topic Re: skype for business issues in Firewall and Security Management

skype for business issues

Shahar_Grober — Fri, 10 May 2019 13:14:03 GMT

Hi,

I am facing an issue where VOIP calls from our Polycom device to Skype for business online are dropped after about 1 minute.

The drops are one-way (incoming voice) which looks like the incoming SIP traffic is dropped.

The topology is quite simple:

Polycom --> CP GW --> Internet --> Skype for Business online

some insights:

1. the problem doesn't occur when connecting the Polycom directly to the internet via a hotspot. so it is a Check point issue

2. issue still occurs when disabling SecureXL so it is not a SXL issue

3. Hide NAT changes source port for SIP over UDP IP is checked in inspection settings

4. No IPS drops on VOIP. The Polycom IP is excluded from IPS and all inspection settings

5. we see incoming connections from the Skype for business online IP range are blocked by the stealth rule

the last point made me think that it might be a NAT issue with SIP ports range (outgoing connections are NATed but incoming connections are not recognized by the firewall as part of the same connection)

I see the following drops coming from Skype for business online IP range to the GW external IP address

My questions are:

Are there any best practices to configure Skype for business with Check Point

What is the recommendation for NAT with SIP?

Any insights on how to solve this issue

Re: skype for business issues

Jerry — Fri, 10 May 2019 13:37:39 GMT

hi mate

be4 we can give you a hint maybe first introduce your CP GW to us?

what is the os build ? best put here cpinfo -y all so we can advise accordingly.

imho this isn't about the NAT but either IPS or SecureXL (PXL?) but let's make a first things first.

versions matters !

Re: skype for business issues

Shahar_Grober — Fri, 10 May 2019 13:45:46 GMT

R80.10 T_189

as I said IPS protections are excluded + the issue occurs when SecureXL is disabled so it looks like it is

Re: skype for business issues

PhoneBoy — Sat, 11 May 2019 00:51:50 GMT

VoIP Protections are not IPS but they are enforced in the firewall via the Inspection Settings.
Have you excluded these as well?

Re: skype for business issues

Shahar_Grober — Sat, 11 May 2019 14:11:52 GMT

I have mentioned that I have configured both IPS and Inspection exceptions just to make sure that the traffic is not dropped.

It looks like a NAT issue with UDP SIP Ports which make the returning connections not to be NATed and dropped by the stealth rule.

I have configured the following rule as follow:

src	dst	service	action
polycom with SFB	any	any	allow

Hide NAT is configured on the Polycom object

Did anyone have experience with how to configure NAT and Skype for business (And Yes, I have already involved TAC but I need a quick solution from someone with experience with such configuration)

Re: skype for business issues

infosec — Mon, 20 May 2019 14:26:19 GMT

Running the same kind of issue. Workarround found with the TAC: Disable the "cluster sync" for those UDP ports. Seems a bug is deleting UDP virtual sessions.

You should see drops for returning traffic (seen wrongly as new traffic) in your management logs or in fw ctl zdebug + drop | grep "IP of your RTP device".

Waiting a real fix from the CKP DEV team.

Re: skype for business issues

Shahar_Grober — Thu, 23 May 2019 07:33:27 GMT

Actually, the problem is with STUN protocol used by Skype for Business but not supported by Check Point

according to sk34538, which "suddenly" popped up in User Center

"Check Point Security Gateway does not support Session Traversal Utilities for NAT (STUN) server.

Check Point Security Gateway will pass and forward STUN traffic, but will not reply to STUN requests sent to the Check Point Security Gateway."

This requires to create manual rules to allow STUN traffic to traverse the GW or else they will be blocked by the stealth rule because the GW doesn't NAT this service

Skype for business is a widely used service. How come Check Point doesn't support it

@PhoneBoy

@Dima_M

WDYT?

Re: skype for business issues

PhoneBoy — Thu, 23 May 2019 22:25:34 GMT

STUN is meant to work around NAT.
However, it usually runs on the SIP proxy/server.
If we're not the SIP proxy, not sure how we'd support STUN beyond just manually mapping NAT ports.

In any case, the fact we don't proxy STUN at all, only pass it through, isn't particularly new.
The SK you mention was first created in 2008.

Re: skype for business issues

Shahar_Grober — Fri, 24 May 2019 08:03:37 GMT

The SK was not public and suddenly appeared in User Center (was edited in 13 may 2019).
SIP proxy servers are nice but they are overkill when you have Skype for business in cloud and Polycom devices with out of the box functionality to talk to MS cloud.

Re: skype for business issues

Mark_Gurevich — Tue, 02 Jul 2019 08:51:43 GMT

Hi @infosec, could you please share SR number so we can check if the sympthoms we have are the same as on your side?

Thank you

Re: skype for business issues

HeikoAnkenbrand — Tue, 02 Jul 2019 08:46:14 GMT

Hi @Shahar_Grober,

It is the old known SIP/RTP issue.

I think it is the same issue:

VoIP Issue and SMB Appliance (600/1000/1200/1400)

Re: skype for business issues

G_W_Albrecht — Tue, 02 Jul 2019 11:04:32 GMT

The missing STUN support as well as the mentioned sk are very very old, from 04-Mär-2008 ! Also consult sk108815: Basic VoIP debugging when phones located behind firewall and PBX is external, sk113573: How to configure VoIP on Locally Managed 600 / 700 / 910 / 1100 / 1200R / 1400 appliances and sk112354: How to allow Office 365 services in Application Control R77.30 and above !

Re: skype for business issues

infosec — Mon, 26 Aug 2019 09:51:50 GMT

Hi,

Here is the ticket id : 6-0001628443

Note: This was a general UDP issue (random delete fromsession table for UDP sessions in hide nat). Impacted other UDP (les critical) traffic like openVPN. Issue gone without any update finally... Very strange issue.

Regards,

Re: skype for business issues

Mark_Gurevich — Mon, 02 Sep 2019 13:50:22 GMT

Thanks for sharing! Same steps has solved the issue on our side

Re: skype for business issues

upmitnetworksec — Tue, 15 Oct 2019 08:28:57 GMT

Hello,

we are also facing the same Problem for stun .we have seen drops from Microsoft to gateway IP on the same source and destination Port which is 3478.

so anyone please tell me what we should do for this as users are facing skype call drops issue.

Re: skype for business issues

Equipe_Reseau2 — Tue, 17 Dec 2019 13:51:49 GMT

Hello,

Have exactly the same issue with Teams, i've try to disable the cluster Sync on my UDP3478-3481 port, check the keep connection open after policy installation... same issue.

Any idea ?

Re: skype for business issues

Shahar_Grober — Tue, 17 Dec 2019 13:54:56 GMT

sk34538
you have to bypass it by allowing this port explicitly since it is not NATed by the GW

Re: skype for business issues

Equipe_Reseau2 — Tue, 17 Dec 2019 14:16:36 GMT

Thanks, you mean i need to allow Microsoft 52.114.0.0/14 to allow my Public IP on UDP3478 and more ???

Re: skype for business issues

Shahar_Grober — Tue, 17 Dec 2019 14:18:38 GMT

Yes, you can use updateable objects if you use R80.20

Re: skype for business issues

Equipe_Reseau2 — Tue, 17 Dec 2019 14:24:41 GMT

No, i'm in R80.10 T225. I have Application filtering so i've allow Stun Application, it match but i always have drop UDP inbound sessions.
I have UDP 10400, 10500, 10600.... not only 3478 !! I can't allow that !!