Office 365: What’s your network deployment architecture?

Office 365 implementation can be far more complex than you might imagine. Implementing the ideal architecture will make the difference between a quick success or a painful extended process. Using SD-WAN makes it easier if you have regional internet breakouts.

Office 365 and OneDrive document sharing

I recently gave a webinar on how to best architect your network for Office 365. It comes on the heels of a number of complaints from customers around their struggles deploying responsive Office 365 implementations. SharePoint doesn’t quite work; Skype calls are unclear. And forget about OneDrive for Business. It’s incredibly slow.

Latency and Office 365

Ensuring a smooth transition to Office 365, or for that matter any cloud deployment, involves a solid understanding of which Office 365 applications are being deployed. Here latency matters. Microsoft recommends that round trip latency for Office 365 does not exceed 275 ms, but those metrics change significantly depending on the Office 365 application. Latency should not exceeds 50ms with Exchange Online and 25ms with SharePoint. (Check out my “ultimate” list of Office 365 networking tools for help with your O365 deployment.)

One customer’s experience particularly stuck out for me as it typifies the challenges many enterprises face when deploying Office 365. The company’s office in Poland had purchased Office 365 licenses, which were accessing an instance in the Microsoft’s Netherlands datacenter. Despite the relatively short distance from Poland to the Netherlands, the company experienced painfully long data transfers to and from SharePoint Online. We’re talking minutes to move just 10 MB files.

As part of the customer engagement, we examined their routing policies. The company was backhauling Internet traffic across their MPLS network to an exit point in the US. The traffic then traveled back across the Internet to reach their Office 365 instance in the Netherlands. No wonder they were having latency issues.

The 4 O365 network architectures and how to evaluate them

The fix seemed simple: eliminate the backhaul by providing them with direct Internet access. But as we discussed in the webinar, throughput and the consistency of performance are only part of the consideration when evaluating Office 365 network architectures. You also need to look at security, deployment, mobile support and costs.

Those characteristics can differ significantly between the four network architectures we examined during the webinar. Distributed Internet access is the simplest, connecting offices directly to the Internet but there’s no inherent security. WAN Extension brings better performance and improve security management, but is more challenging to deploy, extending the WAN to the Microsoft edge. Express Route goes the opposite way, bringing the Microsoft edge to the WAN. Cloud-based SD-WAN seems to offer a happy medium between the approach,

In the end, we deployed an SD-WAN appliance at the Polish office that broke out the Internet traffic. Office 365 traffic was sent directly to the public Internet; WAN traffic continued to be hauled back to the US. With RTT cut in half, Office 365’s problems were “magically” resolved. And as for security, they used the SD-WAN stateful firewall, which was open only to requisite Office 365 domains/IPs, while the remaining traffic continued to be backhauled to the USA. Budget and management of a local firewall was a motivating factor for this.

SD-WAN security is essential

While distributed Internet access may work for this customer it may not work for you. Managing security at the branch site is an enormous issue for many of my companies. While one or two offices may not pose an issue, delivering security across branch offices at scale are a problem.

Which is why I’ve been saying that security should be integrated with the SD-WAN. I don’t mean encryption, which every SD-WAN provider offers. I mean advance security such as next-generation firewall (NGFW), an Intrusion Prevention System (IPS), and Secure Web Gateway (SWG).

SD-WAN vendors have progressed on this front. Last August, Cato added IPS to its converged networking and security cloud-based SD-WAN service. Open Systems repackages third-party services in its appliances and offers NextGen firewall, IDS/IPS and network security monitoring. Versa Networks offers a vCPE that runs the various security VNFs, which includes SSL inspection in their firewall.

Where SD-WAN vendors don’t integrate security, many use service insertion and service chaining to simplify third-party integration. Velocloud, for example, has been building a third-party ecosystem of security vendors, such as Palo Alto, Fortinet and Check Point. It recently expanded that ecosystem to include Symantec, VMware, and Forcepoint. Silver Peak has a similar integration with Zscaler, Palo Alto Networks, Fortinet and Check Point.

Delivering security becomes more challenging than when security is integrated into the SD-WAN. You still need to deploy third-party security products and services at the branch with all of the complexity and costs which that entails

The issues of rolling out Office 365 are many spanning security, performance and more. Four architectures can address various aspects of these challenges. Which approach is right will depend on your organization.

Copyright © 2017 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022