The document discusses challenges with deploying Office 365 and recommends using Zscaler's cloud security platform as a better solution. It notes that traditional hub-and-spoke VPN architectures and routing traffic through on-premises appliances increase latency and hurt the user experience. Zscaler differentiates Office 365 traffic and sends it directly to Microsoft while applying full security controls. It also provides benefits like one-click configuration, local DNS for faster connections, bandwidth control to prioritize Office 365, and visibility into usage. The summary concludes that Zscaler is fully compliant with Microsoft's recommendations and provides the best user experience and rapid deployment.
4. The staggering growth of Office 365
700+ Office 365 customers
6.4 PB Office 365 traffic processed per month and growing
700% traffic growth in the last 3 years!!
5. Office 365 Deployments are challenging
A deployment survey of over 200 customers
had problems accessing business-critical applications including Office 365.
45%
69% Weekly issues reported
Many continued to experience bandwidth issues, impacting business operations and productivity
Many were plagued by network latency issues on a daily and weekly basis
30% Daily issues reported
70% Weekly issues reported
33% Daily issues reported
Despite appliance upgrades After Deployment
6. Microsoft’s Guidance for Office 365 is Direct Internet
(1) Identify and differentiate Office 365 traffic
Identify the O365 apps you plan to use. These need to be isolated from your other traffic.
(2) Egress network connections locally
Don’t backhaul O365 traffic. Send straight to internet for lowest latency.
(3) Assess Bypassing Proxies
Don’t run O365 through security appliances. This adds latency and kills app performance.
(4) Avoid network hairpins
Send remote users directly to Microsoft. VPN hairpins kill the user experience.
7. Cloud apps need low latency connections
Legacy Hub and Spoke is the WRONG approach
Cloud apps like Skype and SharePoint are designed for low latency direct access
Hub and Spoke and VPN requirements add unnecessary latency
The user experience for Office 365 is compromised
MPLS backhauling adds extra cost to deployment
Microsoft recommends against using a Hub and Spoke network with Office 365
[Diagram labels: Hub-and-Spoke Network; DC Apps; HQ/IOT; San Francisco; New York; Paris; London]
8. Legacy Hub and Spoke is the WRONG approach
Increased connect load on Firewalls and Proxies
Office 365 creates excessive long-lived connections that exhaust firewalls
Between 12-20 connections per user!
Outlook connections per user
THE IMPACT ON USER EXPERIENCE?
Random hangs and connection issues
[Diagram labels: DC Apps; HQ/IOT; San Francisco; New York; Paris; London]
9. ExpressRoute for Office not Recommended
Adds complexity and extra planning
Not recommended and requires Microsoft review and approval
ExpressRoute is very complex to configure correctly
Office 365 traffic growth will outpace gateway upgrades and budgets
“Microsoft has a review policy… ensure that all parties are aware of the 2-6 months of planning, extra complexity…”
[Diagram labels: Hub and Spoke with ExpressRoute; DC Apps; HQ/IOT; San Francisco; New York; Paris; London]
10. Direct Internet connection with appliances
Requires constant firewall updates – missing an IP/URL update can break connectivity
Sacrifices security in branches with only UTMs or firewalls ensure local DNS
Office 365 overwhelms appliances, despite upgrades
Appliance Sprawl
Complex, costly, and still under capacity
[Diagram labels: DC Apps; HQ/IOT; New York; Paris; London; San Francisco]
11. Zscaler for Office 365 and Direct Internet
[Diagram labels: HQ; MOBILE; BRANCH; IOT; Zscaler; Open Internet; Office 365]
Data Protection: Data Loss Prevention, Cloud Apps (CASB), File Type Controls
Access Control: Cloud Firewall, URL Filtering, Bandwidth Control, DNS Filtering
Threat Prevention: Adv. Protection, Cloud Sandbox, Anti-Virus, DNS Security
Differentiate O365 traffic
Egress O365 close to user
Direct Internet for a fast user experience across all ports and protocols
Easily deployed. No hardware needed!
One Click configuration automates O365 IP address changes and exempts from SSL inspection
Optimize connectivity with Zscaler Cloud Firewall and Bandwidth Control
A full security stack for the rest of your direct internet connection
For your Open Internet traffic
For your Office 365 Traffic
Fully compliant with Microsoft’s connection recommendations
12. Minimize Office 365 latency with Local DNS
Guarantee a fast, local connection regardless of location
Zscaler Local DNS Architecture
San Jose User > San Jose DNS > San Jose O365
Shortest path, fewer hops = faster user experience
Latency: 12ms
Common Centralized DNS Architecture
San Jose user > LA > Denver > Austin > Atlanta O365
Lots of hops increases: slower user experience
Latency: 52ms
[Diagram labels: Local DNS; Centralized DNS; O365 Connection; San Jose RTT=12 ms; Los Angeles RTT=22 ms; Denver RTT=36 ms; Austin RTT=48 ms; Atlanta RTT=52 ms]
14. Zscaler One Click Configuration
Simplify day to day Office 365 administration
Easily maintains updates without day to day Office 365 administration
Traditional approach requires constant firewall updates to maintain connectivity
Updates Office 365 connection details multiple times a week
Automatically configures white list
Exempts Office 365 traffic from authentication and SSL decryption, as recommended by Microsoft.
Fingerprints all Office 365 applications
No more keeping up with URL and IP changes in the Office 365 applications.
[Diagram labels: One Click Configuration; .XML update list; HQ; BRANCH; BRANCH]
15. Fully Embrace Direct Internet with Zscaler Cloud Firewall
Easily scale NGFW control across all locations without the appliance cost and complexity.
[Diagram labels: Zscaler Cloud Firewall; Direct Internet Traffic; Office 365 (All ports and protocols); Internet; Branch User Checking Email; HQ User Sharing Desktop; Mobile User Downloading Movies]
Port: 443; Protocol: HTTPS; User: Jen; APP: Outlook Online; Location: All
Port: 3478, 3479, 3480, 3481; Protocol: UDP; User: Chris; APP: Skype for Business Online; Location: All
Port: Any; Protocol: UDP; User: Steve; APP: BitTorrent; Location: All
Application visibility and control
• Adv. DPI engine - stateful packet inspection
• ID Apps regardless of port, protocol, or evasion
• Intrusion Prevention w/ protocol anomaly and signature-based detection.
User identity awareness
• ID Users & Groups regardless of IP address
Unified Policy and Visibility
• Single console for policy management and real-time log visibility
Unlimited SSL inspection capacity
• Inspect ALL your Internet traffic
• One-Click config excludes O365 traffic
16. Zscaler Bandwidth Control
Prioritize Office 365 traffic as Business Critical
Always guarantee Office 365 40% of bandwidth
Cap YouTube traffic at 20%
Policies are defined in a single console and immediately enforced globally
Policies are enforced in the cloud, before the last mile bottleneck
Window shaping and bandwidth throttling deliver a smooth user experience
How Zscaler Bandwidth Control Works
Local Network Egress
Unhindered Access
17. WAN transformation: Fast Office 365 experience
Global workforce staffing company case study
CHALLENGES
WAN congestion caused by O365 traffic
Firewalls overwhelmed with connections
Branch Firewalls too costly (650 locations)
SOLUTION
Local Internet breakouts for a fast connection
Cloud Firewall for elastic scale of connections
Bandwidth Control for Office 365 prioritization
18. Optimized Zscaler TCP Scaling for faster file downloads
3MB file download from a SharePoint public site hosted at Iowa instance
Without Zscaler:
Slower scaling, does not scale beyond 3MB
Scaling starts after 50% of transaction has completed
Starts at default 256 Byte value
With Zscaler:
Pre-negotiated 64KB connection
Scales faster, window scale > 4MB
19. Get Unprecedented Office 365 Visibility with Zscaler
How well is Office 365 being adopted by your users?
Low Office 365 traffic in NY despite one of the largest offices – user issues?
Easily identify the top Office 365 users
OneDrive traffic is low – is Box still being used?
Real-time traffic volume trending
20. Zscaler for Office 365: Five Reasons Why
Zscaler for Office 365 ✔
1. Fully Compliant Microsoft Connection Method (700+ customers)
2. Best possible user experience (fast response times)
3. Rapid deployment (no upgrades, configuration changes)
4. Investment protection and cost avoidance (no hardware or backhaul)
5. Visibility into all Internet traffic within seconds (single console)