Create a Post
Showing results for 
Search instead for 
Did you mean: 
Champion Champion

Best Practice: Skype for Business (Lync) with(out) QoS

Let's discuss!

When end users consider to use Skype for Business they are interested to know how to prepare their firewall in order to get the best possible performance and quality of the audio/video signals. End users demand an uninterrupted conferencing experience.

QoS - Required or just an option?

Whenever talking about Video Conferencing we need to talk about QoS in order to implement Low Latency Queueing mechanisms. Microsoft provides a dedicated QoS validation service for Skype for Business. At the end it's all about DSCP (Differentiated Services).

Activating QoS on Check Point comes with a lot of public limitations.

Having the need to perform QoS within VPN packets brings up more topics to discuss.

Working with CoreXL / SecureXL and QoS at the same time required proper planning.

Enabling SMT (HyperThreading) might be unsupported.

Other threads show, that QoS and VoIP is not an easy thing to set up and manage.

QoS - Starting without it?

Interestingly Check Point seems to feature priority handling for various types of packets right out of the box without having to enable QoS. Maybe this is why so few Check Point end users need to activate QoS?

That would allow implementing Skype for Business without QoS on oversized Check Point Appliances simply by optimizing the Firewall & Application Control Policies in order to have it processed without adding too much delay. Does anyone of you actually have experience with this?

QoS - Waiting for R80.x?

As Hugo van der Kooij‌ mentioned in the other thread, QoS with R80.x provides new opportunities. In a new Check Point environment, would you go for R80.10 and leave other limitations aside (missing SmartWorkflow etc.) in order to be able to better prioritize Skype via QoS? Note: R80.10 introduced MultiCore Support for IPsec VPN.

HTTPS Inspection - Required in order to work with Skype for Business ?

IPS - Protecting Skype for Business

Check Point offers various IPS protections regarding Skype for Business. Activating these protections means putting more latency on the Skype traffic. Again, it is connectivity vs. security.

Please respond with your real life experience in regards to Skype for Business and the demand for QoS. Thanks!

4 Replies

In my experience adding QoS adds more processing load on the firewall which may result in longer and more diverse latencies.

And in my experience the worst thing you can have with VOIP is diverse latencies.

So in general if you design a firewall for VOIP you have to aim at oversizing. If you design a unit with ~50% in the Appliance Sizing Tool then you will may get some VOIP complaints.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

For me, If firewall is not overburden than we can apply QOS which will prioritize VOIP traffic. It is better if R80 has some additional feature for VOIP traffic.

0 Kudos

For what I have seen so far , qos is not a mandatory thing for working with sfb , despite that I saw a lot of limitations when using https inspection , saw different sk on support recenter regarding this issue , some of them just say to bypass all for making it work and maybe some customers won't allow to do that or end to do it forcefully.

Without https inspection and just with application control I have seen no issue with video or audio conference.

0 Kudos


Is the principle here applicable to Skype for Business Online? I noticed that our particular site with 12M (up/down) bandwidth have intermittent call when we're doing Video/Voice call in Skype for Business Online. Our HQ confirmed that it only happened in our site which I believe we have the same settings with other affiliates in Europe.

The video/voice call lasts only for about few minutes, its drops and reconnect again for nth time. What I did is I add in QOS the IP addresses of Skype for Business online which I got from this link from MS Office 365 URLs and IP address ranges

After reinstalling the policy, still the quality is not acceptable.

Anyone here was able to configure smoothly SFB online behind CheckPoint?

Firewall Info:

Checkpoint 2200 + Cluster

OS: R77.3



Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events