Since version 8.2, when Sophos UTM was called Astaro Security Gateway, the firewall distribution has the ability to filter by application instead of just ports, making it what marketing loves to call a “next-generation firewall”. Sophos calls this Application Control, Palo Alto Networks calls this App-ID, and other vendors have different names for it, but the underlying technology is similar to how an IDS would detect attacks by using signatures. In simple terms, the firewall identifies traffic based on application signatures and takes actions based on that.
The neat thing with Sophos UTM is that you can leverage this Application Control to select traffic and give it priority or throttle down its speed. When using Lync, it’s important to prioritize your media traffic at the edge so that calls and sharing for external or federated users get the bandwidth they need. Or perhaps you use Sophos UTM at home (because why not? it’s free) and want to make sure your calls get the right amount of bandwidth. Here’s how to do it:
- Set your interface bandwidths properly and turn on QoS on each. You can leave Automatic QoS checked (it’ll use WRED to balance your traffic nicely).
- Create a Traffic Selector by going to Interfaces & Routing > Quality of Service (QoS) > Traffic Selectors > New Traffic Selector.
- Pick Application Selector as the selector type, with source Any and destination Any, and browse for the Lync application objects. Note that there are many of them; the ones we’re interested in are the real-time audio/video objects. Pick them, hit Apply, then save the Traffic Selector.
- Next move to Bandwidth Pools, pick your external interface, and then New Bandwidth Pool.
- Pick a name for it, a “reserve” bandwidth, and then select the Traffic Selector you created earlier. The bandwidth setting is the amount Lync will get when your upload is completely saturated, i.e. a guaranteed floor rather than a cap. For example, if you’ve got a 10 megabit line and reserve 2048 kilobits, then Lync will be guaranteed 2 megabits even when the connection is being used 100%.
- Save the rule and then turn it on.
You can also create the same rule on the inside interfaces to make sure your traffic gets priority on the way back as well. Note that you can really only control how you send packets, not how you receive them: a pool on the inside interface shapes what the UTM forwards into your LAN, but it cannot slow down what your ISP delivers to the external interface in the first place.
Hope this is helpful! Feel free to drop a comment!