We are going to try the CIDR ranges and see how that goes.
Our VPN solution only allows IP ranges to be split tunnelled (not FQDNs), so we won't be able to split all Genesys traffic (without adding every AWS IP address, which is too broad and ever changing).
Original Message:
Sent: 09-04-2024 15:31
From: Vick Sweeney
Subject: VPN split tunneling - Genesys Cloud best practice?
We are starting our deployment of Genesys Cloud and are looking also into this. We are planning to implement split tunneling and this discussion is interesting.
------------------------------
Vick Sweeney
Hydro Quebec
Original Message:
Sent: 09-03-2024 01:25
From: Jeff Hoogkamer
Subject: VPN split tunneling - Genesys Cloud best practice?
Thanks, Niel, for the reply. I presume if we are using BYOC Cloud Edges these would also be included in the CIDR ranges?
------------------------------
Jeff
Original Message:
Sent: 09-02-2024 05:56
From: Niel Vicente
Subject: VPN split tunneling - Genesys Cloud best practice?
Hi Jeff,
CIDR ranges should be all you need. It already includes STUN/TURN services, and Google only serves as backup.
No need to include Google STUN in your whitelist.
One thing to keep in mind is that during WebRTC candidate discovery, the Edge will return its IP as one of the HOST candidates.
If the Edge IP is somewhat reachable via the VPN tunnel, the Genesys client may send connectivity checks to that route and inadvertently bind to it if it has the lowest latency among all candidates.
RTP will flow through the tunnel if that happens, so just be mindful of that.
Detailed WebRTC diagram - Genesys Cloud Resource Center (mypurecloud.com)
------------------------------
Niel Vicente
DAMAC Properties Co. LLC
Original Message:
Sent: 09-02-2024 03:56
From: Jeff Hoogkamer
Subject: VPN split tunneling - Genesys Cloud best practice?
Hi All,
Thought I'd re-visit this post to see if anyone recently has done anything to split-tunnel Genesys Cloud traffic away from a VPN.
Noticed that a Community Q&A session asked the question 'What are the best practices when using the WebRTC phone in a split tunnel scenario' (at 22:30 in), with the transcribed audio as:
"Our recommendation is to have all Genesys Cloud traffic outside of the VPN...we realize there are customers who are unable to do this, so the best we can recommend in that case is to opt all of the Genesys Cloud media traffic outside of the VPN at the very least. This can be accomplished because the media services are all running on the Genesys owned CIDR blocks, but really it would be ideal if all Genesys Cloud traffic could be routed outside of the VPN that way you don't have to worry about what happens when the VPN cycles, or the extra latency introduced by the VPN or any of the other typical split tunnel issues."
So to clarify/validate, the 'minimum' recommended would be to have at least just the CIDR address ranges in a split tunnel? i.e. for Commercial regions by 28 October 2024:
- 52.129.96.0/20
- 169.150.104.0/21
- 167.234.48.0/20
- 136.245.64.0/18
Should there be any other 'minimum' IPs / domains to include as well (such as Google STUN *.l.google.com)?
------------------------------
Jeff
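As an added example (not code from the thread, from Genesys, or from any VPN vendor), the Python script below models the two points raised above: the four CIDR ranges listed by Jeff as the split-tunnel exclusion list, and Niel's warning that an Edge's HOST candidate that is reachable through the tunnel can win ICE and pull RTP into the VPN. The tunnel routes, the remote candidate lines and all addresses in them are constructed for illustration. It assumes the VPN client resolves overlapping routes by most-specific prefix, as an ordinary routing table does; check that against your vendor's behaviour before relying on the result.

```python
"""Added example, not code from the thread or from Genesys: check whether
WebRTC media would be routed into the VPN tunnel under a split-tunnel config."""
import ipaddress
import re

# Genesys Cloud commercial-region CIDR ranges as listed in the thread above.
GENESYS_CIDRS = [ipaddress.ip_network(c) for c in (
    "52.129.96.0/20", "169.150.104.0/21", "167.234.48.0/20", "136.245.64.0/18")]

# Constructed routes the VPN client pushes into the tunnel (assumption:
# full-tunnel default route plus corporate RFC 1918 space).
TUNNEL_ROUTES = [ipaddress.ip_network(c) for c in ("0.0.0.0/0", "10.0.0.0/8")]

# Split-tunnel exclusions configured on the client: the Genesys ranges.
SPLIT_EXCLUDES = list(GENESYS_CIDRS)

# Constructed remote ICE candidates as a client might receive them from an
# Edge: a private host candidate (an on-prem BYOC Edge, reachable over the
# VPN), an address inside Genesys space, and a relay at a made-up address.
SAMPLE_REMOTE_CANDIDATES = """\
a=candidate:1 1 udp 2130706431 10.50.1.10 20000 typ host
a=candidate:2 1 udp 1694498815 52.129.100.7 20000 typ srflx raddr 10.50.1.10 rport 20000
a=candidate:3 1 udp 33554431 198.51.100.9 3478 typ relay raddr 52.129.100.7 rport 20000
"""

# Fields of an SDP candidate line (RFC 8839 layout).
CANDIDATE_RE = re.compile(
    r"candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)")


def egress_via_tunnel(ip, tunnel_routes=None, excludes=None):
    """Longest-prefix match across tunnel routes and exclusions: the most
    specific matching prefix decides whether the packet enters the tunnel."""
    tunnel_routes = TUNNEL_ROUTES if tunnel_routes is None else tunnel_routes
    excludes = SPLIT_EXCLUDES if excludes is None else excludes
    addr = ipaddress.ip_address(ip)
    best = None  # (prefixlen, via_tunnel)
    for net in tunnel_routes:
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, True)
    for net in excludes:
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, False)
    return bool(best and best[1])


def classify_candidates(sdp, tunnel_routes=None, excludes=None):
    """Parse a=candidate lines and report, per candidate, whether connectivity
    checks (and RTP, if ICE selects that pair) would traverse the tunnel."""
    out = []
    for line in sdp.splitlines():
        m = CANDIDATE_RE.search(line)
        if not m:
            continue
        ip = m["address"]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # mDNS (.local) candidates hide the real address
            out.append({"address": ip, "type": m["type"],
                        "in_genesys_cidr": False, "via_tunnel": None})
            continue
        out.append({
            "address": ip,
            "type": m["type"],
            "in_genesys_cidr": any(addr in n for n in GENESYS_CIDRS),
            "via_tunnel": egress_via_tunnel(ip, tunnel_routes, excludes),
        })
    return out


def uncovered_genesys_ranges(excludes):
    """Genesys ranges not fully covered by the exclusion list (should be empty)."""
    return [str(n) for n in GENESYS_CIDRS
            if not any(n.subnet_of(e) for e in excludes if n.version == e.version)]


if __name__ == "__main__":
    for c in classify_candidates(SAMPLE_REMOTE_CANDIDATES):
        flag = "VIA VPN" if c["via_tunnel"] else "direct"
        print(f'{c["type"]:5} {c["address"]:16} {flag}')
    print("missing excludes:", uncovered_genesys_ranges([GENESYS_CIDRS[0]]))
```

In the constructed sample the private Edge host candidate lands in the tunnel via the 10.0.0.0/8 route, the Genesys-space address goes direct because the /20 exclusion is more specific than the default route, and the relay address (outside both the corporate space and the Genesys ranges) would also traverse the tunnel. To reproduce Niel's observation on a real workstation, feed the script the remote candidates from the browser's WebRTC internals page and the VPN client's installed routes.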
Original Message:
Sent: 06-17-2021 02:56
From: Jeff Hoogkamer
Subject: VPN split tunneling - Genesys Cloud best practice?
Hi All,
As part of the working-from-home optimization our organisation did back in 2020, one of the activities was to implement VPN split tunnelling for Office 365 (including Teams and Skype for Business), so that traffic for 'as a Service' cloud applications didn't have to use our VPN resources and could go direct over the user's local internet connection.
We're new to Genesys Cloud (using BYOC Cloud) after moving from PureConnect, and are looking at whether there are any best practices for Genesys Cloud WFH optimization as well. I had a look around the Resource Center and forums, and the only thing I really found was a forum post about checking connectivity.
Based on the guides I've seen from Microsoft, and translating them over to Genesys Cloud, the main items they refer to are identifying the endpoints to optimize, including URLs and IP address ranges.
Optimize URLs
As for the URLs, those should be relatively easy to identify specifically for Genesys Cloud, based on the Domains for the firewall allowlist.
Optimize IP Address Ranges
For the Genesys Cloud Media services (including WebRTC stations), this is now easy due to the CIDR IP address range (52.129.96.0/20).
However, for the remainder of the Genesys Cloud application on AWS (including CloudFront, S3 and others), this is where it gets a little more tricky to only allow traffic specifically for Genesys Cloud and not everything on Amazon AWS.
Also, some VPN vendors (such as Check Point) recommend only using IP address based VPN split tunnelling rather than FQDNs, which also becomes an issue with Genesys Cloud using all of the Amazon AWS IP ranges in the region.
So my questions from here are:
1. Should we be optimizing Genesys Cloud at all using VPN split tunnelling?
2. If we should, would optimizing the URLs and only the Genesys Cloud Media Services IP address range be sufficient?
3. Do we need to optimize the rest of the Amazon AWS IP addresses as well?
Thanks in advance.
#ArchitectureandDesign
#Implementation
#PlatformAdministration
#SystemAdministration
------------------------------
Jeff
------------------------------
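The original post above, and the later reply at the top of the thread, both note that the non-media parts of Genesys Cloud live on general AWS address space and that an IP-only split-tunnel rule set would have to track all of it. As an added example (not code from the thread, from Genesys or from AWS), the Python below quantifies that for a given region and service set: it filters and collapses entries in the layout of AWS's published ip-ranges.json and diffs two snapshots to show the rule churn between publications. The two snapshots are constructed, using documentation and benchmark prefixes that are not real AWS ranges; running the same functions against the real file downloaded from https://ip-ranges.amazonaws.com/ip-ranges.json is the intended use.

```python
"""Added example, not code from the thread, Genesys or AWS: size an IP-only
split-tunnel rule set for the AWS-hosted parts of the service (CloudFront,
S3, ...) and measure how it changes between AWS range publications."""
import ipaddress

# Two constructed snapshots in the layout of AWS's published ip-ranges.json.
# The prefixes are RFC 5737 / RFC 2544 documentation and benchmark ranges,
# NOT real AWS space; only the structure matches the real file.
SNAPSHOT_OLD = {
    "syncToken": "1700000000",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25",   "region": "ap-southeast-2", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "ap-southeast-2", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24",   "region": "ap-southeast-2", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24",  "region": "ap-southeast-2", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24",     "region": "GLOBAL",         "service": "CLOUDFRONT"},
        {"ip_prefix": "198.18.5.0/24",    "region": "us-east-1",      "service": "S3"},
    ],
}
# A later publication that adds one S3 prefix adjacent to an existing one.
SNAPSHOT_NEW = {
    "syncToken": "1700086400",
    "prefixes": SNAPSHOT_OLD["prefixes"] + [
        {"ip_prefix": "198.51.101.0/24",  "region": "ap-southeast-2", "service": "S3"},
    ],
}


def prefixes_for(doc, regions, services):
    """Select prefixes by region and service tag and collapse adjacent or
    overlapping ones into the minimal rule set a router would need."""
    nets = [ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
            if p["region"] in regions and p["service"] in services]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def address_count(cidrs):
    """Total number of addresses a rule set would steer outside the tunnel."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


def rule_delta(old_doc, new_doc, regions, services):
    """Rules to add and rules to remove when a new snapshot is published."""
    old = set(prefixes_for(old_doc, regions, services))
    new = set(prefixes_for(new_doc, regions, services))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    regions = {"ap-southeast-2", "GLOBAL"}
    services = {"AMAZON", "S3", "CLOUDFRONT"}
    rules = prefixes_for(SNAPSHOT_OLD, regions, services)
    print(len(rules), "rules covering", address_count(rules), "addresses:", rules)
    print("delta on next publication (add, remove):",
          rule_delta(SNAPSHOT_OLD, SNAPSHOT_NEW, regions, services))
```

Even the one-prefix change in the constructed second snapshot rewrites an existing rule (the two adjacent S3 /24s collapse into a /23), which is the maintenance burden the thread describes; on the real file the selected set is far larger, and the syncToken field is what to watch to know when the rule set needs regenerating.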