O365 - Teams routing

office365
(Tomas) #1

Hey there,

Within my client's network, we use MPLS with local Internet breakout.
We use Z-Application on each client's laptop.
Within the Zscaler cloud, we used the Microsoft-recommended One Click.
I have traced the traffic and noticed the following traffic pattern for MS Teams calls:

  • Within my company, we are creating P2P MS Teams calls, so we are not utilizing Zscaler tunnels via the Internet (which is OK).
  • When I'm calling outside, to a road warrior, we are routed to relay.teams.microsoft servers …
  • Unfortunately, we are again routed to MPLS and then to our central DC for Internet breakout …
    • I would assume that Zen App would catch this traffic and send it to Zscaler …
    • Zen App is in Tunnel with Proxy mode …
    • The default route is towards MPLS … so from a routing perspective it is clear that we are routing towards MPLS …

Is there anything we can do with the Zscaler settings so that ZenApp would identify this MS Teams flow towards the Teams relay and route it towards the ZEN nodes?

Thank you !

Tomas

(Lmay) #2

What are you trying to achieve? All internet traffic to go through Zscaler? Or only o365?

If I understand you correctly, your default route is to MPLS, thus any traffic ZApp would route to Zscaler will end up going to MPLS. Is that not the case?

Generally, you should route traffic destined for Zscaler to go “direct”. In that case, the ZApp PAC would be your control for what goes to Zscaler and what stays within your MPLS.

You could also explicitly route only your internal networks to go via MPLS.

Hope this helps :slight_smile:

(Tomas) #3

Hello Lmay,

OK, so I'm controlling what goes to Zscaler via the PAC file.

I'm not matching any Microsoft URLs within the PAC file and marking them to go DIRECT (DIRECT in this case means following the default route to MPLS).

So I would assume that if the Teams.exe application is calling a relay.microsoft.com URL, then it will be sent (thanks to the PAC file) to the Zscaler App and then to the Zscaler tunnels.

The question now is: what should I do if I want to route O365 to Zscaler fully?

I thought that ZenApp in Tunnel with Proxy mode would do the trick.

If I have the proxy with default settings to send everything to Zscaler, then I would have to modify the proxy to go DIRECT (default route) to MPLS.

Thank you for any advice!

Tomas

On Fri 7 Jun 2019 at 10:14, Lmay via Zenith zscaler@discoursemail.com wrote:

(Lmay) #4

Okay, I've seen issues with Teams and PAC file forwarding due to the (UDP) nature of the traffic, unlike with the proxy setting, which should work… this could be the case here as well…

You can try working with tunnel mode in ZApp, which will forward traffic fully (as per the PAC), without any dependency on browser/system proxy settings.

(Tomas) #5

I think that Tunnel mode somehow interferes with other tunnels. Our users are using remote access VPNs.

Wouldn't Zscaler Tunnel mode impact the creation of an additional SSL VPN from a remote user to our corporate network?

Actually, if we had the default route pointing inside the Zscaler Tunnel, we would not have these issues?

Simply, all traffic would be pushed inside the Zscaler cloud?

Tomas

(Lmay) #6

That is correct, and VPN gateways should be bypassed from the app profile page.

Once you get this issue sorted, ZPA should be your next challenge :slight_smile:
You would then pass all traffic, including internal apps, to Zscaler. Save money on MPLS, increase security (zero-trust), and simplify your network by removing VPN gateways.

(Tomas) #7

OK, so if we had Tunnel mode, I would be able to simply send all traffic to ZenApp. If I do not want to send traffic to specific destinations (local subnets, SSL VPN destination IP address), I can configure this within the Zscaler profile page?

Thank you

Tomas

(Lmay) #8

Regardless of the VPN gateway bypass mentioned before, to modify the app’s traffic forwarding behavior in tunnel mode, you can add a custom PAC file in your app profile so that the app forwards traffic according to its instructions.

You should test this in a pilot group first, as forwarding all web traffic (and not just system-proxy-dependent apps) could require some fine-tuning.

https://help.zscaler.com/zia/configuring-forwarding-profiles-zscaler-app

You can also check out David Creedy’s presentation for a complete overview of ZApp to fully understand it:

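The split that Lmay describes in #2 and #8 (send everything to Zscaler, keep only internal networks and the VPN gateway on the default route, and do not carve Microsoft out) can be written down as a custom PAC file. The following is an added example, not code from the thread and not Zscaler's default PAC. The subnets, the `.corp.example` suffix and the `vpn.example.com` / `203.0.113.10` gateway are placeholders; the `${GATEWAY}` / `${SECONDARY_GATEWAY}` macros are assumed to be the ones Zscaler substitutes in its hosted PAC. PAC engines (browsers, ZApp) provide `isInNet`, `dnsDomainIs`, `shExpMatch` and `isPlainHostName` natively; they are reimplemented here with the standard semantics so the file also runs under Node for testing, and `dnsResolve` is only called when the engine supplies it.

```javascript
// Added example PAC for the Zscaler/MPLS split discussed above (not the thread's
// own code). Everything is proxied to Zscaler except internal subnets, the
// corporate DNS suffix and the remote-access VPN gateway, which stay on the
// default route (MPLS). Microsoft 365 / Teams is intentionally NOT sent DIRECT.
//
// Assumption: Zscaler's hosted PAC uses these macros and replaces them with the
// nearest ZEN nodes when the file is served.
var TO_ZSCALER = "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
var GO_DIRECT = "DIRECT";

// Assumed internal (MPLS-reachable) ranges: [network, mask]
var INTERNAL_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];
// Hypothetical remote-access SSL VPN gateways (name or literal IP) that must be
// reached over the default route, never through the Zscaler proxy.
var VPN_GATEWAYS = ["vpn.example.com", "203.0.113.10"];
// Hypothetical internal DNS suffix
var INTERNAL_SUFFIX = ".corp.example";

// --- PAC helpers with the standard semantics, so this runs outside a PAC engine.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;            // 0 .. 2^32-1 as a plain Number, null if not a dotted quad
}
function isInNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  // ">>> 0" turns the int32 result of "&" back into an unsigned value
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // shell-style glob: escape regex metacharacters, then map * -> .* and ? -> .
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();

  // 1. Single-label names and the corporate suffix are internal: default route.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) return GO_DIRECT;

  // 2. The VPN gateway itself must bypass the proxy, otherwise the SSL VPN
  //    client would try to build its tunnel through Zscaler.
  for (var i = 0; i < VPN_GATEWAYS.length; i++) {
    if (shExpMatch(host, VPN_GATEWAYS[i])) return GO_DIRECT;
  }

  // 3. Internal address space. Literal IP hosts are checked directly; names are
  //    resolved only when the PAC engine provides dnsResolve() (Node does not).
  var ip = ipToInt(host) !== null ? host
         : (typeof dnsResolve === "function" ? dnsResolve(host) : null);
  if (ip) {
    for (var j = 0; j < INTERNAL_NETS.length; j++) {
      if (isInNet(ip, INTERNAL_NETS[j][0], INTERNAL_NETS[j][1])) return GO_DIRECT;
    }
  }

  // 4. Everything else, including the Teams relay and the rest of Microsoft 365,
  //    goes to Zscaler. There is deliberately no Microsoft bypass rule here.
  return TO_ZSCALER;
}
```

Two caveats from the thread apply to this file. The PAC only steers flows the engine proxies; as Lmay notes in #4, Teams media over UDP does not follow it, which is why the discussion moves to tunnel mode, where the app forwards traffic according to the PAC instead of relying on the system proxy setting. And the VPN gateway bypass is still needed in tunnel mode, via the app profile as in #6, in addition to the DIRECT rule above.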