TPG Community

Get online support

Microsoft Teams Blocked from 19 October

SteveB
Level 3

I work from home via my agency's VPN using their standard build PC.

 

On Wed 19 October my Teams client could no longer connect.

Using the web version on Chrome was also blocked but strangely Edge still worked.

F12 request header messages in Chrome suggested something was sub-par in the response, obviously Edge isn't so tight.

I'm struggling along usind the Edge web Teams at the moment but it isn't satisfactory.

 

I reported this to our support area and after referring logs to Microsoft they could find nothing wrong with the agency setup.

 

I am not the only person affected, there are several at my agency.

The common theme seems to be TPG or iiNet ISP.

Today iiNet started working for my teammate but he isn't sure if it was because he fiddled turning off port blocking at his iiNet account. I couldn't find an equivalent control for my TPG account to try that theory.

 

I suspect my modem is possibly a cause but I've rebooted and basically tried turning off/on everthying probable but no change (eg router firewall and internal proxies etc).

 

My modem is the standard one supplied for my FTTP account, TP-Link Archer C1200 V1.

Firmware is dated 1.0.0 Build 20180208 rel.59779 (EU)

 

I can't find a firmware update for this and I don't have another router to try.

If there is a router update please let me know.

If not then what do you suggest I do now!

 

The smoking gun is pointing firmly at this being a TPG/iiNet ISP related problem, whether ISP end or standard modem security protocol limitation.

 

We all need a resolution to this problem asap.

 

Regards

 

Steve Bradford

12 REPLIES 12
Ahra_G
Moderator

Hi @SteveB

 

We'd be happy to check if your modem's firmware needs updating. Please send in your TPG username or customer ID via PM so we can assist.

 

Thanks! 

Ahra_G

david64
Master

Hi @SteveB . Does the Teams client give an error message when it starts and fails to connect?

Do you know the hostname or ip address that the Teams client tries to connect to?

Do a    ping   and    tracert    to the hostname or ip address. There might be a routing problem.

SteveB
Level 3

Basically Teams client can't connect at all.
When in Chrome anything going to "teams.microsoft.com" is blocked for some vauge security reason.

"Upgrade-Insecure-Requests: 1" whatever that means (from the response header)

 

Teams client also uses this URI and dies but for some reason Edge is not blocking the vauge security issue outright.

david64
Master

@SteveB . When your work PC starts, does the VPN connect automatically or do you have to do something?

If the VPN is not automatic, this means you can use the PC like a regular (non-VPN) computer.

Do you use the Teams client only when connected to VPN or can it be used without VPN?

 

There is a setting in Chrome in "Privacy and security": Always use secure connections.

If it is enabled, can you disable it and try using Teams again.

If it doesn't work, set it back to enabled.

This doesn't explain why the problem has only been seen on TPG and iiNet.

SteveB
Level 3

While the VPN is started manually the whole desktop is very locked down so you can only work locally without it.

ie No Internet unless through VPN and even then it's border managed.

 

Also every security setting is managed, I can do nothing with those settings or using non white listed tools etc.

 

Our support area are also perplexed as the whole network is fine according to Microsoft who were assisting with this issue (I'm talking thousands of workstations on our network, some working from home having issues if on TPG or iiNet) 

 

Regards

 

Steve

david64
Master

@SteveB . If you took your work PC to a friend's house who uses provider other than TPG or iiNet, would you expect Teams client to work?

Have you tried getting Teams client log files from your PC? This article explains log files:

https://learn.microsoft.com/en-us/microsoftteams/log-files

 

You say Chrome gives this error: "Upgrade-Insecure-Requests: 1". Microsoft should know what this request means in terms of HTTP/HTTPS and whether Teams server supports this request. This might be a recent enhancement in Chrome that isn't in Edge.

 

 

SteveB
Level 3

I can connect to Teams if I use my phone's hotspot, it's only going through the ISP/router combination the issue happens.

 

As for Microsoft, they probably don't go beyond proving their stuff is all OK.

 

Our support remoted in and did Fiddler logs, again going to be sent to Microsoft, no answer yet.

 

It's likely a recent security protocol enforcement by something in the chain.

As I said, our organisation is paranoid security wise and likely use very recent features that old, obsolete routers etc don't get unless they are updated or replaced.

There has never been a firmware upgrade to my router since going FTTP because there isn't one.

We don't live in a world where that is acceptable any more.

 

I may have to get a new router and see if it fixes the issue.

One colleague on iiNet was fine but they had a high end gaming router so I suspect that the default router is the likely problem.

 

Regards

 

Steve

david64
Master
@SteveB. From my reading, the Teams client uses a browser as interface to Teams server. Client might be using Chrome to connect to server. Can you ask your support if they can make client use Edge instead?
SteveB
Level 3

Chrome does its own thing as does Teams client, if Teams was going to use any browser component it would be Edge.

This is NOT an issue with teams.microsoft.com being blocked in the ISP/router, Edge can get there OK.

 

It's an issue with some new security aspect of the response not being acceptable to Teams or Chrome while Edge is OK with it (for the moment). 

The info (F12) in the Chrome response header indicates something is sub-par but then Chrome is a mental thing about security.

 

Given that the internet traffic is all via a high grade VPN client going directly to a local agency hosted VPN server you would think that the internal traffic would be independent of the ISP infrastructure.

 

My suspicion is that the VPN internal response traffic is inheriting some security aspects from the VPN container's header and that for some reason there is a new feature or header attribute that the ISP/router cannot process or pass through.

My guess is it's a CORS or security attribute that is relatively new.

 

I'm 90% convinced it's likely to be a router limitation, those old Archer C1200 routers are way obolete and out of support.

My likely only solution is to get a modern router instead of the TPG supplied one but there is still the risk that the limitation actually exists in the TPG infrastructure.

 

Happy to hear other suggestions or things to try though.

 

Regards

 

Steve