Can a Firewall Improve Microsoft 365 Performance in China?

This article focuses on Microsoft 365 Global used by companies with users in China. Where Microsoft 365 is operated by 21Vianet, the performance model is different. For a more detailed discussion of that environment, see our separate article.

The Short Answer

A firewall can improve Microsoft 365 performance in China — but it's rarely the only fix, and in many cases, a poorly configured one is actively making things worse. Performance in China depends on four things working together: routing path, breakout point, DNS resolution, and inspection policy. A firewall touches some of these. Not all of them.

"A firewall improves M365 performance in China by optimizing the application-layer path — not by increasing raw bandwidth."

A Common Worst-Case Scenario

The worst case is simple: Global IT ships a standard firewall policy to the China office, but nobody adjusts it for local conditions. Microsoft 365 traffic ends up routing through HQ, broad SSL inspection is applied by default, and the result is predictable. Teams calls start dropping, Outlook synchronization lags by minutes, and SharePoint becomes too unreliable for normal daily use.

On paper, everything looks consistent. The governance dashboard is clean, compliance reporting is in place, and the global standard appears intact. But for people in the office, Microsoft 365 has quietly become something they work around rather than work with.


1. Why Microsoft 365 Can Feel Slow or Unstable in China

Microsoft 365 performance in China has less to do with raw bandwidth and more to do with what happens to traffic after it leaves the office: where it exits to the internet, how DNS resolves requests, and what security controls sit in the path. That is why M365 can feel inconsistent in China even when ordinary browsing still appears usable.

| Issue | Why it affects M365 in China |
| --- | --- |
| Cross-border routing instability | International routes out of China can be congested, lossy, and inconsistent, which affects M365 sessions more than ordinary web browsing. |
| HQ backhaul design | Routing China office traffic through headquarters or a regional security hub often adds latency and extra failure points before traffic reaches Microsoft. |
| DNS path issues | If DNS resolves through a distant corporate path, users can be directed to a less optimal Microsoft endpoint before real traffic even begins. |
| Security controls in the path | TLS inspection, proxies, and broad filtering policies can degrade Microsoft 365 performance when applied without the right exceptions. |
| Real-time app sensitivity | Teams, Outlook sign-in, and other M365 services are more sensitive to latency, jitter, and packet loss than standard website traffic. |

Cross-border routing is often the starting point. International links out of China can be inconsistent in ways that may not affect ordinary browsing but do affect Teams meetings, screen sharing, and Outlook sign-in. In many multinational environments, the larger issue is network design: traffic from China is still backhauled through headquarters or a regional security hub before reaching Microsoft, which adds latency and unnecessary complexity.

DNS and security policy can make the problem worse. If Microsoft 365 requests resolve through a distant corporate DNS path, users may be directed to a less optimal endpoint before application traffic even starts. On top of that, TLS inspection, proxies, and broad filtering often turn a slow experience into a broken one. It is also important to distinguish between global Microsoft 365 and the version operated by 21Vianet in China, since they are separate service environments.


2. What a Firewall Can Actually Help With

A firewall can improve Microsoft 365 performance in China, but only in the areas it actually controls. The value is not “faster internet.” It is helping M365 traffic take a cleaner path — exiting locally, avoiding unnecessary inspection, and being handled differently from generic web traffic.

Firewall-addressable capabilities
  • Local internet breakout for M365 traffic
  • Policy-based routing for Microsoft 365 flows
  • Reduced backhaul through HQ or regional hubs
  • SSL inspection exceptions for key M365 endpoints
  • Application visibility and traffic classification
  • QoS prioritization for Teams media traffic
  • Path steering through SD-WAN logic where available

Outside the firewall's control
  • Weak ISP performance on cross-border circuits
  • Unstable or low-quality international paths out of China
  • A global network architecture built around unnecessary backhaul
  • Lack of a workable local internet strategy
  • Microsoft-side service incidents or outages
  • China connectivity problems the firewall did not create

How these capabilities translate to real improvement

Local breakout is usually the highest-impact change. If Microsoft 365 traffic exits directly from China instead of hairpinning through headquarters or a regional hub, one of the most common sources of added latency is removed. It does not solve every cross-border issue, but it often shortens the path enough to improve real-world performance.

SSL inspection policy matters just as much. Microsoft advises against TLS break-and-inspect for key Microsoft 365 endpoint categories, and many environments still get this wrong. When those flows are inspected anyway, the result is often higher latency, unstable sessions, or authentication problems. In practice, correct exemptions often improve stability more than simply adding bandwidth.

Application visibility and QoS determine whether the firewall can actually help. The platform has to recognize Microsoft 365 traffic before it can route or treat it differently. For Teams, QoS can also reduce call-quality issues where the bottleneck is internal congestion. But if the real problem is the cross-border path itself, the firewall is only reducing friction around the problem — not fixing the underlying route.


3. What a Firewall Cannot Fix on Its Own

Even a well-configured firewall has clear limits. It can optimize policy, routing logic, and inspection behavior, but it cannot solve problems that originate in the circuit itself, in the broader network design, or on Microsoft’s side.

Cross-border circuit quality still sets the baseline

A firewall can only work with the path that already exists. If a China office reaches Microsoft 365 over a high-latency or unreliable cross-border path, local policy changes do not remove the underlying congestion or packet loss. The firewall may choose the better available route, but it cannot create bandwidth or fix weak ISP peering to Microsoft’s network.

Architecture matters more than local tuning

If there is no local internet strategy, or Microsoft 365 traffic is still routed through a centralized hub designed for control rather than SaaS performance, the firewall can only reduce some of the friction. It cannot correct the design itself. This is why local breakout and reduced backhaul usually matter more than additional firewall policy complexity.

Microsoft-side incidents remain outside your control

If Microsoft 365 is degraded or unavailable on Microsoft’s side, firewall policy changes will not help. At that point, the practical task is to distinguish between a problem in your own network path and a Microsoft-side incident by checking service health and using connectivity testing tools.

If performance remains poor after reasonable firewall tuning, the next place to look is usually the circuit, the breakout architecture, and Microsoft service health — not more firewall complexity.

Figure 1: Defining the limits of firewall influence on M365 performance.


4. How to Balance Microsoft 365 Performance, Security, and Compliance in China

In China, Microsoft 365 network design is not only a performance question. Compliance obligations, operating model, and the way cross-border connectivity is actually licensed and delivered all shape what is practical. Architectures that work elsewhere do not always translate well in China, especially when they rely on unmanaged breakout, blanket inspection, or a global policy applied without adjustment for local conditions.

  • Direct internet only: For most enterprise environments in China, this is too thin. Without sufficient logging, policy control, and a defined local internet strategy, direct breakout creates governance gaps and makes it harder to maintain consistency across offices.
  • Inspect everything: Usually the most damaging approach for Microsoft 365. Full SSL inspection adds overhead, increases path complexity, and often interferes with authentication and session stability. In practice, it tends to reduce reliability without delivering better outcomes for M365 traffic.
  • Selective inspection + controlled breakout: Known Microsoft 365 endpoints are excluded from SSL inspection, while traffic breaks out locally through a controlled and monitored path. This preserves visibility and policy enforcement without forcing M365 through unnecessary intermediaries.

For most organizations, the most workable model is selective inspection combined with controlled local breakout. That means Microsoft 365 is treated as a distinct traffic class rather than generic web traffic, with shorter paths, fewer detours, and less unnecessary processing in the middle.

This approach also aligns better with the reality of operating in China. It supports governance and monitoring without defaulting to blanket inspection, and it improves performance without assuming that global network standards can be copied directly into a China environment.
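
As an added illustration of the SSL inspection exceptions discussed in section 2 and the selective-inspection model above (not code from the original article or from Microsoft), the Python sketch below diffs a firewall's TLS-bypass list against endpoint data tagged with the Optimize, Allow and Default categories used in Microsoft's published endpoint list. The JSON, the firewall export and the choice to exempt Optimize and Allow are constructed assumptions; substitute the real endpoint data and your own policy export.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample shaped like Microsoft's published endpoint JSON; not the live list.
ENDPOINTS_JSON = """[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
   "urls": ["outlook.office365.com", "outlook.office.com"], "tcpPorts": "80,443"},
  {"id": 2, "serviceArea": "SharePoint", "category": "Optimize",
   "urls": ["*.sharepoint.com"], "tcpPorts": "80,443"},
  {"id": 3, "serviceArea": "Skype", "category": "Allow",
   "urls": ["*.teams.microsoft.com", "teams.microsoft.com"], "tcpPorts": "80,443"},
  {"id": 4, "serviceArea": "Common", "category": "Default",
   "urls": ["*.office.net"], "tcpPorts": "443"},
  {"id": 5, "serviceArea": "Skype", "category": "Optimize",
   "ips": ["192.0.2.0/24"], "udpPorts": "3478,3479,3480,3481"}
]"""

# Constructed firewall export: hostnames currently exempt from TLS inspection.
FIREWALL_BYPASS = ["outlook.office365.com", "*.sharepoint.com", "*.office.net"]


def exempt_patterns(endpoints, categories=("Optimize", "Allow")):
    """Hostname patterns in the chosen categories; IP-only entries have no 'urls'."""
    return sorted({url.lower() for entry in endpoints
                   if entry.get("category") in categories
                   for url in entry.get("urls", [])})


def tls_action(hostname, patterns):
    """Return 'bypass' when the whole hostname matches an exempt pattern, else 'inspect'."""
    host = hostname.lower().rstrip(".")
    return "bypass" if any(fnmatchcase(host, p) for p in patterns) else "inspect"


def audit_policy(firewall_bypass, endpoints, categories=("Optimize", "Allow")):
    """Diff the firewall's bypass list against the endpoint data."""
    wanted = set(exempt_patterns(endpoints, categories))
    have = {p.lower() for p in firewall_bypass}
    return {"missing": sorted(wanted - have),    # listed endpoints with no exemption
            "unbacked": sorted(have - wanted)}   # exemptions outside the chosen categories


if __name__ == "__main__":
    endpoints = json.loads(ENDPOINTS_JSON)
    print(audit_policy(FIREWALL_BYPASS, endpoints))
    for name in ("contoso.sharepoint.com", "cdn.office.net", "sharepoint.com.example.net"):
        print(name, tls_action(name, exempt_patterns(endpoints)))
```

The "unbacked" list is the one to review from a security standpoint: each entry is traffic that leaves the office uninspected without an endpoint-category reason for it.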


5. What IT Teams Should Check Before Blaming the Firewall

Before concluding that the firewall is the problem — or the solution — a structured diagnostic will usually find the real bottleneck faster.

  • 01. Review the traffic path end-to-end — where does M365 traffic exit to the internet from the China office?
  • 02. Audit DNS configuration — which servers resolve M365 hostnames, and where are the responses pointing?
  • 03. Confirm breakout location — is traffic breaking out locally in China, or hairpinning through HQ?
  • 04. Review SSL inspection policies — are M365 endpoints properly excluded from TLS inspection?
  • 05. Check real-time traffic handling — is Teams media traffic being treated with appropriate QoS priority?
  • 06. Instrument and monitor — measure latency, jitter, and packet loss on the actual path to Microsoft's network, not just to the internet gateway.

Latency above 150ms to Microsoft's front-end servers will cause noticeable Teams degradation regardless of firewall settings. Packet loss above 1% on the path to M365 endpoints will cause audio and video quality issues on calls. These numbers help distinguish a configuration problem from an infrastructure problem.
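
The measurement step of this checklist, as an added example that is not part of the original article: a Python probe that times TCP connects to a Microsoft 365 hostname, reads the issuer of the certificate actually presented on the path, and compares the result with the 150 ms and 1% figures above. The inspection CA name and the sample values are hypothetical, and failed connection attempts are used as a coarse stand-in for packet loss.

```python
import socket
import ssl
import statistics
import time

LATENCY_LIMIT_MS = 150.0  # article: above this, Teams degrades noticeably
LOSS_LIMIT_PCT = 1.0      # article: above this, call audio and video suffer

def issuer_cn(cert):
    """Issuer common name from the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def probe(host, attempts=10, port=443, timeout=3.0):
    """Live measurement: TCP connect time per attempt and the presented issuer."""
    ctx = ssl.create_default_context()
    rtts, issuer = [], ""
    for _ in range(attempts):
        rtt = None
        try:
            start = time.monotonic()
            with socket.create_connection((host, port), timeout=timeout) as raw:
                rtt = (time.monotonic() - start) * 1000.0  # roughly one round trip
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    issuer = issuer_cn(tls.getpeercert())
        except OSError:  # connect failure leaves rtt None; a TLS failure keeps the time
            pass
        rtts.append(rtt)
    return {"host": host, "rtts_ms": rtts, "issuer": issuer}

def assess(result, inspection_ca):
    """Compare one probe result with the thresholds and flag TLS inspection."""
    ok = [r for r in result["rtts_ms"] if r is not None]
    total = len(result["rtts_ms"])
    loss_pct = 100.0 * (total - len(ok)) / total if total else 100.0
    median = statistics.median(ok) if ok else None
    # Jitter here is the mean absolute difference between consecutive samples.
    jitter = statistics.mean(abs(a - b) for a, b in zip(ok, ok[1:])) if len(ok) > 1 else 0.0
    findings = []
    if inspection_ca and inspection_ca.lower() in result["issuer"].lower():
        findings.append("tls-inspected")  # certificate was re-signed by the firewall
    if median is None or median > LATENCY_LIMIT_MS:
        findings.append("latency")
    if loss_pct > LOSS_LIMIT_PCT:
        findings.append("loss")
    return {"median_ms": median, "jitter_ms": round(jitter, 1),
            "loss_pct": loss_pct, "findings": findings}

if __name__ == "__main__":  # constructed sample; use probe("outlook.office365.com") live
    sample = {"rtts_ms": [210.0, 190.0, None, 230.0, 205.0], "issuer": "Corp Inspection CA"}
    print(assess(sample, "Corp Inspection CA"))
```

Run it from a host behind the China office firewall and again from a host on a local breakout path; a "tls-inspected" finding on only one of them points at policy, while "latency" or "loss" on both points at the circuit.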

Figure 2: Optimized traffic flow featuring selective SSL inspection.


6. Signs Your Firewall Design May Be Hurting Microsoft 365 in China

Warning signs to investigate
  • Persistent Teams instability — When Teams keeps dropping while normal browsing is fine, the problem usually is not general internet speed. Jitter, packet loss, inspection overhead, or a routing path that is longer than it needs to be will hit real-time M365 traffic before they show up anywhere else.
  • Poor user experience in China only — If users in China consistently report slower logins, worse call quality, or less reliable access than colleagues on the same tenant elsewhere, that points to a location-specific network problem. Backhaul, non-local breakout, and a weaker cross-border path are the common causes — none of which usually show up in a global policy review.
  • High latency despite sufficient bandwidth — A well-sized circuit does not mean low latency. If latency stays high when bandwidth looks adequate, the issue is usually path length, routing inefficiency, or inspection overhead. Adding more capacity will not fix any of those.
  • Generic firewall treatment of M365 traffic — If M365 goes through the same broad policies as uncategorized internet traffic, the design was never built for this. Without application-aware rules, local breakout logic, or inspection exceptions, the firewall is not neutral — it is adding to the problem.

That warning becomes even more important once the traffic path is understood correctly. For Microsoft 365 Global accessed from China, performance is shaped not only by firewall policy but by how traffic breaks out locally, crosses the border, resolves DNS, and reaches Microsoft's global network. Microsoft 365 operated by 21Vianet in China does not create the same traffic assumptions, so it should not be used as the same reference point. If that distinction is missed, latency, unstable Teams sessions, or poor user experience in China can be diagnosed too narrowly as firewall problems, when the path the traffic is taking may be the more important issue.

Conclusion

A firewall can meaningfully improve M365 performance in China — but only as part of an architecture that was actually designed for China. The right configuration (local breakout, SSL inspection exceptions, QoS, application-aware routing) removes real obstacles. But those gains only show up if the path, DNS, and circuit quality underneath are adequate.

The most common mistake is applying the same global policy template to China that works everywhere else. China requires specific attention to routing, regulatory compliance, ISP selection, and breakout strategy. Generic policies do not address any of that.

Design matters more than hardware. A well-configured mid-range firewall in a China-fit architecture will consistently outperform a premium appliance running a one-size-fits-all policy.

FAQ

• Why does Microsoft 365 feel slow in China?

Microsoft 365 can feel slow in China for several reasons, and the firewall is only one of them. In many cases, the bigger issues are cross-border routing, unstable connectivity, DNS behavior, and inspection policy. If Microsoft 365 traffic is handled like general internet traffic, Teams calls, Outlook sync, and OneDrive uploads may all feel slower for China office users.

• Does Microsoft Teams work in China?

Yes, Microsoft Teams can work in China, but performance is not always consistent. For many international companies, the real issue is not whether Teams is available, but whether it works well enough for daily meetings and collaboration. User experience often depends on traffic path, local internet quality, and firewall policy.

• Is the firewall always the reason Microsoft 365 is slow in China?

No. A firewall can affect Microsoft 365 performance in China, but it is not always the main cause. Poor provider quality, weak cross-border connectivity, global backhaul design, and broad inspection policies can all contribute to the problem. In many cases, the firewall is only one part of a larger traffic and connectivity issue.

• Can a firewall improve Microsoft 365 performance in China?

Yes, in some cases it can. A well-configured firewall can improve Microsoft 365 performance in China by applying better traffic policy, supporting local breakout, and reducing unnecessary inspection. Its value comes from helping the right traffic take the right path, rather than simply adding more bandwidth.

• What should IT teams check before changing firewall policy?

Before changing firewall policy, IT teams should review the traffic path for Microsoft 365, DNS behavior, breakout design, inspection settings, and the way Teams traffic is handled. It is also important to check the underlying connectivity quality. In many cases, changing firewall rules too early solves the wrong problem.

• Can Microsoft 365 performance be improved without creating compliance risk?

Yes, but the design needs to stay controlled. In China, Microsoft 365 performance should be improved through better traffic policy, breakout logic, and inspection tuning without losing visibility or governance. Faster access should not come at the cost of weaker compliance control.

• What can a firewall not fix on its own?

A firewall cannot solve every Microsoft 365 performance issue in China. It cannot fix poor provider quality, weak cross-border circuits, an unsuitable global architecture, or Microsoft-side service issues. It can improve traffic handling, but it cannot replace a well-designed connectivity strategy.

• Can poor connectivity make Teams feel slow even when the firewall is working normally?

Yes. Even when the firewall is configured correctly, Teams can still feel slow if the underlying connectivity is weak or unstable. High latency, jitter, packet loss, or inconsistent cross-border routing can all affect call quality. In these cases, the real problem may be the connectivity path, not the firewall itself.

• Should Microsoft 365 traffic use local breakout in China offices?

In many cases, yes, but it depends on the company’s design and compliance requirements. Local breakout can improve Microsoft 365 performance in China when it reduces unnecessary backhaul and shortens the traffic path. However, it should be planned carefully so that performance gains do not create governance or security issues.

• Can firewall inspection slow down Teams, Outlook, or OneDrive traffic?

Yes, it can. If inspection is too broad or too heavy, it may add delay to Microsoft 365 traffic, especially for real-time or cloud-based collaboration tools. Teams meetings, Outlook sync, and OneDrive transfers can all be affected when SaaS traffic is inspected like ordinary web traffic. In many cases, selective inspection works better than inspecting everything equally.


Need help diagnosing Microsoft 365 performance issues in China?

Contact JET IT Services to review your traffic path, firewall policy, breakout design, and Microsoft 365 user experience in China. You can also stay updated on China IT insights from JET IT Services.