Why Microsoft Mandates Split Tunneling with VPNs

When remote employees join a Teams call, they need a direct, low-latency connection to the Microsoft 365 cloud. But what happens when their entire internet connection, from basic web browsing to streaming video, is forced through the corporate VPN gateway first? The result is often frustrating: choppy voice, dropped frames, and significant delay. This isn’t just about bandwidth; it’s about the Round-Trip Time (RTT). By forcing Teams media traffic onto a full-tunnel VPN, you add extra hops, layers of encryption, and unnecessary congestion. The constant performance issues users experience often go undetected as IT teams check local devices and home networks, missing the real culprit: the corporate VPN is routing all traffic, and Split Tunneling is not enabled.

A Virtual Private Network (VPN) secures remote access by masking the user’s IP and routing all data through a secure, encrypted tunnel to the corporate network for security and compliance.

However, while vital for security, VPNs can introduce latency, potential bandwidth limitations, and routing complexities that are detrimental to real-time communication like Teams. In fact, Microsoft Teams is optimized to work best when media traffic (audio/video) flows directly between clients or through Microsoft’s cloud infrastructure.

Routing Teams media data through VPNs often leads to a phenomenon called “geo-routing inefficiency,” where a user’s data exits the corporate network in a completely different geographical region, or even continent, than where the user is physically located.
For example: User ‘Ann’ in Boston, USA, has her VPN active. Because all traffic is forced through the tunnel, Ann’s media traffic might be routed to the corporate VPN egress point in Vienna, Austria, entering the Microsoft network close to Vienna. This forces her traffic to travel across the ocean unnecessarily, significantly increasing latency, instead of connecting directly to Microsoft’s global network backbone near Boston.

Microsoft strongly recommends that administrators implement Split Tunneling when a Virtual Private Network (VPN) is used in conjunction with Microsoft Teams. In fact, split tunneling is essential to ensure optimal performance, reliability, and call quality for Teams’ real-time communication features, especially for hybrid and remote users.

Let’s dive into why this is:
Split Tunneling is an advanced network feature that provides granular control over which data is using what route. It allows administrators to configure Microsoft Teams media stream traffic to bypass the VPN tunnel entirely and connect directly to the internet. This is the recommended practice for two critical reasons:

Image source: Microsoft

The practice is safe for Teams data because the traffic is already secured at the application layer, meaning it does not rely on the VPN for its core protection. The VPN’s security purpose is also preserved as access to the internal corporate network and its sensitive resources (like file servers or internal applications) remains unchanged. Only the already-encrypted, high-bandwidth Teams traffic is split off, while all other connections remain protected by the VPN.

Implementing split tunneling for Microsoft Teams is a strategic necessity, not a simple setting. Success requires careful planning and coordination across IT and security teams. A thoughtful approach is crucial to avoid introducing vulnerabilities or operational issues.
Below are some helpful resources regarding implementation:

Ultimately, Split Tunneling is the critical configuration that resolves the inherent conflict between VPN security, and the performance demands of Microsoft Teams. By strategically allowing Teams media traffic to bypass the corporate tunnel and connect directly to the internet, organizations eliminate the penalties of double encryption, excessive latency, and bandwidth bottlenecks. This approach ensures a reliable high-quality experience for users engaging in real-time communication while preserving the VPN’s role in securing all other proprietary corporate data. Directly aligning with Microsoft’s strong recommendations for optimizing modern collaboration environments.

With TrueDEM we help organizations identify issues with Teams Call Quality and M365. Incorrect VPN routing is one of the many Insights we detect so that we can help customers determine problems in their Teams environment and setup. If you are interested in learning more about what TrueDEM can do for you, then don’t hesitate and contact us today.