Hello,
I have several UTM 9 devices. Version 9.315-2.
One is at a data centre, and other locations connect to it using IPSEC tunnels.
I've done some searching and some reading - and experimenting! There seem to be conflicting answers as to what works with QoS and IPSEC tunnels, and the UTM devices. I thought it would be easier to explain the situation and ask for some advice.
We are running a test of Microsoft's Lync communication system. The Lync server(s) are at the data centre, with the communications between the servers and the client traveling via the IPSEC tunnels. Lync uses DSCP QoS. Voice is marked as EF (DSCP 46) and video is marked as AF41 (DSCP 34). I have configured the switches at all locations to use / respect these values. I have used Wireshark to prove these values are being set on the packets traveling to and coming from the Lync server.
Upload speeds from the remote locations are the bottleneck - for example - 120Mbps download / 6Mbps upload. For reference, the data centre is 100Mbps in both directions.
If I start uploading a large file from the remote location, across the IPSEC tunnel, to the data centre, and then establish a test call in Lync, the Lync client experiences bad call quality. If I stop the upload, the call quality is usually fine (unless someone else at the remote location is also moving a lot of data up to the data centre!).
I need to prioritize the voice / video traffic across the IPSEC tunnels.
I've tried switching on QoS on the UTM device at a remote location, setting the upload and download speeds, establishing traffic selectors to identify DSCP 46 and 34 marked traffic, and then establishing a bandwidth pool. I have also switched on the advanced option of "Keep classification after encapsulation". The voice call is still affected during a heavy upload test.
Are the traffic selectors / bandwidth pool not effective because the DSCP marked packets are already encapsulated into an IPSEC package before they reach the external interface?
Do I need to be creating rules on the 'download' of the internal interface to control traffic?
As you can tell, I'm a little confused as to the exact sequence of events within the UTM device. I would welcome some advice. Thank you in advance.
Regards
Paul Adams