Modified: for 8.1.5

Overview

Caution

When the SBC SWe Lite is deployed in Azure, the SBC SWe Lite does not support Local Media Optimization. Local Media Optimization is available only in on-premises deployments.

Note

This best practice uses the term Microsoft Teams Direct Routing, which is also known as Phone System Direct Routing.

This best practice outlines how to use the Ribbon SBC Edge to configure Local Media Optimization for Microsoft Teams Direct Routing. Local Media Optimization keeps the Microsoft Teams Direct Routing media flow on the shortest path, which improves media quality and bandwidth usage on the SBC Edge. The media flow can be established directly between the Teams client and the SBC, even if the SBC does not have Microsoft Teams Direct Routing connectivity. The SBC 1000, SBC 2000, and SBC SWe Lite support the Proxy, Central, and Downstream SBC roles. For more details about this feature, refer to Local Media Optimization for Direct Routing.

Microsoft Teams Direct Routing Media Flow


This best practice covers both greenfield and migration deployments and explains the requirements for each case. Cautions mark the procedures that apply to only one deployment scenario.

Though the SBC 1000, SBC 2000, and SBC SWe Lite support all Local Media Optimization roles for Microsoft Teams Direct Routing, this best practice uses the following configurations as examples:

  • the SBC SWe Lite as a Proxy SBC in the central site

  • the SBC 1000 as a Downstream SBC in a local branch office

Note

You can use the Prepare Proxy SBC procedure to configure the SBC as a Central SBC.

The Proxy SBC information in this best practice applies to a Central SBC configuration unless otherwise stated.


Note

For the Proxy SBC, Ribbon recommends that you use the SBC SWe Lite because it has higher CPS (up to 10 CPS) and higher session density (up to 1200 simultaneous Direct Routing calls).

Make sure the licensed quantity of sessions on the SBC SWe Lite accommodates the maximum number of Local Media Optimization calls that the subtended (attached behind the Proxy SBC) Downstream SBCs carry.

Microsoft Limitations

Microsoft does not support Music on Hold. You should disable Music on Hold for all users that use Local Media Optimization. To disable Music on Hold, refer to Set-CsTeamsCallingPolicy.

Microsoft does not support Early 183. You should disable Early 183 for all SBC signaling groups that use Local Media Optimization. For information about Early 183, refer to the Early 183 section in Creating and Modifying SIP Signaling Groups.

Prerequisites

This section outlines the prerequisites for Local Media Optimization for Microsoft Teams Direct Routing.

SBC Capacity

When deploying Local Media Optimization, the Proxy SBC has to handle its usual local traffic plus all traffic from the Downstream SBC. You must make sure the Proxy SBC has the capacity and the license to handle the load. See the following load impacts:

  • Call made to and from a Teams client that is internal to the customer network:
    • The Proxy SBC consumes the Proxy Media Mode with Encryption resource.
    • The Downstream SBC consumes the SIP with corresponding RTP Media resource.
  • Call made to and from a Teams client that is external to the customer network:
    • The Proxy SBC consumes the SIP with corresponding RTP Media resource.
    • The Downstream SBC consumes the SIP with corresponding RTP Media resource.

Firmware Requirement

The Proxy SBC requires the following firmware:

  • SBC SWe Lite: Release 8.1.5 Build 239
  • SBC Edge: Release 8.1.5 Build 538

Ribbon recommends the following versions for the Downstream SBC for an easier configuration:

  • SBC SWe Lite: Release 8.1.5 Build 239
  • SBC Edge: Release 8.1.5 Build 538

Note

This document outlines only the recommended firmware.

Microsoft Direct Routing Configuration

You must configure the following for Microsoft Teams Direct Routing:

  • You must plan the Microsoft Teams tenant for Local Media Optimization usage according to the Local Media Optimization for Direct Routing document.
  • You must configure the Microsoft Teams tenant for Local Media Optimization usage according to the Configure Local Media Optimization for Direct Routing document. When you configure the Microsoft Teams Direct Routing, you must also configure the following items:
    • CsTenantTrustedIPAddress
    • CsTenantNetworkRegion
    • CsTenantNetworkSite
    • CsTenantNetworkSubnet
    • CsOnlinePSTNGateway
    • CsOnlineVoiceRoute

Certificate Usage

The Proxy SBC requires a certificate signed by a public certificate authority.

The Downstream SBC requires a certificate to support the encrypted media. This certificate can be signed by a private or public certificate authority.

Note

Since the Proxy SBC and Downstream SBC use the same domain in this best practice, the SBC Edge reuses the wildcard certificate from the Proxy SBC on each Downstream SBC.

Public Certificate

The public certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.

Domain Name

For the SBC Edge to pair with Microsoft Teams, the SBC FQDN domain name must match a name registered in both the Domains and DomainUrlMap fields of the Tenant. Verify the correct domain name is configured for the Tenant as follows:

  1. On the Microsoft Teams Tenant side, execute Get-CsTenant.
  2. Review the output.
  3. Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes for the Tenant. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.

Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.

Domain Name Examples

  • Domain Name*: SonusMS01.com
    • Use for SBC FQDN? Yes
    • FQDN Names - Examples, valid names:
      • aepsite6.SonusMS01.com
  • Domain Name*: hybridvoice.org
    • Use for SBC FQDN? Yes
    • FQDN Names - Examples, valid names:
      • sbc1.hybridvoice.org
      • ussbcs15.hybridvoice.org
      • europe.hybridvoice.org
    • FQDN Names - Examples, non-valid name:
      • sbc1.europe.hybridvoice.org (requires registering domain name europe.hybridvoice.org in “Domains” first)

*Do not use the *.onmicrosoft.com tenant for the domain name.

Configure Domain Names - Example
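
The naming rules above can be checked before you request a certificate or pair the SBC. The following shell functions are an added example, not Ribbon or Microsoft code: the function names are hypothetical, the one-label rule is inferred from the valid and non-valid names listed above, and the domain list (including contoso.onmicrosoft.com) is constructed to stand in for the Domains value reported by Get-CsTenant. The wildcard check also covers the case where one wildcard certificate is reused on several SBCs.

```shell
#!/bin/sh
# Added example: pre-flight checks for SBC FQDNs. Function names are
# hypothetical; the tenant domain list below is constructed sample data.

# Lower-case a DNS name and drop a trailing dot.
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Print everything after the first label
# (sbc1.hybridvoice.org -> hybridvoice.org); prints nothing for a bare label.
parent_domain() {
    case "$1" in
        ?*.?*) printf '%s' "${1#*.}" ;;
    esac
}

# check_sbc_fqdn FQDN REGISTERED_DOMAIN...
# Prints a verdict and returns 0 only when the FQDN sits exactly one label
# below a domain that is registered for the tenant.
check_sbc_fqdn() {
    fqdn=$(normalize "$1"); shift
    parent=$(parent_domain "$fqdn")
    if [ -z "$parent" ]; then
        echo "invalid: not a fully qualified name"; return 1
    fi
    case "$parent" in
        onmicrosoft.com|*.onmicrosoft.com)
            echo "invalid: *.onmicrosoft.com must not be used"; return 1 ;;
    esac
    for domain in "$@"; do
        if [ "$(normalize "$domain")" = "$parent" ]; then
            echo "valid: $parent is registered"; return 0
        fi
    done
    echo "invalid: register $parent in Domains first"; return 1
}

# wildcard_covers PATTERN FQDN
# A certificate wildcard stands for exactly one leftmost label, so
# *.hybridvoice.org covers sbc1.hybridvoice.org but neither
# sbc1.europe.hybridvoice.org nor hybridvoice.org itself.
wildcard_covers() {
    pattern=$(normalize "$1"); name=$(normalize "$2")
    case "$pattern" in
        '*.'?*) [ "$(parent_domain "$name")" = "${pattern#??}" ] ;;
        *)      [ "$pattern" = "$name" ] ;;
    esac
}

# Constructed tenant data: the two domains used in this best practice.
TENANT_DOMAINS="SonusMS01.com hybridvoice.org"
for candidate in sbc1.hybridvoice.org europe.hybridvoice.org \
                 sbc1.europe.hybridvoice.org sbc1.contoso.onmicrosoft.com; do
    # Word splitting of the domain list is intended here.
    verdict=$(check_sbc_fqdn "$candidate" $TENANT_DOMAINS) || true
    if wildcard_covers '*.hybridvoice.org' "$candidate"; then
        cert=yes
    else
        cert=no
    fi
    printf '%-30s %-48s wildcard=%s\n' "$candidate" "$verdict" "$cert"
done
```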

 

Name Resolution

The Proxy SBC FQDN needs to be resolved in a publicly accessible DNS.

The Proxy SBC and Downstream SBC can resolve each other's FQDN to their private IP addresses by using one of the following architectures:

  • host entries
    • The Proxy SBC has a host entry to resolve each Downstream SBC FQDN.
    • The Downstream SBC has a host entry to resolve the Proxy SBC FQDN to its private IP address.
  • private DNS
    • The Proxy SBC and Downstream SBC use a split DNS to resolve each other's FQDN to their private IP address.

Note

This best practice uses host entries.

Implementation

This best practice uses the FQDN and ports illustrated in the following figure.

FQDN and Port Usage

Prepare Proxy SBC

This section outlines how to prepare the Proxy SBC.

Note

You can use the procedures in this section if you want to configure a Central SBC. Note that the screen captures in this section are not examples of Central SBC configurations.

For more information about configuring a Central SBC, refer to Local Media Optimization for Direct Routing.

Install SBC and Perform Initial Setup

Caution

Perform this procedure only if you are creating a new SBC for the Proxy role (a greenfield scenario).


Use the following procedure to install the SBC and perform the initial setup: Installing SBC SWe Lite

Run Easy Config Wizard on Proxy SBC

Once your SBC is up and running, you must configure the SBC to connect to the Microsoft Teams Direct Routing Server and allow the Downstream SBC connection.

  1. Access a compatible web browser.
  2. In the browser, enter the IP address of the SBC Edge in the URL address bar. The Welcome to Ribbon screen is displayed.
  3. Review the Pre-Login message.
  4. Enter the administrator User Name and Password configured during initial setup.
  5. If the Acknowledge Pre-Login Message checkbox is displayed, click on it to acknowledge you have reviewed the pre-login information above. After initial login, this checkbox can be enabled and disabled via the Global Security Options. By default, this checkbox is configured as disabled.
  6. Click Login. The main screen provides all WebUI functions, including tabbed options, menu tree, device name, and the last login date and time of the system.

  7. Select Tasks > SBC Easy Setup > Easy Config Wizard.

    Easy Config Wizard

  8. In the Application field, select your application. This best practice configures the SIP Trunk Microsoft Teams.

    Easy Configuration Step 1

  9. Configure the other fields in Step 1 and click Next.
  10. In the SIP Trunk section, enter the information for the central SIP Trunk provider.

    Note

    For a Central SBC configuration, configure the Border Element Server with the FQDN or IP of the central SIP Trunk.

  11. In the Teams Connection Type field, select Local Media Optimization.

    Easy Configuration Step 2

  12. Configure the other fields in the Microsoft Teams section and click Next.

    Caution

    The SBC Edge will not support the Outbound NAT Traversal field until the SBC SWe Lite 9.0.0 release.

  13. Review your configuration information in Step 3 and click Finish.

    Easy Configuration Step 3

Import Certificate on Proxy SBC

This section outlines how to import a certificate on the Proxy SBC.

Configure and Generate Certificates on the SBC

Warning: Common Encryption Certificate Issues Arise from Missing Root Certificates
  • Did you only install the CA-signed SBC certificate, along with the intermediate certificate(s) sent by your issuing CA?
  • Did you get the following error message from the SBC?




If so, the likely reason is a missing CA Root Certificate. The SBC does not have any pre-installed CA root X.509 certificates, unlike typical browsers found on your PC. Ensure the entire certificate chain of trust is installed on the SBC, including the root certificate. Acquire the CA root certificate as follows:

  1. Contact your system administrator or certificate vendor to acquire the root, and any further missing intermediate certificate(s) to provision the entire certificate chain of trust within the SBC;
  2. Load the root certificate, along with the intermediate and SBC certificates, according to Importing Trusted Root CA Certificates.

NOTE: Root certificates are easily acquired from the certificate authorities. For example, the root certificate for the GoDaddy Class 2 Certification Authority may be found at https://ssl-ccp.godaddy.com/repository?origin=CALLISTO . For more information about root certificates, intermediate certificates, and the SBC server (“leaf”) certificates, refer to this tutorial.

For other certificate-related errors, refer to Common Troubleshooting Issues with Certificates in SBC Edge.
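
To see the missing-root condition described in the warning above, and to check a certificate bundle before importing it, the following shell script is an added example and not Ribbon's tooling. It assumes the openssl command-line tool is installed, generates constructed throwaway certificates locally, and uses hypothetical function names.

```shell
#!/bin/sh
# Added example: reproduces the missing-root condition with constructed,
# throwaway certificates. Function names are hypothetical; requires openssl.

# issue DIR NAME CN EXT_SECTION ISSUER SERIAL
# Creates NAME.key and NAME.csr, then NAME.pem signed by ISSUER.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -days 2 -set_serial "$6" \
        -CA "$1/$5.pem" -CAkey "$1/$5.key" \
        -extfile "$1/openssl.cnf" -extensions "$4" -out "$1/$2.pem" 2>/dev/null
}

# make_constructed_chain DIR
# Builds root.pem -> intermediate.pem -> sbc.pem (wildcard leaf).
make_constructed_chain() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.hybridvoice.org
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -config "$1/openssl.cnf" -extensions ca_ext \
        -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    issue "$1" intermediate "Constructed Intermediate CA" ca_ext root 2 || return 1
    issue "$1" sbc "sbc1.hybridvoice.org" leaf_ext intermediate 3
}

# chain_verifies TRUST_BUNDLE LEAF
# Succeeds only if LEAF chains to a self-signed root inside TRUST_BUNDLE.
# -no-CApath keeps the workstation's own trust store out of the decision,
# which mirrors an SBC that has no pre-installed root certificates.
chain_verifies() {
    openssl verify -no-CApath -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# is_self_signed CERT
# True when subject and issuer names match, as they do for a root certificate.
is_self_signed() {
    subject=$(openssl x509 -noout -subject -in "$1") || return 1
    issuer=$(openssl x509 -noout -issuer -in "$1") || return 1
    [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

work=$(mktemp -d) || exit 1
make_constructed_chain "$work" || { echo "openssl failed"; rm -rf "$work"; exit 1; }

# Store 1 holds only the intermediate (the situation in the warning);
# store 2 holds the whole chain of trust, root included.
cp "$work/intermediate.pem" "$work/store_without_root.pem"
cat "$work/root.pem" "$work/intermediate.pem" > "$work/store_with_root.pem"
for store in store_without_root store_with_root; do
    if chain_verifies "$work/$store.pem" "$work/sbc.pem"; then
        echo "$store: chain complete"
    else
        echo "$store: chain incomplete, root certificate missing"
    fi
done
rm -rf "$work"
```

For real certificates, concatenate the root and intermediate files you plan to import into one bundle and pass it with the SBC certificate to chain_verifies; is_self_signed tells you whether a file you were given is actually the root.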

Microsoft Teams Direct Routing allows only TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities.

Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows:

  • Generate a Certificate Signing Request (CSR) and obtain the certificate from a supported Certification Authority.
  • Import the Public CA Root/Intermediate Certificate on the SBC.
  • Import the Microsoft CA Certificate on the SBC.
  • Import the SBC Certificate.

Note

The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority.

Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)

Many CAs do not support a private key with a length of 1024 bits. Check your CA's requirements and select the appropriate key length.

  1. Access a compatible web browser.
  2. In the browser, enter the IP address of the SBC Edge in the URL address bar. The Welcome to Ribbon screen is displayed.
  3. Review the Pre-Login message.
  4. Enter the administrator User Name and Password configured during initial setup.
  5. If the Acknowledge Pre-Login Message checkbox is displayed, click on it to acknowledge you have reviewed the pre-login information above. After initial login, this checkbox can be enabled and disabled via the Global Security Options. By default, this checkbox is configured as disabled.
  6. Click Login. The main screen provides all WebUI functions, including tabbed options, menu tree, device name, and the last login date and time of the system.

  7. Access Settings > Security > SBC Certificates.
  8. Click Generate SBC Edge CSR.

  9. Enter data in the required fields.

  10. Click OK. After the Certificate Signing request finishes generating, copy the result to the clipboard.

    Generate Certificate Signing Request

  11. Use the generated CSR text from the clipboard to obtain the certificate. 

Step 2: Deploy the SBC and Root/Intermediate Certificates on the SBC

After receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows:

  1. Obtain Trusted Root and Intermediary signing certificates from your certification authority.
  2. Access a compatible web browser.
  3. In the browser, enter the IP address of the SBC Edge in the URL address bar. The Welcome to Ribbon screen is displayed.
  4. Review the Pre-Login message.
  5. Enter the administrator User Name and Password configured during initial setup.
  6. If the Acknowledge Pre-Login Message checkbox is displayed, click on it to acknowledge you have reviewed the pre-login information above. After initial login, this checkbox can be enabled and disabled via the Global Security Options. By default, this checkbox is configured as disabled.
  7. Click Login. The main screen provides all WebUI functions, including tabbed options, menu tree, device name, and the last login date and time of the system.

  8. To install Trusted Root Certificates, click Settings > Security > SBC Certificates > Trusted Root Certificates.
  9. Click Import and select the trusted root certificates.
  10. To install the SBC certificate, open Settings > Security > SBC Certificates > SBC Primary Certificate.
  11. Validate the certificate is installed correctly.

    Validate Certificate

  12. Click Import and select X.509 Signed Certificate.
  13. Validate the certificate is installed correctly.

    Validate Certificate

Update the Current Call Routing

Caution

Perform this procedure only if you are using a node that is already configured with another signaling group (a migration scenario).

If this is not a newly deployed SBC and you have already configured one of the following, follow the corresponding instructions:

  • If you configured a SIP Trunk or PSTN Access on this SBC, you must perform the following procedure to select the previously created signaling group in the From Microsoft Teams Direct Routing table (see the following example call flow).

    Call Routing Setup to old PSTN - Proxy SBC

    1. Select Settings > Call Routing > Call Routing Table.

    2. Select the call routing table for Microsoft Teams Direct Routing.
    3. Select the To Outside (Passthrough) route entry.

    4. In the Destination Signaling Groups field, select the Border Element signaling group and click Remove.

      Remove Border Element for Teams Direct Routing

    5. In the Destination Signaling Groups field, click Add and add your previously created SIP Trunk or PSTN Access.

      Add SIP Trunk or PSTN Access for Teams Direct Routing

    6. In the Audio Stream Mode field, select Direct Preferred over DSP.

      Audio Stream Mode for Teams Direct Routing

    7. Click Apply.

    8. Click Signaling Groups.
    9. Delete the Border Element signaling group.
  • If you configured a connection to Teams Direct Routing or Skype for Business, you must remove the previously created signaling group (see the following example call flow).

    Call Routing Setup to new Teams - Proxy SBC

Disable Validate Server FQDN in TLS Profile

Note

This section applies only to the Proxy SBC for the SBC SWe Lite Release 8.1.5.

Use the following procedure to disable the Validate Server FQDN in the TLS Profile.


  1. Access a compatible web browser.
  2. In the browser, enter the IP address of the SBC Edge in the URL address bar. The Welcome to Ribbon screen is displayed.
  3. Review the Pre-Login message.
  4. Enter the administrator User Name and Password configured during initial setup.
  5. If the Acknowledge Pre-Login Message checkbox is displayed, click on it to acknowledge you have reviewed the pre-login information above. After initial login, this checkbox can be enabled and disabled via the Global Security Options. By default, this checkbox is configured as disabled.
  6. Click Login. The main screen provides all WebUI functions, including tabbed options, menu tree, device name, and the last login date and time of the system.

  7. Select Settings > Security.

  8. From the TLS Profiles drop-down menu, select the TLS profile for the Teams Direct Routing TLS.
  9. In the Validate Server FQDN field, select Disabled.

Verify the Deployment

After you configure the Proxy SBC, use the following procedure to verify that the SBC works properly.

  1. Access a compatible web browser.
  2. In the browser, enter the IP address of the SBC Edge in the URL address bar. The Welcome to Ribbon screen is displayed.
  3. Review the Pre-Login message.
  4. Enter the administrator User Name and Password configured during initial setup.
  5. If the Acknowledge Pre-Login Message checkbox is displayed, click on it to acknowledge you have reviewed the pre-login information above. After initial login, this checkbox can be enabled and disabled via the Global Security Options. By default, this checkbox is configured as disabled.
  6. Click Login. The main screen provides all WebUI functions, including tabbed options, menu tree, device name, and the last login date and time of the system.

  7. Select Settings > Signaling Groups.

  8. Make sure the Service Status for all signaling groups is Up.

    Signaling Group Verification

  9. If the Service Status for the Teams Direct Routing signaling group is Down, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.

Prepare Downstream SBC

You must perform the procedures in this section for each Downstream SBC that you add. Make sure the FQDN for each Downstream SBC is different.

Note

The information to prepare a Downstream SBC applies to both the SBC 1000/2000 and SBC SWe Lite unless otherwise stated.

Install SBC and Perform Initial Setup

Caution

Perform this procedure only if you are creating a new SBC for the Downstream role (a greenfield scenario).

Use the following procedure to install the SBC and perform the initial setup: Installing SBC 1000/2000

Note

For the SBC SWe Lite, use the following procedure to install the SBC and perform the initial setup: Installing SBC SWe Lite

Run Easy Config Wizard on Downstream SBC

Once your SBC is up and running, you must configure the SBC to connect to the Proxy SBC.

  1. Access a compatible web browser.
  2. In the browser, enter the IP address of the SBC Edge in the URL address bar. The Welcome to Ribbon screen is displayed.
  3. Review the Pre-Login message.
  4. Enter the administrator User Name and Password configured during initial setup.
  5. If the Acknowledge Pre-Login Message checkbox is displayed, click on it to acknowledge you have reviewed the pre-login information above. After initial login, this checkbox can be enabled and disabled via the Global Security Options. By default, this checkbox is configured as disabled.
  6. Click Login. The main screen provides all WebUI functions, including tabbed options, menu tree, device name, and the last login date and time of the system.

  7. Select Tasks > SBC Easy Setup > Easy Config Wizard.

  8. In the Application field, select your application. This best practice configures SIP Trunk Microsoft Teams.

  9. In the Teams Connection field, select Teams Downstream SBC.

    Easy Configuration for Teams Downstream SBC

  10. Configure the other fields in Step 1 and click Next.
  11. In the SIP Trunk section, enter the information for the Branch 1 SIP Trunk provider.

    Caution

    You must target the Proxy SBC by its FQDN for the TLS connection to establish properly.

    Easy Configuration Step 2 for Teams Downstream SBC

  12. Configure the other fields in the Microsoft Teams section and click Next.
  13. Review your configuration information in Step 3 and click Finish.

    Easy Configuration Step 3 for Teams Downstream SBC

Import Certificate on Downstream SBC

Since the Proxy SBC and Downstream SBC use the same domain in this best practice, the SBC Edge reuses the wildcard certificate from the Proxy SBC on each Downstream SBC.

If your deployment requires a different certificate for the Downstream SBC, see Configure and Generate Certificates on the SBC.

Configure Proxy FQDN Resolution on Downstream SBC

  1. Access a compatible web browser.
  2. In the browser, enter the IP address of the SBC Edge in the URL address bar. The Welcome to Ribbon screen is displayed.
  3. Review the Pre-Login message.
  4. Enter the administrator User Name and Password configured during initial setup.
  5. If the Acknowledge Pre-Login Message checkbox is displayed, click on it to acknowledge you have reviewed the pre-login information above. After initial login, this checkbox can be enabled and disabled via the Global Security Options. By default, this checkbox is configured as disabled.
  6. Click Login. The main screen provides all WebUI functions, including tabbed options, menu tree, device name, and the last login date and time of the system.

  7. Select Settings > Protocols > DNS > Hosts.

    Hosts Settings

  8. Click the + icon to create a host entry.

  9. Enter the FQDN and IP address for the Proxy SBC.

    Create Host Entry for Proxy SBC

Configure Downstream FQDN Resolution on Proxy SBC

  1. Access a compatible web browser.
  2. In the browser, enter the IP address of the SBC Edge in the URL address bar. The Welcome to Ribbon screen is displayed.
  3. Review the Pre-Login message.
  4. Enter the administrator User Name and Password configured during initial setup.
  5. If the Acknowledge Pre-Login Message checkbox is displayed, click on it to acknowledge you have reviewed the pre-login information above. After initial login, this checkbox can be enabled and disabled via the Global Security Options. By default, this checkbox is configured as disabled.
  6. Click Login. The main screen provides all WebUI functions, including tabbed options, menu tree, device name, and the last login date and time of the system.

  7. Select Settings > Protocols > DNS > Hosts.

  8. Click the + icon to create a host entry.

  9. Enter the FQDN and IP address for the Downstream SBC.

    Create Host Entry for Downstream SBC

Update the Current Call Routing

Caution

Perform this procedure only if you are using a node that is already configured with another signaling group (a migration scenario).

If this is not a newly deployed SBC and you have already configured one of the following, follow the corresponding instructions:

  • If you configured a SIP Trunk or PSTN Access on this SBC, you must perform the following procedure to select the previously created signaling group in the From SBC as Teams Downstream table (see the following example call flow).

    Call Routing Setup to old PSTN - Downstream SBC

    1. Select Settings > Call Routing > Call Routing Table.

    2. Select the call routing table for the SBC as Teams Downstream.
    3. Select the To Outside (Passthrough) route entry.

    4. In the Destination Signaling Groups field, select the Border Element signaling group and click Remove.

      Remove Border Element for Downstream SBC

    5. In the Destination Signaling Groups field, click Add and add your previously created SIP Trunk or PSTN Access.

    6. Click Apply.
    7. Click Signaling Groups.
    8. Delete the Border Element signaling group.
  • If you configured a connection to Teams Direct Routing or Skype for Business, you must remove the previously created signaling group (see the following example call flow).

    Call Routing Setup to new Teams - Downstream SBC

Verify the Deployment

After you configure the Downstream SBC, use the following procedure to verify that the SBC works properly.

  1. Access a compatible web browser.
  2. In the browser, enter the IP address of the SBC Edge in the URL address bar. The Welcome to Ribbon screen is displayed.
  3. Review the Pre-Login message.
  4. Enter the administrator User Name and Password configured during initial setup.
  5. If the Acknowledge Pre-Login Message checkbox is displayed, click on it to acknowledge you have reviewed the pre-login information above. After initial login, this checkbox can be enabled and disabled via the Global Security Options. By default, this checkbox is configured as disabled.
  6. Click Login. The main screen provides all WebUI functions, including tabbed options, menu tree, device name, and the last login date and time of the system.

  7. Select Settings > Signaling Groups.

  8. Make sure the Service Status for all signaling groups is Up.

    Signaling Group Verification for Downstream SBC

Place a Test Call

Use the following procedure to place a test call.

  1. Access a compatible web browser.
  2. In the browser, enter the IP address of the SBC Edge in the URL address bar. The Welcome to Ribbon screen is displayed.
  3. Review the Pre-Login message.
  4. Enter the administrator User Name and Password configured during initial setup.
  5. If the Acknowledge Pre-Login Message checkbox is displayed, click on it to acknowledge you have reviewed the pre-login information above. After initial login, this checkbox can be enabled and disabled via the Global Security Options. By default, this checkbox is configured as disabled.
  6. Click Login. The main screen provides all WebUI functions, including tabbed options, menu tree, device name, and the last login date and time of the system.

  7. In the WebUI, click the Diagnostics tab.

  8. In the left navigation pane, click Test a Call.

  9. Configure the parameters according to your SBC.

    • Use the following table to configure the parameters for a Proxy SBC.

      Test Call for a Proxy SBC - Parameters

      Parameter: Value

      • Destination Number: Number assigned to a Teams user.
      • Origination/Calling Number: Number assigned to a Local user.
      • Call Routing Table: The routing table that handles the call from the Proxy SBC.

      See the following example configuration of testing a call for a Proxy SBC.

      Test Call for a Proxy SBC - Configuration

    • Use the following table to configure the parameters for a Central SBC.

      Test Call for a Central SBC - Parameters

      Parameter: Value

      • Destination Number: Number assigned to a Teams user.
      • Origination/Calling Number: Number assigned to a Local user.
      • Call Routing Table: The routing table that handles the call from the Central SBC.

      See the following example configuration of testing a call for a Central SBC.

      Test Call for a Central SBC - Configuration

    • Use the following table to configure the parameters for a Downstream SBC.

      Test Call for a Downstream SBC - Parameters

      Parameter: Value

      • Destination Number: Number assigned to a Teams user.
      • Origination/Calling Number: Number assigned to a Local user.
      • Call Routing Table: The routing table that handles the call from the Downstream SBC.

      See the following example configuration of testing a call for a Downstream SBC.

      Test Call for a Downstream SBC - Configuration

  10. Click OK.

    Place a Test Call - Example