...

Info: Tenant Description
A tenant is used within the Microsoft environment to describe a single independent enterprise that has subscribed to Office 365 services; through this tenant, administrators can manage projects, users, and roles. 

Microsoft Teams Direct Routing Configuration

Consult the Microsoft documentation for the Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.

SBC Configuration

Info

Support for an SBC behind a NAT is in SBC Edge 1000/2000 Release 8.0.2 and later only; support in SBC SWe Lite Edge is planned for a later release.

Obtain IP Address, FQDN & Public Certificate

Requirements for configuring the SBC Edge in support of Teams Direct Routing include:

Table: SBC Edge Requirements

Requirement                                        | Details
---------------------------------------------------|------------------------------------------------------------------------------------------------------------
SBC behind the NAT*                                | Public IP address of the NAT device and private IP address of the SBC.
SBC with public IP                                 | Public IP address of the SBC is required.
Network Address Translation (NAT)* configuration   | Required for deployment of an SBC behind a NAT.
Public FQDN                                        | The public FQDN must point to the public IP address.
Public certificate associated with the public FQDN | Certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.
Static IP address                                  | Required for deployment of an SBC behind a NAT; the public IP address on the NAT must be static.

*NAT translates a public IP address to a private IP address.


Obtain Domain Name

The SBC FQDN must be from one of the Domain names registered in “Domains” of the Tenant. The table below lists Domain Name examples.

...

Table: Domain Name Examples

Domain Name     | Use for SBC FQDN? | FQDN Names - Examples
----------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
SonusMS01.com   | Yes               | Valid name: aepsite6.SonusMS01.com
hybridvoice.org | Yes               | Valid names: sbc1.hybridvoice.org, ussbcs15.hybridvoice.org, europe.hybridvoice.org. Non-valid name: sbc1.europe.hybridvoice.org (requires registering domain name europe.hybridvoice.org in “Domains” first)

Info

Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.

...

Note: Prerequisite - Verify Domain Before Adding PSTN Gateway

Verify the correct domain name is configured for the Tenant. The correct domain name is required for the SBC to pair with Microsoft Teams.

  1. On the Microsoft Teams Tenant side, execute Get-CsTenant.
  2. Review the output.
  3. Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.
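The domain rule from the Domain Name Examples table and the Get-CsTenant check above can be automated. The following is an added example, not code from the Ribbon page or from Microsoft: it pulls the names out of the Domains attribute of a Get-CsTenant dump and accepts a planned SBC FQDN only when the name left after removing its first label is itself a registered domain. The Get-CsTenant text is a constructed stand-in whose layout is assumed; the tenant domains are the page's own examples.

```python
# Added example (not from the Ribbon page): validate a planned SBC FQDN against
# the domains registered for the tenant, as listed by Get-CsTenant.
import re

# Constructed sample of the Get-CsTenant lines that matter here (format assumed).
SAMPLE_GET_CSTENANT = """\
TenantId     : 00000000-0000-0000-0000-000000000000
Domains      : {sonusms01.onmicrosoft.com, SonusMS01.com, hybridvoice.org}
DomainUrlMap : {...}
"""


def parse_domains(get_cstenant_text):
    """Return the names listed in the Domains attribute, normalised to lower case."""
    match = re.search(r"^Domains\s*:\s*\{([^}]*)\}", get_cstenant_text, re.MULTILINE)
    if not match:
        return set()
    return {d.strip().lower().rstrip(".") for d in match.group(1).split(",") if d.strip()}


def check_sbc_fqdn(fqdn, registered_domains):
    """Return (ok, reason). The FQDN is usable only if the name left after
    removing its first label is one of the tenant's registered domains."""
    name = fqdn.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(labels):
        return (False, f"{fqdn!r} is not a well-formed host name")
    parent = ".".join(labels[1:])
    if parent in registered_domains:
        return (True, f"{parent} is registered for the tenant")
    # Explain the usual failure: the host sits one level below a registered domain.
    for i in range(2, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in registered_domains:
            return (False, f"register {parent} in Domains first (only {suffix} is registered)")
    return (False, f"no registered domain covers {name}")


if __name__ == "__main__":
    domains = parse_domains(SAMPLE_GET_CSTENANT)
    for candidate in ("aepsite6.SonusMS01.com", "sbc1.hybridvoice.org",
                      "sbc1.europe.hybridvoice.org"):
        ok, why = check_sbc_fqdn(candidate, domains)
        print(f"{candidate:32} {'valid' if ok else 'NOT valid'}: {why}")
```

Run it against a saved `Get-CsTenant | Format-List Domains` dump before adding the PSTN gateway; a "register ... first" result is the case the table calls out, and the pairing will fail until that sub-domain is added to the tenant.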


Firewall Settings

The following section details the requirements for ports, protocols and services for firewalls in the path of Direct Routing calls.

...

Note

Ribbon recommends deploying the SBC Edge product (including the SBC SWe Lite Edge) behind a firewall, within the DMZ, regardless of whether the SBC in question is assigned a public IP. Refer to the SBC Edge Portfolio Security Hardening Checklist for more information about the SBC and firewalls.


Basic Firewall Settings for All Call Flows

Inbound Public (Internet to SBC)
  • SIP TLS: TCP 5061*
  • Media for SBC 1000: UDP 16384-17584**
  • Media for SBC 2000: UDP 16384-19384*

Outbound Public (SBC to Internet)
  • DNS: TCP 53
  • DNS: UDP 53
  • NTP: UDP 123
  • SIP TLS: TCP 5061
  • Media: UDP 49152-53247

Public Access Information

The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).

...

Table: Public Access In - Requirements

Description          | Protocol | Action | Src IP Address | Src Port    | Dest IP Address | Dest Port
---------------------|----------|--------|----------------|-------------|-----------------|--------------
Outbound DNS Reply   | TCP      | Allow  | 0.0.0.0/0      | 53          | SBC/32          | 0-65535
Outbound DNS Reply   | UDP      | Allow  | 0.0.0.0/0      | 53          | SBC/32          | 0-65535
Outbound NTP Reply   | UDP      | Allow  | 0.0.0.0/0      | 123         | SBC/32          | 123
Outbound SIP Reply   | TCP      | Allow  | 0.0.0.0/0      | 5061        | SBC/32          | 1024-65535
Inbound SIP Request  | TCP      | Allow  | 0.0.0.0/0      | 1024-65535  | SBC/32          | 5061*
Inbound Media Helper | UDP      | Allow  | 52.112.0.0/14  | 49152-53247 | SBC/32          | 16384-17584**
Deny All             | Any      | Deny   | 0.0.0.0/0      |             | 0.0.0.0/0       |


Table: Public Access Out - Requirements

Description           | Protocol | Action | Src IP Address | Src Port      | Dest IP Address | Dest Port
----------------------|----------|--------|----------------|---------------|-----------------|------------
Outbound DNS Request  | TCP      | Allow  | SBC/32         | 0-65535       | 0.0.0.0/0       | 53
Outbound DNS Request  | UDP      | Allow  | SBC/32         | 0-65535       | 0.0.0.0/0       | 53
Outbound NTP Request  | UDP      | Allow  | SBC/32         | 0-65535       | 0.0.0.0/0       | 123
Outbound SIP Request  | TCP      | Allow  | SBC/32         | 0-65535       | 0.0.0.0/0       | 5061
Inbound SIP Reply     | TCP      | Allow  | SBC/32         | 5061*         | 0.0.0.0/0       | 1024-65535
Outbound Media Helper | UDP      | Allow  | SBC/32         | 16384-17584** | 52.112.0.0/14   | 49152-53247
Deny All              | Any      | Deny   | 0.0.0.0/0      |               | 0.0.0.0/0       |

* Define in Tenant configuration

...

** Depends on the media port pairs configured on the SBC

Firewall Securing the SBC with Media Bypass

Apply the following firewall rules:

Info

The Teams Client IP address cannot be predicted. As a result, allow Any IP (0.0.0.0/0).

Inbound Public (Internet to SBC)
  • Media for SBC 1000: UDP 17586-21186**
  • Media for SBC 2000: UDP 19386-28386**

Outbound Public (SBC to Internet)
  • Media: UDP 50000-50019

If the device that handles the NAT between the Teams Client and the SBC public IP performs PAT (Port Address Translation), verify that this device allows the source port range of the Teams Client media, or open all ports from 1024 to 65535.

...

For an SBC not using NAT, there must be access between the firewall and the SBC's public IP.

Public Access

The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).

Table: Public Access In - Requirements (Media Bypass Scenario)

Description                 | Protocol | Action | Src IP Address | Src Port   | Dest IP Address | Dest Port
----------------------------|----------|--------|----------------|------------|-----------------|--------------
Inbound Media Bypass Helper | UDP      | Allow  | 0.0.0.0/0      | 1024-65535 | SBC/32          | 16384-21186**



Table: Public Access Out - Requirements (Media Bypass Scenario)

Description                  | Protocol | Action | Src IP Address | Src Port      | Dest IP Address | Dest Port
-----------------------------|----------|--------|----------------|---------------|-----------------|-----------
Outbound Media Bypass Helper | UDP      | Allow  | SBC/32         | 16384-21186** | 0.0.0.0/0       | 1024-65535

* Define in Tenant configuration
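The ACL tables in the Public Access Information section and in the media bypass section above are easier to reason about when they are run against concrete packets. The following is an added example, not code from the Ribbon page and not the SBC's own ACL engine: a first-match evaluator that encodes the Public Access In table (using the SBC 1000 media range) plus the media bypass helper rule, and classifies a few constructed packets. The SBC address and peer addresses are constructed from documentation ranges; every rule field comes from the tables.

```python
# Added example (not from the Ribbon page): first-match evaluation of the
# "Public Access In" ACL and its media-bypass variant against sample packets.
import ipaddress
from dataclasses import dataclass

SBC_IP = "198.51.100.10"        # constructed SBC public IP (RFC 5737 documentation range)
SBC = SBC_IP + "/32"            # the "SBC/32" cell of the tables
ANY = "0.0.0.0/0"
TEAMS_MEDIA = "52.112.0.0/14"   # source range of the Inbound Media Helper rule


def port_range(spec):
    """'1024-65535' -> (1024, 65535); '53' -> (53, 53); '' (blank cell) -> any port."""
    if not spec:
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str      # "TCP", "UDP" or "ANY"
    action: str     # "Allow" or "Deny"
    src: str        # CIDR, as written in the table
    sport: str      # port or range, as written in the table
    dst: str
    dport: str

    def matches(self, proto, src_ip, src_port, dst_ip, dst_port):
        if self.proto != "ANY" and self.proto != proto.upper():
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        lo, hi = port_range(self.sport)
        if not lo <= src_port <= hi:
            return False
        lo, hi = port_range(self.dport)
        return lo <= dst_port <= hi


# Rows of "Public Access In - Requirements", SBC 1000 media range, in table order.
PUBLIC_IN = [
    Rule("Outbound DNS Reply (TCP)", "TCP", "Allow", ANY, "53", SBC, "0-65535"),
    Rule("Outbound DNS Reply (UDP)", "UDP", "Allow", ANY, "53", SBC, "0-65535"),
    Rule("Outbound NTP Reply", "UDP", "Allow", ANY, "123", SBC, "123"),
    Rule("Outbound SIP Reply", "TCP", "Allow", ANY, "5061", SBC, "1024-65535"),
    Rule("Inbound SIP Request", "TCP", "Allow", ANY, "1024-65535", SBC, "5061"),
    Rule("Inbound Media Helper", "UDP", "Allow", TEAMS_MEDIA, "49152-53247", SBC, "16384-17584"),
    Rule("Deny All", "ANY", "Deny", ANY, "", ANY, ""),
]

# Media bypass adds its helper row ahead of the final Deny All.
MEDIA_BYPASS_IN = PUBLIC_IN[:-1] + [
    Rule("Inbound Media Bypass Helper", "UDP", "Allow", ANY, "1024-65535", SBC, "16384-21186"),
] + PUBLIC_IN[-1:]


def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """Return (action, rule name) of the first matching rule; deny if none matches."""
    for rule in rules:
        if rule.matches(proto, src_ip, src_port, dst_ip, dst_port):
            return (rule.action, rule.name)
    return ("Deny", "implicit")


if __name__ == "__main__":
    # Constructed packets: a Teams media peer inside 52.112.0.0/14 and an unrelated host.
    samples = [
        ("TCP", "52.112.1.1", 40000, SBC_IP, 5061),
        ("UDP", "52.113.5.5", 50000, SBC_IP, 16500),
        ("UDP", "203.0.113.9", 50000, SBC_IP, 16500),
        ("TCP", "203.0.113.9", 40000, SBC_IP, 5060),
        ("TCP", "203.0.113.9", 53, SBC_IP, 443),
    ]
    for pkt in samples:
        print(pkt, "basic:", evaluate(PUBLIC_IN, *pkt), "bypass:", evaluate(MEDIA_BYPASS_IN, *pkt))
```

Two results are worth noting when reviewing the tables themselves. First, the same UDP packet to a media port from a host outside 52.112.0.0/14 is denied by the basic ACL but allowed by the media bypass ACL, which is the trade-off the "Teams Client IP address cannot be predicted" note describes. Second, the reply rows are stateless: a TCP packet with source port 53 reaches any SBC port, because the ACL only sees the port numbers, which is one reason the page recommends a stateful firewall in front of the SBC in addition to these ACLs.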

...