How to configure Split Tunnel for Office 365 and other SaaS Applications
Solution

Background

For the safety of their organizations, and to help stop the spread of COVID-19/Coronavirus, many Check Point customers have moved all non-essential employees to work from home. The increase in volume of remote workers has resulted in considerable added load on Security Gateways, and customers are requesting guidance from Microsoft and Check Point to alleviate this additional workload while still maintaining an acceptable security posture.

Microsoft made two recommendations to customers using Office 365 applications to optimize the user experience:

1. Instead of routing remote users over a VPN tunnel, use a Split tunnel or make a forced tunnel exception for the Office 365 “Optimize” marked endpoints.

2. Use the IP address ranges that Microsoft publishes for those endpoints rather than the Office 365 FQDNs. Note: The VPN domain exclusion described below is address-based; configuring exclusions by URL is not supported.

This article describes how to implement Microsoft's recommendations with a Check Point VPN client. Sending these connections directly to the Office 365 services relieves load on the Security Gateway, but the gateway's Threat Prevention blades then never see this traffic. Customers should evaluate whether split-tunneling it meets their security needs.

Note: To implement this solution on a single Security Gateway, see sk111995.

Configuring Check Point VPN Clients to split tunnel Office 365 traffic

  1. Open SmartConsole and go to Global Properties > Remote Access > Endpoint Connect.

  2. Change Route all traffic to gateway to No.

  3. Click OK.  (Note: If this setting is set to Configured on endpoint client, it is possible for the end user to modify local VPN client settings to conflict with the new configuration.)

  4. Modify the existing Remote Access VPN domain. Create a group for Office 365 addresses: New > Network Group > o365_address_ranges.

  5. Create a group with an exclusion and add o365 group as the exclusion: New > More > Network Object > Group > Group with Exclusions > enc_domain.

  6. Open the relevant Gateway/Cluster Properties and navigate to Network Management > VPN Domain.

  7. Specify enc_domain as the VPN domain for the Remote Access Community.

  8. Navigate to VPN Clients > Remote Access > Hub Mode configuration.

  9. Make sure the checkbox for Allow VPN clients to route traffic through this gateway is selected.

    Important note: The hub mode feature in this step is essential to Split Tunnel functionality. The feature allows for forwarding VPN traffic to destinations in other VPN Sites, or to other clients currently connected to the same Security Gateway.

  10. Populate the Office 365 group with the IP address ranges that Microsoft marks as "Optimize". Microsoft publishes that list in its Office 365 URLs and IP address ranges documentation and through the Office 365 IP Address and URL web service; only the Optimize category belongs in the exclusion, not the Allow or Default categories.

  11. (Optional) Automate Office 365 address updates by importing IP address objects directly from Microsoft's public feed using the IPaddressFeed2CheckPoint script from the Check Point Community GitHub page. (Special thanks to Nuuul from CheckMates for sharing this script.)

  12. Verify connectivity.

    1. Once the Check Point VPN client is connected, run netstat -rn from the command prompt and verify that no route for an Office 365 range points at the VPN adapter (the Office Mode address). Those destinations then leave through the user's own internet connection instead of the tunnel.

    2. You can also run a packet capture on the external interface of the Security Gateway, filtered on an address inside the Office 365 ranges. You should not see the client's connection attempts to Office 365 there, because that traffic goes directly from the user's internet connection.
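The following script is an added example and is not part of this article, the IPaddressFeed2CheckPoint script, or any Check Point product. It ties steps 10 to 12 together: it picks the "Optimize" ranges out of a constructed sample shaped like Microsoft's Office 365 IP Address and URL web service JSON, emits the Management API (mgmt_cli) calls that would create the network objects, the o365_address_ranges group and the enc_domain Group with Exclusions, and then checks a constructed Windows netstat -rn output for Office 365 ranges that still route into the tunnel. The sample feed values, the Office Mode address 172.16.5.7, the object naming scheme and the internal_networks include group are assumptions made for the example.

```python
"""Build the Office 365 'Optimize' exclusion list from Microsoft's endpoint
feed, emit the Check Point objects for it, and check a client's routing table
for O365 ranges that still point into the VPN tunnel (steps 10-12 above)."""
import ipaddress
import json

# Constructed sample in the shape of Microsoft's Office 365 IP Address and URL
# web service JSON. Ranges are illustrative only; pull the live feed for production.
SAMPLE_FEED = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/40"],
     "urls": ["outlook.office.com"], "tcpPorts": "443"},
    {"id": 31, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "ips": ["13.107.136.0/22", "40.108.128.0/17"], "urls": ["*.sharepoint.com"]},
    {"id": 12, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "ips": ["13.107.64.0/18", "52.112.0.0/14"], "udpPorts": "3478,3479,3480,3481"},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "ips": ["40.92.0.0/15"], "urls": ["*.mail.protection.outlook.com"]},
    {"id": 46, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["*.microsoft.com"]},  # URL-only entry: nothing to exclude by IP
])


def optimize_ranges(feed_json, want_ipv6=False):
    """Networks from entries Microsoft marks category=Optimize (not Allow/Default),
    merged and sorted per address family. URL-only entries carry no 'ips' key."""
    v4, v6 = [], []
    for entry in json.loads(feed_json):
        if entry.get("category") != "Optimize":
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            (v6 if net.version == 6 else v4).append(net)
    nets = list(ipaddress.collapse_addresses(v4))
    if want_ipv6:
        nets += list(ipaddress.collapse_addresses(v6))
    return nets


def mgmt_cli_commands(nets, group="o365_address_ranges", internal="internal_networks"):
    """Management API calls (mgmt_cli) that create one Network object per range,
    the group, and the Group with Exclusions used as the VPN domain.
    Object names and the 'internal_networks' include group are assumptions."""
    cmds, names = [], []
    for net in nets:
        name = f"o365_{net.network_address}_{net.prefixlen}"
        names.append(name)
        fam = "4" if net.version == 4 else "6"
        cmds.append(f'mgmt_cli add network name "{name}" '
                    f'subnet{fam} "{net.network_address}" mask-length{fam} {net.prefixlen}')
    members = " ".join(f'members.{i} "{n}"' for i, n in enumerate(names, 1))
    cmds.append(f'mgmt_cli add group name "{group}" {members}')
    cmds.append(f'mgmt_cli add group-with-exclusion name "enc_domain" '
                f'include "{internal}" except "{group}"')
    return cmds


# Constructed Windows 'netstat -rn' output: 172.16.5.7 is the assumed Office Mode
# address on the Check Point VPN adapter; 192.168.1.10 is the user's LAN adapter.
SAMPLE_NETSTAT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1     192.168.1.10     25
         10.0.0.0        255.0.0.0         On-link       172.16.5.7      1
     13.107.6.152  255.255.255.254         On-link       172.16.5.7      1
      192.168.1.0    255.255.255.0         On-link     192.168.1.10    281
"""


def routes_via_interface(netstat_text, iface_ip):
    """IPv4 destinations whose Interface column is the given adapter address."""
    routes = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[3] != iface_ip:
            continue
        try:
            routes.append(ipaddress.ip_network(f"{f[0]}/{f[1]}", strict=False))
        except ValueError:  # header or separator line
            continue
    return routes


def leaked_ranges(o365_nets, vpn_routes):
    """O365 ranges still covered by a tunnel route. A 0.0.0.0/0 via the VPN adapter
    (the 'Route all traffic to gateway' case) flags every range."""
    return [n for n in o365_nets if n.version == 4
            and any(n.overlaps(r) for r in vpn_routes)]


if __name__ == "__main__":
    nets = optimize_ranges(SAMPLE_FEED)
    print("\n".join(mgmt_cli_commands(nets)))
    leaks = leaked_ranges(nets, routes_via_interface(SAMPLE_NETSTAT, "172.16.5.7"))
    print("still tunnelled:", [str(n) for n in leaks])
```

The emitted mgmt_cli lines still need a session (mgmt_cli login, or --root true on the Management Server) followed by mgmt_cli publish and a policy install, and the enc_domain object must then be selected as the gateway's Remote Access VPN domain as in steps 6 and 7. The routing check parses the Windows netstat -rn layout; on macOS or Linux the column order differs, so adjust the field indexes. Because leaked_ranges uses overlaps, a default route left on the VPN adapter reports every Optimize range, which is exactly the symptom of "Route all traffic to gateway" still being set.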

Additional References

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
