In this section:
Overview
The SBC Edge is certified to offer Microsoft Teams Direct Routing services, and used to connect any Teams client to:
- A PSTN trunk, whether based on TDM (e.g. PRI, BRI, etc.), CAS, or SIP
- 3rd-party, non-Teams-certified SIP/TDM based PBXs, analog devices, and SIP clients
These instructions detail how to connect the SBC Edge (SBC 1000/2000 and SBC SWe Lite) for Enterprise's migration from Skype for Business Cloud Connector Edition with Phone System in Office 365 (Cloud PBX) to Microsoft Phone System (Teams).
The Cloud Connector Edition (CCE) application may be physically hosted within the Ribbon SBC (SBC 1000 or SBC 2000 Cloud Link device) or within an external server. These instructions apply to both CCE deployment scenarios.
Network Topology - Skype for Business Cloud Connector Edition (CCE) with Phone System in Office 365 (Cloud PBX) Migrates to Microsoft Phone System (Teams) Deployment
An enterprise may choose to deploy Microsoft Phone System services (Teams Direct Routing) to clients presently receiving Skype for Business Cloud Connector Edition (CCE) with Phone System in Office 365 (Cloud PBX). The instructions below detail how to migrate services from Cloud Connector Edition (CCE) to Microsoft Phone System (Teams Direct Routing) services.
In the following example, it is assumed a Ribbon SBC Edge device qualified for Skype for Business is already deployed on the customer premises.
Before Migration - Services from Skype for Business CCE (Cloud PBX)
After Migration - Services from Microsoft Phone System (Teams)
Step 1: Install SBC Edge
These instructions assume the SBC Edge product (SBC SWe Lite, SBC 1000/2000) is installed and running. If the product is not installed, refer to the links below.
Step 2: Review Prerequisites for Microsoft Teams Direct Routing
If you plan a Big Bang migration, some Prerequisites (such as Public IP, FQDN, and Certificates) are unnecessary if existing CCE resources are being re-used.
Consult the Microsoft documentation for detailed information on Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.
SBC Edge Software
Ensure you are running the latest version of SBC software:
- To locate the SBC Edge software current running, refer to: Viewing the Software Version and Hardware ID.
To download and upgrade a new version of SBC Edge software, refer to: Installing and Commissioning the SBC Edge and SBC SWe Lite.
NoteTo know more about licensing, contact your account team.
Obtain IP Address and FQDN
Requirements for configuring the SBC Edge in support of Teams Direct Routing include:
Domain Name
For the SBC Edge to pair with Microsoft Teams, the SBC FQDN domain name must match a name registered in both the Domains and DomainUrlMap fields of the Tenant. Verify the correct domain name is configured for the Tenant as follows:
- On the Microsoft Teams Tenant side, execute Get-CsTenant.
- Review the output.
- Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes for the Tenant. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.
Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.
Obtain Certificate
Public Certificate
The Certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.
Refer to Microsoft documentation for certificate information.
Refer to CCADB Documentation for the comprehensive list of supported CAs.
- Refer to Domain Name for certificate formats.
Configure and Generate Certificates on the SBC
Microsoft Teams Direct Routing allows only TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities.
Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows:
- Generate a Certificate Signing Request (CSR) and obtain the certificate from a supported Certification Authority.
- Import the Public CA Root/Intermediate Certificate on the SBC.
- Import the Microsoft CA Certificate on the SBC.
- Import the SBC Certificate.
The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority.
Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)
Many CA's do not support a private key with a length of 1024 bits. Validate with your CA requirements and select the appropriate length of the key.
- Access the WebUI.
- Access Settings > Security > SBC Certificates.
Click Generate SBC Edge CSR.
Enter data in the required fields.
Click OK. After the Certificate Signing request finishes generating, copy the result to the clipboard.
Use the generated CSR text from the clipboard to obtain the certificate.
Step 2: Deploy the SBC and Root/Intermediate Certificates on the SBC
After receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows:
- Obtain Trusted Root and Intermediary signing certificates from your certification authority.
- Access the WebUI.
- To install Trusted Root Certificates, click Settings > Security > SBC Certificates > Trusted Root Certificates.
- Click Import and select the trusted root certificates.
- To install the SBC certificate, open Settings > Security > SBC Certificates > SBC Primary Certificate.
Validate the certificate is installed correctly.
- Click Import and select X.509 Signed Certificate.
Validate the certificate is installed correctly.
- To install the Baltimore CyberTrust Root Certificate, click Settings > Security > SBC Certificates > Trusted Root Certificates.
Click Import and select Baltimore CyberTrust Root Certificate.
Validate the certificate is installed correctly.
For certificate-related errors, refer to Common Troubleshooting Issues with Certificates in SBC Edge.
Firewall Rules
Ribbon recommends the deployment of the SBC Edge product behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Security Hardening Checklist for more information about the SBC and firewalls.
This section lists the ports, protocols and services for firewalls that are in the path of the SBC connecting to Teams Direct Routing.
Basic Firewall Rules for All Call Flows
Firewall Rules for the SBC with Media Bypass
Step 3: Configure Direct Routing from Cloud Connector Edition (CCE)
Calls from the PTSN to an Office 365 user can be sent via Teams Direct Routing before the user is moved to Teams. Calls will go via Teams Direct Routing and reach the Skype client.
Before configuring the Tenant, wait at least ten minutes before the call Tab appears on the Team client.
Configure Tenant
These instructions configure the Tenant to connect (pair) the SBC to the Microsoft Direct Routing Interface.
- Access PowerShell. Refer to the PowerShell documentation.
- Connect to the Tenant via Powershell.
Configure Microsoft Phone system Voice routing. As part of this process, use the following command to create an Online PSTN Gateway that points to the SBC:
New-CsOnlinePSTNGateway -Fqdn <SBC Public FQDN> -SipSignallingPort <SBC SIP Port> -MaxConcurrentSessions <Max Concurrent Session which SBC capable handling> -Enabled $true
Configure Teams usage for the user:
#### USER CCE -> Teams Get-CsOnlineUser -Identity user1@domain.com | Select-Object -Property UserPrincipalName,EnterpriseVoiceEnabled,HostedVoiceMail,OnPremLineURI,TeamsInteropPolicy,TeamsCallingPolicy,OnlineVoiceRoutingPolicy Grant-CsVoicePolicy -PolicyName "" -Identity user1@domain.com Set-CsUserPstnSettings -HybridPSTNSite "" -Identity user1@domain.com Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity user1@domain.com Grant-CsTeamsCallingPolicy -PolicyName AllowCalling -Identity user1@domain.com Grant-CsOnlineVoiceRoutingPolicy -PolicyName "GeneralVRP" -Identity user1@domain.com
This can be reverted at any time with the following command:
#### USER Teams -> CCE Grant-CsTeamsUpgradePolicy -PolicyName SfBOnly -Identity user1@domain.com Grant-CsTeamsCallingPolicy -PolicyName "" -Identity user1@domain.com Grant-CsOnlineVoiceRoutingPolicy -PolicyName "" -Identity user1@domain.com Grant-CsVoicePolicy -PolicyName Tag:HybridVoice -Identity user1@domain.com Set-CsUserPstnSettings -HybridPSTNSite aepsite1 -Identity user1@domain.com
Wait at least ten minutes before the call is sent to the Skype client.
Step 4: Configure TCP and TLS between SBC and CCE
This section provides details on how to configure certificates for TCP and TLS between the SBC and Cloud Connector Edition (CCE).
- The new certificate is required only if you choose not to use the wildcard certificate available on the Cloud Connector.
- Calls from the PSTN to an Office 365 user can be sent via Teams Direct Routing before the user is moved to Teams. Calls will go via Teams Direct Routing and reach the Skype Client.
Using TCP between SBC and CCE
Follow instructions posted below for basic Teams configuration (Step 5).
Using TLS between SBC and CCE
There are two types of migration from CCE To Microsoft Teams to Direct Routing:
- Big Bang Migration. Resources are re-assigned from the CCE to Direct routing. After this migration, CCE functionality is no longer available. An Enterprise may choose a big bang migration to optimize costs associated with the migration.
- Smooth Migration. Resources are not re-assigned from the CCE to Direct Routing. After this migration, CCE functionality continues to remain available for select clients. Enterprises may choose a smooth migration when some level of Direct Routing testing is still required prior to CCE shutdown.
One TLS port can be attached to only one TLS profile. If your CCE deployment uses TLS 5061 as the Federated port, you must modify this Federated port to use a port other than 5061. To modify the Federated port, you must update the Primary SBC Transport Protocol of the CCE topology and the Federated port of the CCE signaling group.
If you cannot modify your CCE topology, you can modify the port that Microsoft Teams Direct Routing uses. Make sure you update the Firewall, ACL, and Federated port of the Teams Signaling Group and Online PSTN Gateway.
- Depending on the migration type, load the Root Public CA, the Public certificate, and the private key on SBC as follows:
For a "big bang" migration:
- Access the WebUI. Refer to Logging into the SBC Edge.
- Click on the Tasks tab.
- Export the certificate and private key from CCE via Tasks > Office 365 Cloud Connector Edition > Setup > CCE Public Certificate > Export on PKCS12 format.
From the left side menu, import the file via Certificates > Trusted CAs > Import Trusted CA certificate.
From the left side menu, import the file via Certificates > SBC Primary Certificate > Import > PKCS12 certificate and key.
For a "smooth" migration:
- Access the WebUI. Refer to Logging into the SBC Edge.
- Click on the Tasks tab.
From the left side menu, import the CA certificate via SBC Easy Setup > Certificates >Trusted CAs > Import Trusted CA certificate.
From the left side menu, import the new certificate via Certificates > SBC Primary Certificate > Import > PKCS12 certificate and key.
Exchange the root certificate between the SBC and CCE via Tasks > Office 365 > SBC Easy Setup > CCE Private Certificate > Synchronize CCE/SBC CA Certificate. For details, refer to Managing Cloud Connector Edition Private Certificates.
For details on certificates, refer to: Importing an SBC Edge Primary Certificate and Managing Trusted CA Certificates.
Do not modify the node Hostname, but use the public name of SBC in the SIP profile.
Step 5: Configure SBC Edge for Microsoft Teams Direct Routing
These instructions assume the SBC Edge is installed and running, and is connected to the WebUI.
For the purposes of this documentation, the screens displayed are for an SBC 1000/2000; the interface configuration may vary slightly for the SBC SWe Lite. If configuration is not specified for a field, use the default value.
Access the SBC Edge WebUI
Access the WebUI. Refer to Logging into the SBC Edge.
Configure TLS Profile
The TLS profile defines the crypto parameters for the SIP protocol; it is used as the transport type for incoming and outgoing SIP trunks.
Configure a TLS profile as follows:
- In the WebUI, click the Settings tab.
In the left navigation pane, go to Security > TLS Profiles.
- Click the Create TLS Profile ( ) icon at the top of the TLS Profile page. The Create TLS Profile page is displayed.
Configure the parameters as shown below (example values are shown in the table; configure as per your network requirements). For details on field descriptions, refer to Creating and Modifying TLS Profiles.
Leave all other parameters as default.
Click OK.
Configure Host Information and DNS
The Host Information and DNS configuration contains system information that is used by the SBC Edge, including host, domain, and NTP server information.
- In the WebUI, click the Settings tab.
In the left navigation page, access System > Node-Level Settings. The Node-Level Settings page is displayed.
Configure the NTP and DNS Servers with network-specific data.
Leave all other parameters as default.
Click Apply.
Configure Logical Interface
The SBC Edge supports system-supported Logical Interfaces, which are used to hold the IP address for each Ethernet port. One of these logical interfaces is assigned an IP address for transporting the VoIP media packets (i.e., RTP, SRTP) and protocol packets (i.e, SIP, RTCP, TLS). In this example, Ethernet 1 is configured for transporting packets for the Microsoft Teams Direct Routing connection.
Ensure the IP Routing Table contains the same information as in the network topology.
- In the WebUI, click the Settings tab.
In the left navigation pane, go to Node Interfaces > Logical Interfaces.
Configure the parameters as shown below (example values are shown in the table; configure as per your network requirements). For details on field descriptions, refer to Configuring and Modifying Logical Interfaces.
- Leave all other parameters as default.
Click Apply.
Create SIP Profile
The SIP Profile controls how the SBC Edge communicates with SIP devices; the profile controls important characteristics such as: session timers, SIP header customization (including FQDN), SIP timers, MIME payloads, and option tags .A SIP Profile also defines which FQDN (Fully Qualified Domain Name) is used in the Contact Header and From Headers. For interconnecting with Microsoft System Direct Routing, two SIP Profiles are required:
- Teams Direct Routing Profile
- SIP Trunk Profile
Create Teams Direct Routing Profile
Create a SIP Profile for the Teams Direct Routing Profile as follows:
- In the WebUI, click the Settings tab.
- In the left navigation page, access SIP > SIP Profiles.
Click the (
) icon at the top of left corner and add a new SIP profile.Configure the parameters as shown below (example values are shown in the table; configure as per your network requirements). For details on field descriptions, refer to Creating and Modifying SIP Profiles.
Leave all other parameters as default.
Click OK.
Create SIP Trunk Profile
Create a SIP Profile for the SBC Edge's SIP Trunk as follows:
- In the WebUI, click the Settings tab.
- In the left navigation page, access SIP > SIP Profiles.
Click the (
) icon at the top of left corner and add a new SIP profile.Configure the parameters as shown below (example values are shown in the table; configure as per your network requirements). For details on field descriptions, refer to Creating and Modifying SIP Profiles.
Leave all other parameters as default.
Click OK.
Create SDES-SRTP Profile
The SDES-SRTP Profile defines the encryption mechanism used between the SBC and the Microsoft Teams Direct Routing interface; the Crypto Suite specifies the algorithm used to negotiate with a peer device.
Create a SDES-SRTP Profile as follows:
- In the WebUI, click the Settings tab.
- In the left navigation page, access Media > SDES-SRTP.
- Click the ( ) icon at the top left corner and add a new SDES-SRTP Profile.
Configure the parameters as shown below. For details on field descriptions, refer to Creating and Modifying SIP Profiles.
Leave all other parameters as default.
Create Media List
The Media List contains one or more of Media Profiles, which the SBC Edge uses for call transmission. A Media Profile specifies the individual voice codecs the SBC Edge uses for voice compression, voice quality, and associated settings.
Create a Media List for Teams Direct Routing as follows:
- In the WebUI, click the Settings tab.
- In the left navigation page, access Media > Media List.
- Click the ( ) icon at the top left corner and add a new Media List.
Configure parameters as shown below. For details on field descriptions, refer to Creating and Modifying Media Lists.
Leave all other parameters as default.
Configure a SIP Server Table
SIP server tables define the information for the SIP interfaces connected to the SBC Edge; a SIP Server Table is required to support the Microsoft Phone System. For interconnecting with Microsoft System Direct Routing, two SIP Profiles are required:
- Teams Direct Routing Server
- SIP Trunk Server
Create a Teams Direct Routing Server
- In the WebUI, click the Settings tab.
- In the left navigation page, access SIP > SIP Server Tables
Click the (
) icon at the top left corner and add a new SIP Server Table.- For Description, enter Teams Direct Routing Server.
Click OK.
Configure Entries in the Teams Direct Routing Server
The information you configure in the SIP Server table pairs the SBC Edge to the Microsoft Teams Direct Routing interface. Three entries in the SIP Server table offer server redundancy to ensure a server is always up and communicating. If a server is down or not communicating, the SBC Edge will automatically move to the next Server entry on the list.
Configure Teams Direct Routing Server entries as follows:
- In the WebUI, click the Settings tab.
- In the left navigation page, access SIP > SIP Server Tables.
- Select the name of the table created in the previous step.
- From the Create SIP Server drop down list, select IP/FQDN.
Repeat this configuration for two additional SIP Server entries, using the field entries below. For details on field descriptions, refer to Creating and Modifying Entries in SIP Server Tables.
Create a SIP Trunk Server
- In the WebUI, click the Settings tab.
- In the left navigation page, access SIP > SIP Server Tables
Click the (
) icon at the top left corner and add a new SIP Server Table.- For Description, enter SIP Trunk Server.
Click OK.
Configure an Entry in the SIP Trunk Server
Configure a SIP Trunk Server entry as follows:
- In the WebUI, click the Settings tab.
- In the left navigation page, access SIP > SIP Server Tables.
- Select the name of the table created in the previous step.
- From the Create SIP Server drop down list, select IP/FQDN.
Leave the remaining fields as default. For details on field descriptions, refer to Creating and Modifying Entries in SIP Server Tables.
Click OK.
Create Transformation Table and Entries
This Transformation Table contains a list of call routes that include routing configuration for calls from Microsoft Teams and SIP Trunk. Two Transformation tables are required:
- For Calls from Microsoft Teams
- For Calls from SBC's SIP Trunk
Calls From Microsoft Teams to SBC's SIP Trunk
This Transformation Table contains a list of call routes that include routing configuration for calls from Microsoft Teams to SBC's SIP Trunk.
- In the WebUI, click the Settings tab.
- In the left navigation page, access Call Routing > Transformation
Click the (
) icon at the top left corner to add a new Transformation Table.- For Description, enter From Microsoft Teams
Click OK.
In the left navigation panel, select the new table: Transformation > From Microsoft Teams: Passthrough.
Click the Create (
) icon.- Configure the parameters as shown below. Leave the default values for all other parameters.
Click OK.
Calls From SBC's SIP Trunk to Microsoft Teams
This Transformation Table contains a list of call routes that include routing configuration for calls from the SBC's SIP Trunk to Microsoft Teams.
- In the WebUI, click the Settings tab.
- In the left navigation page, access Call Routing> Transformation
Click the (
) icon at the top left corner to add a new Transformation Table.- For Description, enter From SIP Trunk.
Click OK.
In the left navigation panel, select the new table: Transformation > From SIP Trunk: Passthrough.
Click the Create (
) icon.- Configure the parameters as shown below. Leave the default values for all other parameters.
Click OK.
Create Signaling Groups
Signaling groups allow telephony channels to be grouped together for the purposes of routing and shared configuration. In the case of SIP, they specify protocol settings and link to server, media and mapping tables. For Teams Direct Routing, you configure the Signaling Group to designate routing information for calls between SBC Edge and the Microsoft Phone System. Two Signaling Groups are required:
- Signaling Group - Calls from Microsoft Teams to SBC's SIP Trunk
- Signaling Group - Calls from SBC's SIP Trunk to Microsoft Teams
For the Skype for Business to Microsoft Teams migration, do not configure the Listen Ports table of the Skype for Business signaling group with the same Listen Ports of the Microsoft Teams signaling group.
Calls From Microsoft Teams to SBC's SIP Trunk
- In the WebUI, click the Settings tab.
- In the left navigation page, access Signaling Groups
From the Create Signaling Group drop down box, select SIP Signaling Group.
- Configure the parameters as shown below. Leave the default values for all other parameters.
Click OK.
Calls from SBC's SIP Trunk to Microsoft Teams
- In the WebUI, click the Settings tab.
- In the left navigation page, access Signaling Groups
From the Create Signaling Group drop down box, select SIP Signaling Group.
Configure the parameters as shown below. Leave the default values for all other parameters.
Click OK.
Create Call Routing Tables
Two Call Routing Tables for transporting calls between the SBC's SIP Trunk and Microsoft Teams are required:
- Call Route - Calls from Microsoft Teams to SBC's SIP Trunk
- Call Route - Calls from the SBC's SIP Trunk to Microsoft Teams
From Microsoft Teams to SBC's SIP Trunk
This Call Routing Table routes calls from Microsoft Teams.
- In the WebUI, click the Settings tab.
- In the left navigation page, access Call Routing Table.
Click the (
) icon at the top left corner and add a new Call Routing Table.Configure the Description as From Microsoft Teams and click OK.
From the left navigation pane, click on the Call Routing > Call Routing table.
Select From Microsoft Teams (the entry you just created).
- Click the ( ).
Configure the parameters as shown below. Leave all other parameters as default.
Click OK.
From SBC's SIP Trunk to Microsoft Teams
This Call Routing Table routes calls from the SBC's SIP Trunk and sent to Microsoft Teams.
To add and configure a new Call Routing Table:
- In the WebUI, click the Settings tab.
- In the left navigation page, access Call Routing Table.
Click the (
) icon at the top of left corner and add a new Call Routing Table.Configure the Description as Microsoft Phone system and click OK.
From the left navigation pane, click on the Call Routing > Call Routing table.
Select From SIP Trunk (the entry you just created).
- Click the ( ).
Configure the parameters as shown below. Leave all other parameters as default.
Click OK.
Update Signaling Groups for Call Route
The newly created Call Route must be associated to a Signaling Group as follows:
Associate Call Route to Signaling Group for Calls From Teams to SBC's SIP Trunk
- In the WebUI, click the Settings tab.
- In the left navigation page, access Signaling Groups > Teams Direct Routing.
- From the Call Routing Drop down list, select From Microsoft Teams.
Click OK.
Associate Call Route to Signaling Group for Calls from SBC's SIP Trunk to Teams
- In the WebUI, click the Settings tab.
- In the left navigation page, access Signaling Groups > SIP Trunk.
- From the Call Routing Drop down list, select From SIP Trunk.
Click OK.
Step 6: Configure SBC Edge when Microsoft Teams is in Media Bypass Mode
For Media Bypass, the following is supported:
- Deployment on a Public IP address
- Deployment behind NAT
Configure Signaling Group
Before configuring Outbound NAT Traversal, obtain the Public IP address for your network (the Public IP address specified in the screen graphic is an example only); configuration for NAT is required only if deployment is behind NAT.
- In the WebUI, click the Settings tab.
- In the left navigation page, access Signaling Groups
From the Create Signaling Group drop down box, select SIP Signaling Group.
Configure the parameters as shown below. Leave the default values for all other parameters.
Click OK.
The peer endpoint must support the a=rtcp-mux exchange in order for the RTP and RTCP ports to be multiplexed into one data port.
Step 7: Confirm the Configuration
Validate SIP Option
- Access the WebUI. Refer to Logging into the SBC Edge.
- In the left navigation pane, access Signaling Groups.
- For the signaling group configured for Microsoft Teams Direct Routing, click Counters.
- Confirm the number of Incoming and Outgoing SIP Options.
- Confirm the number of Incoming and Outgoing 2xx responses.
Step 8: Place a Test Call
Place a test call as follows: Access the WebUI. Refer to Logging into the SBC Edge. In the WebUI, click the Diagnostics tab. In the left navigation pane, click Test a Call. Configure the parameters as shown below. Click OK. The test call is now complete. For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.