyConnect Split Tunnel Optimization for Microsoft Office 365 and Cisco Webex
Introduction
This document describes how to configure the Adaptive Security Appliance (ASA) to exclude traffic destined for Microsoft Office 365 (including Microsoft Teams) and Cisco Webex from the VPN tunnel. It covers both network-address exclusions and dynamic (FQDN-based) exclusions for the AnyConnect clients that support them.
Split Tunneling
The ASA must be configured with a split-exclude policy that lists the IPv4 and IPv6 destinations to be kept out of the tunnel. Unfortunately, the address list is dynamic and changes over time, so it cannot simply be hard-coded. See the Configuration section for a Python script, and a link to an online REPL, that retrieves the current list and produces a sample configuration.
Dynamic Split Tunnel
In addition to the list of split-exclude network addresses, dynamic split tunneling was added in AnyConnect 4.6 for Windows and macOS. Dynamic split tunneling uses the FQDN of the destination to decide whether a flow goes through the tunnel. The Python script also collects the endpoint FQDNs so they can be added to an AnyConnect custom attribute.
Configuration
Run this script in a Python 3 REPL, or in a hosted REPL environment such as https://repl.it/@ministryofjay/AnyConnectO365DynamicExclude.
import urllib.request
import uuid
import json
import re


def print_acl_lines(acl_name, ips, section_comment):
    # Prefix length (tuple index) to dotted-decimal netmask, /0 through /32
    slash_to_mask = (
        "0.0.0.0",
        "128.0.0.0",
        "192.0.0.0",
        "224.0.0.0",
        "240.0.0.0",
        "248.0.0.0",
        "252.0.0.0",
        "254.0.0.0",
        "255.0.0.0",
        "255.128.0.0",
        "255.192.0.0",
        "255.224.0.0",
        "255.240.0.0",
        "255.248.0.0",
        "255.252.0.0",
        "255.254.0.0",
        "255.255.0.0",
        "255.255.128.0",
        "255.255.192.0",
        "255.255.224.0",
        "255.255.240.0",
        "255.255.248.0",
        "255.255.252.0",
        "255.255.254.0",
        "255.255.255.0",
        "255.255.255.128",
        "255.255.255.192",
        "255.255.255.224",
        "255.255.255.240",
        "255.255.255.248",
        "255.255.255.252",
        "255.255.255.254",
        "255.255.255.255",
    )
    print(
        "access-list {acl_name} remark {comment}".format(
            acl_name=acl_name, comment=section_comment
        )
    )
    for ip in sorted(ips):
        if ":" in ip:
            # IPv6 address: ASA takes the prefix notation directly
            print(
                "access-list {acl_name} extended permit ip any6 {ip}".format(
                    acl_name=acl_name, ip=ip
                )
            )
        else:
            # IPv4 address: convert the prefix length to a netmask
            addr, slash = ip.split("/")
            slash_mask = slash_to_mask[int(slash)]
            print(
                "access-list {acl_name} extended permit ip any4 {addr} {mask}".format(
                    acl_name=acl_name, addr=addr, mask=slash_mask
                )
            )


# Fetch the current endpoints for O365
http_res = urllib.request.urlopen(
    url="https://endpoints.office.com/endpoints/worldwide?clientrequestid={}".format(
        uuid.uuid4()
    )
)
res = json.loads(http_res.read())
o365_ips = set()
o365_fqdns = set()
for service in res:
    # Only the "Optimize" category is excluded from the tunnel
    if service["category"] == "Optimize":
        for ip in service.get("ips", []):
            o365_ips.add(ip)
        for fqdn in service.get("urls", []):
            o365_fqdns.add(fqdn)

# Generate an ACL for the split-exclude networks
print("##### Step 1: Create an access-list to include the split-exclude networks\n")
acl_name = "ExcludeSass"
# O365 networks
print_acl_lines(
    acl_name=acl_name,
    ips=o365_ips,
    section_comment="v4 and v6 networks for Microsoft Office 365",
)
# Microsoft Teams
# https://docs.microsoft.com/en-us/office365/enterprise/office-365-vpn-implement-split-tunnel#configuring-and-securing-teams-media-traffic
print_acl_lines(
    acl_name=acl_name,
    ips=["13.107.60.1/32"],
    section_comment="v4 address for Microsoft Teams",
)
# Cisco Webex - per https://help.webex.com/en-us/WBX000028782/Network-Requirements-for-Webex-Teams-Services
webex_ips = [
    "64.68.96.0/19",
    "66.114.160.0/20",
    "66.163.32.0/19",
    "170.133.128.0/18",
    "173.39.224.0/19",
    "173.243.0.0/20",
    "207.182.160.0/19",
    "209.197.192.0/19",
    "216.151.128.0/19",
    "114.29.192.0/19",
    "210.4.192.0/20",
    "69.26.176.0/20",
    "62.109.192.0/18",
    "69.26.160.0/19",
]
print_acl_lines(
    acl_name=acl_name,
    ips=webex_ips,
    section_comment="IPv4 and IPv6 destinations for Cisco Webex",
)

# Edited April 1st, 2020
# Per advice from Microsoft, they do not recommend dynamic split tunneling for their Office 365 related properties
#
print("\n\n##### Step 2: Create an AnyConnect custom attribute for dynamic split excludes\n")
print("SKIP. Per Microsoft as of April 2020, they advise against using dynamic split tunneling for Office 365 related FQDNs")
# print(
#     """
# webvpn
#   anyconnect-custom-attr dynamic-split-exclude-domains description dynamic-split-exclude-domains
#
# anyconnect-custom-data dynamic-split-exclude-domains saas {}
# """.format(
#         ",".join([re.sub(r"^\*\.", "", f) for f in o365_fqdns])
#     )
# )

print("\n##### Step 3: Configure the split exclude in the group-policy\n")
print(
    """
group-policy GP1 attributes
 split-tunnel-policy excludespecified
 ipv6-split-tunnel-policy excludespecified
 split-tunnel-network-list value {acl_name}
""".format(
        acl_name=acl_name
    )
)
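The script above pulls the list live and prints it; before pushing the generated access-list, a practitioner usually wants to check what it would exclude from inspection. The following is an added example (not part of Cisco's script) that works offline on a constructed sample of the endpoints JSON, filters the "Optimize" category as the script does, renders ASA ACL lines with the standard ipaddress module instead of a mask table, builds the dynamic-split-exclude domain string from the Dynamic Split Tunnel section, and flags IPv4 prefixes broader than an assumed review threshold (MAX_PREFIX_WIDTH, /16), since every prefix in that ACL bypasses the VPN entirely.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of the Microsoft endpoints JSON
# (https://endpoints.office.com/endpoints/worldwide); not a live fetch.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "category": "Optimize",
     "ips": ["13.107.6.152/31", "2603:1006::/40", "40.96.0.0/13"],
     "urls": ["outlook.office.com", "*.sharepoint.com"]},
    {"id": 2, "category": "Allow",
     "ips": ["13.107.6.156/31"], "urls": ["*.office.com"]},
])

# Assumed review threshold: IPv4 prefixes shorter than this are flagged.
MAX_PREFIX_WIDTH = 16

def optimize_entries(endpoints_json):
    """Return (ips, fqdns) from 'Optimize' services only, as the page's script does."""
    ips, fqdns = set(), set()
    for service in json.loads(endpoints_json):
        if service["category"] != "Optimize":
            continue
        ips.update(service.get("ips", []))
        fqdns.update(service.get("urls", []))
    return ips, fqdns

def acl_line(acl_name, cidr):
    """Render one ASA extended ACL line; ipaddress derives the IPv4 netmask."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 6:
        return f"access-list {acl_name} extended permit ip any6 {net.with_prefixlen}"
    return (f"access-list {acl_name} extended permit ip any4 "
            f"{net.network_address} {net.netmask}")

def too_broad(cidrs, max_width=MAX_PREFIX_WIDTH):
    """IPv4 prefixes that take a large range out of the tunnel; review before pushing."""
    flagged = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4 and net.prefixlen < max_width:
            flagged.append(cidr)
    return sorted(flagged)

def dynamic_split_domains(fqdns):
    """Custom-attribute value: leading '*.' stripped, comma-joined, as in the script's Step 2."""
    return ",".join(sorted(re.sub(r"^\*\.", "", f) for f in fqdns))
```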
Verification
Once the user is connected, the Non-Secured Routes list in the AnyConnect route details should be populated with the addresses from the access-list, and the Dynamic Tunnel Exclusions list with the excluded FQDNs, if that custom attribute was configured.