Microsoft 365 Network Performance for Remote Employees

Today, VPN split tunneling is recommended for accessing Microsoft 365 services to eliminate the overhead added by VPN. Many Microsoft services are latency sensitive, such as co-authoring a document in the browser or on the desktop, or making calls on Microsoft Teams. Microsoft outlines which IP address ranges and FQDNs should be placed on a bypass list, but the general recommendation is to use split tunneling for VPN regardless of scenario.

You also need to split tunnel DNS traffic over VPN. As one example, the front door for Exchange Online is determined by the DNS resolver location (and certain functions in Outlook, such as search or the online archive mailbox, perform a live query against Exchange Online even when in cached mode). If your worldwide users connect to your main corporate office for VPN, where you co-locate your in-house DNS resolvers, users across the globe will be directed based on the location of the DNS resolver at your main corporate office. Unless your users are in the same general geographic region as the VPN endpoint, they may be directed to a suboptimal location for Microsoft 365 services.

The concept behind split tunneling DNS is that your VPN client only needs to route DNS traffic applicable to your corporate network, such as the fully qualified name of your Active Directory domain, over the tunnel. By split tunneling DNS traffic over VPN, your clients will use their local DNS resolver, likely assigned by their ISP, for traffic flowing over the public Internet, which directs them to the optimal location within Microsoft 365, while still using your corporate DNS resolvers for internal-only name resolution.
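The resolver choice described above comes down to suffix matching on DNS label boundaries, plus a check that no tunnel rule is broad enough to capture Microsoft 365 names. The following is an added example, not from the original post; the suffixes and host names are constructed sample values, and the function names are hypothetical.

```python
# Added example: model of VPN split DNS (suffix-based resolver selection).
# All suffixes and host names are constructed sample values (assumptions).

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")

def matches_suffix(qname, suffix):
    """True if qname equals suffix or is a subdomain of it (label boundary)."""
    q, s = normalize(qname), normalize(suffix)
    if not s:  # "" or "." is a catch-all rule: every query matches
        return True
    return q == s or q.endswith("." + s)

def pick_resolver(qname, tunnel_suffixes):
    """Return 'corporate' if the query is sent over the VPN, else 'local'."""
    if any(matches_suffix(qname, s) for s in tunnel_suffixes):
        return "corporate"
    return "local"

def audit(tunnel_suffixes, public_names):
    """Return (suffix, name) pairs where a tunnel rule captures a public name."""
    return [(s, n) for s in tunnel_suffixes
            for n in public_names if matches_suffix(n, s)]

# Constructed sample configuration and names to test against it.
CORP_SUFFIXES = ["corp.example.com", "example.local."]
M365_NAMES = ["outlook.office365.com", "teams.microsoft.com"]

if __name__ == "__main__":
    # notcorp.example.com shares trailing characters with the corporate
    # suffix but is not a subdomain, so it must stay on the local resolver.
    for name in ["dc01.corp.example.com", "notcorp.example.com", *M365_NAMES]:
        print(f"{name:28} -> {pick_resolver(name, CORP_SUFFIXES)}")
    # Over-broad rules ('com', or the catch-all '.') pull Microsoft 365
    # lookups back to the corporate resolver and defeat the split.
    for suffix, name in audit(CORP_SUFFIXES + ["com", "."], M365_NAMES):
        print(f"rule {suffix!r} sends {name} to the corporate resolver")
```
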

You can learn more about the network fundamentals for Microsoft 365 services at Microsoft 365 network connectivity overview. You can also run tests from your client by going to Microsoft 365 network connectivity test. This will tell you whether your client is using VPN split tunneling, whether any proxy servers are interfering with traffic, and so forth. In addition, Microsoft 365 admins can get additional data from the Microsoft 365 network connectivity health dashboard. This dashboard does have some prerequisites, so make sure you review those. The most important prerequisite is to enable Windows Location Services and use the OneDrive sync client on your Windows desktops.

TL;DR: Split tunneling VPN, including DNS, and adding the Microsoft 365 IPs/URLs to the bypass list of any proxy service (such as a service which performs SSL inspection) will provide the optimal experience for your end users.

Trevor Seward is a Microsoft Office Apps and Services MVP who specializes in SharePoint Server administration, hybrid scenarios, and SharePoint Online. He has been working with SharePoint for 16 years from SharePoint 2003 on up, managing environments with terabytes of content for 150,000+ user organizations. Trevor is an author of Deploying SharePoint 2016 and Deploying SharePoint 2019. You can find him on Twitter and in /r/sharepoint.