18 Feb Implement VPN split tunnel for Microsoft Teams media traffic
Most organizations use a remote access or Virtual Private Network (VPN) solution that provides an encrypted tunnel between endpoints, such as remote users and the corporate network. VPNs are usually not designed to carry real-time media traffic, and they add an extra layer of encryption on top of Teams media traffic that is already encrypted, which adds overhead to every Teams media packet. In addition, connectivity to the Teams service (Office 365) may be inefficient because traffic is hair-pinned through a VPN device. The recommendation for VPNs is therefore to provide an alternate path that bypasses the VPN tunnel for Teams traffic. This is generally known as split-tunnel VPN.
Why is a VPN split tunnel required for Teams media traffic?
There are many VPN solutions on the market, and each vendor may have a different procedure for implementing a VPN split tunnel, so this topic covers general recommendations for what should be configured on the VPN solution. There are several reasons why you, as a Teams admin, should implement a VPN split tunnel.
- For Microsoft Teams chat and collaboration features, VPN or remote access connections are usually acceptable, because network quality problems are often not visible to the end user: if a chat message arrives a second or two late, the impact is minor. The same is not true for a real-time, bi-directional conversation such as a Teams audio call.
- Microsoft Teams uses a number of codecs, and they have different packetization times. A VPN solution adds another layer of encryption and decryption, which greatly increases the latency of these packets on their way to their destination. When Teams media packets are delayed and/or received out of order, jitter increases and the receiving endpoint attempts to stretch the audio to fill in the gaps, which usually results in undesirable audio such as robotic noise, sped-up voice and so on.
- A VPN solution can contribute to intermittent problems such as random network disconnects, which cause the Microsoft Teams session to disconnect (disruption of the signaling path) and/or media quality issues. This generally indicates a need for more capacity on the VPN solution. However, when the VPN solution was designed, media traffic may not have been taken into account, and the media usage degrades the overall VPN experience for other applications as well.
- Customers who have configured their VPN solution to exclude Microsoft Teams traffic, i.e. implemented a split-tunnel VPN, have seen a large improvement in user satisfaction with the Teams audio/video experience compared with those who have not. For this reason, we strongly recommend following the steps below to implement split-tunnel VPN for Teams media traffic.
How does split-tunnel VPN work for Teams media traffic?
Providing optimal call quality to end users who use Teams over a VPN requires a VPN split-tunnel solution. In a split-tunnel VPN configuration, all IP addresses used by the Microsoft Teams service (Office 365) are excluded from the tunnel, so that traffic to and from those IP addresses does not traverse the VPN. In other words, with the split tunnel in place the Teams client must behave exactly like an external Teams client. Most VPN solution providers support split tunnel; check your vendor's documentation for the configuration steps for your VPN solution. Refer to figure 3.19, which shows how the VPN split tunnel works.
Figure 1 VPN Split Tunnel Traffic flow
As shown in figure 3.19, all Microsoft Teams signaling and media traffic is split from the VPN secure tunnel and goes directly to the Microsoft Teams service (Office 365). To redirect users away from the VPN solution for Teams, the VPN must first be configured to support a split tunnel, which is a common feature of today's VPN appliances. A VPN split tunnel lets Teams traffic bypass the VPN tunnel; for example, external web traffic to the Teams site teams.microsoft.com does not traverse the VPN. Without a split tunnel, the default VPN configuration forces all Teams traffic through the VPN tunnel.
Common methods to implement VPN split tunnel:
There are different ways to achieve a VPN split tunnel for Teams media and signaling traffic.
Using a third-party VPN solution: in this topic, we cover VPN split tunnel configuration based on the Pulse Secure VPN solution as an example. I would strongly recommend contacting your VPN vendor for their split tunnel configuration documentation. There are different approaches and solutions for implementing a VPN split tunnel; the one presented here is a combined solution using a VPN concentrator and your corporate firewall.
The approach is as follows: create a policy on the VPN concentrator that excludes traffic to the Microsoft Teams service IP addresses (Office 365) from the VPN tunnel, meaning that Teams signaling and media traffic for those addresses is denied via the tunnel. Then, on your corporate firewall, create deny rules in both directions: from the VPN user subnets to the Teams service IP addresses (Office 365), and from the Teams service IP addresses (Office 365) to the VPN user subnets.
The split tunnel solution combines a VPN concentrator and your firewall.
- First, get all Teams service IP addresses, including those in both the 'Optimize required' and 'Allow required' categories. Refer to the Microsoft documentation for the Teams service IP addresses (https://docs.microsoft.com/en-us/Office365/Enterprise/urls-and-ip-address-ranges).
- Create a policy on the VPN concentrator that 'Excludes' traffic to all Teams service IP addresses from the VPN tunnel (refer to the link above for the Teams IP addresses). In other words, deny (split-tunnel) traffic to these Teams IP addresses from your VPN tunnel, and assign this policy to all other policies/users.
- Now work with your network firewall team to split Teams conferencing (media) traffic to the external path (not via the VPN tunnel).
Remember that all conference modality traffic flows through the MCU (Multi-Control Unit) running on the Teams service (Office 365). First, create the firewall rules below:
- Create a firewall rule that blocks traffic going from the VPN user subnets to the Teams service IP addresses/subnets (Office 365); refer to the Microsoft document linked above.
- Create another firewall rule that blocks traffic going from the Teams service IP addresses/subnets (Office 365) to the VPN user subnets.
To implement a VPN split tunnel for Teams one-to-one call traffic, you must create the rules below on your corporate firewall.
In addition to the Teams conferencing traffic above, you can block the UDP/TCP source ports that Teams uses for audio, video and application sharing. By default, Microsoft Teams uses a limited range of UDP/TCP ports as the source port for media. If you block these source ports from entering the VPN tunnel, the media goes via the external path, split from the VPN tunnel. This ensures that even when two users are both connected via VPN, their Teams media traffic is not hair-pinned through their VPN connections but goes directly between their internet connections.
The sample firewall rules look like the following:
- Create a firewall rule with source address the "VPN_Users" subnet, destination "Any", application "Stun" and MS Teams (if your firewall can identify the application), and service port set to the UDP/TCP port ranges for audio, video and application sharing.
- Create another firewall rule with source address "any", destination the "VPN_Users" subnet, application "Stun" and Teams (if your firewall can identify the application), and service port set to the UDP/TCP port ranges for audio, video and application sharing.
You can get the Teams audio/video and application sharing client port ranges from the Teams admin center: sign in to the Teams admin center, then go to Meetings > Meeting settings, under Network. Refer to figure 2 below.
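As an added example (not part of the original post or any vendor's tooling), the following Python builds the two rule sets described above from endpoint data: bidirectional RESET rules between the VPN user subnet and the Teams service ranges, then the client media source-port block rules. The input is a constructed sample in the shape of the Microsoft 365 endpoints JSON with TEST-NET placeholder addresses; the VPN subnet and the client port ranges are assumed values to be replaced with your own and with those from your Teams admin center.

```python
"""Build split-tunnel exclusions and firewall rules for Teams media (added example,
not from the original post; constructed endpoint sample, placeholder IPs)."""
import ipaddress
import json

# Constructed sample: Teams entries carry serviceArea "Skype"; the Exchange
# entry and the non-required "Default" entry must be ignored.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 11, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "ips": ["192.0.2.0/24", "2001:db8:1::/48"], "udpPorts": "3478,3479,3480,3481"},
    {"id": 12, "serviceArea": "Skype", "category": "Allow", "required": True,
     "ips": ["198.51.100.0/24"], "tcpPorts": "443"},
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "ips": ["203.0.113.0/24"], "tcpPorts": "443"},
    {"id": 13, "serviceArea": "Skype", "category": "Default", "required": False,
     "ips": ["203.0.113.128/25"]},
])

# Assumed client media source-port ranges (defaults as shown in the Teams
# admin center); replace with your tenant's actual values.
CLIENT_PORT_RANGES = {"audio": (50000, 50019), "video": (50020, 50039),
                      "sharing": (50040, 50059)}


def teams_ip_ranges(endpoints_json: str) -> list:
    """Required Optimize/Allow Teams prefixes, de-duplicated, IPv4 first."""
    nets = set()
    for entry in json.loads(endpoints_json):
        if entry.get("serviceArea") != "Skype" or not entry.get("required"):
            continue
        if entry.get("category") not in ("Optimize", "Allow"):
            continue
        for prefix in entry.get("ips", []):
            nets.add(ipaddress.ip_network(prefix, strict=False))
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def split_tunnel_rules(vpn_subnet: str, endpoints_json: str) -> list:
    """Rules the post describes: RESET Teams service traffic inside the tunnel
    in both directions, then block client media source ports both ways."""
    rules = []
    for net in teams_ip_ranges(endpoints_json):
        rules.append({"src": vpn_subnet, "dst": net, "action": "reset"})
        rules.append({"src": net, "dst": vpn_subnet, "action": "reset"})
    for name, (lo, hi) in CLIENT_PORT_RANGES.items():
        ports = f"{lo}-{hi}"  # the Teams client's own port: sport outbound, dport inbound
        rules.append({"src": vpn_subnet, "dst": "any", "sport": ports,
                      "proto": "udp/tcp", "action": "block", "modality": name})
        rules.append({"src": "any", "dst": vpn_subnet, "dport": ports,
                      "proto": "udp/tcp", "action": "block", "modality": name})
    return rules
```

Feed the real endpoints JSON for your tenant in place of the sample and translate the returned rule dicts into your firewall vendor's syntax.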
Does this topic apply to Skype for Business Online?
Yes, this topic applies to Skype for Business Online as well, because Microsoft Teams and Skype for Business Online share the same IP subnets and ports.
How to verify VPN split tunneling?
To verify the VPN split tunnel, connect from an external network (wired or wireless) and then connect to the VPN on which the split tunnel is implemented.
- Then make a Teams one-to-one call, capture network traces using Wireshark or Network Monitor, and verify that Teams media (UDP) traffic flows between your local IP address and the other party's local IP address (not via the VPN IP addresses).
- Join a Teams meeting, capture network traces using Wireshark or Network Monitor, and verify that Teams media (UDP) traffic flows between your local IP address and the Teams service (Office 365) transport relay IP address, not via the VPN IP addresses.
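As an added example (not from the original post), the following Python performs the check described above on a constructed, tshark-style list of flow records exported from a capture: media flows sourced from the physical interface count as split, flows sourced from the VPN adapter address count as hairpinned. The physical and VPN addresses, the peer and relay addresses and the client media port range are all assumed placeholders.

```python
"""Classify captured Teams media flows as split (physical NIC) or hairpinned
(VPN adapter). Added example, not from the original post; all values constructed."""
import ipaddress

# Constructed capture in a tshark-style "src,sport,dst,dport,proto" form:
# a 1:1 call flow from the physical NIC, a meeting flow to a relay placeholder,
# a flow sourced from the VPN adapter address (hairpinned), and HTTPS noise.
SAMPLE_CAPTURE = """\
192.168.1.20,50012,203.0.113.77,50021,UDP
192.168.1.20,50031,198.51.100.9,3478,UDP
10.200.4.15,50007,198.51.100.9,3478,UDP
192.168.1.20,51234,198.51.100.30,443,TCP
"""
MEDIA_PORTS = (50000, 50059)  # assumed default client range; check the admin center


def classify_media_flows(capture: str, physical_ip: str, vpn_subnet: str) -> dict:
    """Bucket UDP flows whose source port is in the client media range by
    whether they left the physical interface (split) or the VPN adapter."""
    vpn_net = ipaddress.ip_network(vpn_subnet)
    result = {"split": [], "hairpinned": []}
    for line in capture.splitlines():
        src, sport, dst, dport, proto = line.split(",")
        if proto != "UDP" or not MEDIA_PORTS[0] <= int(sport) <= MEDIA_PORTS[1]:
            continue
        flow = f"{src}:{sport} -> {dst}:{dport}"
        if ipaddress.ip_address(src) in vpn_net:
            result["hairpinned"].append(flow)
        elif src == physical_ip:
            result["split"].append(flow)
    return result


def split_tunnel_ok(capture: str, physical_ip: str, vpn_subnet: str) -> bool:
    """True when at least one media flow used the physical NIC and none the VPN."""
    buckets = classify_media_flows(capture, physical_ip, vpn_subnet)
    return bool(buckets["split"]) and not buckets["hairpinned"]
```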
Note: For the firewall rule that blocks the Teams service IP addresses/subnets, set the action to RESET instead of DENY; the client then receives an immediate connection reset rather than waiting for a timeout, which makes the Teams client sign-in process faster.
Providing an optimal experience to the end-user community is our main goal, and VPN split tunneling helps achieve this by preventing the Teams client from connecting via the VPN tunnel, so that media always takes the external path and not the VPN tunnel, which eliminates the extra hop, double encryption, and so on.