In this section:
This Best Practice details the configuration required for interoperability between Ribbon SBC Edge (SBC 1000/2000 and SBC SWe Lite) and Microsoft Teams Direct Routing.
The intended audiences for this document are enterprises/partners that would like to begin testing with SBC Edge products within the Microsoft® sponsored Direct Routing public preview planned for mid-May 2018. For enterprises/partners testing SBC Edge products within the Microsoft-sponsored Direct Routing TAP (Technology Access Program), contact your Ribbon sales representative before undertaking any product software upgrades in response to this document.
Microsoft Teams Direct Routing with Media Bypass will be supported on the SBC Edge products in 2018.
Note: Direct Routing support is available on the SBC Core products immediately.
This Best Practice includes the configuration steps necessary for the SBC Edge and the Microsoft Teams Direct Routing Interface to interoperate; the connection of other entities, such as a SIP/TDM trunk or 3rd Party PBX and/or analog devices, are not included. For connection to additional equipment, refer to Ribbon documentation and search for a Best Practice that reflects the specific interoperability you want to achieve (i.e., FXS on SBC Edge, TDM on SBC Edge, etc.).
Microsoft Teams Direct Routing interface enables the Ribbon SBC Edge to connect to the Microsoft Teams. The SBC Edge can be connected to almost any telephony trunk or interconnect a 3rd party non-Teams client. The scenario enables the following:
Microsoft supports only validated devices (such as the Ribbon SBC Core and Edge) to connect to the Direct Routing interface.
The example below shows the connection topology, which includes the following:
The topology example below uses an SBC 1000/2000.
A Tenant is used within the Microsoft environment to describe an Office 365 organization; through this tenant, administrators can manage projects, users, and roles.
Consult the Microsoft documentation for the Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.
To locate the SBC Edge software version you are running, refer to Viewing the Software Version and Hardware ID.
Before you begin, ensure that you have the following for every SBC to be paired:
Public IP address
If you plan to use Media Bypass, Microsoft requires ICE Lite. ICE RFC 5245 requires a public IP address assigned on the SBC interface without NAT.
If you do not plan to use Media Bypass, ICE Lite is not required. The SBC can use a Public IP behind a NAT.
The SBC FQDN must be from one of the Domain names registered in “Domains” of the Tenant. The table below lists Domain Name examples.
Do not use the *.onmicrosoft.com tenant for the domain name.
Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.
Ensure you are running the latest SBC Edge Release:
Release | Specifications |
---|---|
7.0.3 or later | Does not support Media Bypass.* |
8.0.0 or later (available shortly) | Supports Media Bypass.* NOTE: If Release 8.0.0 is not generally available, contact your local Ribbon sales representative for early access options. |
*Teams Direct Routing With/Without Media Bypass - Example Below
To locate the SBC Edge software version you are running, refer to Viewing the Software Version and Hardware ID.
For the purposes of this documentation, the screens displayed are for an SBC 1000/2000; the interface configuration may vary slightly for the SBC SWe Lite. If configuration is not specified for a field, use the default value.
This section provides details on how to configure Ribbon SBC Edge for interoperating with Microsoft Teams Direct Routing.
In this document, the following are used as examples:
Public IP | FQDN | Certificate |
---|---|---|
192.168.211.80 | aepsite6.sonusMS01.com | GlobalSign |
Microsoft Teams Direct Routing only allows TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities.
Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows:
The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority.
Click Generate Sonus CSR.
Many CA's do not support a private key with a length of 1024 bits. Validate with your CA requirements and select the appropriate length of the key.
Enter data in the required fields.
Click OK. After the Certificate Signing request finishes generating, copy the result to the clipboard.
After receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows:
Validate the certificate is installed correctly.
Validate the certificate is installed correctly.
The Direct Routing interface has the DNS name sip.pstnhub.microsoft.com. On that interface, the certificate is signed by Baltimore CyberTrust Root with Serial Number: 02 00 00 b9 and SHA fingerprint: d4:de:20:d0:5e:66:fc: 53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74.
To trust this certificate, your SBC MUST have the certificate in Trusted Certificates storage.
Download the certificate from https://cacert.omniroot.com/bc2025.crt and use the steps above to import the certificate to the Trusted Root storage.
The TLS profile defines the crypto parameters for the SIP protocol.
Create a TLS profile as follows:
In the left navigation pane, go to Security > TLS Profiles.
Configure the parameters shown below. Leave all other parameters as default.
In the left navigation page, access System > Node-Level Settings.
Configure the NTP and DNS Server with the appropriate configuration.
Ensure the IP Routing Table contains the same information as in the network topology.
In the left navigation pane, go to Node Interfaces > Logical Interfaces.
Configure the parameters shown below:
The Media Next Hop IP field (available on SWe Lite only; not shown below) must be configured with the Default Gateway for this interface.
The SIP Profile enables configuration for parameters, such as SIP Header customization, option tags, etc.
Click the (
) icon at the top of left corner and add a new SIP profile.Configure parameters shown below:
The Media Crypto Profile defines the encryption mechanism to use between the SBC and the Microsoft Direct Routing Interface.
Add a Media Crypto Profile:
Configure the parameters as shown below. Leave all other parameters as default.
The Media List defines the codecs and if the crypto mechanism will be used.
Create a media Profile:
Configure the parameters as shown below. Leave all other parameters as default.
SIP server tables defines the information for the SIP interfaces connected to the Ribbon SBC; it must be configured to support the Microsoft Phone System.
Click the (
) icon at the top of left corner and add a new SIP Server Table.Configure the parameters as shown below. Leave all other parameters as default.
Configure the parameters of the SIP Server table:
Repeat the operation for the other two SIP Server entries. Leave all other parameters as default.
Configure Routing Logic per Ribbon Documentation. Refer to Working with Telephony Routing.
Click the (
) icon at the top left corner to add a new Transformation Table.Configure the parameters as shown below.
To add and configure a new Call Routing Table:
Click the (t the top of left corner and add a new Call Routing Table.
) icon aConfigure the parameters as shown below. Click OK.
From the left navigation pane, click on the Call Routing > Microsoft Phone System (the entry created in the last step).
Configure the parameters as shown below. Leave all other parameters as default.
Click OK.
For the SBC 1000-2000, from the Create Signaling Group drop down box, select SIP Signaling Group.
For the SWe Lite, click Add SIP SG.
Configure the parameters as shown below. Leave the default values for all other parameters.
Click OK.
When the remote peer forwards all the REFER messages without checking the destination, the SBC EDGE can be reconfigured to force the call through the remote peer. See below for configuration.
In the left navigation pane, go to SIP > Message Manipulation > Message Rule Table.
Create a new Message Rule Table configured as shown below.
Click Create Rule > Request Line Rule.
Configure the Request Line Rule as shown below.
Access the Signaling Group used for Teams.
Assign the Message Rule Table to the Teams Signaling Group as Inbound Message Manipulation.
Click the (
) icon at the top left corner to add a new Transformation Table.Configure as shown below.
In the Routing Table designated "From Teams," create a routing entry that points to the destination Teams Signaling Group (this must be the first routing entry in the list) and assign the newly created Transformation Table.
Place a test call as follows:
Click OK.
When forward PAI is enabled on the Tenant CsOnlinePSTNGateway, Microsoft adds a PAI and Privacy SIP header on the outbound call to the SBC. RFC 3325 defined the 'id' value for the Privacy header, which is used to request the network remove the P-Asserted-Identity header field.
Different behavior may be required, as follows:
The SBC Edge supports REFER and Re-Invites for call forwarding. To handle a scenario for when the remote peer forwards all the REFER messages without checking the destination, the SBC EDGE can be reconfigured to force the call through the remote peer.
For configuration, see Configure Forward Handling.