From df708e9238eb2d996faddcb38a79d53d015188e0 Mon Sep 17 00:00:00 2001 From: "Jason Jones (MSFT)" Date: Tue, 7 Apr 2020 01:07:54 +0100 Subject: [PATCH 1/8] Update vpn-office-365-optimization.md --- .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index a8f7c610b6..4d5d2a8164 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -437,7 +437,7 @@ This solution is supported with the following versions of Windows: - Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported - Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported -Microsoft strongly recommends that the latest Windows 10 cumulative update always be applied. +Microsoft strongly recommends that the latest available Windows 10 cumulative update always be applied. ## Other Considerations @@ -445,7 +445,7 @@ You should also be able to adapt this approach to include necessary exclusions f ## Examples -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below: +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the inittial PowerShell script: ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. From 14cf38326b4766666fbc8737b898e1bc3d99361d Mon Sep 17 00:00:00 2001 
From: kelleyvice-msft Date: Tue, 7 Apr 2020 14:12:22 -0700 Subject: [PATCH 2/8] Update vpn-office-365-optimization.md Updates per feedback --- .../vpn/vpn-office-365-optimization.md | 133 +++++++++++++++++- 1 file changed, 127 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index cc51ad08ac..e5f40a37e2 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: kelleyvice-msft ms.localizationpriority: medium -ms.date: 04/06/2020 +ms.date: 04/07/2020 ms.reviewer: manager: dansimp ms.author: jajo 
@@ -28,13 +28,13 @@ The solution is based upon the use of a VPN Configuration Service Provider Refer Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). -To enable the use of force tunnelling in Windows 10 VPN, the setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the section: +To enable the use of force tunnelling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: ```xml ForceTunnel ``` -In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the section as follows: +In order to define specific force tunnel exclusions, you then need to add the following lines to your existing Profile XML (or script) for each required exclusion, and place them outside of the `` section as follows: ```xml 
@@ -44,7 +44,7 @@ In order to define specific force tunnel exclusions, you then need to add the fo ``` -Entries defined by the **[IP Addresses or Subnet]** and **[IP Prefix]** references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate section for each required exclusion. +Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate `` section for each required exclusion. An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below: @@ -445,7 +445,7 @@ You should also be able to adapt this approach to include necessary exclusions f ## Examples -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the inittial PowerShell script: +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script: ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. 
@@ -667,5 +667,126 @@ Write-Host "$Message" An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file: ```xml -_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ + + true + corp.contoso.com + true + corp.contoso.com + + edge1.contoso.com + ForceTunnel + IKEv2 + + Certificate + + + +
13.107.6.152
+ 31 + true +
+ +
13.107.18.10
+ 31 + true +
+ +
13.107.128.0
+ 22 + true +
+ +
23.103.160.0
+ 20 + true +
+ +
40.96.0.0
+ 13 + true +
+ +
40.104.0.0
+ 15 + true +
+ +
52.96.0.0
+ 14 + true +
+ +
131.253.33.215
+ 32 + true +
+ +
132.245.0.0
+ 16 + true +
+ +
150.171.32.0
+ 22 + true +
+ +
191.234.140.0
+ 22 + true +
+ +
204.79.197.215
+ 32 + true +
+ +
13.107.136.0
+ 22 + true +
+ +
40.108.128.0
+ 17 + true +
+ +
52.104.0.0
+ 14 + true +
+ +
104.146.128.0
+ 17 + true +
+ +
150.171.40.0
+ 22 + true +
+ +
13.107.60.1
+ 32 + true +
+ +
13.107.64.0
+ 18 + true +
+ +
52.112.0.0
+ 14 + true +
+ +
52.120.0.0
+ 14 + true +
+ + http://webproxy.corp.contsoso.com/proxy.pac + +
``` From 0aefce7eb4ccc882a25bfe74b7c1ff2ec2f195d5 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 14:19:46 -0700 Subject: [PATCH 3/8] Update vpn-office-365-optimization.md reverted xml for Intune formatting, added note --- .../vpn/vpn-office-365-optimization.md | 128 +----------------- 1 file changed, 5 insertions(+), 123 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index e5f40a37e2..381f6eb333 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -664,129 +664,11 @@ Write-Host "$Message" ``` -An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file: +An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file. + +>[!NOTE] +>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. ```xml - - true - corp.contoso.com - true - corp.contoso.com - - edge1.contoso.com - ForceTunnel - IKEv2 - - Certificate - - - -
13.107.6.152
- 31 - true -
- -
13.107.18.10
- 31 - true -
- -
13.107.128.0
- 22 - true -
- -
23.103.160.0
- 20 - true -
- -
40.96.0.0
- 13 - true -
- -
40.104.0.0
- 15 - true -
- -
52.96.0.0
- 14 - true -
- -
131.253.33.215
- 32 - true -
- -
132.245.0.0
- 16 - true -
- -
150.171.32.0
- 22 - true -
- -
191.234.140.0
- 22 - true -
- -
204.79.197.215
- 32 - true -
- -
13.107.136.0
- 22 - true -
- -
40.108.128.0
- 17 - true -
- -
52.104.0.0
- 14 - true -
- -
104.146.128.0
- 17 - true -
- -
150.171.40.0
- 22 - true -
- -
13.107.60.1
- 32 - true -
- -
13.107.64.0
- 18 - true -
- -
52.112.0.0
- 14 - true -
- -
52.120.0.0
- 14 - true -
- - http://webproxy.corp.contsoso.com/proxy.pac - -
+_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ ``` From e1d67beba3519bbd6953214fe8adfcb2b3c4a3df Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 15:22:39 -0700 Subject: [PATCH 4/8] Update vpn-office-365-optimization.md minor edits --- .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 381f6eb333..e7df3d7fa3 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -26,7 +26,7 @@ This can be achieved for the native/built-in Windows 10 VPN client using a _Forc The solution is based upon the use of a VPN Configuration Service Provider Reference profile ([VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp)) and the embedded [ProfileXML](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-profile-xsd). These are used to configure the VPN profile on the device. Various provisioning approaches can be used to create and deploy the VPN profile as discussed in the article [Step 6. Configure Windows 10 client Always On VPN connections](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files). -Typically, these VPN profiles are distributed using a Mobile Device Manager solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). +Typically, these VPN profiles are distributed using a Mobile Device Management solution like Intune, as described in [VPN profile options](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) and [Configure the VPN client by using Intune](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#configure-the-vpn-client-by-using-intune). To enable the use of force tunnelling in Windows 10 VPN, the `` setting is typically configured with a value of _ForceTunnel_ in your existing Profile XML (or script) by way of the following entry, under the `` section: 
@@ -664,7 +664,7 @@ Write-Host "$Message" ``` -An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file. +An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/security/identity-protection/vpn/vpn-profile-options#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file. >[!NOTE] >This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. From ec9edd52819855361595ed880a8bd559baf4970b Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 16:00:58 -0700 Subject: [PATCH 5/8] Update vpn-office-365-optimization.md --- .../identity-protection/vpn/vpn-office-365-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index e7df3d7fa3..0cf4f9d635 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md 
@@ -73,9 +73,9 @@ An example of a correctly formatted Profile XML configuration for force tunnel w For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges?redirectSourcePath=%252fen-us%252farticle%252fOffice-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) to ensure that they are excluded from VPN force tunnelling. -This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the addresses ranges are always used. +This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the documentation in [Create the ProfileXML configuration files](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial script. +An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below. ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. 
From a6b741c73680a79bd4d35cd173d96e1bdf615231 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 16:03:27 -0700 Subject: [PATCH 6/8] Update vpn-office-365-optimization.md --- .../identity-protection/vpn/vpn-office-365-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 0cf4f9d635..9f6582bbc0 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -670,5 +670,5 @@ An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/secu >This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace. ```xml -_truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
_ +truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate
13.107.6.152
31true
13.107.18.10
31true
13.107.128.0
22true
23.103.160.0
20true
40.96.0.0
13true
40.104.0.0
15true
52.96.0.0
14true
131.253.33.215
32true
132.245.0.0
16true
150.171.32.0
22true
191.234.140.0
22true
204.79.197.215
32true
13.107.136.0
22true
40.108.128.0
17true
52.104.0.0
14true
104.146.128.0
17true
150.171.40.0
22true
13.107.60.1
32true
13.107.64.0
18true
52.112.0.0
14true
52.120.0.0
14true
http://webproxy.corp.contsoso.com/proxy.pac
``` From 425de973c4246142b1cb3dfdccd5e268d8bc2072 Mon Sep 17 00:00:00 2001 From: kelleyvice-msft Date: Tue, 7 Apr 2020 16:07:28 -0700 Subject: [PATCH 7/8] Update vpn-office-365-optimization.md --- .../identity-protection/vpn/vpn-office-365-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 9f6582bbc0..537a6d097d 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -75,7 +75,7 @@ For Office 365, it is therefore necessary to add exclusions for all IP addresses This can be achieved manually by adding the IP addresses defined within the **optimize** category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used. -An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below. +An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365 exclusions is provided below. ```powershell # Copyright (c) Microsoft Corporation. All rights reserved. From e389b8a9faee558354dd082d1c52ae356741f928 Mon Sep 17 00:00:00 2001 From: Kelley Vice Date: Tue, 7 Apr 2020 16:37:57 -0700 Subject: [PATCH 8/8] Update TOC.md --- windows/security/identity-protection/TOC.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md index 8dc6b27a55..7f7f58c2b8 100644 --- a/windows/security/identity-protection/TOC.md 
+++ b/windows/security/identity-protection/TOC.md @@ -71,4 +71,5 @@ ### [VPN security features](vpn\vpn-security-features.md) ### [VPN profile options](vpn\vpn-profile-options.md) ### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md) -### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) \ No newline at end of file +### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) +### [Optimizing Office 365 traffic with the Windows 10 VPN client](vpn\vpn-office-365-optimization.md)
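Review bot: In patch 1/8, hunk @@ -445, the added sentence misspells "initial" as "inittial" ("to create the inittial PowerShell script"); this is corrected in patch 2/8, so it would be cleaner to fold the fix into this commit rather than ship a typo and a follow-up.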
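Review bot: In patch 2/8, hunk @@ -28, the inline code spans added around the setting and section names render as empty backticks here ("the `` setting is typically configured", "under the `` section", and again in hunk @@ -44 "a unique and separate `` section"); confirm the ProfileXML element names actually survive inside the backticks in the rendered page, since an empty code span leaves the reader without the name the sentence depends on.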
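Review bot: In patch 2/8, hunk @@ -667, the pretty-printed replacement for the Intune XML conflicts with the requirement stated two patches later that Intune-ready ProfileXML cannot contain carriage returns or whitespace, so this hunk should not be merged in this form (patch 3/8 reverts it). Two smaller points carry over from the old block into the new one: the proxy PAC URL reads "http://webproxy.corp.contsoso.com/proxy.pac" while every other host in the profile is under corp.contoso.com, so "contsoso" looks like a typo; and the PAC is fetched over plain http, which is a weak example for a page about tunnelling policy because an on-path party could substitute proxy settings, so an https PAC URL would be the safer sample value.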
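Review bot: In patch 3/8, hunk @@ -664, the re-added minified XML keeps a stray "_" immediately before the first element ("+_true...") and another after the last one ("_ ```"), which would make the block invalid XML if pasted into Intune as-is; the added NOTE about no carriage returns or whitespace is the right guidance, but the underscores should be dropped in the same change (they are only removed in patch 6/8). The "contsoso" PAC hostname is also carried over unchanged.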
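Review bot: In patch 4/8, hunk @@ -664, the removed and added "An example of an [Intune-ready XML file]..." lines are character-for-character identical as rendered, so the change is most likely trailing whitespace only; if that is intended it is worth saying so in the commit message ("minor edits" does not explain it), and if not, the hunk can be dropped from the patch.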
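Review bot: In patch 5/8, hunk @@ -73, the paragraph now describes a script that "dynamically adds the required entries to an existing PowerShell script, or XML file", but the sentence that follows still says the example script can be used to "create" a force tunnel connection; "update" would match the paragraph above it (patch 7/8 makes exactly this wording change, so the two could be squashed).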
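Review bot: In patch 6/8, hunk @@ -670, removing the leading and trailing "_" from the minified XML is the right fix and the block now starts and ends on the ProfileXML content; the only remaining defect in the sample is the proxy PAC hostname "webproxy.corp.contsoso.com", which still does not match the corp.contoso.com domain used elsewhere in the same profile.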