Microsoft Office 365 is unlike any other SaaS applications and, even with careful planning, it’s fair to say that deployments don’t always go as planned. The Zscaler cloud processes over 1.3 billion office requests daily for more than 700 customers. In working with customers and Microsoft, we’ve learned a lot of best practices and common pitfalls companies make when fully deploying Office 365.

1. ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION0
Pitfalls to Avoid When
Deploying Office 365
Dhawal Sharma – Director, Product Management
WEBCASTS

2. ©2017 Zscaler, Inc. All rights reserved.1
To ask a question
• Type your questions into the chat box in the Webex
panel or email us at communications@zscaler.com
• We’ll try to get to all questions during the Q&A
session. If we do not get to your question, we’ll make
sure to follow up afterwards
• At the end of the webcast – please let us know how
we did!
©2017 Zscaler, Inc. All rights reserved.
Ask your question here…

3. ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION2
Zscaler: The Market Leader in Cloud Security
Enterprise Customers
2,800 CUSTOMERS
Over 200 of the Fortune Global 2000
Global Partners
100
Data centers
35B
Daily requests
185
Countries served
Cloud Scale
The Pioneer in Cloud Security
Mature Global Cloud Operations

4. 700+
Office 365 customers
2.8 PB
Office 365 traffic processed per
month and growing
131 TB
Office 365 traffic processed per
month for one customer
70% of Fortune 500 companies have purchased Office 365

5. Office 365 traffic growth and scalability
1.3 billion Office 365 requests daily
Elastic scale:
Mailbox migration
from a large customer
27 X Growth over 3 years!!

6. The Challenges of Deploying Office 365
A deployment survey of over 200 customers
had problems accessing
business-critical applications
including Office 365.
45%
69%Weekly issues
reported
Many continued to experience
bandwidth issues, impacting
business operations and
productivity
Many were plagued by
network latency issues on
a daily and weekly basis
30%Daily issues
reported
70%Weekly issues
reported
33%Daily issues
reported
Despite appliance upgrades After Deployment

7. Microsoft’s Guidance for Office 365 is Direct Internet
TechNet Blog: bit.ly/ZscalerO365
1. Local Network Egress as close to user as possible
2. Unhindered access to Microsoft
3. Local DNS resolution
4. Optimized connectivity to Microsoft’s global network

8. Legacy Hub and Spoke is the WRONG approach
• Cloud apps like Skype and Sharepoint are
designed for low latency direct access
• Hub and Spoke networks and VPN
requirements add unnecessary latency
• The user experience for Office 365 is
compromised
• MPLS backhauling adds extra cost to
deployment
DC Apps
HQ/IOT San FranciscoNew York
Paris London
Local Network Egress
Microsoft recommends against using a Hub and
Spoke network with Office 365
Hub and Spoke Network
Cloud apps need low latency connections

9. Outlook connections
per user
• Office 365 creates a excessive long-lived
connections that exhaust firewalls
Between 12-20 connections per user!
• Around 4,000 clients can be supported by a
single public IP safely
• Office 365 use will require more than Web
browsing (ports 80 / 443) – uses ephemeral
ports
THE IMPACT ON USER EXPERIENCE?
Local Network Egress
Legacy Hub and Spoke is the WRONG approach
Increased connect load on Firewalls and Proxies
Random hangs and connection issues
(Outlook in a disconnected state)

10. • Not recommended and requires
Microsoft review and approval
• Express route is very complex to configure
correctly.
• Must perform NGFW capacity assessment
– long lived, high throughput connection
• Office 365 traffic growth will outpace
gateway upgrades and budgets
“Microsoft has a review policy… ensure that all
parties are aware of the 2-6 months of planning,
extra complexity…”
ExpressRoute for Office not Recommended
Adds Complexity and extra planning
Local Network Egress
DC Apps
HQ/IOT San FranciscoNew York
Paris London
Hub and Spoke with ExpressRoute

11. Direct Internet connection with appliances
• Requires constant firewall updates – missing
an IP/URL update will cause connectivity issues
• Requires appliance capacity assessments to
handle high number of long-lived connections
• Sacrifices security in branches with only UTMs
or firewalls Ensure local DNS
• Impact of Office 365 still overwhelms
appliances, despite capacity upgrades
Appliance Sprawl
Unhindered Access
DC Apps
HQ/IOT San FranciscoNew York
Paris London
Complex, costly, and still under capacity

12. ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION11
Direct Internet
For Office 365 and Open Internet
Zscaler for Office 365 and Direct Internet
HQMOBILE
BRANCHIOT
Data Loss Prevention
Cloud Apps (CASB)
File Type Controls
Data Protection
Cloud Firewall
URL Filtering
Bandwidth Control
DNS Filtering
Access Control
Adv. Protection
Cloud Sandbox
Anti-Virus
DNS Security
Threat Prevention
Zscaler for your Office 365 Traffic
SaaS Open
Internet
Fast, Secure access to the Office 365 and the Internet
Local Network Egress
Unhindered Access
• Direct Internet for a fast user
experience
• Best connection method per
Microsoft’s guidance
• Easily deployed – no hardware
needed
• One Click configuration
simplifies administration
A full security stack to secure your
Direct Internet connection
Zscaler for your Internet traffic

13. Minimize Office 365 latency with Local DNS
Zscaler Local DNS Architecture
San Jose User > San Jose DNS > San Jose O365
Shortest path, fewer hops = faster user experience
Latency: 12ms
Common Centralized DNS Architecture
San Jose user > LA > Denver > Austin > Atlanta O365
Lots of hops increases: slower user experience
Latency: 158ms (22ms+36ms+48ms+52ms)
Los Angeles
RTT=22 ms
Austin
RTT=48 ms
Atlanta
RTT=52 ms
Denver
RTT=36 ms
San Jose
RTT=12 ms
Local DNS
Centralized
DNS
O365
Connection
O365
Connection
Local DNS
Guarantee a fast, local connection regardless of location

14. Los Angeles Dallas
Denver
Toronto
New York
Washington DC
Atlanta
Miami
Paris
Sao Paulo
Johannesburg
London
Amsterdam
Oslo
Brussels Frankfurt
Gdansk
Stockholm
Moscow
Mumbai
Singapore
Sydney
Hong Kong
Tokyo
Madrid
TaipeiDubai
Riyadh
Cairo
Kuwait City
Kuala Lumpur
Cape Town
San Francisco Chicago
Lagos
Tel Aviv
Milan
Copenhagen
Melbourne
Zurich
Chennai
Tianjin
Manila
Doha
Abu Dhabi
Jeddah
Al Khobar
Warsaw
40B+
Requests / day
100M+
Threats blocked /
day
120K+
Unique security
updates / day
Zscaler peers with Office 365 in major DCs
100 DATA CENTERS – 5 CONTINENTS
Secure
On-going third
party testing
CertifiedReliable
Redundancy within and
failover across DCs
Transparent
Trust Portal for service
availability monitoring
O365 Peering Data Center
Seattle
Local DNS
Optimized Connectivity

15. Easily maintains updates without day to day
Office 365 administration
Traditional approach requires constant
firewall updates to maintain connectivity
HQ BRANCH
Local Network Egress
Unhindered Access
BRANCH
Zscaler One Click Configuration Optimized Connectivity
Simplify day to day Office 365 administration
Updates Office 365 connection details
multiple times a week
Automatically configures white list
Exempts Office 365 traffic from
authentication and SSL decryption
Fingerprints all Office 365 applications
No more keeping up with URL and IP changes
in the Office 365 applications.
.XML update list
One Click Configuration Easily define approved tenants

16. Optimized Zscaler TCP Scaling for faster file downloads
3MB file download from a SharePoint public site hosted at Iowa instance
Without Zscaler With Zscaler
Slower scaling,
does not scale beyond 3MB
Scaling starts after 50% of
transaction has completed
Starts at default
256 Byte value
Pre-negotiated
64KB connection
Scales faster, window scale > 4MB
Optimized Connectivity

17. Zscaler and Direct Internet for Best Office 365 Experience
Fully compliant with Microsoft’s recommendation
Local Network Egress Unhindered Access
Delivers fast Direct-to-
Internet for Office 365
traffic
Delivers best User
Experience
Peering in most major
exchanges with 1-2 ms
round trip time
Always a local user
connection
One-Click configuration
simplifies and optimizes
connectivity updates
Window scaling for
faster file downloads
Cloud platform easily
accommodates long-
lived connections
Easily scales as Office
365 user demands grow
Local DNS
Optimized
Connectivity

18. Fully Embrace Direct Internet with Zscaler Cloud Firewall
Office 365
Port: 443
Protocol: HTTPS
User: Jen
APP: Outlook Online
Location: All
APP: Outlook Online
Port: 3478, 3479, 3480, 3481
Protocol: UDP
User: Chris
APP: Skype for Business Online
Location: All
APP: Skype for Business Online
Port: Any
Protocol: UDP
User: Steve
Location: All
APP: BitTorrent
Internet
Branch User
Checking Email
HQ User
Sharing Desktop
Mobile User
Downloading Movies
APP: BitTorrent
Easily scale NGFW visibility and control across all
locations without the appliance cost and complexity
Application visibility and control
• Adv. DPI engine - stateful packet inspection
• ID Apps regardless of port, protocol, or evasion
• Intrusion Prevention w/ protocol anomaly and
signature-based detection.
User identity awareness
ID Users & Groups regardless of IP address
Unified Policy and Visibility
Single console for policy management
and real-time log visibility
Zscaler
Cloud
Firewall
Direct Internet Traffic
Unlimited SSL inspection capacity
• Inspect ALL your Internet traffic
• One-Click config excludes O365 traffic

19. Zscaler Bandwidth Control
Prioritize Office 365 traffic as Business Critical
Always guarantee
Office 365
40% of bandwidth
Cap YouTube
traffic at 20%
• Policies are defined in a single console
and immediately enforced globally
• Policies are enforced in the cloud,
before the last mile bottleneck
• Window shaping and bandwidth
throttling deliver a smooth user
experience
How Zscaler Bandwidth Control Works

20. Low Office 365
traffic in NY
despite one of the
largest offices
– user issues?
Easily identify
the top
Office 365 users
OneDrive
traffic is low –
is Box still
being used?
Real-time
traffic volume
trending
Get Unprecedented Office 365 Visibility with Zscaler
How well is Office 365 being adopted by your users?

21. • Causing WAN congestion
• Sessions were overwhelming firewalls
• Deploying UTMs or NGFWs was prohibitively
expensive and complex (650 locations)
CHALLENGES
• Local Internet breakouts for a fast connection
• Cloud Firewall – elastic scale to handle the
increase number of connections
• Bandwidth Control for Office 365 prioritization
SOLUTION
17B monthly
transactions
700+ successful customer
deployments and growing
1.2PB of traffic processed
monthly (Oct. 2016)
Office 365 is finally the highest use – not YouTube
40% of bandwidth
reserved for O365
during periods of
contention
YouTube
capped at 20%
WAN transformation: Fast Office 365 experience
Global workforce staffing company case study

22. Enable Office 365 ✔
1. Microsoft recommended deployment model (700+ customers)
2. Best possible user experience (fast response times)
3. Rapid deployment (no upgrades, configuration changes)
4. Investment protection and cost avoidance (no hardware or backhaul)
5. Visibility into all Internet traffic within seconds (single console)
Zscaler for Office 365: Five Reasons Why

23. Zscaler for Office 365
Solution Brief
zscaler.com/O365
The 4 Pitfalls of
Deploying Office 365
zscaler.com/pitfalls
Learn more about Office 365
Secure remote access without
the pitfalls of VPN's
Cloud-Delivered SD-
WAN and Security
Thank You!
Questions and Next Steps
Dhawal Sharma
Director, Product Management
dhawal@zscaler.com
Other Webcasts
zscaler.com > resources > webcasts and live demos
Thursday, November 16th, 2017
Americas - 08:30 am PST