Understanding Media Flows in Microsoft Teams and Skype for Business

Presentation transcript:

Understanding Media Flows in Microsoft Teams and Skype for Business
Microsoft Ignite 2016
Thomas Binder, Senior Program Manager
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
- The challenge
- The solution
- In action
- Call flows
- Tools & Troubleshooting

Session Objectives And Takeaways
Objectives:
- What are the challenges for media connectivity?
- How can endpoints find the optimal media path?
- How do I identify connectivity issues?
Takeaways:
- Traffic can be peer-to-peer between clients
- Leverage local internet breakout
- Open 3478-3481 UDP on your firewall

About Thomas
tbinder@microsoft.com; Vienna, Austria. With Microsoft since 2007: IT Pro Readiness, then Product Group.

About this session
Scope: media scenarios; connectivity, not quality; Skype for Business Online and Microsoft Teams.
For logs we will be looking (mostly) at Skype for Business logs.

Terms & Acronyms
- Candidate: a possible combination of IP address and port for the media channel
- ICE: Interactive Connectivity Establishment (RFC 5245)
- STUN: originally Simple Traversal of UDP through NAT (RFC 3489), now Session Traversal Utilities for NAT (RFC 5389)
- TURN: Traversal Using Relays around NAT (RFC 5766)
- Relay: Media Relay or Transport Relay

The challenge

The Challenge (diagram)
Signaling and media paths between Alice, Bob, Charlie and Dan: Alice and Bob each sit behind a NAT, Charlie and Dan behind a corporate firewall. Signaling reaches the service; media has to find its way across the NATs and the firewall.

Challenge 1: NAT (Network Address Translation)
Function:
- Translates one or more internal addresses to one external address
- Allows connections from the private network
- Blocks connections from public networks
Tradeoff (security vs. usability):
- Blocks unwanted traffic
- Might also block wanted traffic

Challenge 2: Corporate Firewalls
Though more scrutinized, the goals are similar:
- Sharing of IP addresses
- Controlling data traffic from the internet
- Might apply additional features like Deep Packet Inspection

Challenge 3: HTTP Proxy Servers
- Proxy traffic from the corporate network to the internet
- Operate at the HTTP application level, so they always use TCP
- Can apply additional security: filter HTTP requests, filter HTTP traffic, scan downloads
Challenges for Skype for Business:
- HTTP scanning might corrupt traffic
- The customer might block all non-proxy traffic, including UDP

The solution

Solution: ICE, STUN, TURN
- Skype for Business uses SIP; Teams uses a REST API over HTTPS and WebSocket
- Signaling goes directly to the cloud
- Media uses a separate channel
- Add a relay (STUN/TURN server):
  - STUN reflects the NAT-mapped addresses (b) and (e)
  - TURN relays media packets (c) and (d)
  - ICE exchanges candidates and determines the optimal media path
(Diagram: signaling client with local address (a), STUN/TURN server, candidates b through e.)

Which components use ICE?
- ICE endpoints: clients and service components
- Modalities: audio, video, desktop sharing; Skype for Business only: 1:1 file transfer
- Relay: provides STUN and TURN; does not terminate any media; is not an ICE endpoint

Two types of relay
Media Relay:
- Built for on-premises
- Static in one datacenter
- Same UDP ports for all workloads
- Used by Skype for Business
Transport Relay:
- Cloud-born service
- Dynamic discovery via Anycast IP (see sessions BRK1005 and BRK3029)
- Different UDP ports per workload
- In progress for Skype for Business; used by Teams
Customers can only benefit from this if local internet breakouts are used.

Transport Relay
Anycast IP address:
- The same IP is assigned to geographically dispersed servers
- IP routing ensures the "closest" instance is always used
The "closest" available Transport Relay receives the traffic:
- Based on actual endpoint location
- And based on privacy boundaries: sovereign tenants' users use local infrastructure; EU tenants use Transport Relays in the EU and US; other tenants use Transport Relays worldwide
Customers can only benefit from this if local internet breakouts are used.

Discovery and Load Distribution
Anycast IP address:
- Wikipedia: "Anycast addressing uses a one-to-nearest association; datagrams are routed to a single member of a group of potential receivers that are all identified by the same destination address."
- Each Transport Relay uses the same IP address (for candidate allocation)
- The Anycast IP lets the client find the most local Transport Relays
Equal-cost multi-path routing (ECMP):
- Distributes load based on a hash of source IP, destination IP, Layer 4 protocol, source port and destination port
- A Transport Relay can add or remove itself from traffic distribution by starting or stopping the announcement of its IP
- ECMP distributes the load within one location

In action

Five phases of ICE
During sign-in:
- Requesting credentials via the Media Relay Authentication Service (MRAS) or the Transport Relay Authentication Provider (TRAP)
When establishing a call:
- Candidate Discovery
- Candidate Exchange
- Connectivity Checks
- Candidate Promotion

Relay Credentials
1. Client signs in
2. Client learns about the relay via signaling
3. Client requests credentials via signaling
4. Credentials are created
5. Client receives the credentials via signaling

Same but different
- Option 1: Skype for Business Online with Media Relay, or Lync 2010: MRAS on the assigned relay creates the credentials
- Option 2: Skype for Business Online with Transport Relay, Lync 2013 or newer: MRAS requests the credentials from TRAP (MRAS sends an HTTP TRAP request and receives TRAP credentials)
- Option 3: Teams: TRAP creates the credentials

Demo: Log analysis, acquiring MRAS credentials

MRAS: Same but different
- Skype for Business with Media Relay: client learns the FQDN of a specific Media Relay pool
- Skype for Business with Transport Relay: client learns an FQDN that points to the Transport Relay Anycast IP
- Teams: client learns the Anycast IP

Address Discovery (diagram)
The endpoint sits behind a NAT/firewall and talks to the relay. Its candidate list consists of the NIC address (a), the address reflected through the NAT/firewall (b) and relay-allocated addresses (c, d, e), obtained through a UDP allocation and a TCP allocation; (c) is marked as the default candidate. The remote endpoint builds its own list the same way.

Allocations: same but different
- Skype for Business with Media Relay: connects to a specific Media Relay via 3478 UDP and 443 TCP, and keeps that connection
- Skype for Business with Transport Relay: connects to the relay via Anycast on 3478 UDP and 443 TCP; is redirected to the IP of a specific relay; UDP is redirected to the workload-specific port
- Teams: UDP keeps the connection on port 3478

Candidates: Same but different
Skype for Business:
- Some scenarios are TCP only: 1:1 file transfer, desktop sharing via Remote Desktop Protocol
- The allocated relay port will be in the 50,000-59,999 range
Teams:
- Includes only UDP candidates in the candidate list
- Allocates a workload-specific port on the relay

Address Exchange (diagram)
The caller's INVITE carries its candidate list a, b, c, d, e (default c). The callee answers with Session Progress and OK carrying its list v, w, x, y, z (default y). Afterwards each endpoint holds both a local and a remote candidate list. The exchange travels over signaling; the NAT/firewalls and relays sit between the two endpoints.

Demo: Log analysis, candidates

Media encryption
MRAS/TRAP credentials:
- Allow the endpoint to allocate candidates from the relay
- Have nothing to do with media encryption
Real-time Transport Protocol (RTP) and Secure RTP (SRTP):
- Encryption is negotiated during call setup
- Encryption cipher and keys are exchanged in the Session Description Protocol (SDP); because the keys travel inside SDP, the TLS-protected signaling channel is what keeps them confidential

Connectivity Checks
- Determine all possible UDP and TCP port pairings
- The relay can bridge between IPv4 and IPv6
- For Teams, the relay can bridge TCP to UDP
- STUN packets are sent between port pairs in order
- A STUN packet response indicates connectivity
- Checks stop when a candidate pair has bi-directional connectivity

Candidate Promotion
- Select the highest-order candidate with validated connectivity: IPv4 before IPv6, UDP before TCP, direct before relay
- Re-INVITE with only one candidate in the SDP
- The confirmation also contains only one candidate in the SDP
- Media is on the optimal, validated path

TCP vs UDP
TCP:
- Requires each packet to be acknowledged by the receiver
- Lost packets are resent, causing subsequent packets to be delayed
UDP:
- "Fire and forget": what is lost is lost
Real-time communication:
- We want packets quickly
- If we lose (some) packets we do not really care: audio and video might experience glitches, but the session continues

Demo: Log analysis, final candidates

Call flows

1:1 calls (diagram)
Both clients use their 50,000 port range locally; toward the service they use 443 TCP and 3478-3481 UDP; the service side uses the 50,000 port range.
* Teams speaks to its own relay on port 3478 UDP (plus 3479-3481 UDP per workload).

Skype for Business: Client to service (diagram)
Client side: 443 TCP, 3478-3481 UDP, 50,000 port range. Service side: 443 TCP, 3478-3481 UDP, 50,000 port range.

Teams: Client to service (diagram)
443 TCP, 3478 UDP*, 3479-3481 UDP.

Ports overview
Workload              Skype for Business client port     Teams client port   Service port (Media Relay / Transport Relay*)
Allocate candidates   Audio: 50,000-50,019               High ports          443 TCP, 3478 UDP
                      Video: 50,020-50,039
                      Desktop Sharing: 50,040-50,059
Audio                 50,000-50,019                      High ports          443 TCP, 3479 UDP
Video                 50,020-50,039                      High ports          443 TCP, 3480 UDP
Desktop sharing       50,040-50,059                      High ports          443 TCP, 3481 UDP
* Teams currently speaks to its own relay on port 3478.

Do's and Don'ts
- Direct connectivity required: clients need to connect directly to O365; configure your firewalls, proxies, packet shapers etc. accordingly
- Use local internet breakouts: don't make the traffic travel around the world
- UDP and TCP: media will prefer UDP; TCP is required for some scenarios and workflows
- Documented IPs and FQDNs: "Office 365 URLs and IP address ranges", http://aka.ms/o365endpoints; subscribe to the RSS feed!
- Open UDP ports: verify that 3478-3481 UDP are open

Skype for Business: Hybrid
- Edge Server on-premises: requirements unchanged; server-to-service traffic will not use the new 3479-3481 UDP ports
- Endpoints: the deployment location determines the relay service; endpoints homed in the service use the Online relay, endpoints homed on-premises use the on-premises Edge Server
- Combination of all requirements: users homed online need direct connectivity to the Online services; the AV Edge Server on-premises needs the required ports open

Tools & Troubleshooting

Capturing logs
Skype for Business:
- Collect UccApilog.log and open it in Snooper
- Snooper is part of the Skype for Business Server 2015 Debugging Tools
Teams:
- Capture traffic with a local proxy tool, for example Fiddler or Charles Web Debugging Proxy
- This requires you to trust the tool's root certificate so it can perform a man-in-the-middle on the client's TLS sessions; do this on a test machine rather than a production workstation

Skype for Business: Where are the logs?
Turn on logging first!
- Skype for Business 2016: %localappdata%\Microsoft\Office\16.0\Lync\Tracing
- Lync 2013 / Skype for Business 2013: %localappdata%\Microsoft\Office\15.0\Lync\Tracing
- Lync 2010 (and earlier): %userprofile%\tracing
- Skype for Business for Mac: click "Collect Logs" in preferences

Snooper UccApilog.log search tips
- "MRAS": finds in-band provisioning, the MRAS request and MRAS provisioning
- "a=candidate": finds the candidate exchange
- "a=remote-candidate": finds the promoted candidates that were used for the call
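Added example, not from the deck or from Microsoft's tooling: what the "a=candidate" and "a=remote-candidate" searches above pull out of a log, parsed and then run through the promotion order from the Candidate Promotion slide (IPv4 before IPv6, UDP before TCP, direct before relay). The SDP lines and the connectivity-check outcomes are constructed for the example; addresses are RFC 5737 documentation ranges, not Office 365 relay addresses, and the TCP-ACT/TCP-PASS transport names are the Skype for Business spelling.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One a=candidate line. transport is UDP or a TCP variant (TCP-ACT / TCP-PASS);
    typ is host, srflx, prflx or relay."""
    foundation: str
    component: int
    transport: str
    priority: int
    ip: str
    port: int
    typ: str

    def is_udp(self) -> bool:
        return self.transport.upper() == "UDP"

    def is_relay(self) -> bool:
        return self.typ == "relay"

    def is_ipv4(self) -> bool:
        return ipaddress.ip_address(self.ip).version == 4


def parse_candidates(sdp: str) -> list:
    """Extract every a=candidate line (RFC 5245 syntax) from an SDP body."""
    cands = []
    for line in sdp.splitlines():
        line = line.strip()
        if not line.startswith("a=candidate:"):
            continue
        f = line[len("a=candidate:"):].split()
        if len(f) < 8 or f[6] != "typ":
            raise ValueError(f"malformed candidate line: {line}")
        cands.append(Candidate(f[0], int(f[1]), f[2], int(f[3]), f[4], int(f[5]), f[7]))
    return cands


def parse_remote_candidates(sdp: str) -> dict:
    """a=remote-candidates:<component> <ip> <port> ... -> {component: (ip, port)}.
    This is the line the re-INVITE carries after promotion; it names the pair in use."""
    for line in sdp.splitlines():
        if line.strip().startswith("a=remote-candidates:"):
            f = line.split(":", 1)[1].split()
            return {int(f[i]): (f[i + 1], int(f[i + 2])) for i in range(0, len(f) - 2, 3)}
    return {}


def promotion_key(pair) -> tuple:
    """Ordering from the deck: IPv4 before IPv6, UDP before TCP, direct before relay;
    ties broken by the candidates' own ICE priorities (higher first)."""
    local, remote = pair
    return (
        0 if (local.is_ipv4() and remote.is_ipv4()) else 1,
        0 if (local.is_udp() and remote.is_udp()) else 1,
        1 if (local.is_relay() or remote.is_relay()) else 0,
        -(local.priority + remote.priority),
    )


def promote(validated_pairs: list) -> tuple:
    """Pick the pair that goes into the re-INVITE as the single remaining candidate."""
    if not validated_pairs:
        raise ValueError("no candidate pair passed connectivity checks")
    return min(validated_pairs, key=promotion_key)


def classify_path(pair) -> str:
    """'direct/UDP', 'relay/TCP', ...: the label a troubleshooter wants from a log."""
    local, remote = pair
    transport = "UDP" if (local.is_udp() and remote.is_udp()) else "TCP"
    path = "relay" if (local.is_relay() or remote.is_relay()) else "direct"
    return f"{path}/{transport}"


# Constructed sample: the caller's INVITE and the callee's answer (documentation ranges).
CALLER_SDP = """\
a=candidate:1 1 UDP 2130706431 10.0.0.5 50004 typ host
a=candidate:2 1 TCP-ACT 1684798463 10.0.0.5 50005 typ host
a=candidate:3 1 UDP 1694498815 203.0.113.7 50004 typ srflx raddr 10.0.0.5 rport 50004
a=candidate:4 1 UDP 16777215 198.51.100.10 3479 typ relay raddr 203.0.113.7 rport 50004
a=candidate:5 1 TCP-PASS 16777214 198.51.100.10 443 typ relay raddr 203.0.113.7 rport 50005
"""
CALLEE_SDP = """\
a=candidate:1 1 UDP 2130706431 192.168.1.20 50010 typ host
a=candidate:2 1 UDP 1694498815 192.0.2.44 50010 typ srflx raddr 192.168.1.20 rport 50010
a=candidate:3 1 TCP-PASS 16777214 198.51.100.20 443 typ relay raddr 192.0.2.44 rport 50011
"""


def demo(udp_blocked_at_callee: bool = False) -> str:
    """Simulate the connectivity-check outcome and report the promoted path.
    Host-to-host never validates here: the two sites are on different private networks."""
    local = {c.foundation: c for c in parse_candidates(CALLER_SDP)}
    remote = {c.foundation: c for c in parse_candidates(CALLEE_SDP)}
    validated = [(local["5"], remote["3"])]           # relay TCP on 443: always passes
    if not udp_blocked_at_callee:
        validated += [(local["3"], remote["2"]),       # reflexive <-> reflexive over UDP
                      (local["4"], remote["2"])]       # caller's relay <-> callee reflexive
    return classify_path(promote(validated))
```

With UDP open at both sites, demo() promotes the reflexive-to-reflexive pair ("direct/UDP"); block UDP at the callee and the only survivor is the relay over 443 TCP ("relay/TCP"), which is exactly the pattern the Call Quality Dashboard guidance later in the deck tells you to hunt for per subnet.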

Teams: How to configure Charles
- Install the Charles root certificate: "Help" > "SSL Proxying" > "Install Charles Root Certificate"; choose the certificate store "Trusted Root Certification Authorities"
- Enable SSL proxying: "Proxy" > "SSL Proxy Settings"; add * for host and port
- Enable the SOCKS proxy: "Proxy" > "Proxy Settings" > "SOCKS Proxy" > "Enable HTTP proxying over SOCKS"
- Start Charles before Teams; if you restart Teams, wait a couple of minutes after closing Teams before starting it again
- Remove the Charles root certificate from "Trusted Root Certification Authorities" when you are done; while it is installed, anyone holding that private key can intercept the machine's TLS traffic
- Your mileage may vary

Charles search tips (your mileage may vary!)
- "MDN_TRAP": relay information
- "a=candidate": finds the candidate exchange
- "a=remote-candidate": finds the promoted candidates that were used for the call

Call Quality Dashboard
- Every endpoint sends quality data ("Quality of Experience" data) after each call
- The Call Quality Dashboard lets you view that data: not individual calls, but aggregates under different filters
- Subnet reports and building reports allow you to identify problematic sites
- For media connectivity: look for subnets with a high share of TCP traffic
- Practical guidance: http://aka.ms/myadvisor
- Session BRK2010, "Call quality management for Skype for Business and Microsoft Teams"

Networking tool: Skype for Business Network Assessment Tool
- Test network quality: conducts an actual call, sending media; collects latency, jitter and packet loss
- Test connectivity*: tests UDP and TCP ports; run from the client computer to test connectivity
- Session BRK2031, "Real Time Communications with Network Planner"
* Connectivity test coming "soon"

Testing ports
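The "Testing ports" slide was a live demo. As an added example, not from the deck and not Microsoft's Network Assessment Tool, here is the STUN half of the ICE/STUN/TURN solution described earlier in working form: an RFC 5389 Binding Request is built, a Binding Response is parsed (including the XOR-MAPPED-ADDRESS that yields the NAT-reflected candidate the deck labels (b)/(e)), and the same request is used to probe a relay's UDP ports 3478-3481. The relay host name is left to the caller and the sample response is constructed locally, so everything except probe_udp_ports() runs offline.

```python
import os
import socket
import struct

# STUN (RFC 5389) constants. The 0x2112A442 cookie marks RFC 5389 messages and is
# the XOR key for XOR-MAPPED-ADDRESS; ports are XORed with its upper 16 bits.
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4, FAMILY_IPV6 = 0x01, 0x02


def build_binding_request(txid: bytes = None) -> bytes:
    """20-byte header, no attributes: type, body length, magic cookie, 96-bit transaction ID."""
    txid = os.urandom(12) if txid is None else txid
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _xor_key(family: int, txid: bytes) -> bytes:
    # IPv4 addresses are XORed with the cookie, IPv6 addresses with cookie || transaction ID.
    cookie = struct.pack("!I", MAGIC_COOKIE)
    return cookie if family == FAMILY_IPV4 else cookie + txid


def _xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """A server's Binding Success Response carrying XOR-MAPPED-ADDRESS.
    Used here only to construct an offline sample reply for the demo and test."""
    try:
        addr, family = socket.inet_pton(socket.AF_INET, ip), FAMILY_IPV4
    except OSError:
        addr, family = socket.inet_pton(socket.AF_INET6, ip), FAMILY_IPV6
    value = struct.pack("!xBH", family, port ^ (MAGIC_COOKIE >> 16)) + _xor_bytes(addr, _xor_key(family, txid))
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data: bytes, expected_txid: bytes) -> dict:
    """Validate header and framing, then return the reflexive address(es):
    {'xor_mapped': (ip, port)} and/or {'mapped': (ip, port)}."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    txid = data[8:20]
    if cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 STUN message")
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply is not for our request")
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{mtype:04x}")
    if len(data) != 20 + mlen:
        raise ValueError("length field does not match datagram size")
    body, off, out = data[20:], 0, {}
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        off += 4 + ((alen + 3) & ~3)            # attribute values are padded to 4 bytes
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            continue                            # SOFTWARE, FINGERPRINT, ...: not needed here
        if len(value) not in (8, 20):
            raise ValueError("bad address attribute length")
        family, port = struct.unpack("!xBH", value[:4])
        raw = value[4:]
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            raw = _xor_bytes(raw, _xor_key(family, txid))
        af = socket.AF_INET if family == FAMILY_IPV4 else socket.AF_INET6
        out["xor_mapped" if atype == ATTR_XOR_MAPPED_ADDRESS else "mapped"] = (socket.inet_ntop(af, raw), port)
    return out


def probe_udp_ports(host: str, ports=(3478, 3479, 3480, 3481), timeout: float = 2.0) -> dict:
    """Send a Binding Request to each port; map port -> reflexive (ip, port), 'reply' or None.
    Needs network access, so it is not called at import. A reply proves the UDP path to that
    port is open; silence can be a firewall block or a server that does not answer plain
    Binding requests on that port, so treat None as inconclusive, not as proof of a block."""
    results = {}
    for port in ports:
        txid = os.urandom(12)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_binding_request(txid), (host, port))
                data, _ = s.recvfrom(2048)
            except OSError:                     # includes socket.timeout
                results[port] = None
                continue
        if data[4:20] != struct.pack("!I", MAGIC_COOKIE) + txid:
            results[port] = None                # stray datagram, not our transaction
            continue
        try:
            results[port] = parse_binding_response(data, txid).get("xor_mapped", "reply")
        except ValueError:
            results[port] = "reply"             # e.g. a STUN error response: still reachable
    return results
```

Run probe_udp_ports() from a client workstation against the relay FQDN or Anycast IP the client learned during sign-in (see the MRAS slides), one site at a time; comparing the reflexive address across sites also shows whether a site really has its own local internet breakout or is hair-pinned through a central egress. The transaction-ID and cookie checks matter: without them a stray or spoofed datagram would be mistaken for proof that the port is open.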

Resources and Summary

Resources
- Troubleshoot media flows in Skype for Business across online, server and hybrid: http://aka.ms/AVEdge
- Office 365 URLs and IP address ranges: http://aka.ms/o365endpoints
- Skype for Business Server 2015, Debugging Tools: https://aka.ms/SfBDebuggingTools
- Skype for Business Network Assessment Tool: http://aka.ms/NWATool
- Call Quality Dashboard: http://cqd.lync.com
- Guidance: http://aka.ms/myadvisor

Related sessions
- BRK2031, "Real Time Communications with Network Planner", Friday 12:45 PM
- BRK1005, "Learn about the Microsoft global network and best practices for optimizing Office 365 connectivity"
- BRK2010, "Call quality management for Skype for Business and Microsoft Teams"
- BRK3029, "Demystifying internet connectivity to Skype for Business Online and Microsoft Teams"
