cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Strange teams network traffic to 192.168.1.x IPs on our DMZ subnet

kjstech
Brass Contributor

‎Oct 16 2023 09:57 AM

‎Oct 16 2023 09:57 AM

Strange teams network traffic to 192.168.1.x IPs on our DMZ subnet

When doing firewall audits (Palo Alto) we used the following query to investigate very strange teams behavior sometimes talking to certain IP addresses on our DMZ which in some cases don't even exist (there's no device there).  

The filter in palo alto we are using is: ( rule eq 'Allow Inside to DMZ' ) and ( app eq ms-teams-audio-video )

Palo Alto's Applicaiton layer firewall is detecting lots of random small kbps from users on our regular network to ports 50032, 50010, 50019, 20024, 50030, 50014, 50046, 50050 and a few other in that range.  These are regular users trying to hit these IPs:
192.168.1.157 - (no device exists here)

192.168.1.24 - A vendors second VPN to their private network but real traffic would go out their HSRP IP

192.168.1.16 - (no device exists here)

192.168.1.3 - A locked down Windows 10-based KIOSK that faces the public and is locked onto our website

192.168.1.170 - (no device exists here)

192.168.1.199 - An SFTP server

 

Why would teams be trying to send random bits of data recognized as ms-teams-audio-video to random IP's that sometimes exist, or not exist on our DMZ?  These users are not having teams issues, except maybe the random thumbnails are broken images but click off chat to another area, then click back and they are fixed.

283 Views
0 Likes
2 Replies
Reply
2 Replies
jangliss

‎Oct 17 2023 06:03 PM

‎Oct 17 2023 06:03 PM

Re: Strange teams network traffic to 192.168.1.x IPs on our DMZ subnet

Do you have direct routing in MS Teams? Or use a hosted SBC? 50,000 port range is pretty common for folks to use for media ports on SBCs, and if you have Direct Routing or a hosted SBC, you may have "media bypass" enabled, which would make the clients attempt to talk to the SBC directly. With no response from those addresses, it'll fall back to using the media transport services in MS Teams instead.
0 Likes
Reply
kjstech

‎Oct 18 2023 08:43 AM

‎Oct 18 2023 08:43 AM

Re: Strange teams network traffic to 192.168.1.x IPs on our DMZ subnet

We do not have any voice , or teams to phone system features. When I go to Voice > Direct Routing there's just a local route there
Priority 1 dialed number pattern: ^(\+1[0-9]{10})$
You haven't selected any SBCs yet.
You haven't selected any PSTN usage records yet.
0 Likes
Reply