This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Call quality issues with Teams

We just moved to Teams. Calls/meeting inside our network have choppy video/voice quality. People outside the network have no issues. Only if the traffic traverses the UTM does it have issue.

Does anyone have a writeup on how to configure the UTM so it doesn't mess with Teams traffic?

Thanks!



This thread was automatically locked due to age.
Parents
  • Hi Paul,

    You might also take a look at https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams.

    At one of my clients, I determined that Teams caused a tremendous amount of virtual memory swapping in the UTM even after skipping both Web Filtering and Snort (IPS).  What UTM do you have and what are your Internet speeds?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Depending on the download speed of your internet connection, unless you have more than 8 internal users on a call, I would think you should be OK just excepting the UDP traffic as suggested by papa_.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We have gigabit internet. Only 8 internal? We have 20-25 people on calls.

  • If you have 20-25 people in the office on call(s) at the same time, you might want to watch top at the command line.

    Let us know if you see high %sy when folks complain.

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Here are my Exceptions for Intrusion Prevention and Web Filtering:

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks a lot! I will try this and see what happens.

  • FormerMember
    0 FormerMember in reply to BAlfson

    Hi Bob,

    a question of understanding on my part. What is the purpose of your service definition "Response"? And is it not enough to set the type of definition to UDP?

  • Hallo Ludo - great question!

    A request on port 3478 has dstport="3478" and the response to it has srcport="3478".  Sometimes Teams is responding to us and maybe sometimes we're responding to Teams, so I wanted to be sure that Intrusion Prevention didn't block responses or requests from Teams.  Realistically, we probably only needed the "Response" definitions, but I already had the request Services defined for a firewall Allow rule and I didn't want to risk leaving the client with any exposure.

    The docs from Microsoft specified TCP/UDP, so that's why the request and response Service definitions use that.  UDP is the only thing that might trigger an anti-flooding drop, so that probably could have been used in definitions here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • FormerMember
    0 FormerMember in reply to BAlfson

    Hi Bob,

    the docs from Microsoft specified only UDP (see Screenshot)?! Or do I not understand something?

    Ok, understand, with the responseservice you want to play it safe. But actually this is not necessary, is it?

     

  • I've slept since then, so I don't remember the details of which client I first did this for, whether the client I was using as an example had already started configuring and what other documentation might have led to using TCP/UDP.  If you try this with only UDP, please let us know if that's indeed all that's needed for firewall rules and Intrusion Prevention Exceptions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • FormerMember
    0 FormerMember in reply to BAlfson

    Unfortunately, I cannot find any clear statements on the Internet. On the Microsoft side, the network request is UDP ports 3478 to 3481. In my Teams Admin Center, however, under the meeting settings 50000-50019 for audio, 50020-50039 for video and 50040-50059 for screen sharing. Nevertheless, I set up everything on my Sophos as you described. I just had a meeting with four participants and repeatedly had connection problems with sound and image. On my Internet interface, in the Flowmonitor, I can see how the http application suddenly swallows the entire bandwidth (30MBit). But I don't know what the problem is :-(

Reply
  • FormerMember
    0 FormerMember in reply to BAlfson

    Unfortunately, I cannot find any clear statements on the Internet. On the Microsoft side, the network request is UDP ports 3478 to 3481. In my Teams Admin Center, however, under the meeting settings 50000-50019 for audio, 50020-50039 for video and 50040-50059 for screen sharing. Nevertheless, I set up everything on my Sophos as you described. I just had a meeting with four participants and repeatedly had connection problems with sound and image. On my Internet interface, in the Flowmonitor, I can see how the http application suddenly swallows the entire bandwidth (30MBit). But I don't know what the problem is :-(

Children
No Data