Merge pull request #28687 from MicrosoftDocs/main

[AutoPublish] main to live - 06/13 10:31 PDT | 06/13 23:01 IST

Author: m365-skilling-repo-management[bot]

microsoft-365/enterprise/microsoft-365-vpn-stream-and-live-events.md

@@ -34,11 +34,11 @@ description: "Special considerations for Teams events in VPN environments"
 >- For guidance on securing Teams media traffic in VPN split tunneling environments, see [Securing Teams media traffic for VPN split tunneling](microsoft-365-vpn-securing-teams.md).
 >- For information about optimizing Microsoft 365 worldwide tenant performance for users in China, see [Microsoft 365 performance optimization for China users](microsoft-365-networking-china.md).
 
-Microsoft Teams Live events attendee traffic (this includes attendees to Teams-produced live events and those produced with an external encoder via Teams or Viva Engage) and Microsoft Teams Town hall attendee traffic is currently categorized as **Default** versus **Optimize** in the [URL/IP list for the service](urls-and-ip-address-ranges.md). These endpoints are categorized as **Default** because they're hosted on CDNs that might also be used by other services. Customers generally prefer to proxy this type of traffic and apply any security elements normally done on endpoints such as these.
+Microsoft Teams Live events **attendee** traffic (this includes attendees to Teams-produced live events and those produced with an external encoder via Teams or Viva Engage) and Microsoft Teams Town hall **attendee** traffic is currently categorized as **Default** versus **Optimize** in the [URL/IP list for the service](urls-and-ip-address-ranges.md). These endpoints are categorized as **Default** because they're hosted on Content Delivery Networks (CDNs) that might also be used by other services. Customers generally prefer to proxy this type of traffic and apply any security elements normally done on endpoints such as these.
 
 Many customers have asked for URL/IP data needed to connect their attendees in Teams events directly from their local internet connection, rather than route the high-volume and latency-sensitive traffic via the VPN infrastructure. Typically, this isn't possible without both dedicated namespaces and accurate IP information for the endpoints, which isn't provided for Microsoft 365 endpoints categorized as **Default**.
 
-Use the following steps to identify and enable direct connectivity for attendee traffic for Teams Events from clients that are using a forced tunnel VPN. This solution is intended to provide customers with an option to avoid routing attendee traffic over VPN while there's high network traffic due to work-from-home scenarios. If possible, we recommend accessing the service through an inspecting proxy.
+Use the following steps to identify and enable direct connectivity for attendee traffic for Teams Events from clients that are using a forced tunnel VPN. This solution is intended to provide customers with an option to avoid routing attendee traffic over VPN while there's high network traffic due to work-from-home scenarios. If possible, we recommend accessing the service through an inspecting proxy. Attendee traffic will connect to the CDN over TCP/UDP 443.
 
 > [!NOTE]
 > Using this solution, there might be service elements that don't resolve to the IP addresses provided and thus traverse the VPN, but the bulk of high-volume traffic like streaming data should. There might be other elements outside the scope of Live Events/Stream which get caught by this offload, but these should be limited as they must meet both the FQDN _and_ the IP match before going direct.
@@ -53,7 +53,6 @@ To implement the forced tunnel exception for Teams Events, the following steps s
 Clients need external, recursive DNS resolution to be available so that the following host names can be resolved to IP addresses.
 
 For the **Commercial** cloud:
-- \*.bmc.cdn.office.net
 - \*.ml.cdn.office.net
 
 
@@ -77,11 +76,36 @@ To solve this, we can provide the following IPs and use them in combination with
 
 ### Gathering the current lists of CDN Endpoints
 
-For the Commercial cloud and Microsoft 365 U.S. Government clouds (GCC, GCC High and DoD) Teams events use Azure CDN from Microsoft. Over time this could be changed due to situations such as regional availability. This article provides the required namespaces for Teams events and guidance for the corresponding IP address ranges used (where available).
+For the Commercial cloud Teams events use Azure CDN from Microsoft and Akamai CDN; Microsoft 365 U.S. Government clouds (GCC, GCC High and DoD) use Azure CDN from Microsoft along with the existing IP ranges defined in the respective Optimize category for their environment. Over time this could be changed due to situations such as regional availability. This article provides the required namespaces for Teams events and guidance for the corresponding IP address ranges used (where available).
 
 For the **Commercial** cloud:
 
 - For Azure CDN from Microsoft, you can download the list from [Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56519) - you'll need to look specifically for the service tag `AzureFrontdoor.Frontend` in the JSON; _addressPrefixes_ will show the IPv4/IPv6 subnets. Over time the IPs can change, but the service tag list is always updated before they're put in use.
+- For Akamai CDN, the following IP addresses are used (these are only used for Teams traffic):
+   * 23.11.32.10/32
+   * 23.11.33.10/32
+   * 23.11.34.10/32
+   * 23.11.35.10/32
+   * 23.11.38.12/32
+   * 23.11.39.12/32
+   * 23.11.36.9/32
+   * 23.11.37.9/32
+   * 23.11.40.9/32
+   * 23.11.41.9/32
+   * 23.11.42.9/32
+   * 23.11.43.9/32
+   * 2600:14e1:0:1::/64
+   * 2600:14e1:4:1::/64
+   * 2600:14e1:8:1::/64
+   * 2600:14e1:c:1::/64
+   * 2600:14e1:18:2::/64
+   * 2600:14e1:1c:2::/64
+   * 2600:14e1:10:7::/64
+   * 2600:14e1:14:7::/64
+   * 2600:14e1:20:7::/64
+   * 2600:14e1:24:7::/64
+   * 2600:14e1:28:7::/64
+   * 2600:14e1:2c:7::/64
 
 For the **Government** clouds **(GCC, GCC High and DoD)**:
 
@@ -94,10 +118,11 @@ The following script can generate a PAC file that will include the namespaces an
 Here's an example of how to generate the PAC file for the Commercial cloud:
 
 1. Save the script to your local hard disk as _Get-EventsPacFile.ps1_.
-1. In a PowerShell window, run the following command. If you only desire the Optimize names (and not Optimize and Allow) change the -Type parameter to OptimizeOnly.
+2. Create a new text file named AkamaiCDN.txt, and copy the Akamai CDN IP addresses from the previous section into the file. Ensure there is only one IP address/prefix per line. Save this file, you will need it in the next step.
+1. In a PowerShell window, run the following command. If you desire the Optimize and Allow names (and not Optimize only) change the -Type parameter to OptimizeAnyAllow.
 
    ```powershell
-   .\Get-EventsPacFile.ps1 -Instance Worldwide -Type OptimizeAndAllow -FilePath .\Commercial.pac
+   .\Get-EventsPacFile.ps1 -Instance Worldwide -Type OptimizeOnly -EIPBFilePath .\AkamaiCDN.txt -FilePath .\Commercial.pac
    ```
 
 1. The Commercial.pac file will contain all the namespaces and IPs (IPv4/IPv6) available for Teams Events attendee traffic.
@@ -123,7 +148,7 @@ Here's an example of how to generate the PAC file for the GCC environment:
 
 <#PSScriptInfo
 
-.VERSION 1.0.7
+.VERSION 1.0.8
 
 .AUTHOR Microsoft Corporation
 
@@ -198,17 +223,21 @@ The tenant name to replace wildcard Urls in the webservice.
 
 The service areas to filter endpoints by in the webservice.
 
+.PARAMETER EIPBFilePath
+
+The input file for the Akamai IP addresses.
+
 .PARAMETER FilePath
 
 The file to print the content to.
 
 .EXAMPLE
 
-Get-EventsPacFile.ps1 -Instance Worldwide -Type OptimizeOnly -FilePath .\PACFiles\Commercial.pac 
+Get-EventsPacFile.ps1 -Instance Worldwide -Type OptimizeOnly -EIPBFilePath .\AkamaiCDN.txt -FilePath .\Commercial.pac 
 
 .EXAMPLE
 
-Get-EventsPacFile.ps1 -Instance USGov -FilePath .\PACFiles\USGov.pac -Type OptimizeAndAllow
+Get-EventsPacFile.ps1 -Instance USGov -FilePath .\USGov.pac -Type OptimizeAndAllow
 
 
 #>
@@ -251,7 +280,11 @@ Param (
 
     [Parameter()]
     [ValidateNotNullOrEmpty()]
-    [string] $FilePath
+    [string] $FilePath,
+
+    [Parameter()]
+    [ValidateNotNullOrEmpty()]
+    [string] $EIPBFilePath
 
 )
 
@@ -338,7 +371,7 @@ function Get-PacString {
         if (!$ServiceAreas -or $ServiceAreas.Contains('Skype')) {
             $EventsConfig = Get-TeamsEventsConfiguration
             if ($EventsConfig.EventsAddressRanges.Count -gt 0) {
-                $EventsBlock = $EventsConfig | Get-TLEPacConfiguration
+                $EventsBlock = $EventsConfig | Get-TeamsEventsPacConfiguration
                 $PACSb.AppendLine()
                 $PACSb.AppendLine($EventsBlock)
             }
@@ -369,16 +402,20 @@ function Get-TeamsEventsConfiguration {
             break
         }
         default {
-            @('*.bmc.cdn.office.net', '*.ml.cdn.office.net')
+            @('*.ml.cdn.office.net')
             break
         }
     }
     $IncludedAddressRanges = & {
+        if (!$Instance.StartsWith('USGov') -and ![string]::IsNullOrEmpty($EIPBFilePath) -and (Test-Path -Path $EIPBFilePath)) {
+            Get-Content -Path $EIPBFilePath -ErrorAction SilentlyContinue
+        }
+                
         $ServiceTagsDownloadId = '56519'
         if ($Instance.StartsWith('USGov')) {
             $ServiceTagsDownloadId = '57063'
         }
-        $AzureIPsUrl = Invoke-WebRequest -Uri "https://www.microsoft.com/en-us/download/confirmation.aspx?id=$ServiceTagsDownloadId" -UseBasicParsing -ErrorAction SilentlyContinue |
+        $AzureIPsUrl = Invoke-WebRequest -Uri "https://www.microsoft.com/en-us/download/details.aspx?id=$ServiceTagsDownloadId" -UseBasicParsing -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Links | Select-Object -ExpandProperty href |
             Where-Object { $_.EndsWith('.json') -and $_ -match 'ServiceTags' } | Select-Object -First 1
         if ($AzureIPsUrl) {
@@ -393,7 +430,7 @@ function Get-TeamsEventsConfiguration {
     }
 }
 
-function Get-TLEPacConfiguration {
+function Get-TeamsEventsPacConfiguration {
     [CmdletBinding()]
     param (
         [Parameter(ValueFromPipelineByPropertyName)]
@@ -502,9 +539,9 @@ else {
 }
 ```
 
-The script will automatically parse the appropriate Azure CDN list based on the **Instance** parameter value and keys off of **AzureFrontDoor.Frontend**, so there's no need to get that manually.
+The script will automatically parse the appropriate Azure CDN list based on the **Instance** parameter value and keys off of **AzureFrontDoor.Frontend**, so there's no need to get that manually. The Akamai CDN information will be incorporated if you supplied the AkamaiCDN.txt file.
 
-Performing VPN offloading utilizing **both** the FQDNs and the IP addresses (where provided) in the function helps scope the use of this offload to a limited set of endpoints including Teams Events. The way the function is structured will result in a DNS lookup being done for the FQDN that matches those listed by the client directly, that is, DNS resolution of the remaining namespaces remains unchanged. In the case of the Commercial cloud, not all IP addresses are provided; VPN offloading would need to rely on matching the namespaces defined earlier in this article.
+Performing VPN offloading utilizing **both** the FQDNs and the IP addresses in the function helps scope the use of this offload to a limited set of endpoints including Teams Events. The way the function is structured will result in a DNS lookup being done for the FQDN that matches those listed by the client directly, that is, DNS resolution of the remaining namespaces remains unchanged.
 
 
 ## 3. Configure routing on the VPN to enable direct egress
@@ -518,6 +555,10 @@ The final step is to add a direct route for the Teams event IPs (or namespaces)
 
 No, this will send the latency-sensitive, potentially high-volume streaming traffic for a Teams Event attendee direct, any other traffic will continue to use the VPN tunnel if they don't resolve to the IPs published or match the defined namespace.
 
+### Is a PAC file required?
+
+No, the PAC file is not required - it all depends on your network and security requirements. The information provided in this document can also be leveraged in other configurations, such as VPN concentrators - please refer to the manufacturer's documentation for configuration assistance.
+
 ### Do I need to use the IPv6 Addresses?
 
 No, the connectivity can be IPv4 only if necessary.
@@ -530,16 +571,16 @@ The **Default** endpoint category has no IP information provided for numerous re
 
 ### Do I only need to allow access to these IPs/namespaces?
 
-No, access to all of the **Required** marked endpoints for the appropriate environment is essential for the service to operate.
+No, access to all of the **Required** marked endpoints for the appropriate environment is essential for the service to operate. Government clouds can also leverage the Optimize endpoint ranges.
 - Worldwide including GCC: [Endpoints for Worldwide](urls-and-ip-address-ranges.md)
 - Microsoft 365 U.S. Government GCC High: [Endpoints for GCC High](microsoft-365-u-s-government-gcc-high-endpoints.md)
 - Microsoft 365 U.S. Government DoD: [Endpoints for DoD](microsoft-365-u-s-government-dod-endpoints.md)
 
 ### What scenarios will this advice cover?
 
-1. Live events produced within the Teams App
-2. Teams encoder produced live events
-3. Teams Town hall
+1. Attending Live events produced within the Teams App
+2. Attending Teams encoder produced live events
+3. Attending Teams Town hall
 
 ### Does this advice cover presenter traffic?
 
@@ -568,6 +609,4 @@ It doesn't; the preceding advice is purely for those attending the event. Presen
 
 [Enhancing VPN performance at Microsoft: using Windows 10 VPN profiles to allow auto-on connections](https://www.microsoft.com/itshowcase/enhancing-remote-access-in-windows-10-with-an-automatic-vpn-profile)
 
-[Running on VPN: How Microsoft is keeping its remote workforce connected](https://www.microsoft.com/itshowcase/blog/running-on-vpn-how-microsoft-is-keeping-its-remote-workforce-connected/?elevate-lv)
-
 [Microsoft global network](/azure/networking/microsoft-global-network)