News

Microsoft Touts Split Tunneling with VPNs To Support Remote Workers

• By Kurt Mackie
• 03/26/2020

• Related: CISA Outlines VPN Best Practices for Supporting Teleworkers

Microsoft this week advocated for the split tunneling networking approach to support remote workers, rather than send all traffic through a corporate virtual private network (VPN).

Split tunneling lets remote workers access file servers through the corporate VPN while also permitting more direct connections to sites on the Internet. In a Thursday article, the Microsoft security team explained that Microsoft uses split tunneling as part of its own VPN strategy, which is outlined in this March 23 article. That approach, adopted worldwide by Microsoft, was taken "to reduce the workload that the company pushes through its VPN pipes."

Microsoft claimed a success with its VPN strategy. The strategy was tested when much of Microsoft's workforce shifted to working from home this month in response to the novel coronavirus disease pandemic.

Microsoft was able to implement split tunneling more easily for its workforce because of its near-total use of cloud-based services, the March 23 article explained:

Split tunneling became possible because Microsoft is nearly 100 percent in the cloud, which allows its remote workers to access core applications and experiences over the internet via Microsoft Azure and Office 365. Before the company migrated to the cloud, everything would have been routed through VPN.

In addition to using split tunneling, Microsoft rebuilt its VPN so that it can support "over 200,000 concurrent sessions" for its overall 151,000 employees. Its work-from-home switch for employees in response to the pandemic resulted in a VPN use spike from a typical 55,000 connections per day to up to 128,000 connections per day.

Microsoft's use of the split tunneling approach also eased matters when there was a surge in Microsoft Teams use among its employees.

"We've been able to sustain this massive spike in Teams usage without major issues because it's being routed over the internet -- leaving our VPN capacity for just necessary connections between users and our internal resources," Microsoft's March 23 article explained.

VPN Best Practices
Microsoft's best practices for VPNs include:

• Save load on your VPN infrastructure by using split tunnel VPN, send networking traffic directly to the internet for "known good" and well defined SaaS services like Teams and other Office 365 services, or optimally, by sending all non-corporate traffic to the internet if your security rules allow.
• Collect user connection and traffic data in a central location for your VPN infrastructure, use modern visualization services, like Power BI, to identify hot spots before they happen, and plan for growth.
• If possible, use a dynamic and scalable authentication mechanism, like Azure Active Directory, to avoid the trouble of certificates and improve security using multi-factor authentication (MFA) if your VPN client is Active Directory aware, like the Azure OpenVPN client.
• Geographically distribute your VPN sites to match major user populations, use a geo-load balancing solution such as Azure Traffic Manager, to direct users to the closest VPN site and distribute traffic between your VPN sites.

Optimizing Office 365 Traffic
Microsoft also offered advice for optimizing Office 365 traffic for remote workers in a March 6 article by Paul Collinge, a senior program manager on the Microsoft Office 365 product team. Organizations need to identify Office 365 service end points and optimize traffic using split tunneling, he advised.

Collinge dismissed the lack of VPN security protections when connecting directly to Office 365 service end points using a split tunnel approach because "Microsoft has numerous features in place which means your security with the modern approach may well be higher than available previously."

To assure that end users are securely connecting outside the corporate VPN, Collinge recommended enforcing conditional access policies on devices. A conditional access service will check if the domain is trusted and if a known corporate IP address is used, and whether the user is authorized to access a particular application.

Office 365 ProPlus Updates
Microsoft also had advice to share on how to keep remote users of the Office 365 ProPlus productivity suites properly patched and updated. Office 365 ProPlus users should get their updates directly from Microsoft's content delivery network (CDN), Microsoft argued.

Moreover, organizations should use split tunneling for that purpose, according to a Wednesday article by Microsoft's Dave Guenthner.

"Speaking generally, the VPN client needs to support split tunneling or be configured so network traffic destined for Office 365 are directed to internet and are not required to pass through VPN Server," Guenthner wrote. He added that "Office 365 ProPlus is designed by default to update from CDN."

Organizations using System Center Configuration Manager to manage Office 365 ProPlus updates can make a configuration change so that client updates arrive via Microsoft's CDN directly, instead of through Configuration Manager, Guenthner explained.