Overview
Versa VOS includes a built-in Endpoint Database (EPDB) that enables reliable, first-packet classification of popular SaaS applications — even when traffic is encrypted. This article explains what EPDB is, the problem it solves, how it works, and which applications are covered.
Problem Statement
Modern SaaS applications such as Microsoft 365, Zoom, and Okta predominantly use TLS/HTTPS. Traditional Deep Packet Inspection (DPI) relies on inspecting payload content or TLS SNI fields, which can be unreliable in the following scenarios:
- Encrypted first packet — No payload is available before a session is fully established, delaying classification.
- Shared infrastructure — Multiple SaaS apps share the same IP ranges or CDN, making IP-only matching ambiguous.
- Large, frequently-changing IP ranges — Microsoft 365, for example, uses hundreds of IP prefixes and FQDNs that change over time. Manual ACL maintenance is error-prone.
- Split application categories — A single SaaS brand (e.g., Office 365) spans multiple service endpoints: Exchange, SharePoint, Teams, authentication — each with different traffic-steering requirements.
Without accurate classification, SD-WAN policies for preferred path selection, QoS, and breakout cannot be correctly applied to SaaS traffic, degrading user experience.
How EPDB-Based Match Works
The EPDB is a pre-populated, periodically updated database embedded in VOS. Each endpoint in the database is an atomic match entry that combines:
- FQDNs — Fully qualified domain names (supports wildcards, e.g.
*.sharepoint.com) - IP Prefixes — IPv4 and IPv6 CIDR blocks published by the SaaS vendor
- TCP/UDP Ports — Destination ports associated with the service
- When a new flow arrives, VOS performs a first-packet lookup against the EPDB using the destination IP, port, and (if available) SNI/FQDN. A match immediately classifies the flow to the associated application(s), bypassing the need to wait for DPI signature completion. This enables:
- Instant application-aware policy enforcement from the first packet
- Accurate classification of encrypted SaaS traffic
- Granular steering — e.g., route Teams media differently from SharePoint file sync
Supported Applications
The current EPDB build contains 102 endpoints covering the following SaaS applications:
Microsoft Office 365
Office 365 receives the most granular coverage, split across service-specific sub-applications so that SD-WAN policies can be applied per workload:
| App Name | App ID | Description |
|---|---|---|
| office365 | 1781 | General Office 365 umbrella (critical endpoints: auth, mail protection, Teams, SharePoint) |
| o365_ww_al | 3451 | Worldwide — All (highest-priority, latency-sensitive endpoints) |
| o365_ww_comn | 3452 | Worldwide — Common / Shared services (CDN, updates, telemetry, admin portal) |
| o365_ww_de | 3453 | Worldwide — Default (general Microsoft infrastructure endpoints) |
| o365_ww_exch | 3454 | Worldwide — Exchange Online (Outlook HTTPS/IMAP/SMTP) |
| o365_ww_exch_op | 3455 | Worldwide — Exchange Online (optimized path endpoints) |
| o365_ww_op | 3456 | Worldwide — Optimized (latency-sensitive services: Teams, SharePoint, Exchange real-time) |
| o365_ww_sfbo | 3457 | Worldwide — Skype for Business Online / Teams |
| o365_ww_sfbo_op | 3458 | Worldwide — Skype for Business Online (optimized path, media UDP) |
| o365_ww_shrp | 3459 | Worldwide — SharePoint / OneDrive |
| o365_ww_shrp_op | 3460 | Worldwide — SharePoint Online (optimized path) |
Notable coverage includes: Outlook (HTTPS, IMAP/993, SMTP/587), Teams (TCP 443, UDP 3478–3481), SharePoint/OneDrive, Microsoft Entra ID / Azure AD authentication, Microsoft Defender / Purview, Office Web Apps, and DoD GovCloud endpoints (GCC High / DoD).
Okta
| App Name | App ID | Description |
|---|---|---|
| okta | 3120 | Okta Identity Platform — covers *.okta.com, *.oktapreview.com, *.oktacdn.com, *.okta-emea.com, and mTLS variants. Mapped across 15 endpoints covering 1,800+ individual IPs across all AWS regions globally. |
Salesforce
| App Name | App ID | Description |
|---|---|---|
| salesforce | 1222 | Salesforce CRM platform — IP-only endpoint covering all Salesforce data center ranges globally (Americas, EMEA, APAC). |
Zoom
| App Name | App ID | Description |
|---|---|---|
| zoom | 2702 | Zoom Video Communications — covers *.zoom.us, *.zoom.com, and Zoom IP ranges. Includes signaling (TCP 443), SIP (TCP 5091), auxiliary (TCP 390), and media (UDP 20000–64000). |
Cisco Webex
| App Name | App ID | Description |
|---|---|---|
| webex | 724 | Cisco Webex — IP-only endpoint covering Webex infrastructure ranges. |
EPDB Summary
Note: This list can get updated as new spacks are released. This KB was created on 3/17/2026.
| Application | EPDB Endpoints | FQDNs | IP Prefixes |
|---|---|---|---|
| Microsoft Office 365 | 79 | ~270 | ~330 |
| Okta | 15 | ~105 (7 per endpoint) | ~1,800 |
| Salesforce | 1 | 0 | 61 |
| Zoom | 4 | 2 | ~76 |
| Cisco Webex | 1 | 0 | 18 |
| Total | 102 | 355 | 2,159 |
Use Cases
- Direct Internet Breakout — Steer Office 365 and Zoom traffic directly to the internet from branch sites, bypassing the data center, without relying on slow DPI convergence.
- QoS / Path Preference — Prioritize real-time services (Teams UDP media, Zoom UDP) over a low-latency WAN link while sending bulk traffic (SharePoint sync, OneDrive backup) over a cheaper broadband link.
- Application-Aware Firewall — Write security policies using application names (
o365_ww_sfbo,zoom) rather than maintaining manual IP ACLs. - Visibility & Reporting — Accurately attribute capacity and session counts per SaaS application in Versa Analytics.