SCCM 2107 : Configuring VPN Split tunneling to route traffic to Microsoft Updates services

Question

We have configured split tunneling on the VPN to connect to the internet without going through the corporate network, so we have whitelisted the required URLs in our PAC file, and it worked for more than a year. But in the last two months we have seen a huge amount of traffic hit our VPN tunnel, and while investigating we found that new URLs had appeared.

So, my question is: is there a defined or standard list of URLs (both for software updates and M365) that can be whitelisted, or does it change every time? I have been told this will keep changing every month; if so, that is more difficult to manage.

Following are the URLs that we have whitelisted; please verify and let us know if any more are missing. Also, would we need a sub-portion of these for a wildcard match? E.g. akamai.odsp.cdn.office.net, odsp.cdn.office.net, cdn.office.net, etc.? This would be a great help. Thank you.

/* ----- Microsoft CDN ----- */
function FindProxyForURL(url, host) {
    // dnsDomainIs() is a suffix match on the host name, so each entry also
    // covers every subdomain of it. The trailing spaces inside some of the
    // original entries ("footprint.net ", "officecdn.microsoft.com ",
    // "config.office.com ") stopped those entries from ever matching and are
    // removed here; the entries that were listed twice are listed once.
    if (dnsDomainIs(host, "officecdn.microsoft.com") ||
        dnsDomainIs(host, "download.windowsupdate.com") ||
        dnsDomainIs(host, "emdl.ws.microsoft.com") ||
        dnsDomainIs(host, "akamai.net") ||
        dnsDomainIs(host, "llnwi.net") ||
        dnsDomainIs(host, "footprint.net") ||
        dnsDomainIs(host, "config.office.com") ||
        dnsDomainIs(host, "windowsupdate.microsoft.com") ||
        dnsDomainIs(host, "update.microsoft.com") ||
        dnsDomainIs(host, "windowsupdate.com") ||
        dnsDomainIs(host, "download.microsoft.com") ||
        dnsDomainIs(host, "test.stats.update.microsoft.com") ||
        dnsDomainIs(host, "ntservicepack.microsoft.com") ||
        dnsDomainIs(host, "prod.do.dsp.mp.microsoft.com") ||
        dnsDomainIs(host, "delivery.mp.microsoft.com") ||
        dnsDomainIs(host, "tsfe.trafficshaping.dsp.mp.microsoft.com")) {
        return "DIRECT";
    }
    // Everything else stays on the corporate proxy / VPN tunnel
    // (placeholder address; the real proxy is not given in the post).
    return "PROXY proxy.corp.example:8080";
}

New Addition:

statica.akamai.odsp.cdn.office.net

SUMAN VADDIPARTHI 2021-10-27T01:31:12+05:30
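To check a candidate rule list offline before it is deployed, here is an added example (not from the original post) that re-implements the PAC dnsDomainIs() suffix test in JavaScript and runs the question's list against the new host; the ".cdn.office.net" entry is an assumed candidate, not something the post specifies.

```javascript
// Added example, not from the original post: an offline re-implementation of
// the PAC helper dnsDomainIs() so the split-tunnel list can be checked before
// the PAC file is pushed to clients.

// Browsers implement dnsDomainIs(host, domain) as a plain suffix test with no
// dot-boundary check, so "akamai.net" also matches a host "notakamai.net";
// a leading dot (".akamai.net") restricts the entry to real subdomains.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// The DIRECT list exactly as written in the question, typos included (note
// the trailing spaces inside some entries and the two duplicates).
const DIRECT_DOMAINS = [
  "officecdn.microsoft.com", "download.windowsupdate.com",
  "emdl.ws.microsoft.com", "akamai.net", "llnwi.net", "footprint.net ",
  "officecdn.microsoft.com ", "config.office.com ",
  "windowsupdate.microsoft.com", "update.microsoft.com", "windowsupdate.com",
  "download.microsoft.com", "test.stats.update.microsoft.com",
  "ntservicepack.microsoft.com", "prod.do.dsp.mp.microsoft.com",
  "emdl.ws.microsoft.com", "delivery.mp.microsoft.com",
  "tsfe.trafficshaping.dsp.mp.microsoft.com",
];

// Same decision the PAC file makes: any matching entry sends the host DIRECT.
function isDirect(host, domains) {
  return domains.some((d) => dnsDomainIs(host, d));
}

// Lint the list: an entry with stray whitespace can never equal a real host
// suffix, and a duplicate is dead weight. Returns the offending entries.
function lintDomainList(domains) {
  const seen = new Set();
  const problems = [];
  for (const d of domains) {
    if (d !== d.trim()) problems.push({ entry: d, issue: "whitespace" });
    else if (seen.has(d)) problems.push({ entry: d, issue: "duplicate" });
    seen.add(d);
  }
  return problems;
}

// The host from the question's "New Addition" matches nothing today; a single
// ".cdn.office.net" suffix entry (an assumed candidate, not from the post)
// would cover it together with its sibling hosts.
const newHost = "statica.akamai.odsp.cdn.office.net";
console.log(isDirect(newHost, DIRECT_DOMAINS));                           // false
console.log(isDirect(newHost, DIRECT_DOMAINS.concat(".cdn.office.net"))); // true
console.log(lintDomainList(DIRECT_DOMAINS).length);                       // 4
```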

Answers ( 2 )

    2021-11-01T20:20:36+05:30

    I will take a look at the MS site provided. Thank you, Sir.

    This is a common problem among enterprises. I think there should be a standard change every month to go through the changes … also Microsoft provides a list of IP addresses, because most firewalls can't be configured with URLs, if I understand correctly.

    Some useful links below

    https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide

    https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-networking-partner-program?view=o365-worldwide

    https://techcommunity.microsoft.com/t5/office-365-networking/use-microsoft-flow-to-receive-an-email-for-changes-to-office-365/m-p/240651
