Transport Relay Evaluation - CQD
Published Dec 14 2017 01:12 PM 10.9K Views
Microsoft

As we've shared at Ignite and in other blogs, there is a change underway to Office 365 Skype for Business. With the new IP and port ranges in use for both Skype for Business and Teams when using Transport Relay, some customers are having challenges completing media setup using these IPs and ports. When reviewing quality metrics, a problem could be detected which indicates that users in the tenant's organization will fail when attempting to join meetings, share video, share audio, or share applications. Among the possible causes for this failure, we know that customer firewalls, proxies, VPN devices/software, and client-level software can influence customers' ability to use Skype for Business and Teams.

 

As we work to complete this change, it is paramount that customers review and update the Skype for Business Online or Microsoft Teams rules on their firewalls, proxies, and VPN devices/software. Specific attention should be given to the following IP ranges, ports, and protocols that are used for media connectivity:

IPv6 ranges:

  • 2620:1ec:40::/42
  • 2603:1027::/48
  • 2603:1037::/48
  • 2603:1047::/48
  • 2603:1057::/48

IPv4 ranges:

  • 13.107.8.0/24
  • 13.107.64.0/18
  • 52.112.0.0/14
  • 104.44.195.0/24
  • 104.44.200.0/23

Ports:

  • TCP 443
  • UDP 3478, 3479, 3480, 3481
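An added example (not part of the original post and not Microsoft tooling): it takes the ranges and ports listed above and groups denied media flows from a firewall log by source subnet, so the blocking device can be narrowed down. The log format, the sample lines and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ranges and ports copied from the lists in this post.
MEDIA_NETS = [ipaddress.ip_network(n) for n in (
    "2620:1ec:40::/42", "2603:1027::/48", "2603:1037::/48",
    "2603:1047::/48", "2603:1057::/48",
    "13.107.8.0/24", "13.107.64.0/18", "52.112.0.0/14",
    "104.44.195.0/24", "104.44.200.0/23",
)]
MEDIA_PORTS = {("tcp", 443)} | {("udp", p) for p in (3478, 3479, 3480, 3481)}

# Constructed sample; "action proto src dst dport" is a hypothetical log format.
SAMPLE_LOG = """\
allow tcp 10.1.20.15 52.113.10.7 443
deny udp 10.1.20.15 52.113.10.7 3478
deny udp 10.1.20.22 13.107.64.9 3480
allow udp 10.2.5.8 52.114.1.1 3479
deny udp 10.2.5.8 8.8.8.8 53
deny udp fd00:1::5 2603:1037:0:2::10 3481
"""

def is_media_flow(proto, dst, dport):
    """True if the destination and port match the documented media ranges."""
    if (proto.lower(), int(dport)) not in MEDIA_PORTS:
        return False
    addr = ipaddress.ip_address(dst)
    return any(addr.version == n.version and addr in n for n in MEDIA_NETS)

def blocked_media_by_source(log_text, v4_prefix=24, v6_prefix=64):
    """Group denied media flows by source subnet: {subnet: ['proto/port', ...]}."""
    blocked = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "deny":
            continue
        _, proto, src, dst, dport = parts
        try:
            if not is_media_flow(proto, dst, dport):
                continue
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # skip lines with unparsable addresses or ports
        prefix = v4_prefix if src_ip.version == 4 else v6_prefix
        subnet = ipaddress.ip_network(f"{src_ip}/{prefix}", strict=False)
        blocked[str(subnet)].add(f"{proto.lower()}/{dport}")
    return {net: sorted(flows) for net, flows in blocked.items()}

if __name__ == "__main__":
    for net, flows in blocked_media_by_source(SAMPLE_LOG).items():
        print(net, "denied:", ", ".join(flows))
```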

 

For additional information please reference the following articles:

https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-ab...

 

We have also prepared a template for CQD online that you can import that will help narrow down network infrastructure devices in a customer environment that could be impacting the ability to establish media.  Please see the template attached to this blog and we would love to hear from you.

 

 

18 Comments

This template is great @Aaron Steele! This will give us some more insight into the failures.

Deleted
Not applicable

 

Nice report @Aaron Steele thanks.


I'm not sure I'm 100% appreciating the difference between the two subreports?



Microsoft
Thanks Tom. We created two, so you as the end could see one increasing in quantity (UDP) and the other decreasing (TCP), as well in the UDP one, you as the admin could also add second server reflexive for the possibility to see the egress IP that is most impacting this problem for you and your users. That same thing doesn't render in the TCP filtered view any additional information and in the UDP might break out the subnet into other buckets depending on your routing and IP allocations, so we left it to you to decide.

How can we open this file?

@Sankarasubramanian Parameswaran you will need to import these on https://CQD.lync.com

 

Summary Reports > Detailed Reports > Import

Microsoft

Hello, this file needs to be imported into cqd through the detailed reports tab from the top menu. Sign into cqd.lync.com as a tenant or SFB admin, or someone with the Reports Reader role in your Office365 tenant. Open the detailed reports from the top menu that starts at Summary reports, and click import on the left hand pane.

Our firewall team mentioned all the ports and IP addresses are allowed in the firewall, but Microsoft deducted us it is not allowed. Moreover, we are also having failures in the audio communication. Please let us know what is the best way to update the firewall team.

Microsoft

You can open a service request with Microsoft support to help you with this issue. But if our data shows it's not open, and your Firewall team says it is, there must be some way to come to agreement. Data from CQD showing source subnet with source of failure has always been my go-to source of truth.

Hi,

 

Please let us know if there is any architecture diagram for Skype for Business Online that shows port communication, which would help us update our network team to allow UDP ports. Currently we don't know why we need to allow UDP ports.

Microsoft

https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-ab...

 

3 | Required: Audio, Video, & Desktop sharing | client computer | logged on user | *.lync.com | yes | Skype for Business IP ranges. | TCP 443, UDP 3478, 3479, 3480, & 3481 | Optional: TCP & UDP 50,000-59,999

Can you please share the architecture diagram which shows us the port numbers in the diagram.

Microsoft

That's not something I have. The ports are documented that the clients need to be able to connect to and use. If more detailed information is needed to convince your network team, please contact your Microsoft account team, or a qualified consulting firm in your region.

Iron Contributor

@Sankarasubramanian-

Please see this URL:

https://myadvisor.fasttrack.microsoft.com/CloudVoice/Downloads?SelectedIDs=4_4_0_2

  • Slide 48 of the presentation contains an architecture diagram
  • Additionally, slides 16-19 talk about network ports that need to be available, and that information directly links to the info Aaron has already provided.
    • These ports are needed for ALL workflows, up to and including IM/Presence/AppShare/Audio/Video/PSTN
    • These ports are the "Common for all Cloud PBX options ports" referenced in slide 48
  • You absolutely must open the proper UDP ports outbound in order for media to work properly
    • Forcing traffic via TCP (and especially through TCP 443) is a recipe for disaster.
      • Expect poor stream quality, media drops for audio/video/application sharing, or outright media startup failure if you force TCP.

Use this info to speak to your network/firewall team so that they can open up the appropriate ports.  If you can't navigate the complexities on your own, then as Aaron suggested, see if you can find a Microsoft partner in your region that would be able to assist you to get things resolved.  There are many moving pieces to account for and a qualified partner can help you outline other issues that may be at play.

 

Our firewall team created a new rule to allow these ports to lync.com, but when we tested today no traffic hit these rules and it got denied with the reason " World.tr.teams.microsoft.com" denied

Hi Aaron

 

We have requested our firewall team to allow this and it does not work. In another Skype community page, they have recommended allowing all the IP addresses instead of *.lync.com. Our firewall team does not want to allow all the IP addresses. Please let us know which method we have to follow.

 

https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-ab...

 

3 | Required: Audio, Video, & Desktop sharing | client computer | logged on user | *.lync.com | yes | Skype for Business IP ranges. | TCP 443, UDP 3478, 3479, 3480, & 3481 | Optional: TCP & UDP 50,000-59,999

Microsoft

The IP addresses and URLs are documented as "Required", if you want the service to work.  We've been working diligently to reduce the number of subnets and are down near 90 subnets for Skype for Business online media from our starting point near 200. There are media flows in Skype for Business online that do not take place using a named service, but just an IP address, and thereby just whitelisting the URL will not allow media to work.

All

 

After a long time, updating the same thread. We still have a lot of issues in Skype even though we opened all the ports requested by Microsoft; we have media and audio issues and app sharing issues.

1. Even though we opened all the UDP ports, there were only connections from 3478 and 443 when we did Skype network analyzer tool testing

2. We still have old versions of Skype clients, and we are trying to find an option for how we can block the connections to Office 365 services

3. Even when a meeting failed in the middle, we don't have an option to identify why it failed

 

 

 

Copper Contributor

Hi @Aaron Steele 

Re: "There are media flows in Skype for Business online that do not take place using a named service, but just an IP address, and thereby just whitelisting the URL will not allow media to work."

Do you know if this is still the case? We opened a ticket through support and were told only the named entries were required. This was good as we could simply add *.lync.com to our proxy bypass list. If traffic is going via IP we will need to rethink our design. Do you know if Teams also uses IPs?

 

Thanks, Ryan.

Version history
Last update: Jan 18 2018 07:39 AM