KB44417 - Best practices to configure split tunneling to exclude Office365 applications


Information

 
Last Modified Date: 4/14/2020 5:02 PM
Synopsis
This article describes best practices for configuring split tunneling with Pulse Secure to exclude Microsoft Exchange, Office, SharePoint, and Teams traffic from the VPN tunnel.
Problem or Goal
Due to excessive pressure on bandwidth and network capability, best-practice options have been requested to reduce the load from non-internal applications. The Office 365 suite of applications can have a large impact on network load.
Cause
Solution

Important! Microsoft has put a moratorium on IP changes until at least June 30, 2020.


The recommendation is to use IP-based split tunneling rules to exclude the following services:

  • Exchange
  • SharePoint
  • Teams

For updates on the policies, please subscribe to the following URLs (for when changes may occur, both during this time of crisis and in the future):

To configure split tunneling for excluding the above sites:

  1. Log in to the PCS appliance
  2. Navigate to Users > Resource Policies > VPN Tunneling > Split tunneling Networks
  3. Create a new policy
  4. Set a policy name
  5. The IPv4 addresses to set are:

The IPv6 addresses to set are:

  6. Define the roles that should use this policy
  7. Set the action to Exclude (this excludes only these IPs from the tunnel and sends all other traffic to the corporate network)
  8. Click Save Changes
  9. Navigate to Users > User Roles > roleName > VPN Tunneling > Options (this should be done for each role listed in the split tunneling networks policy)
  10. Set the option for Split Tunneling to Enabled
  11. Click Save Changes
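
With the Exclude action, every listed range leaves the tunnel, so a mistyped or over-broad entry silently moves traffic off the corporate network path. The following is an added example (not part of the original article or of Pulse Secure's tooling) that lints an exclude list before it is entered and models the resulting routing decision; the sample entries are constructed documentation ranges and the minimum prefix lengths are assumptions.

```python
import ipaddress

# Constructed sample entries (documentation ranges), not the article's list.
SAMPLE_EXCLUDES = [
    "192.0.2.0/24",
    "192.0.2.128/25",     # redundant: already covered by 192.0.2.0/24
    "198.51.100.10/31",
    "198.51.100.77/24",   # host bits set: 198.51.100.0/24 was probably meant
    "2001:db8:a00::/40",
    "0.0.0.0/1",          # far too broad for an exclude rule
]

# Assumption: shortest prefix accepted per IP version; tune to local policy.
MIN_PREFIX = {4: 13, 6: 36}


def lint_excludes(entries, min_prefix=MIN_PREFIX):
    """Return (networks, findings); findings is a list of (entry, issue)."""
    networks, findings = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # Parse again leniently to tell a typo from garbage input.
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((entry, "invalid"))
                continue
            findings.append((entry, "host-bits-set"))
        if net.prefixlen < min_prefix[net.version]:
            findings.append((entry, "too-broad"))
            continue  # drop ranges that would bypass the tunnel wholesale
        if any(n.version == net.version and net.subnet_of(n) for n in networks):
            findings.append((entry, "redundant"))
        networks.append(net)
    return networks, findings


def route_for(dest, networks):
    """Exclude action: listed destinations go direct, all else is tunneled."""
    addr = ipaddress.ip_address(dest)
    hit = any(addr.version == n.version and addr in n for n in networks)
    return "direct" if hit else "tunnel"
```

Entries flagged `host-bits-set` are kept in normalised form, so review them before use: the normalised network may be wider than the single host that was intended.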

Note: If a proxy is being used, the Office 365 host names will need to be excluded from the proxy so that the VPN tunneling policy that allows direct access can be used.

The attached XML file is configured with a sample entry of the above. It is configured for all roles but will not impact any role until split tunneling has been enabled.

To import, please perform the following steps:

  1. Save the file to your local system
  2. Log in to the PCS
  3. Navigate to Maintenance > Import/Export > Import XML
  4. Click Browse
  5. Navigate to the XML file and select it
  6. Click Import
Related Links
Created By: Nick Christen
