Split-tunnel Teams media: make it right!

With the pandemic and the new work culture, work-from-home and VPNs are here to stay. I already wrote about SfB split-tunneling, and the same logic applies to Teams: media should take the shortest possible path to the other endpoint.

It is up to each VPN solution to configure its clients for split tunneling. Microsoft has enough documentation on how to deploy it globally for Microsoft 365, and so do the VPN vendors.

But due to appliance limitations or ‘easier-to-deploy’ decisions, you may find cases where the split-tunnel rules are based on application or process name. If you allow split tunnel for the ‘teams.exe’ process, you are letting that process use the local internet breakout for any public IP, instead of the company firewall/inspection that protects the user from malicious sites.

Not a problem? Let’s review Teams.

Teams is not just a communication app; it also lets you embed other plugins and apps. But most important: it is an Electron-based application, which means it carries its own embedded Chromium browser. To make it simple and quick to understand, here is the ‘catch’:

1. Go to a Teams channel and click the (+) sign on the tab bar
2. Choose Website, type a name and the URL of the site you want to open
3. You can now browse that site inside the Teams ‘embedded browser’, directly on the Internet (since teams.exe is allowed to bypass the tunnel) and without any corporate restrictions

This also happens with any app that can be attached to Teams.

How bad can it be? Here is the proof of concept:

1. Using a normal web browser in your company, you will obviously get blocked when reaching a malicious web site, because you use your company’s internet breakout/firewall through the VPN tunnel.
2. If I embed the same site in a tab of the teams.exe process that bypasses the VPN, I will be able to navigate to it.
And I don’t think that this Chromium browser has as many security measures implemented as the standard browsers.

Risk: moderate

It is not something that users will know how to do, but they can be deceived by someone who crafts a way to use ‘teams.exe’ to open a site or download a file (we still have the local EDR or AV to protect us, right?). The other concern is that users are able to access content that should have been inspected by a firewall / content filter (for example, if someone invites the user to another tenant that hosts an Excel file, or any other file, on SharePoint containing a macro or other code).

Teams VPN media optimization: the right way

If you want to optimize Teams media in a secure way, the simplest approach is to create a VPN client rule allowing split tunnel only for the Teams media IPs and ports: ID 11 (the ‘Optimize’ entry for Skype for Business Online and Microsoft Teams, UDP 3478-3481 towards the published media prefixes) in the Microsoft 365 endpoint documentation. Match on destination IP and port, never on the process name, and take the prefixes from the current published list rather than hard-coding them, because they change over time:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams
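As an added example (not part of the original post), the following Python builds the IP/port rules the right way: it reads the Microsoft 365 endpoint list in the format of the public endpoint web service, keeps only the Teams media entry (Skype service area, Optimize category, UDP ports), emits vendor-neutral rule lines, and then checks whether a given destination flow would bypass the tunnel. SAMPLE_ENDPOINTS is a constructed two-entry excerpt in that format so the script runs offline; its prefixes are the published ones at the time of writing but must be refreshed from the live service (fetch_endpoints) before real rules are built. The check shows the point of the article: media to a Teams relay on UDP 3478-3481 goes direct, while a web page opened in a Teams tab (TCP 443, even to a Teams prefix) still goes through the VPN and the corporate firewall.

```python
import ipaddress
import json
import urllib.request
import uuid

# Live source of the Microsoft 365 endpoint list (public web service).
ENDPOINT_SERVICE = "https://endpoints.office.com/endpoints/worldwide"

# Constructed excerpt in the web service's JSON format (two of the many
# entries). ID 11 is the Teams media entry the post refers to; ID 12 is the
# Teams signalling/web entry that must NOT be split-tunnelled by these rules.
# Refresh from the live service before use: prefixes change over time.
SAMPLE_ENDPOINTS = json.loads("""
[
  {"id": 11, "serviceArea": "Skype",
   "serviceAreaDisplayName": "Skype for Business Online and Microsoft Teams",
   "ips": ["13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15", "2603:1063::/38"],
   "udpPorts": "3478,3479,3480,3481",
   "category": "Optimize", "required": true},
  {"id": 12, "serviceArea": "Skype",
   "serviceAreaDisplayName": "Skype for Business Online and Microsoft Teams",
   "urls": ["*.lync.com", "*.teams.microsoft.com", "teams.microsoft.com"],
   "ips": ["13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15", "2603:1063::/38"],
   "tcpPorts": "443,80",
   "category": "Allow", "required": true}
]
""")


def fetch_endpoints(url=ENDPOINT_SERVICE):
    """Download the current list (needs network). The service requires a GUID."""
    with urllib.request.urlopen(f"{url}?clientrequestid={uuid.uuid4()}", timeout=30) as resp:
        return json.load(resp)


def parse_ports(spec):
    """'3478,3479,3480,3481' or '3478-3481' -> frozenset of port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)


def port_ranges(ports):
    """Collapse a port set into sorted contiguous (low, high) ranges."""
    out, start, prev = [], None, None
    for p in sorted(ports):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            out.append((start, prev))
            start = prev = p
    if start is not None:
        out.append((start, prev))
    return out


def media_rules(endpoints):
    """Select the Teams media entry by its attributes rather than trusting the
    numeric id: Skype service area, Optimize category, UDP ports present.
    Returns (network, "udp", ports) tuples, one per published prefix."""
    rules = []
    for entry in endpoints:
        if entry.get("serviceArea") != "Skype" or entry.get("category") != "Optimize":
            continue
        if not entry.get("udpPorts"):
            continue  # media is UDP only; never widen the bypass to TCP/HTTPS
        ports = parse_ports(entry["udpPorts"])
        for cidr in entry.get("ips", []):
            rules.append((ipaddress.ip_network(cidr), "udp", ports))
    return rules


def rule_lines(rules):
    """Vendor-neutral lines such as 'udp 52.112.0.0/14 3478-3481', to be
    translated into the VPN client's own split-tunnel syntax."""
    lines = []
    for net, proto, ports in rules:
        spans = ",".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in port_ranges(ports))
        lines.append(f"{proto} {net} {spans}")
    return lines


def bypasses_tunnel(rules, dst_ip, proto, port):
    """True only if the flow matches a media rule; everything else, including
    a web page opened inside teams.exe, keeps going through the VPN."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net and proto == p and port in ports for net, p, ports in rules)


if __name__ == "__main__":
    rules = media_rules(SAMPLE_ENDPOINTS)
    for line in rule_lines(rules):
        print(line)
    print(bypasses_tunnel(rules, "52.113.1.2", "udp", 3478))   # True: media to a relay
    print(bypasses_tunnel(rules, "52.113.1.2", "tcp", 443))    # False: Teams web traffic
    print(bypasses_tunnel(rules, "203.0.113.10", "tcp", 443))  # False: a site in a Teams tab
```

The entry is selected by service area, category and the presence of UDP ports instead of by the bare number 11, so a renumbering of the list cannot silently turn the rule into an HTTPS bypass; the `tcpPorts` of the neighbouring Allow entry are deliberately ignored for the same reason.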
