In this section:

Related articles:

 

Overview

The SBC Edge is certified to offer Microsoft Teams Direct Routing services, and used to connect any Teams client to:

  • A PSTN trunk, whether based on TDM (e.g. PRI, BRI, etc.), CAS, or SIP
  • 3rd-party, non-Teams-certified SIP/TDM based PBXs, analog devices, and SIP clients

These instructions detail how to connect the SBC Edge for Enterprise's migration from Skype for Business (SfB) On Premises to Microsoft Phone System (Teams). 

Network Topology - Skype for Business Server On-Premises Migration to Microsoft Phone System (Teams) Deployment

An enterprise may choose to deploy Teams Phone System services to clients using Skype for Business Server on-premises enterprise voice services. Two migrations scenarios exist: 

  • Uniquely On-Premises deployment only
  • Hybrid On-Premises deployment

Pre-Migration Uniquely On-Premises Deployment

All Skype for Business clients are homed to the On-Premises Skype for Business Server for voice services. No cloud-based VoIP services from Microsoft are used. A Ribbon SBC Edge device qualified for Skype for Business is deployed on the customer premises to support connectivity with the PSTN and legacy clients.

Enterprise Voice Network with Skype for Business Server On-Premises Services, Before Teams Direct Routing Migration

NOTE: The Ribbon SBC may be also deployed in an enterprise branch office and may feature a Skype for Business Survivable Branch Appliance (SBA) application (not shown).

Pre-Migration Hybrid On-Premises Deployment

Skype for Business clients are homed to the Cloud PBX for voice services. No CCE is deployed; the Skype for Business Server provides services analogous to those provided by the CCE. A Ribbon SBC Edge device qualified for Skype for Business and the Skype for Business Server (deployed on premises) to support connectivity with the PSTN and legacy clients.

 

Enterprise Voice Network with "Hybrid" Skype for Business Server On-Premises Services, Before Teams Direct Routing Migration

Post Migration - Hybrid and Uniquely On Premises Deployment

Following configuration, the Ribbon SBC Edge device offers certified Teams Phone System Direct Routing services to enterprise clients.

Enterprise Voice Network After Migration to Teams Direct Routing, Away From Skype for Business Server

 

Step 1: Install SBC Edge

These instructions assume the SBC Edge product (SBC SWe Lite, SBC 1000/2000) is installed and running. If the product is not installed, refer to the links below.

Installation Requirements

ProductInstallation
SBC SWe Lite

On KVM: Installing SBC SWe Lite on KVM Hypervisor

On VMware ESXi: Installing SBC SWe Lite on VMware ESXi

On Hyper-V: Installing SBC SWe Lite on Microsoft Hyper-V

SBC 1000

Prepare for Installation

Installing the SBC 1000 Hardware
SBC 2000

Prepare for Installation
Installing the SBC 2000 Hardware

Step 2: Review Prerequisites for Microsoft Teams Direct Routing


Microsoft Teams Direct Routing Configuration

Consult the Microsoft documentation for detailed information on Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.

SBC Edge Software

Ensure you are running the latest version of SBC software:

Obtain IP Address and FQDN

Requirements for configuring the SBC Edge in support of Teams Direct Routing include:

SBC Edge Requirements

RequirementHow it is Used

Public IP address of NAT device (must be Static)*

Private IP address of the SBC

Required for SBC Behind the NAT deployment.

Public IP address of SBCRequired for SBC with Public IP deployment.
Public FQDN The Public FQDN must point to the Public IP Address.

*NAT translates a public IP address to a Private IP address.


Domain Name

For the SBC Edge to pair with Microsoft Teams, the SBC FQDN domain name must match a name registered in both the Domains and DomainUrlMap fields of the Tenant. Verify the correct domain name is configured for the Tenant as follows:

  1. On the Microsoft Teams Tenant side, execute Get-CsTenant.
  2. Review the output.
  3. Verify that the Domain Name configured is listed in the Domains and DomainUrlMap attributes for the Tenant. If the Domain Name is incorrect or missing, the SBC will not pair with Microsoft Teams.

Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.

Domain Name Examples

Domain Name*Use for SBC FQDN?FQDN Names - Examples
SonusMS01.com(tick)

Valid names:

  • aepsite6.SonusMS01.com

hybridvoice.org

(tick)

Valid names:

  • sbc1. hybridvoice.org
  • ussbcs15. hybridvoice.org
  • europe. hybridvoice.org

Non-Valid name:

sbc1.europe.hybridvoice.org (requires registering domain name europe. hybridvoice.org in “Domains” first)

*Do not use the *.onmicrosoft.com tenant for the domain name.

Configure Domain Names - Example

 

Obtain Certificate

Public Certificate

The Certificate must be issued by one of the supported certification authorities (CAs). Wildcard certificates are supported.

Configure and Generate Certificates on the SBC

Warning: Common Encryption Certificate Issues Arise from Missing Root Certificates
  • Did you only install the CA-signed SBC certificate, along with the intermediate certificate(s) sent by your issuing CA?
  • Did you get the following error message from the SBC?




If so, the likely reason is a missing CA Root Certificate. The SBC does not have any pre-installed CA root X.509 certificates, unlike typical browsers found on your PC. Ensure the entire certificate chain of trust is installed on the SBC, including the root certificate. Acquire the CA root certificate as follows:

  1. Contact your system administrator or certificate vendor to acquire the root, and any further missing intermediate certificate(s) to provision the entire certificate chain of trust within the SBC;
  2. Load the root certificate, along with the intermediate and SBC certificates, according to Importing Trusted Root CA Certificates.

NOTE: Root certificates are easily acquired from the certificate authorities. For example, the root certificate for the GoDaddy Class 2 Certification Authority may be found at https://ssl-ccp.godaddy.com/repository?origin=CALLISTO . For more information about root certificates, intermediate certificates, and the SBC server (“leaf”) certificates, refer to this tutorial.

For other certificate-related errors, refer to Common Troubleshooting Issues with Certificates in SBC Edge.

Microsoft Teams Direct Routing allows only TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities.

Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows:

  • Generate a Certificate Signing Request (CSR) and obtain the certificate from a supported Certification Authority.
  • Import the Public CA Root/Intermediate Certificate on the SBC.
  • Import the Microsoft CA Certificate on the SBC.
  • Import the SBC Certificate.

The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority.

Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)

Many CA's do not support a private key with a length of 1024 bits. Validate with your CA requirements and select the appropriate length of the key.

  1. Access the WebUI.
  2. Access Settings > Security > SBC Certificates.

  3. Click Generate SBC Edge CSR.

  4. Enter data in the required fields.

  5. Click OK. After the Certificate Signing request finishes generating, copy the result to the clipboard.


    Generate Certificate Signing Request

  6. Use the generated CSR text from the clipboard to obtain the certificate. 

Step 2: Deploy the SBC and Root/Intermediate Certificates on the SBC

After receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows:

  1. Obtain Trusted Root and Intermediary signing certificates from your certification authority.
  2. Access the WebUI.
  3. To install Trusted Root Certificates, click Settings > Security > SBC Certificates > Trusted Root Certificates.
  4. Click Import and select the trusted root certificates.
  5. To install the SBC certificate, open Settings > Security > SBC Certificates > SBC Primary Certificate.

  6. Validate the certificate is installed correctly.

    Validate Certificate

  7. Click Import  and select X.509 Signed Certificate.

  8. Validate the certificate is installed correctly.

    Validate Certificate

Firewall Rules

Ribbon recommends the deployment of the SBC Edge product behind a firewall, within the DMZ, regardless of the assignment of a public IP to the SBC in question. Refer to SBC Edge Security Hardening Checklist for more information about the SBC and firewalls.

This section lists the ports, protocols and services for firewalls that are in the path of the SBC connecting to Teams Direct Routing.

Basic Firewall Rules for All Call Flows

Inbound Public (Internet to SBC)

  • SIP TLS: TCP 5061*

  • Media for SBC 1000: UDP 16384-17584**
  • Media for SBC 2000: UDP 16384-19384*
  • Media for SBC SWe Lite: UDP 16384-21384
Outbound Public (SBC to Internet)

  • DNS: TCP 53

  • DNS: UDP 53

  • NTP: UDP 123

  • SIP TLS: TCP 5061

  • Media: UDP 49152-53247

Public Access Information

The tables below represent ACL (Access Control List) examples that protect the SBC Edge. When using Easy Configuration Teams related wizards in an Enterprise deployment, these attributes are automatically provisioned. If you are manually configuring the SBC Edge as part of a Microsoft Teams Direct Routing migration scenario (for example Skype for Business or CCE), you must manually configure these ports. For details on ACLs, refer to Creating and Modifying Rules for IPv6 Access Control Lists.

Public Access In - Requirements

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Outbound DNS Reply

TCP

Allow

0.0.0.0/0

53

SBC/32

0-65535

Outbound DNS Reply

UDP

Allow

0.0.0.0/0

53

SBC/32

0-65535

Outbound NTP Reply

UDP

Allow

0.0.0.0/0

123

SBC/32

123

Outbound SIP Reply

TCP

Allow

0.0.0.0/0

5061

SBC/32

1024-65535

Inbound SIP Request

TCP

Allow

0.0.0.0/0

1024-65535

SBC/32

5061*

Inbound Media Helper

UDP

Allow

52.112.0.0/14

49152-53247

SBC/32

16384-17584**

Deny All

Any

Deny

0.0.0.0/0


0.0.0.0/0


Public Access Out - Requirements

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Outbound DNS Request

TCP

Allow

SBC/32

0-65535

0.0.0.0/0

53

Outbound DNS Request

UDP

Allow

SBC/32

0-65535

0.0.0.0/0

53

Outbound NTP Request

UDP

Allow

SBC/32

0-65535

0.0.0.0/0

123

Outbound SIP Request

TCP

Allow

SBC/32

0-65535

0.0.0.0/0

5061

Inbound SIP Reply

TCP

Allow

SBC/32

5061*

0.0.0.0/0

1024-65535

Outbound Media Helper

UDP

Allow

SBC/32

16384-17584**

52.112.0.0/14

49152-53247

Deny All

Any

Deny

0.0.0.0/0


0.0.0.0/0


* Define in Tenant configuration

** SBC SWe Lite does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC.

Firewall Rules for the SBC with Media Bypass

Apply the following firewall rules below:

The Teams Client IP address cannot be predicted. As a result, allow Any IP (0.0.0.0/0).

Inbound Public (Internet to SBC) 

Media for SBC 1000: UDP 17586-21186**

Media for SBC 2000: UDP 19386-28386**

Outbound Public (SBC to Internet)

Media: UDP 50000-50019

If the device that handles the NAT between the Teams Client and SBC Public IP is performing PAT (Port Address Translation), verify that this device has the source port range of the Teams Client media or open all the ports from 1024 to 65535.

For SBC behind NAT, the firewall should allow access between the firewall IP and the NAT device's IP.

For SBC not using NAT, there must be access between the firewall and the SBC's Public IP.

Public Access

The tables below represent ACL (Access Control List) examples that protect the SBC Edge; these ACL attributes are automatically provisioned if the Teams-related Easy Configuration wizards are used (applies to the greenfield deployment scenario only).

Public Access In - Requirements (Media Bypass Scenario)

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Inbound Media Bypass Helper

UDP

Allow

0.0.0.0/0

1024-65535

SBC/32

16384-21186**

Public Access Out - Requirements (Media Bypass Scenario)

Description

Protocol

Action

Src IP Address

Src Port

Dest IP Address

Dest Port

Outbound Media Bypass Helper

UDP

Allow

SBC/32

16384-21186**

0.0.0.0/0

1024-65535

* Define in Tenant configuration

** SBC SWe Lite does not require this rule to be created since Media ports are opened as needed. This rule is required only for SBC 1000, SBC 2000 and then depends of the Media Port paired configured in the SBC.

Step 3: Configure Direct Routing from Skype for Business Server On-Premises

These instructions configure the Tenant to connect (pair) the SBC to the Microsoft Direct Routing Interface.

  1. Access PowerShell. Refer to the PowerShell documentation.
  2. Connect to the Tenant via Powershell.

  3. Configure the Microsoft Phone system Voice routing. As part of this process, use the following command to create an Online PSTN Gateway that points to the SBC:

    New-CsOnlinePSTNGateway -Fqdn <SBC FQDN> -SipSignallingPort <SBC SIP Port> -MaxConcurrentSessions <Max Concurrent Session which SBC capable handling> -Enabled $true

  4. Configure the Teams usage for the user:

    Get-CsOnlineUser -Identity user1@domain.com 
Grant-CsOnlineVoiceRoutingPolicy -PolicyName "GeneralVRP" -Identity user1@domain.com 
Grant-CsTeamsCallingPolicy -PolicyName AllowCalling -Identity user1@domain.com 
Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity user1@domain.com

Step 4: Configure TCP and TLS between SBC Edge and Skype for Business Server

For configuring TCP and TLS between the SBC Edge and Skype for Business server, there are two migration types:

  • Migration from Hybrid On-Premises Deployment
  • Migration from Uniquely On-Premises Deployment

See below for which migration applies to your network.

Migration from Hybrid On-Premises Deployments

These instructions apply to enterprises with a Hybrid On-Premises for Skype for Business on-premises deployment.

Using TCP between SBC and Skype for Business Server

Follow instructions posted below for basic Teams configuration (Step 5).

For a successful migration, if the SBC is deployed with a private FQDN into Skype for Business On-Premises, do not change the SBC Hostname and Domain. Use the Public FQDN on the new SIP profile only.

Using TLS between SBC and Skype for Business Server

Note

When you configure the SBC Edge for Microsoft Teams Direct Routing and use TLS between SfB and the SBC, do not configure the Node-Level Settings because SfB uses the SBC default FQDN.

Note

When you create the SIP Profile for the SBC Edge for Microsoft Teams Direct Routing and use TLS between SfB and the SBC, SfB uses the SBC default FQDN. Since SfB uses the SBC default FQDN, set the FQDN in From Header and FQDN in Contact Header fields to Static and enter the public FQDN used for Microsoft Teams in the Static Host FQDN/IP field.

  • For SBC Using Publicly-Owned Domain Name

Follow instructions posted below for basic Teams configuration (Step 5).

If the SBC is deployed with a private FQDN in the Skype for Business Server, do not change the SBC Hostname and Domain. Use the Public FQDN on the new SIP profile only.

  • For SBC Using Non-Owned Public Domain Name
    Caution

    One TLS port can be attached to only one TLS profile. If your SfB deployment uses TLS 5061 as the Federated port, you must modify this Federated port to use a port other than 5061. To modify the Federated port, you must update the IP/PSTN Gateway's Listen Port of the SfB On-Premise topology and the Federated port of the SfB signaling group.

    If you cannot modify your SfB On-Premise topology, you can modify the port that Microsoft Teams Direct Routing uses. Make sure you update the Firewall, ACL, and Federated port of the Teams Signaling Group and Online PSTN Gateway.

Configure a domain name owned by the enterprise through the basic SBC Edge configuration (see Step 5).

Migration from Uniquely On-Premises Deployments

These instructions apply to enterprises with a Uniquely On-Premises for Skype for Business Server deployment.

  1. Enable split domain. For details, refer to: Configure Hybrid connectivity between Skype for Business Server and Office 365.

  2. Move On-Premises users to Skype Online. For details, refer to: Move users between On-Premises and Cloud.

  3. Follow the process related to hybrid on premises deployments as described Migrations from Hybrid On-Premises Deployments.

Step 5: Configure SBC Edge for Microsoft Teams Direct Routing


These instructions assume the SBC Edge is installed and running, and is connected to the WebUI.

For the purposes of this documentation, the screens displayed are for an SBC 1000/2000; the interface configuration may vary slightly for the SBC SWe Lite. If configuration is not specified for a field, use the default value.

Access the SBC Edge WebUI

Access the WebUI. Refer to Logging into the SBC Edge.

Configure TLS Profile

The TLS profile defines the crypto parameters for the SIP protocol; it is used as the transport type for incoming and outgoing SIP trunks.

Configure a TLS profile as follows:

  1. In the WebUI, click the Settings tab.

  2. In the left navigation pane, go to Security > TLS Profiles.

  3. Click the Create TLS Profile () icon at the top of the TLS Profile page. The Create TLS Profile page is displayed.

  4. Configure the parameters as shown below (example values are shown in the table; configure as per your network requirements). For details on field descriptions, refer to Creating and Modifying TLS Profiles.

  5. Leave all other parameters as default.

  6. Click OK.

    TLS Configuration - Example Values

    ParameterExample Value
    DescriptionTeams Direct Routing TLS
    TLS ProtocolTLS 1.2 Only
    Client Cipher List

    Select at least one of the following Microsoft/Ribbon common cyphers must be configured:

    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Validate Client FQDNDisabled

    TLS - Example

Configure Host Information and DNS

The Host Information and DNS configuration contains system information that is used by the SBC Edge, including host, domain, and NTP server information.

  1. In the WebUI, click the Settings tab.

  2. In the left navigation page, access System > Node-Level Settings. The Node-Level Settings page is displayed.

  3. Configure the NTP and DNS Servers with network-specific data.

  4. Leave all other parameters as default.

  5. Click Apply.

    TLS Configuration - Example Values

    ParameterExample Value
    Host Nameaepsite6
    Domain NameSonusMS01.com
    Use NTPYes
    NTP ServerSpecifies the FQDN, IPv4, or IPv6 address of the NTP server. If the host name is supplied, the SBC uses the DNS to connect to the NTP server.
    Use Primary DNSYes
    Primary Server IPXXX.XXX.XX.XXX

    Node-level Settings - Example

Configure Logical Interface

The SBC Edge supports system-supported Logical Interfaces, which are used to hold the IP address for each Ethernet port. One of these logical interfaces is assigned an IP address for transporting the VoIP media packets (i.e., RTP, SRTP) and protocol packets (i.e, SIP, RTCP, TLS). In this example, Ethernet 1 is configured for transporting packets for the Microsoft Teams Direct Routing connection.

Ensure the IP Routing Table contains the same information as in the network topology.

  1. In the WebUI, click the Settings tab.

  2. In the left navigation pane, go to Node Interfaces > Logical Interfaces.

  3. Configure the parameters as shown below (example values are shown in the table; configure as per your network requirements). For details on field descriptions, refer to Configuring and Modifying Logical Interfaces.

  4. Leave all other parameters as default.

  5. Click Apply.

    Logical Interfaces Configuration - Example Values

    ParameterExample Value
    AliasTo Microsoft Phone 5

    Description

    Interface to Interconnect with Microsoft Phone System

    Admin Interface

    Enable

    IP Assign Method

    Static

    Primary Address

    <Public IP of your SBC> (in the example 192.168.211.80)

    Primary Netmask

    <Mask of Public Interface of your SBC> (in the example 255.255.255.0)

    Logical Interfaces - Example

Create SIP Profile

The SIP Profile controls how the SBC Edge communicates with SIP devices; the profile controls important characteristics such as: session timers, SIP header customization (including FQDN), SIP timers, MIME payloads, and option tags .A SIP Profile also defines which FQDN (Fully Qualified Domain Name) is used in the Contact Header and From Headers.  For interconnecting with Microsoft System Direct Routing, two SIP Profiles are required:

  • Teams Direct Routing Profile
  • SIP Trunk Profile


Create Teams Direct Routing Profile

Create a SIP Profile for the Teams Direct Routing Profile as follows:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access SIP > SIP Profiles.

  3. Click the ( ) icon at the top of left corner and add a new SIP profile.

  4. Configure the parameters as shown below (example values are shown in the table; configure as per your network requirements). For details on field descriptions, refer to Creating and Modifying SIP Profiles.

  5. Leave all other parameters as default.

  6. Click OK.

    SIP Profile Configuration - Example Values

    Parameter

    Example Value

    Description

    Teams Direct Routing Profile

    FQDN in From Header

    SBC Edge FQDN

    FQDN In Contact Header

    SBC FQDN

    NOTE: For Microsoft Teams, the Signaling Group facing the Teams server must be configured as SBC Edge FQDN or Static (if there is more than one signaling group connected to Teams Direct Routing). The FQDN in Contact Header should be the same FQDN used in Office 365 Tenant Online Gateway. If the IP Address of the SBC is configured in the Contact Header instead of the FQDN of the SBC, a Forbidden message is received.

    Origin Field Username

    <FQDN of SBC> (in the example aepsite6.SonusMS01.com)

    SIP Profile - Example


Create SIP Trunk Profile

Create a SIP Profile for the SBC Edge's SIP Trunk as follows:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access SIP > SIP Profiles.

  3. Click the ( ) icon at the top of left corner and add a new SIP profile.

  4. Configure the parameters as shown below (example values are shown in the table; configure as per your network requirements). For details on field descriptions, refer to Creating and Modifying SIP Profiles.

  5. Leave all other parameters as default.

  6. Click OK.

    SIP Profile Configuration - Example Values

    Parameter

    Example Value

    Description

    SIP Trunk Profile

    FQDN in From Header

    Disable

    FQDN In Contact Header

    Disable

    Origin Field UsernameSBC

    SIP Profile - Example

Create SDES-SRTP Profile

The SDES-SRTP Profile defines the encryption mechanism used between the SBC and the Microsoft Teams Direct Routing interface; the Crypto Suite specifies the algorithm used to negotiate with a peer device.

Create a SDES-SRTP Profile as follows:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Media > SDES-SRTP.
  3. Click the ( ) icon at the top left corner and add a new SDES-SRTP Profile.

  4. Configure the parameters as shown below. For details on field descriptions, refer to Creating and Modifying SIP Profiles.

  5. Leave all other parameters as default.

    Media Crypto Profile Configuration - Example Values

    Parameter

    Example Value

    Description

    Teams Direct Routing SRTP

    Operation Option

    Required

    Crypto Suite

    AES_CM_128_HMAC_SHA1_80

    Media Crypto Profile - Example

Create Media List

The Media List contains one or more of Media Profiles, which the SBC Edge uses for call transmission. A Media Profile specifies the individual voice codecs the SBC Edge uses for voice compression, voice quality, and associated settings.

Create a Media List for Teams Direct Routing as follows:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Media > Media List.
  3. Click the ( ) icon at the top left corner and add a new Media List.

  4. Configure parameters as shown below. For details on field descriptions, refer to Creating and Modifying Media Lists.

  5. Leave all other parameters as default.

    Media List Configuration - Example Values

    Parameter

    Example Value

    Description

    Teams Direct Routing Media List

    Media Profiles List

    In the Media Profiles List field, click Add/Edit. G711a and G711u are the default Media Profiles.

    • G711a
    • G711u

    NOTE: See Microsoft documentation for the list of codecs supported by Microsoft.

    SDES-SRTP Profile

    Teams Direct Routing SRTP. This profile was created in the previous step.

    Media List - Example

Configure a SIP Server Table

SIP server tables define the information for the SIP interfaces connected to the SBC Edge; a SIP Server Table is required to support the Microsoft Phone System. For interconnecting with Microsoft System Direct Routing, two SIP Profiles are required:

  • Teams Direct Routing Server 
  • SIP Trunk Server 

Create a Teams Direct Routing Server

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access SIP > SIP Server Tables

  3. Click the ( ) icon at the top left corner and add a new SIP Server Table.

  4. For Description, enter Teams Direct Routing Server.

  5. Click OK.

    Create SIP Server Table

Configure Entries in the Teams Direct Routing Server

The information you configure in the SIP Server table pairs the SBC Edge to the Microsoft Teams Direct Routing interface. Three entries in the SIP Server table offer server redundancy to ensure a server is always up and communicating. If a server is down or not communicating, the SBC Edge will automatically move to the next Server entry on the list. 

Configure Teams Direct Routing Server entries as follows:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access SIP > SIP Server Tables.
  3. Select the name of the table created in the previous step.
  4. From the Create SIP Server drop down list, select IP/FQDN.

  5. Repeat this configuration for two additional SIP Server entries, using the field entries below. For details on field descriptions, refer to Creating and Modifying Entries in SIP Server Tables.

    SIP Server 1 Table - Example Values

    Parameter

    Value

    Priority

    1

    Host

    sip.pstnhub.microsoft.com

    Port

    5061

    Protocol

    TLS

    TLS Profile

    Teams Direct Routing TLS

    Monitor

    SIP Options

    SIP Server 1 - Example Values

    SIP Server 2 Table - Example Values

    Parameter

    Value

    Priority

    2

    Host

    sip2.pstnhub.microsoft.com

    Port

    5061

    Protocol

    TLS

    TLS Profile

    Teams Direct Routing TLS

    Monitor

    SIP Options

    SIP Server 2 - Example Values

     

    SIP Server 3 Table - Example Values

    Parameter

    Value

    Priority

    3

    Host

    sip3.pstnhub.microsoft.com

    Port

    5061

    Protocol

    TLS

    TLS Profile

    Microsoft Phone System

    Monitor

    SIP Options

    SIP Server 3 - Example Values

Create a SIP Trunk Server

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access SIP > SIP Server Tables

  3. Click the ( ) icon at the top left corner and add a new SIP Server Table.

  4. For Description, enter SIP Trunk Server.

  5. Click OK.

    Create SIP Server Table

Configure an Entry in the SIP Trunk Server

Configure a SIP Trunk Server entry as follows:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access SIP > SIP Server Tables.
  3. Select the name of the table created in the previous step.
  4. From the Create SIP Server drop down list, select IP/FQDN.

  5. Leave the remaining fields as default. For details on field descriptions, refer to Creating and Modifying Entries in SIP Server Tables.

  6. Click OK.

    SIP Trunk Server - Example Values

    Parameter

    Value

    Priority

    1

    Host

    Host FQDN for SBC

    Port

    5060

    Protocol

    UDP

    Monitor

    None

    SIP Trunk Server - Example Values

Create Transformation Table and Entries

This Transformation Table contains a list of call routes that include routing configuration for calls from Microsoft Teams and SIP Trunk. Two Transformation tables are required:

  • For Calls from Microsoft Teams
  • For Calls from SBC's SIP Trunk

Calls From Microsoft Teams to SBC's SIP Trunk

This Transformation Table contains a list of call routes that include routing configuration for calls from Microsoft Teams to SBC's SIP Trunk.

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Call Routing > Transformation

  3. Click the ( ) icon at the top left corner to add a new Transformation Table.

  4. For Description, enter From Microsoft Teams

  5. Click OK.

    Create Transformation Table

  6. In the left navigation panel, select the new table:  Transformation > From Microsoft Teams: Passthrough.

  7. Click the Create ( ) icon.

  8. Configure the parameters as shown below. Leave the default values for all other parameters.

  9. Click OK.

    Transformation Entries - Example Values

    Parameter

    Value

    DescriptionFrom Microsoft Teams: Passthrough
    Match TypeMandatory (Must Match)
    Input FieldType: Called Address/Number
    Value: (.*)
    Output FieldType: Called Address Number
    Value: \1

    Transformation Entry - Example

     

    Transformation Table - Entry Added

Calls From SBC's SIP Trunk to Microsoft Teams

This Transformation Table contains a list of call routes that include routing configuration for calls from the SBC's SIP Trunk to Microsoft Teams.

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Call Routing> Transformation

  3. Click the ( ) icon at the top left corner to add a new Transformation Table.

  4. For Description, enter From SIP Trunk.

  5. Click OK.

    Create Transformation Table

  6. In the left navigation panel, select the new table:  Transformation > From SIP Trunk:  Passthrough.

  7. Click the Create ( ) icon.

  8. Configure the parameters as shown below. Leave the default values for all other parameters.

  9. Click OK.

    Transformation Entries - Example Values

    Parameter

    Value

    Description

    From SIP Trunk: Passthrough

    Match Type

    Mandatory (Must Match)

    Input Field

    Type: Called Address/Number

    Value: (.*)

    Output Field

    Type: Called Address Number

    Value: \1

    Transformation Table Entry

    Transformation Table - Entry Added

Create Signaling Groups

Signaling groups allow telephony channels to be grouped together for the purposes of routing and shared configuration. In the case of SIP, they specify protocol settings and link to server, media and mapping tables. For Teams Direct Routing, you configure the Signaling Group to designate routing information for calls between SBC Edge and the Microsoft Phone System. Two Signaling Groups are required:

  • Signaling Group - Calls from Microsoft Teams to SBC's SIP Trunk
  • Signaling Group - Calls from SBC's SIP Trunk to Microsoft Teams
Note

For the Skype for Business to Microsoft Teams migration, do not configure the Listen Ports table of the Skype for Business signaling group with the same Listen Ports of the Microsoft Teams signaling group.

Calls From Microsoft Teams to SBC's SIP Trunk

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Signaling Groups

  3. From the Create Signaling Group drop down box, select SIP Signaling Group.

  4. Configure the parameters as shown below. Leave the default values for all other parameters.

  5. Click OK.

    Signaling Group Configuration - Example Values

    Parameter

    Value

    Description

    From Microsoft Teams

    SIP Profile

    Teams Direct Routing Profile

    Media List ID

    Team Direct Routing List

    Signaling Media/Private IP

    Ethernet 1 (example, choose the interface which faces Microsoft Teams Direct Routing)

    Listen Port

    5061 TLS

    Federated IP/FQDN

    sip-all.pstnhub.microsoft.com

    SIP server table

    Teams Direct Routing Server

    Load Balancing

    Priority: Register All

    SIP Profile

    Microsoft Phone System (from previous step)

    Call Routing Table

    Default

    Outbound NAT Traversal*Static NAT

    NAT Public IP*

    IP Address (Only required if “Static NAT” is selected)

    Static NAT InboundDisabled (this field should not be configured for Non-Media Bypass Teams deployment)
    *Outbound NAT Traversal and the NAT Public IP is required when the SBC is behind a NAT (the public IP address of the NAT device is required when the SBC has a Private IP).

    Signaling Group - Example



Calls from SBC's SIP Trunk to Microsoft Teams

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Signaling Groups

  3. From the Create Signaling Group drop down box, select SIP Signaling Group.

  4. Configure the parameters as shown below. Leave the default values for all other parameters.

  5. Click OK.


    Signaling Group Configuration - Example Values

    Parameter

    Value

    Description

    From SIP Trunk

    SIP Profile

    SIP Trunk

    Media List ID

    SIP Trunk List

    Signaling Media/Source IP

    Ethernet 2 (example, choose the interface which faces the SIP Trunk)

    Listen Port

    5060 UDP

    Federated IP/FQDN

    		IP Address

    SIP Server table

    SIP Trunk Server

    Load Balancing

    Round Robin

    SIP Profile

    SIP Trunk

    Call Routing Table

    Default

    Outbound NAT Traversal*None

    NAT Public IP*

    IP Address (Only required if “Static NAT” is selected)

    Static NAT InboundDisabled (this field should not be configured for Non-Media Bypass Teams deployment)

    *Outbound NAT Traversal and the NAT Public IP is required when the SBC is behind a NAT (the public IP address of the NAT device is required when the SBC has a Private IP).

    Signaling Group - Example

Create Call Routing Tables

Two Call Routing Tables for transporting calls between the SBC's SIP Trunk and Microsoft Teams are required:

  • Call Route - Calls from Microsoft Teams to SBC's SIP Trunk
  • Call Route - Calls from the SBC's SIP Trunk to Microsoft Teams

From Microsoft Teams to SBC's SIP Trunk

This Call Routing Table routes calls from Microsoft Teams.

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Call Routing Table.

  3. Click the () icon at the top left corner and add a new Call Routing Table.

    Create Call Routing Table

  4. Configure the Description as From Microsoft Teams and click OK.

  5. From the left navigation pane, click on the Call Routing > Call Routing table.

  6. Select From Microsoft Teams (the entry you just created).

  7. Click the ().

  8. Configure the parameters as shown below. Leave all other parameters as default.

  9. Click OK.

    Call Routing Table Configuration - Example

    Parameter

    Value

    Description

    To SIP Trunk (Passthrough)

    Number/Name Transformation Table

    From Microsoft Teams: Passthrough (select Transformation Table you created above)

    Destination Signaling Groups

    Choose the Signaling Group of a local equipment.

    Call Routing Table - Example

From SBC's SIP Trunk to Microsoft Teams

This Call Routing Table routes calls from the SBC's SIP Trunk and sent to Microsoft Teams.

To add and configure a new Call Routing Table:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Call Routing Table.

  3. Click the () icon at the top of  left corner and add a new Call Routing Table.

    Create Call Routing Table

  4. Configure the Description as Microsoft Phone system and click OK.

  5. From the left navigation pane, click on the Call Routing > Call Routing table.

  6. Select From SIP Trunk (the entry you just created).

  7. Click the ().

  8. Configure the parameters as shown below. Leave all other parameters as default.

  9. Click OK.

    Call Routing Table Configuration - Example

    Parameter

    Value

    Description

    To Microsoft Teams (Passthrough)

    Number/Name Transformation Table

    From SIP Trunk: Passthrough (select Transformation Table you created above)

    Destination Signaling Groups

    Choose the Signaling Group for Microsoft Teams Direct Routing

    Call Routing Table - Example

Update Signaling Groups for Call Route

The newly created Call Route must be associated to a Signaling Group as follows:

Associate Call Route to Signaling Group for Calls From Teams to SBC's SIP Trunk

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Signaling Groups > Teams Direct Routing.
  3. From the Call Routing Drop down list, select From Microsoft Teams.

  4. Click OK.

    Select Call Routing Table - Teams Direct Routing

Associate Call Route to Signaling Group for Calls from SBC's SIP Trunk to Teams

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Signaling Groups > SIP Trunk.
  3. From the Call Routing Drop down list, select From SIP Trunk.

  4. Click OK.

    Select Call Routing Table - From SIP Trunk

Step 6: Configure SBC Edge when Microsoft Teams is in Media Bypass Mode

Non-Media Bypass vs. Media Bypass Deployment


Non-Media Bypass

Non-Media Bypass is Microsoft Teams Direct Routing related deployment where all media flows between Teams clients in the enterprise and the SBC transit the Teams Phone System based in the Azure cloud.

Teams Direct Routing - Without Media Bypass


Media Bypass

Media Bypass is a Microsoft Teams Direct Routing deployment where all media flows between Teams clients in the enterprise connect directly to the SBC without transiting the Teams Phone System.

If Microsoft Teams is in Media Bypass mode, you must configure the SBC Edge as detailed in this section (if Microsoft Teams is not in Media Bypass mode, this configuration is not required).

For Media Bypass, the following is supported:

  • Deployment on a Public IP address
  • Deployment behind NAT

Configure Signaling Group 

Before configuring Outbound NAT Traversal, obtain the Public IP address for your network (the Public IP address specified in the screen graphic is an example only); configuration for NAT is required only if deployment is behind NAT.

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Signaling Groups

  3. From the Create Signaling Group drop down box, select SIP Signaling Group.

  4. Configure the parameters as shown below. Leave the default values for all other parameters.

  5. Click OK.

    Signaling Group Configuration - Example Values

    Parameter

    Value

    RTCP MultiplexingEnable
    ICE SupportEnabled
    ICE ModeLite
    Outbound NAT Traversal*Static NAT
    NAT Public IP (Signaling/Media)*Public Address for the NAT device assigned on the media port for your network
    Static NAT InboundDisabled (this field should not be configured for Media Bypass Teams deployment)

    *Outbound NAT Traversal and the NAT Public IP is required when the SBC is behind a NAT (the public IP address of the NAT device is required when the SBC has a Private IP).

    The peer endpoint must support the a=rtcp-mux exchange in order for the RTP and RTCP ports to be multiplexed into one data port.

    SIP Signaling Group - Example

Step 7: Confirm the Configuration

Validate SIP Option

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, access Signaling Groups.
  3. For the signaling group configured for Microsoft Teams Direct Routing, click Counters.
  4. Confirm the number of Incoming and Outgoing SIP Options.
  5. Confirm the number of Incoming and Outgoing 2xx responses.

Incoming and Outgoing Counters


Step 8: Place a Test Call

Place a test call as follows:

  1. Access the WebUI. Refer to Logging into the SBC Edge.

  2. In the WebUI, click the Diagnostics tab.

  3. In the left navigation pane, click Test a Call.

  4. Configure the parameters as shown below.

  5. Click OK. 

    Place a Test Call - Parameters

    Parameter

    Value

    Destination Number

    Number assigned to a Teams user.

    Origination/Calling Number

    Number assigned to a Local user.

    Call Routing Table

    The routing table that handles the call from Microsoft Teams.

     

    Test a Call - Configuration

    Place a Test Call - Example

     

The test call is now complete. For troubleshooting steps, refer to Best Practice - Troubleshoot Issues with Microsoft Teams Direct Routing.