
Best Practices for Implementing Access to Microsoft 365 with Zscaler

Microsoft published guidelines for work-from-anywhere (WFA) users and a strategy for splitting the most performance-sensitive Microsoft 365 applications, which need optimized connectivity, out of the VPN tunnel. These applications include Microsoft Teams, Exchange Online, and SharePoint Online (Implementing VPN split tunneling for Office 365 - Microsoft 365 Enterprise | Microsoft Docs).

For an optimal user experience, Zscaler recommends split tunneling the Teams IP ranges from Zscaler Client Connector for work-from-anywhere users only. For location traffic, the best practice is to forward it via tunnels configured to Zscaler Public Edge Connectors.

Steps to split specific traffic for WFA users:

In Tunnel with Local Proxy mode, the bypass has to be done in the PAC file, specifically the Forwarding Profile PAC file. Ports do not matter in PAC file exceptions.

Below is a sample of how you can do it in the Forwarding PAC file:

// resolved_ip holds the result of dnsResolve(host) obtained earlier in FindProxyForURL
if (isInNet(resolved_ip, "13.107.64.0", "255.255.192.0") ||
    isInNet(resolved_ip, "52.112.0.0", "255.252.0.0") ||
    isInNet(resolved_ip, "52.120.0.0", "255.252.0.0")) {
    return "DIRECT";
}
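A fuller version of that PAC bypass, as an example added here (not Zscaler's own forwarding PAC): the ranges are kept in the CIDR form Microsoft publishes and converted to the dotted masks isInNet() expects, so the extended ranges listed later in this article can be appended to the array without hand-converting masks. The local proxy address and the DNS entries used for offline testing are assumptions, not values from Zscaler.

```javascript
// PAC for ZCC "Tunnel with Local Proxy" mode. Ranges stay in the CIDR form Microsoft
// publishes; the dotted masks isInNet() needs are derived from the prefix length below.
var TEAMS_RANGES = [
  "13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14",
  "52.238.119.141/32", "52.244.160.207/32"
];
// ASSUMPTION: address of the ZCC local proxy listener; use the value from your forwarding profile.
var ZCC_LOCAL_PROXY = "PROXY 127.0.0.1:9000";

// Stand-ins so the file can also be exercised under Node. A real PAC engine already defines
// these globals; re-declaring them with `var` leaves the engine's versions in place.
var isInNet, dnsResolve;
if (typeof isInNet === "undefined") {
  var CONSTRUCTED_DNS = { "teams.example": "52.112.0.5", "intranet.example": "10.20.30.40" };
  var ipToInt = function (ip) {
    var p = ip.split(".");
    return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0)) >>> 0;
  };
  isInNet = function (ip, net, mask) {
    var m = ipToInt(mask);
    return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
  };
  dnsResolve = function (host) { return CONSTRUCTED_DNS[host] || null; };
}

// "/18" -> "255.255.192.0"; also correct for the /31 and /32 entries in the extended list.
function prefixToMask(len) {
  var bits = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return [(bits >>> 24) & 255, (bits >>> 16) & 255, (bits >>> 8) & 255, bits & 255].join(".");
}

function inAnyRange(ip, ranges) {
  for (var i = 0; i < ranges.length; i++) {
    var parts = ranges[i].split("/");
    if (isInNet(ip, parts[0], prefixToMask(parseInt(parts[1], 10)))) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // One lookup per request; in production gate this with shExpMatch() on the service's
  // hostnames so unrelated traffic does not pay for the resolution.
  var ip = dnsResolve(host);
  if (ip && inAnyRange(ip, TEAMS_RANGES)) {
    return "DIRECT"; // leaves the tunnel; the destination port is irrelevant to the match
  }
  return ZCC_LOCAL_PROXY;
}
```

The syntax is deliberately ES5 (no arrow functions or let/const) because some PAC engines on Windows still run an older JavaScript dialect.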

In Tunnel mode 1.0, the bypass is configured in the ZCC Portal in the respective App Profile under the Hostname or IP Address Bypass for VPN Gateway option. In Tunnel mode, no bypass is needed in the PAC files.

This is how you can do it from the Zscaler ZIA Admin Portal:

  1. Log in to the Zscaler admin portal and go to the Zscaler Client Connector portal: Policy >> Zscaler Client Connector portal

  2. Add Microsoft Teams under Application bypass: App Profile >> Windows >> Add Windows Policy (modify existing profile as needed) >> Hostname or IP Address Bypass for VPN Gateway

    Add the Microsoft Teams ranges listed below to this bypass.

    Note: Here is the list of the dedicated Microsoft 365 IP ranges for Microsoft Teams:

    • 13.107.64.0/18

    • 52.112.0.0/14

    • 52.120.0.0/14

    • 52.238.119.141/32

    • 52.244.160.207/32

    If you choose to bypass more than the Microsoft Teams service, the following IP ranges can be added manually to cover more of the optimized endpoints:

    • 104.146.128.0/17

    • 13.107.128.0/22

    • 13.107.136.0/22

    • 13.107.18.10/31

    • 13.107.6.152/31

    • 131.253.33.215/32

    • 132.245.0.0/16

    • 150.171.32.0/22

    • 150.171.40.0/22

    • 204.79.197.215/32

    • 23.103.160.0/20

    • 40.104.0.0/15

    • 40.108.128.0/17

    • 40.96.0.0/13

    • 52.104.0.0/14

    • 52.96.0.0/14

For Tunnel mode 2.0, you can use the Application Bypass and Destination Exclusions options.

This is how you can do it from the Zscaler ZIA Admin Portal:

  1. Log in to the Zscaler admin portal and go to the Zscaler Client Connector portal: Policy >> Zscaler Client Connector portal

  2. Add Microsoft Teams under Application Bypass: App Profile >> Windows >> Add Windows Policy (modify existing profile as needed) >> Z-Tunnel 2.0 configuration >> Application Bypass >> Selected

    Add Microsoft Teams to the selected applications.

    Note: Zscaler maintains the IP ranges and ports for the Microsoft Teams service. Here is the list of dedicated Microsoft 365 IP ranges and TCP/UDP ports covered by the above bypass selection:

    • 13.107.64.0/18

    • 52.112.0.0/14

    • 52.120.0.0/14

    • 52.238.119.141/32

    • 52.244.160.207/32

    • TCP: 80 and 443

    • UDP: 3478, 3479, 3480 and 3481

    If you choose to bypass more than the Microsoft Teams service, the configuration below can be used to add more optimized endpoint IP ranges and ports manually.

    App Profile >> Windows >> Add Windows Policy (modify existing profile as needed) >> Z-Tunnel 2.0 configuration >> Destination Exclusions, then add the IP ranges


    Note: Here is the list of the additional dedicated Microsoft 365 IP ranges and TCP/UDP ports:

    • 104.146.128.0/17

    • 13.107.128.0/22

    • 13.107.136.0/22

    • 13.107.18.10/31

    • 13.107.6.152/31

    • 131.253.33.215/32

    • 132.245.0.0/16

    • 150.171.32.0/22

    • 150.171.40.0/22

    • 204.79.197.215/32

    • 23.103.160.0/20

    • 40.104.0.0/15

    • 40.108.128.0/17

    • 40.96.0.0/13

    • 52.104.0.0/14

    • 52.96.0.0/14

    • TCP: 80, 143, 443, 587, 993 and 995

    Please note that if you choose to bypass the Microsoft service manually, you should also plan to maintain the related exclusion lists regularly (Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Docs).