I have questions.
Would you tell me the optimum values or tolerance of MAX connections of each MWG model ?
Would you tell me any good case of setting MWG connecting to O365 with number of connections ?
Although I know changing the settings of max connections of MWG ( 25000 ) is not recommended,
A customer will use MWG for connecting O365, and the estimation of MAX connections are 270000 !
but they cannot buy 11 or 12 MWGs for this case, so I want to know good setting of MWG.
How did the Office 365 migration/installation go? We're looking at doing something very similar and would like to get some feedback from other companies on what they saw as far as connections for O365 users. As usual Microsoft guidance seems to suggest that the sky is falling. Not sure if I believe them or not.
Thanks in advance!
We're in the same situation. The target scenario will be 140000 users using O365. We continue to plan with proxies, but will only use them for the Office365 targets for DNS name resolution. However, we find the list provided by Microsoft (https://support.content.office.net/en-us/static/O365IPAddresses.xml) of the Office FQN questionable. For example, Youtube or similar sites should be treated like Office365 targets. (See OneNote section). We will only use this list as a basis and adapt it to our security needs. Currently we have moved the first mailboxes and see up to 13 open connections per mailbox via the proxy. These connections sometimes exist for hours without large amounts of data flowing. (Example: 13 connections, between 2 and 10 hours open, in total 4MB of data transported between client and server) Whether this makes sense is questionable.
, same here. Glad to find someone doing the same thing! So are you running the client traffic through your MWGs or are you excluding them via a proxy.pac file (which is what MS has recommended to us)? If you're running it through the MWGs are you excluding any of it from SSL scanning or authentication? In the testing that we've done (less than 100 users) we are able to send all traffic AND SSL inspect all traffic via MWG but as the number of users ramps up it might become too much for them. Just not sure yet.
The real problem that I see is the TCP source port exhaustion issue on the proxy servers/firewalls. How many MWGs are you using to support 140,000 users?
At present, we work with a centralized infrastructure. 90% of the traffic goes over 3 locations to the Internet. For O365 we will switch to local breakouts, as this accommodates the MS infrastructure. In addition, the RTT times should not be too long at least by Lync. We use the PAC file to send all internet traffic (including O365) to the proxy. There, the O365 traffic is intercepted directly at the beginning of the policy. So no interception and no authentication. We trust MS....: -). The Port Exhausting problem we expect on the rear of the proxies installed firewalls. However, we have enough IPv4 addresses and on the FW, several IPv4 addresses can be linked to one interface. If the internet COnnectiontable is full, we will extend the FW Cluster. However, this will hopefully only be necessary in very few locations.
How many MWGs are in front of the firewalls? I'm concerned about running out of TCP source ports on the MWGs. We have increased the "client connections" to 50,000 per McAfee recommendations but if you do the math (10-30 TCP connections per user for 20,000 users for instance) that is WAY more than 50,000 client connections.
Thank you sir! Would you be opposed to a phone call or, if not, maybe a direct email exchange (firstname.lastname@example.org here) to discuss your O365 experiences? We're looking for some reference accounts with similar configurations to ours.