I have been working on some calling problems with Microsoft Teams with a customer and thought I would share some information that could be quite useful in situations where you’re asked why this happens.

If you are working in an enterprise with restricted Internet access via a default gateway, you'll be paying particular attention to the Office 365 URLs and IP ranges listed here.

You'll notice that for Microsoft Teams media in particular the IP and port requirements have been reduced to a single optimization rule (Rule 11), which states that UDP ports 3478-3481 should be allowed out through your default route to the 52.112.0.0/14 address space (52.112.0.0 to 52.115.255.255). The remaining requirements can follow your normal Internet egress path, such as a web proxy server.

Keen-eyed readers will notice that the requirement for UDP ports 49152-59999 was removed some time ago.

So what is the significance of this for Microsoft Teams? Well, the current publication implies that Microsoft Teams should always connect to the Media Relays in Azure within the 52.112.0.0/14 address space rather than directly to the Media Processors, which required the UDP 49152-59999 port range to be opened to an ever-changing list of public IPs.

The rationale is sound: it simplifies the firewall requirements, and the overhead of relaying media through the Azure Media Relays to the Media Processors over the Microsoft streaming network is negligible.

However, when starting a Teams conference, or indeed a PSTN call, Microsoft Teams appears to discover the Media Processor IP (advertised in SDP) and attempts to connect to it directly by default. In the capture below, 23.97.154.68 does not appear in the published Office 365 IP addresses, yet the client is most definitely connected to it.

Microsoft Teams Meeting with Direct Connection to Media Processors

In an unrestricted environment, such as the one this traffic was captured in, this is not an issue, but it is at odds with Microsoft's recommended optimizations for Teams described above.

If we now block outbound UDP 49152-59999 at the firewall and join the same Microsoft Teams meeting, we can see that Teams cannot connect to the Media Processors because the firewall prevents it. It then falls back to the Media Relay and connects via UDP ports 3478-3481, as per the documented optimizations.

Media Connected to Media Relay

So what is the impact? In reality there is no real impact on users or on the way Microsoft Teams works. There may be a slight (almost unnoticeable) delay in media connection as Teams falls back to the relay, and marginally more network chatter to set the call up. It would be nice if, where connectivity must always go via the relay IPs, Teams could be prevented from discovering Media Processor IPs in SDP, just to recover that little bit of call-setup time.

However, when security teams come to you and say that they've noticed blocked connection attempts to these high UDP ports, you can inform them that this is expected behaviour from a Teams client and doesn't need to be investigated further. The one check worth making before closing such a ticket is that the source really is a Teams client (the process on the endpoint, or the same host subsequently connecting to 52.112.0.0/14 on UDP 3478-3481), since the 49152-59999 range is generic ephemeral space and other software can land in it too.
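As an added example (this is not code from the original post), the following Python script triages outbound firewall events against the two facts above: the published Teams media Optimize rule (UDP 3478-3481 to 52.112.0.0/14) and the legacy direct-to-Media-Processor range (UDP 49152-59999). The key=value log format, the internal source addresses and the relay address 52.113.1.10 (any address inside the /14 would do) are constructed for this example; 23.97.154.68 is the Media Processor address observed in the capture above. A blocked high-port attempt is only treated as explained Teams fallback behaviour when the same internal host also shows a relay flow, which is the corroboration a security analyst would want before closing the alert.

```python
"""Triage outbound firewall events for Microsoft Teams media flows.

Added example, not code from the original post. Log format and all
addresses except 23.97.154.68 (observed in the post) are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Rule 11 of the Office 365 URL/IP publication, as quoted in the post.
TEAMS_RELAY_NET = ipaddress.ip_network("52.112.0.0/14")
TEAMS_RELAY_UDP_PORTS = range(3478, 3482)       # 3478-3481 inclusive

# Former requirement for direct Media Processor connectivity, since removed.
LEGACY_MP_UDP_PORTS = range(49152, 60000)       # 49152-59999 inclusive

# Generic key=value firewall line (constructed format, not any vendor's).
FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)

CATEGORY_NOTE = {
    "teams-relay-optimize": "Expected: Optimize rule traffic, allow via the default route.",
    "teams-direct-mp-attempt": "Expected from a Teams client: direct Media Processor "
                               "attempt; safe to block, the client falls back to relay.",
    "teams-range-other": "Destination is in the Teams media range but not on the media "
                         "ports; check against the rest of the Office 365 publication.",
    "unclassified": "Not explained by Teams media behaviour; investigate as usual.",
}


def classify_flow(proto: str, dst: str, dport: int) -> str:
    """Map one outbound flow (protocol, destination, port) to a category."""
    in_relay_net = ipaddress.ip_address(dst) in TEAMS_RELAY_NET
    if proto.lower() == "udp":
        if in_relay_net and dport in TEAMS_RELAY_UDP_PORTS:
            return "teams-relay-optimize"
        if dport in LEGACY_MP_UDP_PORTS and not in_relay_net:
            return "teams-direct-mp-attempt"
    if in_relay_net:
        return "teams-range-other"
    return "unclassified"


def parse_flow(line: str) -> Optional[Dict[str, object]]:
    """Extract the fields we need from one log line, or None if it is not a flow."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"]}


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Classify every flow and flag the ones that still need an analyst.

    A Media Processor attempt is only accepted as Teams fallback behaviour
    when the same internal source also shows a relay flow (UDP 3478-3481 to
    52.112.0.0/14); otherwise some other application may simply be using the
    same high UDP ports and the event keeps its follow-up flag.
    """
    flows = [f for f in (parse_flow(line) for line in lines) if f]
    for f in flows:
        f["category"] = classify_flow(str(f["proto"]), str(f["dst"]), int(f["dport"]))
    relay_sources = {f["src"] for f in flows if f["category"] == "teams-relay-optimize"}
    for f in flows:
        f["needs_follow_up"] = (
            f["category"] == "unclassified"
            or (f["category"] == "teams-direct-mp-attempt" and f["src"] not in relay_sources)
        )
        f["note"] = CATEGORY_NOTE[str(f["category"])]
    return flows


# Constructed sample: one Teams client (10.20.30.40) blocked on the direct
# attempt then relayed, and a second host (10.20.30.99) with no relay flow.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z fw1 proto=udp src=10.20.30.40 dst=23.97.154.68 dport=50004 action=drop
2024-01-10T09:00:02Z fw1 proto=udp src=10.20.30.40 dst=52.113.1.10 dport=3478 action=allow
2024-01-10T09:00:05Z fw1 proto=tcp src=10.20.30.40 dst=52.113.1.10 dport=443 action=allow
2024-01-10T09:00:07Z fw1 proto=udp src=10.20.30.99 dst=198.51.100.7 dport=51820 action=drop
2024-01-10T09:00:09Z fw1 proto=udp src=10.20.30.99 dst=203.0.113.9 dport=1194 action=drop
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG.splitlines()):
        flag = "FOLLOW UP" if row["needs_follow_up"] else "ok"
        print(f"{row['src']} -> {row['dst']}:{row['dport']}/{row['proto']} "
              f"[{row['action']}] {row['category']:<24} {flag}: {row['note']}")
```

Run against real exports, the only parts that should need changing are `FLOW_RE` for your firewall's log format and, if Microsoft updates the publication, the two constants at the top; the corroboration check is deliberately per-source, so a host that only ever produces high-port UDP denies and never reaches the relay range is not written off as Teams.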


4 thoughts on “Microsoft Teams Error in SDP”

  1. Nice writeup Mark… There were a lot of questions around this to Thomas Binder… but I think you drained the rag and released what all may have thought will/would happen… thanks for sharing.

  2. Hey Mark, very useful information, and I have seen the same actually. Some interesting info is that the IP for the MP also seems to conflict with the Azure ExpressRoute IP plan in the Western Europe data center, because some of the MPs' IP addresses are routed over ExpressRoute, which is not wanted in all cases. Is there any way of understanding all the IP subnets which handle the MP role?
