Tenant Description
A tenant is used within the Microsoft environment to describe a single independent enterprise that has subscribed to Office 365 services; through this tenant, administrators can manage projects, users, and roles.
Microsoft Teams Direct Routing Configuration
Consult the Microsoft documentation for the Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.
SBC Configuration
Support for an SBC behind a NAT is in SBC Edge 1000/2000 Release 8.0.2 and later only; support in SBC SWe Lite is planned for a later release.
Obtain IP Address, FQDN & Public Certificate
Requirements for configuring the SBC Edge in support of Teams Direct Routing include:
SBC Edge Requirements
| Requirement | Details |
|---|---|
| SBC Behind the NAT* | Public IP address of NAT device and Private IP address of the SBC. |
| SBC with Public IP | Public IP address of SBC is required. |
| Network Address Translation (NAT)* Configuration | Required for deployment of an SBC behind a NAT. |
| Public FQDN | The Public FQDN must point to the Public IP Address. |
| Public certificate associated with the Public FQDN | Certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.
|
| Static IP Address | Required for deployment of an SBC behind a NAT, the Public IP address on the NAT must be static. |
*NAT translates a public IP address to a Private IP address.
Obtain Domain Name
The SBC FQDN must be from one of the Domain names registered in “Domains” of the Tenant. The table below lists Domain Name examples.
Do not use the *.onmicrosoft.com tenant for the domain name.
Domain Name Examples
| Domain Name | Use for SBC FQDN? | FQDN Names - Examples |
|---|---|---|
| SonusMS01.com |  | Valid names:
|
hybridvoice.org | | Valid names:
Non-Valid name: sbc1.europe.hybridvoice.org (requires registering domain name europe. hybridvoice.org in “Domains” first) |
Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.
Configure Domain Names - Example
Prerequisite - Verify Domain Before Adding PSTN Gateway
Verify the correct domain name is configured for the Tenant. The correct domain name is required for the SBC to pair with Microsoft Teams.
- On the Microsoft Teams Tenant side, execute Get-CsTenant.
- Review the output.
- Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.
Firewall Settings
The following section details the requirements for ports, protocols and services for firewalls in the path of Direct Routing calls.
Firewall settings may be referenced and applied at any time before, during or after the SBC configuration, but the settings must be applied before Direct Routing services take affect.
Ribbon recommends the deployment of the SBC Edge product (including the SBC SWe Lite) behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Security Hardening Checklist for more information about the SBC and firewalls.
Basic Firewall Settings for All Call Flows
Inbound Public (Internet to SBC)
SIP TLS: TCP 5061*
- Media for SBC 1000: UDP 16384-17584**
- Media for SBC 2000: UDP 16384-19384*
Outbound Public (SBC to Internet)
DNS: TCP 53
DNS: UDP 53
NTP: UDP 123
SIP TLS: TCP 5061
Media: UDP 49152-53247
Public Access Information
The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).
Public Access In - Requirements
Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address | Dest Port |
|---|---|---|---|---|---|---|
Outbound DNS Reply | TCP | Allow | 0.0.0.0/0 | 53 | SBC/32 | 0-65535 |
Outbound DNS Reply | UDP | Allow | 0.0.0.0/0 | 53 | SBC/32 | 0-65535 |
Outbound NTP Reply | UDP | Allow | 0.0.0.0/0 | 123 | SBC/32 | 123 |
Outbound SIP Reply | TCP | Allow | 0.0.0.0/0 | 5061 | SBC/32 | 1024-65535 |
Inbound SIP Request | TCP | Allow | 0.0.0.0/0 | 1024-65535 | SBC/32 | 5061* |
Inbound Media Helper | UDP | Allow | 52.112.0.0/14 | 49152-53247 | SBC/32 | 16384-17584** |
Deny All | Any | Deny | 0.0.0.0/0 | 0.0.0.0/0 |
Public Access Out - Requirements
Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address | Dest Port |
|---|---|---|---|---|---|---|
Outbound DNS Request | TCP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 53 |
Outbound DNS Request | UDP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 53 |
Outbound NTP Request | UDP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 123 |
Outbound SIP Request | TCP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 5061 |
Inbound SIP Reply | TCP | Allow | SBC/32 | 5061* | 0.0.0.0/0 | 1024-65535 |
Outbound Media Helper | UDP | Allow | SBC/32 | 16384-17584** | 52.112.0.0/14 | 49152-53247 |
Deny All | Any | Deny | 0.0.0.0/0 | 0.0.0.0/0 |
** Depends of the Media Port paired configured in SBC
Firewall Securing the SBC with Media Bypass
Apply the following firewall rules below:
The Teams Client IP address cannot be predicted. As a result, allow Any IP (0.0.0.0/0).
Inbound Public (Internet to SBC)
Media for SBC 1000: UDP 17586-21186**
Media for SBC 2000: UDP 19386-28386**
Outbound Public (SBC to Internet)
Media: UDP 50000-50019
If the device that handles the NAT between the Teams Client and SBC Public IP is performing PAT (), verify that this device has the source port range of the Teams Client media or open all the ports from 1024 to 65535.
For SBC behind NAT, the firewall should allow access between the firewall IP and the NAT device's IP.
For SBC not using NAT, there must be access between the firewall and the SBC's Public IP.
Public Access
The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).
Public Access In - Requirements (Media Bypass Scenario)
Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address | Dest Port |
|---|---|---|---|---|---|---|
Inbound Media Bypass Helper | UDP | Allow | 0.0.0.0/0 | 1024-65535 | SBC/32 | 16384-21186** |
Public Access Out - Requirements (Media Bypass Scenario)
Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address | Dest Port |
|---|---|---|---|---|---|---|
Outbound Media Bypass Helper | UDP | Allow | SBC/32 | 16384-21186** | 0.0.0.0/0 | 1024-65535 |
** Depends of the Media Port paired configured in SBC
Overview
Content Tools