...
Requirements for configuring the SBC Edge in support of Teams Direct Routing include:
Caption |
---|
0 | Table |
---|
1 | SBC Edge Requirements |
---|
|
Requirement | How it is Used |
---|
Public IP address of NAT device (must be Static)* Private IP address of the SBC
| Required for SBC Behind the NAT deployment. | Public IP address of SBC | Required for SBC with Public IP deployment. | Public FQDN | The Public FQDN must point to the Public IP Address. |
*NAT translates a public IP address to a Private IP address. |
Domain Name
For the SBC Edge to pair with Microsoft Teams, the SBC FQDN domain name must match a name registered in both the Domains and DomainUrlMap fields of the Tenant. Verify the correct domain name is configured for the Tenant as follows:
...
Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.
Caption |
---|
0 | Table |
---|
1 | Domain Name Examples |
---|
|
Domain Name* | Use for SBC FQDN? | FQDN Names - Examples |
---|
SonusMS01.com | | Valid names: | hybridvoice.org | | Valid names: - sbc1. hybridvoice.org
- ussbcs15. hybridvoice.org
- europe. hybridvoice.org
Non-Valid name: sbc1.europe.hybridvoice.org (requires registering domain name europe. hybridvoice.org in “Domains” first) |
*Do not use the *.onmicrosoft.com tenant for the domain name. |
Caption |
---|
0 | Figure |
---|
1 | Configure Domain Names - Example |
---|
|
Image Modified |
Obtain Certificate
Public Certificate
...
...
Expand |
---|
title | Click here to expand for how to generate Certificates on the SBC |
---|
|
Warning |
---|
title | Warning: Common Encryption Certificate Issues Arise from Missing Root Certificates |
---|
| - Did you only install the CA-signed SBC certificate, along with the intermediate certificate(s) sent by your issuing CA?
- Did you get the following error message from the SBC?
If so, the likely reason is a missing CA Root Certificate. The SBC does not have any pre-installed CA root X.509 certificates, unlike typical browsers found on your PC. Ensure the entire certificate chain of trust is installed on the SBC, including the root certificate. Acquire the CA root certificate as follows: - Contact your system administrator or certificate vendor to acquire the root, and any further missing intermediate certificate(s) to provision the entire certificate chain of trust within the SBC;
- Load the root certificate, along with the intermediate and SBC certificates, according to Importing Trusted Root CA Certificates.
NOTE: Root certificates are easily acquired from the certificate authorities. For example, the root certificate for the GoDaddy Class 2 Certification Authority may be found at https://ssl-ccp.godaddy.com/repository?origin=CALLISTO . For more information about root certificates, intermediate certificates, and the SBC server (“leaf”) certificates, refer to this tutorial. For other certificate-related errors, refer to Common Troubleshooting Issues with Certificates in SBC Edge. |
Microsoft Teams Direct Routing allows only TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities. Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows: - Generate a Certificate Signing Request (CSR) and obtain the certificate from a supported Certification Authority.
- Import the Public CA Root/Intermediate Certificate on the SBC.
- Import the Microsoft CA Certificate on the SBC.
- Import the SBC Certificate.
Info |
---|
The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority. |
Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)Many CA's do not support a private key with a length of 1024 bits. Validate with your CA requirements and select the appropriate length of the key. - Access the WebUI.
- Access Settings > Security > SBC Certificates.
Click Generate SBC Edge CSR. Enter data in the required fields. Click OK. After the Certificate Signing request finishes generating, copy the result to the clipboard.
Caption |
---|
0 | Figure |
---|
1 | Generate Certificate Signing Request |
---|
| Image Modified |
- Use the generated CSR text from the clipboard to obtain the certificate.
After receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows: - Obtain Trusted Root and Intermediary signing certificates from your certification authority.
- Access the WebUI.
- To install Trusted Root Certificates, click Settings > Security > SBC Certificates > Trusted Root Certificates.
- Click Import and select the trusted root certificates.
- To install the SBC certificate, open Settings > Security > SBC Certificates > SBC Primary Certificate.
Validate the certificate is installed correctly. Caption |
---|
0 | Figure |
---|
1 | Validate Certificate |
---|
| Image Modified |
- Click Import and select X.509 Signed Certificate.
Validate the certificate is installed correctly. Caption |
---|
0 | Figure |
---|
1 | Validate Certificate |
---|
| Image Modified |
|
Firewall Rules
Ribbon recommends the deployment of the SBC Edge product behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Security Hardening Checklist for more information about the SBC and firewalls.
...
Expand |
---|
title | Click here to expand for Basic Firewall Settings |
---|
|
Inbound Public (Internet to SBC)SIP TLS: TCP 5061* - Media for SBC 1000: UDP 16384-17584**
- Media for SBC 2000: UDP 16384-19384*
- Media for SBC SWe Lite: UDP 16384-21384
Outbound Public (SBC to Internet)DNS: TCP 53 DNS: UDP 53 NTP: UDP 123 SIP TLS: TCP 5061 Media: UDP 49152-53247
The tables below represent ACL (Access Control List) examples that protect the SBC Edge. When using Easy Configuration Teams related wizards in an Enterprise deployment, these attributes are automatically provisioned. If you are manually configuring the SBC Edge as part of a Microsoft Teams Direct Routing migration scenario (for example Skype for Business or CCE), you must manually configure these ports. For details on ACLs, refer to Creating and Modifying Rules for IPv6 Access Control Lists.
Caption |
---|
0 | Table |
---|
1 | Public Access In - Requirements |
---|
|
Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address
| Dest Port |
---|
Outbound DNS Reply | TCP | Allow | 0.0.0.0/0 | 53 | SBC/32 | 0-65535 | Outbound DNS Reply | UDP | Allow | 0.0.0.0/0 | 53 | SBC/32 | 0-65535 | Outbound NTP Reply | UDP | Allow | 0.0.0.0/0 | 123 | SBC/32 | 123 | Outbound SIP Reply | TCP | Allow | 0.0.0.0/0 | 5061 | SBC/32 | 1024-65535 | Inbound SIP Request | TCP | Allow | 0.0.0.0/0 | 1024-65535 | SBC/32 | 5061* | Inbound Media Helper
| UDP | Allow | 52.112.0.0/14 | 49152-53247 | SBC/32 | 16384-17584** | Deny All | Any | Deny | 0.0.0.0/0 |
|
Caption |
---|
0 | Table |
---|
1 | Public Access Out - Requirements |
---|
|
Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address | Dest Port |
---|
Outbound DNS Request | TCP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 53 | Outbound DNS Request | UDP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 53 | Outbound NTP Request | UDP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 123 | Outbound SIP Request | TCP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 5061 | Inbound SIP Reply | TCP | Allow | SBC/32 | 5061* | 0.0.0.0/0 | 1024-65535 | Outbound Media Helper
| UDP | Allow | SBC/32 | 16384-17584** | 52.112.0.0/14 | 49152-53247 | Deny All | Any | Deny | 0.0.0.0/0 |
| * Define in Tenant configuration ** Depends SBC SWe Lite does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port Port paired configured in the SBC. |
Firewall Rules for the SBC with Media Bypass
Expand |
---|
title | Click here to expand for Firewall Settings for an SBC with Media Bypass |
---|
|
Apply the following firewall rules below: Info |
---|
The Teams Client IP address cannot be predicted. As a result, allow Any IP (0.0.0.0/0). |
Inbound Public (Internet to SBC) Media for SBC 1000: UDP 17586-21186** Media for SBC 2000: UDP 19386-28386** Outbound Public (SBC to Internet)Media: UDP 50000-50019 If the device that handles the NAT between the Teams Client and SBC Public IP is performing PAT (Port Address Translation), verify that this device has the source port range of the Teams Client media or open all the ports from 1024 to 65535. For SBC behind NAT, the firewall should allow access between the firewall IP and the NAT device's IP. For SBC not using NAT, there must be access between the firewall and the SBC's Public IP. Public Access
The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only). Caption |
---|
0 | Table |
---|
1 | Public Access In - Requirements (Media Bypass Scenario) |
---|
|
Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address | Dest Port |
---|
Inbound Media Bypass Helper
| UDP | Allow | 0.0.0.0/0 | 1024-65535 | SBC/32 | 16384-21186** |
|
Caption |
---|
0 | Table |
---|
1 | Public Access Out - Requirements (Media Bypass Scenario) |
---|
|
Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address | Dest Port |
---|
Outbound Media Bypass Helper
| UDP | Allow | SBC/32 | 16384-21186** | 0.0.0.0/0 | 1024-65535 |
|
* Define in Tenant configuration ** Depends SBC SWe Lite does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port Port paired configured in the SBC. |