Best Of
Video Conferencing dropouts behind a Sonicwall
With the explosion of people using Teams / Zoom etc for video conferencing while working remotely, we hit an issue with some customers when users started returning into the office, with video and audio dropouts.
This really confused me as I have had no issues behind my firewall at home, nor have we had issues in the office.
Both customers that reported this are fairly big with 100mb+ leased line connections.
After a lot of testing, it appears that there are some changes that are required:
No.1 – UDP Flood Protection is what was killing both – I increased both customer firewalls from 1000 UDP Packets/sec to 10,000 – this resolved most of the issues
No.2 – Teams primarily talks to ports 80/443 as destination ports, so impossible to add exclusions… therefore, you need to add the listed source ports as provided by Microsoft.
Service Objects:
Teams Audio – TCP & UDP – 50000 – 50019
Teams Video – TCP & UDP – 50020 – 50039
Teams Sharing – TCP & UDP – 50040 – 50059
Teams UDP – 3478-3481
Create a Teams Service Group containing the above
Create an Access Rule:
Local Zone -> WAN
Source Port – Teams
Service - Any
Destination – Any
Advanced Tab – Disable DPI
Access rule required for each zone required to use Video / Audio
This should resolve any issues they may have. I’ve only tested the above with Teams and Zoom… but could resolve for others too.
justin
Urgent Security Advisory - NetExtender VPN Client Version 10.x and SMA 100 Series
Hi All,
In the interest of consolidating updates and dispersing information quickly to our Community, we will be closing all other threads related to this Security Advisory. Please leave your comments and questions on this thread and we will ensure that as answers are provided, and validated to be accurate, we will post them here in response.
Knowledge base article: Urgent Security Notice: NetExtender VPN Client 10.x, SMA 100 Series Vulnerability | SonicWall
We are expecting an update to both the Advisory and the Knowledge Base article within 24 hours (at some point on January 23, U.S. CT)
Thanks,
Terri O'Leary
Terri
Re: Two Internet connections, Two network segments, bur different default routes.
Hello @Joseph909,
Welcome to SonicWall community.
You can use the following configuration,
1) Enable WAN Load balancing and use X1 as primary and X2 is secondary with basic failover mode
2) Create a static route to send outgoing traffic from X3 subnet to exit on X2
Please make sure you set logical probing on both the interfaces so that we can determine the internet connectivity status from either interfaces.
Result:
1) X0 exits out of X1 as that is the primary connection and if that interface fails, falls back to X2 as that is the secondary connection on WLB group
2) X3 exits out of X2 due to static routing and uses X1 if the X2 fails probing on WLB disabling the static route.
Thanks!
Re: VLAN clarification
Hello @R20,
Nice to meet you! And this is the perfect location.
In short, Yes! VLANs on a single interface can indeed communicate with one another based on what you allow via access rules.
In terms of setup, please see the following SonicWall articles. Naturally, you will need to work with your switch vendor to create the corresponding VLANs.
Kind Regards,
Micah
Re: VLAN clarification
Hi @R20 ,
SonicOS Enhanced zones allows you to apply security policies to the inside of the network. This allows the administrator to do this by organizing network resources to different zones, and allowing or restricting traffic between those zones. This way, access to critical internal resources such as payroll servers or engineering code servers can be strictly controlled.
Each zone has a security type, which defines the level of trust given to that zone. There are five security types:
- Trusted : Trusted is a security type that provides the highest level of trust—meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the security appliance. The LAN zone is always Trusted.
- Encrypted : Encrypted is a security type used exclusively by the VPN zone. All traffic to and from an Encrypted zone is encrypted.
- Wireless : Wireless is a security type applied to the WLAN zone or any zone where the only interface to the network consists of SonicWALL SonicPoint devices. Wireless security type is designed specifically for use with SonicPoint devices. Placing an interface in a Wireless zone activates SDP (SonicWALL Discovery Protocol) and SSPP (SonicWALL Simple Provisioning Protocol) on that interface for automatic discovery and provisioning of SonicPoint devices. Only traffic that passes through a SonicPoint is allowed through a Wireless zone; all other traffic is dropped.
- Public : A Public security type offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the security appliance and the WAN (unprotected) side. The DMZ, for example, is a Public zone because traffic flows from it to both the LAN and the WAN. By default traffic from DMZ to LAN is denied. But traffic from LAN to ANY is allowed. This means only LAN initiated connections will have traffic between DMZ and LAN. The DMZ will only have default access to the WAN, not the LAN.
- Untrusted : The Untrusted security type represents the lowest level of trust. It is used by both the WAN and the virtual Multicast zone. An Untrusted zone can be thought of as being on the WAN (unprotected) side of the security appliance.By default, traffic from Untrusted zones is not permitted to enter any other zone type without explicit rules, but traffic from every other zone type is permitted to Untrusted zones.
For your scenario create a DMZ zone and create the Access rule as per your requirement.
Ajishlal