Strange Teams network traffic to 192.168.1.x IPs on our DMZ subnet

When doing firewall audits (Palo Alto) we used the following query to investigate very strange Teams behavior: it sometimes talks to certain IP addresses on our DMZ which in some cases don't even exist (there's no device there).

The filter in Palo Alto we are using is: ( rule eq 'Allow Inside to DMZ' ) and ( app eq ms-teams-audio-video )

Palo Alto's application layer firewall is detecting lots of random small kbps from users on our regular network to ports 50032, 50010, 50019, 20024, 50030, 50014, 50046, 50050 and a few others in that range. These are regular users trying to hit these IPs:

- (no device exists here)
- A vendor's second VPN to their private network, but real traffic would go out their HSRP IP
- (no device exists here)
- A locked down Windows 10-based KIOSK that faces the public and is locked onto our website
- (no device exists here)
- An SFTP server


Why would Teams be trying to send random bits of data recognized as ms-teams-audio-video to random IPs that sometimes exist, or do not exist, on our DMZ? These users are not having Teams issues, except maybe the random thumbnails are broken images, but click off chat to another area, then click back, and they are fixed.

2 Replies
Do you have direct routing in MS Teams? Or use a hosted SBC? 50,000 port range is pretty common for folks to use for media ports on SBCs, and if you have Direct Routing or a hosted SBC, you may have "media bypass" enabled, which would make the clients attempt to talk to the SBC directly. With no response from those addresses, it'll fall back to using the media transport services in MS Teams instead.
We do not have any voice or Teams-to-phone-system features. When I go to Voice > Direct Routing there's just a local route there:
Priority 1 dialed number pattern: ^(\+1[0-9]{10})$
You haven't selected any SBCs yet.
You haven't selected any PSTN usage records yet.