Many organizations have implemented the work-from-home model for their employees, which has resulted in an increase in load on their VPN infrastructure. Typically, this infrastructure is not designed to handle this volume or type of traffic. Many organizations are using split tunneling or forced tunnel exceptions on Optimize-marked Microsoft 365 endpoints to improve performance and reduce the load on the VPN infrastructure.
Sending high-volume and latency-sensitive traffic directly to Microsoft services not only solves these issues but is also the designed best practice for these endpoints. However, Teams-produced live events and on-demand Stream traffic are not listed within the Optimize category. In this article, we will focus on how to optimize Stream and Live Events traffic over VPN in Microsoft 365.
How to Implement Forced Tunnel Exception for Teams Live Events and Stream?
Follow the steps below to simplify connectivity requirements for Live Events/Stream using VPN.
Resolve external DNS
To resolve host names to IPs, the client needs external, recursive DNS resolution to be available for *.streaming.mediaservices.windows.net, *.azureedge.net, *.media.azure.net, and *.bmc.cdn.office.net. These FQDNs are required in PAC files in combination with the IPs to send the relevant traffic direct. However, it is not recommended to use these URLs to configure VPN offload, as some of the endpoints are shared with other elements outside of Stream/Live Events.
Configure PAC file when required
Organizations use PAC files in VPN scenarios in which clients have to send traffic either direct or through an internal proxy server. This involves the use of FQDNs. However, Stream/Live Events currently use namespaces that include wildcards such as *.azureedge.net, which also cover other elements, so providing full IP listings for them is not possible. Consequently, if the wildcard is used on its own, traffic to the endpoint will be blocked.
When the IPs are used in combination with the FQDNs in a PAC file, both the URL of the Stream/Live Events request and the IP returned from a DNS lookup are checked against the details provided for the service. If either does not match, traffic is routed to the proxy; if both match, it is sent direct. This ensures that anything resolving to an IP outside the scope of both the IP and FQDN lists traverses the proxy through the VPN as intended.
Enabling direct egress by configuring routing on VPN
Finally, adding a direct route for the Stream/Live Event IPs into the VPN configuration ensures that traffic is not sent via the forced tunnel into the VPN. Ensure that only IPs, and not the FQDNs, are used for VPN configuration.
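The FQDN-plus-IP check described in the PAC step above, written out as an added example PAC file (not Microsoft's or Apps4Rent's own code). The IP range, the DNS answers and the proxy name are constructed placeholders, and the browser's shExpMatch, isInNet and dnsResolve helpers are reimplemented locally so the decision logic can be run outside a browser.

```javascript
// Stream/Live Events host patterns, as listed in the article.
const STREAM_HOSTS = [
  "*.streaming.mediaservices.windows.net", "*.azureedge.net",
  "*.media.azure.net", "*.bmc.cdn.office.net",
];
// Placeholder range (documentation space). Use Microsoft's published service IPs here.
const STREAM_RANGES = [["203.0.113.0", "255.255.255.0"]];
const CORP_PROXY = "PROXY proxy.corp.example:8080"; // placeholder proxy

// Constructed DNS table standing in for the browser-supplied dnsResolve().
const DNS_TABLE = {
  "cdn.contoso.azureedge.net": "203.0.113.10", // matching FQDN, IP inside range
  "other.azureedge.net": "198.51.100.7",      // matching FQDN, IP outside range
  "www.example.com": "192.0.2.1",             // unrelated host
};
function dnsResolve(host) { return DNS_TABLE[host] || null; }

// Shell-style wildcard match, like the PAC built-in shExpMatch().
function shExpMatch(str, pattern) {
  const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + pattern.split("*").map(esc).join(".*") + "$").test(str);
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
// Subnet membership, like the PAC built-in isInNet().
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// DIRECT only when the host matches a listed FQDN AND its resolved IP is in a
// listed range; any other host, an unmatched IP or a failed lookup goes via proxy.
function FindProxyForURL(url, host) {
  const hostMatches = STREAM_HOSTS.some((p) => shExpMatch(host, p));
  if (!hostMatches) return CORP_PROXY;
  const ip = dnsResolve(host);
  if (ip === null) return CORP_PROXY;
  const ipMatches = STREAM_RANGES.some(([net, mask]) => isInNet(ip, net, mask));
  return ipMatches ? "DIRECT" : CORP_PROXY;
}
```

The branch for an unresolvable host is deliberate: a wildcard FQDN alone must never be enough to bypass the tunnel, so a failed lookup falls back to the proxy.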
Apps4Rent Can Help with Microsoft 365 Configuration and Customization
A forced tunnel exception for Teams Live Events and Stream sends the latency-sensitive streaming traffic direct, while all other traffic uses the VPN tunnel. While this is a temporary solution, an incorrect configuration could compromise user security. Microsoft is re-architecting the endpoints to simplify connectivity requirements for Live Events and Stream. As a Tier 1 Microsoft CSP, Apps4Rent can help with Microsoft 365 licensing, configuration, and customization of applications and services. Call, chat, or email our senior Microsoft 365 consultants, available 24/7, for assistance.