28 Aug Implement Quality of Service (QoS) for Microsoft Teams
As you know, Microsoft Teams is a collaboration and unified communication application. Teams provides real-time communication, including persistent chat, audio/video calls (Voice over IP), meetings, application sharing, PSTN calls, content sharing and so on. These capabilities will increase the traffic on your existing network, so it is increasingly important to balance network performance with the cost of service.
Microsoft Teams is a latency-sensitive application. To provide an optimal experience with Teams audio, video and application sharing, you must prioritize Teams real-time traffic over lower-priority traffic.
There are different ways to prioritize network traffic, but the most common way is by using Differentiated Services Code Point (DSCP) markings. DSCP values can be applied or tagged based on port ranges and also via Group Policy objects (GPOs). Because Microsoft Teams is available across platforms, including Windows, macOS, iOS and Android, applying port ranges via GPO will not work for non-Windows devices. It is recommended that you use DSCP tagging based on port ranges at the network layer, because it works for all devices, including macOS, iOS and Android devices. In fact, a combination of Group Policy Objects and DSCP tagging at the network layer works better.
QoS is most beneficial when you configure a QoS-capable connection from end to end, meaning from the computer to network switches to routers to the cloud (Office 365 service), because any part of the path that fails to support QoS can degrade the quality of the entire call.
QoS works well when implemented end-to-end, connecting caller to callee and vice versa. If you use QoS on the internal network and a user signs in from a remote location, you can only prioritize Teams traffic within your internal (managed) network.
Because Microsoft Teams is a cloud-only service, you don't have end-to-end control of the network: when network traffic leaves your managed network, you depend on the internet, where you don't have much control. Basically, the interconnect network will be an unmanaged internet connection, as shown in the image below. One option available to address end-to-end QoS is Azure ExpressRoute, which requires additional investment.
QoS will help to enhance the user experience with Teams, so you can implement QoS in your organization when you are deploying Teams or after you have already deployed it.
Even though you will not have end-to-end control of the network, it is recommended that you implement QoS on the portions of the network you do control, namely your on-premises network. This will increase the quality of real-time communication workloads throughout your deployment and relieve chokepoints in your existing deployment.
Teams is a great product, and applying QoS policies will give your end users an optimal experience. This guide will help you implement QoS and validate it.
How to set up Quality of Service for Microsoft Teams?
As I mentioned earlier, for Teams traffic you should use Group Policy Objects and DSCP marking based on port ranges to accommodate Windows and non-Windows devices. This guide covers Quality of Service settings at the endpoint level as well as at the network layer.
It is best practice to use a Group Policy Object to catch the majority of clients, and also use port-based DSCP tagging to ensure that mobile, Mac, and other clients will still get QoS treatment (at least partially).
The DSCP values and client source port ranges below are recommended for Microsoft Teams media traffic.
DSCP Marking and Teams Client Source port ranges:
|Client source port range|Protocol|Media category|DSCP value|DSCP class|
|---|---|---|---|---|
|50,000–50,019|TCP/UDP|Audio|46|Expedited Forwarding (EF)|
|50,020–50,039|TCP/UDP|Video|34|Assured Forwarding (AF41)|
|50,040–50,059|TCP/UDP|Application/Desktop Sharing|18|Assured Forwarding (AF21)|
Apply DSCP Marking at network Layer (L2):
Port-based DSCP tagging uses access control lists (ACLs) on network devices (switches and routers). Basically, the network team marks the Teams audio, video and application sharing traffic at the ingress/egress routers, typically located on the Wide Area Network (WAN), based on the client source port ranges defined for each modality. Although this works across platforms, it only marks traffic at the WAN edge, not all the way to the client machine, and therefore incurs management overhead.
To set this up, share the Teams client source port ranges, with their DSCP classes and values, with your network team and discuss the configuration with them.
DSCP marking at endpoint level using Policy-based QoS:
QoS policies are applied to a user login session or a computer as part of a Group Policy object (GPO) that you have linked to an Active Directory container, such as a domain, site, or organizational unit (OU). QoS traffic management occurs below the application layer, which means that your existing applications do not need to be modified to benefit from the advantages that are provided by QoS policies.
For Microsoft Teams, we need to set up the QoS policies under Computer Configuration so that the policy applies to whoever logs in to the computer and uses the Teams client.
GPO Path: Default Domain Policy | Computer Configuration | Policies | Windows Settings | Policy-based QoS
Follow the steps below to implement policy-based QoS for Teams:
- First, define the Teams client source port ranges in the modern Teams Admin Center portal:
- Turn on “Insert Quality of Service (QoS) markers for real-time media traffic”; refer to the image below.
- Select “Select a port range for each type of real-time media traffic”; refer to the image below.
- Update the starting and ending port ranges for each media traffic type. Refer to the image below.
You can also set up the port ranges using PowerShell.
- Configure a separate Group Policy Object for each modality:
After defining the port ranges in the Teams Admin portal, you have to create Quality of Service policies that specify the DSCP values to be associated with each port range.
Simply restricting a set of ports to a specific type of traffic does not result in packets traveling through those ports being marked with the appropriate DSCP value. In addition to defining port ranges, you must also create Quality of Service policies that specify the DSCP value to be associated with each port range.
This association of DSCP values with port ranges can be achieved via GPO, which is called policy-based QoS. With QoS Policy, you can configure and enforce QoS policies that cannot be configured on routers and switches. QoS Policy provides the following advantages:
- It is easier to configure a user-level QoS policy on a domain controller and propagate the policy to the user’s computer.
- QoS policies are flexible: the QoS policy is applied regardless of where or how a computer connects to the network; the computer can connect using WiFi or Ethernet from any location.
- Some QoS functions, such as throttling, are better performed when they are closer to the source. QoS Policy moves such QoS functions closest to the source.
If you already have all the port ranges and DSCP values with their media category types, then proceed with the steps below; if not, decide on the port ranges and follow step two to configure them. Microsoft outlines the complete steps and port ranges here: https://docs.microsoft.com/en-us/microsoftteams/qos-in-teams
1. You must have consolidated all your computer objects into a single OU (Organizational Unit), e.g. Computer, so that the GPO applies correctly.
2. Log in to the Domain Controller or a computer which has Group Policy Management installed.
3. Open the Group Policy Management tool (run > gpmc.msc), right-click the OU (Computer) and then click “Create a GPO in this domain and Link it here” to create a new GPO, e.g. TeamsClient-QoS. You must have the required permission (Domain Admin) or an equivalent permission to create and link policy objects.
4. Select the newly created Group Policy Object, right-click it and select Edit to open the Group Policy Management Editor > expand Computer Configuration > expand Policies > expand Windows Settings > right-click Policy-based QoS > then click ‘Create new policy’. Refer to the image below.
5. On the Policy-based QoS page > give the policy the name “Teams Audio” > select Specify DSCP Value: “46” > click Next. The screenshot below shows the policy name and DSCP value information:
6. On the next page > select “Only applications with this executable name”: “Teams.exe” > click Next. The screenshot below shows the application name information. Note: This simply ensures that the Teams.exe application will match packets from the specified port range with the specified DSCP code.
7. On the next page, make sure that both Any source IP address and Any destination IP address are selected > then click Next. Note: These two settings ensure that packets will be managed regardless of which computer (IP address) sent those packets and which computer (IP address) will receive those packets. The screenshot below shows the IP address configuration information.
8. On the next page, select TCP and UDP > select ‘From this source port or range’. Note: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the two networking protocols most commonly used by the Microsoft Teams service and its client applications. Then type the port range reserved for audio transmissions (50000 to 50019) and select “To any destination port”. The screenshot below shows the protocol and port range configuration information:
9. Follow steps “4” to “10” and create new policy objects for “Teams Video” and “Teams Sharing” with the port ranges and DSCP values above. After you have configured all the policy objects, it will look like below:
3. Finally, test the QoS. As a best practice, you must validate the QoS configuration and DSCP tagging on a quarterly basis.
How to verify QoS policies applied and working?
There are multiple ways to verify the QoS:
1. Using the registry on the local Windows computer: Once the GPO is pushed and applied to the computer, you can force the GPO onto the local computer by running the command “gpupdate.exe /force”, and then visit the path below to verify that the QoS policies are applied. You will see a result like the image below. It shows the Teams Audio, Video and Sharing policies with port ranges and DSCP values. Registry Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\Teams Audio
2. Validate using packet capture: Start a Teams audio/video meeting and capture the network traffic with the Wireshark tool (it is a freeware tool; you can download and install it on your computer). The capture below shows Teams audio traffic (source 10.0.0.207, destination 188.8.131.52) over UDP with port number “50018”; this packet shows the DSCP marking as EF (Expedited Forwarding, DSCP 46). Verify the traffic in both directions to get the QoS benefits.
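
The packet-capture check can also be automated. The following Python sketch is an added example, not part of the original guide or of any Microsoft tooling: it reads the DSCP value and source port from a raw outbound IPv4 packet and compares them with the port-range table above. The function names, the sample destination address 192.0.2.10 and the destination port are constructed for illustration.

```python
import struct

# Client source port range -> (media category, DSCP value), from the table on this page.
TEAMS_QOS = [
    (50000, 50019, "Audio", 46),
    (50020, 50039, "Video", 34),
    (50040, 50059, "Application/Desktop Sharing", 18),
]

def expected_marking(src_port):
    """Return (category, dscp) for a Teams client source port, else None."""
    for low, high, category, dscp in TEAMS_QOS:
        if low <= src_port <= high:
            return category, dscp
    return None

def check_packet(ip_packet):
    """Check one outbound raw IPv4 packet; None means it is not Teams media."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None                       # too short or not IPv4
    ihl = (ip_packet[0] & 0x0F) * 4       # IPv4 header length in bytes
    if ip_packet[9] not in (6, 17) or ihl < 20 or len(ip_packet) < ihl + 4:
        return None                       # not TCP/UDP, bad header, or truncated
    dscp = ip_packet[1] >> 2              # DSCP is the upper six bits of the DS field
    src_port = struct.unpack("!H", ip_packet[ihl:ihl + 2])[0]
    expected = expected_marking(src_port)
    if expected is None:
        return None                       # source port outside the Teams ranges
    category, want = expected
    return {"category": category, "src_port": src_port,
            "dscp": dscp, "expected": want, "ok": dscp == want}

def build_sample(src_port, dscp):
    """Constructed IPv4 + UDP header for the demo (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 207]), bytes([192, 0, 2, 10]))
    return ip + struct.pack("!HHHH", src_port, 3480, 8, 0)

if __name__ == "__main__":
    # Constructed samples: correctly marked audio, unmarked video, unrelated traffic.
    for port, dscp in [(50018, 46), (50025, 0), (443, 0)]:
        print(port, check_packet(build_sample(port, dscp)))
```

A packet whose source port falls in a Teams range but whose DSCP differs from the table comes back with `ok` set to `False`, which is the case to investigate when a GPO has not applied or a device on the path has re-marked the traffic.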