Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mehulp
New Contributor

Split Tunnel

How to configure split tunnel to exclude only Microsoft Teams traffic? (There is no option to exclude an FQDN for Trusted destination.)

Babitha_M
Staff

Hi Mehul,

 

Please note that the ISDB object will not support split tunneling. It is necessary to manually build an address group and include all of the Teams addresses.

 

Regards,
Babitha M

 

Mehulp
New Contributor

Is there any template to perform the same? There are a lot of IP ranges for MS Teams.

funkylicious

These would be the ranges for TCP/80,443

13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32

geek
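As a template for building the address group from the ranges posted above, here is an added example that is not part of any reply in this thread. It validates the CIDRs and emits FortiOS `config firewall address` and `config firewall addrgrp` commands; the object names `MS_Teams_*` and `MS_Teams_Group` and the minimum-prefix guard are assumptions.

```python
import ipaddress

# Ranges quoted in the reply above (TCP/80,443). Re-check them against
# Microsoft's published endpoint list before use; they change over time.
TEAMS_RANGES = [
    "13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15",
    "52.238.119.141/32", "52.244.160.207/32",
]

MIN_PREFIX = 12  # assumed guard: refuse prefixes broader than /12


def normalize(cidrs):
    """Validate IPv4 CIDRs, drop duplicates and merge adjacent/overlapping ones."""
    nets = []
    for cidr in cidrs:
        # strict=True raises ValueError when host bits are set (e.g. 10.0.0.1/24),
        # which catches typos before they become a tunnel exclusion.
        net = ipaddress.IPv4Network(cidr.strip(), strict=True)
        if net.prefixlen < MIN_PREFIX:
            raise ValueError(f"{net} is too broad to exclude from the tunnel")
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def fortios_cli(cidrs, prefix="MS_Teams", group="MS_Teams_Group"):
    """Return FortiOS CLI text: one address object per range plus one group."""
    names = []
    lines = ["config firewall address"]
    for net in normalize(cidrs):
        name = f"{prefix}_{net.network_address}_{net.prefixlen}"
        names.append(name)
        lines += [
            f'    edit "{name}"',
            f"        set subnet {net.network_address} {net.netmask}",
            "    next",
        ]
    lines.append("end")
    members = " ".join(f'"{n}"' for n in names)
    lines += [
        "config firewall addrgrp",
        f'    edit "{group}"',
        f"        set member {members}",
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(fortios_cli(TEAMS_RANGES))
```

The resulting group is then referenced wherever the split-tunnel destination list is configured; every range added to it bypasses the tunnel, so keep the list as narrow as the published endpoints allow.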
esalija
Staff
pavankr5
Staff

Hello @Mehulp,

 

+ Find the IP address ranges that Microsoft Teams uses for its traffic. Microsoft provides a list of IP addresses and ranges that their services use, including Teams.

+ Set up the basic split tunneling configuration on your FortiGate firewall to route general internet traffic through the VPN tunnel while allowing specific traffic to bypass it.

+ You'll need to create a custom routing table to handle the traffic you want to exclude from the VPN tunnel.
+ Assign the custom routing table to the IP address ranges associated with Microsoft Teams traffic.


Example of what the CLI configuration might look like:

config system dns-database
    edit "microsoft_teams"
        config ip-range
            edit 1
                set start-ip <start_ip>
                set end-ip <end_ip>
            next
        end
    next
end

config system route-table
    edit "teams_bypass"
        config rule
            edit 1
                set src 0.0.0.0 0.0.0.0
                set dst "microsoft_teams"
                set gateway <gateway_ip>
            next
        end
    next
end

Let us know if you have any queries.

 

Thanks,

Pavan
