May 23 2022 05:09 AM
Hi,
I am new to Microsoft Teams and I am wondering why some Microsoft Teams traffic is going straight to the internet and some is going via VPN. We use Cisco AnyConnect and have configured dynamic split tunnel. What I noticed is that the traffic flows for Audio Calling, Video Calling, Sharing and Meetings are all going via VPN, but the rest are going straight to the internet. Is this normal behavior? I thought that once we implemented split tunnel, all Microsoft Teams traffic would go straight to the internet. Thank you.
note: We added all Microsoft Teams and Skype for Business Online addresses in the dynamic exclusion list
May 23 2022 07:24 AM
May 23 2022 12:03 PM
May 24 2022 07:06 AM
May 24 2022 07:56 AM
Teams doesn't really make a decision on where the data goes. That's DNS's job. Teams looks up the endpoint and starts sending traffic to it.
Now, if for some reason the other end doesn't respond, Teams may back down to another protocol to get the data through. For instance, media data wants to go UDP, but if it can't, it will switch to TCP and even HTTPS.
Try using the tool at Microsoft 365 network connectivity test tool - Microsoft 365 Enterprise | Microsoft Docs and do this from multiple locations using multiple computers and both domain joined and non-domain joined machines with VPN on and off. I think you'll find it enlightening.
May 24 2022 07:57 AM
May 24 2022 01:05 PM
May 24 2022 03:07 PM
When you say
note: We added all Microsoft Teams and Skype for Business Online addresses in the dynamic exclusion list
what exactly do you mean, the DNS entries or the IP addresses? For media traffic it should be best to simply exclude UDP 3478-3481 so it always goes direct. That's the Optimise category that needs to avoid corporate networks.
As already pointed out, the Teams client can't choose; it's all up to how the Cisco VPN interacts with the client's routing table for the addresses that Teams is accessing.
May 25 2022 01:54 AM
May 25 2022 02:47 AM
DNS isn't sufficient; media traffic goes straight to IP addresses and doesn't make use of DNS. Look at Rule 11 in the Microsoft list Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Docs
UDP 3478-3481 are the destination ports used for Teams media; 50,000 - 50,059 are source ports if you choose to configure Teams to force those. It's generally not the case that you use source in a VPN/firewall.
You do need to review the Microsoft list very carefully, and for Teams to work fully you need to consider all the different sections (Teams relies on Exchange, SharePoint and the common services).
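The behaviour discussed in this thread, as an added example that is not part of any poster's reply: a simplified Python model of an exclude-style split tunnel, showing why media flows addressed by IP stay in the VPN when only domain names are excluded. The class and function names are hypothetical, and the sample addresses are constructed from documentation ranges; real ranges come from the Microsoft list referenced above.

```python
import ipaddress

MEDIA_UDP_PORTS = range(3478, 3482)  # UDP 3478-3481, the media ports named in the thread

class SplitTunnel:
    """Simplified exclude-style split tunnel (a model, not AnyConnect's own logic)."""

    def __init__(self, excluded_domains=(), excluded_networks=()):
        self.excluded_domains = tuple(d.lower() for d in excluded_domains)
        self.static = [ipaddress.ip_network(n) for n in excluded_networks]
        self.dynamic = set()  # host addresses learned from DNS answers

    def observe_dns(self, name, answers):
        """Dynamic exclusion: a DNS answer for an excluded name bypasses the tunnel."""
        name = name.lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in self.excluded_domains):
            self.dynamic.update(ipaddress.ip_address(a) for a in answers)

    def path(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        if ip in self.dynamic or any(ip in net for net in self.static):
            return "direct"
        return "vpn"  # anything not excluded stays in the tunnel

def media_in_tunnel(tunnel, flows):
    """Return the media flows (UDP 3478-3481) that would still be tunnelled."""
    return [f for f in flows
            if f["proto"] == "udp" and f["dport"] in MEDIA_UDP_PORTS
            and tunnel.path(f["dst"]) == "vpn"]

# Constructed sample data: documentation-range IPs, not Microsoft's real ranges.
DNS_LOG = [("teams.microsoft.com", ["198.51.100.10"])]
FLOWS = [
    {"dst": "198.51.100.10", "proto": "tcp", "dport": 443},  # reached by name
    {"dst": "203.0.113.77", "proto": "udp", "dport": 3478},  # media, reached by IP
    {"dst": "203.0.113.90", "proto": "udp", "dport": 3480},  # media, reached by IP
]

def run(tunnel):
    for name, answers in DNS_LOG:
        tunnel.observe_dns(name, answers)
    return [tunnel.path(f["dst"]) for f in FLOWS], media_in_tunnel(tunnel, FLOWS)

domain_only = SplitTunnel(excluded_domains=["teams.microsoft.com"])
with_ip_ranges = SplitTunnel(excluded_domains=["teams.microsoft.com"],
                             excluded_networks=["203.0.113.0/24"])
if __name__ == "__main__":
    print("domain-only:   ", run(domain_only))
    print("with IP ranges:", run(with_ip_ranges))
```

With the domain-only policy the two media flows are reported as still tunnelled; adding the IP prefix moves them to the direct path.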
May 31 2022 05:46 AM