Page History
Tip | ||
---|---|---|
| ||
Consult the Microsoft documentation for detailed information on Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages. |
SBC Edge Software
Ensure you are running the latest version of SBC software:
- To locate the SBC Edge software current running, refer to: Viewing the Software Version and Hardware ID.
- To download and upgrade a new version of SBC Edge software, refer to: Installing and Commissioning the SBC Edge Portfolio.
Obtain IP Address and FQDN
Requirements for configuring the SBC Edge in support of Teams Direct Routing include:
SBC Edge Requirements
Requirement | How it is Used |
---|---|
Public IP address of NAT device (must be Static)* Private IP address of the SBC | Required for SBC Behind the NAT deployment. |
Public IP address of SBC | Required for SBC with Public IP deployment. |
Public FQDN | The Public FQDN must point to the Public IP Address. |
*NAT translates a public IP address to a Private IP address.
Anchor | ||||
---|---|---|---|---|
|
For the SBC Edge to pair with Microsoft Teams, the SBC FQDN domain name must match a name registered in both the Domains and DomainUrlMap fields of the Tenant. Verify the correct domain name is configured for the Tenant as follows:
- On the Microsoft Teams Tenant side, execute Get-CsTenant.
- Review the output.
- Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes for the Tenant. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.
Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.
Pagebreak |
---|
Domain Name Examples
Domain Name* | Use for SBC FQDN? | FQDN Names - Examples |
---|---|---|
SonusMS01.com | Valid names: | |
Valid names:
Non-Valid name: sbc1.europe.hybridvoice.org (requires registering domain name europe. hybridvoice.org in “Domains” first) |
*Do not use the *.onmicrosoft.com tenant for the domain name.
Configure Domain Names - Example
Obtain Certificate
Public Certificate
The Certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.
Refer to Microsoft documentation for certificate information.
Refer to CCADB Documentation for the comprehensive list of supported CAs.
- Refer to Domain Name for certificate formats.
Configure and Generate Certificates on the SBC
Expand | |||||||
---|---|---|---|---|---|---|---|
| |||||||
Microsoft Teams Direct Routing allows only TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities. Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows:
Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)Many CA's do not support a private key with a length of 1024 bits. Validate with your CA requirements and select the appropriate length of the key.
Step 2: Deploy the SBC and Root/Intermediate Certificates on the SBCAfter receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows:
|
Firewall Rules
Ribbon recommends the deployment of the SBC Edge product behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Portfolio Security Hardening Checklist for more information about the SBC and firewalls.
This section lists the ports, protocols and services for firewalls that are in the path of the SBC connecting to Teams Direct Routing.
Pagebreak |
---|
Basic Firewall Rules for All Call Flows
Expand | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Inbound Public (Internet to SBC)
The tables below represent ACL (Access Control List) examples that protect the SBC Edge. When using Easy Configuration Teams related wizards in an Enterprise deployment, these attributes are automatically provisioned. If you are manually configuring the SBC Edge as part of a Microsoft Teams Direct Routing migration scenario (for example Skype for Business or CCE), you must manually configure these ports. For details on ACLs, refer to Creating and Modifying Rules for IPv6 Access Control Lists. Public Access In - Requirements
Public Access Out - Requirements
* Define in Tenant configuration ** SBC SWe Edge does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC. |
Firewall Rules for the SBC with Media Bypass
Expand | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||
Apply the following firewall rules below:
Media for SBC 1000: UDP 17586-21186** Media for SBC 2000: UDP 19386-28386** Media: UDP 50000-50019 If the device that handles the NAT between the Teams Client and SBC Public IP is performing PAT ( ), verify that this device has the source port range of the Teams Client media or open all the ports from 1024 to 65535.For SBC behind NAT, the firewall should allow access between the firewall IP and the NAT device's IP. For SBC not using NAT, there must be access between the firewall and the SBC's Public IP. Public AccessThe tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only). Public Access In - Requirements (Media Bypass Scenario)
Public Access Out - Requirements (Media Bypass Scenario)
* Define in Tenant configuration ** SBC SWe Edge does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC. |