Forum Discussion

VicenteN's avatar
VicenteN
Copper Contributor
May 23, 2022

Split Tunnel Implemented. But, some of the traffic still going via VPN

Hi, I am new to Microsoft Teams and I am wondering why some of Microsoft Teams traffic and going straight to the internet and some are going via VPN. We use Cisco AnyConnect and has configured dynam...
calling
messaging
microsoft teams
Settings
tips & tricks
StevenC365's avatar
StevenC365
MVP
May 24, 2022

VicenteN 

 

When you say

 

note: We added all Microsoft Teams and Skype  for Business Online addresses in the dynamic exclusion list

 

what exactly do you mean, the DNS entries or the IP addresses? For media traffic it should be best to simply exclude UDP 3478-3481 so it always goes direct. That's the Optimise category that needs to avoid corporate networks.

 

As already pointed out, Teams client can't choose, it's all up to how the cisco VPN interacts with the clients routing table for the addresses that Teams is accessing.

VicenteN's avatar
VicenteN
Copper Contributor
May 25, 2022
Hi Steven,

Thank you for reply. But, i have a follow up question for you and the community
We jut added the DNS entries.
Sorry, this a dumb question, I guess when you say "For media traffic it should be best to simply exclude UDP 3478-3481 so it always goes direct" You mean block those ports in ASA, right? May I know what are UDP ports "3478-3481" is used for? When I did a Wireshark trace the media is using UDP ports 50000-50019 range for Audio, UDP ports 50020-50039 range for Video and UDP ports 50040-50059 range for screen sharing. Thank you.
  • StevenC365's avatar
    StevenC365
    MVP
    May 25, 2022

    VicenteN 

     

    DNS isn't sufficient, media traffic goes straight to IP addresses and doesn't make use of DNS. Look at Rule 11 in the Microsoft list Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Docs

     

    UDP 3478-3481 is the destination ports used for Teams media, 50,000 - 50,059 are source ports if you choose to configure Team to force those. It's generally not the case that you use source in a VPN/firewall.

     

    You do need to review the Microsoft list very carefully, and for Teams to work fully you need to consider all the different sections (Teams relies on Exchange, SharePoint and the common services). 

    • VicenteN's avatar
      VicenteN
      Copper Contributor
      May 31, 2022
      Hi Steven,

      Sorry, I was not able to reply to you. When you say Rule 11 (you mean ID 11? "Optimised IP's 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14"). I think we've also added these IP's together with the DNS's. But, was still getting the same result. I will review the rules again and will come back to you. Thank you for advise.