If user experience with Office 365 matters to you, there are some very important recommendations from Microsoft that you need to know about; and, Citrix makes it easy to implement these Office 365 Network Connectivity Principles across your office locations.
There are several ways to access Office 365 applications, services and data:
- The new Citrix Workspace app securely accesses SaaS apps and web sites.
- Users who haven’t adopted the Workspace app can access O365 from a browser.
- Citrix Virtual Apps and Desktops users access O365 apps from within their virtual desktop.
No matter which of the above scenarios applies to your organization, the quality of the network connection to O365 is the biggest factor impacting end-user experience. Microsoft’s O365 connectivity principles recommend using SD-WAN technology to ensure the lowest possible latency and to increase connection reliability. If you follow Microsoft’s guidelines and some additional tips from Citrix to securely manage your O365 traffic, you can be assured of the best possible performance.
The user experience with Office 365 (including performance, reliability and other important quality characteristics) involves connectivity through highly distributed service front doors that are scaled out across hundreds of Microsoft locations worldwide.
To understand why these connectivity guidelines are critical, it helps to have a basic architectural understanding of the Office 365 cloud. If you’ve equated the O365 cloud with Azure in your mind, you’re wrong. The O365 cloud is made up of an extensive set of distributed micro-services and applications. Office 365 data centers aren’t necessarily in the same location as Azure data centers. At last count, there are just under 40 Office 365 data centers globally, but there are many more Office 365 “front doors” (edge nodes). To quote Microsoft (from the O365 Network Connectivity Principles), “The user experience with Office 365 (including performance, reliability and other important quality characteristics) involves connectivity through highly distributed service front doors that are scaled out across hundreds of Microsoft locations worldwide.”
Why are the O365 front doors so critical to delivering a great user experience? Consider some everyday scenarios. A user types in the search field in Outlook; each character narrows down that search and the results that are displayed, so it is important for this function to be extremely responsive. A user elevates a chat in Teams into a real-time audio or audio-video call; latency must be minimized and audio drop-outs cannot be tolerated.
So, the primary key to a great O365 user experience is to steer O365 traffic to the nearest front door, rather than to the O365 data center, and to avoid backhauling through the customer data center. Even though O365 tenant data may be stored in a specific geographic location, the O365 user experience is optimized through an architecture of highly distributed edge nodes.
The first step in properly routing O365 traffic is to identify it. That’s the job of Citrix SD-WAN. The Citrix SD-WAN appliance (physical or virtual) at each branch office identifies and classifies O365 traffic, and steers it directly to the nearest O365 front door.
To improve the accuracy of O365 traffic identification and make it easier to keep up with the constant evolution of the O365 cloud, Microsoft recently created a REST API web service that catalogs and returns up-to-date information about all Office 365 front door service endpoints. Citrix and Microsoft have closely partnered on this project, and the upcoming release of Citrix SD-WAN, available later this year, will feature enhanced O365 support leveraging the new APIs. Citrix is proud to be part of the new Microsoft Office 365 Networking Partner Program just announced by Microsoft.
If you’re attending Microsoft Ignite this week in Orlando, please be sure to come and take a look at our demo in the Citrix Booth 414.
Microsoft has organized O365 service endpoints into three categories: Optimize, Allow and Default. Endpoints in the Optimize category are the most sensitive to network performance, latency and availability. The new APIs enable Citrix SD-WAN to handle each category of traffic most appropriately to deliver a high-quality user experience.
With Citrix SD-WAN, general internet browsing traffic or unknown application traffic can be forwarded to a Secure Web Gateway such as the Citrix Access Control service or Zscaler, to a cloud proxy or to a remote datacenter, while trusted Office 365 traffic is routed directly to Microsoft over the internet. This ability to identify key connections as early as possible and steer traffic in accordance with business policies and application centric logic is a key value of Citrix SD-WAN technology
Local DNS resolution close to the branch office is another Microsoft recommendation. Citrix SD-WAN will make it easy for customers to redirect DNS resolution for Office 365 to the ISP’s DNS or Quad 9, ensuring that Microsoft’s geolocation-aware DNS servers can point users from the branch to the nearest O365 front door.
What about security?
Consider bypassing proxies, traffic inspection devices and duplicate security which is available in Office 365. O365 traffic is already encrypted, using secure protocols such as HTTPS and SRTP. Performing additional encryption or decryption is unnecessary and would add unwanted latency. Inline encryption/decryption of traffic on the complex SaaS protocols used by Exchange Online, SharePoint Online and Teams/Skype for Business Online would not only add unnecessary overhead and performance bottlenecks, but also cause interoperability problems, availability issues and potential supportability challenges.
What about when O365 applications are delivered as part of a virtual desktop? The same connectivity principles apply. The VDA (Virtual Delivery Agent) may be running in an on-premises data center or in Azure. Either way, it needs direct connectivity to the closest O365 front door. But don’t forget about real-time audio and video. If you are using Skype for Business Online or Teams, media processing is performed locally on the user device using optimizations such as the HDX RealTime Media Engine and HDX Browser Content Redirection. So, for users at branch offices, direct egress to the Internet is critical. In some scenarios, it may be desirable to route traffic to Azure first, provided that the added latency is minimal, to take advantage of more advanced Citrix SD-WAN capabilities that are enabled by a “bookended” implementation (more on that later). Furthermore, Citrix SD-WAN optimizes the HDX traffic (ICA protocol) between the VDA and the user with many advances features (see my blog series on Workspace connectivity).
Most importantly, Microsoft advises: “Migrate from traditional WAN to SD-WAN.” Yes, if user experience with Office 365 matters to you, then Citrix SD-WAN needs to be part of your architecture.
This graphic, courtesy of Microsoft, provides a nice summary of O365 connectivity principles:
Sr. Director of Product Management, SD-WAN