Connect SBC Edge to Microsoft Teams Direct Routing to Support Multiple Tenants

Overview

The SBC Edge is certified to offer Microsoft Teams Direct Routing services; the SBC Edge can be used to connect any Teams client to:

• A PSTN trunk, whether based on TDM (e.g. PRI, BRI, etc.), CAS, or SIP
• 3rd-party, non-Teams-certified SIP/TDM based PBXs, analog devices, and SIP clients

These instructions detail how to configure the SBC Edge (SBC 1000/2000 and SBC SWe Lite) deployed with a Microsoft partner (sells telephony services delivered to Microsoft Teams) to connect Microsoft Teams Direct Routing services for multiple independent enterprise customers (Tenants). A tenant is used within the Microsoft environment as a single independent enterprise that has subscribed to Office 365 services; through this tenant, administrators manage projects, users, and roles. Refer to Configure a Session Border Controller for multiple tenants for Microsoft partner requirements in support of multiple tenants.

Network Topology - SBC Edge Deployed in a Microsoft Partner Network to Connect Microsoft Teams Direct Routing for Multiple Tenants

The network diagram below shows an SBC Edge device deployed at the Microsoft partner data center, including communication between:

• Tenants and the enterprise's legacy PBX based clients,
• Tenants and the PSTN supported by the Microsoft partner.

Ribbon SBC Edge at Microsoft Partner Data Center Supporting Multiple Tenants

 

How Call Traffic Routes between the SBC Edge and Microsoft Teams Tenants

Each Microsoft Teams Tenant requires a dedicated Egress SIP Signaling Group configured with a SIP Profile to match the Microsoft Online PSTN Gateway created on the Microsoft Teams Tenant. This Signaling Group is only used for call traffic directed to Microsoft Teams, and specifically configured not to accept incoming SIP Requests.

Call traffic from Microsoft Teams to the SBC Edge is aggregated onto single Ingress SIP Signaling Group for all Tenants. The Call Routing Table associated with this Ingress SIP Signaling Group is configured to distribute the traffic to specific ITSP, based on the call parameters (such as the Called Address/Number).

Multi-Tenant Routing Call Routes

Step 1: Install SBC Edge (if required)

These instructions assume the SBC Edge product (SBC SWe Lite, SBC 1000/2000) is installed and running. If the product is not installed, refer to the links below.

Step 2: Prerequisites

Microsoft Teams Direct Routing Configuration

Consult the Microsoft documentation for detailed information on Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.

SBC Edge Software

Ensure you are running the latest version of SBC software:

• To locate the SBC Edge software current running, refer to: Viewing the Software Version and Hardware ID.
• To download and upgrade a new version of SBC Edge software, refer to: Installing and Commissioning the SBC Edge and SBC SWe Lite.

Obtain IP Address and FQDN

Requirements for configuring the SBC Edge in support of Teams Direct Routing include:

SBC Edge Requirements

Requirement	How it is Used
Public IP address of NAT device (must be Static)* Private IP address of the SBC	Required for SBC Behind the NAT deployment.
Public IP address of SBC	Required for SBC with Public IP deployment.
Public FQDN	The Public FQDN must point to the Public IP Address.

*NAT translates a public IP address to a Private IP address.

Domain Name

For the SBC Edge to pair with Microsoft Teams, the SBC FQDN domain name must match a name registered in both the Domains and DomainUrlMap fields of the Tenant. Verify the correct domain name is configured for the Tenant as follows:

1. On the Microsoft Teams Tenant side, execute Get-CsTenant.
2. Review the output.
3. Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes for the Tenant. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.

Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.

Domain Name Examples

Domain Name*	Use for SBC FQDN?	FQDN Names - Examples
SonusMS01.com		Valid names: aepsite6.SonusMS01.com
hybridvoice.org		Valid names: sbc1. hybridvoice.org ussbcs15. hybridvoice.org europe. hybridvoice.org Non-Valid name: sbc1.europe.hybridvoice.org (requires registering domain name europe. hybridvoice.org in “Domains” first)

*Do not use the *.onmicrosoft.com tenant for the domain name.

Configure Domain Names - Example

 

Obtain Certificate

Public Certificate

The Certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.

• Refer to Microsoft documentation for the supported CAs.

• Refer to Domain Name for certificate formats.

Configure and Generate Certificates on the SBC

Click here to expand for how to generate Certificates on the SBC

Warning: Common Encryption Certificate Issues Arise from Missing Root Certificates

• Did you only install the CA-signed SBC certificate, along with the intermediate certificate(s) sent by your issuing CA?
• Did you get the following error message from the SBC?

If so, the likely reason is a missing CA Root Certificate. The SBC does not have any pre-installed CA root X.509 certificates, unlike typical browsers found on your PC. Ensure the entire certificate chain of trust is installed on the SBC, including the root certificate. Acquire the CA root certificate as follows:

1. Contact your system administrator or certificate vendor to acquire the root, and any further missing intermediate certificate(s) to provision the entire certificate chain of trust within the SBC;
2. Load the root certificate, along with the intermediate and SBC certificates, according to Importing Trusted Root CA Certificates.

NOTE: Root certificates are easily acquired from the certificate authorities. For example, the root certificate for the GoDaddy Class 2 Certification Authority may be found at https://ssl-ccp.godaddy.com/repository?origin=CALLISTO . For more information about root certificates, intermediate certificates, and the SBC server (“leaf”) certificates, refer to this tutorial.

For other certificate-related errors, refer to Common Troubleshooting Issues with Certificates in SBC Edge.

Microsoft Teams Direct Routing allows only TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities.

Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows:

• Generate a Certificate Signing Request (CSR) and obtain the certificate from a supported Certification Authority.
• Import the Public CA Root/Intermediate Certificate on the SBC.
• Import the Microsoft CA Certificate on the SBC.
• Import the SBC Certificate.

The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority.

Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)

Many CA's do not support a private key with a length of 1024 bits. Validate with your CA requirements and select the appropriate length of the key.

1. Access the WebUI.
2. Access Settings > Security > SBC Certificates.

3. Click Generate SBC Edge CSR.

4. Enter data in the required fields.

5. Click OK. After the Certificate Signing request finishes generating, copy the result to the clipboard.

   
   

   Generate Certificate Signing Request

   

6. Use the generated CSR text from the clipboard to obtain the certificate. 

Step 2: Deploy the SBC and Root/Intermediate Certificates on the SBC

After receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows:

1. Obtain Trusted Root and Intermediary signing certificates from your certification authority.
2. Access the WebUI.
3. To install Trusted Root Certificates, click Settings > Security > SBC Certificates > Trusted Root Certificates.
4. Click Import and select the trusted root certificates.
5. To install the SBC certificate, open Settings > Security > SBC Certificates > SBC Primary Certificate.

6. Validate the certificate is installed correctly.

   Validate Certificate

   

7. Click Import  and select X.509 Signed Certificate.

8. Validate the certificate is installed correctly.

   Validate Certificate

   

Firewall Rules

Ribbon recommends the deployment of the SBC Edge product behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Security Hardening Checklist for more information about the SBC and firewalls.

This section lists the ports, protocols and services for firewalls that are in the path of the SBC connecting to Teams Direct Routing.

Basic Firewall Rules for All Call Flows

Click here to expand for Basic Firewall Settings

Inbound Public (Internet to SBC)

• SIP TLS: TCP 5061*

• Media for SBC 1000: UDP 16384-17584**
• Media for SBC 2000: UDP 16384-19384*
• Media for SBC SWe Lite: UDP 16384-21384

Outbound Public (SBC to Internet)

• DNS: TCP 53

• DNS: UDP 53

• NTP: UDP 123

• SIP TLS: TCP 5061

• Media: UDP 49152-53247

Public Access Information

The tables below represent ACL (Access Control List) examples that protect the SBC Edge. When using Easy Configuration Teams related wizards in an Enterprise deployment, these attributes are automatically provisioned. If you are manually configuring the SBC Edge as part of a Microsoft Teams Direct Routing migration scenario (for example Skype for Business or CCE), you must manually configure these ports. For details on ACLs, refer to Creating and Modifying Rules for IPv6 Access Control Lists.

Public Access In - Requirements

Description	Protocol	Action	Src IP Address	Src Port	Dest IP Address	Dest Port
Outbound DNS Reply	TCP	Allow	0.0.0.0/0	53	SBC/32	0-65535
Outbound DNS Reply	UDP	Allow	0.0.0.0/0	53	SBC/32	0-65535
Outbound NTP Reply	UDP	Allow	0.0.0.0/0	123	SBC/32	123
Outbound SIP Reply	TCP	Allow	0.0.0.0/0	5061	SBC/32	1024-65535
Inbound SIP Request	TCP	Allow	0.0.0.0/0	1024-65535	SBC/32	5061*
Inbound Media Helper	UDP	Allow	52.112.0.0/14	49152-53247	SBC/32	16384-17584**
Deny All	Any	Deny	0.0.0.0/0		0.0.0.0/0

Public Access Out - Requirements

Description	Protocol	Action	Src IP Address	Src Port	Dest IP Address	Dest Port
Outbound DNS Request	TCP	Allow	SBC/32	0-65535	0.0.0.0/0	53
Outbound DNS Request	UDP	Allow	SBC/32	0-65535	0.0.0.0/0	53
Outbound NTP Request	UDP	Allow	SBC/32	0-65535	0.0.0.0/0	123
Outbound SIP Request	TCP	Allow	SBC/32	0-65535	0.0.0.0/0	5061
Inbound SIP Reply	TCP	Allow	SBC/32	5061*	0.0.0.0/0	1024-65535
Outbound Media Helper	UDP	Allow	SBC/32	16384-17584**	52.112.0.0/14	49152-53247
Deny All	Any	Deny	0.0.0.0/0		0.0.0.0/0

* Define in Tenant configuration

** SBC SWe Lite does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC.

Firewall Rules for the SBC with Media Bypass

Click here to expand for Firewall Settings for an SBC with Media Bypass

Apply the following firewall rules below:

The Teams Client IP address cannot be predicted. As a result, allow Any IP (0.0.0.0/0).

Inbound Public (Internet to SBC) 

Media for SBC 1000: UDP 17586-21186**

Media for SBC 2000: UDP 19386-28386**

Outbound Public (SBC to Internet)

Media: UDP 50000-50019

If the device that handles the NAT between the Teams Client and SBC Public IP is performing PAT (Port Address Translation), verify that this device has the source port range of the Teams Client media or open all the ports from 1024 to 65535.

For SBC behind NAT, the firewall should allow access between the firewall IP and the NAT device's IP.

For SBC not using NAT, there must be access between the firewall and the SBC's Public IP.

Public Access

The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).

Public Access In - Requirements (Media Bypass Scenario)

Description	Protocol	Action	Src IP Address	Src Port	Dest IP Address	Dest Port
Inbound Media Bypass Helper	UDP	Allow	0.0.0.0/0	1024-65535	SBC/32	16384-21186**

Public Access Out - Requirements (Media Bypass Scenario)

Description	Protocol	Action	Src IP Address	Src Port	Dest IP Address	Dest Port
Outbound Media Bypass Helper	UDP	Allow	SBC/32	16384-21186**	0.0.0.0/0	1024-65535

* Define in Tenant configuration

** SBC SWe Lite does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC.

Wildcard Certificate

Microsoft Teams Direct Routing in support of multiple tenants requires wildcard certificate support to protect the Microsoft partner's SBC FQDN and Tenant's SBC FQDN (i.e., SAN=myMicrosoftPartner.com, SAN=*.myMicrosoftPartner.com). The SBC Edge products fully support wildcard certificates.

SBC Edge Configuration for Microsoft Teams Direct Routing 

These instructions assume the SBC Edge has been configured for Microsoft Teams Direct Routing through the Easy Configuration wizard.

• For SBC Edge Not configured for Microsoft Teams Routing: If the SBC Edge has not been configured for Microsoft Teams Direct Routing through the Easy Configuration Wizard, configure the SBC Edge per Connect SBC Edge to Microsoft Teams Direct Routing. Once complete, move to Step 3 below.

OR

• For SBC Edge Previously Configured for Microsoft Teams Direct Routing: Move to Step 3.

Step 3: Configure each Tenant

The SBC Easy Configuration wizard configures the SBC Edge for one Tenant; additional Tenants subscribed to Microsoft Office 365 services (Microsoft Teams Direct Routing) must be configured manually with the configuration items below. For documentation purposes, the following terms are used in the configuration examples.

Access the WebUI

You must access the SBC Edge's WebUI to configure the items below. To access the WebUI, refer to: Logging into the SBC Edge.

Create a New SIP Profile for each Tenant

The SIP Profile controls how the SBC Edge communicates with SIP devices; the profiles control important characteristics such as: session timers, SIP header customization, SIP timers, MIME payloads, and option tags. The SIP Profile must match the information in the Microsoft Online PSTN Gateway created on the Microsoft Teams Tenant.

1. Access the WebUI. Refer to Logging into the SBC Edge.
2. Click the Settings tab.
3. In the left navigation pane, access SIP > SIP Profiles. For details on parameter definitions, refer to Creating and Modifying SIP Profiles.
   

4. Click the () icon at the top of left corner and add a new SIP profile.

5. Configure parameters shown below:
   

   SIP Profile Configuration - Example Values

   Parameter	Example Value
   Description	Microsoft Phone System Tenant 1
   FQDN in From Header	Static
   Static Host	<Tenant's SBC FQDN> tenant1.myMicrosoftPartner.com
   FQDN In Contact Header	Static
   Origin Field name	<Tenant's SBC FQDN> tenant1.myMicrosoftPartner.com

   SIP Profile Tenant 1 - Example

   

Create a New Transformation Table for each Tenant

1. In the WebUI, click the Settings tab.
2. In the left navigation page, access SIP > Transformation Tables.
   

3. Click the () icon at the top left corner to add a new Transformation Table.
   

4. Configure the parameters as shown below and click OK. For details on parameter definitions, refer to Creating and Modifying Transformation Tables.

   Transformation Table - Example Values

   Parameter	Example Value
   Row ID	Assigned by the system
   Description	Microsoft Phone System Tenant 1

   Create Transformation Table

   

5. From the left navigation pane, click on the Transformation Table> Microsoft Phone System Tenant 1 (the entry created in the last step).
6. Click the () icon.

7. Configure the parameters as shown below. Leave all other parameters as default.

8. Click OK.
   
   

   Transformation Entry Tenant 1 Configuration - Example

   Parameter	Example Value
   Description	To Microsoft Phone System Tenant 1 (example name)
   Match Type	Mandatory
   Input Type	Called Address/Number
   Input Value	<Enter Tenant 1 Phone Number > (\+151048512\d{2})
   Output Type	Called Address/Number
   Output Value	\1

   Transformation Entry Tenant 1- Example

   

Create a New Signaling Group for Each Tenant

Two Signaling Group types are required for call traffic between Teams and the SBC's SIP Trunk:

Ingress Signaling Group (For Calls From Teams). Calls are routed on a Single ingress SIP Signaling Group for all Tenants. Calls are then distributed by the Call Routing Table to the specific ITSP. The From Microsoft Teams Signaling Group is created during Easy Configuration.

Egress Signaling Group (For Calls from the PSTN SIP Trunk to a Tenant). Each Microsoft Teams Tenant requires a dedicated egress SIP Signaling Group. This Signaling Group is used only for call traffic directed to Microsoft Teams; this Signaling Group is configured not to accept incoming SIP requests. The calls are then distributed by the Call Routing Table to the specific Tenant. The maximum number of tenants is limited to the maximum number of signaling groups (this assumes one signaling group per tenant). This signaling group must be created new for each Tenant.

Create the egress Signaling Group as follows:

1. In the WebUI, click the Settings tab.
2. In the left navigation page, access Signaling Groups.
   

3. From the Create Signaling Group drop down box, select SIP Signaling Group.

4. Configure the parameters as shown below. Leave the default values for all other parameters. For details on parameter definitions, refer to Creating and Modifying SIP Signaling Groups.

5. Click OK. 

   Signaling Group Tenant 1 Configuration - Example Values

   Parameter	Example Value
   Description	Microsoft Phone System Tenant 1
   SIP Profile	Microsoft Phone System Tenant 1 (created in previous steps)
   Media List ID	SIP Trunk Routing List (automatically created in Easy Configuration)
   Signaling Media/Source IP	Ethernet 1 (example, pick the interface which faces the Microsoft Phone System)
   SIP server table	SIP Trunk Server (automatically created in Easy Configuration)
   Load Balancing	Priority: Register All
   Call Routing Table	From SIP Trunk (automatically created in Easy Configuration)
   Outbound NAT Traversal*	Static NAT
   NAT Public IP*	Example: X.XX.XX.X (Only required if Outbound NAT Traversal is selected)
   Federated IP/FQDN	This field must stay empty. NOTE: In Easy Configuration, the signaling Group from From Teams (Calls from Teams Signaling Group to PSTN SIP Trunk) generates sip-all.pstnhub.microsoft.com as the Federated IP/FQDN. This FQDN accepts all IP addresses from Teams Signaling Group. As a result, all incoming traffic from Teams is accepted.

   *Outbound NAT Traversal and the NAT Public IP is required when the SBC is behind a NAT (the pubic IP address of NAT device is required when the SBC has Private IP). The Public IP address specified in the screen graphic is an example only
   
   

   Signaling Group Tenant 1 - Example

   

Add Tenant Entry to Call Routing Table

The Easy Configuration process creates two Call Routing Tables for transporting calls between the SBC's SIP Trunk and Microsoft Teams: From SIP Trunk (Calls from SIP Trunk to Teams) and From Microsoft Teams (Calls from Teams to SIP Trunk). For calls to be routed properly from the SIP Trunk from the SIP Trunk to an individual Tenant, an entry must be added to the From SIP Trunk Routing table (this Routing Table was created as part of Easy Configuration) for each Tenant.

Add an entry in the Call Routing table for each Tenant as follows:

1. In the WebUI, click the Settings tab.

2. From the left navigation pane, click on the Call Routing. Click on the From SIP Trunk Call Routing Table.  

3. Click the () icon to add an entry.
   

4. Configure the parameters as shown below. Leave all other parameters as default. For details on parameter definitions, refer to Creating and Modifying Entries to Call Routing Tables.

5. Click OK.
   

6. Call Routing Tenant 1 - Routing Table configuration

   Parameter	Example Value
   Description	From Microsoft Phone System Tenant 1
   Number/Name Transformation Table	Microsoft Phone System Tenant 1
   Destination Signaling Groups	Microsoft Phone System Tenant 1 (from the previous steps) NOTE: This is the dedicated egress Signaling Group created above; the Routing Table must have a corresponding entry for each dedicated egress Signaling Group created for each Tenant.

   Call Routing Table - Example

   

Step 4: Confirm SBC Edge Links to Microsoft Teams

1. Access the WebUI. Refer to Logging into the SBC Edge.
2. Click Monitor.
3. Under each newly created Signaling Group (created for each Tenant), confirm the channels are green. For details on channel status, refer to Monitoring Real Time Status.

For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.

Step 5: Place a Test Call

Place a test call as follows:

1. Access the WebUI. Refer to Logging into the SBC Edge.

2. In the WebUI, click the Diagnostics tab.

3. In the left navigation pane, click Test a Call.

4. Configure the parameters as shown below.

5. Click OK. 

   Place a Test Call - Parameters

   Parameter	Value
   Destination Number	Number assigned to a Teams user.
   Origination/Calling Number	Number assigned to a Local user.
   Call Routing Table	The routing table that handles the call from Microsoft Teams.

    

   Test a Call - Configuration

   

   Place a Test Call - Example

    

The test call is now complete. For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.