Forum Discussion
Question about connection Microsoft Teams behind Firewall NAT device use Single IP Address
- Jun 01, 2022
There is no limitation on concurrent connections behind a single IP address. What I believe you are seeing is simply "not enough bandwidth". Screen sharing is one of the most network-intensive things that you can do, and you see the results.
If you are looking at routers or other devices to measure the throughput, then be careful with what they are measuring. They are often measuring usage over a period of time, like 15 minutes, which isn't going to answer your needs.
Also, it is possible that it isn't your Internet connectivity alone; it could be the FortiGate or any other devices in the path.
Prepare your organization's network for Teams - Microsoft Teams | Microsoft Docs
Maybe this:
"Validate the network address translation (NAT) pool size required for user connectivity. When multiple users and devices access Microsoft 365 or Office 365 using Network Address Translation (NAT) or Port Address Translation (PAT), you need to ensure that the devices hidden behind each publicly routable IP address do not exceed the supported number. Ensure that adequate public IP addresses are assigned to the NAT pools to prevent port exhaustion. Port exhaustion will contribute to internal users and devices being unable to connect to the Microsoft 365 or Office 365 service."
This is also a great blog by my friend Lee Ford to run through
Preparing Your Network for Microsoft Teams - Lee Ford's Blog (lee-ford.co.uk)
Hope that helps and works toward an answer
Best, Chris
I have also read the document you mention.
I think my issue is not related to PAT or NAT address pool size,
because I only have 80 internal users. The NAT address pool size can support up to 5,000 users.
Anyway, thanks.
- StevenC365 Jun 01, 2022 MVP
Donnei_Tsai1128 I would be suspicious of the Fortinet doing any kind of inspection; the volume of Teams media traffic typically quickly overwhelms any capacity on any firewall. Specifically, Microsoft recommends against and won't support any inspection of media traffic.
I would simply allow 3478-3481 outbound without any interference on the firewall, the only supported way to make Teams work well.
- Donnei_Tsai1128 Jun 01, 2022 Copper Contributor
Hi Steven. Thanks for the reply!
Yes. Our FortiGate firewall has a policy configured to allow Microsoft Teams traffic to pass quickly.
It doesn't use any SSL inspection or security inspection, and UDP ports 3478-3481 work.
Our last suspect was the Ascenlink (WAN load balance device).
We will try to let Teams traffic not pass through this device and monitor the result.