When you deploy your Survivable Branch Appliance (SBA), the following happens:
- The SBA sends an Internet Control Message Protocol (ICMP) request to Microsoft and requires an ICMP reply to declare connectivity between Microsoft Teams and the SBA is up.
- The SBA requests and receives a token from Azure.
- The SBC uses the token to receive the configuration from Teams.
- Meanwhile, the SBC sends SIP Options to the SBA and the SBA checks its configuration to see if the SBC is a known PSTN gateway. If the SBA finds the SBC, the signaling group comes up. If the SBA cannot find the SBC, it fails the call with a 480 Temporarily Unavailable response.
The primary causes for SBA deployments to fail are as follows:
- The ICMP is blocked.
- The SBA does not receive a token due to permissions.
- The required ports are not open in the network or on the firewall.
Other causes include:
- SBA configuration problem.
- Microsoft Teams tenant configuration problem.
This document provides information on troubleshooting Direct Routing SBA.
Troubleshooting a Direct Routing SBA
The following workflow defines the procedures for troubleshooting a Direct Routing SBA.
Workflow
Prerequisites
Before you begin, make sure you have completed the following:
- fulfill the prerequisites and complete the procedures in Best Practice - Configure Direct Routing Survivable Branch Appliance (SBA).
obtain access to Postman.
NotePostman is a third-party application that you are responsible for downloading it yourself. Ribbon does not supply nor support Postman. For more information on Postman, refer to: https://www.postman.com/.
Check the ICMP Communication between an SBA and Microsoft
Start
- Remote desktop to your SBA.
- From the Windows taskbar, right-click Start > Command Prompt to open a command prompt on the SBA.
- Ping www.microsoft.com to confirm basic ICMP communications.
Check the Authentication Settings in Microsoft Azure Active Directory
The SBA service requires a functional Application (client) ID (appId) and Application Secret (secret) from the Microsoft Azure portal under your tenant. For more information, refer to:
- https://learn.microsoft.com/en-us/azure/time-series-insights/time-series-insights-authentication-and-authorization
- Best Practice - Configure Direct Routing Survivable Branch Appliance (SBA)
Start
- Log in to the Microsoft Azure portal.
- In the left navigation pane, go to Manage > Authentication.
- In the Web section on the right, confirm the that Redirect URIs shows https://login.mocrosoftonline.com/common/oauth2/nativeclient.
- In the Implicit grant and hybrid flows section, confirm that the following two tokens are selected:
- Access tokens (used for implicit flows)
- ID tokens (used for implicit and hybrid flows)
Check the API Permissions Settings in Microsoft Azure Active Directory
Start
- Log in to the Microsoft Azure portal.
- In the left navigation pane, go to Manage > API Permissions.
- In the Configured permissions section on the right, complete the following:
a. confirm Grant admin consent for <your tenant> is enabled.
b. confirm the following API/permissions names are present under Skype and Teams Tenant Admin API:- application_access_custom_sba_appliance
- user_impersonation
- Select Skype and Teams tenant Admin API. The Request API permissions window opens.
- Select APIs my organization uses.
- Confirm that the permission is set for Skype and Teams Tenant Admin API and the Application (client) ID shows 48ac35b8-9aa8-4d74-927d-1f4a14a0b239 or Resource.
For more information on API permissions in the Microsoft Azure portal, refer to:
- https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
- https://learn.microsoft.com/en-us/azure/time-series-insights/time-series-insights-authentication-and-authorization
Test the API Access using Postman
Start
- Log in to Postman.
- Under the HTTP request protocol, select GET as the METHOD and enter https://api.interfaces.records.teams.microsoft.com/Teams.Sba/tenantapp.
- From the menu bar below METHOD, select Authorization.
- In the Configure New Token section, complete the following Configuration Options fields:
- Access Token URL: Enter your tenant ID.
- Client ID: Enter your Application (client) ID from the Microsoft Azure portal.
- Client Secret: Enter your Application Secret from the Microsoft Azure portal.
- In the Configure New Token section, complete the following Advanced Options field:
- Resource: Enter 48ac35b8-9aa8-4d74-927d-1f4a14a0b239.
- Resource: Enter 48ac35b8-9aa8-4d74-927d-1f4a14a0b239.
- Click Get New Access Token.
Verify that the generated token is valid. Below is an example of a valid token:
Example of a Valid Token{ "aud": "48ac35b8-9aa8-4d74-927d-1f4a14a0b239", "iss": "https://sts.windows.net/1z111111-1z11-111z-z1zz-1zz1z111z1z1/", (your tenantid here) "iat": 1681985824, "nbf": 1681985824, "exp": 1681989724, "aio": "E2ZgYOj+cyeyve6Lrei0vqQl+yYkAAA=", "app_displayname": "SBA-S2S-Test", (your app name here) "appid": "9aa99aa9-9a99-9999-a999-99a99a9aa9a9", (your appId here) "appidacr": "1", "idp": "https://sts.windows.net/1z111111-1z11-111z-z1zz-1zz1z111z1z1/", (your tenantid here) "idtyp": "app", "oid": "c2d604b8-3647-48d3-ba72-47e91a153f61", "rh": "0.AScAl1EgelmOfUi5-j_BsQjx5bg1rEiomnRNkn0fShSgsjknAAA.", "roles": [ "application_access_custom_sba_appliance" ], "sub": "c2d604b8-3647-48d3-ba72-47e91a153f61", "tenant_ctry": "US", "tenant_region_scope": "NA", "tid": "1z111111-1z11-111z-z1zz-1zz1z111z1z1", (your tenantid here) "uti": "rkAKMANZi12ISAA", "ver": "1.0", "wids": [ "0997a1d0-0d108-d5ca73121e90" ] }
- In the Manage Access Tokens section, click Use Token.
- At the end of the GET request, click Send. An output appears in the Response section.
Verify the output looks like the following:
GET Request Response{ "id": 1z111111-1z11-111z-z1zz-1zz1z111z1z1", (your tenantid here) "azurePSTNTrunkConfiguration": { "onlinePSTNGatewayList": [] }, "tenantBlockedCallingNumbers": { "enabled": true, "inboundBlockedNumberPatterns": [], "inboundExemptNumberPatterns": [] }, "onlinePstnRoutingSettings": { "onlineVoiceRoutes": [ { "name": "LocalRoute", "numberPattern": "^(\\+1[0-9]{10})$", "onlinePstnUsages": [], "onlinePstnGatewayList": [] } ] }, "tenantPstnTranslationRulesSettings": { "pstnTranslationRules": [] }, "teamsSbaConfiguration": { "teamsSurvivableBranchAppliances": [ { "fqdn": "Global" } ] } }
- If you verified your Application (client) ID (appId) and Application Secret (secret), proceed with Configure the Azure Active Directory Application of an Office 365 Direct Routing SBA.
Configure the Azure Active Directory Application of an Office 365 Direct Routing SBA on an SBC Edge
Start
- Log in to your SBC Edge.
- In the SBC Edge WebUI,, click the Tasks tab.
- In the left navigation pane, go to Office 365TM Direct Routing SBA > Setup. The setup pane opens on the right.
- Click the Configure Office 365 Direct Routing SBA tab.
- In the Azure Active Directory Application section, complete the following fields:
- Application ID: Enter your Application ID.
- Application Secret: Enter your Application Secret.
Review SBA Logs on an SBC Edge
Start
- Log in to your SBC Edge.
- In the SBC Edge WebUI, click the Diagnostics tab.
- In the left navigation pane, go to Teams Direct Routing > SBA Logs. The Office 365 Direct Routing SBA Logs pane opens on the right.
- From the Log Level drop-down list, select Debug. The following message opens.
- Click OK.
Workaround
Ribbon suggests the following workaround:
Start
- Convert FQDNs to lowercase in the following:
- the Teams tenant
- the SBC Edge
- the encryption-related certificate. For more information, refer to: Best Practice - Configure Direct Routing Survivable Branch Appliance (SBA).
- Redeploy your Direct Routing SBA, starting from the beginning of Best Practice - Configure Direct Routing Survivable Branch Appliance (SBA).