Overview 

This document details the configuration required for an SBC SWe Edge to offer Microsoft Teams Phone System-related Direct Routing services in Amazon Web Services (AWS). The SBC SWe Edge can be used to connect an enterprise's Teams clients to:

  • Third-party party PBX and subtended clients
  • SIP trunk from a third-party provider (PSTN)


SBC SWe Edge in Amazon Web Services (AWS) offering Direct Routing Services to Teams Clients

From the AWS public cloud, the SBC SWe Edge offers the same features offered in an on-premises deployment (based on Microsoft®, Hyper-V®, VMware® vSphere® ESXi, or Linux® KVM) in support of Direct Routing, such as:

  • Security: Call encryption/decryption, denial-of-service (DoS)/distributed DoS attack neutralization, and protection from toll fraud.
  • Interoperability: Call mediation services to connect Teams certified clients to non-Teams clients, including popular 3rd  party SIP trunking and SIP PBX platforms such as the Avaya® Aura® Communication Manager and the Cisco® Unified Communications Manager.
  • Survivability: Uninterrupted calling services for SIP clients (including Polycom® and Yealink® phones) through built-in SIP registrar and re-routing around failed routes/proxy servers/destination endpoints.

The SBC SWe Edge is certified for Teams Direct Routing media bypass and non-media bypass services. Please refer to Microsoft Teams Phone System Direct Routing certification page.

Step 1: Deploy SBC SWe Edge via AWS

These instructions assume the SBC SWe Edge product is deployed via AWS and running. If the product is not installed, refer to Deploying an SBC SWe Edge via Amazon Web Services - AWS.

Step 2: Review Prerequisites for Microsoft Teams Direct Routing

 


Microsoft Teams Direct Routing Configuration

Consult the Microsoft documentation for detailed information on Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.

SBC Edge Software

Ensure you are running the latest version of SBC software:

Obtain IP Address and FQDN

Requirements for configuring the SBC Edge in support of Teams Direct Routing include:

SBC Edge Requirements

RequirementHow it is Used

Public IP address of NAT device (must be Static)*

Private IP address of the SBC

Required for SBC Behind the NAT deployment.

Public IP address of SBCRequired for SBC with Public IP deployment.
Public FQDN The Public FQDN must point to the Public IP Address.

*NAT translates a public IP address to a Private IP address.

Domain Name

For the SBC Edge to pair with Microsoft Teams, the SBC FQDN domain name must match a name registered in both the Domains and DomainUrlMap fields of the Tenant. Verify the correct domain name is configured for the Tenant as follows:

  1. On the Microsoft Teams Tenant side, execute Get-CsTenant.
  2. Review the output.
  3. Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes for the Tenant. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.

Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.

Domain Name Examples

Domain Name*Use for SBC FQDN?FQDN Names - Examples
SonusMS01.com(tick)

Valid names:

hybridvoice.org

(tick)

Valid names:

Non-Valid name:

sbc1.europe.hybridvoice.org (requires registering domain name europe. hybridvoice.org in “Domains” first)

*Do not use the *.onmicrosoft.com tenant for the domain name.

Configure Domain Names - Example


Obtain Certificate

Public Certificate

The Certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.

Configure and Generate Certificates on the SBC

Warning: Common Encryption Certificate Issues Arise from Missing Root Certificates
  • Did you only install the CA-signed SBC certificate, along with the intermediate certificate(s) sent by your issuing CA?
  • Did you get the following error message from the SBC?




If so, the likely reason is a missing CA Root Certificate. The SBC does not have any pre-installed CA root X.509 certificates, unlike typical browsers found on your PC. Ensure the entire certificate chain of trust is installed on the SBC, including the root certificate. Acquire the CA root certificate as follows:

  1. Contact your system administrator or certificate vendor to acquire the root, and any further missing intermediate certificate(s) to provision the entire certificate chain of trust within the SBC;
  2. Load the root certificate, along with the intermediate and SBC certificates, according to Importing Trusted Root CA Certificates.

NOTE: Root certificates are easily acquired from the certificate authorities. For example, the root certificate for the GoDaddy Class 2 Certification Authority may be found at https://ssl-ccp.godaddy.com/repository?origin=CALLISTO . For more information about root certificates, intermediate certificates, and the SBC server (“leaf”) certificates, refer to this tutorial.

For other certificate-related errors, refer to Common Troubleshooting Issues with Certificates in SBC Edge Portfolio.

Microsoft Teams Direct Routing allows only TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities.

Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows:

  • Generate a Certificate Signing Request (CSR) and obtain the certificate from a supported Certification Authority.
  • Import the Public CA Root/Intermediate Certificate on the SBC.
  • Import the Microsoft CA Certificate on the SBC.
  • Import the SBC Certificate.

The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority.

Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)

Many CA's do not support a private key with a length of 1024 bits. Validate with your CA requirements and select the appropriate length of the key.

  1. Access the WebUI.
  2. Access Settings > Security > SBC Certificates.
  3. Click Generate SBC Edge CSR.

  4. Enter data in the required fields.

  5. Click OK. After the Certificate Signing request finishes generating, copy the result to the clipboard.

  6. Use the generated CSR text from the clipboard to obtain the certificate. 

Step 2: Deploy the SBC and Root/Intermediate Certificates on the SBC

After receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows:

  1. Obtain Trusted Root and Intermediary signing certificates from your certification authority.
  2. Access the WebUI.
  3. To install Trusted Root Certificates, click Settings > Security > SBC Certificates > Trusted Root Certificates.
  4. Click Import and select the trusted root certificates.
  5. To install the SBC certificate, open Settings > Security > SBC Certificates > SBC Primary Certificate.
  6. Validate the certificate is installed correctly.

  7. Click Import  and select X.509 Signed Certificate.
  8. Validate the certificate is installed correctly.

Firewall Rules

Ribbon recommends the deployment of the SBC Edge product behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Portfolio Security Hardening Checklist for more information about the SBC and firewalls.

This section lists the ports, protocols and services for firewalls that are in the path of the SBC connecting to Teams Direct Routing.

Basic Firewall Rules for All Call Flows

Inbound Public (Internet to SBC)
  • SIP TLS: TCP 5061*

  • Media for SBC 1000: UDP 16384-17584**
  • Media for SBC 2000: UDP 16384-19384*
  • Media for SBC SWe Edge: UDP 16384-21384
Outbound Public (SBC to Internet)
  • DNS: TCP 53

  • DNS: UDP 53

  • NTP: UDP 123

  • SIP TLS: TCP 5061

  • Media: UDP 49152-53247

Public Access Information

The tables below represent ACL (Access Control List) examples that protect the SBC Edge. When using Easy Configuration Teams related wizards in an Enterprise deployment, these attributes are automatically provisioned. If you are manually configuring the SBC Edge as part of a Microsoft Teams Direct Routing migration scenario (for example Skype for Business or CCE), you must manually configure these ports. For details on ACLs, refer to Creating and Modifying Rules for IPv6 Access Control Lists.

Public Access In - Requirements

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Outbound DNS Reply

TCP

Allow

0.0.0.0/0

53

SBC/32

0-65535

Outbound DNS Reply

UDP

Allow

0.0.0.0/0

53

SBC/32

0-65535

Outbound NTP Reply

UDP

Allow

0.0.0.0/0

123

SBC/32

123

Outbound SIP Reply

TCP

Allow

0.0.0.0/0

5061

SBC/32

1024-65535

Inbound SIP Request

TCP

Allow

0.0.0.0/0

1024-65535

SBC/32

5061*

Inbound Media Helper

UDP

Allow

52.112.0.0/14

52.120.0.0/14

49152-53247

SBC/32

16384-17584**

Deny All

Any

Deny

0.0.0.0/0


0.0.0.0/0


Public Access Out - Requirements

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Outbound DNS Request

TCP

Allow

SBC/32

0-65535

0.0.0.0/0

53

Outbound DNS Request

UDP

Allow

SBC/32

0-65535

0.0.0.0/0

53

Outbound NTP Request

UDP

Allow

SBC/32

0-65535

0.0.0.0/0

123

Outbound SIP Request

TCP

Allow

SBC/32

0-65535

0.0.0.0/0

5061

Inbound SIP Reply

TCP

Allow

SBC/32

5061*

0.0.0.0/0

1024-65535

Outbound Media Helper

UDP

Allow

SBC/32

16384-17584**

52.112.0.0/14

52.120.0.0/14

49152-53247

Deny All

Any

Deny

0.0.0.0/0


0.0.0.0/0


* Define in Tenant configuration

** SBC SWe Edge does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC.

Firewall Rules for the SBC with Media Bypass

Apply the following firewall rules below:

The Teams Client IP address cannot be predicted. As a result, allow Any IP (0.0.0.0/0).

Inbound Public (Internet to SBC) 

Media for SBC 1000: UDP 17586-21186**

Media for SBC 2000: UDP 19386-28386**

Outbound Public (SBC to Internet)

Media: UDP 50000-50019

If the device that handles the NAT between the Teams Client and SBC Public IP is performing PAT (Port Address Translation), verify that this device has the source port range of the Teams Client media or open all the ports from 1024 to 65535.

For SBC behind NAT, the firewall should allow access between the firewall IP and the NAT device's IP.

For SBC not using NAT, there must be access between the firewall and the SBC's Public IP.

Public Access

The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).

Public Access In - Requirements (Media Bypass Scenario)

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Inbound Media Bypass Helper

UDP

Allow

0.0.0.0/0

1024-65535

SBC/32

16384-21186**

Public Access Out - Requirements (Media Bypass Scenario)

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Outbound Media Bypass Helper

UDP

Allow

SBC/32

16384-21186**

0.0.0.0/0

1024-65535

* Define in Tenant configuration

** SBC SWe Edge does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC.





Step 3: Configure SBC SWe Edge for Microsoft Teams Direct Routing

Run the Easy Configuration Wizard to configure Microsoft Teams Direct Routing:

  1. Access the WebUI. Refer to Logging into the SBC Edge Portfolio.
  2. Click on the Tasks tab.
  3. From the left side menu, click SBC Easy Setup > Easy Config Wizard.
  4. From the Application drop down box, select the relevant Easy Configuration wizard.  Refer to the table below for guidance and the supporting user documentation.
    Easy Configuration - Microsoft Teams Direct Routing Configuration

    Deployment TypeRefer to Configuration:

    SBC SWe Edge connects to Microsoft Teams via SIP Trunk

    SIP trunks ↔ Microsoft Teams

    SBC SWe Edge connects to Microsoft Teams via IP PBX

    IP PBX  Microsoft Teams

    SBC SWe Edge connects to Microsoft Teams via SIP Trunk (Single Leg)

    Single Leg SIP Trunk  Microsoft Teams

    SBC SWe Edge connects to Microsoft Teams via IP PBX (Single Leg)

    Single Leg IP PBX Microsoft Teams

    The Easy Configuration Wizard is complete.

Step 4: Confirm SBC SWe Edge links to Microsoft Teams

Following configuration, confirm the SBC SWe Edge links to Microsoft Teams as follows:

  1. Access the WebUI. Refer to Logging into the SBC SWe Edge.
  2. Click Monitor.
  3. Under each newly created Signaling Group (created for each Tenant), confirm the channels are green. For details on channel status, refer to Monitoring Real Time Status.

For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.

Step 5: Place a Test Call

Following configuration, place a test call as follows:

  1. Access the WebUI. Refer to Logging into the SBC Edge.

  2. In the WebUI, click the Diagnostics tab.

  3. In the left navigation pane, click Test a Call.

  4. Configure the parameters as shown below.

  5. Click OK
    Place a Test Call - Parameters

    ParameterValue
    Destination NumberNumber assigned to a Teams User.
    Origination/Calling NumberNumber assigned to a Local user.
    Call Routing TableThe routing table that handles the call from the Local resource.

    Test a Call - Configuration

    For information about troubleshooting the SBC SWe Edge's connection to Microsoft Teams, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.