TomSpevk-9780 asked SharonZhao-MSFT edited

Microsoft Teams over Proxy (Cisco WSA)

Dear all,

I'm forwarding a question that I have on the Microsoft community here, hoping that I will get some help. Thank you all in advance.

In our company, we are having huge trouble getting Microsoft products to work over our proxy server - especially Teams and Skype (also Skype for Business).

Does anybody know if there is some list of URLs to make these two, but especially to make Teams work over WSA?
We are also using a firewall.
We allowed these subnets on our firewall with these services, just as requested on the Microsoft site:

Destination:
13.107.64.0/18
52.112.0.0/14
52.120.0.0/14

Ports
UDP 3478-3481


We also allowed ALL of these URLs, IPs and subnets on our proxy:
20.202.0.0/16, 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42, .lync.com, lync.com, xboxlive.com, .xboxlive.com, outlook.office365.com, .outlook.office365.com, teams.microsoft.com, .teams.microsoft.com, msedge.net, .msedge.net, skype.com, .skype.com, live.net, .live.net, statics.teams.cdn.office.net

Regular Expressions:
.teams.microsoft.com$
.msedge.net$
.skype.com$
.live.net$

We even had a serious troubleshooting session with Cisco Support, who told us that everything seems to be OK on our side for Teams. Skype wasn't even sending traffic to the proxy; it was totally bypassing it and trying to go directly through the firewall to the internet. The number of sites it was trying to reach was enormous, therefore we couldn't allow it for security reasons (security is the most important thing in our company).

Now, with all these URLs / IPs allowed on proxy / firewall, this is the response from Teams:

124612-image.png

What is strange is that SOMETIMES it works, meaning that if I relaunch this application 15, sometimes 20, sometimes only 8 times, it starts to work. The meeting itself is also sometimes working, sometimes not. Right now we can't even connect to Teams, and at the sites in America where they can connect, the meeting isn't working.

If ANYONE can help us with making Teams work over Cisco WSA, I will be really, really grateful! It is crucial for us. We are using mostly WebEx, but Teams is also required in our company and it is needed by top management and also by other people.

Thank you all in advance!




office-teams-windows-itpro
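
An offline check of the proxy allow-list posted in the question, added here as an example (not code from the original post, Microsoft or Cisco): it reports which rule covers a destination and shows that the posted regular expressions, with unescaped dots and no left anchor, match more than the intended subdomains. It assumes Python `re.search` semantics and that a leading dot in a site entry means "any subdomain"; the WSA's own matching may differ, and the test hostnames and the `tighten` and `match` helpers are constructed for illustration.

```python
import ipaddress
import re

# Allow-list entries copied from the question above.
NETWORKS = [ipaddress.ip_network(n) for n in (
    "20.202.0.0/16", "13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14",
    "52.238.119.141/32", "52.244.160.207/32", "2603:1027::/48",
    "2603:1037::/48", "2603:1047::/48", "2603:1057::/48",
    "2620:1ec:6::/48", "2620:1ec:40::/42")]
SITES = [".lync.com", "lync.com", "xboxlive.com", ".xboxlive.com",
         "outlook.office365.com", ".outlook.office365.com",
         "teams.microsoft.com", ".teams.microsoft.com", "msedge.net",
         ".msedge.net", "skype.com", ".skype.com", "live.net", ".live.net",
         "statics.teams.cdn.office.net"]
REGEXES = [r".teams.microsoft.com$", r".msedge.net$", r".skype.com$", r".live.net$"]

def tighten(pattern):
    """Escape the dots and anchor the match on a DNS label boundary."""
    domain = pattern.rstrip("$").lstrip(".")
    return r"(^|\.)" + re.escape(domain) + "$"

def match(dest, regexes=REGEXES):
    """Return the first allow-list rule that covers dest, or None."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None
    if ip is not None:
        # Containment is False when the address families differ.
        return next((str(net) for net in NETWORKS if ip in net), None)
    host = dest.lower().rstrip(".")
    for site in SITES:
        # Assumption: leading dot = any subdomain, no dot = exact host.
        if (site.startswith(".") and host.endswith(site)) or host == site:
            return site
    for rx in regexes:
        if re.search(rx, host):
            return rx
    return None

if __name__ == "__main__":
    strict = [tighten(r) for r in REGEXES]
    # Constructed test destinations, not taken from any real log.
    for dest in ("52.113.10.20", "13.107.128.1", "api.teams.microsoft.com",
                 "notskype.com"):
        print(f"{dest:26} posted={match(dest)!s:22} tightened={match(dest, strict)}")
```

With the tightened patterns, every hostname that still matches a regex is already covered by the leading-dot site entries, so the audit can also be used to spot redundant rules.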

1 Answer

SharonZhao-MSFT answered SharonZhao-MSFT edited

@TomSpevk-9780,

When you use a proxy server in your organization, Microsoft strongly recommends:

  • Using external DNS resolution

  • Using direct UDP based routing

  • Allowing UDP traffic

  • Following the other recommendations in our networking guidelines: Prepare your organization's network for Teams

Even so, this guidance just minimizes potential problems. Please don’t worry about the security problem because Teams and Skype for Business traffic is already encrypted. The following image, captured from the official document, shows the potential issues caused by a proxy:
124625-image.png


If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.






Yes, I understand that it would be best to avoid the proxy, but we don't see any other way than using the proxy.

You see, we are using WSA at each site in the company, and there is also a firewall at each site. We can manage the proxy rules easily, because they are centrally managed and we can deploy configuration to all of them in a second, in case some new URL is needed.

However, as I mentioned, we also have a firewall at each site, there are dozens of them - far over 50 firewalls already. Since we have the proxies, we would like to utilize them so we don't have to create many objects and allow many ports on firewalls directly.

Isn't there another option to make it work over WSA, please?
I understand that the traffic is encrypted, but still, we would like to avoid creating everything on firewall. Also we use strict policies of what is created and what is not created on firewall, and I doubt that management would approve it in this way.

If you could advise anything, to make it work over WSA, I would be grateful. THANK YOU.


IF it is really necessary to create everything on the firewall, can you please provide us with a list of all IPs and ports that need to be allowed on the firewall? Thank you.

0 Votes 0 ·

@TomSpevk-9780,

Please refer to Skype for Business Online and Microsoft Teams section in this document. It lists all required addresses and ports for Microsoft Teams and Skype for Business Online.


0 Votes 0 ·

@TomSpevk-9780,
How is it going now?
Please feel free to drop us any notes.
Have a nice day!

0 Votes 0 ·