ASD's Blueprint for Secure Cloud

Optimisation

This section describes the design decisions associated with Autodiscover for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 3 minutes

Microsoft 365 is a globally distributed service. The user experience with Microsoft 365 involves connectivity through highly distributed service connection points that are distributed over worldwide Microsoft Azure locations. This section outlines design decisions that aim to:

  1. Achieve the highest level of maturity and adherence to existing Australian Government Whole-of-Government policies
  2. Optimise performance and maximise user experience

Microsoft’s current best practice targets primarily the second objective; however this guidance is inconsistent with guidance regarding Secure Internet Gateways in ASD’s Information Security Manual (ISM) and the Department of Home Affairs’ Protective Security Policy Framework (PSPF). Implementation of the Microsoft recommendations should therefore be undertaken with consideration to the organisations risk appetite and the implications of implementing all Microsoft recommendations.

According to Microsoft, the following achieves optimal Microsoft 365 connectivity and performance:

  • Local DNS resolution and Internet egress - Provision local DNS servers in each location and ensure that Microsoft 365 connections egress to the internet as close as possible to the user’s location. This configuration minimises latency and improves connectivity to the closest Microsoft 365 entry point.
  • Add regional egress points - If the organisation network has multiple locations but only one egress point, add regional egress points to enable users to connect to the closest Microsoft 365 entry point. This configuration minimises latency and improves connectivity to the closest Microsoft 365 entry point.
  • Bypass proxies and inspection devices - Configure browsers to send Microsoft 365 traffic directly to egress points and bypass proxies. Configure edge routers and firewalls to permit Microsoft 365 traffic without inspection. This configuration minimises latency and reduces the load on network devices.
  • Enable split tunnelling connection for VPN users - If a VPN solution is required Always on VPN should be integrated into the organisation infrastructure. For VPN users, enable Microsoft 365 connections to connect directly from the user’s network rather than over the VPN tunnel by implementing split tunnelling. This configuration minimises latency and improves connectivity to the closest Microsoft 365 entry point.

Connectivity optimisation for increased security

Connectivity optimisation for enhanced user experience

Security & Governance

  • None identified

Design

Configuration

  • None identified

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra