
Weird Issue with Microsoft Teams

Hello,

I am having trouble diagnosing this particular issue with Microsoft Teams. The messaging function isn't working as messages aren't sent ("Failed to send" error message). After checking the web filtering logs, I found this out:

 

2019:03:13-09:12:20 utm-bomare-2 httpproxy[6214]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block"
method="CONNECT" srcip="192.168.1.168" dstip="40.74.62.125" user="" group="" ad_domain="" statuscode="500" cached="0"
profile="REF_HttProContaInterNetwo (VIP_Profile)" filteraction="REF_HttCffVipwhfilte (VIP_WHFilterAction)"
size="517" request="0x1b020c00" url="emea.ng.msg.teams.microsoft.com/" referer="" error="Connection timed out" authtime="0" dnstime="2"
cattime="128" avscantime="0" fullreqtime="127255911" device="0" auth="0" ua="" exceptions="application" category="122" reputation="neutral"
categoryname="Instant Messaging" application="micrsoft" app-id="1151"

 

Apparently, the request was blocked because of a connection time out error. I don't have AV scanning enabled on any of my filter actions. I tried skipping the proxy, same thing. I even disabled web filtering and application control, still same problem. Could it be a DNS issue? (we don't have an internal DNS server, we're using the UTM as gateway and DNS).

Any suggestions?



  • Check the Intrusion Protection log.  A blocked reply will cause a browser timeout.  The IPS entry can be two minutes earlier than the web log entry.
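Added example, not part of any post in this thread: a small parser for the two httpproxy records quoted on this page that separates a block caused by an upstream error from a policy block and computes the time window to search in the Intrusion Protection log. It assumes `fullreqtime` is expressed in microseconds, which puts the start of the blocked request about two minutes before its log timestamp; the `triage` output keys are names chosen for this example.

```python
import re
from datetime import datetime, timedelta

# The two httpproxy records quoted in this thread, re-joined onto one line each.
BLOCKED = (
    '2019:03:13-09:12:20 utm-bomare-2 httpproxy[6214]: id="0002" severity="info" '
    'sys="SecureWeb" sub="http" name="web request blocked" action="block" '
    'method="CONNECT" srcip="192.168.1.168" dstip="40.74.62.125" statuscode="500" '
    'url="emea.ng.msg.teams.microsoft.com/" error="Connection timed out" '
    'fullreqtime="127255911" exceptions="application" app-id="1151"'
)
PASSED = (
    '2019:03:14-09:58:23 utm-bomare-2 httpproxy[12473]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" '
    'method="CONNECT" srcip="192.168.1.168" dstip="52.113.194.131" statuscode="200" '
    'url="https://teams.microsoft.com/" error="" '
    'fullreqtime="382729168" exceptions="application" app-id="1151"'
)

HEADER = re.compile(r'^(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ httpproxy\[\d+\]: ')
FIELD = re.compile(r'([\w-]+)="([^"]*)"')

def parse(line):
    """Split one record into its key="value" fields plus the log timestamp."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a UTM httpproxy record")
    rec = dict(FIELD.findall(line[m.end():]))
    rec["logged_at"] = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    return rec

def triage(rec, unit=timedelta(microseconds=1)):
    """Classify the record and return the window to search in other logs."""
    # Assumption: fullreqtime counts microseconds; the record is written when
    # the request ends, so the request began fullreqtime before logged_at.
    started = rec["logged_at"] - int(rec["fullreqtime"]) * unit
    if rec["action"] == "block":
        # A block carrying an error string is the proxy failing to reach the
        # server, not a filter-action verdict.
        cause = "upstream-error" if rec["error"] else "policy"
    else:
        cause = "passed"
    host = rec["url"].split("://")[-1].split("/")[0]
    return {"cause": cause, "host": host, "dst": rec["dstip"],
            "search_from": started, "search_to": rec["logged_at"]}
```

For the blocked record, the window runs from 09:10:12 to 09:12:20 on 2019-03-13, with `dst` giving the address to look for in the IPS and firewall logs.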

  • If you can get away with it, when I have Microsoft Issues I typically come in when no one is here and disable web filtering, then country blocking, then application filtering, then IPS to determine which is the culprit.  Another trick is run a test with nothing else running on the target workstation and do a TCP DUMP to see what is happening, might fill in the blanks.

    Respectfully,

    Badrobot


  • This is one approach to debugging, but it should not be necessary.  Any blocked packet should appear in a log, unless the administrator has created an exception that includes the option to disable logging of qualifying traffic.   You are correct that there are multiple places to look.

  • Nothing in there, I just checked. 

  • Okay so I know I said on my post that I tried skipping the transparent proxy but it didn't work but somehow someway, this morning when I tried that again it worked, I was able to send and receive messages.

    Do websites that I visit still get proxied and appear in the web filtering live log even when I'm on the Skip transparent proxy list? I'm saying this because it's still showing all of my traffic, and one thing I noticed is, that Microsoft Teams URL that gets blocked for a connection timeout does not appear on the log. Is it sort of an implicit "pass" action? I only see this line related to Microsoft Teams:

    2019:03:14-09:58:23 utm-bomare-2 httpproxy[12473]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass"
    method="CONNECT" srcip="192.168.1.168" dstip="52.113.194.131" user="" group="" ad_domain="" statuscode="200" cached="0"
    profile="REF_HttProContaInterNetwo (VIP_Profile)" filteraction="REF_HttCffVipwhfilte (VIP_WHFilterAction)"
    size="1199515" request="0x1a86b800" url="https://teams.microsoft.com/" referer="" error="" authtime="0" dnstime="2580612"
    cattime="132" avscantime="0" fullreqtime="382729168" device="0" auth="0" ua="" exceptions="application" category="122" reputation="neutral"
    categoryname="Instant Messaging" application="micrsoft" app-id="1151"

     

     

  • I went all over my Web Filtering configs but couldn't find what's really causing the issue. Keep in mind that as soon as I skip the proxy, Teams works fine.

  • Could this be a certificate issue?

    Respectfully,

    Badrobot


  • Or maybe not the certificate but it did get me thinking, what is teams using for proxy/certificate settings, I found this with a quick search - docs.microsoft.com/.../connectivity-issues

    Respectfully,

    Badrobot


  • Salut Zak,

    If an access appears in the Web Filtering log, it did not qualify for the Skiplist.  Since you weren't doing AV scanning, the only thing left was to skip the Proxy for the access to emea.ng.msg.teams.microsoft.com.  I note that that FQDN has multiple DNS A-records, so you will want to use it in a DNS Group definition in the Skiplist instead of a DNS Host definition.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello and sorry for the late response,

    I just tried adding that DNS Group definition to the Transparent Mode Skiplist... and it didn't work, still getting that same line on the web filtering log. MS Teams seems to be only working when my source IP is on that skiplist. Confusing.