For the safety of their organizations, and to help stop the spread of COVID-19/Coronavirus, our customers have moved all non-essential employees to work from home. The increase in volume of remote workers has resulted in considerable added load on Security Gateways, and customers are requesting guidance from Microsoft and Check Point on how to alleviate this additional workload while still maintaining an acceptable security posture.
Microsoft has made two recommendation to customers using Office 365 applications to optimize user experience:
1. Split tunnel, or make a forced tunnel exception for the Office 365 “Optimize” marked endpoints, instead of routing them over a VPN tunnel.
2. Implement this using the relevant IP address ranges provided by Microsoft, rather than using O365 FQDNs
This article describes how to achieve this when using a Check Point VPN client. While sending these connections directly to the Office 365 services alleviates the load on Check Point Security Gateways, it also removes this traffic from the path of Threat Prevention inspection those same gateways provide. Customers should evaluate if split-tunneling this traffic meets their security posture needs. **Please note: The hub mode feature in step 8 is essential to Split Tunnel functionality.
The feature allows for forwarding VPN traffic to destinations in other VPN Sites, or to other clients currently connected to the same Security Gateway.
Configure Check Point VPN Clients to split tunnel Office 365 traffic
1. Open SmartConsole and go to Global Properties
> Remote Access
> Endpoint Connect
2. Change "Route all traffic to gateway" to No
. Then click OK
. (If this setting is set to Configured on endpoint client the end user can modify their local VPN client settings to negate what this SK is providing)
3. Modify the existing Remote Access VPN domain. Create a group for Office 365 addresses: New
> Network Group
4. Create a group with an exclusion and add o365 group as the exclusion: New
> Network Object
> Group with Exclusion
s > enc_domain
5. Open the relevant Gateway/Cluster Properties and navigate to Network Management
> VPN Domain
6. Specify enc_domain
as the VPN domain for the Remote Access Community.
7. Navigate to VPN Clients
> Remote Access
> Hub Mode configuration
8. Make sure the checkbox for "Allow VPN clients to route traffic through this gateway" is selected.
9. Populate the Office 365 group with MS Optimized IP addresses. That list of IP addresses is here
) Automate Office 365 address updates by importing IP Address objects directly from Microsoft’s public feed using the IPaddressFeed2CheckPoint
script from our Community Github page. (Special thanks to Nuuul from CheckMates for sharing this script).
11. If there are multiple Gateways in the Remote Access Community , this should be implemented on all the RA Gateways in the environment.
12. Verify connectivity.
- Once your Check Point VPN client is connected, you can run netstat -rn from the command prompt to verify that there are No Office 365 networks inside. This means traffic will traverse through the user's internet connection.
- You can also run a packet capture on the external interface of your Security Gateway and look for an IP that is inside the Office 365 range. You should not see your connection attempts to Office 365 because it is going directly from the user's internet connection.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.