Optimize Office 365 connectivity for remote users using VPN split tunneling

For customers who connect their remote worker devices to the corporate network or cloud infrastructure over VPN, Microsoft recommends that the key Office 365 scenarios Microsoft Teams, SharePoint Online and Exchange Online are routed over a VPN split tunnel configuration. This becomes especially important as the first-line strategy to facilitate continued employee productivity during large-scale work-from-home events such as the COVID-19 crisis.

Split tunnel VPN configuration

Figure 1: A VPN split tunnel solution with defined Office 365 exceptions sent directly to the service. All other traffic traverses the VPN tunnel regardless of destination.

The essence of this approach is to provide a simple method for enterprises to mitigate the risk of VPN infrastructure saturation and dramatically improve Office 365 performance in the shortest timeframe possible. Configuring VPN clients to allow the most critical, high-volume Office 365 traffic to bypass the VPN tunnel achieves the following benefits:

  • Immediately mitigates the root cause of a majority of customer-reported performance and network capacity issues in enterprise VPN architectures impacting the Office 365 user experience

    The recommended solution specifically targets Office 365 service endpoints categorized as Optimize in the topic Office 365 URLs and IP address ranges. Traffic to these endpoints is highly sensitive to latency and bandwidth throttling, and enabling it to bypass the VPN tunnel can dramatically improve the end user experience as well as reduce the corporate network load. Office 365 connections that do not constitute the majority of the bandwidth or user experience footprint can continue to be routed through the VPN tunnel along with the rest of the Internet-bound traffic. For more information, see The VPN split tunnel strategy.

  • Can be configured, tested and implemented rapidly by customers, with no additional infrastructure or application requirements

    Depending on the VPN platform and network architecture, implementation can take as little as a few hours. For more information, see Implement VPN split tunneling.

  • Preserves the security posture of customer VPN implementations by not changing how other connections are routed, including traffic to the Internet

    The recommended configuration follows the least privilege principle for VPN traffic exceptions and allows customers to implement split tunnel VPN without exposing users or infrastructure to additional security risks. Network traffic routed directly to Office 365 endpoints is encrypted, validated for integrity by the Office client application stacks, and scoped to IP addresses dedicated to Office 365 services, which are hardened at both the application and network level. For more information, see Alternative ways for security professionals and IT to achieve modern security controls in today's unique remote work scenarios (Microsoft Security Team blog).

  • Is natively supported by most enterprise VPN platforms

    Microsoft continues to collaborate with industry partners producing commercial VPN solutions to help partners develop targeted guidance and configuration templates for their solutions in alignment with the above recommendations. For more information, see HOWTO guides for common VPN platforms.

Tip

Microsoft recommends focusing split tunnel VPN configuration on the documented dedicated IP ranges for Office 365 services. FQDN- or AppID-based split tunnel configurations, while possible on certain VPN client platforms, may not fully cover key Office 365 scenarios and may conflict with IP-based VPN routing rules. For this reason, Microsoft does not recommend using Office 365 FQDNs to configure split tunnel VPN. FQDN configuration may still be useful in other related scenarios, such as .pac file customizations or implementing proxy bypass.

For full implementation guidance, see Implementing VPN split tunneling for Office 365.

The VPN split tunnel strategy

Traditional corporate networks are often designed to work securely for a pre-cloud world where the most important data, services and applications are hosted on premises and are directly connected to the internal corporate network, as are the majority of users. Thus the network infrastructure is built around these elements: branch offices are connected to the head office via Multiprotocol Label Switching (MPLS) networks, and remote users must connect to the corporate network over a VPN to access both on-premises endpoints and the Internet. In this model, all traffic from remote users traverses the corporate network and is routed to the cloud service through a common egress point.

Forced VPN configuration

Figure 2: A common VPN solution for remote users where all traffic is forced back into the corporate network regardless of destination

As organizations move data and applications to the cloud, this model has become less effective: it quickly becomes cumbersome, expensive and unscalable, significantly impacting network performance and user efficiency, and restricting the ability of the organization to adapt to changing needs. Numerous Microsoft customers have reported that a few years ago 80% of network traffic was to an internal destination, but in 2020 over 80% of traffic connects to an external cloud-based resource.

The COVID-19 crisis has aggravated this problem to the point of requiring immediate solutions for the vast majority of organizations. Many customers have found that the forced VPN model is not scalable or performant enough for 100% remote work scenarios such as the one this crisis has necessitated. Rapid solutions are required for these organizations to continue to operate efficiently.

For the Office 365 service, Microsoft has designed the connectivity requirements for the service with this problem squarely in mind: a focused, tightly controlled and relatively static set of service endpoints can be optimized very simply and quickly, delivering high performance for users accessing the service and reducing the burden on the VPN infrastructure so it can be used by the traffic that still requires it.

Office 365 categorizes the required endpoints for Office 365 into three categories: Optimize, Allow, and Default. Optimize endpoints are our focus here and have the following characteristics:

  • Are Microsoft-owned and managed endpoints, hosted on Microsoft infrastructure
  • Are dedicated to core Office 365 workloads such as Exchange Online, SharePoint Online, Skype for Business Online, and Microsoft Teams
  • Have IPs provided
  • Have a low rate of change and are expected to remain small in number (currently 20 IP subnets)
  • Are high volume and/or latency sensitive
  • Are able to have the required security elements provided in the service rather than inline on the network
  • Account for around 70-80% of the volume of traffic to the Office 365 service

This tightly scoped set of endpoints can be split out of the forced VPN tunnel and sent securely and directly to the Office 365 service via the user's local interface. This is known as split tunneling.
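The selection logic this article and the Tip above describe (split out only Optimize-category endpoints, and only by IP subnet, never by FQDN), as an added example that is not part of the original article or of any Microsoft tool. It assumes endpoint data in the JSON shape of the Office 365 IP Address and URL web service (category, ips and urls fields); the entries and addresses below are constructed from documentation ranges, not the real published subnets.

```python
import ipaddress
import json

# Constructed sample in the shape of the endpoint web service output.
# Addresses are RFC 5737 / RFC 3849 documentation ranges, not real Office 365 subnets.
SAMPLE_ENDPOINTS = json.loads("""[
 {"id": 1,   "serviceArea": "Exchange",   "category": "Optimize", "required": true,
  "urls": ["outlook.office365.com"], "ips": ["192.0.2.0/24", "2001:db8:10::/48"],
  "tcpPorts": "80,443"},
 {"id": 11,  "serviceArea": "Skype",      "category": "Optimize", "required": true,
  "ips": ["198.51.100.0/24"], "udpPorts": "3478,3479,3480,3481"},
 {"id": 31,  "serviceArea": "SharePoint", "category": "Optimize", "required": true,
  "urls": ["*.sharepoint.com"], "ips": ["203.0.113.0/25"], "tcpPorts": "80,443"},
 {"id": 56,  "serviceArea": "Common",     "category": "Allow",    "required": true,
  "urls": ["*.auth.microsoft.com"], "ips": ["203.0.113.128/25"], "tcpPorts": "443"},
 {"id": 100, "serviceArea": "Common",     "category": "Default",  "required": false,
  "urls": ["*.microsoft.com"], "tcpPorts": "80,443"}
]""")


def optimize_subnets(endpoints):
    """Return the collapsed, de-duplicated IP networks of Optimize-category endpoints.

    Allow and Default entries stay in the tunnel, and 'urls' (FQDNs) are ignored on
    purpose: split tunnel exceptions are defined by IP range only, as the Tip advises.
    """
    nets = set()
    for ep in endpoints:
        if ep.get("category") != "Optimize":
            continue
        for cidr in ep.get("ips", []):
            # strict=True rejects malformed prefixes such as 192.0.2.1/24 instead of
            # silently widening them into a broader exception.
            nets.add(ipaddress.ip_network(cidr, strict=True))
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sorted(v4) + sorted(v6)


def bypasses_vpn(destination, subnets):
    """True if a destination IP should go direct (matches an Optimize subnet),
    False if it must stay inside the VPN tunnel like all other traffic."""
    addr = ipaddress.ip_address(destination)
    return any(addr.version == net.version and addr in net for net in subnets)


if __name__ == "__main__":
    routes = optimize_subnets(SAMPLE_ENDPOINTS)
    print("VPN exclusion list:", [str(n) for n in routes])
    for dest in ("192.0.2.10", "203.0.113.200", "2001:db8:10::25"):
        print(dest, "-> direct" if bypasses_vpn(dest, routes) else "-> VPN tunnel")
```

The resulting list is what a VPN client's route-exclusion or "exclude from tunnel" setting would be populated with; everything else, including the Allow-category subnet, keeps its existing tunnel routing.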

Security elements such as DLP, AV protection, authentication and access control can all be delivered much more efficiently against these endpoints at different layers within the service. As we also divert the bulk of the traffic volume away from the VPN solution, this frees up VPN capacity for the business-critical traffic that still relies on it. In many cases it should also remove the need to go through a lengthy and costly upgrade program to deal with this new way of operating.

Split tunnel VPN configuration

Figure 3: A VPN split tunnel solution with defined Office 365 exceptions sent direct to the service. All other traffic is forced back into the corporate network regardless of destination.

From a security perspective, Microsoft has an array of security features that can be used to provide similar, or even enhanced, security compared to that delivered by inline inspection by on-premises security stacks. The Microsoft Security team's blog post Alternative ways for security professionals and IT to achieve modern security controls in today's unique remote work scenarios has a clear summary of the features available, and you'll find more detailed guidance within this article. You can also read about Microsoft's own implementation of VPN split tunneling at Running on VPN: How Microsoft is keeping its remote workforce connected.

In many cases, this implementation can be achieved in a matter of hours, allowing rapid resolution of one of the most pressing problems facing organizations as they rapidly shift to full-scale remote working. For VPN split tunnel implementation guidance, see Implementing VPN split tunneling for Office 365.

Note

Microsoft has committed to suspending changes to Optimize endpoints for Office 365 until at least June 30, 2020, allowing customers to focus on other challenges rather than maintaining the endpoint whitelist once it is initially implemented.

Implementing VPN split tunneling for Office 365

Office 365 performance optimization for China users

Alternative ways for security professionals and IT to achieve modern security controls in today's unique remote work scenarios (Microsoft Security Team blog)

Enhancing VPN performance at Microsoft: using Windows 10 VPN profiles to allow auto-on connections

Running on VPN: How Microsoft is keeping its remote workforce connected

Office 365 Network Connectivity Principles

Assessing Office 365 network connectivity

Microsoft 365 connectivity test