The procedures in this document apply only to the Application Solution Module (ASM)/Survivable Branch Appliance (SBA) and not the virtual SBA (vSBA).
Overview
An SBA is an application on the ASM that can be used for survivability of Microsoft Teams VoIP calls from the network over to the PSTN, increasing the resiliency of branch office communications during network failures. This document describes how to upgrade a Direct Routing SBA on the ASM, with procedures defined in the workflow below.
For more information on the SBA and the ASM, refer to: Working with the ASM: SBA and 3rd Party Applications.
Ribbon recommends upgrading the ASM to Windows Server 2019, which has a few benefits: it is still supported by Microsoft and will get vulnerability fixes. Microsoft ended general support for Windows Server 2012R2 and it may not provide fixes to vulnerabilities.
Prerequisites
Before you begin, make sure you have completed the following:
Direct Routing SBA (capable of SBC 1000 or SBC 2000)
- Configure the Microsoft Teams Tenant for Direct Routing. For more information, refer to: https://learn.microsoft.com/en-us/microsoftteams/direct-routing-configure.
- Configure the Microsoft Teams Tenant for Direct Routing SBA. For more information, refer to: https://learn.microsoft.com/en-us/microsoftteams/direct-routing-plan.
- Obtain an Internet link to connect the Direct Routing SBA and the Microsoft Teams Tenant.
Hardware and License
- Activate licenses for the following features:
- SIP sessions
- Direct Routing SBA
For more information on activating licenses, refer to: Node-Locked Licensing.
Confirm that you are working in a Ribbon SBC Edge 9.0.9 or higher device.
NoteThe SBC and SBC Communication service must be on Ribbon SBC Edge release 9.0.9 or higher.
- Confirm that your ASM features a licensed copy of Windows Server 2019 or 2012R2 License.Note
Ribbon recommends upgrading the ASM to Windows Server 2019, which has a few benefits: it is still supported by Microsoft and will get vulnerability fixes. Microsoft ended general support for Windows Server 2012R2 and it may not provide fixes to vulnerabilities.
Confirm that your ASM is loaded with the Office 365 Direct Routing SBA image.
Example of the Windows License and Office 365 Direct Routing SBA Image TypeCautionDo not apply an ASM_Teams_update.pkg until the SBA is fully deployed, as this results in an undesired outcome such as breaking the system.
Workflow
Exporting a PKCS12 Certificate and Key from the ASM
Start
- Log in to your SBC Edge (SBC 1000 or SBC 2000).
- In the SBC Edge WebUI, select the Tasks tab.
- From the left navigation pane, select Office 365TM Direct Routing SBA > Setup. The setup pane opens on the right.
- Select the Manage Certificate tab. The Certificate pane opens.
- From the Action dropdown menu, select Export PKCS12 Certificate and Key.
- Enter a password for the PKCS12 Certificate and Key.
- Click OK.
- Save the certificate file in a secure place on your PC.
Downloading the ASM Microsoft Teams SBA Package
Download the required ASM Microsoft Teams SBA package from the Ribbon Support Portal. The file name of the package is in the format of ASM_Teams_xxxx-xx-xx.pkg (e.g. ASM_Teams_2022-06-14.pkg). For information on downloading the ASM Microsoft Teams SBA package, refer to: Ribbon Support Portal - Download Center.
Installing the ASM Microsoft Teams SBA Package
For information on installing the ASM Microsoft Teams SBA package, refer to: Installing an ASM Package.
Setting up the Office 365 Direct Routing SBA
Setting up the Office 365 Direct Routing SBA consists of 4 procedures:
- Configure an ASM for Office 365 Direct Routing SBA
- Import a Root and an Intermediate CA Certificate on the SBC
- Import an Office 365 Direct Routing SBA Certificate
- Configuring Office 365 Direct Routing SBA
Configure an ASM for Office 365 Direct Routing SBA
Start
- Log in to your SBC Edge (SBC 1000 or SBC 2000).
- In the SBC Edge WebUI, select the Tasks tab.
- From the left navigation pane, select Office 365TM Direct Routing SBA > Setup. The setup pane opens on the right.
- Select the ASM Config tab. The ASM Configuration pane opens.
In the ASM Configuration pane, complete the following fields based on your requirements:
a. In the Network General Configuration section:
• Remote Desktop EnabledNoteRibbon recommends you to disable Remote Desktop for security reasons.
• Windows Firewall EnabledNoteRibbon recommends you to enable Windows Firewall for security reasons.
• Proxy EnabledYou must set this option to disabled, because the Teams Direct Routing SBA does not support a Proxy Server.
b. In the Network Adapter 1 Configuration section:
• IP Addressing Mode
• DHCPv4 Enabled
c. In the IPv4 Information section:
• IPv4 Address
• IPv4 Subnet Mask
• Default Gateway
d. In the DNS Addresses section:
• Preferred DNS
• Alternate DNS
e. In the Network Adapter 2 Configuration section:
• IP Addressing Mode
• DHCPv4 Enabled
For more information on the field descriptions, refer to: Configuring the ASM IP Settings.- Click Apply.
Import a Root and an Intermediate CA Certificate on the SBC
Prerequisites
Before you begin, make sure you have completed the following:
- (optional) Generate a Certificate Request (CSR) if this is the initial deployment. For more information on generating a CSR, refer to: Generate and Import an SBA Certificate.
- (optional) Export a PKCS12 Certificate and Key from the ASM from a previous deployment.
Start
- In the SBC Edge WebUI, select the Tasks tab.
- From the left navigation pane, select Office 365TM Direct Routing SBA > Setup. The setup pane opens on the right.
- Select the Manage Certificate tab. The Certificate pane opens.
- From the Action dropdown menu, perform the following:
a. (optional) If this is an initial deployment:
i. Select Import X.509 Signed Certificate.
ii. In the Paste Base64 Certificate field, paste the CSR certificate you generated.
b. (optional) If you exported a PKCS12 Certificate and Key from the ASM from a previous deployment:
i. Select Import PKCS12 Certificate and Key.
ii. Enter a password for the PKCS12 Certificate and Key.
iii. Select the PKCS12 Certificate and Key file.
- Click OK.
- Repeat steps 1 to 5 for the Intermediate CA Certificate.
Import an Office 365 Direct Routing SBA Certificate
Perform the following steps only if your Direct Routing SBA does not share the SBC Public Certificate.
Make sure you have completed Import a Root and an Intermediate CA Certificate on the SBC before importing an Office 365 Direct Routing SBA Certificate.
Start
- In the SBC Edge WebUI, select the Tasks tab.
- From the left navigation pane, select Office 365TM Direct Routing SBA > Setup. The setup pane opens on the right.
- Select the Manage Certificate tab. The Certificate pane opens.
From the Action dropdown menu, select Import PKCS12 Certificate and Key.
- Enter a password for the PKCS12 Certificate and Key.
- Select the PKCS12 Certificate and Key file you exported in Exporting a PKCS12 Certificate and Key from the ASM.
- Click OK.
Configuring Office 365 Direct Routing SBA
Start
- Log in to your SBC 1000/2000.
- In the SBC Edge WebUI, select the Tasks tab.
- From the left navigation pane, select Office 365TM Direct Routing SBA > Setup. The setup pane opens on the right.
- Select the Configure Office 365 Direct Routing SBA tab.
In the Microsoft Office 365 Direct Routing SBA Configuration pane, complete the following fields:
• SBA FQDNNoteThe SBA FQDN must match the FQDN used to define this Direct Routing SBA in the Teams tenant item Teams Survivable Branch Appliance, e.g. New-CsTeamsSurvivableBranchAppliance.
• SBC Public FQDNNoteThe SBC Public FQDN must match the FQDN used to define the SBC that hosts this Direct Routing SBA in the Teams tenant item Online PSTN Gateway, e.g. New-CsOnlinePSTNGateway.
• Create Azure AD Application
NoteCreate Azure AD Application enables the option to create a new Azure AD Application credentials for this Direct Routing SBA.
a. (Optional) Select No if you already created an Azure AD Application credentials. If you select No, complete the following fields:
- Application ID
- Application Secret
b. (Optional) Select Yes if you need to create Azure AD Application credentials. If you select Yes, complete the following fields:
- Azure Administrator Account Name: You need a Global Administrator, an Application Administrator, or a Cloud Application Administrator role to complete this field.
- Azure Administrator Account Password
For more information on Azure AD user roles, refer to: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal.• Tenant ID: Enter the Teams Tenant ID. For more information on finding the Teams Tenant ID, refer to: https://learn.microsoft.com/en-us/sharepoint/find-your-office-365-tenant-id.
- Click Apply.
Troubleshooting
The Microsoft Teams Tenant data may not synchronize after you configured Teams SBA. This is due to the SIP Signaling Group (SG) that connects the SBC with the SBA being down. If this occurs, use the following workaround.
Start
- Go back to Configuring Office 365 Direct Routing SBA, and modify the following fields:
• Create Azure AD Application: Select Yes.
• Azure Administrator Account Name
• Azure Administrator Account Password - Click Apply.
- Wait for the operation to complete and check the status of the SBA SG. For more information on checking the status of the SBA SG, refer to: Managing the Skype SBA.
- If the SG continues to be down, restart the Teams Server Service.
Restarting the Teams Server Service
Start
- Log in to your SBC 1000/2000.
- In the SBC Edge WebUI, select the Tasks tab.
- From the left navigation pane, select Office 365TM Direct Routing SBA > Start/Stop Services. The Start/Stop Survivable Branch Appliance Services pane opens on the right.
- In the Start/Stop Service section, complete the following fields:
• Service Action: From the dropdown menu, select Stop Service.
• Service Name: From the dropdown menu, select Teams Server, Service. - Click OK.
- Wait for the SBA services to stop.
- In the Start/Stop Service section, complete the following fields:
• Service Action: From the dropdown menu, select Start Service.
• Service Name: From the dropdown menu, select Teams Server, Service. - Click OK.
- Wait for the SBA services to start.