Genesys Cloud CX

  • 1.  VPN split tunneling - Genesys Cloud best practice?

    Top 25 Contributor
    Posted 06-17-2021 02:57
    Edited by Jeffrey Hoogkamer 01-13-2022 05:50

    Hi All,

    As part of the working-from-home optimization our organisation did back in 2020, one of the activities was to implement VPN split tunnelling for Office365 (including Teams and Skype for Business) so traffic for 'as a Service' cloud applications didn't have to use our VPN resources and could go direct on the user's local internet connection.

    We're new to Genesys Cloud (using BYOC Cloud) after moving from PureConnect, and looking at whether there are any best practices for Genesys Cloud WFH optimization as well. I had a look around the Resource Center and forums, and the only thing I really found was a forum post about checking connectivity.

    Based on the guides I've seen from Microsoft and translating them over to Genesys Cloud, the main item they refer to is to identify the endpoints to optimize, including URLs and IP address ranges.

    Optimize URLs
    As for the URLs, those should be relatively easy to identify specifically for Genesys Cloud based on the Domains for the firewall allowlist.

    Optimize IP Address Ranges
    For the Genesys Cloud Media services (including WebRTC stations), this is now easy due to the CIDR IP address range (52.129.96.0/20).

    However, for the remainder of the Genesys Cloud application on AWS (including CloudFront, S3 and others), this is where it gets a little more tricky to only allow traffic specifically for Genesys Cloud and not everything on Amazon AWS.

    Some VPN vendors (such as CheckPoint) also recommend only using IP address based VPN split tunnelling rather than using FQDNs, which also becomes an issue with Genesys Cloud using all of Amazon AWS IP ranges in the region.


    So my questions from here are:
    1. Should we be optimizing Genesys Cloud at all using VPN split tunnelling?
    2. If we should - would optimizing the URLs and only the Genesys Cloud Media Services IP Address range be sufficient?
    3. Do we need to optimize the rest of Amazon AWS IP addresses as well?

    Thanks in advance.


    #ArchitectureandDesign
    #Implementation
    #PlatformAdministration
    #SystemAdministration

    ------------------------------
    Jeff
    ------------------------------


  • 2.  RE: VPN split tunneling - Genesys Cloud best practice?

    Top 25 Contributor
    Posted 08-09-2021 21:24
    Just bumping this thread.

    Maybe @Chris Bohlin has some input :D

    ------------------------------
    Jeff
    ------------------------------



  • 3.  RE: VPN split tunneling - Genesys Cloud best practice?

    Posted 01-11-2022 04:02
    Jeffrey,

    Did you ever get feedback on this via other channels (support, ...)?

    I'd be interested in this info as well.

    rgds,

    Tommy

    ------------------------------
    Tommy Braes
    CX Consultant
    Proximus PLC
    tommy.braes.ext@proximus.com
    ------------------------------



  • 4.  RE: VPN split tunneling - Genesys Cloud best practice?

    Top 25 Contributor
    Posted 01-13-2022 05:50
    Edited by Jeffrey Hoogkamer 01-13-2022 05:51
    Hi Tommy,

    I didn't get anything that helped my situation. Most orgs use VPN just for local traffic and usually continue to send all internet traffic over the user's local internet connection, so split tunnelling hasn't been required.

    In our case, where we are routing all traffic over the VPN (except for our Office365 tenant), it would be impossible to only split Genesys Cloud traffic due to the shared (and changing) AWS IP ranges as well as the shared FQDNs (e.g. cloudfront.net, bam.nr-data.net, js-agent.newrelic.com, etc.).

    We could try just splitting *some* of the Genesys Cloud traffic that we 100% know is Genesys Cloud, including the CIDR IP range and the relevant FQDNs (e.g. mypurecloud.com.au, apse2.pure.cloud, etc.), to get some of the traffic off the VPN - but I'm sure Genesys Cloud won't like the different endpoint IPs and it will probably break something.

    Cheers,
    Jeff.
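
The distinction drawn in this thread between the dedicated media range (52.129.96.0/20) and the shared AWS ranges can be checked before a split-tunnel exclusion list is deployed. The script below is an added example, not part of the original posts or of Genesys documentation; the function names are hypothetical, the AWS prefixes are constructed documentation ranges in the shape of AWS's published ip-ranges.json, and IPv4 only is assumed.

```python
import ipaddress
import json

# Dedicated Genesys Cloud media range quoted in the thread.
GENESYS_MEDIA = ipaddress.ip_network("52.129.96.0/20")

# Constructed sample in the shape of AWS's published ip-ranges.json.
# The prefixes are documentation/test ranges, not real AWS allocations.
SAMPLE_AWS_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "198.51.100.0/24", "region": "ap-southeast-2", "service": "S3"},
  {"ip_prefix": "203.0.113.0/24",  "region": "GLOBAL",         "service": "CLOUDFRONT"},
  {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1",      "service": "EC2"}
]}
""")


def shared_networks(ranges, regions):
    """Return (network, service) pairs for the given regions."""
    return [(ipaddress.ip_network(p["ip_prefix"]), p["service"])
            for p in ranges["prefixes"] if p["region"] in regions]


def audit_exclusions(exclusions, shared):
    """Classify each proposed split-tunnel exclusion (CIDR string).

    'dedicated' : fully inside the Genesys media range, safe to attribute
    'shared'    : overlaps a multi-tenant AWS prefix, so the bypass would
                  also carry other tenants' traffic outside the VPN
    'unknown'   : matches neither list and needs manual review
    """
    report = {}
    for cidr in exclusions:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.subnet_of(GENESYS_MEDIA):
            report[cidr] = "dedicated"
        elif any(net.overlaps(s) for s, _ in shared):
            report[cidr] = "shared"
        else:
            report[cidr] = "unknown"
    return report


if __name__ == "__main__":
    shared = shared_networks(SAMPLE_AWS_RANGES, {"ap-southeast-2", "GLOBAL"})
    proposed = ["52.129.96.0/20", "52.129.100.0/24", "203.0.113.0/25", "10.0.0.0/8"]
    for cidr, verdict in audit_exclusions(proposed, shared).items():
        print(f"{cidr:18} {verdict}")
```

An entry wider than the /20 (for example a /16 that merely contains it) is reported as 'unknown' rather than 'dedicated', because only part of it can be attributed to Genesys Cloud media.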




  • 5.  RE: VPN split tunneling - Genesys Cloud best practice?

    Posted 01-16-2022 17:49
    Hi Jeffrey,

    Have you looked into the Force TURN feature in Genesys Cloud? It won't completely fix your split tunnel VPN issues but could help limit down the IP address routing - https://help.mypurecloud.com/articles/use-the-force-turn-feature/

    ------------------------------
    Nathan Kaden
    CALLSCAN AUSTRALIA PTY. LTD.
    ------------------------------