Forum Discussion

Donnei_Tsai1128
Copper Contributor
Jun 01, 2022

Question about connecting Microsoft Teams behind a firewall/NAT device using a single IP address

Hi Folks:

We use a FortiGate as our firewall, providing NAT so that internal network users (about 80 users) can connect to the internet.
We have configured the FortiGate to use a single public internet IP address, and the Microsoft Teams service
uses this IP to connect to the Microsoft Teams cloud service.
SSL inspection and security checks have been disabled on the FortiGate for traffic using this IP.
When about 5-6 users create a Teams conference meeting, the meeting is good.
But when about 30-50 users join the same Teams conference meeting,
we use RTA to check and the audio is good. But when one user does a screen share,
most of the other users' Application sharing details (inbound) show consistent packet loss (18%).
We have checked the network bandwidth: it only uses 15 Mbps (this line has 80 Mbps).

The question is:
Does the Microsoft Teams service have a limit on concurrent connections from the same IP address?
Or any ideas? Thanks

  • EWoodrick
    Iron Contributor
    There is no limitation on concurrent connections behind a single IP address. What I believe you are seeing is simply "not enough bandwidth". Screen sharing is one of the most network-intensive things that you can do, and you see the results.
    If you are looking at routers or other devices to measure the throughput, then be careful with what they are measuring. They are often measuring usage over a period of time, like 15 minutes, which isn't going to answer your needs.
    Also, it is possible that it isn't your Internet connectivity alone; it could be the FortiGate or any other device in the path.
    • Donnei_Tsai1128
      Copper Contributor

      Our largest Teams conference meeting has about 25 users on the company network, and another 25 working from home.
      We referenced the document: the best-performance bandwidth for screen sharing is 4 Mbps per client, so we can estimate that 25 users will use 100 Mbps (the largest bandwidth).
      We will monitor this value carefully and try not to use the WAN load balancing device on the internet access path.
      Thanks

      • Donnei_Tsai1128
        Copper Contributor

        We have made some network setup changes, as below:

        1. Our original path to the internet: LAN (internal network) -> FortiGate -> WAN load balancer (AscenLink) -> 2 ISP internet links (for load balancing and line backup)
        2. In the FortiGate policy, we created a new policy with this setting: Source (internal network) -> Destination: Internet Service DB (ISDB), picking Microsoft_Skype_Teams; no SSL inspection and no UTM security profile check. NAT can be configured to use 1 IP or 5 IPs (IP pool).
        3. We use another ISP line (100/40 Mbps) and set up a policy route for UDP ports 3478-3481, routed to the newly created policy (for Microsoft Teams).
        This policy makes sure that Microsoft Teams service traffic to the internet doesn't pass through the WAN load balancer.

        This morning we had a 47-user conference call, some WFH and some at the office. The meeting host used desktop sharing to show his screen (one to many). The findings are:

        1. When the meeting started and we observed the user count go over 20 users in the meeting room, we used the RTQ function to monitor my Teams client.
        We could see the Application sharing detail (inbound) packet loss start to grow rapidly to 14%.
        Then we changed the NAT config from 1 IP to the 5-IP pool config. The packet loss decreased obviously (to about below 0.5%).
        2. The line's MRTG bandwidth showed a 5-minute average of 20 Mbps (inbound).
        3. With this configuration, our desktop share screen lag decreased to 1-2 seconds. With the original config it was 5-9 seconds.

        Very interesting. When the packet loss started to increase obviously, we changed the NAT from using 1 IP to using a 5-IP pool, and it started to decrease...

        Sharing the result for people like us.
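The post above reports that moving the Teams media policy from one NAT address to a five-address pool made the inbound packet loss disappear. One way to check whether translations really are piling up on a single public address is to count them from the firewall's session table, per pool IP and per (pool IP, relay IP, relay port) tuple, since every flow sharing one such tuple needs its own translated source port on that one public address. The script below is an added example for this thread, not code from the original posts or from Fortinet. It assumes session lines of the shape `act=snat 10.1.1.23:50123->198.51.100.20:3478(203.0.113.10:31001)`, modelled on FortiGate `diagnose sys session list` SNAT output; the relay and pool addresses are documentation-range placeholders, the sample dump is constructed, and `port_budget` is a number you supply for your own device, not a vendor value.

```python
"""Count SNAT translations per public IP and per (public IP, relay, port)
tuple from a firewall session dump, restricted to Teams media ports.

Added example for the thread above, not code from the posts or from
Fortinet. The line format is an assumption modelled on FortiGate
'diagnose sys session list' SNAT lines; check the regex against a real
dump before trusting the counts.
"""
import re
from collections import Counter

TEAMS_MEDIA_PORTS = range(3478, 3482)   # UDP 3478-3481, as used in the thread

# Assumed line shape: act=snat SRC:SPORT->DST:DPORT(NAT:NPORT)
SNAT_RE = re.compile(
    r"act=snat\s+(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
    r"\((?P<nat>\d+(?:\.\d+){3}):(?P<nport>\d+)\)"
)


def parse_snat(text):
    """Return (nat_ip, dst_ip, dst_port, src_ip) for every SNAT line; lines
    without a SNAT translation (act=noop etc.) are ignored."""
    flows = []
    for line in text.splitlines():
        m = SNAT_RE.search(line)
        if m:
            flows.append((m["nat"], m["dst"], int(m["dport"]), m["src"]))
    return flows


def media_flows(flows, ports=TEAMS_MEDIA_PORTS):
    """Keep only flows whose destination port is a Teams media port."""
    return [f for f in flows if f[2] in ports]


def translations_per_nat_ip(flows):
    """How many media translations each pool address is carrying."""
    return Counter(nat for nat, _, _, _ in flows)


def translations_per_tuple(flows):
    """How many translations share one (nat_ip, dst_ip, dst_port). Each of
    them must hold a distinct translated source port on that single public
    IP, so this is the count that hits a per-IP or per-tuple limit first."""
    return Counter((nat, dst, dport) for nat, dst, dport, _ in flows)


def hot_tuples(flows, port_budget, threshold=0.8):
    """Tuples using at least `threshold` of `port_budget` translated ports.
    `port_budget` is whatever your NAT allows per public IP toward one
    destination endpoint (assumption you supply, not a FortiGate value)."""
    return {k: n for k, n in translations_per_tuple(flows).items()
            if n / port_budget >= threshold}


def constructed_dump(users, pool_ips, flows_per_user=4, relays=None):
    """Build a synthetic session dump (constructed data): each user opens
    `flows_per_user` UDP flows spread over the relay endpoints, and the NAT
    hands out pool IPs round-robin per user. Addresses are placeholders."""
    relays = relays or [("198.51.100.20", 3478), ("198.51.100.20", 3479),
                        ("198.51.100.21", 3480), ("198.51.100.21", 3481)]
    lines = []
    for u in range(users):
        src = f"10.1.1.{10 + u}"
        nat = pool_ips[u % len(pool_ips)]
        for f in range(flows_per_user):
            dst, dport = relays[(u + f) % len(relays)]
            sport, nport = 50000 + f, 30000 + u * flows_per_user + f
            lines.append(f"hook=post dir=org act=snat "
                         f"{src}:{sport}->{dst}:{dport}({nat}:{nport})")
    return "\n".join(lines)


def compare_pools(users=80, port_budget=100):
    """Same meeting, NAT behind one pool IP versus five; returns the hot
    tuples for each case. port_budget=100 is an illustrative small budget."""
    one = media_flows(parse_snat(constructed_dump(users, ["203.0.113.10"])))
    five = media_flows(parse_snat(constructed_dump(
        users, [f"203.0.113.{10 + i}" for i in range(5)])))
    return hot_tuples(one, port_budget), hot_tuples(five, port_budget)


if __name__ == "__main__":
    hot1, hot5 = compare_pools()
    print("1 pool IP, hot tuples:", hot1)     # every relay tuple at 80/100
    print("5 pool IPs, hot tuples:", hot5)    # {} : 16 per tuple per IP
```

Against a real device, filter the session table to the media ports first (on FortiGate, `diagnose sys session filter dport 3478` and the neighbouring ports, then `diagnose sys session list`), save the output to a file and feed it to `parse_snat`. If every tuple sits far below the budget on one address yet adding pool addresses still fixes the loss, the limit you are hitting is elsewhere in the path (load balancer, per-session policing, or the firewall's own NAT implementation), which is worth raising with the vendor rather than guessing at pool sizes.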

  • Donnei_Tsai1128

    Prepare your organization's network for Teams - Microsoft Teams | Microsoft Docs

    Maybe this:

    "Validate the network address translation (NAT) pool size required for user connectivity. When multiple users and devices access Microsoft 365 or Office 365 using Network Address Translation (NAT) or Port Address Translation (PAT), you need to ensure that the devices hidden behind each publicly routable IP address do not exceed the supported number. Ensure that adequate public IP addresses are assigned to the NAT pools to prevent port exhaustion. Port exhaustion will contribute to internal users and devices being unable to connect to the Microsoft 365 or Office 365 service."

    This is also a great blog by my friend Lee Ford to run through:

    Preparing Your Network for Microsoft Teams - Lee Ford's Blog (lee-ford.co.uk)

    Hope that helps and works toward an answer.

    Best, Chris

    • Donnei_Tsai1128
      Copper Contributor
      Hi Chris, thanks for the reply and the great blog article.
      I have also read the document you mention.
      I think my issue is not related to PAT or NAT address pool size,
      because my internal network only has 80 users, and the NAT address pool size can support
      up to 5,000 users.
      Anyway, thanks.
      • StevenC365
        MVP

        Donnei_Tsai1128 I would be suspicious of the Fortinet doing any kind of inspection; the volume of Teams media traffic typically quickly overwhelms the capacity of any firewall. Specifically, Microsoft recommends against, and won't support, any inspection of media traffic.

        I would simply allow 3478-3481 outbound without any interference on the firewall, the only supported way to make Teams work well.
