Connect SBC Edge to Microsoft Teams Direct Routing

Overview

The SBC Edge is certified to offer Microsoft Teams Direct Routing services; the SBC Edge can be used to connect any Teams client to:

• A PSTN trunk, whether based on TDM (e.g. PRI, BRI, etc.), CAS, or SIP
• 3rd-party, non-Teams-certified SIP/TDM based PBXs, analog devices, and SIP clients

These instructions detail how to configure the SBC Edge (SBC 1000/2000 and SBC SWe Lite) to connect Microsoft Teams Direct Routing services deployed in an Enterprise network (On Premises).  For public cloud deployments, refer to Connect SBC SWe Lite to Microsoft Teams Direct Routing Deployed in Azure. The network diagram below displays the connection topology for Microsoft Teams Direct Routing deployed in an Enterprise network.

SBC Edge connects to Microsoft Teams Direct Routing Deployed in an Enterprise Network

Step 1: Install SBC Edge

These instructions assume the SBC Edge product (SBC SWe Lite, SBC 1000/2000) is installed and running. If the product is not installed, refer to the links below.

Step 2: Review Prerequisites for Microsoft Teams Direct Routing

Microsoft Teams Direct Routing Configuration

Consult the Microsoft documentation for detailed information on Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.

SBC Edge Software

Ensure you are running the latest version of SBC software:

• To locate the SBC Edge software current running, refer to: Viewing the Software Version and Hardware ID.

• To download and upgrade a new version of SBC Edge software, refer to: Installing and Commissioning the SBC Edge and SBC SWe Lite.
  

  Note

  To know more about licensing, contact your account team.

Obtain IP Address and FQDN

Requirements for configuring the SBC Edge in support of Teams Direct Routing include:

SBC Edge Requirements

Requirement	How it is Used
Public IP address of NAT device (must be Static)* Private IP address of the SBC	Required for SBC Behind the NAT deployment.
Public IP address of SBC	Required for SBC with Public IP deployment.
Public FQDN	The Public FQDN must point to the Public IP Address.

*NAT translates a public IP address to a Private IP address.

Domain Name

For the SBC Edge to pair with Microsoft Teams, the SBC FQDN domain name must match a name registered in both the Domains and DomainUrlMap fields of the Tenant. Verify the correct domain name is configured for the Tenant as follows:

1. On the Microsoft Teams Tenant side, execute Get-CsTenant.
2. Review the output.
3. Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes for the Tenant. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.

Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.

Domain Name Examples

Domain Name*	Use for SBC FQDN?	FQDN Names - Examples
SonusMS01.com		Valid names: aepsite6.SonusMS01.com
hybridvoice.org		Valid names: sbc1. hybridvoice.org ussbcs15. hybridvoice.org europe. hybridvoice.org Non-Valid name: sbc1.europe.hybridvoice.org (requires registering domain name europe. hybridvoice.org in “Domains” first)

*Do not use the *.onmicrosoft.com tenant for the domain name.

Configure Domain Names - Example

 

Obtain Certificate

Public Certificate

The Certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.

• Refer to Microsoft documentation for certificate information.

• Refer to CCADB Documentation for the comprehensive list of supported CAs.

• Refer to Domain Name for certificate formats.

Configure and Generate Certificates on the SBC

Microsoft Teams Direct Routing allows only TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities.

Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows:

• Generate a Certificate Signing Request (CSR) and obtain the certificate from a supported Certification Authority.
• Import the Public CA Root/Intermediate Certificate on the SBC.
• Import the Microsoft CA Certificate on the SBC.
• Import the SBC Certificate.

The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority.

Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)

Many CA's do not support a private key with a length of 1024 bits. Validate with your CA requirements and select the appropriate length of the key.

1. Access the WebUI.
2. Access Settings > Security > SBC Certificates.

3. Click Generate SBC Edge CSR.

4. Enter data in the required fields.

5. Click OK. After the Certificate Signing request finishes generating, copy the result to the clipboard.

   Generate Certificate Signing Request

   

6. Use the generated CSR text from the clipboard to obtain the certificate.

Step 2: Deploy the SBC and Root/Intermediate Certificates on the SBC

After receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows:

1. Obtain Trusted Root and Intermediary signing certificates from your certification authority.
2. Access the WebUI.
3. To install Trusted Root Certificates, click Settings > Security > SBC Certificates > Trusted Root Certificates.
4. Click Import and select the trusted root certificates.
5. To install the SBC certificate, open Settings > Security > SBC Certificates > SBC Primary Certificate.

6. Validate the certificate is installed correctly.

   Validate Certificate

   

7. Click Import  and select X.509 Signed Certificate.

8. Validate the certificate is installed correctly.

   Validate Certificate

   

9. To install the Baltimore CyberTrust Root Certificate, click Settings > Security > SBC Certificates > Trusted Root Certificates.

10. Click Import and select Baltimore CyberTrust Root Certificate.

11. Validate the certificate is installed correctly.

For certificate-related errors, refer to Common Troubleshooting Issues with Certificates in SBC Edge.

Firewall Rules

Ribbon recommends the deployment of the SBC Edge product behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Security Hardening Checklist for more information about the SBC and firewalls.

This section lists the ports, protocols and services for firewalls that are in the path of the SBC connecting to Teams Direct Routing.

Basic Firewall Rules for All Call Flows

Click here to expand for Basic Firewall Settings

Inbound Public (Internet to SBC)

SIP TLS: TCP 5061*

Media for SBC 1000: UDP 16384-17584**

Media for SBC 2000: UDP 16384-19384*

Media for SBC SWe Lite: UDP 16384-21384

Outbound Public (SBC to Internet)

DNS: TCP 53

DNS: UDP 53

NTP: UDP 123

SIP TLS: TCP 5061

Media: UDP 49152-53247

Public Access Information

The tables below represent ACL (Access Control List) examples that protect the SBC Edge. When using Easy Configuration Teams related wizards in an Enterprise deployment, these attributes are automatically provisioned. If you are manually configuring the SBC Edge as part of a Microsoft Teams Direct Routing migration scenario (for example Skype for Business or CCE), you must manually configure these ports. For details on ACLs, refer to Creating and Modifying Rules for IPv6 Access Control Lists.

Public Access In - Requirements

Description	Protocol	Action	Src IP Address	Src Port	Dest IP Address	Dest Port
Outbound SIP Reply	TCP	Allow	0.0.0.0/0	5061	SBC/32	1024-65535
Inbound SIP Request	TCP	Allow	0.0.0.0/0	1024-65535	SBC/32	5061*
Inbound Media Helper	UDP	Allow	52.112.0.0/14 52.120.0.0/14	49152-53247	SBC/32	16384-17584**
Deny All	Any	Deny	0.0.0.0/0		0.0.0.0/0

Public Access Out - Requirements

Description	Protocol	Action	Src IP Address	Src Port	Dest IP Address	Dest Port
Outbound DNS Request	TCP	Allow	SBC/32	0-65535	0.0.0.0/0	53
Outbound DNS Request	UDP	Allow	SBC/32	0-65535	0.0.0.0/0	53
Outbound NTP Request	UDP	Allow	SBC/32	0-65535	0.0.0.0/0	123
Outbound SIP Request	TCP	Allow	SBC/32	0-65535	0.0.0.0/0	5061
Inbound SIP Reply	TCP	Allow	SBC/32	5061*	0.0.0.0/0	1024-65535
Outbound Media Helper	UDP	Allow	SBC/32	16384-17584**	52.112.0.0/14 52.120.0.0/14	49152-53247
Deny All	Any	Deny	0.0.0.0/0		0.0.0.0/0

* Define in Tenant configuration

** SBC SWe Lite does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC.

Firewall Rules for the SBC with Media Bypass

Click here to expand for Firewall Settings for an SBC with Media Bypass

Apply the following firewall rules below:

The Teams Client IP address cannot be predicted. As a result, allow Any IP (0.0.0.0/0).

Inbound Public (Internet to SBC) 

Media for SBC 1000: UDP 17586-21186**

Media for SBC 2000: UDP 19386-28386**

Outbound Public (SBC to Internet)

Media: UDP 50000-50019

If the device that handles the NAT between the Teams Client and SBC Public IP is performing PAT (Port Address Translation), verify that this device has the source port range of the Teams Client media or open all the ports from 1024 to 65535.

For SBC behind NAT, the firewall should allow access between the firewall IP and the NAT device's IP.

For SBC not using NAT, there must be access between the firewall and the SBC's Public IP.

Public Access

The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).

Public Access In - Requirements (Media Bypass Scenario)

Description	Protocol	Action	Src IP Address	Src Port	Dest IP Address	Dest Port
Inbound Media Bypass Helper	UDP	Allow	0.0.0.0/0	1024-65535	SBC/32	16384-21186**

Public Access Out - Requirements (Media Bypass Scenario)

Description	Protocol	Action	Src IP Address	Src Port	Dest IP Address	Dest Port
Outbound Media Bypass Helper	UDP	Allow	SBC/32	16384-21186**	0.0.0.0/0	1024-65535

* Define in Tenant configuration

** SBC SWe Lite does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC.

Step 3: Configure Office 365 Tenant Voice Routing

A Tenant is used within the Microsoft environment as a single independent enterprise that has subscribed to Office 365 services; through this tenant, administrators can manage projects, users, and roles.  Access the Tenant configuration and configure as detailed below. (For details on accessing the Tenant, refer to Microsoft Teams Documentation).

1. Create Online PSTN Gateway that points to the SBC:

   1. Enter the SBC FQDN (Example below: aepsite6.SonusMS01.com). The FQDN must be configured for the Tenant in both the Domains and the DomainUrlMap fields.

   2. Enter the SBC SIP Port (Example below - SipPort5061).
      
      

   New-CsOnlinePSTNGateway -Fqdn aepsite6.SonusMS01.com -SipSignallingPort SipPort5061 -MaxConcurrentSessions <Max Concurrent Session which SBC capable handling> -Enabled $true

2. Configure Teams usage for the user:

   1. Enter the User Identity (Example below: -user1@domain.com)

Get-CsOnlineUser -Identity user1@domain.com Set-CsUser -Identity user1@domain.com -EnterpriseVoiceEnabled $true -HostedVoiceMail $true -OnPremLineURI tel:+10001001008 
Grant-CsOnlineVoiceRoutingPolicy -PolicyName "GeneralVRP" -Identity user1@domain.com 
Grant-CsTeamsCallingPolicy -PolicyName AllowCalling -Identity user1@domain.com 
Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity user1@domain.com

Step 4: Configure SBC Edge for Microsoft Teams Direct Routing

The SBC Edge is configured via Easy Configuration Wizard. 

1. Access the WebUI. Refer to Logging into the SBC Edge.
2. Click on the Tasks tab.
3. From the left side menu, click SBC Easy Setup > Easy Config Wizard.

4. From the Application drop down box, select the relevant Easy Configuration wizard. Depending on your network, follow a relevant Easy Configuration wizard. Refer to the table below for guidance.

   Easy Configuration - Microsoft Teams Direct Routing Configuration

   Deployment Type	Refer to Configuration:
   SBC Connects to Microsoft Teams via SIP Trunk	SIP trunks ↔ Microsoft Phone System Direct Routing
   SBC Connects to Microsoft Teams via PSTN Provider through ISDN.	ISDN PSTN ↔ Microsoft Phone System Direct Routing
   SBC connects to Microsoft Teams via IP PBX	IP PBX ↔ Microsoft Phone System Direct Routing

5. For an SBC behind the NAT deployment only: In Step 2 of the Easy Configuration wizard, ensure the following is configured:
   
   1. From the Outbound NAT Traversal drop down list, select Enable. Allows the SBC to be placed behind a NAT device, and uses the IP of the NAT device for all outgoing messages.
   2. In the Public IP Address, enter the Public IP of the NAT device. The SBC uses this IP as the source IP for all the outgoing messages.

6. The Configuration Wizard is complete.

   For the SBC 1000/SBC 2000 only:

   By default, when configuring the SBC with Easy Configuration, the default Ethernet Interface for Border Element (PSTN Endpoint) is configured as Auto. Ribbon recommends changing this configuration manually to the Ethernet port that points to the SIP Trunk side.

   For instructions on changing the Ethernet interface, refer to: Configuring and Modifying Logical Interfaces.

Step 5: Confirm SBC Edge Links to Microsoft Teams

1. Access the WebUI. Refer to Logging into the SBC Edge.
2. Click Monitor.
3. Under each newly created Signaling Group (created for each Tenant), confirm the channels are green. For details on channel status, refer to Monitoring Real Time Status.

For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.

Step 6: Place a Test Call

Place a test call as follows:

1. Access the WebUI. Refer to Logging into the SBC Edge.

2. In the WebUI, click the Diagnostics tab.

3. In the left navigation pane, click Test a Call.

4. Configure the parameters as shown below.

5. Click OK. 

   Place a Test Call - Parameters

   Parameter	Value
   Destination Number	Number assigned to a Teams user.
   Origination/Calling Number	Number assigned to a Local user.
   Call Routing Table	The routing table that handles the call from Microsoft Teams.

    

   Test a Call - Configuration

   

   Place a Test Call - Example

    

The test call is now complete. For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.