browse
TLDR; In the vast majority of cases no action is required. Real-time audio and video connects over UDP, it isn’t proxied, and all works as expected. The issue only occurs when direct connections over UDP are blocked. This can be usually demonstrated by the application working fine at home (with AC+RSM and SWG enabled) but not on the corporate network where more stringent network restrictions are in place.
Various vendors, including but not limited to: Cisco Webex, Zoom and Microsoft Teams advise the use of UDP for the transport of real-time audio and video
Cisco Webex: https://collaborationhelp.cisco.com/en-us/article/WBX000028782/Network-Requirements-for-Webex-Services#id_134133
“UDP is Cisco’s preferred transport protocol for media and we strongly recommend using only UDP to transport media. Webex apps and devices also support TCP and TLS as transport protocols for media, but these are not recommended in production environments as the connection-orientated nature of these protocols can seriously affect media quality over lossy networks.”
A very useful browser tool to verify connectivity and quality: https://mediatest.ciscospark.com/
Microsoft Teams: https://learn.microsoft.com/en-us/microsoftteams/microsoft-teams-online-call-flows
“In general, media traffic is highly latency sensitive, so you would want this traffic to take the most direct path possible, and to use UDP versus TCP as the transport layer protocol, which is the best transport for interactive real-time media from a quality perspective”
Zoom: https://explore.zoom.us/docs/doc/Zoom%20Connection%20Process%20Whitepaper.pdf
“User Datagram Protocol (UDP) is always the preferred configuration when leveraging real-time collaboration tools. Our platform can fall back to TCP if routing through a Web Proxy is required, but this proxy can also create a connection bottleneck
What does this mean?
- The video conferencing solution will attempt to connect over UDP. Note: this will not be proxied.
- If a connection can be established, the call will proceed with the best performance possible on your network.
- However, if this is blocked by some process, e.g. a firewall, it will attempt to connect via TCP, which is not only less efficient, it will be proxied, potentially causing additional latency. Depending on the network, this can cause very poor audio and video quality, or render service unusable.
What can we do to optimise performance?
Follow the vendors recommendations. These typically include:
- Do not proxy real-time audio and video.
- Allow UDP direct connections from your devices to the vendors servers to prevent fallback to TCP.
- Allow the access of the Video Conferencing Solution in Umbrella
- Video conferencing solutions will communicate over HTTP/HTTPS for other communication flows / non-real-time media flows (such as status checks and initial setup of the meeting), and this traffic could be sent via Umbrella. Ensure that Umbrella policies permit the use of the application.
Are there any security implications by not sending this traffic to the Umbrella SWG?
No. Most video conferencing solutions use end-to-end encryption for audio and video streams, and so proxying this traffic will not provide any security benefit. No decryption of this traffic can be applied within the SWG either.
Does this also apply to the browser-based clients too?
Yes. Most Video Conferencing solutions have a browser-based client (“Join via Web” capability), and these services may also use their respective UDP ports for connectivity. Typically, these services use WebRTC, but other services for browsers could be used.