Optimizing cloud-service traffic in an AnyConnect VPN tunnel on Cisco ASA

Companies around the world are moving their day-to-day business to cloud services: office applications, BigData services, chat / video / audio communication for meetings and training, and many others. However, with the mass shift of employees to remote work, access to the corporate network is still required one way or another (unless the customer runs entirely on a cloud platform), and to make that access secure, Remote-Access VPN is the usual answer.
Classically, such a service can either send all of the remote client's traffic into the VPN tunnel, or selectively include traffic in the tunnel or exclude it from the tunnel based on IPv4 / IPv6 subnets.


Many security teams will decide that the best option is the full tunnel (tunnel-all) mode: all user traffic is under control for the duration of the connection to the corporate network, and data cannot leave in parallel over an uncontrolled Internet connection. However, there is the other side of the scale ...


  • How do you let users exchange files with Box / Dropbox / SharePoint directly in the cloud, at the speed of their home Internet link, instead of over a slow corporate VPN?
  • How do you set up a Webex / Skype session directly with the other party, without hairpinning it through the HQ VPN gateway, which adds delay and degrades call quality?
  • How do you let only specific cloud services work outside the VPN tunnel, so that the user reaches them directly over the home Internet while the rest, the untrusted services, stay centrally controlled?
  • How do you reduce the load on the VPN gateway by not passing trusted cloud-application traffic through it?

With a split-tunnel VPN policy, the traffic that does not need to go through the VPN falls into two categories:


  • trusted cloud services (for example Office365, Webex, etc.)
  • real-time communications (Webex, Skype, Jabber, etc.), which suffer most from added latency / degraded call quality.

Everything else goes through the VPN tunnel.


With classic split tunneling, defining these exclusions by IP runs into the following problems:


  • cloud services use many IP addresses and IP ranges, and they change often;
  • the published IP lists have to be tracked and maintained by hand on the VPN gateway, and they go stale;

The answer is Dynamic Split Tunneling, available since Cisco AnyConnect 4.6 for VPN sessions terminating on a Cisco ASA.


Dynamic Split Tunneling lets you exclude traffic from the VPN tunnel by DNS domain name rather than by IP: the client resolves the name and dynamically excludes the resulting addresses from the tunnel.




On Cisco ASA / AnyConnect this is configured in the Group-Policy. A client connected to the VPN then excludes the resolved IP addresses of the listed domains from the tunnel on its own, regardless of which addresses the service happens to use at that moment.



Configuring AnyConnect VPN on Cisco ASA (standalone or with ASA VPN Load-Balancing)


  1. Define the AnyConnect custom attribute type for dynamic split-exclude domains:
    !
    ASA(config)# webvpn
    ASA(config-webvpn)# anyconnect-custom-attr dynamic-split-exclude-domains description dynamic-split-exclude-domains
    !
  2. Create the attribute data with the domain lists of the cloud services that should be excluded from the tunnel (MS Skype for Business, MS Exchange Online, MS Sharepoint Online, MS O365, Cisco AMP for Endpoints, Cisco Webex). Keep in mind that only one such value can be assigned in a Group-Policy (!) and that a single value is limited to 510 characters:



    !
    ASA(config)# anyconnect-custom-data dynamic-split-exclude-domains SKYPE skype.com, lync.com, teams.microsoft.com, skypeforbusiness.com
    !
    ASA(config)# anyconnect-custom-data dynamic-split-exclude-domains EXCHANGE-ONLINE outlook.office.com, outlook.office365.com, smtp.office365.com, outlook.com, office.com
    !
    ASA(config)# anyconnect-custom-data dynamic-split-exclude-domains SHAREPOINT-ONLINE sharepoint.com
    !
    ASA(config)# anyconnect-custom-data dynamic-split-exclude-domains O365 online.office.com, officeapps.live.com, msappproxy.net, msftidentity.com, account.activedirectory.windowsazure.com, windows.net, microsoftonline.com, autologon.microsoftazuread-sso.com, microsoftonline-p.net, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.windows.net, office.com, cloudappsecurity.com, admin.microsoft.com
    !
    ASA(config)# anyconnect-custom-data dynamic-split-exclude-domains CISCO-AMP amp.cisco.com, amp.sourcefire.com, panacea.threatgrid.com, panacea.threatgrid.eu
    !
    ASA(config)# anyconnect-custom-data dynamic-split-exclude-domains CISCO-WEBEX wbx2.com, webex.com, ciscospark.com, webexcontent.com, activate.cisco.com, webapps.cisco.com, accompany.com, huron-dev.com, sparkpostmail1.com, giphy.com, safebrowsing.googleapis.com, walkme.com, s3.walkmeusercontent.com, speech.googleapis.com, texttospeech.googleapis.com, crashlytics.com, eum-appdynamics.com, amplitude.com, segment.com, segment.io
    !

    Because only one value can be applied per Group-Policy, to exclude, for example, Webex, AMP and Skype together, combine them into a single list:


    !
    ASA(config)# anyconnect-custom-data dynamic-split-exclude-domains CLOUD-SERVICES webex.com, wbx2.com, webexcontent.com, amp.cisco.com, amp.sourcefire.com, panacea.threatgrid.com, panacea.threatgrid.eu, skype.com, lync.com, teams.microsoft.com, skypeforbusiness.com
    !

    Matching is by domain suffix, so an entry covers the domain itself and all of its subdomains: for example, webex.com also matches cisco.webex.com.


  3. Apply the attribute in the Group-Policy:
    !
    ASA(config)# group-policy ASHES-VPN attributes
    ASA(config-group-policy)# anyconnect-custom dynamic-split-exclude-domains value CLOUD-SERVICES
    !
  4. Reconnect the VPN client so that it receives the new policy; traffic to the listed domains now bypasses the VPN tunnel!


    • The AnyConnect client's route details list the dynamically excluded destinations; the webex.com entry shows cisco.webex.com being excluded:
      (screenshot: AnyConnect route details, webex.com / cisco.webex.com)
    • At the same time the tunnel-all policy remains in force for everything else:
      (screenshot: AnyConnect route details, tunnel-all)
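To check a domain list before pasting it into the ASA, and to see which host names the policy would actually pull out of the tunnel, here is a small Python helper. It is an added example, not code from the original article or from Cisco: the function and constant names are mine, the 510-character limit is the one quoted in step 2, and the label-boundary matching (webex.com covers cisco.webex.com but not a look-alike such as notwebex.com) is my reading of the behaviour shown above, which you should verify against your own client version. It also assumes that several anyconnect-custom-data lines with the same data name are merged into one list, which is how an over-long list is split; the sample CLOUD-SERVICES value is copied from the configuration above.

```python
"""Helper for AnyConnect dynamic split-exclude lists on Cisco ASA (added example)."""
import re

# Per-value limit as stated in the article. Assumption: a longer list is split
# across several anyconnect-custom-data lines that share the same data name.
MAX_VALUE_LEN = 510

# Plain DNS names only: AnyConnect matches subdomains implicitly, so an entry
# such as "*.webex.com" is rejected instead of being silently accepted.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Sample input, copied from the article's CLOUD-SERVICES value.
CLOUD_SERVICES = (
    "webex.com, wbx2.com, webexcontent.com, amp.cisco.com, amp.sourcefire.com, "
    "panacea.threatgrid.com, panacea.threatgrid.eu, skype.com, lync.com, "
    "teams.microsoft.com, skypeforbusiness.com"
)


def parse_exclude_list(value):
    """Split a comma-separated anyconnect-custom-data value into clean domain names."""
    domains = []
    for raw in value.split(","):
        name = raw.strip().lower().rstrip(".")
        if not name:
            continue
        if not _DOMAIN_RE.match(name):
            raise ValueError(f"invalid entry in exclude list: {raw.strip()!r}")
        domains.append(name)
    return domains


def is_excluded(fqdn, exclude_domains):
    """Return the list entry that would pull fqdn out of the tunnel, else None.

    Matching is modelled on label boundaries (assumption about client behaviour):
    webex.com covers cisco.webex.com, but notwebex.com does not match.
    """
    host = fqdn.strip().lower().rstrip(".")
    for domain in exclude_domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def chunk_values(domains, limit=MAX_VALUE_LEN):
    """Pack domains into comma-separated values, none longer than `limit`."""
    chunks, current = [], []
    for domain in domains:
        if len(domain) > limit:
            raise ValueError(f"single domain exceeds limit: {domain}")
        if current and len(", ".join(current + [domain])) > limit:
            chunks.append(", ".join(current))
            current = []
        current.append(domain)
    if current:
        chunks.append(", ".join(current))
    return chunks


def render_asa_config(data_name, group_policy, value,
                      attr="dynamic-split-exclude-domains"):
    """Emit the ASA CLI lines for one exclude list, in the order the article uses."""
    domains = parse_exclude_list(value)
    lines = ["webvpn", f" anyconnect-custom-attr {attr} description {attr}"]
    for chunk in chunk_values(domains):
        lines.append(f"anyconnect-custom-data {attr} {data_name} {chunk}")
    lines += [f"group-policy {group_policy} attributes",
              f" anyconnect-custom {attr} value {data_name}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_asa_config("CLOUD-SERVICES", "ASHES-VPN", CLOUD_SERVICES))
    excluded = parse_exclude_list(CLOUD_SERVICES)
    for host in ("cisco.webex.com", "notwebex.com", "login.microsoftonline.com"):
        print(host, "->", is_excluded(host, excluded))
```

Running it shows the practical caveat of the combined list: cisco.webex.com is excluded through the webex.com entry, while login.microsoftonline.com still goes through the tunnel because only teams.microsoft.com, not the O365 sign-in domains, is in CLOUD-SERVICES; if Teams sign-in should also bypass the VPN, the O365 entries have to be merged into the same value.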


UPDATE: Microsoft publishes its own guidance and endpoint lists for Office365, and Cisco does the same for Webex; use those as the source for the domain lists rather than typing them in by hand.


Keep in mind that once (all of) Office365 is excluded from the tunnel, the corporate gateway no longer sees or controls that traffic; the clearest win is for real-time Skype and Webex sessions, which suffer most from the detour through the VPN gateway. Weigh that trade-off for your own environment.





