MSS FW Best Practices: Zoom & Teams
Description
CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples and caution should be exercised when making changes to your firewall as unplanned changed could result in downtime based on the complexity of the environment and/or configuration.
MSS Recomended SonicWall Firewall Best Practices Index
Notes/Considerations
- SonicWalls will interfere with Zoom & Teams traffic by default due to the nature of UDP VoIP traffic.
- If the SonicWall has UDP Flood Protection enabled, you might need to increase the UDP Flood Attack Threshold (UDP Packets / Sec) if the firewall is seeing the VoIP traffic as an UDP flood.
Excluding Services
- Create a Service Object Group with all of the ports that are used by the Zoom and/or Teams service the customer has, Phone, meeting, etc. The lists can be found here:
- Create an outbound firewall rule from the zone where the zoom/teams clients are to the WAN with the following settings:
- Service: Service port group created above
- TCP Connection Inactivity Timeout (minutes): 30
- UDP Connection Inactivity Timeout (minutes): 60
- Allow TCP Urgent Packets
- Disable DPI
- Disable DPI-SSL Client
- Disable DPI-SSL Server
If the customer is running DPI-SSL:
- Exclude the service object group created above.
- Exclude the Zoom Layer 7 application from the firewall’s DPI engine:
- Create a Match Object for Zoom and/or teams:
- Create an App rule to bypass DPI:
Additional Configuration
In addition, implement the SonicWall recommended changes to the Flood Protection and App firewall per the following KB: Troubleshooting dropouts for video conferencing applications | SonicWall
- Ensure the following applications are not blocked in the App Control:
- Encrypted Key Exchange
- Non-SSL traffic over SSL port
Related Articles
not finding your answers?