Consult the Microsoft documentation for detailed information on Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.
SBC Edge Software
Ensure you are running the latest version of SBC software:
Requirements for configuring the SBC Edge in support of Teams Direct Routing include:
SBC Edge Requirements
Requirement
How it is Used
Public IP address of NAT device (must be Static)*
Private IP address of the SBC
Required for SBC Behind the NAT deployment.
Public IP address of SBC
Required for SBC with Public IP deployment.
Public FQDN
The Public FQDN must point to the Public IP Address.
*NAT translates a public IP address to a Private IP address.
Domain Name
For the SBC Edge to pair with Microsoft Teams, the SBC FQDN domain name must match a name registered in both the Domains and DomainUrlMap fields of the Tenant. Verify the correct domain name is configured for the Tenant as follows:
On the Microsoft Teams Tenant side, execute Get-CsTenant.
Review the output.
Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes for the Tenant. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.
Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.
Domain Name Examples
Domain Name*
Use for SBC FQDN?
FQDN Names - Examples
SonusMS01.com
Valid names:
aepsite6.SonusMS01.com
hybridvoice.org
Valid names:
sbc1. hybridvoice.org
ussbcs15. hybridvoice.org
europe. hybridvoice.org
Non-Valid name:
sbc1.europe.hybridvoice.org (requires registering domain name europe. hybridvoice.org in “Domains” first)
*Do not use the *.onmicrosoft.com tenant for the domain name.
Configure Domain Names - Example
Obtain Certificate
Public Certificate
The Certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.
Warning: Common Encryption Certificate Issues Arise from Missing Root Certificates
Did you only install the CA-signed SBC certificate, along with the intermediate certificate(s) sent by your issuing CA?
Did you get the following error message from the SBC?
If so, the likely reason is a missing CA Root Certificate. The SBC does not have any pre-installed CA root X.509 certificates, unlike typical browsers found on your PC. Ensure the entire certificate chain of trust is installed on the SBC, including the root certificate. Acquire the CA root certificate as follows:
Contact your system administrator or certificate vendor to acquire the root, and any further missing intermediate certificate(s) to provision the entire certificate chain of trust within the SBC;
NOTE: Root certificates are easily acquired from the certificate authorities. For example, the root certificate for the GoDaddy Class 2 Certification Authoritymay be found at https://ssl-ccp.godaddy.com/repository?origin=CALLISTO . For more information about root certificates, intermediate certificates, and the SBC server (“leaf”) certificates, refer to this tutorial.
Microsoft Teams Direct Routing allows only TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities.
Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows:
Generate a Certificate Signing Request (CSR) and obtain the certificate from a supported Certification Authority.
Import the Public CA Root/Intermediate Certificate on the SBC.
Import the Microsoft CA Certificate on the SBC.
Import the SBC Certificate.
The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority.
Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)
Many CA's do not support a private key with a length of 1024 bits. Validate with your CA requirements and select the appropriate length of the key.
Access the WebUI.
Access Settings > Security > SBC Certificates.
Click Generate SBC Edge CSR.
Enter data in the required fields.
Click OK. After the Certificate Signing request finishes generating, copy the result to the clipboard.
Generate Certificate Signing Request
Use the generated CSR text from the clipboard to obtain the certificate.
Step 2: Deploy the SBC and Root/Intermediate Certificates on the SBC
After receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows:
Obtain Trusted Root and Intermediary signing certificates from your certification authority.
Click Import and select the trusted root certificates.
To install the SBC certificate, open Settings > Security > SBC Certificates > SBC Primary Certificate.
Validate the certificate is installed correctly.
Validate Certificate
Click Import and select X.509 Signed Certificate.
Validate the certificate is installed correctly.
Validate Certificate
Firewall Rules
Ribbon recommends the deployment of the SBC Edge product behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Security Hardening Checklist for more information about the SBC and firewalls.
This section lists the ports, protocols and services for firewalls that are in the path of the SBC connecting to Teams Direct Routing.
Basic Firewall Rules for All Call Flows
Inbound Public (Internet to SBC)
SIP TLS: TCP 5061*
Media for SBC 1000: UDP 16384-17584**
Media for SBC 2000: UDP 16384-19384*
Media for SBC SWe Lite: UDP 16384-21384
Outbound Public (SBC to Internet)
DNS: TCP 53
DNS: UDP 53
NTP: UDP 123
SIP TLS: TCP 5061
Media: UDP 49152-53247
Public Access Information
The tables below represent ACL (Access Control List) examples that protect the SBC Edge. When using Easy Configuration Teams related wizards in an Enterprise deployment, these attributes are automatically provisioned. If you are manually configuring the SBC Edge as part of a Microsoft Teams Direct Routing migration scenario (for example Skype for Business or CCE), you must manually configure these ports. For details on ACLs, refer to Creating and Modifying Rules for IPv6 Access Control Lists.
Public Access In - Requirements
Description
Protocol
Action
Src IP Address
Src Port
Dest IP Address
Dest Port
Outbound DNS Reply
TCP
Allow
0.0.0.0/0
53
SBC/32
0-65535
Outbound DNS Reply
UDP
Allow
0.0.0.0/0
53
SBC/32
0-65535
Outbound NTP Reply
UDP
Allow
0.0.0.0/0
123
SBC/32
123
Outbound SIP Reply
TCP
Allow
0.0.0.0/0
5061
SBC/32
1024-65535
Inbound SIP Request
TCP
Allow
0.0.0.0/0
1024-65535
SBC/32
5061*
Inbound Media Helper
UDP
Allow
52.112.0.0/14
49152-53247
SBC/32
16384-17584**
Deny All
Any
Deny
0.0.0.0/0
0.0.0.0/0
Public Access Out - Requirements
Description
Protocol
Action
Src IP Address
Src Port
Dest IP Address
Dest Port
Outbound DNS Request
TCP
Allow
SBC/32
0-65535
0.0.0.0/0
53
Outbound DNS Request
UDP
Allow
SBC/32
0-65535
0.0.0.0/0
53
Outbound NTP Request
UDP
Allow
SBC/32
0-65535
0.0.0.0/0
123
Outbound SIP Request
TCP
Allow
SBC/32
0-65535
0.0.0.0/0
5061
Inbound SIP Reply
TCP
Allow
SBC/32
5061*
0.0.0.0/0
1024-65535
Outbound Media Helper
UDP
Allow
SBC/32
16384-17584**
52.112.0.0/14
49152-53247
Deny All
Any
Deny
0.0.0.0/0
0.0.0.0/0
* Define in Tenant configuration
** Depends of the Media Port paired configured in SBC
Firewall Rules for the SBC with Media Bypass
Apply the following firewall rules below:
The Teams Client IP address cannot be predicted. As a result, allow Any IP (0.0.0.0/0).
Inbound Public (Internet to SBC)
Media for SBC 1000: UDP 17586-21186**
Media for SBC 2000: UDP 19386-28386**
Outbound Public (SBC to Internet)
Media: UDP 50000-50019
If the device that handles the NAT between the Teams Client and SBC Public IP is performing PAT (Port Address Translation), verify that this device has the source port range of the Teams Client media or open all the ports from 1024 to 65535.
For SBC behind NAT, the firewall should allow access between the firewall IP and the NAT device's IP.
For SBC not using NAT, there must be access between the firewall and the SBC's Public IP.
Public Access
The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).
Public Access In - Requirements (Media Bypass Scenario)
Description
Protocol
Action
Src IP Address
Src Port
Dest IP Address
Dest Port
Inbound Media Bypass Helper
UDP
Allow
0.0.0.0/0
1024-65535
SBC/32
16384-21186**
Public Access Out - Requirements (Media Bypass Scenario)
Description
Protocol
Action
Src IP Address
Src Port
Dest IP Address
Dest Port
Outbound Media Bypass Helper
UDP
Allow
SBC/32
16384-21186**
0.0.0.0/0
1024-65535
* Define in Tenant configuration
** Depends of the Media Port paired configured in SBC