cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Product Manager
Product Manager

Monitoring Microsoft Teams/Skype Traffic with NetFlow Traffic Analyzer

With remote workers becoming more and more common, collaboration software is being leveraged by more organizations.  Monitoring Microsoft Teams traffic in your network can offer some insights into collaboration usage trends over time.

This the second article in our series describing how to craft custom applications in NTA.

Next Generation Network-Based Application Recognition Protocol (NBAR2)

If your networking infrastructure supports the NBAR2 protocol and you are running Protocol Pack 37.0.0 or later, then you are already seeing Microsoft Teams/Skype as its own application family.  It will appear (after being detected) as “skype,” ms-teams, ms-teams-audio, ms-teams-media, and “ms-teams-video. 

If your network infrastructure doesn’t support NBAR2, you can still get the classification for Microsoft Teams/Skype communications. 

Custom Application Build

A custom application to monitor Microsoft Teams/Skype requires two parts.  The first part is building a custom IP Group with the target addresses of the application.  Thankfully, Microsoft is good about publishing the IP information. 

Build the IP Group

From the NetFlow settings page, scroll down to IP Address Groups.

Picture1 (2).png

Build a new group and add the addresses.

Picture1.png

These are rarely small lists, so we’ve expedited the process by attaching a file you can import. See the attachment below. If you choose to import it, be sure to “append” to the existing list of IPs.


Build the Multi-Port Application
The last step for building the custom application is configuring the ports for traffic matching. From the NetFlow settings page, select “Application and Service Ports.”

Click “Add Application” and give it a name, enter “80,443,3478-3481” in the port list, and select Microsoft Teams/Skype in the Destination IP Address.

 

Picture1.pngSubmit all your changes.
Now the new custom application will show up in your Flow Navigator.

Picture1.png

 

Using IP groups to distinguish application traffic is a simple way to pull out a clear view of some application services, and can offer you insight you can act upon. Discuss your experiences with custom applications below!

@jreves 

 

9 Replies
Level 8

I only have 2 interfaces set on my Palo to send netflow traffic to Solarwinds.  I used this doc so now I can see the teams and skype traffic.  If I enable more netflow interfaces on my FW will this app traffic show as an aggregation? e.g. Teams seen on VPN tunnel and inside interfaces of FW.  I want to get an accurate representation of this traffic on our network but if it doubles the traffic then it would be skewed. 

Thank you

0 Kudos
Level 8

Quick question - I am new to the SolarWinds world, if I import the list, I don't get the option to "append".  Where would I do the append and what other IP Addresses will I need for this?

0 Kudos

My company, like most all companies, have closed their offices and we are all working remote. We have O365 licenses for Skype/Teams so I guess this monitoring won't apply to us?

0 Kudos

megabyte24_0-1585755905893.png

 

To my thought also, I would not think so, unless your company has VPN set to NOT split tunnel (so all network requests/data from employee PC's will flow via the corporate infrastructure). Of course this can cause other issues with bandwidth via the VPN endpoint, or possibly even in the corporate LAN.

I do wish SolarWinds/the author of this page would edit it to clarify this point.

0 Kudos
Level 13

Thanks again. This one is even better than the one for Webex

0 Kudos

Thanks @jreves and @KMSigma! I added this to our environment

0 Kudos
Level 16

@jreveswould it be possible for SolarWinds to periodically publish out these application filters for all of the Microsoft Cloud apps? 

I don't have NBAR enabled at all sites so need to create these manually. I had previously created the same application but when I reviewed it some of the IP's had changed. 

Thanks!

 

0 Kudos

Thanks!  Very timely and needed right now.  

0 Kudos
Level 16

Thanks @jreves this was very helpful.