I have been working on some calling problems with Microsoft Teams with a customer and thought I would share some information that could be quite useful in situations where you’re asked why this happens.
If you are working in an enterprise with restricted access to the Internet via a default gateway, you'll be paying particular attention to the Office 365 URLs and IP ranges listed here.
You'll notice that for Microsoft Teams media in particular the IP and port requirements have been reduced significantly to a single optimization rule (Rule 11), which states that UDP ports 3478-3481 should be allowed out through your default route to the 18.104.22.168/14 address space, leaving the remaining requirements to follow your normal internet egress, perhaps via a web proxy server.
Keen-eyed readers will notice that the requirement for UDP ports 49152-59999 was removed some time ago.
So what is the significance of this for Microsoft Teams? Well, the current publication means that Microsoft Teams should always connect to the Media Relays in Azure in the 22.214.171.124 address space rather than connecting directly to the Media Processors, which required the 49k-60k port range to be opened to an ever-changing list of public IPs.
The rationale is sound: it simplifies security requirements, and the effect of relaying media via the media relays in Azure to the Media Processors over the Microsoft streaming network is negligible.
However, when starting a Teams conference, or indeed a PSTN call, Microsoft Teams seems to discover the Media Processor IP and attempts to connect to it directly by default. Notice here that 126.96.36.199 does not appear in the Office 365 IP addresses, yet we are most definitely connected to it.
In an unrestricted environment, such as the one this traffic was generated from, this is not an issue, but it is at odds with the Microsoft recommended optimizations for Microsoft Teams stated above.
If we now block these destination ports and try to connect to the same Microsoft Teams meeting, we can see that Teams cannot connect to the Media Processors because the firewall prevents it. It then falls back to the Media Relay and connects via UDP ports 3478-3481, as per the documented optimizations.
So what is the impact? In reality there is no real impact to users or to the way Microsoft Teams works. There may be a slight (almost unnoticeable) delay in media connection as Teams fails back to the relay, and perhaps marginally more network chatter to set the call up. It would be nice if, where connectivity via the relay IPs is the preferred path, Teams could be prevented from discovering Media Processor IPs in SDP at all, just to extract that extra little bit of performance.
However, when security teams come to you and say that they've noticed connection attempts to these high ports, you can inform them that this is expected behaviour and doesn't need to be investigated further.
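To triage the firewall events the last few paragraphs describe, here is an added example (not code from the original post) that classifies outbound UDP events into the documented relay path, direct Media Processor attempts on the old high-port range, and STUN/TURN traffic towards destinations outside the relay range. The key=value log format and the sample lines are constructed; the relay range is the one quoted above.

```python
import ipaddress

# Relay address space as quoted in the post (Rule 11); strict=False masks the
# host bits so the /14 is accepted as written.
RELAY_NET = ipaddress.ip_network("18.104.22.168/14", strict=False)
RELAY_PORTS = range(3478, 3482)              # UDP 3478-3481 (Rule 11)
MEDIA_PROCESSOR_PORTS = range(49152, 60000)  # UDP 49152-59999, the removed direct range

def parse(line: str) -> dict:
    """Split a constructed 'key=value ...' firewall event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def classify(line: str) -> str:
    """Label one event according to the Teams media behaviour described above."""
    ev = parse(line)
    if ev.get("proto", "").lower() != "udp":
        return "not-udp"
    dst = ipaddress.ip_address(ev["dst"])
    dport = int(ev["dport"])
    if dport in RELAY_PORTS:
        # STUN/TURN ports are expected only towards the relay range.
        return "teams-relay" if dst in RELAY_NET else "relay-port-unexpected-dst"
    if dport in MEDIA_PROCESSOR_PORTS:
        # Direct Media Processor attempt: benign whether allowed or denied,
        # since when denied Teams falls back to the relay on 3478-3481.
        return "teams-media-processor-attempt"
    return "other"

def summarize(lines) -> dict:
    """Count events per label so high-port attempts can be reported as expected."""
    counts = {}
    for line in lines:
        label = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample events (RFC 5737 documentation addresses for non-relay hosts).
SAMPLE_LOG = [
    "t=1 proto=udp src=10.1.2.3 dst=198.51.100.7 dport=50234 action=deny",
    "t=2 proto=udp src=10.1.2.3 dst=18.105.3.4 dport=3478 action=allow",
    "t=3 proto=udp src=10.1.2.3 dst=203.0.113.9 dport=3479 action=allow",
    "t=4 proto=tcp src=10.1.2.3 dst=203.0.113.9 dport=443 action=allow",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line)
    print(summarize(SAMPLE_LOG))
```

The "relay-port-unexpected-dst" label is the one worth a second look; the high-port attempts are the fallback behaviour the post describes.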