Should SaaS apps go through VPN or not.
Routing SaaS via VPN is almost always wrong. Microsoft 365, Google Workspace, Salesforce, Slack: they have their own security, tunneling adds latency for little gain. Apply zero trust on the SaaS itself, not on the tunnel.
Try this first
- 1Exclude Microsoft 365 endpoints from the VPN tunnel using the official Microsoft endpoint list.
- 2Enforce Conditional Access on SaaS: only from compliant device, MFA, geo blocks.
- 3Require SAML or OIDC SSO, otherwise every SaaS stays a password island.
- 4For data exfiltration concerns use Microsoft Purview, Google DLP or a CASB, not VPN DLP.
When to bring us in
Your security team demands full inspection: pick an SSE/SASE solution (Cloudflare, Zscaler, Netskope) so SaaS goes direct but still gets inspection.
See also
- VPN will not connect or keeps droppingTwo main causes: your home internet or the VPN server. One quick test separates them.
- VPN connects but corporate folders are unreachableConnection says "green" but your network drives will not open. Almost always a DNS or routing issue.
- Home PC slow on VPN, fast at the officeThree suspects: home internet, VPN server limits, or routing that takes a long detour.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.