One of the most frequent problems you have probably faced when implementing a Skype for Business architecture is media relay for users travelling around the world.
In Skype for Business an Edge Media Relay is associated with a specific Front End pool.
This means that a user homed on that pool will always use that Edge server to relay media, no matter where the user connects from.
The same problem also occurs in Skype for Business Online when a user belonging to a European tenant uses the Media Relay service while connected from another region.
As you can see in the flow above, when user B uses the Media Relay server, he connects to the server in Europe.
Crossing an ocean has a cost in terms of latency and packet loss, and we all know how important network performance is for real-time communication.
Until now this problem was limited to a few on-premises companies; in the cloud era, where all users connect "from outside" and on the move, network optimization has become really important.
Together with Microsoft Teams, a new service called Transport Relay (TRAP) is being rolled out to Office 365.
This service is used by Microsoft Teams and, for now, by some O365 tenants, allowing users to connect to the closest Transport Relay to send real-time traffic.
The TRAP service is used by Microsoft Teams and by Skype for Business/Lync 2013 clients, each with different logic (Lync 2010 cannot use this service).
Skype for Business/Lync 2013:
Lync 2013 and Skype for Business Online will continue to "speak" to the MRAS service, which forwards the request to the TRAP server.
This mechanism maintains compatibility with the current client logic.
Microsoft Teams:
Microsoft Teams is a brand new client and uses the new service directly.
As explained in one of my previous posts, in order to relay traffic through a Skype for Business Edge server, the client needs valid credentials (MRAS credentials). These credentials are generated by the Front End pool associated with the Edge server the user is connected to.
In a TRAP scenario these credentials are valid for every Transport Relay server in O365.
An Anycast IP is used to connect to the closest Transport Relay server.
In the network there are different machines announcing the same public IP address, and the provider is in charge of routing the traffic to the closest one.
That is the technology behind the client's ability to reach the closest Transport Relay server.
Important consideration:
This is another reason why local internet breakout is crucial if you want to guarantee better quality to internal clients.
Let's picture a scenario where a company has its HQ in Zurich and 2 subsidiaries in the US and APAC.
If you use Zurich as the central internet breakout, the users in APAC and the US will never benefit from the Transport Relay in their region; they will always use the one in Europe.
Another benefit of Transport Relay concerns the UDP ports required by the best-practice firewall configuration.
You may have wondered why the ports required by Skype for Business Online and Teams include the UDP range 3478-3481 and not only 3478.
With Transport Relay each kind of stream uses a different UDP port, so identifying an audio or desktop sharing stream on the network becomes easier.
How do I know whether my client is using this new service?
As shown before, the Skype for Business or Lync 2013 client can use this Transport Relay service.
If you want to verify whether your Skype for Business client is using the new service, you can analyze the Media Relay answer.
If you see tredge.online.lync.com in the hostName field, you are using the TRAP server.
<mediaRelayList>
  <mediaRelay>
    <location>intranet</location>
    <hostName>tredge.online.lync.com</hostName>
    <udpPort>3478</udpPort>
    <tcpPort>443</tcpPort>
  </mediaRelay>
</mediaRelayList>
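The check described above (hostName equal to tredge.online.lync.com means the TRAP service is in use) and the port expectations from the previous paragraph can be scripted against a saved Media Relay answer. The following Python script is an added example, not code from the original post or from Microsoft; the two XML answers inside it are constructed samples modelled on the one shown above (the on-premises hostname edge.contoso.example and the TEST-NET address 192.0.2.10 are placeholders), and the relay_kind helper only classifies a host string, since the Teams HTTPS response format is not shown on this page.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Hostname the post identifies as the Transport Relay (TRAP) service.
TRAP_HOSTNAME = "tredge.online.lync.com"
# UDP range from the Skype for Business Online / Teams port requirements (3478-3481).
TRAP_UDP_PORTS = range(3478, 3482)

# Constructed sample answers (not captured from a real client). The first is
# modelled on the TRAP answer shown in the post, the second on a classic
# on-premises Edge answer with a hypothetical hostname.
TRAP_ANSWER = """<mediaRelayList>
  <mediaRelay>
    <location>intranet</location>
    <hostName>tredge.online.lync.com</hostName>
    <udpPort>3478</udpPort>
    <tcpPort>443</tcpPort>
  </mediaRelay>
</mediaRelayList>"""

LEGACY_ANSWER = """<mediaRelayList>
  <mediaRelay>
    <location>internet</location>
    <hostName>edge.contoso.example</hostName>
    <udpPort>3478</udpPort>
    <tcpPort>443</tcpPort>
  </mediaRelay>
</mediaRelayList>"""


def parse_media_relays(xml_text):
    """Parse a mediaRelayList answer into a list of relay dicts."""
    root = ET.fromstring(xml_text)
    relays = []
    for relay in root.iter("mediaRelay"):
        relays.append({
            "location": (relay.findtext("location") or "").strip(),
            "hostName": (relay.findtext("hostName") or "").strip(),
            "udpPort": int(relay.findtext("udpPort") or 0),
            "tcpPort": int(relay.findtext("tcpPort") or 0),
        })
    return relays


def relay_kind(host):
    """Classify a relay host: the TRAP FQDN, a bare IP literal (what a Teams
    trace shows, i.e. the anycast address) or any other FQDN (a classic Edge)."""
    if host.lower() == TRAP_HOSTNAME:
        return "trap-fqdn"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        return "edge-fqdn"


def uses_transport_relay(relays):
    """True if at least one relay in the answer is the TRAP service."""
    return any(relay_kind(r["hostName"]) == "trap-fqdn" for r in relays)


def port_findings(relays):
    """Flag relays whose ports fall outside what the firewall rules should allow."""
    findings = []
    for r in relays:
        if r["udpPort"] not in TRAP_UDP_PORTS:
            findings.append(f"{r['hostName']}: udpPort {r['udpPort']} is outside 3478-3481")
        if r["tcpPort"] != 443:
            findings.append(f"{r['hostName']}: tcpPort {r['tcpPort']} is not 443")
    return findings


if __name__ == "__main__":
    for label, answer in (("TRAP", TRAP_ANSWER), ("legacy", LEGACY_ANSWER)):
        relays = parse_media_relays(answer)
        print(f"{label}: TRAP in use = {uses_transport_relay(relays)}")
        for finding in port_findings(relays):
            print("  ", finding)
```

Feed it the mediaRelayList XML you copied out of the client log instead of the constructed samples; an empty findings list together with uses_transport_relay() returning True is the "all good" case for a client expected to be on TRAP.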
Since Teams doesn't use SIP to communicate with the cloud service but HTTPS requests, to analyze that traffic you need HTTPS decryption software such as Fiddler or Charles.
In the following example I traced the Microsoft Teams client sign-in and searched for the TRAP service.
As you may have noticed, with Teams we no longer see an FQDN but the anycast IP used by the service.
Cloud services evolve continuously to guarantee top quality and user experience, but remember that this is possible only when a direct connection is possible.
If you close the UDP ports and put a proxy in the path, the call might still be established, but TCP will be used and quality cannot be guaranteed.
Remember to open all the required ports as per the O365 IP address list.
For more information about this topic, you can see this session from Microsoft Ignite 2017.