With the move of large numbers of university and college staff and students to working from home, there has been a significant shift in traffic flows across Janet.
Microsoft have released guidance, How to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure, about how to optimise these new traffic flows and avoid unnecessary traffic flowing across your institutional networks and Janet. In short, if your staff, and possibly your students, are currently forcing all traffic through a VPN to your site, strongly consider split tunnelling in order to route any Office 365-related traffic directly over the Internet.
The article describes:
“the simple steps an organization can take to drastically reduce the impact Office 365 traffic has on the traditional corporate infrastructure when we have a large percentage of users working remotely all at once. The solution will also have a significant impact on user performance and also provide the benefit of freeing up the corporate resources for elements which still have to rely on it.
Most remote users who are not using a virtualized desktop will use a VPN solution of some sort to route all connectivity back into the corporate environment [i.e. your institutional network] where it is then routed out to Office 365, often through an on premises security stack which is generally designed for web browsing.
The key to this solution is separating out the critical Office 365 traffic which is both latency sensitive and that which also puts enormous load on the traditional network architecture. We then treat this traffic differently and use the user’s local internet connection to route the connectivity directly to the service”.
To summarise, it is inadvisable to route traffic that is destined for Office 365 via your institutional network using a VPN.
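The routing decision behind split tunnelling, as an added example that is not taken from the Microsoft article or from Jisc: a destination goes direct only if it falls inside a validated bypass list, and everything else stays in the VPN. The prefixes are documentation ranges used as placeholders for the Office 365 ranges (which this page does not list), and the minimum prefix length is an assumed sanity limit.

```python
import ipaddress

# Constructed placeholders: RFC 5737 / RFC 3849 documentation prefixes stand in
# for the Office 365 ranges, which this page does not list.
SAMPLE_O365_PREFIXES = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/25",
                        "2001:db8:365::/48"]

# Assumed sanity limit (not from the page): refuse any prefix broad enough to
# pull large amounts of unrelated traffic out of the tunnel.
MIN_PREFIXLEN = {4: 16, 6: 32}


def build_bypass_list(prefixes):
    """Validate prefixes and return the collapsed networks to route directly."""
    by_version = {4: [], 6: []}
    for text in prefixes:
        net = ipaddress.ip_network(text, strict=True)  # rejects host bits set
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            raise ValueError(f"{net} is too broad for a VPN bypass entry")
        by_version[net.version].append(net)
    # collapse_addresses() cannot mix IPv4 and IPv6, so merge each family alone
    return [n for nets in by_version.values()
            for n in ipaddress.collapse_addresses(nets)]


def route_for(destination, bypass):
    """Return 'direct' for bypass-listed destinations, otherwise 'vpn'."""
    addr = ipaddress.ip_address(destination)
    if any(addr.version == net.version and addr in net for net in bypass):
        return "direct"
    return "vpn"  # default: everything else stays inside the tunnel


if __name__ == "__main__":
    bypass = build_bypass_list(SAMPLE_O365_PREFIXES)
    for dest in ("192.0.2.200", "198.51.100.200", "10.20.30.40", "2001:db8:365::1"):
        print(f"{dest:>18} -> {route_for(dest, bypass)}")
```

Rejecting over-broad or malformed entries before they reach the VPN client keeps a typo in the bypass list from silently sending non-Office 365 traffic around the institutional security stack.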
In a related article, Remote access to on-premises applications through Azure Active Directory’s Application Proxy, Microsoft describe how to provide secure access to on-prem applications via their Application Proxy without using a VPN. Note that such access is limited to applications that fall into the following areas:
- Web applications that use Integrated Windows Authentication for authentication
- Web applications that use form-based or header-based access
- Web APIs that you want to expose to rich applications on different devices
- Applications hosted behind a Remote Desktop Gateway
- Rich client apps that are integrated with the Active Directory Authentication Library (ADAL)
Did you know?
Jisc are now offering weekly drop-in clinics to help our members with technology issues related to dealing with the coronavirus outbreak. We can also make limited amounts of free consultancy available to you (typically up to 3 hours) to help with the crisis. Consultancy will be provided by one of our cloud consultants, solutions architects or engineers. In all cases, these offers are for help with Office 365, Azure, AWS, cloud security or cloud connectivity.
Want to know more? Please contact your account manager.