In this section:
The Direct Routing Virtual Survivable Branch Appliance (vSBA) is a Ribbon Communications SBC SWe Edge offer accomplished through close cooperation with Microsoft®. The vSBA allows you to make and receive Public Switched Telephone Network (PSTN) calls when there is an outage.
SBC SWe Edge Direct Routing vSBA offering Direct Routing Call Services to Teams Clients
Direct Routing vSBA - Quick Facts
Direct Routing vSBA is available on the SBC SWe Edge Release 11.0x and later.
Contact your authorized Ribbon sales representative/partner for more information regarding approved SBC SWe Edge Direct Routing vSBA platforms and acquisition.
Direct Routing vSBA Facts | Details |
---|---|
Platforms Supported | The Direct Routing vSBA is available in the SBC SWe Edge and hosted on one of the Windows VMs on your hypervisor. The Direct Routing vSBA is activated based on a license key. Refer to Working with Licenses for license specifics. |
How vSBA is Offered | The Direct Routing vSBA is offered in a software format; the vSBA is not available within the SBC 1000/2000. |
vSBA Deployment | The Direct Routing vSBA should be deployed on the same site as an SBC connected to Direct Routing. |
vSBA Services | The following services are available to Teams clients from the vSBA:
|
Local Media/Media |
|
Prerequisites
Microsoft Teams
- Configure the Microsoft Teams Tenant for Direct Routing SBA (refer to Survivable Branch Appliance (SBA) for Direct Routing).
Azure Active Directory
- Register the vSBA application with the Azure Active Directory so that it can connect to Microsoft 365 and read the required Teams Tenant data.
- Create Azure AD Application credentials either before deployment (refer to Survivable Branch Appliance (SBA) for Direct Routing and Register an application with the Microsoft identity platform) or during the SBA Configuration.
Virtual SBA
VM Requirements
- A Windows Server 2019 VM with a minimum of four virtual processors, 8GB memory, and 80GB of disk space
Software Requirements
- Install the .NET 4.8 Framework Runtime (refer to Download .NET Framework 4.8).
Install the .NET 3.5 Framework (using Program and Features -> Turn Windows Features on or off). This is needed for the SBC Communications Service.
NoteFor more information on turning your Windows Features on or off, refer to: https://answers.microsoft.com/en-us/windows/forum/all/turning-onoff-windows-features-in-control-panel/c6a13784-80dd-4cf9-98a5-1ca18e0e340b.
Firewall Requirements
- Open the following ports for incoming traffic:
TCP 2049, 3443, 4444, 5061, and 8443
UDP 30000
SBC SWe Edge
- Activate the license for the Virtual Direct Routing SBA feature.
Name Resolution
A Public or Private Fully Qualified Domain Name (FQDN) that points to the Direct Routing vSBA IP. No Public IP is required for the Direct Routing vSBA.
The Direct Routing vSBA should resolve the SBC Public FQDN with an address it can access.
Certificates
Microsoft requires a SHA256 certificate for the Direct Routing vSBA in order to establish a TLS connection with the SBC (see the following options):
Shared SBC Public certificate (recommended). This is only possible if your SBC certificate matches one of the following options:
SBC Certificate is a wildcard certificate
SBC Certificate Common Name "CN: *.mydomain.com" or SBC Certificate Subject Alternative Name "SAN: *.mydomain.com".
SBC Certificate has a SAN for Direct Routing vSBA
SBC Certificate Common Name "CN: sbc.mydomain.com" and SBC Certificate Subject Alternative Name "SAN: sba.mydomain.com".
Use an existing Public or Private Certificate that covers the Direct Routing vSBA FQDN.
Create a new Public or Private Certificate that covers the Direct Routing vSBA FQDN. In this case, a Public or Private Certificate Authority must be ready to sign the certificate for the Direct Routing vSBA.
Step 1: Install Virtual SBA Software
To ensure the SBC SWe Edge can run the Teams vSBA, install the virtual SBA software package on your hypervisor's Windows VM.
Install the vSBA Software
Run the installer for the Teams vSBA software packages on one of your hypervisor's Windows VM.
Supply a Windows Server 2019 VM with a minimum of four virtual processors, 8GB memory, and 80GB of disk space.
- Download and install .NET 4.8 Runtime.
- Run the Virtual Direct Routing SBA Installer (available in a Ribbon software package) to install all other required software, which includes the Microsoft vSBA and the Ribbon SBC Communication Service software.
- In the License Agreement screen, review the agreement and click I Agree.
- In the SBC IP Address screen, enter the IP address the SBC SWe Edge will use to reach the vSBA VM. Click Next.
- In the Choose Components screen, check the Required Components box. Click Install.
- Use the Windows firewall and open the following inbound ports:
- TCP 2049, 3443, 4444, 5061, and 8443
- UDP 30000
Step 2: Setup the Office 365 Direct Routing vSBA
Setting up the Office 365 Direct Routing vSBA consists of four steps:
Configure Virtual Direct Routing SBA
Log into the WebUI of the SBC SWe Edge.
Navigate to Tasks > Office 365 Direct Routing SBA > Setup.
Click the Virtual DR SBA tab.
From the Virtual DR SBA Enabled drop-down menu, select Yes.
In the IPv4 Address field, enter the IPv4 address of the Windows VM that runs the vSBA software that this SBC SWe Edge should connect to.
- Click Apply.
Generate CSR
These steps are required only if you need to create a new Public or Private Certificate that covers Direct Routing vSBA FQDN.
Log into the WebUI of the SBC SWe Edge.
Navigate to Tasks > Office 365 Direct Routing SBA > Setup.
Click the Generate CSR tab. Configure the fields in this tab with the required information.
The following table outlines the fields in this tab.Field Description Common Name The Fully Qualified Domain Name of the server running the Virtual SBA application.
Subject Alternative Name DNS Caution: This field should not be entered unless required by your environment/topology.
The alternative common name, which is either a wildcard or non-wildcard name. Specifies a list of comma-separated names covered by an SSL certificate in the common name field.
ISO Country Code The two letter code of the country in which your organization resides. State/Province Caution: Do not abbreviate the location's name.
The state or region in which your organization resides.
Locality The city in which your organization resides. Organization The legal name of your organization that handles the certificate. Organizational Unit The division of your organization that handles the certificate. Key Length Key Length used to generate the Certificate Signing Request (CSR).
Possible Values:
- 2048 bits
- 3072 bits
- 4096 bits
Click OK.
Copy the CSR from the lower pane of the Generate CSR page and save it as a .txt file.
After the CSR is signed by the Certificate Authority, you receive the PKCS7 Certificate file.
Manage Certificates
Import SBC CA in Direct Routing vSBA
These steps are required only if the Direct Routing vSBA does not share the SBC Public certificate. Use this if you generated a CSR and this is the initial deployment.
Log into the WebUI of the SBC SWe Edge.
Navigate to Tasks > Office 365 Direct Routing SBA > Setup.
Click the Manage Certificate tab.
Click the Action drop-down menu and select Import X.509 Signed Certificate.
Paste the SBC CA certificate in the window and click OK.
Import Direct Routing vSBA Certificate
Make sure you import the Root and Intermediate certificate before importing the vSBA certificate. To import these certificates, perform the Import SBC CA in Direct Routing SBA procedure.
Log into the WebUI of the SBC SWe Edge.
Navigate to Tasks > Office 365 Direct Routing SBA > Setup.
Click the Manage Certificate tab.
Click the Action drop-down menu and select Import PKCS12 Certificate and Key.
Enter the password, select the file (certificate) to import, and click OK.
Configure Office 365 Direct Routing SBA
Log into the WebUI of the SBC SWe Edge.
Navigate to Tasks > Office 365 Direct Routing SBA > Setup.
Click the Configure Office 365 Direct Routing SBA tab.
Configure the information appropriately for your Direct Routing vSBA.
SBA FQDN. Must match the FQDN used to define this Direct Routing SBA in the Teams tenant item Teams Survivable Branch Appliance (New-CsTeamsSurvivableBranchAppliance).
SBC Public FQDN. Must match the FQDN used to define the SBC SWe Edge that hosts this Direct Routing vSBA in the Teams tenant item Online PSTN Gateway (New-CsOnlinePSTNGateway).
Create Azure AD Application. Enables the option to create new Azure AD Application credentials for this Direct Routing vSBA.
If you already created Azure AD Application credentials, select No and enter the credentials in Application ID and Application Secret.
If you did not previously create Azure AD Application credentials (or if you are not sure what this means), select Yes and enter the credentials in Azure Administrator Account Name and Azure Administrator Account Password.
Azure Administrator Account ConsiderationsThis Azure Administrator Account account needs Global Administrator, an Application Administrator, or a Cloud Application Administrator role.
Enter a Teams Tenant ID. To locate this information, refer to Find your Microsoft 365 tenant ID.
Click Apply.
Step 3: Configure SBC SWe Edge
Run Easy Configuration Wizard
Follow the instructions for your specific scenario; both are listed below:
SCENARIO 1: If your SBC is not yet configured to a connected Direct Routing (Greenfield), use the SBC Not Configured for Direct Routing ("Greenfield") procedure.
SCENARIO 2: If your SBC is already configured to a connected Direct Routing (Upgrade from Standalone Direct Routing), use the SBC Already Connected to Direct Routing (Upgrade from Standalone Direct Routing) procedure.
SBC Not Configured for Direct Routing ("Greenfield")
The Direct Routing vSBA is not capable of offering Local Media Optimization (LMO) features, such as:
Teams Downstream SBC operations
Teams Central SBC operations
Teams Central Proxy operations
To connect Direct Routing with a SIP Trunk, refer to: Configure SIP Trunk with Microsoft Teams. On Step 2, set Configure Direct Routing SBA as True and enter the Direct Routing SBA FQDN.
Sample Easy Configuration Screen
SBC Already Connected to Direct Routing (Upgrade from Standalone Direct Routing)
Perform the Configure Single Leg Endpoint for Microsoft Teams procedure. On Step 2, configure Configure Direct Routing SBA as True and enter the Direct Routing SBA FQDN.
Remap the call routing Direct Routing vSBA Signaling Group:
In the WebUI, click the Settings tab.
From the left navigation pane, under Signaling Groups, select the Office 365 Direct Routing SBA SIP Signaling Group.
Modify the Call Routing Table to select the From Microsoft Teams Direct Routing call routing table previously used on your device.
Enable Forking to the Direct Routing Server:
From the left navigation pane, select Call Routing > Call Routing Table.
Select the From SIP Trunk call routing table.
Select the existing entry with First Signaling Group set to Teams Direct Routing.
Set the Fork Call to Yes.
Click Apply.
Add a call route entry for Direct Routing vSBA:
From the left navigation pane, select Call Routing > Call Routing Table.
Select the From SIP Trunk call routing table.
Click the Create Routing Entry icon (
).Configure the parameters as shown below. Leave all other parameters as default.
Click OK.
Delete unused resources:
From the left navigation pane, select Signaling Groups.
Delete the SIP Signaling Group called Teams Direct Routing that was created by the last Easy Config Wizard.
Signaling Group AccuracyIf you receive an error that a route entry is using this resource, you may have attempted to delete the wrong Signaling Group.
From the left navigation pane, select Call Routing > Call Routing Table and delete the Call Routing Table From Microsoft Teams Direct Routing created by the most recent use of the Easy Configuration Wizard.
SIP Signaling Group ErrorIf you receive an error that the SIP_SG entry is using this resource, you may have attempted to delete the wrong Call Routing Table.
Step 4: Configure Sharing Trusted Certificate Authority Information
These steps are required only if the Direct Routing vSBA does not share the SBC Public certificate.
The Trusted Certificate Authority information associated with the SBC and the Direct Routing vSBA must be shared within the platform.
Export the SBC's Certificate Authority Information to the Direct Routing vSBA
In the WebUI, click the Tasks tab.
Under the SBC Easy Setup, select Certificates.
From the Trusted CAs tab, select the certificate and click Export Trusted CA Certificate.
Save the file on your PC.
Repeat this procedure from the Trusted CAs step for each CA certificate in the table. These are the SBC CA Certificates used in Import SBC CA in Direct Routing SBA.
Import the Direct Routing vSBA's Certificate Authority Information to the SBC
Export the Root and Intermediate Certificate of the Certificate Authority (Public or Private) that generates the Direct Routing vSBA certificate.
In the WebUI, click the Tasks tab.
Under SBC Easy Setup, select Certificates.
From the Trusted CAs tab, select Import Trusted CA Certificate.
Select the right format (Copy and Paste or File Upload) and click OK.
Repeat this procedure from the Trusted CAs step for each CA certificate.
Step 5: Verify System Configuration
Complete the following steps to confirm the configuration.
Verify SBA Certificate
Navigate to Tasks > Office 365 Direct Routing SBA > Certificate.
Ensure the Certificate Chain is reported as valid.
If the page reports Missing Root or Intermediate CA, return to Setup > Manage Certificate and select Import X.509 Signed Certificate. Import all the root and trusted certificates that generate the Certificate of the Direct Routing SBA. Once completed, return to the Certificate tab and ensure the Certificate Chain status is valid.
Confirm vSBA Status
Log into the WebUI of the SBC SWe Edge.
Navigate to Settings > Virtual DR SBA > Operational Status.
Confirm the Office 365 Direct Routing SBA Service:
Service Status is reported as Running
Service Information is reported as ready
Confirm SIP Connectivity
The signaling groups configured for the Microsoft Teams Direct Routing vSBA include counters for SIP request and response messages related to incoming and outgoing options. As the SBC SWe Edge operates with the Microsoft Teams Direct Routing vSBA, the message counters show increasing numbers. Ensure the message counts and investigate potential sources of related integration issues are as follows:
In the WebUI, click the Settings tab.
In the left navigation pane, click Signaling Groups.
From the signaling group configured for Microsoft Teams Direct Routing SBA, click Counters.
Check for an increasing message count in Outgoing Options.
Check for an increasing message count in Incoming 2xx.
If there is not an increasing message count, check that the Sip Server Entry for the Direct Routing vSBA matches the cases of the Certificate CN or SAN used by Direct Routing vSBA.
- If you just completed the deployment of vSBA, a restart of the vSBA service may be required before you see the 200 OK increasing message count.
Check for an increasing message count in Incoming Options.
Check the message count in Outgoing 2xx. If the number is increasing, the changes you made during validation have resolved the integration issue(s).
Confirm Teams Client Connection to vSBA
Log into the WebUI of the SBC SWe Edge.
Navigate to Tasks > Office 365 Direct Routing SBA > Teams Clients Connected.
Confirm that your Teams client is reported.
Confirm Teams Client Can Run in Offline Mode
- Remove the Internet link between the Branch Office and the Microsoft Teams cloud.
Open the Teams client. A banner is displayed, which indicates that the Teams client will only use the vSBA to make/receive calls when it is in offline mode.
Step 6: Place Test Call
Complete the following steps to place a test call:
In the WebUI, click the Diagnostics tab.
In the left navigation pane, select Tools > Test a Call.
Configure the parameters for test calls as follows:
Click OK; the call should ring the Teams Client.
If the test call does not ring the Teams client:
Check that the SBC IP routing is properly configured.
Check whether you can place a call from Teams to the SBC.
If the call does not reach the SBC, then complete the following:
Confirm that the firewall is properly configured to allow incoming SIP TLS messages.
Confirm that the federated IP addresses are properly configured.
If the call is Anonymous, refer to Configuring SBC Edge for Select Microsoft Teams Direct Routing Related Migration Scenarios for more details.
Step 7: Access Logs
Log into the WebUI of the SBC SWe Edge.
Navigate to Diagnostics > Teams Direct Routing > SBA logs.
From the Log Level drop-down menu, select the desired log level for the Direct Routing vSBA.
Use the table on the same page to view or Download the Direct Routing vSBA log files.
Step 8: Restart Services
Log into the WebUI of the SBC SWe Edge.
Navigate to Tasks > Office 365 Direct Routing SBA > Start/Stop Services.
From the Service Action drop-down menu, select Stop Service.
From the Service Name drop-down menu, select Teams Server.
Click OK. Wait for the action to complete.
From the Service Action drop-down menu, select Start Service.
From the Service Name drop-down menu, select Teams Server.
Click OK. Wait for the action to succeed.