Cybersecurity / Microsoft Teams / SonicWALL / Uncategorized

This blog describes how to configure Sonicwall firewalls and their security services to work better with the streaming audio and video network traffic in Microsoft Teams. There are times when the Deep Packet Inspection(DPI) services may cause a slight delay in packet transmission of streaming audio and video that users may then notice in conversations. This same procedure can be used for additional streaming services such as Microsoft Skype, Microsoft Skype for Business, Microsoft Lync, Slack, Zoom and more.

Sonicwall firewalls are fantastic devices that provide some of the most innovative security services on the market. Sonicwall services monitor various aspects of network and application security services, but in this article we are going to focus on the gateway security services. While these gateway security services are fast and do a great job, they are primarily designed for packet inspection of data services such as file transfers, email, web surfing, and more. Collaboration services utilize streaming services which can be susceptible to packet inspection that may cause issues with voice and video streams for users.

Below are several areas to review the configuration settings of Sonicwall firewalls. The following items and possible corrective actions are discussed:

  • Section One:
    • UDP Flood Protection Rules: Configuration Settings and Testing
    • UDP Flood Protection Rules: Adjust Threshold Settings and Testing
  • Section Two:
    • Deep Packet Inspection(DPI) Services: Disable for Microsoft Teams Collaboration Services

Section One: UDP Flood Protection Rules

Part One: Disable UDP Flood Protection (optional). By default, this option is not enabled. As an extra means of security, an administrator may have enabled this option and is causing issues with the collaboration streams in your environment.

  1. Logon to your Sonicwall device as an admin
  2. Select the Network Tab on the top of the screen
  1. Select the Firewall section on the left of the screen
  1. In the Firewall section, select Flood Protection(above)
  2. Then select the UDP tab at the top of the screen
  1. Locate the option “Enable UDP Flood Protection.” As indicated above, this option is disabled by default but an administrator in your environment may have enabled it at some point. Disable the option and test if the collaboration audio/video stream poor experiences are resolved. Decide if this is an option you want to keep disabled and the acceptable risk.
  1. If using IPv6, repeat the steps above.

Part Two: Define the UDP Flood Attack Threshold value

  1. Logon to your Sonicwall device as an admin
  2. Select the Network Tab on the top of the screen
  1. Select the Firewall section on the left of the screen
  1. In the Firewall section, select Flood Protection(above)
  2. Then select the UDP tab at the top of the screen
  1. Locate the option “Enable UDP Flood Protection.” As indicated above, this option is disabled by default but an administrator in your environment may have enabled it at some point. If this is an option you would to keep enabled for enhanced network security, enter a larger value in the UDP Flood Attack Threshold. By default, the value is 1000 UDP Packets per second. Audio and Video conferencing applications use larger UDP packets as part of their operation. Raise this value to 2000 and click on Accept.
  2. Work with your users to provide feedback on their collaboration experiences after the value has been set. If needed, this value can be raised up to 10,000. Attempt to raise the number in increments of 1000 until user feedback becomes satisfactory.

Section Two: Disable Deep Packet Inspection(DPI) on Microsoft Teams Services

Keep in mind that streaming services are very susceptible to latency caused by other services. This includes the delay in packet transmission that Deep Packet Inspection(DPI) of traffic may cause. Although Sonicwall does a fantastic job in this area, there may be times where the packet inspection services on the firewall are peaked and begin to cause issues with audio and video calls in Microsoft Teams. This section describes how to remove DPI on only the Microsoft Teams services.

Below are the Microsoft Teams Service Objects that will be created in the following steps:

Microsoft Teams Audio – TCP ports 50000-50019

Microsoft Teams Audio – UDP ports 50000-50019

Microsoft Teams Video – TCP ports 50020-50039

Microsoft Teams Video – UDP ports 50020-50039

Microsoft Teams Sharing – TCP ports 50040-50059

Microsoft Teams Sharing – UDP ports 50040-50059

Microsoft Teams – UDP ports 3478-3481

Part One: Create the new Microsoft Teams Service Objects

  1. Login to your Sonicwall as an administrator
  2. Select Object at the top of the screen
  1. In the Match Objects section on the left, select Services
  2. In the Service Objects tab at the top, select +Add to begin adding new objects. In these fields, use the information in the list above. The first Service Object in the list is defined below as Microsoft Teams Audio TCP(6). Click Save when completed.
  1. Create a new Service Object for each of the items listed above. In the next section we will group these together into a single Service Group that will be used in the Firewall policy.
  2. When the list of Service Objects have all been entered, search for the keyword Teams under Service Objects. This will display all of the Service Objects you just created for Microsoft Teams.

Part Two: Create A New Service Group for the Microsoft Teams Service Objects

Now that all of the Microsoft Teams related Service Objects have been defined, we now need to add them into a single group called Microsoft Teams Service Group.

  1. While still logged into the Sonicwall, under Object / Match Objects / Services, click the Service Groups tab.
  1. Click the +Add option on the far right of the screen
  1. Name the new Service Group Microsoft Teams Service Group
  1. The column on the left holds all of the Service Objects. There are hundreds of them, so instead of manually scrolling, type in the word Teams into the search field(highlighted below). Each of the Service Objects you recently created will now appear.
  1. Highlight each service one at a time and move it to the column on the right using the arrows. Below is a screen picture of what your screen should look like when completed.
  1. Select Save when done to finish creating the new Microsoft Teams Service Object. A quick search for the keyword Teams will now display the new Microsoft Teams Service Group. Expand the new group to view each Service Object.

Part Three: Define the Access Rules for Microsoft Teams Streaming Services Where DPI Services will be Disabled

  1. While logged into the Sonicwall as an administrator, Select Policy on the top, then Rules and Policies on the left. Then select Access Rules to get started.
  1. At the bottom of this screen, select the +Add option to create the new Access Rule.
  1. In the new Access Rule, enter a name and description (include the date for your reference)
  1. Select the Security Profiles tab. Under Decryption Services, disable each of the three settings: DPI, Client DPI-SSL, and Server DPI-SSL. Highlighted below.
  1. In the Source/Destination tab, define the Source Zone/Interface as WAN and the Destination Zone/Interface as LAN. Under Ports/Services, type in the search keyword Teams. Then select the Microsoft Teams Service Group created earlier.
  1. Select Save when done. *Note: To further secure your network, consider creating a Service Group of Microsoft Teams service IP addresses and namespaces. Then, use this group for the Source Address field. Doing this will make sure this rule only ignores DPI for traffic originating from these trusted locations. Otherwise, what if an attacker was using UDP port 3478 as a point of entry from any given IP address. In the case where the source address (Teams services) was not defined, the DPI services would not evaluate this traffic. For a list of Microsoft 365 service sources with URLs, IP addresses, ports, and protocols that must be correctly configured for Teams, see this link: Office 365 URLs and IP address ranges – Microsoft 365 Enterprise | Microsoft Docs
  2. With the configuration now implemented, work with the users who were reporting issues to see if they are now resolved.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.