Forum Discussion
brimdavis
Mar 23, 2021 | Copper Contributor
Yealink Teams Phone, firewall rules.
Doing a Teams migration. Testing 3 Yealink phones on the network. Most users will use laptops and only a few phones on the network. I whitelisted the IPs and ports here: Skype for Business Onlin...
rovert506
Mar 23, 2021 | Iron Contributor
A few thoughts:
1) Make sure you have IPs/Ports listed in the article set as *destination*. RFC1918->52.112.0.0/14, for instance. The overwhelming majority of ports flow in a direction of client *to* server. Be careful of IPv6 ranges, too, if it is enabled on your networks!
2) Make sure you also include all the "Microsoft 365 Common" IPs/URLs, as well. Since Teams is an amalgamation of services from M365, there are some core services (such as authentication and Intune) that are not mentioned within the Teams-specific section. You *must* make the Common services available to all endpoints, phones included.
3) If you've got a proxy server, enforced by WPAD for instance, you need to make sure that the URLs listed by Microsoft are not subject to a) SSL break/inspection, and b) proxy server authentication. You can use the Get-PacFile script to easily gather all the URLs necessary:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/managing-office-365-endpoints?view=o365-worldwide#use-a-pac-file-for-direct-routing-of-vital-office-365-traffic
4) Be careful of Data VLANs vs Voice VLANs. Many customers I've worked with have more stringent configurations in place for Voice VLANs and Teams phones don't work correctly as a result. This could be due to proxy requirements, or firewall restrictions, or even routing restrictions, but in the end do not assume your voice VLANs have the same setup and capabilities as data VLANs.
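Added example, not part of the thread and not Microsoft's or Yealink's tooling: a small Python audit of the direction and IPv6 points in the reply above, run separately for a data VLAN and a voice VLAN. The rule format, VLAN subnets and the IPv6 prefix (a 2001:db8::/32 documentation placeholder) are constructed assumptions; only 52.112.0.0/14 comes from the reply, and rule ordering and deny rules are not modelled.

```python
import ipaddress

net = ipaddress.ip_network

# Destinations that must be reachable. 52.112.0.0/14 is from the reply;
# the IPv6 prefix is a placeholder, NOT a real Microsoft range.
REQUIRED_DST = [net("52.112.0.0/14"), net("2001:db8:1234::/48")]

# Constructed, vendor-neutral sample rules (hypothetical names and subnets).
SAMPLE_RULES = [
    {"name": "data-teams", "action": "allow", "src": "10.20.0.0/16", "dst": "52.112.0.0/14"},
    # Common mistake: the Microsoft range entered as source instead of destination.
    {"name": "voice-teams", "action": "allow", "src": "52.112.0.0/14", "dst": "10.30.0.0/16"},
]

def covers(outer, inner):
    """True when `inner` lies inside `outer`; different IP versions never match."""
    return outer.version == inner.version and inner.subnet_of(outer)

def audit(rules, client_nets, required=REQUIRED_DST):
    """Return {required_prefix: status} for the client networks of one VLAN.

    ok         - an allow rule goes client -> required destination
    reversed   - only a rule with the required range as *source* exists
    missing    - no allow rule in either direction
    no-clients - the VLAN has no network of that IP version (e.g. no IPv6)
    """
    allowed = [r for r in rules if r["action"] == "allow"]
    results = {}
    for dst in required:
        clients = [c for c in map(net, client_nets) if c.version == dst.version]
        status = "ok" if clients else "no-clients"
        for client in clients:
            if any(covers(net(r["src"]), client) and covers(net(r["dst"]), dst)
                   for r in allowed):
                continue  # this client network is correctly covered
            backwards = any(covers(net(r["src"]), dst) and covers(net(r["dst"]), client)
                            for r in allowed)
            status = "reversed" if backwards else "missing"
            break
        results[str(dst)] = status
    return results

if __name__ == "__main__":
    print("data :", audit(SAMPLE_RULES, ["10.20.0.0/16", "2001:db8:20::/64"]))
    print("voice:", audit(SAMPLE_RULES, ["10.30.0.0/16"]))
```
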