System and Network Requirements - Split-Tunnel VPN
This documentation was last updated on: 3/20/2024 3:14:33 PM (UTC).
The system and network requirements for Split-Tunnel VPN are below. Amwell's full list of products and their network requirements, and the System and Network Requirements change log, are published on separate pages.
Split-Tunnel Virtual Private Network
The split-tunnel Virtual Private Network instructions below are recommended for all Amwell products where providers connect via VPN. Amwell strongly recommends that all customers' providers, and the enterprise or campus networks they connect through, implement split tunneling for the Amwell endpoints listed under Configuration Recommendations.
Connectivity
For the best video quality when using Amwell's video conferencing from a video-enabled device over a virtual private network (VPN) connection, a split-tunnel configuration is strongly recommended. Poor video performance for users on a corporate or campus VPN is a common problem in health system integrations, so we recommend implementing split tunneling in the policy of the VPN gateway (or the firewall acting as the VPN concentrator). The configuration excludes a specific set of endpoints, identified by fully qualified domain name (FQDN) and/or Internet Protocol (IP) address, from the VPN tunnel. Amwell video and signaling traffic is already encrypted at the application layer; carrying it inside an encrypted VPN tunnel adds a second layer of encryption and encapsulation overhead to every packet, on top of the extra round trip through the corporate gateway.
Split Tunnel Basics
When a host connects remotely to a corporate or campus network over a full-tunnel VPN, policy directs all of its traffic, including Internet-bound traffic, into the tunnel. Traffic for the public Internet is therefore "hairpinned": it is encrypted from the host to the corporate VPN gateway, decrypted there, and only then forwarded to its destination, and the return traffic must take the same path back through the gateway. This detour adds latency and noticeably degrades high-bandwidth, latency-sensitive applications such as video conferencing. A split-tunnel configuration lets traffic for specific destinations leave the host directly over the local Internet Service Provider, while everything else still goes through the tunnel to the corporate site. Because excluded traffic bypasses the corporate gateway and any inspection performed there, the exclusion should be limited to the specific video endpoints rather than applied to all Internet traffic.
Configuration Recommendations
Each VPN appliance will have its own specific guide on implementing a split-tunnel configuration. Recommended general industry standards to consider:
- When possible, implement split-tunnel configurations by leveraging Fully Qualified Domain Name (FQDN) filtering. Filters based on destination IP addresses are subject to change, particularly with services hosted within public cloud infrastructures like Amazon Web Services, Google Cloud Platform and Microsoft Azure.
- Configurations that require an Access Control List (ACL) should be written so that the video traffic is excluded from the VPN tunnel while encrypting the remaining IP traffic from a source, through the corporate office VPN endpoint.
An FQDN-based ACL is preferable. The split-tunnel policy must send traffic for the following FQDNs directly to the Internet rather than through the tunnel:
- *.telehealthvideo.com
- w1.xirsys.com
- u1.xirsys.com
- *.avizia.io
- *.avizia.com
- global.vss.twilio.com
- us1.vss.twilio.com
- us2.vss.twilio.com
- sdkgw.us1.twilio.com
- *.amwell.com
- *.amwell.systems
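The list above mixes exact hostnames with leading-label wildcards, and the security of an FQDN-based exclusion depends on matching the wildcards correctly: `*.amwell.com` should cover `video.amwell.com` but never `notamwell.com` or `amwell.com.attacker.example`, otherwise an attacker-controlled name could be pulled outside the tunnel. The following is an added example written for this page, not Amwell code and not any appliance's configuration syntax: a small Python policy checker that takes the published list and decides, for a destination hostname, whether it goes "direct" (excluded from the tunnel) or stays in the "tunnel". It assumes that a wildcard does not match the bare apex (`amwell.com`) and that raw IP literals always stay in the tunnel; wildcard semantics differ between VPN vendors, so confirm both assumptions against your appliance's documentation. The sample destinations in the `__main__` block are constructed for illustration.

```python
"""Split-tunnel exclusion matcher for an FQDN-based policy.

Added example, not Amwell code: given the wildcard FQDN list from the
page, decide whether a destination hostname should bypass the VPN
("direct") or stay inside the tunnel ("tunnel"). The point is safe
wildcard matching on label boundaries: '*.amwell.com' must match
'video.amwell.com' and 'a.b.amwell.com' but not 'notamwell.com',
'amwell.com.attacker.example', or (by assumption) the bare apex.
"""
import ipaddress

# FQDN exclusion list as published on the page
SPLIT_TUNNEL_EXCLUDE = [
    "*.telehealthvideo.com",
    "w1.xirsys.com",
    "u1.xirsys.com",
    "*.avizia.io",
    "*.avizia.com",
    "global.vss.twilio.com",
    "us1.vss.twilio.com",
    "us2.vss.twilio.com",
    "sdkgw.us1.twilio.com",
    "*.amwell.com",
    "*.amwell.systems",
]


def _normalize(host: str) -> str:
    """Lower-case, strip a trailing dot, reject anything that is not a bare hostname."""
    host = host.strip().lower().rstrip(".")
    if not host or any(c in host for c in " /:@"):
        raise ValueError(f"not a bare hostname: {host!r}")
    return host


def fqdn_matches(host: str, pattern: str) -> bool:
    """True if host matches an exact FQDN or a leading-label wildcard.

    '*.example.com' matches any name with at least one label before
    'example.com'. The comparison is a suffix check that includes the
    leading dot, so 'xexample.com' never matches, and the bare apex
    'example.com' is not matched (assumption; vendor semantics vary).
    """
    host = _normalize(host)
    pattern = _normalize(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com", dot kept for the label boundary
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def route_for(destination: str, excludes=SPLIT_TUNNEL_EXCLUDE) -> str:
    """Return 'direct' if destination is excluded from the tunnel, else 'tunnel'.

    Raw IP literals always stay in the tunnel: the policy is FQDN-based
    on purpose, because the vendor's cloud-hosted IP ranges can change.
    """
    try:
        ipaddress.ip_address(destination)
        return "tunnel"
    except ValueError:
        pass
    return "direct" if any(fqdn_matches(destination, p) for p in excludes) else "tunnel"


def classify_many(destinations):
    """Map each destination to its routing decision, for bulk policy review."""
    return {d: route_for(d) for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations, not taken from the page
    for dest, decision in classify_many([
        "video.amwell.com", "amwell.com", "amwell.com.attacker.example",
        "notamwell.com", "us1.vss.twilio.com", "us3.vss.twilio.com",
        "intranet.example-hospital.org", "203.0.113.10",
    ]).items():
        print(f"{dest:35} -> {decision}")
```

Run it against the destinations your users actually resolve (for example from DNS query logs) to confirm that only the vendor endpoints are classified "direct" and that internal hostnames and look-alike domains stay in the tunnel; a classifier like this is useful for reviewing an appliance's exclusion list before deploying it.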