
This Best Practice applies to deployments in Microsoft Azure only and does not apply to on-premises deployments. For on-premises deployments, refer to Best Practice - Configuring SBC Edge for Microsoft Teams Phone System Direct Routing On-Premises Deployment.

Introduction

This Best Practice details the configuration required for an SBC SWe Lite to offer Microsoft Teams Phone System Direct Routing services from Microsoft® Azure™. The SBC SWe Lite can be used to connect an enterprise's Teams clients to:

  • Third-party PBX and subtended clients
  • SIP trunk from a third-party provider (PSTN)

    SBC SWe Lite in Microsoft Azure offering Direct Routing Services to Teams Clients

From the Azure public cloud, the SBC SWe Lite offers the same Direct Routing features as an on-premises deployment (on Microsoft® Hyper-V®, VMware® vSphere® ESXi, or Linux® KVM), such as:

  • Security: Call encryption/decryption, denial-of-service (DoS)/distributed DoS attack neutralization, and protection from toll fraud.
  • Interoperability: Call mediation services to connect Teams-certified clients to non-Teams clients, including popular third-party SIP trunking and SIP PBX platforms such as the Avaya® Aura® Communication Manager and the Cisco® Unified Communications Manager.
  • Survivability: Uninterrupted calling services for SIP clients (including Polycom® and Yealink® phones) through built-in SIP registrar and re-routing around failed routes/proxy servers/destination endpoints.

The SBC SWe Lite is certified for Teams Direct Routing media bypass* and non-media bypass services. Refer to the Microsoft Teams Phone System Direct Routing certification page.

*Note: Media bypass support in Azure is a planned future feature; media bypass is available for on-premises deployments today.

Microsoft Teams Direct Routing Media Bypass is not supported when the SBC SWe Lite is hosted in Azure due to the lack of static NAT support.

Prerequisites

Deploy SBC SWe Lite in Azure Marketplace

Deploy the SBC SWe Lite in Azure Marketplace. Refer to: Running a SWe Lite via Microsoft Azure Marketplace.

Tenant Description
A tenant is used within the Microsoft environment to describe a single independent enterprise that has subscribed to Office 365 services; through this tenant, administrators can manage projects, users, and roles. 

Microsoft Teams Direct Routing Configuration

Consult the Microsoft documentation for the Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.

SBC Configuration

Obtain IP Address, FQDN & Public Certificate

Requirements for configuring the SBC Edge in support of Teams Direct Routing include:

SBC Edge Requirements

  • Public IP Address: Media Bypass is not currently supported in Azure deployments, so ICE Lite is not required. The SBC can use a Public IP behind a NAT.
  • Public FQDN: Must resolve to the Public IP Address.
  • Public certificate associated with the Public FQDN: Must be issued by one of the supported certification authorities (CAs) and must carry the SBC FQDN in its Subject or Subject Alternative Name. Wildcard certificates are supported.

Obtain Domain Name

The SBC FQDN must be from one of the Domain names registered in “Domains” of the Tenant. The table below lists Domain Name examples.

Do not use the *.onmicrosoft.com tenant domain as the SBC domain name.

Domain Name Examples

Domain Name: SonusMS01.com (usable for the SBC FQDN)

Valid name:

  • aepsite6.SonusMS01.com

Domain Name: hybridvoice.org (usable for the SBC FQDN)

Valid names:

  • sbc1.hybridvoice.org
  • ussbcs15.hybridvoice.org
  • europe.hybridvoice.org

Non-valid name:

  • sbc1.europe.hybridvoice.org (requires registering the domain name europe.hybridvoice.org in "Domains" first)

Users may be from any SIP domain registered for the tenant. For example, you can configure the user user@SonusMS01.com with the SBC FQDN sbc1.hybridvoice.org, as long as both names are registered for the tenant.

Configure Domain Names - Example

 

Prerequisite - Verify Domain Before Adding PSTN Gateway

Verify the correct domain name is configured for the Tenant. The correct domain name is required for the SBC to pair with Microsoft Teams.

  1. On the Microsoft Teams Tenant side, execute Get-CsTenant.
  2. Review the output.
  3. Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.
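The domain rule above (the SBC FQDN must be a host name under a domain registered on the tenant, never under *.onmicrosoft.com) can be checked in a script before the PSTN gateway is added. The PowerShell below is an added example and is not part of the Ribbon page: Test-SbcFqdnDomain is a name chosen here, the domain list and SBC FQDN values are constructed to mirror the page's table, and the live portion assumes the MicrosoftTeams module and the Domains attribute of Get-CsTenant that the page refers to.

```powershell
# Added example: check that an SBC FQDN is usable for Direct Routing pairing.
# Rule from the page: the FQDN must be <host>.<domain registered on the tenant>,
# and the *.onmicrosoft.com default domain must not be used.
# Test-SbcFqdnDomain is a name chosen here, not a Ribbon or Microsoft cmdlet.
function Test-SbcFqdnDomain {
    param(
        [Parameter(Mandatory)][string]$SbcFqdn,
        [Parameter(Mandatory)][string[]]$RegisteredDomains
    )
    $fqdn   = $SbcFqdn.Trim().TrimEnd('.').ToLowerInvariant()
    $result = [ordered]@{ Fqdn = $fqdn; Valid = $false; Reason = '' }

    if ($fqdn -like '*.onmicrosoft.com') {
        $result.Reason = 'onmicrosoft.com tenant domain must not be used'
        return [pscustomobject]$result
    }

    $labels = $fqdn.Split('.')
    if ($labels.Count -lt 3) {
        $result.Reason = 'FQDN needs a host label in front of a registered domain (for example sbc1.hybridvoice.org)'
        return [pscustomobject]$result
    }

    # Parent domain = everything after the first label. sbc1.europe.hybridvoice.org
    # is only valid if europe.hybridvoice.org itself is registered; hybridvoice.org
    # being registered is not enough.
    $parent     = ($labels | Select-Object -Skip 1) -join '.'
    $registered = @($RegisteredDomains | ForEach-Object { $_.Trim().ToLowerInvariant() })

    if ($registered -contains $parent) {
        $result.Valid  = $true
        $result.Reason = "parent domain $parent is registered on the tenant"
    } else {
        $result.Reason = "register $parent under Domains before adding the PSTN gateway"
    }
    return [pscustomobject]$result
}

# Offline run against a constructed domain list that mirrors the page's examples.
$constructedDomains = 'SonusMS01.com', 'hybridvoice.org', 'contoso.onmicrosoft.com'
$candidates = @(
    'aepsite6.SonusMS01.com'
    'sbc1.hybridvoice.org'
    'sbc1.europe.hybridvoice.org'      # not valid: europe.hybridvoice.org is not registered
    'sbc.contoso.onmicrosoft.com'      # not valid: onmicrosoft.com domain
)
$candidates |
    ForEach-Object { Test-SbcFqdnDomain -SbcFqdn $_ -RegisteredDomains $constructedDomains } |
    Format-Table -AutoSize

# Live run against the tenant (assumes the MicrosoftTeams module). The shape of the
# Domains attribute differs between module versions, so both an object with a Name
# property and a plain string are accepted.
# Connect-MicrosoftTeams
# $tenant  = Get-CsTenant
# $domains = $tenant.Domains | ForEach-Object { if ($_.PSObject.Properties['Name']) { $_.Name } else { "$_" } }
# Test-SbcFqdnDomain -SbcFqdn 'sbc1.hybridvoice.org' -RegisteredDomains $domains
```

Run the offline part first to see the rule applied to the page's own examples; then uncomment the live part to check the FQDN you intend to use against the tenant. A false result means pairing will fail, which is exactly the symptom described in step 3.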

Firewall Settings

The following section details the requirements for ports, protocols and services for firewalls in the path of Direct Routing calls.

Firewall settings may be referenced and applied at any time before, during or after the SBC configuration, but the settings must be applied before Direct Routing services take effect.

Ribbon recommends the deployment of the SBC Edge product (including the SBC SWe Lite) behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Security Hardening Checklist for more information about the SBC and firewalls.


Basic Firewall Settings for All Call Flows

Inbound Public (Internet to SBC)
  • SIP TLS: TCP 5061*
  • Media for SBC 1000: UDP 16384-17584**
  • Media for SBC 2000: UDP 16384-19384**

Outbound Public (SBC to Internet)
  • DNS: TCP 53
  • DNS: UDP 53
  • NTP: UDP 123
  • SIP TLS: TCP 5061
  • Media: UDP 49152-53247

Public Access Information

The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).

 

Public Access In - Requirements

Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address | Dest Port
Outbound DNS Reply | TCP | Allow | 0.0.0.0/0 | 53 | SBC/32 | 0-65535
Outbound DNS Reply | UDP | Allow | 0.0.0.0/0 | 53 | SBC/32 | 0-65535
Outbound NTP Reply | UDP | Allow | 0.0.0.0/0 | 123 | SBC/32 | 123
Outbound SIP Reply | TCP | Allow | 0.0.0.0/0 | 5061 | SBC/32 | 1024-65535
Inbound SIP Request | TCP | Allow | 0.0.0.0/0 | 1024-65535 | SBC/32 | 5061*
Inbound Media Helper | UDP | Allow | 52.112.0.0/14 | 49152-53247 | SBC/32 | 16384-17584**
Deny All | Any | Deny | 0.0.0.0/0 | Any | 0.0.0.0/0 | Any

Public Access Out - Requirements

Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address | Dest Port
Outbound DNS Request | TCP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 53
Outbound DNS Request | UDP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 53
Outbound NTP Request | UDP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 123
Outbound SIP Request | TCP | Allow | SBC/32 | 0-65535 | 0.0.0.0/0 | 5061
Inbound SIP Reply | TCP | Allow | SBC/32 | 5061* | 0.0.0.0/0 | 1024-65535
Outbound Media Helper | UDP | Allow | SBC/32 | 16384-17584** | 52.112.0.0/14 | 49152-53247
Deny All | Any | Deny | 0.0.0.0/0 | Any | 0.0.0.0/0 | Any

* Defined in the Tenant configuration

** Depends on the media port range configured on the SBC

Firewall Securing the SBC with Media Bypass

Configure the Firewall per Basic Firewall Settings for All Call Flows, and then apply the updates below.

The Teams Client IP address cannot be predicted. As a result, allow Any IP (0.0.0.0/0).

Inbound Public (Internet to SBC)
  • Media for SBC 1000: UDP 17586-21186**
  • Media for SBC 2000: UDP 19386-28386**

Outbound Public (SBC to Internet)
  • Media: UDP 50000-50019

If the device performing NAT between the Teams client and the SBC Public IP is also performing PAT (Port Address Translation), verify that it permits the source port range of the Teams client media, or open all ports from 1024 to 65535.

Public Access

The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).

Public Access In - Requirements (Media Bypass Scenario)

Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address | Dest Port
Inbound Media Bypass Helper | UDP | Allow | 0.0.0.0/0 | 1024-65535 | SBC/32 | 16384-21186**

Public Access Out - Requirements (Media Bypass Scenario)

Description | Protocol | Action | Src IP Address | Src Port | Dest IP Address | Dest Port
Outbound Media Bypass Helper | UDP | Allow | SBC/32 | 16384-21186** | 0.0.0.0/0 | 1024-65535

* Defined in the Tenant configuration

** Depends on the media port range configured on the SBC
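The Public Access tables for all call flows and the media bypass variant above describe what the firewall in front of the SBC must permit. When the SBC SWe Lite runs in Azure, that firewall is usually the Network Security Group (NSG) on the media NIC. The PowerShell below is an added example, not Ribbon's configuration or the output of the Easy Configuration wizard: New-SbcDirectRoutingNsgRules is a name chosen here, the resource group, location, NIC name, SBC private IP and rule names are assumptions, and the media port range must be set to the range configured on your SBC (footnote **). It assumes the Az.Network module and an authenticated Connect-AzAccount session.

```powershell
# Added example: build Azure NSG rules from the page's Public Access tables.
# Resource names, the SBC private IP and the media port range are placeholders.
# New-SbcDirectRoutingNsgRules is a name chosen here, not a Ribbon or Azure cmdlet.
function New-SbcDirectRoutingNsgRules {
    param(
        [Parameter(Mandatory)][string]$SbcPrivateIp,   # NSG rules match the NIC's private IP, not the public IP
        [string]$SbcMediaPorts    = '16384-17584',     # ** set to the SBC's configured media port range
        [string]$TeamsMediaPrefix = '52.112.0.0/14',   # media range from the page; verify against current Microsoft docs
        [switch]$MediaBypass                           # mirrors the page's media bypass tables (not supported in Azure)
    )
    $rules = @(
        # Inbound: SIP TLS from anywhere (the page uses 0.0.0.0/0; 'Internet' is the NSG service tag for that)
        New-AzNetworkSecurityRuleConfig -Name 'AllowInSipTls' -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
            -SourceAddressPrefix Internet -SourcePortRange '1024-65535' `
            -DestinationAddressPrefix $SbcPrivateIp -DestinationPortRange '5061'
        # Inbound: media from the Teams media relays only
        New-AzNetworkSecurityRuleConfig -Name 'AllowInTeamsMedia' -Direction Inbound -Access Allow -Protocol Udp -Priority 110 `
            -SourceAddressPrefix $TeamsMediaPrefix -SourcePortRange '49152-53247' `
            -DestinationAddressPrefix $SbcPrivateIp -DestinationPortRange $SbcMediaPorts
        # Outbound: DNS, NTP, SIP TLS and media. Azure NSGs are stateful, so the
        # "Reply" rows of the page's ACL tables need no separate rule here.
        New-AzNetworkSecurityRuleConfig -Name 'AllowOutDns' -Direction Outbound -Access Allow -Protocol '*' -Priority 100 `
            -SourceAddressPrefix $SbcPrivateIp -SourcePortRange '*' -DestinationAddressPrefix Internet -DestinationPortRange '53'
        New-AzNetworkSecurityRuleConfig -Name 'AllowOutNtp' -Direction Outbound -Access Allow -Protocol Udp -Priority 110 `
            -SourceAddressPrefix $SbcPrivateIp -SourcePortRange '*' -DestinationAddressPrefix Internet -DestinationPortRange '123'
        New-AzNetworkSecurityRuleConfig -Name 'AllowOutSipTls' -Direction Outbound -Access Allow -Protocol Tcp -Priority 120 `
            -SourceAddressPrefix $SbcPrivateIp -SourcePortRange '*' -DestinationAddressPrefix Internet -DestinationPortRange '5061'
        New-AzNetworkSecurityRuleConfig -Name 'AllowOutTeamsMedia' -Direction Outbound -Access Allow -Protocol Udp -Priority 130 `
            -SourceAddressPrefix $SbcPrivateIp -SourcePortRange $SbcMediaPorts `
            -DestinationAddressPrefix $TeamsMediaPrefix -DestinationPortRange '49152-53247'
    )
    if ($MediaBypass) {
        # Media bypass: Teams client addresses cannot be predicted, so the page opens any source.
        $rules += New-AzNetworkSecurityRuleConfig -Name 'AllowInMediaBypass' -Direction Inbound -Access Allow -Protocol Udp -Priority 120 `
            -SourceAddressPrefix Internet -SourcePortRange '1024-65535' `
            -DestinationAddressPrefix $SbcPrivateIp -DestinationPortRange $SbcMediaPorts
        $rules += New-AzNetworkSecurityRuleConfig -Name 'AllowOutMediaBypass' -Direction Outbound -Access Allow -Protocol Udp -Priority 140 `
            -SourceAddressPrefix $SbcPrivateIp -SourcePortRange $SbcMediaPorts `
            -DestinationAddressPrefix Internet -DestinationPortRange '1024-65535'
    }
    # Explicit deny-all in both directions, evaluated before Azure's default allow rules.
    $rules += New-AzNetworkSecurityRuleConfig -Name 'DenyAllIn' -Direction Inbound -Access Deny -Protocol '*' -Priority 4000 `
        -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'
    $rules += New-AzNetworkSecurityRuleConfig -Name 'DenyAllOut' -Direction Outbound -Access Deny -Protocol '*' -Priority 4000 `
        -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'
    return $rules
}

# Assumed deployment values
$rg       = 'rg-sbc-swelite'
$location = 'westeurope'
$nicName  = 'sbc-swelite-media-nic'
$sbcIp    = '10.1.9.4'

$rules = New-SbcDirectRoutingNsgRules -SbcPrivateIp $sbcIp -SbcMediaPorts '16384-17584'
$nsg   = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'nsg-sbc-media' -SecurityRules $rules

# Attach the NSG to the media NIC
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null
```

Three points matter when applying this. The NSG sees the NIC's private address after Azure translates the public IP, so the SBC/32 column of the page's tables becomes the private IP here. The explicit DenyAllOut rule also blocks anything not listed, such as management access or licensing traffic on the same NIC, so add rules for those before attaching the NSG; Azure's own DHCP and DNS via 168.63.129.16 are not subject to NSG rules, so the DHCP-assigned addressing used in the IP Routing section below is unaffected. Finally, the page lists only 52.112.0.0/14 for Teams media; Microsoft's published range list has grown since, so check the current Direct Routing documentation before pinning the source prefix.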

 

Configure Azure for Microsoft Teams Direct Routing 

Assign a Static Public IP Address on the Media Port

Assign a Static Public IP address on the media interface in Azure for Microsoft Teams Direct Routing.

These instructions assume the SBC SWe Lite has been deployed in Azure Marketplace. Refer to Running a SWe Lite via Microsoft Azure Marketplace.

  1. Connect to the Azure portal. Refer to portal.azure.com.
  2. From the left navigation pane, click Virtual Machines.
  3. Click the desired VM to be used for Microsoft Teams Direct Routing.

    Click on VM

  4. Under Settings, click Networking to open the media interface.

    Select Networking

  5. Click on the network interface.

  6. Under Settings, click IP Configuration.

    Select IP Configuration

  7. Click ipconfig1.
  8. Enable a Public IP address and create a new Static Public IP address on the media interface through a series of windows:
    1. From the Public IP address settings option, select Enabled.

    2. Click IP address.
    3. From the Choose public IP address window, click Create new.

    4. From the Create public IP address window and the Assignment options, select Static.

 

Create Static Public IP Address

Run Easy Configuration Wizard for Microsoft Teams Direct Routing

Run the Easy Configuration Wizard to deploy a Microsoft Teams Direct Routing scenario. Refer to the following configurations under Working with SBC Easy Configuration:

Complete SBC SWe Lite Configuration for Microsoft Teams Direct Routing in Azure

Configure IP Routing

IP Routing must be customized in the SBC SWe Lite for Microsoft Teams Direct Routing in Azure. Two options are available for configuration:

  • Set the Default Route on the Media Interface.
  • Add a Static Route for Microsoft Teams Direct Routing traffic to the Media Interface.

Option 1: Set the Default Route on a Media Interface

When the SBC SWe Lite uses multiple NICs, Azure designates the first network interface as the Primary Network Interface. Only the Primary Network Interface receives a default gateway and routes via DHCP. To place the default route on another subnet, you must designate that subnet's network interface as the Primary Network Interface.

To assign the network default route, refer to Change Azure Default Route.

Option 2: Add a Static Route for Microsoft Teams traffic to a Media Interface

Add a static route for the traffic to the following IP address and Mask: 52.112.0.0/14 (52.112.0.0/255.252.0.0).

For details on creating Static Routes, refer to Creating Entries in a Static IP Route Table.

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to Protocols > IP > Static Routes. 
  3. Click the Create Static IP Route icon at the top of the Static IP Route Table page.
  4. Add the following Static Route using your media interface:

    1. Destination IP: 52.112.0.0

    2. Mask: 255.252.0.0

    3. Gateway: 10.1.9.1 (example value; use the default gateway of your media subnet)

      Create Static IP Route

  5. Click OK.

Confirm the IP Configuration

For details on IP Interfaces, refer to Managing Logical Interfaces.

Ensure that all network interfaces are configured as follows:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to Networking Interfaces > Logical Interfaces.
  3. Verify the following is configured:
    1. IP Assign Method: DHCP.
    2. DHCP Options to Use: IP Address and Default Route.

      Select Networking Options

  4. Update if required.

Configure the Outbound NAT Traversal

For details on Signaling Groups, refer to Creating and Modifying SIP Signaling Groups.

Before configuring Outbound NAT Traversal, obtain the Public IP address for your network (the Public IP address specified in the screen graphic is an example only).

Configure the Outbound Static NAT for all Signaling Groups that use an interface with a Public IP address (at the minimum for the Microsoft Teams Direct Routing Signaling Groups).

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to Signaling Groups.
  3. Click on the Signaling Group used for Microsoft Teams Direct Routing. For details on modifying a signaling group, refer to Creating and Modifying SIP Signaling Groups.
  4. From the Outbound NAT Traversal drop down list, select Static NAT.
  5. In the NAT Public IP (Signaling/Media) field, enter the Public IP address assigned to this media port (the Public IP shown in the screen graphic is an example only; use the Public IP for your network).

    Configure Outbound NAT Traversal

Disable Media Bypass

Hosting the SBC in Microsoft Azure reduces the need for Direct Routing Media Bypass (media bypass in Azure is not currently supported and is planned for a future release). Because media bypass is not used, ICE Lite and RTCP Multiplexing must be disabled on the Teams Direct Routing Signaling Group, as follows:

 

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to System > Signaling Groups.
  3. Select the Signaling Group used for Microsoft Teams Direct Routing.

  4. From the RTCP Multiplexing drop-down list, select Disable.

    Disable RTCP Multiplexing

  5. From the ICE Support drop down list, select Disabled.

    Disable ICE Support

  6. Click OK.

Place a Test Call

Place a test call and verify operation (refer to Confirm the Configuration). For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.
