shocko
Contributor

MS Teams Split-Tunneling Issues

Using FortiClient EMS Cloud 7.4 and FortiClient 7.2.8. We are using an IPsec remote access profile but need to split-tunnel MS Teams audio/video/sharing traffic, but not all MS Teams traffic (chat etc.). As such we have excluded the cloud application (as defined by the FortiClient EMS remote access profile application-based split tunnel) Microsoft-teams.Published.Worldwide.Optimized.

Checking in our FortiGate ISDB view, we see this object contains the IP ranges for MS Teams Optimize traffic listed here: Microsoft 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn:

| ID | Category | ER | Addresses | Ports |
|----|----------|----|-----------|-------|
| 11 | Optimize Required | Yes | 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38 | UDP: 3478, 3479, 3480, 3481 |

Now on some machines this generally works and on others it doesn't, and this traffic is sent down our VPN. On inspection of the machine we see there is no route for the specific endpoint MS Teams is using for the UDP audio stream in the ranges 52.112.0.0/14, 52.122.0.0/15. These impacted machines contain some of the IP addresses in the route table for those ranges but not the one in use per se.

So we opened a ticket with Fortinet and are getting very little clarity around this (unfortunately my general experience with support for FortiClient is very poor). For starters, if we look at this range (considering the IPv4 ranges):

  • 52.112.0.0/14 -> 262,142 IPs
  • 52.122.0.0/15 -> 131,070 IPs

FortiClient seems to add each IP address as a /32 route to the local route table with no summarisation!!! Even so, we don't see ~400k routes, so it is not adding each route when we connect our VPN.

So how can this even work?

Q1: Is it the case that when we start an MS Teams meeting FortiClient should add the route for the UDP stream being used on the fly? If so, why is it not happening?

Q2: Why would it even do it this way? Why not add a summarised route instead?

Q3: Is it possible to configure the summarised route via EMS in another manner?
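
A diagnostic for the symptom described in the post, as an added example that is not part of the original post or any Fortinet tooling: it runs a longest-prefix match of a media endpoint IP against a route table to show whether a per-host exclusion route covers it or it falls through to the tunnel. The route rows, the `vpn`/`lan` interface labels and the assumption that the tunnel holds the default route are constructed for illustration.

```python
import ipaddress

# Teams "Optimize" IPv4 ranges quoted in the post (Microsoft 365 endpoint ID 11).
OPTIMIZE = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]

# Constructed sample route table: (destination, prefix length, interface).
# The "vpn"/"lan" labels and every address below are made up for illustration.
SAMPLE_ROUTES = [
    ("0.0.0.0", 0, "vpn"),          # assumed default route into the tunnel
    ("192.168.1.0", 24, "lan"),
    ("52.112.10.20", 32, "lan"),    # per-host exclusion routes
    ("52.113.194.132", 32, "lan"),
    ("52.123.0.5", 32, "lan"),
]

def parse_routes(rows):
    return [(ipaddress.ip_network(f"{dst}/{plen}"), iface) for dst, plen, iface in rows]

def best_route(ip, routes):
    """Longest-prefix match, the rule the OS uses to pick a route."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def diagnose(ip, routes, vpn_iface="vpn"):
    """Classify one media endpoint IP against the route table."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in OPTIMIZE):
        return "not-optimize"
    hit = best_route(ip, routes)
    if hit is None:
        return "no-route"
    return "tunnelled" if hit[1] == vpn_iface else "excluded"

def coverage(routes, vpn_iface="vpn"):
    """Addresses in the Optimize ranges covered by non-VPN routes, and the total."""
    covered = sum(
        net.num_addresses
        for net, iface in routes
        if iface != vpn_iface and any(net.subnet_of(o) for o in OPTIMIZE)
    )
    return covered, sum(o.num_addresses for o in OPTIMIZE)

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for ip in ("52.112.10.20", "52.114.7.9", "8.8.8.8"):
        print(ip, diagnose(ip, routes))
    print("covered/total:", coverage(routes))
```

Feeding it the real route table from an affected machine and the remote address of the live UDP stream shows directly whether that endpoint is one of the addresses missing an exclusion route.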
