Note

The procedures in this document apply only to the Application Solution Module (ASM)/Survivable Branch Appliance (SBA) and not the virtual SBA (vSBA).


Overview

An SBA is an application on the ASM that can be used for survivability of Microsoft Teams VoIP calls from the network over to the PSTN, increasing the resiliency of branch office communications during network failures. This document describes how to upgrade a Direct Routing SBA on the ASM, with procedures defined in the workflow below

For more information on the SBA and the ASM, refer to: Working with the ASM: SBA and 3rd Party Applications.

Note

Ribbon recommends upgrading the ASM to Windows Server 2019, which has a few benefits: it is still supported by Microsoft and will get vulnerability fixes. Microsoft ended general support for Windows Server 2012R2 and it may not provide fixes to vulnerabilities.



Prerequisites

Before you begin, make sure you have completed the following:


Direct Routing SBA (capable of SBC 1000 or SBC 2000)


Hardware and License

  • Activate licenses for the following features:
    • SIP sessions
    • Direct Routing SBA

For more information on activating licenses, refer to: Node-Locked Licensing.

  • Confirm that you are working in a Ribbon SBC Edge 9.0.9 or higher device.

    Note

    The SBC and SBC Communication service must be on Ribbon SBC Edge release 9.0.9 or higher.

  • Confirm that your ASM features a licensed copy of Windows Server 2019 or 2012R2 License.
    Note

    Ribbon recommends upgrading the ASM to Windows Server 2019, which has a few benefits: it is still supported by Microsoft and will get vulnerability fixes. Microsoft ended general support for Windows Server 2012R2 and it may not provide fixes to vulnerabilities.

  • Confirm that your ASM is loaded with the Office 365 Direct Routing SBA image.

    Example of the Windows License and Office 365 Direct Routing SBA Image Type


    Caution

    Do not apply an ASM_Teams_update.pkg until the SBA is fully deployed, as this results in an undesired outcome such as breaking the system.

Workflow


Exporting a PKCS12 Certificate and Key from the ASM 

Start

  1. Log in to your SBC Edge (SBC 1000 or SBC 2000).
  2. In the SBC Edge WebUI, select the Tasks tab.
  3. From the left navigation pane, select Office 365TM Direct Routing SBA > Setup. The setup pane opens on the right.
  4. Select the Manage Certificate tab. The Certificate pane opens.
  5. From the Action dropdown menu, select Export PKCS12 Certificate and Key.
  6. Enter a password for the PKCS12 Certificate and Key.
  7. Click OK.
  8. Save the certificate file in a secure place on your PC.


Downloading the ASM Microsoft Teams SBA Package 

Download the required ASM Microsoft Teams SBA package from the Ribbon Support Portal. The file name of the package is in the format of ASM_Teams_xxxx-xx-xx.pkg (e.g. ASM_Teams_2022-06-14.pkg). For information on downloading the ASM Microsoft Teams SBA package, refer to: Ribbon Support Portal - Download Center.


Installing the ASM Microsoft Teams SBA Package 

For information on installing the ASM Microsoft Teams SBA package, refer to: Installing an ASM Package.


Setting up the Office 365 Direct Routing SBA 

Setting up the Office 365 Direct Routing SBA consists of 4 procedures:


Configure an ASM for Office 365 Direct Routing SBA

Start

  1. Log in to your SBC Edge (SBC 1000 or SBC 2000).
  2. In the SBC Edge WebUI, select the Tasks tab.
  3. From the left navigation pane, select Office 365TM Direct Routing SBA > Setup. The setup pane opens on the right.
  4. Select the ASM Config tab. The ASM Configuration pane opens.
  5. In the ASM Configuration pane, complete the following fields based on your requirements:

    a. In the Network General Configuration section:
    Remote Desktop Enabled 

    Note

    Ribbon recommends you to disable Remote Desktop for security reasons.


    Windows Firewall Enabled

    Note

    Ribbon recommends you to enable Windows Firewall for security reasons.


    Proxy Enabled

    You must set this option to disabled, because the Teams Direct Routing SBA does not support a Proxy Server.


    b. In the Network Adapter 1 Configuration section:
    IP Addressing Mode 
    • DHCPv4 Enabled

    c. In the IPv4 Information section:
    • IPv4 Address 
    • IPv4 Subnet Mask
    • Default Gateway

    d. In the DNS Addresses section:
    • Preferred DNS 
    • Alternate DNS

    e. In the Network Adapter 2 Configuration section:
    • IP Addressing Mode 
    • DHCPv4 Enabled


    For more information on the field descriptions, refer to: Configuring the ASM IP Settings.

  6. Click Apply.


Import a Root and an Intermediate CA Certificate on the SBC  

Prerequisites

Before you begin, make sure you have completed the following:

Start

  1. In the SBC Edge WebUI, select the Tasks tab.
  2. From the left navigation pane, select Office 365TM Direct Routing SBA > Setup. The setup pane opens on the right.
  3. Select the Manage Certificate tab. The Certificate pane opens.
  4. From the Action dropdown menu, perform the following:
    a. (optional) If this is an initial deployment:
        i. Select Import X.509 Signed Certificate.

       ii. 
    In the Paste Base64 Certificate field, paste the CSR certificate you generated.
       
    b. (optional) If you exported a PKCS12 Certificate and Key from the ASM from a previous deployment:
        i. Select Import PKCS12 Certificate and Key.
       ii. Enter a password for the PKCS12 Certificate and Key.
      iii. Select the PKCS12 Certificate and Key file.
       
  5. Click OK.
  6. Repeat steps 1 to 5 for the Intermediate CA Certificate.


Import an Office 365 Direct Routing SBA Certificate

Note

Perform the following steps only if your Direct Routing SBA does not share the SBC Public Certificate

Note

Make sure you have completed Import a Root and an Intermediate CA Certificate on the SBC before importing an Office 365 Direct Routing SBA Certificate.

Start

  1. In the SBC Edge WebUI, select the Tasks tab.
  2. From the left navigation pane, select Office 365TM Direct Routing SBA > Setup. The setup pane opens on the right.
  3. Select the Manage Certificate tab. The Certificate pane opens.
  4. From the Action dropdown menu, select Import PKCS12 Certificate and Key.

  5. Enter a password for the PKCS12 Certificate and Key.
  6. Select the PKCS12 Certificate and Key file you exported in Exporting a PKCS12 Certificate and Key from the ASM.
  7. Click OK.


Configuring Office 365 Direct Routing SBA 

Start

  1. Log in to your SBC 1000/2000.
  2. In the SBC Edge WebUI, select the Tasks tab.
  3. From the left navigation pane, select Office 365TM Direct Routing SBA > Setup. The setup pane opens on the right.
  4. Select the Configure Office 365 Direct Routing SBA tab.
  5. In the Microsoft Office 365 Direct Routing SBA Configuration pane, complete the following fields:
    • SBA FQDN

    Note

    The SBA FQDN must match the FQDN used to define this Direct Routing SBA in the Teams tenant item Teams Survivable Branch Appliance, e.g. New-CsTeamsSurvivableBranchAppliance.


    • SBC Public FQDN

    Note

    The SBC Public FQDN must match the FQDN used to define the SBC that hosts this Direct Routing SBA in the Teams tenant item Online PSTN Gateway, e.g. New-CsOnlinePSTNGateway.

    • Create Azure AD Application 

    Note

    Create Azure AD Application enables the option to create a new Azure AD Application credentials for this Direct Routing SBA. 

       a. (Optional) Select No if you already created an Azure AD Application credentials. If you select No, complete the following fields:
           - Application ID
           - Application Secret
       b. (Optional) Select Yes if you need to create Azure AD Application credentials. If you select Yes, complete the following fields:
           - Azure Administrator Account Name: You need a Global Administrator, an Application Administrator, or a Cloud Application Administrator role to complete this field.
           
    - Azure Administrator Account Password
          
    For more information on Azure AD user roles, refer to: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal.

    Tenant ID: Enter the Teams Tenant ID. For more information on finding the Teams Tenant ID, refer to:  https://learn.microsoft.com/en-us/sharepoint/find-your-office-365-tenant-id.

  6. Click Apply.


Troubleshooting

The Microsoft Teams Tenant data may not synchronize after you configured Teams SBA. This is due to the SIP Signaling Group (SG) that connects the SBC with the SBA being down. If this occurs, use the following workaround.

Start

  1. Go back to Configuring Office 365 Direct Routing SBA, and modify the following fields:
    • Create Azure AD Application: Select Yes.
    • Azure Administrator Account Name
    • Azure Administrator Account Password
  2. Click Apply.
  3. Wait for the operation to complete and check the status of the SBA SG. For more information on checking the status of the SBA SG, refer to: Managing the Skype SBA.
  4. If the SG continues to be down, restart the Teams Server Service.


Restarting the Teams Server Service 

Start

  1. Log in to your SBC 1000/2000.
  2. In the SBC Edge WebUI, select the Tasks tab.
  3. From the left navigation pane, select Office 365TM Direct Routing SBA > Start/Stop Services. The Start/Stop Survivable Branch Appliance Services pane opens on the right.
  4. In the Start/Stop Service section, complete the following fields:
    • Service Action: From the dropdown menu, select Stop Service.
    • Service Name: From the dropdown menu, select Teams Server, Service.
  5. Click OK.

  6. Wait for the SBA services to stop.
  7. In the Start/Stop Service section, complete the following fields:
    • Service Action: From the dropdown menu, select Start Service.
    • Service Name: From the dropdown menu, select Teams Server, Service.
  8. Click OK.

  9. Wait for the SBA services to start.