In this section:

Related articles:

Overview

The SBC Edge is certified to offer Microsoft Teams Direct Routing services; the SBC Edge can be used to connect any Teams client to:

  • A PSTN trunk, whether based on TDM (e.g. PRI, BRI, etc.), CAS, or SIP
  • 3rd-party, non-Teams-certified SIP/TDM based PBXs, analog devices, and SIP clients

These instructions detail how to configure the SBC Edge (SBC 1000/2000 and SBC SWe Edge) deployed with a Microsoft partner (sells telephony services delivered to Microsoft Teams) to connect Microsoft Teams Direct Routing services for multiple independent enterprise customers (Tenants). A Tenant is used within the Microsoft environment as a single independent enterprise that has subscribed to Office 365 services; through this Tenant, administrators manage projects, users, and roles. Refer to Configure a Session Border Controller for multiple Tenants for Microsoft partner requirements in support of multiple Tenants.

Network Topology - SBC Edge Deployed in a Microsoft Partner Network to Connect Microsoft Teams Direct Routing for Multiple Tenants

The network diagram below shows an SBC Edge device deployed at the Microsoft partner data center, including communication between:

  • Tenants and the enterprise's legacy PBX based clients, and
  • Tenants and the PSTN supported by the Microsoft partner.


Ribbon SBC Edge at Microsoft Partner Data Center Supporting Multiple Tenants


Microsoft offer an advanced solution called "Carrier/Derived Trunk" that allows the Partner to control specific parameters on the end-user Tenants (list of codecs, port to use, Media Bypass activation, and such). This advance solution requires the following:



  • Requires all the Derived Trunks (used by end customer) being a subdomain of the Carrier Trunk.
  • Requires all Derived Trunks (used by end customer) to use Carrier Wild card certificate.
  • Requires all the Derived Trunk (used by end customer) being configured with the same PSTN Gateway parameter (Codec, Max Call allowed, Media Bypass, and such).

For more information, refer to: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-sbc-multiple-tenants.

How Call Traffic Routes between the SBC Edge and Microsoft Teams Tenants

The network topology supported are detailed below.

Topology 1 - ITSP Aggregation for all Teams Tenants

This network topology is referred to as "Microsoft Teams Direct Routing Carrier." This topology enables the partner to offer Microsoft Teams external calling capability to the end customer. Usually the partner owns the ITSP contract. For lower cost routing, the partner can choose to have more than one ITSP; routing is then decided based on destination, time of the day, and such.

Routing Summary for ITSP Aggregation

  


Topology 2 - ITSP Segregation per Teams Tenant

This network topology is referred to as "Teams Direct Routing Bring your Own Trunk." This topology enables the partner to offer the SBC management to the end customer. Usually the end customer owns the ITSP contract; only a specific Tenant can use the associated ITSP.

ITSP Segregation per Teams Tenant

 


Step 1: Install SBC Edge (if required)

These instructions assume the SBC Edge Portfolio product ( SBC SWe Edge , SBC 1000/2000) is installed and running. If the product is not installed, refer to the links below.

Installation Requirements

ProductInstallation

SBC SWe Edge

On KVM: Installing SBC SWe Edge on KVM Hypervisor

On VMware ESXiInstalling SBC SWe Edge on VMware ESXi

On Hyper-V: Installing SBC SWe Edge on Microsoft Hyper-V

SBC 1000

Prepare for Installation

Installing the SBC 1000 Hardware
SBC 2000

Prepare for Installation
 Installing the SBC 2000 Hardware

Step 2: Prerequisites


Microsoft Teams Direct Routing Configuration

Consult the Microsoft documentation for detailed information on Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.

SBC Edge Software

Ensure you are running the latest version of SBC software:

Obtain IP Address and FQDN

Requirements for configuring the SBC Edge in support of Teams Direct Routing include:

SBC Edge Requirements

RequirementHow it is Used

Public IP address of NAT device (must be Static)*

Private IP address of the SBC

Required for SBC Behind the NAT deployment.

Public IP address of SBCRequired for SBC with Public IP deployment.
Public FQDN The Public FQDN must point to the Public IP Address.

*NAT translates a public IP address to a Private IP address.

Domain Name

For the SBC Edge to pair with Microsoft Teams, the SBC FQDN domain name must match a name registered in both the Domains and DomainUrlMap fields of the Tenant. Verify the correct domain name is configured for the Tenant as follows:

  1. On the Microsoft Teams Tenant side, execute Get-CsTenant.
  2. Review the output.
  3. Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes for the Tenant. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.

Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.

Domain Name Examples

Domain Name*Use for SBC FQDN?FQDN Names - Examples
SonusMS01.com(tick)

Valid names:

hybridvoice.org

(tick)

Valid names:

Non-Valid name:

sbc1.europe.hybridvoice.org (requires registering domain name europe. hybridvoice.org in “Domains” first)

*Do not use the *.onmicrosoft.com tenant for the domain name.

Configure Domain Names - Example


Obtain Certificate

Public Certificate

The Certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.

Configure and Generate Certificates on the SBC

Warning: Common Encryption Certificate Issues Arise from Missing Root Certificates
  • Did you only install the CA-signed SBC certificate, along with the intermediate certificate(s) sent by your issuing CA?
  • Did you get the following error message from the SBC?




If so, the likely reason is a missing CA Root Certificate. The SBC does not have any pre-installed CA root X.509 certificates, unlike typical browsers found on your PC. Ensure the entire certificate chain of trust is installed on the SBC, including the root certificate. Acquire the CA root certificate as follows:

  1. Contact your system administrator or certificate vendor to acquire the root, and any further missing intermediate certificate(s) to provision the entire certificate chain of trust within the SBC;
  2. Load the root certificate, along with the intermediate and SBC certificates, according to Importing Trusted Root CA Certificates.

NOTE: Root certificates are easily acquired from the certificate authorities. For example, the root certificate for the GoDaddy Class 2 Certification Authority may be found at https://ssl-ccp.godaddy.com/repository?origin=CALLISTO . For more information about root certificates, intermediate certificates, and the SBC server (“leaf”) certificates, refer to this tutorial.

For other certificate-related errors, refer to Common Troubleshooting Issues with Certificates in SBC Edge Portfolio.

Microsoft Teams Direct Routing allows only TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities.

Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows:

  • Generate a Certificate Signing Request (CSR) and obtain the certificate from a supported Certification Authority.
  • Import the Public CA Root/Intermediate Certificate on the SBC.
  • Import the Microsoft CA Certificate on the SBC.
  • Import the SBC Certificate.

The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority.

Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)

Many CA's do not support a private key with a length of 1024 bits. Validate with your CA requirements and select the appropriate length of the key.

  1. Access the WebUI.
  2. Access Settings > Security > SBC Certificates.

  3. Click Generate SBC Edge CSR.

  4. Enter data in the required fields.

  5. Click OK. After the Certificate Signing request finishes generating, copy the result to the clipboard.

  6. Use the generated CSR text from the clipboard to obtain the certificate. 

Step 2: Deploy the SBC and Root/Intermediate Certificates on the SBC

After receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows:

  1. Obtain Trusted Root and Intermediary signing certificates from your certification authority.
  2. Access the WebUI.
  3. To install Trusted Root Certificates, click Settings > Security > SBC Certificates > Trusted Root Certificates.
  4. Click Import and select the trusted root certificates.
  5. To install the SBC certificate, open Settings > Security > SBC Certificates > SBC Primary Certificate.

  6. Validate the certificate is installed correctly.

  7. Click Import  and select X.509 Signed Certificate.

  8. Validate the certificate is installed correctly.

Firewall Rules

Ribbon recommends the deployment of the SBC Edge product behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Portfolio Security Hardening Checklist for more information about the SBC and firewalls.

This section lists the ports, protocols and services for firewalls that are in the path of the SBC connecting to Teams Direct Routing.

Basic Firewall Rules for All Call Flows

Inbound Public (Internet to SBC)

  • SIP TLS: TCP 5061*

  • Media for SBC 1000: UDP 16384-17584**
  • Media for SBC 2000: UDP 16384-19384*
  • Media for SBC SWe Edge: UDP 16384-21384
Outbound Public (SBC to Internet)

  • DNS: TCP 53

  • DNS: UDP 53

  • NTP: UDP 123

  • SIP TLS: TCP 5061

  • Media: UDP 49152-53247

Public Access Information

The tables below represent ACL (Access Control List) examples that protect the SBC Edge. When using Easy Configuration Teams related wizards in an Enterprise deployment, these attributes are automatically provisioned. If you are manually configuring the SBC Edge as part of a Microsoft Teams Direct Routing migration scenario (for example Skype for Business or CCE), you must manually configure these ports. For details on ACLs, refer to Creating and Modifying Rules for IPv6 Access Control Lists.

Public Access In - Requirements

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Outbound DNS Reply

TCP

Allow

0.0.0.0/0

53

SBC/32

0-65535

Outbound DNS Reply

UDP

Allow

0.0.0.0/0

53

SBC/32

0-65535

Outbound NTP Reply

UDP

Allow

0.0.0.0/0

123

SBC/32

123

Outbound SIP Reply

TCP

Allow

0.0.0.0/0

5061

SBC/32

1024-65535

Inbound SIP Request

TCP

Allow

0.0.0.0/0

1024-65535

SBC/32

5061*

Inbound Media Helper

UDP

Allow

52.112.0.0/14

52.120.0.0/14

49152-53247

SBC/32

16384-17584**

Deny All

Any

Deny

0.0.0.0/0


0.0.0.0/0


Public Access Out - Requirements

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Outbound DNS Request

TCP

Allow

SBC/32

0-65535

0.0.0.0/0

53

Outbound DNS Request

UDP

Allow

SBC/32

0-65535

0.0.0.0/0

53

Outbound NTP Request

UDP

Allow

SBC/32

0-65535

0.0.0.0/0

123

Outbound SIP Request

TCP

Allow

SBC/32

0-65535

0.0.0.0/0

5061

Inbound SIP Reply

TCP

Allow

SBC/32

5061*

0.0.0.0/0

1024-65535

Outbound Media Helper

UDP

Allow

SBC/32

16384-17584**

52.112.0.0/14

52.120.0.0/14

49152-53247

Deny All

Any

Deny

0.0.0.0/0


0.0.0.0/0


* Define in Tenant configuration

** SBC SWe Edge does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC.

Firewall Rules for the SBC with Media Bypass

Apply the following firewall rules below:

The Teams Client IP address cannot be predicted. As a result, allow Any IP (0.0.0.0/0).

Inbound Public (Internet to SBC) 

Media for SBC 1000: UDP 17586-21186**

Media for SBC 2000: UDP 19386-28386**

Outbound Public (SBC to Internet)

Media: UDP 50000-50019

If the device that handles the NAT between the Teams Client and SBC Public IP is performing PAT (Port Address Translation), verify that this device has the source port range of the Teams Client media or open all the ports from 1024 to 65535.

For SBC behind NAT, the firewall should allow access between the firewall IP and the NAT device's IP.

For SBC not using NAT, there must be access between the firewall and the SBC's Public IP.

Public Access

The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).

Public Access In - Requirements (Media Bypass Scenario)

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Inbound Media Bypass Helper

UDP

Allow

0.0.0.0/0

1024-65535

SBC/32

16384-21186**

Public Access Out - Requirements (Media Bypass Scenario)

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Outbound Media Bypass Helper

UDP

Allow

SBC/32

16384-21186**

0.0.0.0/0

1024-65535

* Define in Tenant configuration

** SBC SWe Edge does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC.





Wildcard Certificate

Microsoft Teams Direct Routing in support of multiple Tenants requires wildcard certificate support to protect the Microsoft partner's SBC FQDN and Tenant's SBC FQDN (that is, SAN=myMicrosoftPartner.com, SAN=*.myMicrosoftPartner.com). The SBC Edge products fully support wildcard certificates.

SBC Edge Configuration for Microsoft Teams Direct Routing 

These instructions assume the SBC Edge has been configured for Microsoft Teams Direct Routing through the Easy Configuration wizard. For details on Easy Configuration, refer to: Working with SBC Easy Configuration.

OR

  • For SBC Edge Previously Configured for Microsoft Teams Direct Routing: Move to Step 3.

Step 3: Configure each Tenant

The SBC Easy Configuration wizard configures the SBC Edge for one Tenant; additional Tenants subscribed to Microsoft Office 365 services (Microsoft Teams Direct Routing) must be configured manually with the configuration items below. For documentation purposes, the following terms are used in the configuration examples.

Configuration Used in This Document

ConfigurationExample used in this document
SBC FQDN for Microsoft partnermyMicrosoftPartner.com
SBC FQDN for Tenanttenant2.myMicrosoftPartner.com
Microsoft descriptionMicrosoft Phone System
Tenant Name

Microsoft Phone System Tenant 2

Access the WebUI

You must access the SBC Edge's WebUI to configure the items below. To access the WebUI, refer to: Logging into the SBC Edge Portfolio.

Topology 1 - Configure the SBC for ITSP Aggregation for all Teams Tenants

To implement ITSP Aggregation, the SBC configuration must contain the following:

  • Call traffic from the ITSP to Microsoft Teams uses a single SIP Signaling Group to Teams Direct Routing. The destination Tenant is included in the Transformation table; each Microsoft Teams Tenant requires a dedicated Transformation Entry that matches the Microsoft Online PSTN Gateway created on the Microsoft Teams Tenant.
  • Call traffic from Microsoft Teams to ITSP uses the default call route to the ITSP.


Multi Tenant Routing on SBC Edge with ITSP Aggregation


Create a Transformation entry for the call from ITSP to the new Tenant

In the SBC, configure a Transformation table entry for Teams Direct Routing (Entry #2 on previous diagram). This entry will match the input of the new end customer number and configure the proper Teams Tenant output.

  1. In the WebUI, click the Settings tab.

  2. In the left navigation page, access Call Routing > Transformation.

  3. Select the Transformation Table called From Microsoft Teams: Passthrough (the entry created in the Easy Configuration Wizard).
  4. Click the () icon.

  5. Configure the parameters as shown below. Leave all other parameters as default.

  6. Click OK. 
    Transformation Entry Tenant 2 Configuration - Example

    ParameterExample Value

    Description

    To Microsoft Phone System Tenant 2 (example name)

    Match TypeOptional

    Input Type

    Called Address/Number

    Input Value

    <Enter Tenant 2 Phone Number > (\+151048512\d{2})

    Output Type

    		SIP: Contact Domain

    Output Value

    		tenant2.myMicrosoftPartner.com

     

    Transformation Entry Tenant 2 - Example

Topology 2 - Configure the SBC for ITSP Segregation per Teams Tenant

To implement ITSP Segregation, the SBC configuration must contain the following:

  • Call traffic from the ITSP to Microsoft Teams uses the single SIP Signaling Group to Teams Direct Routing. The destination Tenant is used in the Transformation table. Each Microsoft Teams Tenant requires a dedicated Transformation Entry that matches the Microsoft Online PSTN Gateway created on the Microsoft Teams Tenant.
  • Call traffic from Microsoft Teams to the SBC Edge is aggregated onto the single SIP Signaling Group for all Tenants. The Call Routing Table associated with this SIP Signaling Group is configured to distribute the traffic to a specific ITSP, based on the original tenant (SIP: R-URI Domain).


Multi Tenant Routing on SBC Edge with ITSP Segregation

The instructions below require that you have created the SIP Signaling Group, SIP Server Table, Call Routing Table, and Transformation Table for the new ITSP. For details, refer to the following:


Create a Transformation entry for the call from ITSP to the new Tenant

  1. In the WebUI, click the Settings tab.

  2. In the left navigation page, access Call Routing > Transformation.

  3. Click on the Transformation Table > From SIP Trunk 2: Passthrough (the entry created when you added your ITSP 2 configuration).
  4. Click the () icon.

  5. Configure the parameters as shown below. Leave all other parameters as default.

  6. Click OK. 
    Transformation Entry Tenant 2 Configuration - Example

    ParameterExample Value

    Description

    From ITSP 2 To Microsoft Phone System Tenant 2 (example name)

    Match TypeOptional

    Input Type

    Called Address/Number

    Input Value

    (.*)

    Output Type

    		SIP: Contact Domain

    Output Value

    		tenant2.myMicrosoftPartner.com


    Transformation Entry Tenant 2 - Example

Create a New Transformation Table for the call from the new Tenant to ITSP 2

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Call Routing > Transformation.

  3. Click the () icon at the top left corner to add a new Transformation Table.

  4. Configure the parameters as shown below and click OK. For details on parameter definitions, refer to Creating and Modifying Transformation Tables.
    Transformation Table - Example Values

    ParameterExample Value

    Row ID

    Assigned by the system

    Description

    From Microsoft Phone System Tenant 2 To ITSP 2

     

    Create Transformation Table

  5. From the left navigation pane, click on the Transformation > From Microsoft Phone System Tenant 2 To ITSP 2 (the entry created in the last step).
  6. Click the () icon.

  7. Configure the parameters as shown below. Leave all other parameters as default.

  8. Click OK. 
    Transformation Entry Tenant 1 Configuration - Example

    ParameterExample Value

    Description

    To ITSP 2 (example name)

    Match TypeMandatory

    Input Type

    SIP: R-URI Domain

    Input Value

    		(tenant2.myMicrosoftPartner.com):5061

    Output Type

    		SIP: R-URI Domain

    Output Value

    		\1


    Transformation Entry Tenant 2 - Example

Add New Routing Table Entry for the Call from the new Tenant to ITSP 2

The Easy Configuration process (used for initial configuration) creates the first connection to Teams Direct Routing. This configuration also creates two Call Routing Tables for transporting calls between the SBC's SIP Trunk and Microsoft Teams:

From SIP Trunk. Calls from SIP Trunk to Teams.

From Microsoft Team. Calls from Teams to SIP Trunk.

For calls to be routed from an individual Tenant to the proper ITSP, an entry must be added to the From Microsoft Teams Routing table (this Routing Table was created as part of Easy Configuration) for each Tenant. Add an entry in the From Microsoft Teams Call Routing table for each Tenant as follows:

  1. In the WebUI, click the Settings tab.

  2. From the left navigation pane, click on the Call Routing table. Click on the From Microsoft Teams Call Routing Table.  

  3. Click the () icon to add an entry.

  4. Configure the parameters as shown below. Leave all other parameters as default. For details on parameter definitions, refer to Creating and Modifying Entries to Call Routing Tables.

  5. Click OK. 
    Call Routing Entry - Example Values

    Parameter

    Example Value

    Description

    To ITSP 2

    Number/Name Transformation Table

    From Microsoft Phone System Tenant 2 To ITSP 2

    Destination Signaling Groups

    ITSP 2 (from the previous steps)

     

    Create Call Routing Entry - Example

Step 4: Confirm SBC Edge Links to Microsoft Teams

  1. Access the WebUI. Refer to Logging into the SBC Edge.
  2. Click Monitor.
  3. Under each newly created Signaling Group (created for each Tenant), confirm the channels are green. For details on channel status, refer to Monitoring Real Time Status.

For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.

Step 5: Place a Test Call

Place a test call as follows:

  1. Access the WebUI. Refer to Logging into the SBC Edge.

  2. In the WebUI, click the Diagnostics tab.

  3. In the left navigation pane, click Test a Call.

  4. Configure the parameters as shown below.

  5. Click OK. 

    Place a Test Call - Parameters

    Parameter

    Value

    Destination Number

    Number assigned to a Teams user.

    Origination/Calling Number

    Number assigned to a Local user.

    Call Routing Table

    The routing table that handles the call from Microsoft Teams.


     Test a Call - Configuration


    Place a Test Call - Example

The test call is now complete. For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.