The Direct Routing Virtual Survivable Branch Appliance (vSBA) is a Ribbon Communications SBC SWe Edge offer accomplished through close cooperation with Microsoft®. The vSBA allows you to make and receive Public Switched Telephone Network (PSTN) calls when there is an outage.

SBC SWe Edge Direct Routing vSBA offering Direct Routing Call Services to Teams Clients

Direct Routing vSBA - Quick Facts


Note

Direct Routing vSBA is available on the SBC SWe Edge Release 11.0x and later.

Contact your authorized Ribbon sales representative/partner for more information regarding approved SBC SWe Edge Direct Routing vSBA platforms and acquisition.


Direct Routing vSBA Facts | Details
Platforms Supported

The Direct Routing vSBA is available in the SBC SWe Edge and hosted on one of the Windows VMs on your hypervisor.

The Direct Routing vSBA is activated based on a license key. Refer to Working with Licenses for license specifics.

How vSBA is Offered

The Direct Routing vSBA is offered in a software format; the vSBA is not available within the SBC 1000/2000.

vSBA Deployment

The Direct Routing vSBA should be deployed on the same site as an SBC connected to Direct Routing.

vSBA Services

The following services are available to Teams clients from the vSBA:

  • Making PSTN calls through local vSBA/SBC with media flowing
  • Receiving PSTN calls through local vSBA/SBC with media flowing
  • Hold and Resume of PSTN calls
Local Media/Media
  • Local Media Optimization (LMO) is not supported by the Direct Routing vSBA
  • The media flows directly between the Teams client and SBC, as opposed to Direct Routing vSBA acting as a media relay

Prerequisites

Microsoft Teams

Azure Active Directory

Virtual SBA

VM Requirements

  • A Windows Server 2019 VM with a minimum of four virtual processors, 8GB memory, and 80GB of disk space

Software Requirements

Firewall Requirements

  • Open the following ports for incoming traffic:
    • TCP 2049, 3443, 4444, 5061, and 8443

    • UDP 30000

SBC SWe Edge

  • Activate the license for the Virtual Direct Routing SBA feature.

Name Resolution

  • A Public or Private Fully Qualified Domain Name (FQDN) that points to the Direct Routing vSBA IP. No Public IP is required for the Direct Routing vSBA.

  • The Direct Routing vSBA should resolve the SBC Public FQDN with an address it can access.

Certificates

Microsoft requires a SHA256 certificate for the Direct Routing vSBA in order to establish a TLS connection with the SBC (see the following options):

  1. Shared SBC Public certificate (recommended). This is only possible if your SBC certificate matches one of the following options:

    • SBC Certificate is a wildcard certificate

      • SBC Certificate Common Name "CN: *.mydomain.com" or SBC Certificate Subject Alternative Name "SAN: *.mydomain.com".

    • SBC Certificate has a SAN for Direct Routing vSBA

      • SBC Certificate Common Name "CN: sbc.mydomain.com" and SBC Certificate Subject Alternative Name "SAN: sba.mydomain.com".

  2. Use an existing Public or Private Certificate that covers the Direct Routing vSBA FQDN.

  3. Create a new Public or Private Certificate that covers the Direct Routing vSBA FQDN. In this case, a Public or Private Certificate Authority must be ready to sign the certificate for the Direct Routing vSBA.
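The name-coverage test behind the three options above, as an added example that is not part of the Ribbon documentation. The matching rule is an assumption (RFC 6125 style: a wildcard stands for exactly one leftmost label), and the CN/SAN values are constructed from the page's example domain.

```python
# Added example: does a certificate's CN/SAN list cover the vSBA FQDN?
# Assumption: RFC 6125-style matching; the SBC's own matcher may differ.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, fqdn):
    """True if a certificate name (CN or SAN DNS entry) covers fqdn.

    A '*' is honoured only as the complete leftmost label and stands for
    exactly one label, so *.mydomain.com covers sba.mydomain.com but not
    sba.branch.mydomain.com or mydomain.com itself.
    """
    p, h = _labels(pattern), _labels(fqdn)
    if len(p) != len(h) or "" in h or "*" in h:
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def coverage(vsba_fqdn, common_name, sans=()):
    """Report how a certificate with this CN and SAN list covers vsba_fqdn."""
    for name in list(sans) + [common_name]:
        if name_matches(name, vsba_fqdn):
            wildcard = name.startswith("*.")
            fixed = name[1:] if wildcard else name  # part compared literally
            return {
                "covered": True,
                "via": name,
                "wildcard": wildcard,
                # The page's Confirm SIP Connectivity step asks for the SIP
                # Server entry to match the case of the CN/SAN, so flag
                # names that differ only by case.
                "case_exact": vsba_fqdn.rstrip(".").endswith(fixed.rstrip(".")),
            }
    return {"covered": False, "via": None, "wildcard": False, "case_exact": False}

def shareable(vsba_fqdn, sbc_cn, sbc_sans=()):
    """Option 1: can the vSBA reuse the SBC public certificate?"""
    return coverage(vsba_fqdn, sbc_cn, sbc_sans)["covered"]

if __name__ == "__main__":
    # Constructed sample certificates using the page's example domain.
    samples = [("*.mydomain.com", []),
               ("sbc.mydomain.com", ["sba.mydomain.com"]),
               ("sbc.mydomain.com", [])]
    for cn, sans in samples:
        print(cn, sans, coverage("sba.mydomain.com", cn, sans))
```

When `shareable` returns False, the SBC certificate cannot be reused and option 2 or 3 applies.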

Step 1: Install Virtual SBA Software

To ensure the SBC SWe Edge can run the Teams vSBA, install the virtual SBA software package on your hypervisor's Windows VM.

Install the vSBA Software

Run the installer for the Teams vSBA software packages on one of your hypervisor's Windows VMs.

  1. Supply a Windows Server 2019 VM with a minimum of four virtual processors, 8GB memory, and 80GB of disk space.

  2. Download and install .NET 4.8 Runtime.
  3. Run the Virtual Direct Routing SBA Installer (available in a Ribbon software package) to install all other required software, which includes the Microsoft vSBA and the Ribbon SBC Communication Service software.
    1. In the License Agreement screen, review the agreement and click I Agree.
    2. In the SBC IP Address screen, enter the IP address the SBC SWe Edge will use to reach the vSBA VM. Click Next.
    3. In the Choose Components screen, check the Required Components box. Click Install.
  4. Use the Windows firewall and open the following inbound ports:
    • TCP 2049, 3443, 4444, 5061, and 8443
    • UDP 30000

Step 2: Set Up the Office 365 Direct Routing vSBA

Setting up the Office 365 Direct Routing vSBA consists of four steps:

Configure Virtual Direct Routing SBA

  1. Log into the WebUI of the SBC SWe Edge.

  2. Navigate to Tasks > Office 365 Direct Routing SBA > Setup.

  3. Click the Virtual DR SBA tab.

  4. From the Virtual DR SBA Enabled drop-down menu, select Yes.

  5. In the IPv4 Address field, enter the IPv4 address of the Windows VM that runs the vSBA software that this SBC SWe Edge should connect to.

  6. Click Apply.

Generate CSR

  1. Log into the WebUI of the SBC SWe Edge.

  2. Navigate to Tasks > Office 365 Direct Routing SBA > Setup.

  3. Click the Generate CSR tab. Configure the fields in this tab with the required information.

    The following table outlines the fields in this tab.

    Field: Description

    Common Name: The Fully Qualified Domain Name of the server running the Virtual SBA application.

    Subject Alternative Name DNS: The alternative common name, which is either a wildcard or non-wildcard name. Specifies a list of comma-separated names covered by an SSL certificate in the common name field.
    Caution: This field should not be entered unless required by your environment/topology.

    ISO Country Code: The two letter code of the country in which your organization resides.

    State/Province: The state or region in which your organization resides.
    Caution: Do not abbreviate the location's name.

    Locality: The city in which your organization resides.

    Organization: The legal name of your organization that handles the certificate.

    Organizational Unit: The division of your organization that handles the certificate.

    Key Length: Key Length used to generate the Certificate Signing Request (CSR). Possible Values:

    • 2048 bits
    • 3072 bits
    • 4096 bits
  4. Click OK.

  5. Copy the CSR from the lower pane of the Generate CSR page and save it as a .txt file.

After the CSR is signed by the Certificate Authority, you receive the PKCS7 Certificate file.

Manage Certificates

Import SBC CA in Direct Routing vSBA

Note

These steps are required only if the Direct Routing vSBA does not share the SBC Public certificate. Use this if you generated a CSR and this is the initial deployment.

  1. Log into the WebUI of the SBC SWe Edge.

  2. Navigate to Tasks > Office 365 Direct Routing SBA > Setup.

  3. Click the Manage Certificate tab.

  4. Click the Action drop-down menu and select Import X.509 Signed Certificate.

  5. Paste the SBC CA certificate in the window and click OK.

Import Direct Routing vSBA Certificate

Caution

Make sure you import the Root and Intermediate certificate before importing the vSBA certificate. To import these certificates, perform the Import SBC CA in Direct Routing SBA procedure.

  1. Log into the WebUI of the SBC SWe Edge.

  2. Navigate to Tasks > Office 365 Direct Routing SBA > Setup.

  3. Click the Manage Certificate tab.

  4. Click the Action drop-down menu and select Import PKCS12 Certificate and Key.

  5. Enter the password, select the file (certificate) to import, and click OK.

Configure Office 365 Direct Routing SBA

  1. Log into the WebUI of the SBC SWe Edge.

  2. Navigate to Tasks > Office 365 Direct Routing SBA > Setup.

  3. Click the Configure Office 365 Direct Routing SBA tab.

  4. Configure the information appropriately for your Direct Routing vSBA.

    1. SBA FQDN. Must match the FQDN used to define this Direct Routing SBA in the Teams tenant item Teams Survivable Branch Appliance (New-CsTeamsSurvivableBranchAppliance).

    2. SBC Public FQDN. Must match the FQDN used to define the SBC SWe Edge that hosts this Direct Routing vSBA in the Teams tenant item Online PSTN Gateway (New-CsOnlinePSTNGateway).

    3. Create Azure AD Application. Enables the option to create new Azure AD Application credentials for this Direct Routing vSBA.

      • If you already created Azure AD Application credentials, select No and enter the credentials in Application ID and Application Secret.

      • If you did not previously create Azure AD Application credentials (or if you are not sure what this means), select Yes and enter the credentials in Azure Administrator Account Name and Azure Administrator Account Password.

        Azure Administrator Account Considerations

        The Azure Administrator Account needs the Global Administrator, Application Administrator, or Cloud Application Administrator role.

    4. Enter a Teams Tenant ID. To locate this information, refer to Find your Microsoft 365 tenant ID.

  5. Click Apply.

Step 3: Configure SBC SWe Edge

Run Easy Configuration Wizard

Follow the instructions for your specific scenario; both are listed below:

SBC Not Configured for Direct Routing ("Greenfield")

LMO Incompatibility

The Direct Routing vSBA is not capable of offering Local Media Optimization (LMO) features, such as:

  • Teams Downstream SBC operations

  • Teams Central SBC operations

  • Teams Central Proxy operations

To connect Direct Routing with a SIP Trunk, refer to: Configure SIP Trunk with Microsoft Teams. On Step 2, set Configure Direct Routing SBA as True and enter the Direct Routing SBA FQDN.

Sample Easy Configuration Screen

SBC Already Connected to Direct Routing (Upgrade from Standalone Direct Routing)

  1. Perform the Configure Single Leg Endpoint for Microsoft Teams procedure. On Step 2, configure Configure Direct Routing SBA as True and enter the Direct Routing SBA FQDN.

  2. Remap the call routing Direct Routing vSBA Signaling Group:

    1. In the WebUI, click the Settings tab.

    2. From the left navigation pane, under Signaling Groups, select the Office 365 Direct Routing SBA SIP Signaling Group.

    3. Modify the Call Routing Table to select the From Microsoft Teams Direct Routing call routing table previously used on your device.

      Select Signaling Group

  3. Enable Forking to the Direct Routing Server:

    1. From the left navigation pane, select Call Routing > Call Routing Table.

    2. Select the From SIP Trunk call routing table.

    3. Select the existing entry with First Signaling Group set to Teams Direct Routing.

    4. Set the Fork Call to Yes.

    5. Click Apply.

      Enable Forking

  4. Add a call route entry for Direct Routing vSBA:

    1. From the left navigation pane, select Call Routing > Call Routing Table.

    2. Select the From SIP Trunk call routing table.

    3. Click the Create Routing Entry icon.

    4. Configure the parameters as shown below. Leave all other parameters as default.

      Routing Entry - Example Values

      Parameter: Value

      Description: To Office 365 Direct Routing vSBA

      Number/Name Transformation Table: From SIP Trunk: Passthrough

      Destination Signaling Groups: Office 365 Direct Routing vSBA

    5. Click OK.

      Create Call Route Entry

  5. Delete unused resources:

    1. From the left navigation pane, select Signaling Groups.

    2. Delete the SIP Signaling Group called Teams Direct Routing that was created by the last Easy Config Wizard.

      Signaling Group Accuracy

      If you receive an error that a route entry is using this resource, you may have attempted to delete the wrong Signaling Group.


      Delete Signaling Group

    3. From the left navigation pane, select Call Routing > Call Routing Table and delete the Call Routing Table From Microsoft Teams Direct Routing created by the most recent use of the Easy Configuration Wizard.

      SIP Signaling Group Error

      If you receive an error that the SIP_SG entry is using this resource, you may have attempted to delete the wrong Call Routing Table.

      Delete Call Route Table

Step 4: Configure Sharing Trusted Certificate Authority Information

Note

These steps are required only if the Direct Routing vSBA does not share the SBC Public certificate.

The Trusted Certificate Authority information associated with the SBC and the Direct Routing vSBA must be shared within the platform.

Export the SBC's Certificate Authority Information to the Direct Routing vSBA

  1. In the WebUI, click the Tasks tab.

  2. Under the SBC Easy Setup, select Certificates.

  3. From the Trusted CAs tab, select the certificate and click Export Trusted CA Certificate.

  4. Save the file on your PC.

  5. Repeat this procedure from the Trusted CAs step for each CA certificate in the table. These are the SBC CA Certificates used in Import SBC CA in Direct Routing SBA.

Import the Direct Routing vSBA's Certificate Authority Information to the SBC

  1. Export the Root and Intermediate Certificate of the Certificate Authority (Public or Private) that generates the Direct Routing vSBA certificate.

  2. In the WebUI, click the Tasks tab.

  3. Under SBC Easy Setup, select Certificates.

  4. From the Trusted CAs tab, select Import Trusted CA Certificate.

  5. Select the right format (Copy and Paste or File Upload) and click OK.

  6. Repeat this procedure from the Trusted CAs step for each CA certificate.

Step 5: Verify System Configuration

Complete the following steps to confirm the configuration.

Verify SBA Certificate

  1. Navigate to Tasks > Office 365 Direct Routing SBA > Certificate.

  2. Ensure the Certificate Chain is reported as valid.

    • If the page reports Missing Root or Intermediate CA, return to Setup > Manage Certificate and select Import X.509 Signed Certificate. Import all the root and trusted certificates that generate the Certificate of the Direct Routing SBA. Once completed, return to the Certificate tab and ensure the Certificate Chain status is valid.

      Verify Certificate

Confirm vSBA Status

  1. Log into the WebUI of the SBC SWe Edge.

  2. Navigate to Settings > Virtual DR SBA > Operational Status.

  3. Confirm the Office 365 Direct Routing SBA Service:

    • Service Status is reported as Running

    • Service Information is reported as ready

      Direct Routing SBA Service Status

Confirm SIP Connectivity

The signaling groups configured for the Microsoft Teams Direct Routing vSBA include counters for SIP request and response messages related to incoming and outgoing options. As the SBC SWe Edge operates with the Microsoft Teams Direct Routing vSBA, the message counters show increasing numbers. Check the message counts and investigate potential sources of related integration issues as follows:

  1. In the WebUI, click the Settings tab.

  2. In the left navigation pane, click Signaling Groups.

  3. From the signaling group configured for Microsoft Teams Direct Routing SBA, click Counters.

  4. Check for an increasing message count in Outgoing Options.

  5. Check for an increasing message count in Incoming 2xx. 

    1. If the message count is not increasing, check that the SIP Server entry for the Direct Routing vSBA matches the case of the Certificate CN or SAN used by the Direct Routing vSBA.

    2. If you just completed the deployment of vSBA, a restart of the vSBA service may be required before you see the 200 OK increasing message count.
  6. Check for an increasing message count in Incoming Options.

  7. Check the message count in Outgoing 2xx. If the number is increasing, the changes you made during validation have resolved the integration issue(s).

    Signaling Group Counters

Confirm Teams Client Connection to vSBA

  1. Log into the WebUI of the SBC SWe Edge.

  2. Navigate to Tasks > Office 365 Direct Routing SBA > Teams Clients Connected.

  3. Confirm that your Teams client is reported.

    Confirm Teams Client Connection to SBA

Confirm Teams Client Can Run in Offline Mode

  1. Remove the Internet link between the Branch Office and the Microsoft Teams cloud.
  2. Open the Teams client. A banner is displayed, which indicates that the Teams client will only use the vSBA to make/receive calls when it is in offline mode.

    Confirm Teams Client Can Run in Offline Mode

Step 6: Place Test Call

Complete the following steps to place a test call:

  1. In the WebUI, click the Diagnostics tab.

  2. In the left navigation pane, select Tools > Test a Call.  

    Test a Call Parameters in WebUI

  3. Configure the parameters for test calls as follows:

    Values for Test Call Parameters

    Parameter: Value

    Destination Number: Type a telephone number assigned to a Teams user.

    Origination/Calling Number: Type a telephone number assigned to a Local (SIP Trunk or PSTN) user.

    Call Routing Table: Select the routing table that handles the calls from Local resources (From PSTN or From SIP Trunk).

  4. Click OK; the call should ring the Teams Client.

    Active Call Example

  5. If the test call does not ring the Teams client: 

    1. Check that the SBC IP routing is properly configured.

    2. Check whether you can place a call from Teams to the SBC. 

    3. If the call does not reach the SBC, then complete the following:

      1. Confirm that the firewall is properly configured to allow incoming SIP TLS messages.

      2. Confirm that the federated IP addresses are properly configured.

      3. If the call is Anonymous, refer to Configuring SBC Edge for Select Microsoft Teams Direct Routing Related Migration Scenarios for more details.

Step 7: Access Logs

  1. Log into the WebUI of the SBC SWe Edge.

  2. Navigate to Diagnostics > Teams Direct Routing > SBA logs.

  3. From the Log Level drop-down menu, select the desired log level for the Direct Routing vSBA.

  4. Use the table on the same page to view or Download the Direct Routing vSBA log files.

Step 8: Restart Services

  1. Log into the WebUI of the SBC SWe Edge.

  2. Navigate to Tasks > Office 365 Direct Routing SBA > Start/Stop Services.

  3. From the Service Action drop-down menu, select Stop Service.

  4. From the Service Name drop-down menu, select Teams Server.

  5. Click OK. Wait for the action to complete.

  6. From the Service Action drop-down menu, select Start Service.

  7. From the Service Name drop-down menu, select Teams Server.

  8. Click OK. Wait for the action to succeed.

Start SBA service