How to configure Split Tunnel for Office 365 and other SaaS Applications
Solution

Background

For the safety of their organizations, and to help stop the spread of COVID-19/Coronavirus, many Check Point customers have moved all non-essential employees to work from home.

The increase in volume of remote workers has resulted in considerable added load on Security Gateways, and customers are requesting guidance from Microsoft and Check Point to alleviate this additional workload while still maintaining an acceptable security posture.

Microsoft made two recommendations to customers using Office 365 applications to optimize the user experience:

  1. Instead of routing remote users' Office 365 traffic over the VPN tunnel, use a split tunnel, or make a forced-tunnel exception for the endpoints Microsoft marks as "Optimize".

  2. Use the relevant IP address ranges provided by Microsoft rather than the O365 FQDNs.

    Note: Configuration of exclusions by URLs is not supported.

This article describes how to implement Microsoft's recommendations with a Check Point VPN client.

While sending these connections directly to the Office 365 services alleviates the load on Check Point Security Gateways, Threat Prevention does not inspect this traffic.

Customers should evaluate if split-tunneling this traffic meets their security needs.

Starting from R81.20, see the Remote Access VPN Administration Guide for the relevant version, section "Dynamic Split Tunneling for SaaS Using Updatable Objects".

Note - To implement this solution on a single Security Gateway, see sk111995.

Configuring Check Point VPN Clients to split tunnel Office 365 traffic

  1. Connect with SmartConsole to the Management Server.

  2. Configure the Global Properties:

    1. Click the Menu button (top left corner) and click Global Properties > Remote Access > Endpoint Connect.

    2. In the field Route all traffic to gateway, select No.

      Note - If this setting is set to Configured on endpoint client, the end user can modify the local VPN client settings so that they conflict with the new configuration.

    3. Click OK.

  3. Create a new object of type "Network Group" for the Office 365 IP addresses:

    New > Network Group.

    For example, give it the name: o365_address_ranges

  4. Create a new object of type "Group with Exclusions" that contains the Network Group object "o365_address_ranges" as the exclusion:

    New > More > Network Object > Group > Group with Exclusions.

    For example, give it the name: enc_domain

  5. Configure the Security Gateway / Cluster object:

    1. Configure the VPN Domain for the Remote Access Community:
      1. From the left tree, click Network Management > VPN Domain.

      2. Click Set domain for Remote Access Community.

      3. Select the RemoteAccess community object.

      4. Click Set.

      5. In the field Specify VPN domain, select the "Group with Exclusions" object enc_domain.

      6. Click OK to close the Set VPN Domain per Remote Access Community window.

      7. Click OK to close the VPN Domain per Remote Access Community window.

    2. Configure the Hub Mode:
      1. From the left tree, click VPN Clients > Remote Access.

      2. In the section Hub Mode configuration, select Allow VPN clients to route traffic through this gateway.

        Important note - The Hub Mode feature is essential for the Split Tunnel functionality. It lets the Security Gateway forward VPN traffic to destinations in other VPN sites, or to other clients currently connected to the same Security Gateway.

    3. Click OK to close the Security Gateway / Cluster object.

  6. Populate the Network Group object o365_address_ranges with the Microsoft Optimized IP addresses from this page.

    Note - Check Point does not provide an updatable object that uses this Microsoft HTML page, because Microsoft can change the address of the page at any time. The preferred way to work with an updatable object is to use an official feed/source (such as a JSON/CSV/XML file).

  7. Optional: Automate Office 365 address updates by importing IP Address objects directly from Microsoft's public feed using the IPaddressFeed2CheckPoint script from the Check Point Community GitHub page. (Special thanks to Nuuul from CheckMates for sharing this script.)

  8. Verify the connectivity.

    1. After your Check Point Remote Access VPN client is connected, run "netstat -rn" from the command prompt and verify that no Office 365 networks are listed.

      This confirms that traffic to those networks goes through the user's own internet connection rather than the VPN tunnel.

    2. You can also run a packet capture on the external interface of your Security Gateway and look for IP addresses that belong to the Office 365 ranges.

      You should not see connection attempts to Office 365, because this traffic goes directly through the user's internet connection.
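As an added example (not part of this article, nor of the IPaddressFeed2CheckPoint script), the following Python selects only the "Optimize" category ranges from a feed shaped like Microsoft's Office 365 endpoints web service JSON, which is what step 6 asks you to load into o365_address_ranges, and then applies the step 8 check by flagging any route in a "netstat -rn" listing that still covers one of those ranges. The feed and the routing-table text are constructed samples embedded inline; the JSON field names ("category", "ips", "urls") are those of Microsoft's published format.

```python
import ipaddress
import json
# Constructed sample shaped like Microsoft's Office 365 endpoints web
# service JSON (endpoints.office.com); the real feed is far longer.
SAMPLE_FEED = json.dumps([
    {"category": "Optimize", "ips": ["13.107.6.152/31", "2603:1006::/40"]},
    {"category": "Allow", "ips": ["40.96.0.0/13"]},
    {"category": "Optimize", "ips": ["13.107.136.0/22", "40.108.128.0/17"]},
    {"category": "Default", "urls": ["*.office.com"]},
])

def optimize_ranges(feed_json, version=4):
    """Sorted 'Optimize' networks of one IP version; Allow/Default and URL-only entries are skipped."""
    nets = set()
    for entry in json.loads(feed_json):
        if entry.get("category") != "Optimize":
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == version:
                nets.add(net)
    return sorted(nets)

# Constructed "netstat -rn" IPv4 output from a Windows client after the VPN
# connects: 10.0.0.0/8 is the encryption domain, the /22 is a leaked route.
SAMPLE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.1   192.168.1.20     25
         10.0.0.0        255.0.0.0        On-link     172.16.5.7      1
     13.107.136.0    255.255.252.0        On-link     172.16.5.7      1
"""

def parse_windows_routes(text):
    """Parse 'destination netmask ...' lines, skipping headers and the default route."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except (IndexError, ValueError):
            continue  # header or blank line
        if net.prefixlen > 0:
            routes.append(net)
    return routes

def leaked_routes(feed_json, route_text):
    """Routes that still cover an Optimize range (Office 365 traffic would enter the tunnel)."""
    optimize = optimize_ranges(feed_json)
    return [str(r) for r in parse_windows_routes(route_text)
            if any(r.overlaps(o) for o in optimize)]
```

An empty result from leaked_routes is the expected state after the configuration above; any route it returns means the Group with Exclusions still covers part of the Optimize range.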


Additional References

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
