Why You Need an Office 365 Network Plan
No one wants to wait to get work done. Since your entire company relies heavily on the Office 365 environment to get that vital work done, it’s mission critical that the environment is performing the way it should. That’s why you need an Office 365 network connectivity and optimization plan. Read on.
Some background on Office 365
Since Office 365 is a cloud-hosted SaaS platform accessed through the Internet, it requires an optimal network design to ensure acceptable performance. Plus, Office 365 services handles critical corporate applications such as email (Exchange Online), content (SharePoint Online), communications (Skype for Business) – you get the picture.
It’s all-important that network administrators create an Office 365 optimization plan to evaluate the existing network infrastructure. Plus, the plan will recommend updates to optimize network connectivity between critical Office 365 services and corporate users.
Consider these three things during network planning for Office 365:
- Network connectivity and routing of Office 365 services
- Network latency
- Network egress model for connecting Office 365 within corporate network
Network latency is the observed time delay, as data transmits from one point to another. And in SaaS applications such as Office 365, application performance is heavily dependent on latency of the network connection.
In this blog, I illustrate some of the factors that affect network latency and need to be considered when planning networking for Office 365.
Microsoft’s Global Network
Over the years, Microsoft has built one of the largest network of data centers and WAN backbones in the world. The resulting network is capable of high bandwidth (multi-Terabit) and low latency connections between thousands of miles of privately-owned dark fiber connecting the data centers and the data centers with the edge nodes.
Figure 1: Microsoft’s Global Network (Courtesy: Microsoft)
This network is designed to allow the different Office 365 services to achieve acceptable performance and scalability from anywhere in the world irrespective of the region where the data is located.
Suggestion: When planning an Office 365 implementation, IT managers should focus on keeping the corporate’s Office 365 traffic to the least amount of time on the internet before the ISP hands it to Microsoft’s network. Reducing the number of network hops required to reach Microsoft’s network also helps in improving network latency. Check out this blog on Localized Network Egress by Paul Collinge that goes into a little more detail on network egress and its effect on application performance.
The two most common egress models for connecting machines from inside the corporate network to Office 365 services are proxied access and direct routing. Let’s dig into these models.
Proxied access involves the use of a proxy server as an intermediary between clients within the corporate network and external resources. Today, most companies use web proxies to facilitate access to content on the internet. The advantages of using a proxy server to handle external web requests is that it simplifies the connectivity process and enables centralized management of internet access within the corporate network.
The Proxy server is generally located at the egress and connects the internal machine to external sources on behalf of the requestor. The connection is managed established as two TCP connections: 1) client to proxy and 2) proxy to endpoint.
This allows the proxy server to
- Intercept network traffic for additional processing
- Inspect traffic for malicious code
- Change or deny requests
Proxied connections offer many advantages such as ease of configuration, monitoring, restricts traffic to small number of IP addresses and ports for easy firewall traversal etc.
However, when using a SaaS platform such as O365, there are some downsides to using Proxied connections. Proxies generally do not handle UDP traffic (affects call quality in Skype). Second, the proxy is a “man in the middle” and can lead to potential SSL issues. Finally, issues with scalability and performance as proxy servers are generally not designed or configured with SaaS services in mind.
In case a proxy server absolutely needs to be used, suggest doing the following:
- Ensure the configuration of the proxy devices are reviewed and finetuned to support SaaS services
- Avoid using centralized proxies as they tend to increase latency
- Ensure that the point of local ingress with Microsoft’s network is located in the same region where the client is located
- Avoid routing Skype for Business traffic through these devices even when optimized
Direct routing supports the handling of direct UDP traffic, which optimizes it for use with Skype. It also improves latency and optimizes connectivity with Office 365 services since there’s no or minimal interference with payload at egress.
However, there are some of the disadvantages of using direct routing when compared to Proxied routing:
- Routing to the appropriate egress needs to be managed internally
- Need to authorize all Office 365 endpoints and ports on all firewalls
- Continuously monitor any changes to IP ranges, Urls or ports used by Office 365 (they rarely change) – however, failure to update the firewall settings with any IP/ ports changes can result in connectivity issues. This could be a challenge to larger organizations
Clients connect with Office 365 services directly through a dynamic Network/Port Address Translation (NAT/ PAT) devices located at the egress of the corporate network. The NAT/PAT changes the internal IP and/or port to a public one. The Office 365 endpoint receives the public IP address used for NAT/PAT.
ExpressRoute is another option for connecting with Office 365 services. It is essentially direct routing via another path, involving private peering with Microsoft network. The current guidance from Microsoft is that “ExpressRoute is not required or recommended for Office 365 except in a small number of situations.”
If you plan on leveraging Azure ExpressRoute for your Office 365 implementation, a review by Microsoft is required before it can be approved.
Additional details on leveraging ExpressRoute for Office 365 can be found here.