Configuring Network Components for Zoom

For enterprise network environments, it is vital to configure network components to prioritize real-time collaboration media, including Zoom audio and video data. The following examples provide general guidance and best practices for configuring common network devices for Zoom data traffic.

Firewall

Proper external firewall and external router configuration is critical for consistent connectivity and media quality of Zoom products on your network.

Efficient routing of data through external routers, firewalls configured to minimize packet-inspection delays, and accurate firewall rules for Zoom IP addresses, ports, and protocols all help Zoom's real-time media and connection signaling pass effectively.

Implementing all Zoom-provided firewall rules allows for consistent Zoom audio and video collaboration

For consistent connectivity and the best available media quality, all Zoom IP addresses, ports, and protocols provided in the Zoom network firewall or proxy server settings must be applied to your outbound traffic firewall rules. Zoom sends its responses to the port it receives when a Zoom application or Zoom-enabled device on your network makes its initial connection, so configure the firewall to allow these return connections from Zoom.

Use DNS-based packet inspection on your firewall and routers for seamless global collaboration and scalability when adopting new Zoom platform features

Zoom recommends enabling DNS-based inspection in network firewalls and routing infrastructure so that Zoom services are reached securely and consistently. This helps provide a seamless collaboration experience both inside and outside your organization across Zoom's global footprint.

With DNS-based inspection in place, onboarding new cloud services as your organization adopts new platform features, or as Zoom's infrastructure changes, should not require additional IP range maintenance or firewall policy changes on your infrastructure. Zoom also provides a comprehensive set of security controls, including data center transit selection and data residency controls, in the Zoom account settings portal.

Custom header insertion on next-generation firewalls allows administrators to restrict the amount of bandwidth Zoom products consume

Zoom has worked with Palo Alto Networks to allow custom headers into Zoom traffic to enforce specific Zoom application settings, including restricting the app’s bandwidth usage.

Note

Custom header insertion is a complex control mechanism that usually requires next-generation firewalls and SSL decryption. It is supported on Zoom Workplace desktop apps for macOS and Windows and on Zoom Workplace mobile apps that are enrolled in an MDM and have certificate pinning disabled.

Through the SSL decryption process, next-generation firewalls may be able to insert a custom header for Zoom traffic over TCP port 443 that can trigger customer-specific policy within Zoom Web Services, applying application settings. This allows admins to enforce Zoom application settings for their users joining external meetings and for unauthenticated Zoom users.

For organizations using DSCP marking, marking inbound Zoom data packets on your external firewall and router is an important measure to maintain equal media prioritization

DSCP marking for Zoom Workplace apps is available through settings in the web portal and through Group Policy/Plist. Both options enable the marking of Zoom media and signaling traffic outbound from supported Zoom Workplace apps. Inbound Zoom traffic will mostly be stripped of its DSCP tags while traversing the internet, leaving Zoom data packets unmarked when they return to your network.

As a best practice, your network’s external firewall (and external router) should mark inbound Zoom traffic using the media IP addresses and ports provided in our firewall support article to maintain equal prioritization for inbound and outbound Zoom data.
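The two firewall measures above (allowing outbound Zoom traffic and its return connections, and re-marking inbound Zoom media with DSCP) shown as one nftables ruleset. This is an added example, not Zoom's own configuration: the address ranges are RFC 5737 documentation prefixes, and the port ranges and DSCP class are assumptions to be replaced with the values from Zoom's firewall support article and your own marking policy.

```shell
#!/bin/sh
# Added example (not Zoom's configuration): render an nftables ruleset that
# allows outbound Zoom media and signalling, accepts the return traffic via
# conntrack, and re-marks inbound media from Zoom's ranges with DSCP.
ZOOM_MEDIA_NETS="192.0.2.0/24, 198.51.100.0/24"   # placeholder documentation prefixes
ZOOM_MEDIA_UDP="8801-8810"                        # assumed; verify against Zoom's firewall article
ZOOM_SIGNALLING_TCP="443"                         # assumed; verify against Zoom's firewall article
INBOUND_MEDIA_DSCP="af41"                         # assumed; match your outbound marking policy

render_zoom_ruleset() {
    cat <<EOF
table inet zoom_qos {
    set zoom_media_nets {
        type ipv4_addr
        flags interval
        elements = { $ZOOM_MEDIA_NETS }
    }
    # Shown in isolation with a drop policy; merge these rules into your
    # existing forward policy rather than replacing it.
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Return traffic for connections initiated from inside (including
        # UDP media replies) is accepted through conntrack state.
        ct state established,related accept
        ip daddr @zoom_media_nets udp dport $ZOOM_MEDIA_UDP accept
        ip daddr @zoom_media_nets tcp dport $ZOOM_SIGNALLING_TCP accept
    }
    # Inbound media usually arrives with its DSCP stripped by the internet;
    # re-mark it before routing so internal QoS treats it like outbound media.
    chain inbound_remark {
        type filter hook prerouting priority mangle; policy accept;
        ip saddr @zoom_media_nets udp sport $ZOOM_MEDIA_UDP ip dscp set $INBOUND_MEDIA_DSCP
    }
}
EOF
}

# Print the ruleset; save it and check it with "nft -c -f" before loading with "nft -f".
render_zoom_ruleset
```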

Avoiding centralized ingress and egress for external routers may improve the transmission of Zoom traffic

While centralized ingress and egress may provide a single point of control and security, it can also be a point of congestion on your network which may delay the transmission of Zoom media.

When distributed routing is implemented, Zoom traffic can take more direct paths between source and destination without needing to funnel through a centralized router. This reduces the risk of bottlenecks and congestion at a single point in the network. Distributed routing can help lower latency and improve application performance, particularly for real-time applications like voice and video conferencing.

Packet Inspection

Proper configurations for packet inspection and whitelisting help maintain high-quality audio and video for Zoom Meetings and Webinars

Packet inspection is a key part of network security. However, when packet inspection is performed on real-time Zoom audio and video data, it can introduce significant delay, degrading the quality of the media passed between Zoom Workplace apps. By configuring network components that are capable of packet inspection or whitelisting (e.g., external firewalls, routers, proxy servers, etc.), you can help Zoom audio and video data pass to and from Zoom products with less delay.

Policies to avoid deep packet inspection for Zoom data may need to be implemented

It may be necessary to implement policies on devices performing packet inspection so they do not filter the Zoom domains listed in our firewall support article.

Note

Next-generation firewalls may have “application-aware” technologies to inspect packets at the application layer. This can be leveraged to identify Zoom applications and apply specific policies to allow for media to pass efficiently.

Network components that are performing security inspection or filtering may need to have Zoom IP addresses, ports, and domains added to an allow-list

For firewalls, proxy servers, software-defined network controllers, and other network components that operate with allow lists, it may be advisable for network administrators to create an allow list that specifies the IP addresses, domains, or network ports associated with Zoom services (provided in our firewall support article) so that Zoom audio, video, and signaling data is identified and allowed to pass without inspection or blockage.

Use Secure Real Time Protocol (SRTP) and avoid SSL/TLS inspection for Zoom traffic

Proxy servers are not generally built for real-time audio and video data transport, and SSL/TLS packet inspection that may be performed on proxy servers or next-generation firewalls can introduce a significant delay, degrading the quality of Zoom audio and video signaling.

Zoom Recommendation

Use Secure Real Time Protocol (SRTP) to secure Zoom audio and video collaboration data without introducing delay from other packet inspection protocols.

Intra-Network Routing

Optimize network routing to minimize “hairpinning” to reduce latency for internal Zoom traffic

When traffic between two Zoom Workplace apps in the same local network is routed to an external proxy server rather than directly between the apps, latency, packet loss, and additional bandwidth consumption may occur. Additionally, Zoom traffic passing through the external proxy server may negate QoS policies for internal traffic, causing audio and video degradation or delayed meeting connectivity. Optimizing your network to reduce hairpinning for Zoom traffic will help maintain high-quality Zoom media and reduce bandwidth consumption on your network.

Windows supports the implementation of QoS through Group Policy and macOS/iOS supports it through MDMs and Cisco Fastlane

Windows and macOS computers are a point of QoS configuration and prioritization for Zoom traffic. Windows administrators can use Group Policy to deploy policy-based QoS with DSCP marking and bandwidth throttling controls to prioritize Zoom data for specific applications, users, and computers. Apple computers and mobile devices work in tandem with a Mobile Device Management solution to allow for the prioritization of application data. Cisco Fastlane can provide more detailed controls to prioritize specific application traffic such as Zoom for macOS and iOS devices.

Use packet shapers or bandwidth management devices to prioritize Zoom traffic, and allocate bandwidth to Zoom applications

Most packet or traffic shaping devices are capable of identifying applications or protocols used for real-time audio and video collaboration and giving this data priority queuing, allowing media packets to be transmitted with minimal delay. Many of these devices also monitor network performance metrics like latency, jitter, and packet loss to dynamically adjust and allocate network bandwidth to Zoom applications during peaks in network usage. Packet loss prevention tools such as Forward Error Correction (FEC) may also be available to recover lost media data packets without retransmission.

Use network switches capable of handling real-time media data and utilize any available onboard tools to optimize switches for Zoom data traffic

Utilizing network switches with high bandwidth and high throughput (e.g., switches with Gigabit or 10 Gigabit Ethernet ports), along with low-latency switching and forwarding rates, helps transmit audio and video data packets with minimal delays or bottlenecks.

Research and leverage additional onboard features on your network switches that may aid in efficient transmission and prevention of packet loss for Zoom data

Network switches may have some of the following features that can be used to prioritize Zoom traffic and maintain high-quality audio and video.

Quality of Service (QoS) and DSCP marking

Network switches may be able to implement QoS policies and recognize DSCP tags to prioritize audio and video collaboration media.

Jitter buffering

Enabling jitter buffering on network switches may mitigate the effects of packet delays by storing and re-ordering out-of-order data packets to reduce variations in packet arrivals.

Packet loss prevention and redundant transmission paths

Network switches may have Forward Error Correction (FEC) that adds redundant information to video packets, allowing the recovery of lost packets without retransmission, and redundant paths provide alternative routes for packet delivery in case of network failures.

Configuring SD-WAN solutions for Zoom traffic helps transmit Zoom audio and video efficiently over your wide area network

SD-WAN solutions offer organizations greater agility, flexibility, and control over their wide area networks, allowing groups to adapt to changing business needs, reduce costs, and improve the performance and reliability of their network infrastructure. Zoom is supported by several SD-WAN platforms.

SD-WAN solutions can recognize delay-sensitive applications, including Zoom, and apply policy-based bandwidth controls for Zoom media traveling over an organization’s WAN. SD-WAN dynamically selects the best path for traffic based on factors such as link quality, latency, packet loss, and available bandwidth. It can route traffic over multiple transport technologies, including MPLS, broadband internet, 4G/5G cellular networks, and even satellite links, to optimize performance and reliability.

Hand Zoom media off to SD-WAN gateways or SD-WAN edge devices to apply policies and use dynamic transmission paths

SD-WAN platforms provide gateways or edge devices that can be hardware or virtual. These gateways are implemented at an organization's remote locations, e.g., residences, branch locations, or satellite offices. By routing Zoom audio and video data to the SD-WAN gateways, the desired application-based network prioritization, QoS policies, bandwidth allocation, and dynamic pathway selections will be applied.

Utilizing a dual internet connection with an SD-WAN solution allows for more efficient transmission of Zoom traffic by separating it from non-business critical internet traffic

An SD-WAN solution and dual internet connections could be used to restrict certain traffic types to a reduced amount of bandwidth, or to force all non-business-critical traffic (such as social media or streaming media) onto a secondary data pipe or under a restricted bandwidth cap. This would allow for a consistent allocation of bandwidth for delay-sensitive media like Zoom audio and video collaboration applications.

Use available QoS and network settings through your internet service provider, including ISP-provided DNS servers

Higher-level Internet Service Provider (ISP) agreements for businesses or enterprises may provide you with centralized QoS options that you can control or request your ISP to configure on your behalf. These options allow you to prioritize Zoom traffic and other real-time media traffic for expedited transmission through the ISP.

Utilizing a DNS server provided by your ISP, as opposed to a third-party or aggregate DNS server, may provide faster DNS resolution. Internet service provider-based DNS servers may cache commonly used domains and implement optimized routing to popular services, including Zoom.

Confirm that QoS and DSCP marking configurations are consistent among the MPLS networks that your Zoom traffic traverses

Multi-Protocol Label Switching (MPLS) networks provide a robust platform for building wide area networks (WANs) with centralized, granular controls, the ability to segregate traffic and optimize its routing, and security and QoS control.

When Zoom traffic traverses one or more MPLS networks, confirm that QoS policies and DSCP tag preservation mechanisms are properly configured and that these settings are consistent across the MPLS networks involved. This helps ensure that Zoom traffic remains prioritized as real-time communication data and that DSCP tags remain intact as data traverses the MPLS network(s).
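A quick way to confirm whether DSCP tags actually survive the path (the inbound stripping described in the DSCP marking section, and the MPLS preservation check above) is to summarize a tcpdump capture at the network edge. This is an added example, not part of Zoom's article: the capture lines are constructed in tcpdump -nv style, 10.0.0.0/8 is assumed to be the inside network, and 192.0.2.10 stands in for a Zoom media host.

```shell
#!/bin/sh
# Added example (not from Zoom's article): summarise DSCP values in tcpdump -nv
# output and count inbound packets that arrived unmarked. Sample lines are
# constructed; 10.0.0.x is the assumed inside network, 192.0.2.10 a Zoom host.
SAMPLE_CAPTURE='12:00:01.000001 IP (tos 0xb8, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 200) 10.0.0.5.52000 > 192.0.2.10.8801: UDP, length 172
12:00:01.000002 IP (tos 0x0, ttl 52, id 2, offset 0, flags [DF], proto UDP (17), length 1100) 192.0.2.10.8801 > 10.0.0.5.52000: UDP, length 1072
12:00:01.000003 IP (tos 0x88, ttl 64, id 3, offset 0, flags [DF], proto UDP (17), length 1100) 10.0.0.5.52001 > 192.0.2.10.8802: UDP, length 1072
12:00:01.000004 IP (tos 0x0, ttl 52, id 4, offset 0, flags [DF], proto UDP (17), length 1100) 192.0.2.10.8802 > 10.0.0.5.52001: UDP, length 1072'

# DSCP is the upper six bits of the IPv4 TOS byte: 0xb8 -> 46 (EF), 0x88 -> 34 (AF41).
dscp_from_tos() {
    echo $(( $1 >> 2 ))
}

# Print "direction src > dst dscp N" per packet. $1 is the capture text,
# $2 the inside address prefix used to classify a packet as inbound.
summarise_dscp() {
    local_prefix="${2:-10.0.0.}"
    printf '%s\n' "$1" | while IFS= read -r line; do
        tos=$(printf '%s' "$line" | sed -n 's/.*(tos \(0x[0-9a-fA-F]*\),.*/\1/p')
        [ -n "$tos" ] || continue
        src=$(printf '%s' "$line" | sed -n 's/.*) \([0-9.]*\)\.[0-9]* > .*/\1/p')
        dst=$(printf '%s' "$line" | sed -n 's/.* > \([0-9.]*\)\.[0-9]*:.*/\1/p')
        case "$dst" in
            "$local_prefix"*) direction=inbound ;;
            *)                direction=outbound ;;
        esac
        printf '%s %s > %s dscp %s\n' "$direction" "$src" "$dst" "$(dscp_from_tos "$tos")"
    done
}

# Inbound packets with DSCP 0 had their tags stripped in transit and need
# re-marking at the edge (or a DSCP-preservation fix on the carrier network).
count_unmarked_inbound() {
    summarise_dscp "$1" "$2" | grep -c '^inbound .* dscp 0$'
}

summarise_dscp "$SAMPLE_CAPTURE"
echo "unmarked inbound packets: $(count_unmarked_inbound "$SAMPLE_CAPTURE")"
```

On a live edge device, feed the function the output of "tcpdump -nv udp" captured for a test meeting instead of the constructed sample.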

Wireless access points with current Wi-Fi standards, strong access point coverage, and traffic prioritization settings help facilitate high-quality Zoom media

For a strong wireless network capable of handling a multitude of audio and video collaboration streams, wireless access point (AP) coverage, user-to-AP ratio, and up-to-date AP hardware are important factors, along with continual monitoring and troubleshooting of network bottlenecks. For higher throughput and signal clarity, the 5 GHz wireless band is recommended for Zoom audio and video collaboration.

Use available QoS, bandwidth control, or application prioritization settings to optimize your wireless access points for Zoom

Modern APs may have some of the following onboard configurations, which allow for the prioritization of Zoom audio and video traffic.

Quality of Service (QoS)

Many modern wireless access points support QoS, which allows administrators to configure the priority level of Zoom audio and video data.

Wi-Fi Multimedia (WMM)

Part of the IEEE 802.11e standard, Wi-Fi Multimedia (WMM) is a QoS feature that prioritizes different types of Wi-Fi traffic based on their requirements (voice, video, best effort, and background). Enabling WMM on an access point can help to prioritize real-time traffic like Zoom.

Bandwidth Control

Bandwidth limits and rate-shaping policies can allocate a dedicated portion of the total bandwidth specifically for Zoom traffic.

Application Visibility and Prioritization

Application-level prioritization features allow administrators to assign higher priority to specific applications or protocols. Look for options to prioritize Zoom or video conferencing applications within the AP's settings.

Access Control Lists (ACLs)

To prioritize Zoom traffic, use access control lists (ACLs) to restrict the access of non-essential traffic during peak usage periods on wireless APs.

Channel Selection and Optimization

Optimize the selection and configuration of wireless channels to maximize throughput for Zoom traffic. Choose less congested channels, and adjust channel widths and transmit power levels as needed to optimize performance.

Virtual Private Networks

Use VPN Split Tunneling to avoid Zoom audio and video degradation and overloading your VPN infrastructure

Virtual Private Network (VPN) services are important for securing data accessed by users working from remote locations. However, when media from real-time collaboration applications like Zoom is transmitted through a VPN, a heavy load is placed on the VPN infrastructure, and significant audio and video degradation can occur.

Working with your VPN provider to deploy a template for VPN Split Tunneling allows you to designate what application data will traverse your VPN and what will bypass it to your local network.
