Configuring Pulse Secure VPN Tunnel Override for Cisco Webex

In this post, I will show you how to configure up your Pulse Secure VPN client to not tunnel Cisco Webex traffic over your VPN tunnel.

Due to COVID-19, there has been a rapid push to extreme levels of remote work. Many networks, including ours, are seeing traffic flows that significantly differ from anything we’ve ever seen before. For example: VPN Gateways fully utilized, Internet circuit utilization that is through the roof, and an unprecedented level of Cisco Webex usage. All of this has changed the network traffic flows and it has created a need to look at what is going on inside our network and look for ways to quickly optimize it for efficiency and best end-user experience.

Background Information

We run our VPN tunnels in full-tunnel mode, meaning when the VPN client is connected, all traffic from the endpoint routes to our Pluse Secure gateways. Typically this works fine. Sure, Internet traffic is a little slower as it flows back to the data center and back out the web proxies, but until now, VPN was more of a convenience, and not a staple of our daily lives. With Cisco Webex accounting for nearly 70% of our Internet bandwidth currently, it doesn’t make sense to hairpin this traffic at the enterprise.

The Pulse Secure Documentation is a little vague on how this is all done. This is mostly due to their split tunnel examples showing how to tunnel specific networks over the VPN tunnel. We wanted to do the opposite. We wanted everything but Webex traffic to flow over the VPN Tunnel. This would save a lot of traffic on our corporate Internet pipes and optimize the end user experience, especially for our International remote workers.

In the steps below I will show you how we accomplished this on the Pulse Secure Platform. The screen shots are in the legacy GUI mode, because I’m old school like that.

Setup VPN Tunneling Range Exemption(s)

Cisco Webex has a support document that will provide you with all of their CIDR ranges, which makes this first part very easy. In this configuration, you want to exempt these ranges from the VPN tunnel so that’s why my action is Deny. (See screenshot, below)

Protip: Subscribe to updates on the Cisco Webex support document, so when these CIDR ranges change, you will be notified and you can verify your list. Please don’t email to tell me that my screenshots are out of date. Go get the current list!

Note: Cisco has different CIDR blocks for several of their products including Meetings, Teams, and Jabber. There may be additional networks you want to add to your list. You can also create multiple rules to keep these grouped neatly. If you’re trying to do this with the Microsoft O365 list, godspeed.

Configure your VPN Tunneling Ranges : Users > Resource Prolicies > VPN Tunneling > Split Tunneling Networks: Create a new entry and enter the CIDR Ranges for Cisco Webex

Enable split tunneling

The last step is to enable split tunneling. This is done in the User Role configuration. See screenshot, below.

Enable Split Tunneling: Users > User Roles > <Role-Name> > VPN Tunneling > Options

Validation

Next you just need to test. Connect your Pulse Secure client and check your routing table on your machine. For Microsoft Windows, just type “route print” at a command prompt. You should see routes for those Cisco Webex CIDR ranges in your routing table that are bypassing the Pulse Secure VPN tunnel. You can validate the traffic flows with tracert commands.

Best of luck!

Author: Michael

I am a Private, Instrument Rated, pilot living in the Kansas City Metro area. I work as a Network Engineer supporting data and voice infrastructure components here in Kansas City. In my spare time I fly.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.