
VPN Split Tunnel for Microsoft Teams and Skype for Business Online Media Traffic
Dated: 2/8/2021

Executive Summary

To improve the online meeting experience for remote workers utilizing Teams and Skype4B Online with VPN, the Department of Administration (DOA)/Division of Enterprise Technology (DET) will implement a split tunnel configuration on Wednesday, February 17 at 5:00pm for the Enterprise VPN service that optimizes Microsoft 365 (M365) traffic. Skype4B On-Prem user traffic will not be separated by this split tunnel configuration. The configuration will split three subnets from M365 on Azure and route that traffic directly through the user's local connection to the M365 GCC cloud, bypassing the VPN tunnel connection. Microsoft's Product Group also verified that Teams, SharePoint Online and OneDrive file storage traffic are included in these subnets. All split traffic will be fully encrypted, in compliance with DOA State Standard 250 and in alignment with NIST 800-53 Rev5 SC-7(7) guidelines. The 3 subnets are 52.120.0.0/14, 52.112.0.0/14 and 13.107.64.0/18. From our analysis, we see these subnets carrying Teams and Skype4B Online media (audio, video, and screen share), Teams chat, file share, Skype for Business Online media, SharePoint Online and OneDrive traffic. This includes traffic for users accessing M365 through both their client and browser connections. The Teams media signaling traffic and all other traffic will continue to go through the VPN connection back to the state network. This includes identification information, access control information, all non-Microsoft traffic, and all traffic to the On-Prem systems located at the state data centers. Microsoft recommends this approach, which is referred to as 'VPN Forced Tunnel with a small number of trusted exceptions' (see Appendix I, References). This approach has low risk exposure and is expected to have a high impact on improving the user experience, particularly for Teams meetings. The implementation is limited to the Enterprise VPN service used by DET, DOA, DNR, DOC, DSPS, DWD, OCI, OPD, DFI, EFT and DHS.
DOR has implemented the change on its VPN. DET is working with DATCP, PSC and DOT, which use the Palo Alto VPN service or have their own VPN, to implement this architecture at a later date. The following defines the implementation specifics and compliance with DOA State Standard 250, and provides a reference for compliance with NIST 800-53 Rev 5 guidelines (see Appendix II). The VPN Split Tunnel conceptual diagram in Appendix III is for regulatory reference.

Implementation Specifics

• DET creates the profiles in the Cisco ASA VPN; they are configured with a Standard Access List and a Dynamic Access List to control local (workstation ISP subnet) and remote (VPN subnet) access. This defines the split tunnel. The profile is then pushed from the ASA to the AnyConnect client to create the split tunnel environment during the user login process.
• The configuration defines the traffic over 3 subnets from M365 on Azure to be split from the VPN; all other traffic continues to go through the VPN.
• It is a simple configuration and is controlled and limited to trusted roles.
  o There is a small number of defined endpoints in Azure, a specific set of 3 subnets: 52.120.0.0/14, 52.112.0.0/14, 13.107.64.0/18.
  o The configuration by default routes all other traffic through the VPN.
• The endpoints are controlled and trusted: Microsoft GCC and the AnyConnect VPN client on the remote workstations.
• Additional technical controls:
  o The associated for this traffic provides boundary protections for the transmitted information on this communication path.
  o The encryption is strong: TLS 1.2 with AES 256. The TLS certificate for Microsoft Teams is a 2048-bit SHA256RSA certificate issued by Baltimore CyberTrust Root.

Compliance references: This implementation is compliant with DOA 250 System and Communication Protection Standard - Prevent Split Tunneling for Remote Devices (SC-7(7)).

• The standard states: Preventing split tunneling for remote devices connecting to Agency owned systems unless the split tunnel is securely provisioned using Agency defined safeguards. https://detcc.wi.gov/security/Shared%20Documents/DRAFT%20250%20System%20and%20Communications%20Protection_Executive%20Branch_10262020.docx

The following aligns the implementation with the NIST 800-53 Rev5 SC-7(7) control, BOUNDARY PROTECTION | SPLIT TUNNELING FOR REMOTE DEVICES (see Appendix II).

• The Control SC-7(7) discussion includes: A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of preapproved addresses, without user control.
• The implementation defined above describes a securely provisioned VPN, with a specific set of preapproved addresses and without user control.

Appendix I - References:

• The Technology:
  o Microsoft - Configuring and securing Teams media traffic - https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel?view=o365-worldwide#configuring-and-securing-teams-media-traffic
  o Microsoft - VPN Forced Tunnel with a small number of trusted exceptions - https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel?view=o365-worldwide#2-vpn-forced-tunnel-with-a-small-number-of-trusted-exceptions
  o Cisco AnyConnect split tunneling for M365 - https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215343-optimize-anyconnect-split-tunnel-for-off.html
  o Microsoft Office 365 URLs and IP address ranges - https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams
• Security and Compliance:
  o DOA State Standard 250 - System and Communications Protection Standard, see the approved 11/1/2020 version on the lower part of the page - https://detcc.wi.gov/security/Pages/securitypoliciesstandards.aspx
  o NIST 800-53 - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

Appendix II - NIST 800-53 Rev 5, Related Information

Control Summaries, from Appendix C - SC-7(7) Control Implementation = S: implemented by an information system through technical means, i.e., a technical control.

Control - SC-7(7), Boundary Protection | Prevent Split Tunneling for Remote devices

BOUNDARY PROTECTION | SPLIT TUNNELING FOR REMOTE DEVICES

Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards].

Discussion: Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of preapproved addresses, without user control.

Related Controls: None

Appendix III – Component Diagram and Data Flow

This flow diagram can be used for regulatory informational purposes.

[Diagram: Remote Worker Split Tunnel Teams. Components: Remote Workstation (DET) with Cisco AnyConnect; Agency Edge; Cisco ASA VPN; Enterprise Edge; F5 - ADFS Authentication; M365 Gov cloud for Wisconsin. The numbered arrows 1 to 4 correspond to the Data Flow steps below.]

Data Flow

1. The remote computer initiates the Cisco AnyConnect VPN and, once connected to the Cisco ASA VPN, attempts to connect to a Teams meeting.
2. The VPN is an encrypted tunnel that carries the encrypted TLS and DTLS traffic for the Teams meeting in the form of Microsoft signaling.
3. Once the signaling reaches the Microsoft Tenant for Wisconsin, the signaling starts the conference connection and the signaling answer is sent back along the same route to the remote computer.
4. The media traffic for the Teams session and Skype for Business uses the split tunnel configuration that is defined in the client's profile on the Cisco ASA VPN. All other traffic still traverses the VPN.

Split Tunnel Configuration:
• DTLS-encrypted UDP media ports for Teams: 3478 = Discovery allocation and real-time traffic; 3479 = Audio; 3480 = Video; 3481 = Video screen sharing
• Microsoft IP subnets to be allowed to split tunnel: 52.120.0.0/14; 52.112.0.0/14; 13.107.64.0/18.
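As an added example, not part of this memo or of DET's actual ASA configuration, the following Python renders the three excluded subnets above as Cisco ASA standard-ACL lines of the kind the Implementation Specifics describe, and then checks constructed sample flows against that exclude list to show that the bypass is decided purely by destination subnet: Teams media to an address outside the three ranges, and all on-prem traffic, stays on the VPN. The ACL name M365-SPLIT and the sample addresses are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed from the memo: the three M365 subnets excluded from the VPN tunnel
# and the DTLS-encrypted UDP media ports used by Teams.
SPLIT_SUBNETS = [ipaddress.ip_network(c) for c in
                 ("52.120.0.0/14", "52.112.0.0/14", "13.107.64.0/18")]
TEAMS_MEDIA_UDP_PORTS = {3478: "discovery/allocation and real-time",
                         3479: "audio", 3480: "video", 3481: "screen sharing"}

def asa_split_exclude_acl(acl_name, subnets=SPLIT_SUBNETS):
    """Render the subnet list as Cisco ASA standard ACL lines (network + dotted mask).
    The ACL name is a hypothetical value chosen for this example."""
    return [f"access-list {acl_name} standard permit {n.network_address} {n.netmask}"
            for n in subnets]

class Flow(NamedTuple):
    dst_ip: str
    proto: str      # "udp" or "tcp"
    dst_port: int

def route_for(flow):
    """'direct' if the destination lies in an excluded subnet, otherwise 'vpn'.
    An exclude-list split tunnel decides on destination IP only; port and
    protocol never change the answer, which is what the audit below exercises."""
    ip = ipaddress.ip_address(flow.dst_ip)
    return "direct" if any(ip in net for net in SPLIT_SUBNETS) else "vpn"

def classify(flow):
    """Return (route, Teams media role or None) for one flow."""
    role = TEAMS_MEDIA_UDP_PORTS.get(flow.dst_port) if flow.proto == "udp" else None
    return route_for(flow), role

# Constructed sample flows, including addresses just outside the /14 and /18.
SAMPLE_FLOWS = [
    Flow("52.120.1.2", "udp", 3479),    # Teams audio inside 52.120.0.0/14
    Flow("13.107.100.7", "udp", 3481),  # screen sharing inside 13.107.64.0/18
    Flow("52.116.0.1", "udp", 3478),    # 52.116.0.0 is outside both /14s
    Flow("13.107.128.1", "tcp", 443),   # one address past the end of 13.107.64.0/18
    Flow("10.20.30.40", "tcp", 445),    # on-prem file server, stays on the VPN
]

def audit(flows=SAMPLE_FLOWS):
    """(dst_ip, route, role) per flow; anything not in the three subnets is
    tunneled, so a mistyped mask shows up as an unexpected 'vpn' or 'direct' row."""
    return [(f.dst_ip, *classify(f)) for f in flows]

if __name__ == "__main__":
    print("\n".join(asa_split_exclude_acl("M365-SPLIT")))
    for row in audit():
        print(row)
```

Running it prints the three ACL lines (for example `access-list M365-SPLIT standard permit 52.120.0.0 255.252.0.0`) followed by one audit row per sample flow.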