Optimize your Microsoft Teams traffic with QoS on a UniFi USG


At times like these, when everybody is working from home and the whole family uses the internet as well, the traffic requirements can be tough on your internet connection. When you are using real-time collaboration tools, such as Microsoft Teams, that rely on a good and stable internet connection for voice, video and screen sharing, parallel Netflix/Disney+/Hulu/Amazon Prime traffic can make the experience subpar for everybody involved.

Thankfully it’s possible to optimize your outgoing traffic based on what services are used.

In this example I show you how to set up traffic shaping on a UniFi USG or EdgeRouter using DSCP to optimize your Microsoft Teams meetings. This setup is only an example, and you can easily adapt it to your router if it supports DSCP. If it does not, the Ubiquiti EdgeRouter X is about 50 bucks.

Test your setup before you begin

Use fast.com or another internet speed test to check your download and upload speed before and after you configure this in your network.
Use the „Show more info“ option to also include the upload test results.

You will see why this is important at the end of this blog post.

Microsoft Teams settings

To differentiate the outgoing Teams traffic and set the correct DSCP values, you will have to set the UDP ports used by Microsoft Teams globally for your tenant. If you can't do this, chances are high that Teams still uses the UDP port settings defined here, because they are the default values.

Switch to Meetings Settings in your Teams Admin Console

Set the values according to this screenshot

Microsoft Teams UDP settings

Teams DSCP reference

| Media traffic type | Client source port range | Protocol | DSCP value | DSCP class |
| --- | --- | --- | --- | --- |
| Audio | 50,000–50,019 | TCP/UDP | 46 | Expedited Forwarding (EF) |
| Video | 50,020–50,039 | TCP/UDP | 34 | Assured Forwarding (AF41) |
| Application/Screen Sharing | 50,040–50,059 | TCP/UDP | 18 | Assured Forwarding (AF21) |

Windows Settings

If you have set up your Microsoft Teams ports according to those values, you still have to do some configuration on your workstation as well.

Test Workstation

If you only have one or two machines you can use PowerShell Cmdlets to create the policies you need.

New-NetQosPolicy -Name "Teams Audio" -AppPathNameMatchCondition "teams.exe" -IPSrcPortStartMatchCondition 50000 -IPSrcPortEndMatchCondition 50019 -DSCPAction 46
New-NetQosPolicy -Name "Teams Video" -AppPathNameMatchCondition "teams.exe" -IPSrcPortStartMatchCondition 50020 -IPSrcPortEndMatchCondition 50039 -DSCPAction 34
New-NetQosPolicy -Name "Teams Application-Screen Sharing" -AppPathNameMatchCondition "teams.exe" -IPSrcPortStartMatchCondition 50040 -IPSrcPortEndMatchCondition 50059 -DSCPAction 18

Group Policy based distribution

If you have hundreds or thousands of workstations you most likely already use Group Policies to manage settings centrally. Of course you can apply those settings via GPO as well.

  1. Create a new GPO
  2. Computer Configuration -> Windows Settings -> Right click „Policy-based QoS“ -> „Create new policy“
    Create new policy
  3. You need to create three QoS policies. Start with „Teams Audio“ and set DSCP to „46“
    Teams Audio Policy
  4. Specify the application name „teams.exe“
    Teams Application
  5. Do not restrict this on any specific IP ranges…
    Valid for all IP Ranges
  6. …but to the UDP source port range „50000:50019“
    UDP Source Ports
  7. Repeat the steps 2 – 6 for „Teams Video“ and „Teams Application-Screen Sharing“. Look up the correct values for DSCP and UDP ports in the table above.
    All QoS policies setup

Check with Wireshark

Capture UDP packets and check whether the DSCP value is set in the IP header.

Default behavior

WireShark capture of default packet

After setting up the policy

WireShark capture of DSCP
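The same check can be scripted. The following is an added example, not part of the original post: it reads the DS field of a raw IPv4/UDP packet and compares the DSCP value with the one the Teams DSCP reference table expects for the packet's source port. The sample packets, addresses and destination port are constructed for the demo.

```python
import struct

# (media type, client source ports, expected DSCP) from the Teams DSCP reference table.
TEAMS_CLASSES = [
    ("Audio", range(50000, 50020), 46),
    ("Video", range(50020, 50040), 34),
    ("Application/Screen Sharing", range(50040, 50060), 18),
]

def check_packet(ip_packet: bytes):
    """Return (media type, source port, DSCP, matches table) for a raw IPv4/UDP
    packet sent from a Teams media port, or None for any other packet."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None                      # truncated or not IPv4
    ihl = (ip_packet[0] & 0x0F) * 4      # header length in bytes (options included)
    frag_offset = struct.unpack_from("!H", ip_packet, 6)[0] & 0x1FFF
    if ihl < 20 or len(ip_packet) < ihl + 8 or ip_packet[9] != 17 or frag_offset:
        return None                      # malformed, not UDP, or no UDP header here
    dscp = ip_packet[1] >> 2             # DS field: upper 6 bits DSCP, lower 2 bits ECN
    (src_port,) = struct.unpack_from("!H", ip_packet, ihl)
    for name, ports, expected in TEAMS_CLASSES:
        if src_port in ports:
            return name, src_port, dscp, dscp == expected
    return None

def build_sample(src_port: int, dscp: int, ecn: int = 0) -> bytes:
    """Constructed IPv4+UDP packet for the demo (documentation addresses,
    arbitrary destination port, checksums left at zero)."""
    payload = b"\x00" * 4
    udp = struct.pack("!HHHH", src_port, 40000, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 20 + len(udp),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5]))
    return ip + udp

if __name__ == "__main__":
    samples = [build_sample(50005, 46),          # audio, marked EF
               build_sample(50025, 0),           # video, policy not applied
               build_sample(50045, 18, ecn=1),   # screen sharing, ECN bits set
               build_sample(443, 0)]             # unrelated traffic
    for pkt in samples:
        print(check_packet(pkt))
```

A result whose last field is False means the packet left a Teams media port without the expected marking, which is what the default-behavior capture shows.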

Router configuration

Now it’s time to configure your router to restrict the network traffic based on the DSCP values.

In my setup I have a 1 Gbps download and 50 Mbps of upload speed.

The traffic shaping configuration should only apply to the outgoing traffic, on interface eth0 (WAN), which is the internet upload.

Configure mode on USG

Connect via SSH to your UniFi router and enter the „configure“ mode

configure

Upload traffic shaping

The following commands set up a traffic shaping policy that distributes the 50 Mbit upload speed between four different traffic classes.

It guarantees the specified percentage of the total upload bandwidth (50 Mbps) to those classes, but because of the „ceiling“ value of 100% it does not restrict the traffic to this percentage. So after you finish work you are not restricted to only 70% of the total upload speed, but can use it all.

| Policy class | Guaranteed bandwidth % | Max bandwidth % |
| --- | --- | --- |
| Default | 70 | 100 |
| 10 (Voice) | 15 | 100 |
| 20 (Video) | 8 | 100 |
| 30 (Screensharing) | 7 | 100 |

set traffic-policy shaper upload description "Microsoft Teams QoS"

set traffic-policy shaper upload bandwidth 50mbit
set traffic-policy shaper upload default bandwidth 70%
set traffic-policy shaper upload default ceiling 100%

set traffic-policy shaper upload class 10 bandwidth 15%
set traffic-policy shaper upload class 10 ceiling 100%
set traffic-policy shaper upload class 10 match rtp ip dscp 46

set traffic-policy shaper upload class 20 bandwidth 8%
set traffic-policy shaper upload class 20 ceiling 100%
set traffic-policy shaper upload class 20 match sip ip dscp 34

set traffic-policy shaper upload class 30 bandwidth 7%
set traffic-policy shaper upload class 30 ceiling 100%
set traffic-policy shaper upload class 30 match sip ip dscp 18

Apply and save configuration

After you have set up the configuration, you will need to activate and save it.

set interfaces ethernet eth0 traffic-policy out upload
commit ; save ; exit

Export config as JSON

If you are using the USG, the configuration will be overwritten the next time you change something on the UniFi controller. To avoid this you have to use a file called config.gateway.json. Please refer to the linked article to set up this file on your UniFi controller.

You can use the following command to dump the complete configuration and extract the parts you need.

mca-ctrl -t dump-cfg

Or you could use this amazing script that Daniil Baturin wrote to only extract the part of the config you really need.

./usg-config-export.py "interfaces ethernet eth0 traffic-policy" "traffic-policy"
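For the commands in this post, the relevant part of the file can also be built directly from the set commands. This is an added example, not the script referenced above; it assumes that config.gateway.json mirrors the CLI configuration tree as nested JSON objects with string leaf values, and the function name is hypothetical.

```python
import json
import shlex

# The set commands from this post: shaper definition plus the eth0 binding.
SET_COMMANDS = """
set traffic-policy shaper upload description "Microsoft Teams QoS"
set traffic-policy shaper upload bandwidth 50mbit
set traffic-policy shaper upload default bandwidth 70%
set traffic-policy shaper upload default ceiling 100%
set traffic-policy shaper upload class 10 bandwidth 15%
set traffic-policy shaper upload class 10 ceiling 100%
set traffic-policy shaper upload class 10 match rtp ip dscp 46
set traffic-policy shaper upload class 20 bandwidth 8%
set traffic-policy shaper upload class 20 ceiling 100%
set traffic-policy shaper upload class 20 match sip ip dscp 34
set traffic-policy shaper upload class 30 bandwidth 7%
set traffic-policy shaper upload class 30 ceiling 100%
set traffic-policy shaper upload class 30 match sip ip dscp 18
set interfaces ethernet eth0 traffic-policy out upload
"""

def commands_to_tree(text: str) -> dict:
    """Fold 'set <path...> <value>' lines into the nested dict that
    config.gateway.json is assumed to use (one object per path element)."""
    tree: dict = {}
    for line in text.splitlines():
        tokens = shlex.split(line)       # keeps "Microsoft Teams QoS" as one token
        if not tokens:
            continue
        if tokens[0] != "set" or len(tokens) < 3:
            raise ValueError(f"expected 'set <path> <value>': {line!r}")
        *path, leaf, value = tokens[1:]
        node = tree
        for key in path:
            node = node.setdefault(key, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r} is already a value: {line!r}")
        node[leaf] = value
    return tree

if __name__ == "__main__":
    # Prints the JSON fragment for the shaper and the interface binding.
    print(json.dumps(commands_to_tree(SET_COMMANDS), indent=2, sort_keys=True))
```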

config.gateway.json and Docker

If your UniFi controller is running as a Docker container and your site name is „default“, add the following to your docker-compose file.

volumes:
  - /path/to/persitent/config/unifi/config.gateway.json:/unifi/data/sites/default/config.gateway.json

Test your configuration

Use an internet speed test to see if there is any degradation in your network performance because you activated the traffic shaping feature.

Sadly, my download speed was hit with a massive performance degradation, even though the configuration only applies traffic shaping to the outgoing traffic.

As you can see in these results, the configuration nearly halved my download speed. This might be because the USG can’t handle gigabit download while also applying traffic shaping.

So for me this means going back to the original configuration. There are some posts in the UniFi forums that say it’s reliable up to 100 Mbps with the EdgeRouter. With the USG, based on the results, I would say up to 400 Mbps down should be fine.

I’m currently in contact with the Ubiquiti support to get some official answers on this. I will update this post as soon as possible.

Update 04.04.20 20:46

This is the final response from support

Note: These are custom configurations made on the USG through CLI. Custom configurations are not supported over chat or email.

Refer to the KB article below for advanced configurations.
https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration
https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration#2

Remove configuration

If you have any trouble with this setup, here are the steps to remove the configuration.

Windows QoS

If you used PowerShell, you can use the following to delete all QoS policies. If you used a GPO, just unlink it from the affected workstations.

Get-NetQosPolicy | Remove-NetQosPolicy -Confirm:$false

EdgeRouter

configure
delete traffic-policy shaper upload
delete interfaces ethernet eth0 traffic-policy out upload
commit ; save ; exit

USG

To immediately disable the configuration, use the same commands shown for the EdgeRouter, but don’t forget to remove the configuration from the config.gateway.json as well.

Sources

I used the following documentation and sources to set up this configuration.