Overview

This document details the configuration required for an SBC SWe Edge to offer Microsoft Teams Phone System-related Direct Routing services in Microsoft Azure. The SBC SWe Edge can be used to connect an enterprise's Teams clients to:

  • Third-party PBX and subtended clients
  • SIP trunk from a third-party provider (PSTN)


    SBC SWe Edge in Microsoft Azure offering Direct Routing Services to Teams Clients

From the Azure public cloud, the SBC SWe Edge offers the same features as an on-premises deployment (based on Microsoft® Hyper-V®, VMware® vSphere® ESXi, or Linux® KVM) in support of Direct Routing, such as:

  • Security: Call encryption/decryption, denial-of-service (DoS)/distributed DoS attack neutralization, and protection from toll fraud.
  • Interoperability: Call mediation services to connect Teams certified clients to non-Teams clients, including popular third-party SIP trunking and SIP PBX platforms such as the Avaya® Aura® Communication Manager and the Cisco® Unified Communications Manager.
  • Survivability: Uninterrupted calling services for SIP clients (including Polycom® and Yealink® phones) through built-in SIP registrar and re-routing around failed routes/proxy servers/destination endpoints.

The SBC SWe Edge is certified for Teams Direct Routing media bypass and non-media bypass services. Refer to the Microsoft Teams Phone System Direct Routing certification page.

Step 1: Deploy SBC SWe Edge via Azure Marketplace

These instructions assume the SBC SWe Edge product is deployed via Microsoft Azure and running. If the product is not installed, refer to Deploying an SBC SWe Edge from the Azure Marketplace.

Step 2: Review Prerequisites for Microsoft Teams Direct Routing


Microsoft Teams Direct Routing Configuration

Consult the Microsoft documentation for detailed information on Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.

SBC Edge Software

Ensure the SBC is running the latest SBC Edge software release before continuing.

Obtain IP Address and FQDN

Requirements for configuring the SBC Edge in support of Teams Direct Routing include:

SBC Edge Requirements

Requirement                                        How it is Used
Public IP address of NAT device (must be Static)*  Required for SBC Behind the NAT deployment.
Private IP address of the SBC                      Required for SBC Behind the NAT deployment.
Public IP address of SBC                           Required for SBC with Public IP deployment.
Public FQDN                                        The Public FQDN must point to the Public IP Address.

*NAT translates a public IP address to a Private IP address.

Domain Name

For the SBC Edge to pair with Microsoft Teams, the SBC FQDN's domain name must match a name registered in both the Domains and DomainUrlMap fields of the tenant. Verify the correct domain name is configured for the tenant as follows:

  1. On the Microsoft Teams tenant side, execute Get-CsTenant.
  2. Review the output.
  3. Verify that the domain name is listed in the Domains and DomainUrlMap attributes for the tenant. If the domain name is incorrect or missing, the SBC will not pair with Microsoft Teams.

Users may be from any SIP domain registered for the tenant. For example, you can configure the user user@SonusMS01.com with the SBC FQDN sbc1.hybridvoice.org, as long as both domains are registered for the tenant.

Domain Name Examples

Domain Name*      Use for SBC FQDN?  FQDN Names - Examples
SonusMS01.com     Yes                Valid names: host names directly under SonusMS01.com.
hybridvoice.org   Yes                Valid names: sbc1.hybridvoice.org (see the example above).
                                     Non-valid name: sbc1.europe.hybridvoice.org (requires registering the domain name europe.hybridvoice.org in "Domains" first).

*Do not use the *.onmicrosoft.com tenant domain as the domain name.

Configure Domain Names - Example
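The domain rule above can be checked before you attempt pairing. The following POSIX shell helper is an added example and not part of the Ribbon documentation: sbc_fqdn_ok accepts an SBC FQDN only if its parent domain (everything after the first label) is in the tenant's registered domain list and is not the tenant's *.onmicrosoft.com default domain, which is why sbc1.europe.hybridvoice.org is rejected until europe.hybridvoice.org itself is registered. The TENANT_DOMAINS list is constructed from this page's examples; in practice populate it from the Domains attribute printed by Get-CsTenant. The resolves_to helper checks that the public FQDN points at the SBC's static public IP; it needs a resolver and is not exercised offline.

```shell
#!/bin/sh
# Added example: eligibility check for an SBC FQDN before pairing with Teams.
# Constructed input: the registered tenant domains taken from this page's examples.
# In practice, fill this list from the Domains attribute printed by Get-CsTenant.
TENANT_DOMAINS="SonusMS01.com hybridvoice.org"

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sbc_fqdn_ok FQDN
# Returns 0 when the FQDN can be used for Direct Routing pairing:
#   - it has at least host.domain.tld,
#   - its parent domain (everything after the first label) is registered, and
#   - that parent domain is not the tenant's default *.onmicrosoft.com domain.
sbc_fqdn_ok() {
  fqdn=$(lower "$1")
  case "$fqdn" in
    *.*.*) ;;
    *) return 1 ;;
  esac
  parent=${fqdn#*.}          # sbc1.europe.hybridvoice.org -> europe.hybridvoice.org
  case "$parent" in
    *.onmicrosoft.com|onmicrosoft.com) return 1 ;;
  esac
  for d in $TENANT_DOMAINS; do
    [ "$(lower "$d")" = "$parent" ] && return 0
  done
  return 1
}

# resolves_to FQDN IP: 0 if the public FQDN resolves to the SBC's static public IP.
# Needs a working resolver, so it is not part of the offline checks below.
resolves_to() {
  getent hosts "$1" | awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }'
}

# Walk the page's examples and report the verdict for each.
for name in sbc1.hybridvoice.org sbc1.europe.hybridvoice.org sbc1.contoso.onmicrosoft.com; do
  if sbc_fqdn_ok "$name"; then echo "OK      $name"; else echo "REJECT  $name"; fi
done
```

Run it as-is to see the three verdicts; replace TENANT_DOMAINS with your tenant's list and pass your intended SBC FQDN to sbc_fqdn_ok before generating the certificate, since the same FQDN must appear in the certificate.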


Obtain Certificate

Public Certificate

The Certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.

Configure and Generate Certificates on the SBC

Warning: Common Encryption Certificate Issues Arise from Missing Root Certificates
  • Did you only install the CA-signed SBC certificate, along with the intermediate certificate(s) sent by your issuing CA?
  • Did you get the following error message from the SBC?




If so, the likely reason is a missing CA Root Certificate. The SBC does not have any pre-installed CA root X.509 certificates, unlike typical browsers found on your PC. Ensure the entire certificate chain of trust is installed on the SBC, including the root certificate. Acquire the CA root certificate as follows:

  1. Contact your system administrator or certificate vendor to acquire the root, and any further missing intermediate certificate(s) to provision the entire certificate chain of trust within the SBC;
  2. Load the root certificate, along with the intermediate and SBC certificates, according to Importing Trusted Root CA Certificates.

NOTE: Root certificates are easily acquired from the certificate authorities. For example, the root certificate for the GoDaddy Class 2 Certification Authority may be found at https://ssl-ccp.godaddy.com/repository?origin=CALLISTO . For more information about root certificates, intermediate certificates, and the SBC server (“leaf”) certificates, refer to this tutorial.

For other certificate-related errors, refer to Common Troubleshooting Issues with Certificates in SBC Edge Portfolio.

Microsoft Teams Direct Routing allows only TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities.

Request a certificate for the SBC external interface and install it as follows (the original example uses GlobalSign as the CA; the steps are the same for any supported CA):

  • Generate a Certificate Signing Request (CSR) and obtain the certificate from a supported Certification Authority.
  • Import the Public CA Root/Intermediate Certificate on the SBC.
  • Import the Microsoft CA Certificate on the SBC.
  • Import the SBC Certificate.

The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority.

Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)

Many CAs no longer accept a 1024-bit private key. Check your CA's requirements and select the key length accordingly (2048 bits or longer is the usual minimum).

  1. Access the WebUI.
  2. Access Settings > Security > SBC Certificates.
  3. Click Generate SBC Edge CSR.

  4. Enter data in the required fields. The Common Name (or a Subject Alternative Name) must be the SBC public FQDN that Teams connects to; Microsoft validates the certificate against that FQDN.

  5. Click OK. After the Certificate Signing Request finishes generating, copy the result to the clipboard.

  6. Use the generated CSR text from the clipboard to obtain the certificate from the CA.

Step 2: Deploy the SBC and Root/Intermediate Certificates on the SBC

After receiving the certificates from the certification authority, install the Root/Intermediate certificates first and then the SBC certificate, so that the chain of trust is complete when the SBC certificate is validated:

  1. Obtain the Trusted Root and Intermediate signing certificates from your certification authority.
  2. Access the WebUI.
  3. To install the Trusted Root Certificates, click Settings > Security > SBC Certificates > Trusted Root Certificates.
  4. Click Import and select the trusted root certificates (the root and every intermediate in the chain).
  5. Validate the certificates are installed correctly.
  6. To install the SBC certificate, open Settings > Security > SBC Certificates > SBC Primary Certificate.
  7. Click Import and select X.509 Signed Certificate.
  8. Validate the certificate is installed correctly.

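The missing-root failure described in the warning above can be reproduced offline. The following shell script is an added example, not Ribbon's code: it builds a throwaway root CA, intermediate CA and SBC leaf certificate with openssl, then shows that the leaf does not verify when only the intermediate is trusted and does verify once the root is added, which is the chain the SBC needs in its Trusted Root Certificates store. The leaf is generated from a 2048-bit key with the SBC FQDN in the Subject Alternative Name, mirroring the CSR step. All CA names and the FQDN sbc1.hybridvoice.org are constructed. The show_sbc_chain helper at the end connects to a live SBC on TCP 5061 and is not run here.

```shell
#!/bin/sh
# Added example: reproduce and fix the "missing root certificate" chain failure.
# Requires openssl 1.1.1 or later. All CA names and the SBC FQDN are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

SBC_FQDN=sbc1.hybridvoice.org   # constructed; use your public SBC FQDN

# 1. Throwaway self-signed root CA, standing in for the public CA's root that the SBC does not ship with.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root.ext -out root.pem 2>/dev/null

# 2. Intermediate (issuing) CA signed by the root; this is what CAs usually bundle with the leaf.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
  -keyout int.key -out int.csr 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile int.ext -out int.pem 2>/dev/null

# 3. SBC leaf: 2048-bit key (most CAs reject 1024-bit), FQDN in the SAN, serverAuth and
#    clientAuth because the SBC is both TLS server and TLS client towards Teams.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$SBC_FQDN" \
  -keyout sbc.key -out sbc.csr 2>/dev/null
printf '%s\n' 'basicConstraints=CA:FALSE' \
  'keyUsage=critical,digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth,clientAuth' \
  'authorityKeyIdentifier=keyid' \
  "subjectAltName=DNS:$SBC_FQDN" > sbc.ext
openssl x509 -req -in sbc.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile sbc.ext -out sbc.pem 2>/dev/null

# chain_ok TRUSTSTORE LEAF: 0 when LEAF chains up to a self-signed root inside TRUSTSTORE.
# TRUSTSTORE is a PEM bundle, which is what the SBC's Trusted Root Certificates store amounts to.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# The common mistake: only the intermediate sent by the CA is installed.
cp int.pem trusted-missing-root.pem
# The fix: root and intermediate are both present.
cat root.pem int.pem > trusted-full.pem

if chain_ok trusted-missing-root.pem sbc.pem; then
  echo "unexpected: leaf verified without the root"; exit 1
fi
echo "intermediate only : FAIL (what the SBC sees when the root is missing)"
chain_ok trusted-full.pem sbc.pem
echo "root+intermediate : OK"

# show_sbc_chain HOST [PORT]: list subject/issuer of each certificate a live SBC presents on its
# Direct Routing TLS port, to compare against what is installed. Needs network access.
show_sbc_chain() {
  openssl s_client -connect "$1:${2:-5061}" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -E '^ *[0-9]+ s:|^ *i:'
}
```

The same two-line check, with your CA's root and intermediate concatenated into one bundle, tells you before you touch the SBC whether the files you received from the CA form a complete chain; show_sbc_chain against the public FQDN then confirms the SBC is presenting the leaf plus intermediate that Teams expects.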
Firewall Rules

Ribbon recommends the deployment of the SBC Edge product behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Portfolio Security Hardening Checklist for more information about the SBC and firewalls.

This section lists the ports, protocols and services for firewalls that are in the path of the SBC connecting to Teams Direct Routing.

Basic Firewall Rules for All Call Flows

Inbound Public (Internet to SBC)
  • SIP TLS: TCP 5061*
  • Media for SBC 1000: UDP 16384-17584**
  • Media for SBC 2000: UDP 16384-19384**
  • Media for SBC SWe Edge: UDP 16384-21384

Outbound Public (SBC to Internet)
  • DNS: TCP 53
  • DNS: UDP 53
  • NTP: UDP 123
  • SIP TLS: TCP 5061
  • Media: UDP 49152-53247

* Defined in the Tenant configuration.
** The SBC SWe Edge opens media ports as needed; fixed media rules apply to the SBC 1000 and SBC 2000 and depend on the media port pairs configured in the SBC.

Public Access Information

The tables below are ACL (Access Control List) examples that protect the SBC Edge. When the Teams-related Easy Configuration wizards are used in an enterprise deployment, these attributes are provisioned automatically. If you are manually configuring the SBC Edge as part of a Microsoft Teams Direct Routing migration scenario (for example, from Skype for Business or CCE), you must configure these ports manually. For details on ACLs, refer to Creating and Modifying Rules for IPv6 Access Control Lists.

Note that the Inbound SIP Request rule admits TCP 5061 from any source address; what rejects an untrusted peer on that port is the TLS handshake and certificate validation, not the ACL. Where your deployment allows it, narrow the source of that rule to the SIP signaling subnets Microsoft publishes for Direct Routing, as the media rule already does for 52.112.0.0/14 and 52.120.0.0/14.

Public Access In - Requirements

Description          | Protocol | Action | Src IP Address               | Src Port    | Dest IP Address | Dest Port
Outbound DNS Reply   | TCP      | Allow  | 0.0.0.0/0                    | 53          | SBC/32          | 0-65535
Outbound DNS Reply   | UDP      | Allow  | 0.0.0.0/0                    | 53          | SBC/32          | 0-65535
Outbound NTP Reply   | UDP      | Allow  | 0.0.0.0/0                    | 123         | SBC/32          | 123
Outbound SIP Reply   | TCP      | Allow  | 0.0.0.0/0                    | 5061        | SBC/32          | 1024-65535
Inbound SIP Request  | TCP      | Allow  | 0.0.0.0/0                    | 1024-65535  | SBC/32          | 5061*
Inbound Media Helper | UDP      | Allow  | 52.112.0.0/14, 52.120.0.0/14 | 49152-53247 | SBC/32          | 16384-17584**
Deny All             | Any      | Deny   | 0.0.0.0/0                    | Any         | 0.0.0.0/0       | Any


Public Access Out - Requirements

Description           | Protocol | Action | Src IP Address | Src Port      | Dest IP Address              | Dest Port
Outbound DNS Request  | TCP      | Allow  | SBC/32         | 0-65535       | 0.0.0.0/0                    | 53
Outbound DNS Request  | UDP      | Allow  | SBC/32         | 0-65535       | 0.0.0.0/0                    | 53
Outbound NTP Request  | UDP      | Allow  | SBC/32         | 0-65535       | 0.0.0.0/0                    | 123
Outbound SIP Request  | TCP      | Allow  | SBC/32         | 0-65535       | 0.0.0.0/0                    | 5061
Inbound SIP Reply     | TCP      | Allow  | SBC/32         | 5061*         | 0.0.0.0/0                    | 1024-65535
Outbound Media Helper | UDP      | Allow  | SBC/32         | 16384-17584** | 52.112.0.0/14, 52.120.0.0/14 | 49152-53247
Deny All              | Any      | Deny   | 0.0.0.0/0      | Any           | 0.0.0.0/0                    | Any


* Defined in the Tenant configuration.

** The SBC SWe Edge does not require this rule, because it opens media ports as needed. The rule is required only for the SBC 1000 and SBC 2000, and the port range depends on the media port pairs configured in the SBC.

Firewall Rules for the SBC with Media Bypass

Apply the following firewall rules:

The Teams client IP address cannot be predicted, so the media bypass rules must allow any source IP (0.0.0.0/0). This widens the exposure of the media port range compared with the non-bypass rules, which accept media only from the Microsoft prefixes.

Inbound Public (Internet to SBC)
  • Media for SBC 1000: UDP 17586-21186**
  • Media for SBC 2000: UDP 19386-28386**

Outbound Public (SBC to Internet)
  • Media: UDP 50000-50019

If the device that performs NAT between the Teams client and the SBC public IP also performs PAT (Port Address Translation), verify that it preserves the source port range of the Teams client media, or open all ports from 1024 to 65535.

For an SBC behind NAT, the firewall must allow traffic between the firewall IP and the NAT device's IP.

For an SBC not using NAT, the firewall must allow traffic between the firewall and the SBC's public IP.

Public Access

The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).

Public Access In - Requirements (Media Bypass Scenario)

Description                 | Protocol | Action | Src IP Address | Src Port   | Dest IP Address | Dest Port
Inbound Media Bypass Helper | UDP      | Allow  | 0.0.0.0/0      | 1024-65535 | SBC/32          | 16384-21186**

Public Access Out - Requirements (Media Bypass Scenario)

Description                  | Protocol | Action | Src IP Address | Src Port      | Dest IP Address | Dest Port
Outbound Media Bypass Helper | UDP      | Allow  | SBC/32         | 16384-21186** | 0.0.0.0/0       | 1024-65535

* Defined in the Tenant configuration.

** The SBC SWe Edge does not require this rule, because it opens media ports as needed. The rule is required only for the SBC 1000 and SBC 2000, and the port range depends on the media port pairs configured in the SBC.

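The two ACL sets above (the non-bypass tables, whose media rule admits RTP only from the Microsoft prefixes, and the media bypass tables, whose media rule has to admit RTP from any address) can be checked against sample packets before you commit them. The following POSIX shell evaluator is an added example and not Ribbon ACL syntax: it encodes each table as first-match rules with a trailing deny and evaluates constructed packets against both sets, so the effect of enabling media bypass on the media port range is visible side by side. The SBC public IP 203.0.113.10, the sample source addresses and the packets are constructed; the media port range follows the SBC SWe Edge row (UDP 16384-21384).

```shell
#!/bin/sh
# Added example: first-match evaluation of the public-access ACLs from the tables above.
# Constructed values: SBC public IP 203.0.113.10 (RFC 5737 documentation range) and the
# sample packets at the bottom. Media port ranges follow the SBC SWe Edge row (16384-21384).
SBC_IP=203.0.113.10

# One rule per line: description|protocol|action|src CIDR|src ports|dst CIDR|dst ports.
# Rules are evaluated top-down and the first match wins, so Deny All must be last.
ACL_IN="
Inbound SIP Request|tcp|allow|0.0.0.0/0|1024-65535|$SBC_IP/32|5061
Inbound Media Helper|udp|allow|52.112.0.0/14|49152-53247|$SBC_IP/32|16384-21384
Inbound Media Helper|udp|allow|52.120.0.0/14|49152-53247|$SBC_IP/32|16384-21384
Deny All|any|deny|0.0.0.0/0|0-65535|0.0.0.0/0|0-65535"

# Media bypass: RTP arrives straight from Teams clients whose addresses are unknown,
# so this rule has to accept any source. Everything else stays as above.
ACL_IN_BYPASS="
Inbound Media Bypass Helper|udp|allow|0.0.0.0/0|1024-65535|$SBC_IP/32|16384-21384${ACL_IN}"

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NETWORK/BITS -> 0 when IP lies inside the prefix
in_cidr() {
  bits=${2#*/}
  mask=$(( 4294967296 - (1 << (32 - bits)) ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# in_range PORT LO-HI -> 0 when PORT is within the range (a single port has no dash)
in_range() {
  lo=${2%-*}; hi=${2#*-}
  [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# acl_decide RULES PROTO SRC_IP SRC_PORT DST_IP DST_PORT -> prints allow or deny
acl_decide() {
  rules=$1; proto=$2; sip=$3; sport=$4; dip=$5; dport=$6
  printf '%s\n' "$rules" | while IFS='|' read -r desc rproto action rsrc rsport rdst rdport; do
    [ -n "$desc" ] || continue
    [ "$rproto" = any ] || [ "$rproto" = "$proto" ] || continue
    in_cidr "$sip" "$rsrc" || continue
    in_range "$sport" "$rsport" || continue
    in_cidr "$dip" "$rdst" || continue
    in_range "$dport" "$rdport" || continue
    echo "$action"
    break
  done
}

# Constructed sample packets: proto src-ip src-port dst-port (destination is the SBC).
for pkt in \
  "tcp 198.51.100.7 40000 5061" \
  "udp 52.113.1.1 50000 16500" \
  "udp 198.51.100.7 50000 16500" \
  "udp 52.113.1.1 40000 16500" \
  "udp 52.113.1.1 50000 30000"
do
  set -- $pkt
  printf '%-3s %-14s:%-5s -> %-5s  no-bypass=%-5s  bypass=%s\n' "$1" "$2" "$3" "$4" \
    "$(acl_decide "$ACL_IN" "$1" "$2" "$3" "$SBC_IP" "$4")" \
    "$(acl_decide "$ACL_IN_BYPASS" "$1" "$2" "$3" "$SBC_IP" "$4")"
done
```

The output shows the trade-off in the tables: RTP from 198.51.100.7, or from a Microsoft address using a source port outside 49152-53247, is dropped by the non-bypass set but accepted once the media bypass rule is in front of it, while a destination port outside the media range is dropped by both. The same allow list is what belongs in the Azure network security group attached to the media interface when the SBC SWe Edge sits directly on a public IP.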
Step 3: Configure Azure for Microsoft Teams Direct Routing

Assign a Static Public IP Address on the Media Interface

Assign a static public IP address to the media interface in Azure for Microsoft Teams Direct Routing. This interface is the one Microsoft connects to, so the network security group attached to it (or to its subnet) becomes the firewall that must implement the rules from Step 2; a Standard SKU public IP blocks all inbound traffic until that network security group allows it.

  1. Connect to the Azure portal. Refer to portal.azure.com.
  2. From the left navigation pane, click Virtual Machines.
  3. Click the desired VM to be used for Microsoft Teams Direct Routing.

  4. Under Settings, click Networking to open the media interface.

  5. Click on the network interface.

  6. Under Settings, click IP Configuration.

  7. Click ipconfig1.
  8. Enable a Public IP address and create a new Static Public IP address on the media interface through a series of windows:
    1. From the Public IP address settings option, select Enabled.

    2. Click IP address.
    3. From the Choose public IP address window, click Create new.

    4. From the Create public IP address window and the Assignment options, select Static.


Step 4: Configure SBC SWe Edge for Microsoft Teams Direct Routing

Run the Easy Configuration Wizard to configure Microsoft Teams Direct Routing:

  1. Access the WebUI. Refer to Logging into the SBC Edge.
  2. Click on the Tasks tab.
  3. From the left side menu, click SBC Easy Setup > Easy Config Wizard.
  4. From the Application drop down box, select the relevant Easy Configuration wizard. Depending on your network, follow a relevant Easy Configuration wizard. Refer to the table below for guidance.
    Easy Configuration - Microsoft Teams Direct Routing Configuration

    Deployment Type                                 Refer to Configuration:
    SBC connects to Microsoft Teams via SIP trunk   SIP trunks ↔ Microsoft Phone System Direct Routing
    SBC connects to Microsoft Teams via IP PBX      IP PBX ↔ Microsoft Phone System Direct Routing
  5. The Configuration Wizard is complete

Step 5: Complete SBC SWe Edge Configuration for Microsoft Teams Direct Routing in Azure

Configure IP Routing

IP Routing must be customized in the SBC SWe Edge for Microsoft Teams Direct Routing in Azure. Two options are available for configuration:

  • Set the Default Route on the Media Interface.
  • Add a Static Route for Microsoft Teams Direct Routing traffic to the Media Interface.

Option 1: Set the Default Route on a Media Interface

When the SBC SWe Edge uses multiple NICs, Azure designates the first network interface as the primary network interface. Only the primary network interface receives a default gateway and routes via DHCP. To place the network default route on another subnet, designate that subnet's network interface as the primary network interface.

To assign the network default route, refer to Change Azure Default Route.

Option 2: Add a Static Route for Microsoft Teams traffic to a Media Interface

Add a static route for traffic to the following destination and mask: 52.112.0.0/14 (52.112.0.0/255.252.0.0). The firewall tables in Step 2 also list 52.120.0.0/14 as a Teams media source; if the media interface is not the default route, add a second static route for 52.120.0.0 with the same mask, otherwise return traffic to that range leaves through the primary interface.

For details on creating Static Routes, refer to Creating Entries in a Static IP Route Table.

  1. Access the WebUI and click the Settings tab. Refer to Logging into the SBC Edge.
  2. In the left navigation pane, go to Protocols > IP > Static Routes.
  3. Click Create Static IP Route at the top of the Static IP Route Table page.
  4. Add the following Static Route using your media interface (the gateway shown is an example; use the default gateway of your media subnet):

    1. Destination IP: 52.112.0.0

    2. Mask: 255.252.0.0

    3. Gateway: 10.1.9.1

  5. Click OK.

Confirm the IP Configuration

For details on IP Interfaces, refer to Managing Logical Interfaces

Ensure that all network interfaces are configured as follows:

  1. Access the WebUI and click the Settings tab. Refer to Logging into the SBC Edge.
  2. In the left navigation pane, go to Networking Interfaces > Logical Interfaces.
  3. Verify the following is configured:
    1. IP Assign Method: DHCP.
    2. DHCP Options to Use: IP Address and Default Route.

  4. Update if required.

Step 6: Confirm SBC SWe Edge Links to Microsoft Teams


  1. Access the WebUI. Refer to Logging into the SBC Edge.
  2. Click Monitor.
  3. Under each newly created Signaling Group (created for each Tenant), confirm the channels are green. For details on channel status, refer to Monitoring Real Time Status.

For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.


Step 7: Place a Test Call


Place a test call as follows:

  1. Access the WebUI. Refer to Logging into the SBC Edge.
  2. In the WebUI, click the Diagnostics tab.
  3. In the left navigation pane, click Test a Call.
  4. Configure the parameters as shown below.
  5. Click OK. 
    Place a Test Call - Parameters

    Parameter                   Value
    Destination Number          Number assigned to a Teams user.
    Origination/Calling Number  Number assigned to a local user.
    Call Routing Table          The routing table that handles the call from the local resource.


    Test a Call - Configuration


The test call is now complete. For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.