Genesys Cloud - Main

 View Only

Discussion Thread View
  • 1.  VPN split tunneling - Genesys Cloud best practice?

    Posted 06-17-2021 02:57
    Edited by Jeff Hoogkamer 01-13-2022 05:50

    Hi All,

    Part of the working from home optimization our organisation did back in 2020, one of the activities was to implement VPN split tunnelling for Office365 (including Teams and Skype for Business) so traffic for 'as a Service' cloud applications didn't have to use our VPN resources and could go direct on the user's local internet connection.

    We're new to the Genesys Cloud (using BYOC Cloud) after moving from PureConnect, and looking at whether there's any best practices for Genesys Cloud WFH optimization as well. I had a look around the Resource Center and forums, and the only thing I really found was a forum post about checking connectivity.

    Based on the guides I've seen from Microsoft and translating it over to Genesys Cloud,  the main items they refer to is to Identify the endpoints to optimize including URL's and IP Address Ranges.

    Optimize URLs
    As for the URL's, those should be relatively easy to identify specifically for Genesys Cloud based on the Domains for the firewall allowlist

    Optimize IP Address Ranges
    For the Genesys Cloud Media services (including WebRTC stations), this is now easy due to the CIDR IP address range (52.129.96.0/20).

    However for the remainder of the Genesys Cloud application on AWS (including CloudFront, S3 and others) - this is where it gets a little more tricky to only allow traffic specifically for Genesys Cloud and not everything on Amazon AWS.

    Also some VPN vendors (suck as CheckPoint) also recommend only using IP address based VPN split tunelling rather than using FQDN's - which also becomes an issue with Genesys Cloud using all of Amazon AWS IP ranges in the region.


    So my questions from here are:
    1. Should we be optimizing Genesys Cloud at all using VPN split tunnelling?
    2. If we should - would optimizing the URL's and only the Genesys Cloud Media Services IP Address range be sufficient?
    3. Do we need to optimize the rest of Amazon AWS IP addresses as well?

    Thanks in advance.


    #ArchitectureandDesign
    #Implementation
    #PlatformAdministration
    #SystemAdministration

    ------------------------------
    Jeff
    ------------------------------


  • 2.  RE: VPN split tunneling - Genesys Cloud best practice?

    Posted 08-09-2021 21:24
    Just bumping this thread.

    Maybe @Chris Bohlin has some input :D​​​

    ------------------------------
    Jeff
    ------------------------------



  • 3.  RE: VPN split tunneling - Genesys Cloud best practice?

    Posted 01-11-2022 04:02
    Jeffrey,

    Did you ever get feedback on this via other channels (support, ...)?

    I'd be interested in this info as well.

    rgds,

    Tommy

    ------------------------------
    Tommy Braes
    CX Consultant
    Proximus PLC
    tommy.braes.ext@proximus.com
    ------------------------------



  • 4.  RE: VPN split tunneling - Genesys Cloud best practice?

    Posted 01-13-2022 05:50
    Edited by Jeff Hoogkamer 01-13-2022 05:51
    Hi Tommy,

    I didn't get anything that helped my situation. Most orgs use VPN just for local traffic and usually continue to send all internet traffic over the user's local internet connection, split tunnelling hasn't been required

    In our case where we are routing all traffic over the VPN (except for our Office365 tenant) - it would be impossible to only split Genesys Cloud traffic due to the shared (and changing) AWS IP ranges as well as the shared FQDN's (e.g. cloudfront.net, bam.nr-data.net, js-agent.newrelic.com,etc)

    We could try just splitting *some* of the Genesys Cloud traffic that we 100% know is Genesys Cloud including the CIDR IP range and the relevant FQDN's (e.g. mypurecloud.com.au, apse2.pure.cloud, etc)  to get some of the traffic off the VPN - but I'm sure Genesys Cloud won't like the different endpoint IP's and probably break something.

    Cheers,
    Jeff.




  • 5.  RE: VPN split tunneling - Genesys Cloud best practice?

    Posted 01-16-2022 17:49
    Hi Jeffrey,

    Have you looked into Force TURN feature in Genesys Cloud? it won't completely fix your split tunnel VPN issues but could help limit down the IP Address routing - https://help.mypurecloud.com/articles/use-the-force-turn-feature/

    ------------------------------
    Nathan Kaden
    CALLSCAN AUSTRALIA PTY. LTD.
    ------------------------------



  • 6.  RE: VPN split tunneling - Genesys Cloud best practice?

    Posted 09-02-2024 03:57

    Hi All,

    Thought I'd re-visit this post to see if anyone recently has done anything to split-tunnel Genesys Cloud traffic away from a VPN.

    Noticed that a Community Q&A session asked the question 'What are the best practices when using the WebRTC phone in a split tunnel scenario' (at 22:30 in) with the transcribed audio as:

    "Our recommendation is to have all Genesys Cloud traffic outside of the VPN...we realize there are customers who are unable to do this, so the best we can recommend in that case is to opt all of the Genesys Cloud media traffic outside of the VPN at the very least. This can be accomplished because the media services are all running on the Genesys owned CIDR blocks, but really it it would be ideal if all Genesys Cloud traffic could be routed outside of the VPN that way you don't have to worry about what happens when the VPN cycles, or the extra latency introduced by the VPN or any of the other typical split tunnel issues."

    So to clarify/validate the 'minimum' recommended would be to have at least just the CIDR address ranges in a split-tunnel? i.e. for Commercial regions by 28 October 2024

    • 52.129.96.0/20
    • 169.150.104.0/21
    • 167.234.48.0/20
    • 136.245.64.0/18

    Should there be any other other 'minimum' IP's / domains to include as well (such as Google STUN *.l.google.com)?



    ------------------------------
    Jeff
    ------------------------------



  • 7.  RE: VPN split tunneling - Genesys Cloud best practice?
    Best Answer

    Top 25 Contributor
    Posted 09-02-2024 05:56

    Hi Jeff,

    CIDR ranges should be all you need. it already includes STUN/TURN services and google only serves as backup.

    No need to include google stun in your whitelist.

    One thing to keep in mind is during WebRTC candidate discovery, the edge will return its IP as one of the HOST candidates.

    If the edge IP is somewhat reachable via the VPN tunnel, Genesys client may send connectivity checks to that route and inadvertently bind it if it has the lowest latency among all candidates.

    RTP will flow thru tunnel if that happens so just be mindful of that. 

    Detailed WebRTC diagram - Genesys Cloud Resource Center (mypurecloud.com)



    ------------------------------
    Niel Vicente
    DAMAC Properties Co. LLC
    ------------------------------



  • 8.  RE: VPN split tunneling - Genesys Cloud best practice?

    Posted 09-03-2024 01:26

    Thanks Niel for the reply - I presume if we are using BYOC Cloud edges these would also be included in the CIDR ranges?



    ------------------------------
    Jeff
    ------------------------------



  • 9.  RE: VPN split tunneling - Genesys Cloud best practice?

    Posted 09-04-2024 15:32

    We are starting our deployment of Genesys Cloud and are looking also into this.  We are planning to implement split tunneling and this discussion is interesting.  



    ------------------------------
    Vick Sweeney
    Hydro Quebec
    ------------------------------



  • 10.  RE: VPN split tunneling - Genesys Cloud best practice?

    Posted 30 days ago

    We are going to try the CIDR ranges and see how that goes.

    Our VPN solution only allows IP ranges to be split tunnelled (not FQDN's) - so we won't be able to split all Genesys traffic (without adding every AWS IP address which is too broad and ever changing).



    ------------------------------
    Jeff
    ------------------------------



Need Help finding something?

Check out the Genesys Knowledge Network - your all-in-one access point for Genesys resources