When using proxy on localhost teams fails to establish TCP connection for login

Copper Contributor

This is a strange problem, and it took us quite a while to get to the bottom of it.

We tested on Windows 10 and Windows 11 with the latest Teams app.

 

What is the problem?

 

We are working on a solution the monitors network traffic for a safe school environment. As part of that we install a local proxy on Windows devices. The proxy is configured as manual proxy in the proxy settings.

 

When requesting to sign into Teams, Teams establishes a connection to `login.microsoftonline.com`. Without the proxy that works without problems. Teams establishes a TCP connection, sends a CONNECT, TLS handshake and then encrypted data.

When activating the local proxy any connection is fine  (e.g. `teams.events.data.microsoft.com`, `nav.smartscreen.microsoft.com` are established just fine), but the one to `login.microsoftonline.com` is not established. In Teams this results in an error page that the login page can't be reached (it reports a 404, but it's not a 404).

We ensured that nothing was blocked and there are no lower level connection errors, then we dug deeper with Wireshark.

 

Once accessing the login page (which would trigger connection making for `login.microsoftonline.com`) we see a `SYN` being sent to establish the TCP connection, but there is never a `SYN/ACK`. The local proxy never receives this `SYN` (no connection is ever established), somehow it never reaches the destination but is "dropped". We can see that Teams tries to re-transmit the SYN, but it never arrives at the destination.

 

A tcp `SYN` not reaching it's destination points to it being blocked somewhere, so we:

 

- Turned the firewall off (anything that can be turned off is turned off)

- Added specific allow rules for any other device control that could block.

 

This did not help, the problem keeps persisting.

(Note: We were able to reproduce this problem with a different proxy solution as well. Once we configure the proxy on localhost we run into this issue.)

 

We also tried:

 

- Configure the local proxy with the IP address of the machine within the local network (i.e. 10.12.128.2)  instead of  `127.0.0.1`: Leads to the same problem.

- Run the local proxy on another Windows machine, turn off firewall and connect to the proxy on the other machine: No problems with this solution, the connection is established fine.

 

We then tried to configure the proxy via PAC file (without a DIRECT fallback), which result in different weird behavior. In the browser the behavior is as expected - pages that are blocked by the proxy report a connection failure, pages that are allowed can be accessed.

For Teams login we don't run into problems with the PAC file based settings, but Teams does not route the connection to `login.microsoftonline.com` through the proxy! The connection to `login.microsoftline.com` somehow implicitly bypasses the system wide proxy settings when using a PAC file (i.e. I see the connection in Wireshark, but it's directly established, not going through the proxy even though it is configured via PAC file). Other connections related to Teams are established through the proxy as expected. I don't think this is expected behavior.

 

I have Wireshark traces that show all the different behaviors. If needed I'm happy to add them to this ticket.

 

It would be great to get help with a better understanding what could be the problem. What could cause this behavior (in Teams / in Windows)?

With a better understanding of the behavior we could work on overcoming this problem.

 

3 Replies

Hi @dakami,

To resolve the issue of Teams failing to establish a TCP connection for login when using a proxy on localhost, ensure that necessary endpoints are allowed by your firewall or proxy server. Specifically, allow traffic on TCP ports 80 and 443 for

  • *.microsoft.com
  • *.office.com
  • *.office.net
  • login.microsoftonline.com

Verify that proxy settings on Windows devices do not block connections to login.microsoftonline.com and check your network configuration for any restrictive rules. Use Wireshark to analyze traffic and identify where connections are being blocked. If using a PAC file, ensure it correctly applies proxy settings without bypassing login.microsoftonline.com. Testing different proxy configurations can help isolate the issue. For further guidance, refer to Microsoft's documentation on proxy servers for Teams and Prepare your organization's network for Teams.

@Dinesh-MSFTthanks for the answer! I still think it would be good for the Microsoft Teams Dev team to evaluate what's going on in teams when connecting to a proxy on local host.

 

What we are experiencing it not expected behavior, and it only happens on Windows when connecting to a proxy on localhost. We tested with multiple proxies and of course we made sure that the proxies are configured correctly, so that traffic is not blocked from the proxy side.

 

I posted a lengthy question that includes Wireshark traces on stackoverflow as well: https://stackoverflow.com/questions/78509456/windows-10-11-connection-to-localhost-proxy-fails-on-tc...

 

What we see is, that Teams sends different SYN packages when connecting to localhost -I don't think this is expected behaviour!

 

I read through Microsoft's recommendation for proxy servers - but to be frank - they are not very helpful for getting to the bottom of the specific problem we found. It would be great if we could connect to someone from the Microsoft Teams dev team to discuss our findings in depth. If there is a better place to raise this ticket please let me know.

 

Hi @dakami,

We are mainly responsible for Microsoft Teams app development related issues.

For Microsoft Teams product issues/failures your tenant Admin can reach out to Microsoft 365 Product Support.

For general questions about Microsoft Teams please post your question on Microsoft Teams Community.