
GlobalProtect - excluding MS Teams media traffic _only_
Has anybody managed to successfully split exclude MS Teams media traffic (only) from the VPN?
From the Microsoft documentation, the items listed under ID 11 give some subnets and ports 3478-3481 for optimisation. This document shows that port 3478 is STUN, 3479 is Audio, 3480 is Video, 3481 is sharing/VBSS, so that is the traffic I'm interested in.
The first problem is that in the GlobalProtect configuration, you can only exclude specific ports by domain, not by IP address. And excluding the subnets entirely will exclude more than just media traffic.
Microsoft states in yet another article, alluding to this limitation and providing a workaround:
> Some VPN client software allows routing manipulation based on URL. However, Teams media traffic has no URL associated with it, so control of routing for this traffic must be done using IP subnets.
> In certain scenarios, often unrelated to Teams client configuration, media traffic still traverses the VPN tunnel even with the correct routes in place. If you encounter this scenario, then using a firewall rule to block the Teams IP subnets or ports from using the VPN should suffice.
This workaround makes sense; we do that for Google Meet and it works well.
But this is the second problem: if I block GP traffic to those subnets on ports 3478-3481, the MS Teams client just falls back to SSL rather than seeking an alternative route. Interestingly, MS Teams in the browser (Chrome) does behave as expected when the traffic is blocked, and routes outside of the tunnel on the standard media ports. I guess that's a Microsoft problem with the Teams client.
So yeah, has anybody managed to exclude just the media traffic successfully for MS Teams, or do you just exclude everything per the Palo Alto documentation?
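One way to check from the client side whether the exclusion is actually taking effect, as an added example that is not part of the original post or of any Palo Alto or Microsoft tooling: classify observed sessions to the Teams media ranges by interface, protocol and port. Media on UDP 3478-3481 leaving the physical adapter is the desired state; the same ports seen on the tunnel adapter mean the exclusion is not applied; TCP 443 to the media ranges is the SSL fallback the post describes, and if it is seen on the tunnel adapter the firewall block has just pushed the media into the tunnel rather than around it. The subnets, the tunnel adapter name (`gp_tunnel`) and the key=value log lines are all constructed placeholders; the real Teams media prefixes come from Microsoft's endpoint list (ID 11) and the adapter name varies by OS.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholders (RFC 5737 documentation ranges) standing in for the
# Teams media subnets listed under ID 11 of Microsoft's endpoint documentation.
# They are NOT Microsoft's real prefixes; substitute the published list.
TEAMS_MEDIA_SUBNETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# UDP media ports and their roles as described in the Microsoft documentation.
TEAMS_MEDIA_PORTS = {3478: "STUN", 3479: "audio", 3480: "video", 3481: "sharing/VBSS"}

# Assumed name of the GlobalProtect virtual adapter on the client; varies by OS.
TUNNEL_IFACE = "gp_tunnel"

# Constructed client-side session records in a simple key=value form.
SAMPLE_SESSIONS = """\
ts=2024-05-01T09:00:01 iface=eth0 proto=udp dst=198.51.100.20 dport=3479
ts=2024-05-01T09:00:02 iface=eth0 proto=udp dst=198.51.100.20 dport=3480
ts=2024-05-01T09:00:03 iface=gp_tunnel proto=udp dst=203.0.113.7 dport=3478
ts=2024-05-01T09:00:04 iface=gp_tunnel proto=tcp dst=203.0.113.7 dport=443
ts=2024-05-01T09:00:05 iface=gp_tunnel proto=tcp dst=192.0.2.9 dport=443
ts=2024-05-01T09:00:06 iface=eth0 proto=tcp dst=198.51.100.20 dport=443
"""

LINE_RE = re.compile(
    r"iface=(?P<iface>\S+) proto=(?P<proto>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def is_teams_media_dst(ip):
    """True when the destination falls inside one of the media subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TEAMS_MEDIA_SUBNETS)


def classify(iface, proto, dst, dport):
    """Label one session relative to the intended split-exclude behaviour."""
    if not is_teams_media_dst(dst):
        return "other"
    via_tunnel = iface == TUNNEL_IFACE
    if proto == "udp" and dport in TEAMS_MEDIA_PORTS:
        # Media on the native ports: direct is the goal, tunneled means the
        # exclusion is not being applied to this flow.
        return "media-tunneled" if via_tunnel else "media-direct"
    if proto == "tcp" and dport == 443:
        # SSL fallback: the client gave up on UDP media, as described in the post.
        return "tls-fallback-tunneled" if via_tunnel else "tls-fallback-direct"
    return "teams-subnet-other"


def parse_sessions(text):
    """Yield (iface, proto, dst, dport) tuples from the key=value log lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["iface"], m["proto"], m["dst"], int(m["dport"])


def audit(text):
    """Count sessions per label; any '*-tunneled' label shows the exclusion is not effective."""
    return Counter(classify(*s) for s in parse_sessions(text))


if __name__ == "__main__":
    for label, count in sorted(audit(SAMPLE_SESSIONS).items()):
        print(f"{label:24} {count}")
```

Run against a capture taken during a test call, the counts show in one view whether media is going direct, whether the exclusion is being bypassed, and whether a block rule has merely converted UDP media into TLS over the tunnel.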