From 14cf38326b4766666fbc8737b898e1bc3d99361d Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 14:12:22 -0700 Subject: [PATCH] Update vpn-office-365-optimization.md Updates per feedback --- .../vpn/vpn-office-365-optimization.md | 133 +++++++++++++++++- 1 file changed, 127 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index cc51ad08ac..e5f40a37e2 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: kelleyvice-msft ms.localizationpriority: medium -ms.date: 04/06/2020 +ms.date: 04/07/2020 ms.reviewer: manager: dansimp ms.author: jajo 
@@ -28,13 +28,13 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). -To enable the use of force tunnelling in Windows 10 VPN, the setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the section: +To enable the use of force tunnelling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: ```xml ForceTunnel ``` -In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the section as follows: +In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the `` section as follows: ```xml 
@@ -44,7 +44,7 @@ In order to define specific force tunnel exclusions, you then need to add the fo ``` -Entries defined by the **[IP Addresses or Subnet]** and **[IP Prefix]** references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate section for each required exclusion. +Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate `` section for each required exclusion. An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below: @@ -445,7 +445,7 @@ You should also be able to adapt this approach to include necessary exclusions f ## Examples -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the inittial PowerShell script: +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script: ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. 
@@ -667,5 +667,126 @@ Write-Host "$Message" An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file: ```xml -_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ + + true + corp.contoso.com + true + corp.contoso.com + + edge1.contoso.com + ForceTunnel + IKEv2 + + Certificate + + + +
13.107.6.152
+ 31 + true +
+ +
13.107.18.10
+ 31 + true +
+ +
13.107.128.0
+ 22 + true +
+ +
23.103.160.0
+ 20 + true +
+ +
40.96.0.0
+ 13 + true +
+ +
40.104.0.0
+ 15 + true +
+ +
52.96.0.0
+ 14 + true +
+ +
131.253.33.215
+ 32 + true +
+ +
132.245.0.0
+ 16 + true +
+ +
150.171.32.0
+ 22 + true +
+ +
191.234.140.0
+ 22 + true +
+ +
204.79.197.215
+ 32 + true +
+ +
13.107.136.0
+ 22 + true +
+ +
40.108.128.0
+ 17 + true +
+ +
52.104.0.0
+ 14 + true +
+ +
104.146.128.0
+ 17 + true +
+ +
150.171.40.0
+ 22 + true +
+ +
13.107.60.1
+ 32 + true +
+ +
13.107.64.0
+ 18 + true +
+ +
52.112.0.0
+ 14 + true +
+ +
52.120.0.0
+ 14 + true +
+ + http://webproxy.corp.contsoso.com/proxy.pac + +
```
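Review bot: The proxy auto-config URL at the end of the added XML in the last hunk, `http://webproxy.corp.contsoso.com/proxy.pac`, spells the domain "contsoso", while every other host in the same profile uses contoso.com (`corp.contoso.com`, `edge1.contoso.com`); the misspelling is carried over unchanged from the removed single-line version. This is presented as an Intune-ready sample that readers copy into a profile, and the PAC URL decides where client web traffic is proxied, so a host name under an unintended domain should not ship in it. Please correct it to `http://webproxy.corp.contoso.com/proxy.pac` as part of this reformatting. The exclusion addresses in the same block are hard-coded, and each one is routed outside the tunnel, so a sentence beside the sample stating the date the list was taken would tell readers when to re-check it.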