Table of Contents



Overview

This document describes the configuration steps required for the Ribbon SBC Core to successfully interoperate with Microsoft Teams. All feature and serviceability test cases completed and passed successfully.

References:

You can configuer Ribbon SBC Core using any one of the methods defined under sections A and B depending on your requirements and level of comfort.

Scope

This document provides the Ribbon SBC Core (SWe/5xx0/5400/7000) configuration with Microsoft® Teams for documented products and their versions. This is a general reference document that requires user input during the configuration. For EMA configuration, the screen captures in this document are limited to only the necessary provisioning areas.

This document provides a sample of the Ribbon SBC 5400 configuration used during compliance testing.

Non-Goals

This document does not provide the test case details, success criteria, processes, and execution steps of testing that was performed. Also, this document does not focus on either the PSX configuration or provisioning areas for Microsoft Teams. These non-goals are covered in a separate configuration guide.

Configuration Overview

The following configurations in this document are for reference only. Other configurations are also based on customer requirements.

Introduction

Microsoft® TAP (Technology Adoption Program) Testing is performed between Microsoft® Teams and the Ribbon’s SBC Core (SWe/5400/5210/5110/7000). This document outlines the configuration, observations, and the overall testing experience with the device under test (DUT).

Audience

This is a technical document intended for telecommunications engineers with the purpose of configuring both the Ribbon SBC and the third-party product.

  • Navigating the third-party product as well as the Ribbon SBC Command Line Interface (CLI) is required. 
  • Understanding the basic concepts of TLS/TCP/UDP, IP/Routing, and SIP/SRTP is also necessary to complete the configuration and any required troubleshooting.

Requirements

The sample configuration uses the following equipment and software:

Requirements

Product

Equipment

Software Version

Ribbon Networks

Ribbon SBC 5400
BMC
BIOS
ConnexIP OS
RibbonDB
EMA
SBX

V06.02.01-F003
V03.16.00-R000
V02.06.00
V05.01.00-F003
V06.02.01-F003 
V06.02.01-F003 
V06.02.01-F003

Third-party Equipment

Microsoft Teams

v.2018.7.3.2 i.ASEA.3

Teams Client1.1.00.28562 

Administration and Debugging Tools

Wireshark2.4.4

 


Reference Configuration

The following figure illustrates the connectivity between the third-party and the Ribbon SBC Core.

High Level Architecture of Deploying Teams

                                                                       



 


Support

For any questions regarding this document or the content herein, contact your maintenance and support provider.

Third-Party Product Features

Refer to the Microsoft Teams' test plan for complete product features details.

Prerequisites

  • Deploy Microsoft Teams configuration in Office 365 with proper licenses. 
  • Verify clients have necessary licenses for making an enterprise voice call.

The following commands and configurations are only for reference, other configurations are also based on the customer's requirement.

Section A: Configuring with CLI

General Configuration

Codec Entry

Create a Codec Entry with the supported codec and packet size of 20:

set profiles media codecEntry G711-default dtmf relay rfc2833
set profiles media codecEntry G711-default packetSize 20
commit

To enable comfort noise, use G711SS-DEFAULT codec profile.


RTCP

Configure the RTCP interval:

set system media mediaRtcpControl senderReportInterval 5
commit


SIP Domain

  1. Specify the global SIP Domain name. 
  2. Specify your SBC's FQDN (example: abc.example.com)

set global sipDomain SIP.PSTNHUB.MICROSOFT.COM
set global sipDomain SIP2.PSTNHUB.MICROSOFT.COM
set global sipDomain SIP3.PSTNHUB.MICROSOFT.COM
set global sipDomain ABC.EXAMPLE.COM
commit


DSP Resource Allocation

This configuration only applies if the SBC is deployed with (hardware) DSP resources. If this is not the case, executing this configuration step has no negative impact.

set system mediaProfile compression 75 tone 25
commit

This configuration is not required for SWe Core 7.2 release onwards.


LRBT Profile

  1. Create a Local Ringback Tone (LRBT) profile that is attached to the Teams side. 
  2. Enable Dynamic LRBT.
set profiles media toneAndAnnouncementProfile LRBT_PROF
set profiles media toneAndAnnouncementProfile LRBT_PROF localRingBackTone signalingTonePackageState enable makeInbandToneAvailable enable
set profiles media toneAndAnnouncementProfile LRBT_PROF localRingBackTone flags useThisLrbtForIngress enable
set profiles media toneAndAnnouncementProfile LRBT_PROF localRingBackTone flags dynamicLRBT enable
commit

Microsoft Teams Configuration on SBC

IP Interface Group

Create an IP interface group.

Replace "x.x.x.x" with SBC's packet interface (pkt) IP address towards Teams (example pkt1 IP). 'y' with its prefix length.

set addressContext default ipInterfaceGroup LIF2 ipInterface PKT1_V4 ceName IOTGCM portName pkt1
set addressContext default ipInterfaceGroup LIF2 ipInterface PKT1_V4 ipAddress x.x.x.x prefix Y
set addressContext default ipInterfaceGroup LIF2 ipInterface PKT1_V4 mode inService state enabled
commit


Zone

This Zone groups the set of objects used for the communication to MS Teams.

Configure the domain name and attach it with appropriate zone.

set addressContext default zone TEAMS_ZONE id 4
set addressContext default zone TEAMS_ZONE domainName abc.example.com
commit


SIP Signaling Port

Set the SIP Signaling port which is a logical address used to send and receive SIP call signaling packets and is permanently bound to a specific zone. 

The Ribbon SBC Core listens on two ports, one defined under sipSigPort for TCP & UDP and plus one port for TLS to receive incoming traffic.

Replace "x.x.x.x" with SIP Signaling Port IP address towards Teams.

set addressContext default zone TEAMS_ZONE id 4 sipSigPort 4 ipInterfaceGroupName LIF2 ipAddressV4 x.x.x.x portNumber 5060 transportProtocolsAllowed sip-tls-tcp
set addressContext default zone TEAMS_ZONE id 4 sipSigPort 4 state enabled mode inService
commit



DNS Group

Create DNS objects for DNS resolution within a particular zone. Use the interface which has public connectivity.

set addressContext default dnsGroup EXT_DNS
set addressContext default dnsGroup EXT_DNS type ip interface LIF2 server DNS2 ipAddress 8.8.8.8 state enabled
set addressContext default zone TEAMS_ZONE dnsGroup EXT_DNS
commit



Packet Service Profile (PSP)

Create a Packet Service Profile (PSP) for the Teams side. The PSP is specified within the SIP trunk group configuration.

set profiles media packetServiceProfile TEAMS_PSP
set profiles media packetServiceProfile TEAMS_PSP codec codecEntry1 G711-default
set profiles media packetServiceProfile TEAMS_PSP rtcpOptions rtcp enable
set profiles media packetServiceProfile TEAMS_PSP preferredRtpPayloadTypeForDtmfRelay 101
set profiles media packetServiceProfile TEAMS_PSP silenceInsertionDescriptor g711SidRtpPayloadType 13 heartbeat enable
set profiles media packetServiceProfile TEAMS_PSP secureRtpRtcp flags enableSrtp enable
set profiles media packetServiceProfile TEAMS_PSP flags ssrcRandomize enable
commit


IP Signaling Profile (IPSP)

Create an IP signaling profile for the Teams side. The IPSP is specified within the SIP trunk group configuration.

set profiles signaling ipSignalingProfile TEAMS_IPSP ipProtocolType sipOnly
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes flags includeReasonHeader enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes flags includeTransportTypeInContactHeader enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes flags routeUsingRecvdFqdn enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes flags sendPtimeInSdp enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes flags sendRtcpPortInSdp enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes flags storePChargingVector enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes relayFlags notify enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes flags publishIPInHoldSDP enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes relayFlags statusCode4xx6xx enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes flags minimizeRelayingOfMediaChangesFromOtherCallLegAll enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes flags relayDataPathModeChangeFromOtherCallLeg enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes transparencyFlags mwiBody enable
set profiles signaling ipSignalingProfile TEAMS_IPSP commonIpAttributes optionTagInRequireHeader suppressReplaceTag enable
set profiles signaling ipSignalingProfile TEAMS_IPSP egressIpAttributes domainName useZoneLevelDomainNameInContact enable
set profiles signaling ipSignalingProfile TEAMS_IPSP egressIpAttributes domainName useIpSignalingPeerDomainInRequestUri enable
set profiles signaling ipSignalingProfile TEAMS_IPSP egressIpAttributes flags disable2806Compliance enable
set profiles signaling ipSignalingProfile TEAMS_IPSP egressIpAttributes privacy flags includePrivacy enable
set profiles signaling ipSignalingProfile TEAMS_IPSP egressIpAttributes redirect flags forceRequeryForRedirection enable
set profiles signaling ipSignalingProfile TEAMS_IPSP egressIpAttributes transport type1 tlsOverTcp 
set profiles signaling ipSignalingProfile TEAMS_IPSP egressIpAttributes domainName useIpSignalingPeerDomainInRequestUri enable
set profiles signaling ipSignalingProfile TEAMS_IPSP ingressIpAttributes flags sendSdpIn200OkIf18xReliable enable
commit

SIP Trunk Group

Create a SIP Trunk Group for the Teams side and assign the IPSP, PSP and LRBT profiles configured above.

For ingressIpPrefix, replace "x.x.x.x" and "y" with the IP address and prefix length that needs to be allowed from Teams.

Teams SIP Proxy server does not support the Update method and requires a Re-Invite. Teams SIP Proxy Server only supports new RFC for call hold that is a=inactive.

set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG media mediaIpInterfaceGroupName LIF2
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG signaling honorMaddrParam enabled
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG policy media packetServiceProfile TEAMS_PSP
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG policy signaling ipSignalingProfile TEAMS_IPSP
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG downstreamForkingSupport enabled
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG signaling rel100Support enabled
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG services dnsSupportType a-only
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG ingressIpPrefix X.X.X.X Y
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG signaling relayNonInviteRequest enabled
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG signaling methods update reject
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG policy media toneAndAnnouncementProfile LRBT_PROF
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG mode inService state enabled
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG media sdpAttributesSelectiveRelay enabled
commit


Path Check Profile

Create a path check profile that is attached to the Teams side.

set profiles services pathCheckProfile Teams_OPTIONS protocol sipOptions sendInterval 20 replyTimeoutCount 1 recoveryCount 1
commit
set profiles services pathCheckProfile Teams_OPTIONS transportPreference preference1 tls-tcp
commit

IP Peer

  1. Create an IP Peer with the Fully-Qualified Domain Name (FQDN) of the endpoints.
  2. Assign the IP Peer to the Teams Zone. 
  3. Assign the path check profile created.
set addressContext default zone TEAMS_ZONE ipPeer TEAMS_PEER policy sip fqdn sip.pstnhub.microsoft.com fqdnPort 5060
set addressContext default zone TEAMS_ZONE ipPeer TEAMS_PEER pathCheck profile Teams_OPTIONS 
set addressContext default zone TEAMS_ZONE ipPeer TEAMS_PEER pathCheck profile Teams_OPTIONS hostName sip.pstnhub.microsoft.com hostPort 5060 state enabled
commit

For TLS, the Ribbon SBC Core increments the port number of the IP-Peer with one while sending out any call. Configure a port less what remote peer is listening on. Please note, this is only applicable for TLS protocol.


SMM to Modify Options Messages


Microsoft Teams requires the SBC's FQDN in the 'From:' and 'Contact:' header. In below SMM configuration replace;

  1. "user_input1" with SBC's fqdn.
  2. "user_input2" with sipSigPort number plus one (For example, if sipSigPort is configured as 5060 then 'user_input2' will be 5061).
  3. "user_input3" with sipSigPort IP address configured in TEAMS_ZONE.
set profiles signaling sipAdaptorProfile Modify_Options state enabled
set profiles signaling sipAdaptorProfile Modify_Options advancedSMM disabled
set profiles signaling sipAdaptorProfile Modify_Options profileType messageManipulation
set profiles signaling sipAdaptorProfile Modify_Options rule 1 applyMatchHeader one
set profiles signaling sipAdaptorProfile Modify_Options rule 1 criterion 1 type message
set profiles signaling sipAdaptorProfile Modify_Options rule 1 criterion 1 message
set profiles signaling sipAdaptorProfile Modify_Options rule 1 criterion 1 message messageTypes all
set profiles signaling sipAdaptorProfile Modify_Options rule 1 criterion 2 type header
set profiles signaling sipAdaptorProfile Modify_Options rule 1 criterion 2 header
set profiles signaling sipAdaptorProfile Modify_Options rule 1 criterion 2 header name Contact
set profiles signaling sipAdaptorProfile Modify_Options rule 1 criterion 2 header condition exist
set profiles signaling sipAdaptorProfile Modify_Options rule 1 criterion 2 header hdrInstance all
set profiles signaling sipAdaptorProfile Modify_Options rule 1 action 1 type header
set profiles signaling sipAdaptorProfile Modify_Options rule 1 action 1 operation regsub
set profiles signaling sipAdaptorProfile Modify_Options rule 1 action 1 from
set profiles signaling sipAdaptorProfile Modify_Options rule 1 action 1 from type value
set profiles signaling sipAdaptorProfile Modify_Options rule 1 action 1 from value "<sip:user_input1:user_input2;transport=tls>"
set profiles signaling sipAdaptorProfile Modify_Options rule 1 action 1 to
set profiles signaling sipAdaptorProfile Modify_Options rule 1 action 1 to type header
set profiles signaling sipAdaptorProfile Modify_Options rule 1 action 1 to value Contact
set profiles signaling sipAdaptorProfile Modify_Options rule 1 action 1 regexp
set profiles signaling sipAdaptorProfile Modify_Options rule 1 action 1 regexp string .*
set profiles signaling sipAdaptorProfile Modify_Options rule 1 action 1 regexp matchInstance all
set profiles signaling sipAdaptorProfile Modify_Options rule 2 criterion 1 type message
set profiles signaling sipAdaptorProfile Modify_Options rule 2 criterion 1 message
set profiles signaling sipAdaptorProfile Modify_Options rule 2 criterion 1 message messageTypes all
set profiles signaling sipAdaptorProfile Modify_Options rule 2 criterion 2 type header
set profiles signaling sipAdaptorProfile Modify_Options rule 2 criterion 2 header
set profiles signaling sipAdaptorProfile Modify_Options rule 2 criterion 2 header name From
set profiles signaling sipAdaptorProfile Modify_Options rule 2 criterion 2 header condition exist
set profiles signaling sipAdaptorProfile Modify_Options rule 2 criterion 2 header hdrInstance all
set profiles signaling sipAdaptorProfile Modify_Options rule 2 action 1 type header
set profiles signaling sipAdaptorProfile Modify_Options rule 2 action 1 operation regsub
set profiles signaling sipAdaptorProfile Modify_Options rule 2 action 1 from
set profiles signaling sipAdaptorProfile Modify_Options rule 2 action 1 from type value
set profiles signaling sipAdaptorProfile Modify_Options rule 2 action 1 from value "<sip:user_input1:user_input2;transport=tls>"
set profiles signaling sipAdaptorProfile Modify_Options rule 2 action 1 to
set profiles signaling sipAdaptorProfile Modify_Options rule 2 action 1 to type header
set profiles signaling sipAdaptorProfile Modify_Options rule 2 action 1 to value From
set profiles signaling sipAdaptorProfile Modify_Options rule 2 action 1 regexp
set profiles signaling sipAdaptorProfile Modify_Options rule 2 action 1 regexp string <sip:user_input3>
set profiles signaling sipAdaptorProfile Modify_Options rule 2 action 1 regexp matchInstance all
set profiles signaling sipAdaptorProfile Modify_Options rule 3 criterion 1 type message
set profiles signaling sipAdaptorProfile Modify_Options rule 3 criterion 1 message
set profiles signaling sipAdaptorProfile Modify_Options rule 3 criterion 1 message messageTypes request
set profiles signaling sipAdaptorProfile Modify_Options rule 3 criterion 1 message methodTypes options
set profiles signaling sipAdaptorProfile Modify_Options rule 3 criterion 1 message condition exist
set profiles signaling sipAdaptorProfile Modify_Options rule 3 action 1 type header
set profiles signaling sipAdaptorProfile Modify_Options rule 3 action 1 operation add
set profiles signaling sipAdaptorProfile Modify_Options rule 3 action 1 headerPosition last
set profiles signaling sipAdaptorProfile Modify_Options rule 3 action 1 from
set profiles signaling sipAdaptorProfile Modify_Options rule 3 action 1 from type value
set profiles signaling sipAdaptorProfile Modify_Options rule 3 action 1 from value RibbonSBC
set profiles signaling sipAdaptorProfile Modify_Options rule 3 action 1 to
set profiles signaling sipAdaptorProfile Modify_Options rule 3 action 1 to type header
set profiles signaling sipAdaptorProfile Modify_Options rule 3 action 1 to value User-Agent
commit


Adding SMM Profile to Teams Zone

set addressContext default zone TEAMS_ZONE messageManipulation outputAdapterProfile Modify_Options
commit


Outbound SMM Profile for Teams Trunk Group

Create a smm profile for the modification headers and crypto profile.

Replace 'user_input1' with SBC's FQDN.

set profiles signaling sipAdaptorProfile Modify_Headers rule 1 applyMatchHeader one
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 criterion 1 type message
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 criterion 1 message
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 criterion 1 message messageTypes all
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 criterion 2 type header
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 criterion 2 header
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 criterion 2 header name From
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 criterion 2 header condition exist
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 action 1 type token
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 action 1 operation modify
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 action 1 from
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 action 1 from type value
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 action 1 from value user_input1
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 action 1 to
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 action 1 to type token
set profiles signaling sipAdaptorProfile Modify_Headers rule 1 action 1 to tokenValue urihostname
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 applyMatchHeader one
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 criterion 1 type message
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 criterion 1 message
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 criterion 1 message messageTypes all
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 criterion 2 type header
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 criterion 2 header
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 criterion 2 header name P-Asserted-Identity
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 criterion 2 header condition exist
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 action 1 type token
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 action 1 operation modify
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 action 1 from
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 action 1 from type value
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 action 1 from value user_input1
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 action 1 to
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 action 1 to type token
set profiles signaling sipAdaptorProfile Modify_Headers rule 2 action 1 to tokenValue urihostname
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 criterion 1 type message
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 criterion 1 message
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 criterion 1 message messageTypes all
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 criterion 1 message condition exist
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 criterion 2 type messageBody
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 criterion 2 messageBody
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 criterion 2 messageBody condition exist
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 action 1 type messageBody
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 action 1 operation regstore
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 action 1 from
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 action 1 from type messageBody
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 action 1 from messageBodyValue all
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 action 1 to
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 action 1 to type variable
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 action 1 to variableValue var1
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 action 1 regexp
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 action 1 regexp string "a=crypto.*?\r\n"
set profiles signaling sipAdaptorProfile Modify_Headers rule 3 action 1 regexp matchInstance one
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 criterion 1 type message
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 criterion 1 message
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 criterion 1 message messageTypes all
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 criterion 1 message condition exist
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 criterion 2 type variable
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 criterion 2 variable
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 criterion 2 variable condition exist
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 criterion 2 variable variableID var1
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 action 1 type variable
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 action 1 operation regsub
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 action 1 from
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 action 1 from type value
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 action 1 from value "|2^31\r\n"
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 action 1 to
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 action 1 to type variable
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 action 1 to variableValue var1
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 action 1 regexp
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 action 1 regexp string "\r\n"
set profiles signaling sipAdaptorProfile Modify_Headers rule 4 action 1 regexp matchInstance one
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 criterion 1 type message
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 criterion 1 message
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 criterion 1 message messageTypes all
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 criterion 1 message condition exist
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 criterion 2 type variable
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 criterion 2 variable
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 criterion 2 variable condition exist
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 criterion 2 variable variableID var1
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 action 1 type messageBody
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 action 1 operation regsub
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 action 1 from
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 action 1 from type variable
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 action 1 from variableValue var1
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 action 1 to
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 action 1 to type messageBody
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 action 1 to messageBodyValue all
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 action 1 regexp
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 action 1 regexp string "a=crypto.*?\r\n"
set profiles signaling sipAdaptorProfile Modify_Headers rule 5 action 1 regexp matchInstance one
commit

Attaching Outbound SMM Profile

set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG signaling messageManipulation outputAdapterProfile Modify_Options 
commit


IP Static Route

Create a default route for the destination IP to come inside the network via a particular interface.

Replace "x.x.x.x" with destination IP, "Y" with the prefix length and "z.z.z.z" with the PKT1 gateway IP address.

set addressContext default staticRoute X.X.X.X Y Z.Z.Z.Z LIF2 PKT1_V4 preference 100
commit


PSTN Side Configuration

Packet Service Profile (PSP)

Create a Packet Service Profile (PSP) for the PSTN side. The PSP is specified within the SIP Trunk Group configuration.

set profiles media packetServiceProfile PSTN_PSP
set profiles media packetServiceProfile PSTN_PSP codec codecEntry1 G711-default
set profiles media packetServiceProfile PSTN_PSP rtcpOptions rtcp enable
set profiles media packetServiceProfile PSTN_PSP preferredRtpPayloadTypeForDtmfRelay 101                                   
set profiles media packetServiceProfile PSTN_PSP silenceInsertionDescriptor g711SidRtpPayloadType 13 heartbeat enable
commit

If PSTN does not support RTCP, disable RTCP flag in the PSTN PSP, and enable "terminationForPassthrough" flag on TEAMS PSP. Refer Teams PSP configuration.


IP Signaling Profile (IPSP)

Create an IP Signaling Profile (IPSP) for the PSTN side. The IPSP is specified within the SIP Trunk Group configuration.

set profiles signaling ipSignalingProfile PSTN_IPSP
set profiles signaling ipSignalingProfile PSTN_IPSP commonIpAttributes flags includeReasonHeader enable
set profiles signaling ipSignalingProfile PSTN_IPSP commonIpAttributes flags sendPtimeInSdp enable
set profiles signaling ipSignalingProfile PSTN_IPSP commonIpAttributes flags sendRtcpPortInSdp enable
set profiles signaling ipSignalingProfile PSTN_IPSP commonIpAttributes flags routeUsingRecvdFqdn enable
set profiles signaling ipSignalingProfile PSTN_IPSP commonIpAttributes flags minimizeRelayingOfMediaChangesFromOtherCallLegAll enable
set profiles signaling ipSignalingProfile PSTN_IPSP commonIpAttributes flags relayDataPathModeChangeFromOtherCallLeg enable
set profiles signaling ipSignalingProfile PSTN_IPSP commonIpAttributes relayFlags notify enable
set profiles signaling ipSignalingProfile PSTN_IPSP commonIpAttributes relayFlags statusCode4xx6xx enable
set profiles signaling ipSignalingProfile PSTN_IPSP commonIpAttributes optionTagInRequireHeader suppressReplaceTag enable
set profiles signaling ipSignalingProfile PSTN_IPSP commonIpAttributes flags includeTransportTypeInContactHeader enable
set profiles signaling ipSignalingProfile PSTN_IPSP egressIpAttributes flags disable2806Compliance enable
set profiles signaling ipSignalingProfile PSTN_IPSP egressIpAttributes redirect flags forceRequeryForRedirection enable
set profiles signaling ipSignalingProfile PSTN_IPSP egressIpAttributes transport type1 tcp
set profiles signaling ipSignalingProfile PSTN_IPSP egressIpAttributes transport type2 udp
set profiles signaling ipSignalingProfile PSTN_IPSP ingressIpAttributes flags sendSdpIn200OkIf18xReliable enable
commit


IP Interface Group

Create an IP interface group. 

Replace "x.x.x.x" with SBC's pkt0 IP address and 'y' with its subnet mask. Use the SBC system name for "ceName".

set addressContext default ipInterfaceGroup LIF1 ipInterface PKT0_V4 ceName IOTGCM portName pkt0
set addressContext default ipInterfaceGroup LIF1 ipInterface PKT0_V4 ceName IOTGCM ipAddress x.x.x.x prefix y
set addressContext default ipInterfaceGroup LIF1 ipInterface PKT0_V4 mode inService state enabled
commit


Zone

Create a Zone that groups the set of objects that are used for the communication to PSTN. 

set addressContext default zone PSTN_ZONE id 2
commit


SIP Signaling Port

Create a SIP Signaling port which is  the logical address permanently bound to a specific zone which is used to send and receive SIP call signaling packets. 

Replace "x.x.x.x" with SBC's pkt0 IP address.

set addressContext default zone PSTN_ZONE id 2 sipSigPort 1 ipInterfaceGroupName LIF1 ipAddressV4 x.x.x.x portNumber 5060 transportProtocolsAllowed sip-tcp,sip-udp,sip-tls-tcp
set addressContext default zone PSTN_ZONE id 2 sipSigPort 1 mode inService state enabled
commit


SIP Trunk Group

Create a SIP Trunk Group towards PSTN side and assign the PSP, IPSP and LRBT Profiles configured above. 

For ingressIpPrefix, replace "x.x.x.x" and "y" with the IP address and subnet mask that you want to allow from PSTN.

set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG media mediaIpInterfaceGroupName LIF1
set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG policy media packetServiceProfile PSTN_PSP
set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG policy signaling ipSignalingProfile PSTN_IPSP 
set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG downstreamForkingSupport enabled
set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG signaling rel100Support enabled
set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG services dnsSupportType a-only
set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG ingressIpPrefix X.X.X.X Y
set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG mode inService state enabled
set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG signaling honorMaddrParam enabled
set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG signaling relayNonInviteRequest enabled
set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG media sdpAttributesSelectiveRelay enabled
set addressContext default zone PSTN_ZONE sipTrunkGroup PSTN_TG policy media toneAndAnnouncementProfile LRBT_PROF
commit


IP Peer

Create an IP Peer with the Fully-Qualified Domain Name (FQDN) or IP address of the endpoint and assign it to the PSTN Side.

Replace "x.x.x.x" with PSTN IP address.

set addressContext default zone PSTN_ZONE ipPeer PSTN_IPP ipAddress X.X.X.X ipPort 5060
commit

If FQDN is configured, attach DNS group to the PSTN Zone.


IP Static Route

Create a default route for the destination IP to come inside the network via a particular interface.

Replace "x.x.x.x" with destination IP, "Y" with the subnet mask and "z.z.z.z" with the PKT0 gateway IP address.

set addressContext default staticRoute X.X.X.Z Y Z.Z.Z.Z LIF1 PKT0_V4 preference 100        
commit


Routing Label

Create a Routing Label with a single Routing Label Route to bind the PSTN or Teams Trunk Group with the PSTN or Teams IP Peer.

set global callRouting routingLabel TEAMS_RL routingLabelRoute 1 trunkGroup TEAMS_TG ipPeer TEAMS_PEER inService inService
set global callRouting routingLabel PSTN_RL routingLabelRoute 1 trunkGroup PSTN_TG ipPeer PSTN_IPP inService inService
commit


Routing

Ensure Routing is put in place to send calls to the correct destination. Number based routing is used for the purpose of this scenario; however, you may use additional routing options. The configuration of both standard and username routes are performed to ensure that no matter how the called party is addressed (a number or a username), the SBC routes the message to the Core.

Create Route entries for standard Trunk Group routing with Matching Criteria and a Routing Label destination.

set global callRouting route none Sonus_NULL Sonus_NULL standard 962042 1 all all ALL none Sonus_NULL routingLabel PSTN_RL
set global callRouting route none Sonus_NULL Sonus_NULL standard 777888500 1 all all ALL none Sonus_NULL routingLabel TEAMS_RL
set global callRouting route none Sonus_NULL Sonus_NULL username Sonus_NULL Sonus_NULL all all ALL none SIP.PSTNHUB.MICROSOFT.COM routingLabel TEAMS_RL
set global callRouting route trunkGroup TEAMS_TG PTFY06 standard Sonus_NULL Sonus_NULL all all ALL none sip.pstnhub.microsoft.com routingLabel TEAMS_RL
set global callRouting route trunkGroup TEAMS_TG PTFY06 standard Sonus_NULL Sonus_NULL all all ALL none sip2.pstnhub.microsoft.com routingLabel TEAMS_RL
set global callRouting route trunkGroup TEAMS_TG PTFY06 standard Sonus_NULL Sonus_NULL all all ALL none sip3.pstnhub.microsoft.com routingLabel TEAMS_RL
commit

TLS Configuration

Generate a CSR with OpenSSL (example)

# Generate a private key (Use any Linux box to execute openssl cmds)
openssl genrsa -out /opt/sonus/csrkey.key 2048

# Generating the CSR requires another openssl command along with file location, name of your newly created key, path and file name for your CSR. 
# You are also prompted for information to populate the CSR.
openssl req -new -key /opt/sonus/csrkey.key -out /opt/sonus/certcsr.csr

 
The Country Name is mandatory and takes a two-letter country code:US
The State or Province Name field requires a full name:Taxes
The Locality Name field is for your city or town:Plano
In the Organization Name field, add your company or organization:Ribbon
Organizational Unit Name is an optional field for your department or section:Engineering
The Common Name field is used for the Fully Qualified Domain Name (FQDN) of the server (can be * if it is a wildcard): *.example.com
Email address is an optional field for this request: You can hit Enter to skip forward
The challenge password: <User define>
Company name: Ribbon
 
 
# After receiving the CSR with above information, provide it to CA (Certificate Authority). You will then receive the proper CA signed certificate in .crt format that is convertable into other formats using openssl. 
# By default, you should receive two or more certificate from CA (depanding upon your CA). One is the SBC certificate, and other is CA's root and intermediate certificate. 
# Upload the certificates to the SBC at /opt/sonus/external and convert them into SBC-readable format, i.e. SBC certificate is in .pem or .p12 format and root certificate is in .cer or .der.
 
#Converting .crt to .pem USING OPENSSL for SBC certificate.
openssl x509 -in sbc_cert.crt -out sbc_cert.der -outform DER
openssl x509 -in sbc_cert.der -inform DER -out sbc_cert.pem -outform PEM
 
#After generating sbc_cert.pem file, convert it to .p12 format using below command.
openssl pkcs12 -export -out sbc1_cert.p12 -in sbc_cert.pem -inkey /opt/sonus/csrkey.key
 
#CONVERTING CRT to CER USING OPENSSL for CA's root and intermediate certificate.
openssl x509 -in root_cert.crt -out root_cert.cer -outform DER
 
 
## Use Baltimore's Root Certificate which is downloadable from the below link. It is present in .pem format. Convert it to .cer format using openssl command.
### http://certificate.fyicenter.com/319_Root_CA_Baltimore_CyberTrust_Root_CyberTrust_Baltimore_IE.html
 
#CONVERTING PEM to CER USING OPENSSL
openssl x509 -outform der -in Baltimore_cert.pem -out Baltimore_cert.cer
 
After converting all these certificates upload them on SBC at /opt/sonus/external location.


Generate required certificates 

#Create Crypto Suite Profile.
set profiles security cryptoSuiteProfile CRYPT_PROF entry 1 cryptoSuite AES-CM-128-HMAC-SHA1-80

#Import Public CA Root Certificate into database.
set system security pki certificate CA_ROOT_CERT type remote fileName root_cert.cer state enabled

#Import Baltimore Certificate into database.
set system security pki certificate BALTIMORE_CERT type remote fileName Baltimore_cert.cer state enabled

#Import Public CA Certified SBC Server Certificate into database
set system security pki certificate SBC_CERT filename sbc1_cert.p12 passPhrase <Password defined during CSR generation> state enabled type local

#Create TLS Profile
set profiles security tlsProfile TLS_PROF clientCertName SBC_CERT serverCertName SBC_CERT cipherSuite1 tls_ecdhe_rsa_with_aes_256_cbc_sha384 cipherSuite2 tls_ecdhe_rsa_with_aes_128_cbc_sha authClient true allowedRoles clientandserver acceptableCertValidationErrors invalidPurpose
set profiles security tlsProfile TLS_PROF v1_1 enable
set profiles security tlsProfile TLS_PROF v1_0 disable
set profiles security tlsProfile TLS_PROF v1_2 enable
commit

#Configure Packet Service Profile with Crypto Suite
set profiles media packetServiceProfile TEAMS_PSP secureRtpRtcp cryptoSuiteProfile CRYPT_PROF
set profiles media packetServiceProfile TEAMS_PSP secureRtpRtcp flags enableSrtp enable
set profiles media packetServiceProfile TEAMS_PSP secureRtpRtcp flags allowFallback disable

#Configure SIP Signailng Port
set addressContext default zone TEAMS_ZONE sipSigPort 4 state disable mode outOfService
set addressContext default zone TEAMS_ZONE sipSigPort 4 tlsProfileName TLS_PROF
set addressContext default zone TEAMS_ZONE sipSigPort 4 state enable mode inService
commit
Teams SIP Proxy server only supports TLS version 1.2 with specific ciphersuit. At time of documentation Ribbon SBC support tls_ecdhe_rsa_with_aes_128_cbc_sha and tls_ecdhe_rsa_with_aes_256_cbc_sha384.


Attach TLS Profile to SIP Signaling Port

set addressContext default zone Teams_ZONE sipSigPort 4 state disabled mode outOfService
commit
set addressContext default zone Teams_ZONE sipSigPort 4 tlsProfileName TLS_PROF
commit
set addressContext default zone Teams_ZONE sipSigPort 4 state enabled mode inService
commit


Microsoft Teams Media Bypass


Microsoft Teams Media Bypass Architecture

 


To support Media Bypass on Teams, the SBC must support ICE and RTCP MUX.

#Enabling ICE Lite
set addressContext default zone TEAMS_ZONE sipTrunkGroup TEAMS_TG services natTraversal iceSupport iceWebrtc
commit

#Enabling RTCP Mux
set profiles media packetServiceProfile TEAMS_PSP rtcpOptions rtcpMux enable
commit

Section B: Configuring with EMA

Teams Side Configuration on SBC

Login to EMA Page


EMA login

 


Create Codec Entry

  1. Go to: Configuration --> Profile Management.

    Codec Entry

  2. Go to: Codec Entry --> +New Codec Entry.

    New Codec Entry

For enabling comfort noise, use G711SS-DEFAULT codec profile.


Create RTCP Interval

Go to: All --> System --> Media --> Media RTCP Control.

RTCP Interval

 


Create Global SIP domain

Go to: All --> Global --> Signaling --> SIP Domain --> + New SIP Domain.

SIP Domain




Create Tone and Announcement Profile

  1. Go to: All --> Profile --> Media --> Tone And Announcement Profile --> + New Tone And Announcement Profile.

    LRBT Profile

  2. After saving, Go to localRingbacktone --> LRBT_PROF (From Dropdown).

    Selecting LRBT PROF

    LRBT Configuration 1/3

  3. Go to: Local RingBack Tone -> Flags

    LRBT Configuration 2/3

  4. Go to: All --> System --> Media --> Media Profile

    LRBT Configuration 3/3

This configuration is not required for SWe Core 7.2 release onwards.


Create Pathcheck Profile

  1. Go to: All --> Profile --> Services --> Path check profile --> + New Path check profile.

    PathCheck Profile

  2. Go to: Transport preference.

    PathCheck Profile Transport Protocol

Create Zone

Go to: Configuration --> System Provisioning --> Zone --> + New Zone.

Zone Configuration

 


Create IP Interface Group

  1. Go to: Configuration --> System Provisioning --> IP Interface Group --> + New IP Interface Group.

    IP Interface Group

  2. Go to: Configuration --> System Provisioning --> Ip Interface --> Ip Interface Group (Created above) --> + New IP Interface.

    IP Interface Group

Create SIP Signaling Port

  1. Go to: Configuration --> System Provisioning --> SIP Sig Port.

  2. Choose your address context and zone --> + New SIP Sig Port.

    SIP Signaling Port

    SIP Signaling Port Configuration

Create DNS Record

  1. Go to: All --> Address Context --> DNS Group --> + New DNS Group.

    DNS Record

  2. Go to: All --> Address Context --> DNS Group --> local Record --> Server --> +New Server.\

    1. Choose DNS Group configured earlier (EXT_DNS).

      Adding Server Details in DNS

Add DNS group to Teams_Zone

Go to: Configuration --> System Provisioning --> Zone --> Teams_Zone.

Adding DNS to Zone

 


Create Media Packet Service Profile (PSP)

  1. Go to: All --> Profile --> Media --> Packet Service Profile --> + New Packet Service Profile.

    Creating PSP

  2. Go to: All --> Profile -->  Media --> Packet Service Profile --> Codec.

    Attaching Codec Profile in PSP

  3. Go to: All --> Profile --> Media --> Packet To Packet Control --> RTCP Options.

    RTCP Configuration

  4. Go to: All --> Profile --> Media --> Secure Rtp RTCP --> Flags.

    RTCP Flags

Enable SSRC Randomize

Go to: All --> Profiles --> Media --> Packet Services Profile --> Rtcp Options.

Enabling SSRC Randomize

 


Create IP Signaling Profile (IPSP)

  1. Go to: All --> Profile --> Signaling --> IP Signaling Profile --> + New IP Signaling Profile.

    Configuring IPSP

  2. Go to: All --> Profile --> Signaling --> IP Signaling Profile --> Common IP Attributes.

    1. Flags

      IPSP - Flags

    2. Option Tag In Require Header

      Option

  3. Go to: All --> Profile --> Signaling --> IP Signaling Profile --> Egress IP Attributes.

    1. Number Globalization Profile

      Egress IP Attribute

    2. Domain Name

      Domain Name

    3. Flags

      Flags

    4. Ingress IP Attributes --> Flags

      Ingress IP Attribute

Create SIP Trunk Group

  1. Go to: All --> Address Context --> Zone --> SIP Trunk Group --> + New SIP Trunk Group.
  2. Select Address Context and Zone (Teams_TG).

  3. After Configuring Trunk Group, refer to Inbound and Outbound SMM required for Teams Trunk group.

    SIP Trunk Config


    1. Media (All --> Address Context --> Zone --> Sip Trunk Group --> Media).

      SIP Trunk Media Flags

    2. Signaling (All --> Address Context --> Zone --> Sip Trunk Group --> Signaling).

      SIP Trunk Signaling Flags

    3. Policy (All --> Address Context --> Zone --> Sip Trunk Group --> Policy --> Media).

      Attaching Profile

    4. Policy (All --> Address Context --> Zone --> Sip Trunk Group --> Policy --> Signaling).

      Attaching Profile - Signaling

Create Teams IP Peer

Go to: All --> Address Context --> Zone --> IP Peer --> + New IP Peer.

Teams IP Peer

Peer Policy


For TLS, the Ribbon SBC Core increments the port number of the IP-Peer with one while sending out any call. Thus always configure a port less what remote peer is listening on. Please note, this is only applicable for TLS protocol.


Add Path Check Profile for IP Peer

Go to: All --> Address Context --> Zone --> IP Peer --> Path Check.

Adding PathCheck Profile

 


Create Routing Label

  1. Go to:  All --> Global --> Call Routing --> Routing Label.

  2. Click on Create Routing Label

    Routing Label

  3. Click on Create Routing Label Route.

    Adding Route

  4. Click on Create Route (Provide number towards Teams side).

    Create Number Base Route

    Route


    Route for Transfer

For call transfer scenario towards PSTN, you need to create a route with both number and domain name. The screenshot above creates a route for any number starting with 9620XXXXXX and domain name will get routed towards Teams_RL. 


Configuration Required for Teams Media Bypass 


Enable RTCP Mux

Refer to Media Bypass Topology diagram.

Go to: All --> Profile -->  Media --> Packet Service Profile --> RTCP Options.

Enabling RTCP Mux



Enable ICE Lite 

Go to: All --> Address Context --> Zone --> SIP Trunk Group --> Services --> NAT Traversal.

Enabling ICE Lite

 


PSTN Side Configuration on SBC

Create Zone

Go to: Configuration --> System Provisioning --> Zone --> + New Zone.

PSTN ZONE

 


Create IP Interface Group

  1. Go to: Configuration --> System Provisioning --> IP Interface Group --> + New IP Interface Group.

    PSTN IP Interface Group

  2. Go to: Configuration --> System Provisioning --> Ip Interface --> Ip Interface Group (Created above) --> + New IP Interface.

    IP Interface

Create SIP Signaling Port

  1. Go to: Configuration --> System Provisioning --> SIP Sig Port.
  2. Choose your address context and zone --> + New SIP Sig Port.


PSTN SIP Signaling

 


Create IP Signaling Profile (IPSP)

  1. Go to: All --> Profile --> Signaling --> IP Signaling Profile --> + New IP Signaling Profile.

    PSTN IP Signaling Profile

  2. Go to: All --> Profile --> Signaling --> IP Signaling Profile --> Common IP Attributes.

    1. Flags

      IPSP - Flags

    2. Option Tag In Require Header

      Option Tag

    3. Relay Flags

      Relay Flags

  3. Go to: All --> Profile --> Signaling --> IP Signaling Profile --> Egress Ip Attribute.

    1. Domain Name

      Domain Name

    2. Privacy

      Privacy flags

    3. Transport

      Transport

  4. Go to: All --> Profile --> Signaling --> IP Signaling Profile --> Ingress IP Attributes.

    1. Flags

      Flags

Create a Packet Service Profile (PSP)

  1. Go to: All --> Profile --> Media --> Packet Service Profile --> + New Packet Service Profile.

    PSTN PSP

  2. Go to: All --> Profile --> Media --> Packet Service Profile --> Codec.

    Codec Selection

  3. Go to: All --> Profile --> Media --> Packet Service Profile --> Rtcp Options.

    RTCP Config

Create Sip Trunk Group

  1. Go to: All --> Address Context --> Zone --> SIP Trunk Group --> + New SIP Trunk Group.

  2. Select Address Context and Zone (PSTN_Zone).


    SIP Trunk


    1. Media (All --> Address Context --> Zone --> Sip Trunk Group --> Media) 

      Media Flags

    2. Policy (All --> Address Context --> Zone --> Sip Trunk Group --> Policy)

      Policy

      Policy

    3. Signaling

      Signaling

Create PSTN IP-Peer

Go to: All --> Address Context --> Zone --> IP Peer --> + New IP Peer.

PSTN IP-Peer


You can configure the IP-Peer as the FQDN or IP address. To configure it as FQDN, refer to Teams' IP Peer configuration snapshot.


Create Routing Label

  1. Go to: All --> Global --> Call Routing --> Routing Label.

  2. Click on New “Create Routing Label”.

    Routing Label

  3. Click on Routing Label Route.

    Routing Label Route

  4. Click on Create Route.

    Adding Route

Security Configuration

Create PKI Profile

  1. Go to: All --> System --> Security --> PKI --> Certificate --> New Certificate

    New Certificate

  2. After Saving it. Click on the created certificate (MS_CERT) --> Certificate Commands --> Generate CSR.

  3. Provide the required information to generate the CSR. 

    Generate CSR


    MS Teams support Key Size2k only.


    CSR Info

    CSR

  4. Copy the CSR above and generate the certificate by a known Public CA. After receiving the certificate, upload the following certificate:
    • SBC certificate (must use .pem or .p12 format)
    • CA’s root and intermediate certificate (must use .der format)
    • Baltimore’s root certificate (must use .der format)

    For converting the certificate format, refer to "TLS Configuration" page under Section A.

  5. Go to: Administration --> System Administration --> File Upload --> Add files to Queue.

  6. Add and upload all required certificates.

    Adding files to Queue

  7. Click on “Upload All Files”.

    Uploading Files

Certificate Profile 

  1. Go to: All --> System --> Security --> PKI --> Certificate.

    Certificate

  2. Provide the certificate name in the “File Name” that you have uploaded and make the state “Enabled”.

  3. Similarly create a profile for remote certificates (Root, Intermediate, and Baltimore).

    Creating Remote cert profile

    Baltimore Cert

Create Crypto Profile

  1. Go to: All --> Profile --> Security --> Crypto Suite Profile --> + New Crypto Suite Profile.

    Crypto Profile

  2. Go to: All --> Profile --> Security --> Crypto Suite Profile --> Entry.

  3. Choose created profile --> New Entry.

    Crypto Entry

Create TLS Profile

Go to: All --> Profile --> Security --> TLS Profile --> + New TLS Profile.

TLS Profile

TLS Prof Cont


Teams SIP Proxy server only supports TLS version 1.2 with specific ciphersuit.

At the time of publishing this document, the Ribbon SBC supports following ciphersuits:

  1. tls_ecdhe_rsa_with_aes_128_cbc_sha
  2. tls_ecdhe_rsa_with_aes_256_cbc_sha384.


Attach TLS Profile to SIP Sig Port

  1. Go to: Configuration --> System Provisioning --> SIP Sig Port.
  2. Choose SIP Sig interface on the Teams side (make state disable and mode out of service).


Adding TLS Prof


Section C: Configuring Site Failover

This feature will allow the SBC to failover to another site of Office 365 when a primary data center site is down.

Currently, Microsoft Office 365 has the following sites:

  • sip.pstnhub.microsoft.com
  • sip2.pstnhub.microsoft.com
  • sip3.pstnhub.microsoft.com


Site Failover


## Adding IP-Peer
set addressContext default zone TEAMS_ZONE ipPeer TEAMS_PEER policy sip fqdn sip.pstnhub.microsoft.com fqdnPort 5060
set addressContext default zone TEAMS_ZONE ipPeer TEAMS1_PEER policy sip fqdn sip2.pstnhub.microsoft.com fqdnPort 5060
set addressContext default zone TEAMS_ZONE ipPeer TEAMS2_PEER policy sip fqdn sip3.pstnhub.microsoft.com fqdnPort 5060

## Adding IP-Peer in RoutingLabel
set global callRouting routingLabel TEAMS_RL routingLabelRoute 1 routeType trunkGroup trunkGroup TEAMS_TG ipPeer TEAMS_PEER inService inService
set global callRouting routingLabel TEAMS_RL routingLabelRoute 2 routeType trunkGroup trunkGroup TEAMS_TG ipPeer TEAMS1_PEER inService inService
set global callRouting routingLabel TEAMS_RL routingLabelRoute 3 routeType trunkGroup trunkGroup TEAMS_TG ipPeer TEAMS2_PEER inService inService

## Adding Reason Code in Cranckback Profile
set profiles callRouting crankbackProfile default reason code 41

Section D: Configuring SBC Hosting Scenario 


Understanding the SBC Hosting Scenario Example

A Microsoft partner sells telephony services delivered to Microsoft Teams to multiple independent enterprise customers (tenants). This partner may or may not be a PSTN carrier. Refer to Configure a Session Border Controller for multiple tenants for more information regarding Microsoft partner requirements in support of multiple tenants. The following example shows an SBC Core device deployed at the Microsoft partner data center. The following steps are configured on each independent enterprise tenant:

  1. Communication between the enterprise tenant's Teams clients and the enterprise's legacy PBX based clients.
  2. Communication between the enterprise tenant's Teams clients and the PSTN supported by the Microsoft partner.


Hosting scenario


Teams Direct Routing in support of multiple tenants requires wildcard certificate support.


This example uses Microsoft partner's SBC FQDN as customers.interopdomain.com, and an example Tenant's SBC FQDN as tenant1.customers.example.com 

The requirements for this configuration includes:

  1. A Public IP address for the SBC.
  2. Microsoft partner's SBC FQDN that points to the Public IP address of the SBC (e.g. tenant1.customers.example.com).
  3. The ability to create a Tenant's SBC FQDN sub-entry to the Microsoft partner's SBC FQDN (e.g. tenant1.customers.example.com).
  4. A wildcard certificate that protects the Microsoft partner's SBC FQDN, as well as the Tenant's SBC FQDN sub-entry (e.g. SAN=customers.example.com, SAN=*.customers.example.com).
  5. To enable the tenant's FQDN (e.g. tenant1.customers.example.com), create a user with this FQDN and proper license. 


The requirements from the Tenant's side:

  1. Create a DNS A entry for Tenant's SBC FQDN
    Example: tenant1.customers.example.com -> X.X.X.X

  2. Add the Tenant's SBC FQDN as the Domains for the tenant. The customer then provides the TXT entry to the Microsoft partner.
    Example: tenant1.customers.example.com

  3. Create a DNS TXT entry for the Tenant's SBC FQDN to validate the SBC connection
    Example: tenant1.customers.example.com TXT -> MS=54621XXXXX


Using ERE for multi-tenant deployment, the Ribbon SBC Core has limitations to scale up to around 500 tenants. To have more tenants onboard, deploy the Ribbon SBC Core with a PSX.

To re-create multiple sipSigPort, re-use the same public IP with a different port number, and with a difference of two port numbers.


Update SBC Configuration for Each New Tenant

For each tenant, configure a separate zone, SIP signaling port, and trunk group. 

You can have common or separate PSP and IPSP groups depending on your requirement. Refer to Section-A for PSP and IPSP configuration.

## Create Zone for tenantA
set addressContext default zone TEAMS_Tenant_A id 10
set addressContext default zone TEAMS_Tenant_A domainName tenant1.customers.example.com
 
## Create SIP Signaling Port
set addressContext default zone TEAMS_Tenant_A id 10 sipSigPort 12 ipInterfaceGroupName LIF2 ipAddressV4 115.X.X.X portNumber 5064 transportProtocolsAllowed sip-tls-tcp
set addressContext default zone TEAMS_Tenant_A sipSigPort 12 tlsProfileName TLS_PROF
set addressContext default zone TEAMS_Tenant_A id 10 sipSigPort 12 state enabled mode inService

## Create DNS Group
set addressContext default dnsGroup EXT_DNS
set addressContext default dnsGroup EXT_DNS type ip interface LIF2 server DNS2 ipAddress 8.8.8.8 state enabled
set addressContext default zone TEAMS_Tenant_A dnsGroup EXT_DNS

## Create SIP Trunk
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG media mediaIpInterfaceGroupName LIF2
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG signaling honorMaddrParam enabled
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG policy media packetServiceProfile TEAMS_A_PSP
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG policy signaling ipSignalingProfile TEAMS_A_IPSP
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG downstreamForkingSupport enabled
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG signaling rel100Support enabled
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG services dnsSupportType a-only
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG signaling relayNonInviteRequest enabled
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG signaling methods notify allow
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG ingressIpPrefix X.X.X.X X
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG policy media toneAndAnnouncementProfile LRBT_PROF
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG mode inService state enabled
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG media sdpAttributesSelectiveRelay enabled
set addressContext default zone TEAMS_Tenant_A sipTrunkGroup TEAMS_A_TG signaling messageManipulation outputAdapterProfile domainname_A
## Create Zone for tenantB
set addressContext default zone TEAMS_Tenant_B id 12	
set addressContext default zone TEAMS_Tenant_B domainName tenant2.customers.example.com
 
## Create SIP Signaling Port
set addressContext default zone TEAMS_Tenant_B id 12 sipSigPort 14 ipInterfaceGroupName LIF2 ipAddressV4 115.X.X.X portNumber 5066 transportProtocolsAllowed sip-tls-tcp
set addressContext default zone TEAMS_Tenant_B sipSigPort 14 tlsProfileName TLS_PROF
set addressContext default zone TEAMS_Tenant_B id 12 sipSigPort 14 state enabled mode inService

## Create DNS Group
set addressContext default dnsGroup EXT_DNS
set addressContext default dnsGroup EXT_DNS type ip interface LIF2 server DNS2 ipAddress 8.8.8.8 state enabled
set addressContext default zone TEAMS_Tenant_B dnsGroup EXT_DNS

## Create SIP Trunk
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG media mediaIpInterfaceGroupName LIF2
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG signaling honorMaddrParam enabled
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG policy media packetServiceProfile TEAMS_B_PSP
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG policy signaling ipSignalingProfile TEAMS_B_IPSP
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG downstreamForkingSupport enabled
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG signaling rel100Support enabled
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG services dnsSupportType a-only
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG signaling relayNonInviteRequest enabled
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG signaling methods notify allow
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG ingressIpPrefix X.X.X.X X
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG policy media toneAndAnnouncementProfile LRBT_PROF
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG mode inService state enabled
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG media sdpAttributesSelectiveRelay enabled
set addressContext default zone TEAMS_Tenant_B sipTrunkGroup TEAMS_B_TG signaling messageManipulation outputAdapterProfile domainname_B


SMM Required for Hosting Solution

Create separate SMM Profile with the domain name of each tenant's FQDN and apply it on their respective trunk group.

## SMM Rule
set profiles signaling sipAdaptorProfile domainname state enabled
set profiles signaling sipAdaptorProfile domainname advancedSMM disabled
set profiles signaling sipAdaptorProfile domainname profileType messageManipulation
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 1 type message
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 1 message
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 1 message messageTypes all
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 2 type header
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 2 header
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 2 header name contact
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 2 header condition exist
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 2 header hdrInstance all
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 3 type token
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 3 token
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 3 token condition exist
set profiles signaling sipAdaptorProfile domainname rule 1 criterion 3 token tokenType urihostname
set profiles signaling sipAdaptorProfile domainname rule 1 action 1 type token
set profiles signaling sipAdaptorProfile domainname rule 1 action 1 operation modify
set profiles signaling sipAdaptorProfile domainname rule 1 action 1 from
set profiles signaling sipAdaptorProfile domainname rule 1 action 1 from type value
set profiles signaling sipAdaptorProfile domainname rule 1 action 1 from value tenant1.customers.example.com
set profiles signaling sipAdaptorProfile domainname rule 1 action 1 to
set profiles signaling sipAdaptorProfile domainname rule 1 action 1 to type token
set profiles signaling sipAdaptorProfile domainname rule 1 action 1 to tokenValue urihostname
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 1 type message
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 1 message
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 1 message messageTypes all
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 2 type header
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 2 header
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 2 header name From
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 2 header condition exist
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 2 header hdrInstance all
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 3 type token
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 3 token
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 3 token condition exist
set profiles signaling sipAdaptorProfile domainname rule 2 criterion 3 token tokenType urihostname
set profiles signaling sipAdaptorProfile domainname rule 2 action 1 type token
set profiles signaling sipAdaptorProfile domainname rule 2 action 1 operation modify
set profiles signaling sipAdaptorProfile domainname rule 2 action 1 from
set profiles signaling sipAdaptorProfile domainname rule 2 action 1 from type value
set profiles signaling sipAdaptorProfile domainname rule 2 action 1 from value tenant1.customers.example.com
set profiles signaling sipAdaptorProfile domainname rule 2 action 1 to
set profiles signaling sipAdaptorProfile domainname rule 2 action 1 to type token
set profiles signaling sipAdaptorProfile domainname rule 2 action 1 to tokenValue urihostname
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 1 type message
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 1 message
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 1 message messageTypes all
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 2 type header
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 2 header
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 2 header name To
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 2 header condition exist
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 2 header hdrInstance all
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 3 type toke
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 3 token
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 3 token condition exist
set profiles signaling sipAdaptorProfile domainname rule 3 criterion 3 token tokenType urihostname
set profiles signaling sipAdaptorProfile domainname rule 3 action 1 type token
set profiles signaling sipAdaptorProfile domainname rule 3 action 1 operation modify
set profiles signaling sipAdaptorProfile domainname rule 3 action 1 from
set profiles signaling sipAdaptorProfile domainname rule 3 action 1 from type value
set profiles signaling sipAdaptorProfile domainname rule 3 action 1 from value tenant1.customers.example.com
set profiles signaling sipAdaptorProfile domainname rule 3 action 1 to
set profiles signaling sipAdaptorProfile domainname rule 3 action 1 to type token
set profiles signaling sipAdaptorProfile domainname rule 3 action 1 to tokenValue urihostname

Section E: Basic Troubleshooting Steps

TLS Negotiation Issues

  • Port number:

    There are few areas that results in TLS negotiation issue. One of the them is assigning of incorrect port. Please make sure of the following: 

    • By default, MS Teams listens on port number 5061

    • Configure port number 5060 on Teams IP-Peer as Ribbon SBC Core increments the port by 1 when transport protocol is TLS 

    • For tenant's SBC configuration on Teams, use the same port number that is configured under SBC' sipSigPort


  • Certificates:

    There can be issues during certificate exchange resulting in failure of TLS negotiation. Please note the following points for troubleshooting:

    • Make sure to install root and all intermediate certificates provided by your CA on the SBC

    • Make sure that SBC's FQDN configured on the Teams side is the same as that on SBC's certificate

    • In case of a wildcard certificate, make sure the correct number of spaces exist before the domain name

      Example: A wild card certificate generated for *.example.com is not valid for *.customers.example.com. Refer to Tls Configuration section for detailed explanation on SBC supported certificate format.


  • SIP 403 Response to SIP OPTIONS: 

    There can be a situation when Teams SIP Proxy server responds with a SIP 403 to SIP OPTIONS request from SBC Core. This behavior is observed when Core SBC do not send domain information OR sends incorrect domain information to the Teams SIP ProxyIn either case, please verify the following:

    • Verify that SBC Core sends its FQDN in the 'From' and 'Contact' headers

    • Also, please make sure to configure the same as above on Teams SIP Proxy Server

    • Ensure SMM is applied to modify these headers in SIP Options Request