{"id":2224,"date":"2021-01-31T16:36:43","date_gmt":"2021-01-31T16:36:43","guid":{"rendered":"https:\/\/modern-workplace.uk\/?p=2224"},"modified":"2021-01-31T20:42:00","modified_gmt":"2021-01-31T20:42:00","slug":"teams-virtual-sbc-closing-azure-network-ports-warnings-for-azureloadbalancer-and-virtualnetwork-2-2-2-2","status":"publish","type":"post","link":"https:\/\/modern-workplace.uk\/?p=2224","title":{"rendered":"Teams – Direct Routing – The impact of Media Bypass on remote working (home working) users"},"content":{"rendered":"\n

Direct Routing<\/strong> with Media Bypass<\/strong> has been available for almost two years now and its benefits in different scenarios are clear.<\/p>\n\n\n\n

For example, in a corporate environment with SBCs deployed inside the internal network, there are positive results when the users are connecting from the company’s offices.<\/p>\n\n\n\n

However, with the existing situation pushing companies to remote work (and this will probably be still the case for a few months at least), it is more relevant than ever to optimise the remote users\u2019 connectivity (especially the Media traffic) to Teams<\/p>\n\n\n\n

Whilst Signaling traffic always flows via the Microsoft Cloud (and it does not contribute much to the overall network usage), Media traffic is managed really in a different way if we use Direct Routing with or without Media Bypass (and the Media traffic is the one that uses more bandwidth, so important to optimise)<\/p>\n\n\n\n

There are two components in the Microsoft Cloud that can be in the path of media traffic: Media Processors (MPs)<\/strong> and Transport Relays (TRs)<\/strong>. Depending on our configuration, they could be involved in the path for media traffic.<\/p>\n\n\n\n

I am not going to deep dive them here, but there are some important information to understand, as stated in this Microsoft document https:\/\/docs.microsoft.com\/en-us\/microsoftteams\/direct-routing-plan-media-bypass<\/a><\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Media Processors<\/strong>:<\/p>\n\n\n\n

  1. will always be used in a non-bypass scenario<\/li>
  2. are not always available in a region (5 regions are available so far)<\/li>
  3. will be always used for voice applications like Auto Attendant and Call Queues<\/li><\/ol>\n\n\n\n

    Transport Relays<\/strong>:<\/p>\n\n\n\n

    1. will be used only if the public IP of the SBC is not reachable<\/li>
    2. will always be used for scenarios with Media Bypass<\/li>
    3. are more extensively available in regions near to the users<\/li><\/ol>\n\n\n\n

      As an additional information, as for conferencing, MPs will be always selected based on the location of the SBC, not on the location of the user<\/em> <\/strong>(Mark Vale did some testing around that some time ago https:\/\/commsverse.blog\/2019\/09\/20\/microsoft-teams-media-with-privacy-boundaries\/<\/a> )<\/p>\n\n\n\n

      So, let\u2019s outline a few scenarios, assuming that
      \u2022 We are focusing on home-based users
      \u2022 The users are able to connect to Office 365 and Teams directly using their local Internet connection (no VPN or split-tunnel VPN deployed)
      \u2022 When possible, the client will use the nearest geographical public IP address for the Office 365 and Azure services
      \u2022 The SBC is deployed in Azure (there is not a big difference if it is in your datacentre for this conversation, though)<\/p>\n\n\n\n

      First Scenario: Direct Routing, Media Bypass, SBC with no filters on incoming IPs or ports<\/strong><\/p>\n\n\n\n

      \"\"<\/a><\/figure>\n\n\n\n


      \u2022 Media flow will go directly from the Teams client to the public IP of the SBC
      \u2022 The traffic will not use the Microsoft Azure network, so there could be a lot of unmanaged hops between the client and the SBC (opposite to using the nearest access to the Azure network)
      \u2022 There are risks about security with this solution that does not control the Internet access to the SBC services<\/p>\n\n\n\n

      Second Scenario: Direct Routing, No Media Bypass, SBC allowing only Microsoft IPs<\/strong><\/p>\n\n\n\n

      \"\"<\/a><\/figure>\n\n\n\n