Redaguoti

Bendrinti naudojant


Proxy servers for Teams and Skype for Business Online

This article provides guidance about using a proxy server with Teams or Skype for Business.

Microsoft 365 connectivity

High quality, low latency connectivity is key to achieving call quality within Microsoft Teams and Skype for Business.

We recommend that the path between the end users device and Microsoft 365 is as short and direct as possible and utilizes local Internet egress that is close to the end user. This enables traffic to quickly reach the closest Microsoft network service front door location.

Many organizations utilize proxy servers today within their network. As Microsoft Teams and Skype for Business media traffic is already encrypted, passing this traffic through a proxy server doesn't make the traffic any more secure.

Proxies can cause issues too. Performance-related problems can be introduced to the environment through latency and packet loss by attempting to route Teams traffic through a proxy server. This can be caused by the proxy being unable to handle the amount of traffic passing through it, or by incorrectly routing the traffic to a Microsoft network service front door location that is further away from the end user.

Issues such as these will result in a negative experience within Teams and Skype for Business.

We recommend that Teams traffic bypasses proxy server infrastructure, including SSL inspection. You may wish to achieve this by putting Teams Phones and Meeting Room devices on their own VLAN and providing them with Internet access.

Windows-Based Teams Devices

Windows-based Teams meeting rooms, and Surface Hubs support some proxy servers, but don't support proxy servers that require authentication.

We recommend that these devices bypass your proxy infrastructure and access Microsoft 365 services via your firewall.

Android-Based Teams Devices

Android-based Teams devices, including Teams phones, panels, displays and boards don't support authenticated proxy servers or tenant restrictions. Contact your OEM partner for details on unauthenticated proxy support.

We recommend that these devices bypass your proxy infrastructure and access Microsoft 365 services via your firewall.

If you need to use a proxy server

Some organizations have no option to bypass a proxy for Teams or Skype for Business traffic. If that's the case for you, the problems mentioned above need to be kept in mind.

Note

If you use a privately signed certificate on your proxy infrastructure (commonly used for SSL inspection), you'll need to install the privately signed certificate and the certificate chain on the Teams meeting room device to allow the device to trust the certificate. Installing privately signed certificates on Teams Phones and other Android-based Teams devices is not supported.

Microsoft also strongly recommends:

  • Using local, external DNS resolution (some cloud-based proxy solutions can cause DNS resolution to occur in another location).

  • Ensuring the path between the Teams device and our service is as short and direct as possible

  • Using direct UDP based routing rather than relying on TCP based routing for media

  • Allowing UDP traffic for Teams Media (3478-3481) through your firewall

  • Allowing all required URLs and IPs, including those for Azure, Office 365, Intune, and Teams Rooms Pro (where used) through your firewall

  • Following the other recommendations in our networking guidelines: Prepare your organization's network for Teams

Following this guidance should minimize potential problems.

Additional recommendations for Teams live events and Teams view-only meetings

Viewers of Teams live events and Teams view-only meetings receive the stream via TCP HTTPS. We recommend that you bypass proxy servers and disable SSL inspection for the following URLs:

  • *.media.azure.net
  • *.bmc.cdn.office.net

Microsoft 365 and Office 365 Network Connectivity Principles

Prepare your organization's network for Teams