In this section:
There are multiple network methods to deploy the Ribbon SBC MS Teams SIP trunking support.
In ESBC Public WAN IP Deployment, the SBC’s WAN interface can be configured with a public IP directly to the perimeter security device and firewall filter rules for the ports required applied to the firewall policy or placed directly on the public network.
The SBC’s WAN interface is protected by its own firewall and dynamically assigns RTP/SRTP ports for the duration of the SIP session from an array of configurable ports.
Also, the SBC is configured in a private DMZ deployment with a public IPv4 address provided by the perimeter security device. In this model the perimeter security device must not provide NAT or PAT to the public IPv4 address forwarded to the SBC. This will be the model chosen for the SBC’s configuration discussed in the document.
ESBC Public WAN IP Deployment
Configuring the SBC’s WAN and LAN IP Addresses
The system default LAN IP is 192.168.1.1 with username 'root' and password 'default'.
Attach LAN Port 1 of the system to the LAN network or directly to the management computer for the first-time IP networking setup.
The system will prompt you to change the default password.
The password change is confirmed. Click the link provided to log in with the new password.
Once you log in, the landing page appears. Here the VOS version is 16.3.1.
Select Network from the Configuration Menu on the left-hand side.
Configure the LAN Interface Settings.
Configure the WAN Interface and Default Gateway Settings.
- Configure the Primary and the Secondary DNS to a DNS server capable of resolving the required Microsoft Teams FQDNs and select Submit. The system will now apply the networks settings. After network configuration takes place, it may be necessary to reconnect to the system at the new LAN IP address.
Creating a CSR
Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA). Refer to Microsoft documentation for certificate information.
This step discusses how to create a certificate signing request (CSR) to be signed by an approved certificate authority, which are listed at CCADB documentation. The certificate is used by the SBC for TLS SIP signaling support to MS Teams. This signed certificate will be applied to the WAN interface of the system.
Many CAs do not support a private key with a length of 1024 bits. Validate the CSR with your CA requirements and select the appropriate length of the key.
Choose Security > Certificates from the Configuration Menu on the left-hand side.
On the Create a Certificate pane, enter the data for the fields displayed.
Creating the CSR
Parameter
Example Configuration Value Certificate Name Arbitrary name
(alphanumeric characters only)Certificate Type SSL Key Size 2048 Certificate Authority Certificate Signing Request (CSR) Country Name (2 letter code) us State or Province (full name) ca Locality Name (for example: City) San Jose Organization (for example: Company) Ribbon CommunicationsOrganization Unit support Common Name sbc1.rbbn.com
Note: This name must be identical to the name configured as the PSTN gateway, New-CsOnlinePSTNGateway, value.Email support@rbbn.com Password Password is optional and should not be set for MS Teams. Password (Verify) Password is optional and should not be set for MS Teams. Click Download to download the CSR certificate and key file and save this to the management computer.
Open the .csr file with an application like Notepad and copy the complete certificate request.
Configure the signed certificate on the system by using the Add a Certificate pane on the Certificates page and click Add Certificate. The signed certificate must use the .key file from the CSR generation.
Add the SBC Signed Certificate
Parameter
Example Configuration Value Certificate Name SBC_Cert Arbitrary name (alphanumeric characters only) Certificate Type SSL Select Certificate File SBC_Cert.crt Select Key File SBC1rbbnCSR.key Password Password is optional and should not be set for MS Teams. Download the root CA on the system and click Add Certificate.
Add the Root CA
Parameter
Example Configuration Value Certificate Name ROOTca
Arbitrary name (alphanumeric characters only)Certificate Type CA Certificate Select Certificate File certROOT.crt Select Key File No File Selected
Note: No key file is required for a root CA.Password Password is optional and should not be set for MS Teams. Select Submit All to save the certificates to the system.
The certificates are now displayed and available to be assigned to system services.
Configuring the SBC’s VoIP Settings
Select VoIP from the Configuration Menu on the left-hand side.
Configure the system’s VoIP settings.
Parameter
Example Configuration Value
Enable LLDP:
Enabled (default)
LLDP-MED with tagged VLAN:
Enabled (default)
LLDP Broadcast Interval (sec):
30 (default)
TFTP Server IP address:
Disabled
Use ALG Alias IP Addresses:
Disabled
Public NAT WAN IP address:
Public WAN IPv4 address when using a 1-to-1 NAT configuration
Private NAT LAN IP address:
Private LAN IPv4 address when using a 1-to-1 NAT configuration
Do strict RTP source check:
Disabled
Enable Client List lockdown:
Disabled
Allow Shared Usernames:
Disabled
Strip G.729 from calls:
Disabled
UDP
UDP System Port:
5060,5070,5075 (default)
UDP
UDP System Source Port:
5060 (default)
UDP
REGISTER restricted to port:
0 (default)
UDP
Block UDP support on WAN:
Disabled
TCP
TCP System Port:
5060 (default)
TCP
TCP Connection Timeout (m):
10 (default)
TCP
Block TCP support on WAN:
Disabled
TLS
TLS System Port:
5061
TLS
TLS Protocol:
TLSv1.2
TLS
Use only selected version:
Disabled
TLS
Ciphers String:
TLSv1.2+HIGH:!eNULL:!aNULL
TLS
LAN:
Certificate: Default
Policy: No Check
TLS
WAN:
Certificate: SBC_Cert
Policy: No Check
TLS
Block TLS support on WAN:
Disabled
TLS
Exclude sips headers for TLS Transport:
Enabled
TLS
Set TLS source port:
Disabled
NAT Traversal
Disabled
Route all SIP signalling through B2BUA:
Enabled
Enable Microsoft Feature:
Enabled
Enable Comfort Noise Generation (CNG):
Enabled
Enable User-Agent header pass-through:
Disabled
B2BUA Redirect Support (302):
Disabled
Enable PANI Header Support:
Disabled
Enable B2BUA Session Timer Support:
Enabled
Session Refresh Interval (s):
1800
Enable SRTP support:
Enabled
Enable MKI support:
Set as required to match the MKI setting selected in the MS Teams configuration
SRTP Key Life Time (2^):
32
H.225/H.245 Port Range:
14085-15084 (default)
RTP Port Range: 16386-18385 (default)
RTP Packetization Time (ms): 20 Enable multi-ports: Disabled Multi-port Port Range: 22000 – 22999 (default) Prioritize Microsoft Teams: Disabled (default) This should be enabled if MS Teams client, present/exists on the LAN side of EM and if EM needs to prioritize the Voice traffic from Teams client. Calculate RTT: Enabled (default) RTCP MUX support: Disabled (default) Disabled – Edgemarc will operate in Direct Routing mode
Configure the SIP Server Settings for the SIP trunking service parameters.
Configuring SIP Server Settings Parameters
Parameter
Example Configuration Value
SIP Server Address
SIP Server Port
5060 (Verify with your SIP trunking provider which SIP port to configure).
If the FQDN resolves to a different port for the SIP Server Address the system will use the port returned in the DNS query response.
SIP Server Transport
UDP
Enable SRTP
Disabled
Use Custom Domain:
Disabled
SIP Server Domain:
Not set
List of SIP Servers:
None
Enable Multi-homed Outbound Proxy Mode:
Disabled
Enable Transparent Proxy Mode:
Disabled
Limit Outbound to listed SIP Servers:
Disabled
Limit Inbound to listed SIP Servers:
Disabled
Include UPDATE In Allow:
Enabled
PRACK Support:
Enabled
GEOLOCATION Support:
Enabled
Call Audit Support:
Disabled
Stale client time (m):
1440 (default)
Force Hairpinning of RTP:
Disabled
SDP Codec Operation:
Allow only given codecs
SDP Section that will be modified:
Audio
Codecs (comma separated list):
PCMU,PCMA,CN,telephone-event
Reject when No Match Codec:
Enabled
Strip Matched Expressions:
SIP Use New Port On Hold Resume:
Disabled
Priority Number 1:
Priority Number 2:
Priority Number 3:
Priority Number 4:
Not set
- Click Submit to apply changes.
Configuring the B2BUA and Header Manipulation rules
This step discusses how to configure a B2BUA trunking device to the WAN side of the system for MS-Teams support. Header manipulation rules will be used to modify the headers required for interoperability to/from MS-Teams and to/from the SIP trunking provider.
Choose VoIP > SIP > B2BUA from the Configuration Menu on the left-hand side.
Add a B2BUA Trunking Device for the MS Teams cloud servers and click Update. Then, scroll to the bottom and click Submit.
Configuring the First B2BUA Trunk
Parameter
Example Configuration Value
Name:
Teams1
Arbitrary name (alpha/numeric characters only)
Model:
Microsoft Teams
Address(IP/FQDN):
Use DNS SRV:
Not set for MS-Teams
Port:
5061
Transport:
TLS
SRTP:
Mandatory
Source FQDN:
(This name must be identical to the name configured as the SIP provider PSTN gateway)
Ignore alias source:
Disabled for most deployments
Not used for MS-Teams
Authenticate Registration:
Disabled
SIP ICE-Support:
None – Use None for Direct Routing deployments
Lite – use Lite for Media-Bypass deployments.
Configuring the Second B2BUA Trunk
Parameter Example Configuration Value Name:
Teams2
Arbitrary name (alpha/numeric characters only)
Model:
Microsoft Teams
Address(IP/FQDN):
Use DNS SRV:
Not set for MS-Teams
Port:
5061
Transport:
TLS
SRTP:
Mandatory
Source FQDN:
(This name must be identical to the name configured as the SIP provider PSTN gateway)
Ignore alias source:
Disabled
Not used for MS-Teams
Authenticate Registration:
Disabled
SIP ICE-Support:
None – Use None for Direct Routing deployments
Lite – use Lite for Media-Bypass deployments.
Configuring the Third B2BUA Trunk
Parameter Example Configuration Value Name:
Teams3
Arbitrary name (alpha/numeric characters only)
Model:
Microsoft Teams
Address(IP/FQDN):
Use DNS SRV:
Not set for MS-Teams
Port:
5061
Transport:
TLS
SRTP:
Mandatory
Source FQDN:
(This name must be identical to the name configured as the SIP provider PSTN gateway)
Ignore alias source:
Disabled
Not used for MS-Teams
Authenticate Registration:
Disabled
SIP ICE-Support:
None – Use None for Direct Routing deployments
Lite – use Lite for Media-Bypass deployments.
Create a routing group for the MS Teams servers with the Trunking Group Availability function.
Configuring the Routing Group
Parameter Example Configuration Value Group Name
TeamsGroup
N/A
State
Display Only
Keep Alive
Enabled
Load Balance
Optional
Invite Failover
Enabled
Trust Enabled
Enabled
Trusted List
52.112.0.0/14;52.120.0.0/14
(note support for sip-all.pstnhub.microsoft.com has been discontinued by Microsoft.
This FQDN should be removed if previously configured)Members for Group:
TeamsGroup
Keep Alive Interval:
60 (default)
Error Response:
Not Set
From User:
Not Set
To User:
Not Set
Backoff on No Response
Enabled
Regular with max. Interval:
Enabled
0sec (default)
Random with max. Interval:
N/A
N/A
Failover upon Invite Responses:
503
Fallback with auto keep alive
Not Selected
Fallback Interval:
Enabled
60(s) (default)
*1 - When configuring Teams, the subnet masks 52.112.0.0/14 and 52.120.0.0/14 are automatically added to the trusted list. As of VOS version 16.3.1, entering sip-all.pstnhub.microsoft.com is no longer required. Existing references to the FQDN should be removed. For more information about Microsoft's deprecation of sip-all.pstnhub.microsoft.com, refer to https://docs.microsoft.com/en-us/microsoftteams/direct-routing-plan#microsoft-365-office-365-and-office-365-gcc-environments
- Choose VoIP > SIP > B2BUA from the Configuration Menu on the left-hand side. Header manipulation rules are used to modify the headers required for interoperability to-and-from MS Teams and to-and-from the SIP trunking provider.
- Scroll down to Actions and add the actions mentioned in the following steps, and associated HMR rules.
- The first Actions is “ToTeams”. This rule has an associated “Match” rule for calls going to Teams.
- Configure the parameters in the actions pane.
- Configure each Header Value one at a time and click Add before creating the next rule.
Click Update and then click Submit to save the action.
NoteIn the example given in the following table, the dialing code +1 is used in reference to the USA. Change it to the dialing code of the country of your choice.
Configuring the ToTeams Action
Parameter
Example Configuration Value
Name:
ToTeams
Arbitrary name (alpha/numeric characters only)
Send To:
TeamsGroup
Prioritize:
Not used for MS-Teams
Refer to Re-INVITE:
Enabled
Serial Hunting:
Not used for MS-Teams
E.164 Conversion rule:
None
Conversion mode:
Add (default)
Request-URI
'sip:+1' + $to.uri.user + '@' +
$env.target_domain + ':' + $env.target_port + ';user=phone'
From
'<sip:+1' + $from.uri.user + '@' +
$env.target_src_domain + ':' +
$env.target_port + ' ;user=phone>'
To
$to.dispname + '<sip:+1' + $to.uri.user + '@'
+ $env.target_domain + ':' + $env.target_port
+ ';user=phone>'
Contact
'<sip:+1' + $from.uri.user + '@' +
$env.target_src_domain + ':' +
$env.out_intf_port + ';transport=TLS>' +
$contact.parameter
- Configure the parameters in the actions pane.
- Configure each Header Value one at a time and click Add before creating the next rule.
Click Update and then click Submit to save the action.
The second action is FromTeams2ServerAnonymous. This rule has an associated “Match” rule for calls with “Anonymous” in the SIP URI. For example, when a Teams caller is blocking their number, the SIP From URI will have the following format:Configuring the FromTeams2ServerAnonymous Action
Parameter Example Configuration Value Name FromTeams2ServerAnonymous
Arbitrary name (alphanumeric characters only)Send To Trunking Device None Prioritize Not used for MS Teams Refer to Re-INVITE Enabled Serial Hunting Not used for MS Teams E.164 Conversion rule None Conversion mode Add (default) Header Example Value Request-URI
'sip:' + substr($request.uri.user, 2, 0) + '@' + $env.available_domain + ':' +
$env.available_port
From
$from.dispname + ' <sip:' +
$from.uri.user + '@' + $env.out_intf_host
+ ':' + $env.out_intf_port + '>'
To
$to.dispname + ' <sip:' + substr($to.uri.user, 2, 0) + '@' +
$env.available_domain + ':' +
$env.available_port + '>'
Contact
$from.dispname + ' <sip:' +
$from.uri.user + '@' + $env.out_intf_host
+ ':' + $env.out_intf_port + '>' +
$contact.parameter
P-Asserted-Identity
$pai?'<sip:' + substr($pai, 7, 10) + '@' +
$env.out_intf_host + ':' +
$env.out_intf_port + '>'
Other
Privacy
'id'
From: "Anonymous"sip:anonymous@anonymous.invalid:5060.
This rule allows anonymous calls inbound from Teams to the SIP trunking provider.To add a new action click anywhere in the New Entry bar.
The third action will be “FromTeams2Server”, this rule will have an associated “Match” rule for calls outbound from Teams to the SIP Trunking provider for destination call routing. This example uses a “P-Asserted-Identity” header string which is common to many SIP trunking providers, please verify with your trunking provider “if” they require these SIP headers or other header requirements to interoperate with their SIP service.
To add a new Action click anywhere in the “New Entry bar.
Configure the parameters in the actions pane.
Configure each Header Value one at a time and click Add before creating the next rule.
Click Update and then click Submit to save the action.
Configuring the FromTeams2Server Action
Parameter Example Configuration Value Name FromTeams2Server
Arbitrary name (alphanumeric characters only)Send To Trunking Device None Prioritize Not used for MS Teams Refer to Re-INVITE Enabled Serial Hunting Not used for MS Teams E.164 Conversion rule None Conversion mode Add (default) Header Example Value Request-URI
'sip:' + substr($request.uri.user, 2, 0) + '@'
+ $env.available_domain + ':' +
$env.available_port
From
$from.dispname + ' <sip:' + substr($from.uri.user, 2, 0) + '@' +
$env.out_intf_host + ':' + $env.out_intf_port
+ '>'
To
$to.dispname + ' <sip:' + substr($to.uri.user, 2, 0) + '@' +
$env.available_domain + ':' +
$env.available_port + '>'
Contact
$from.dispname + ' <sip:' + substr($from.uri.user, 2, 0) + '@' +
$env.out_intf_host + ':' + $env.out_intf_port
+ '>' + $contact.parameter
P-Asserted-Identity
$pai?'<sip:' + substr($pai, 7, 10) + '@' +
$env.out_intf_host + ':' + $env.out_intf_port
+ '>'
History-info
$history-info?' <sip:' + replace($history- info.uri.user, '+1', '' ) + '@' +
$env.out_intf_host + ':' + $env.out_intf_port
+ '>;reason=unknown;counter=1' + ‘,’+$history-info#1?' <sip:' + replace($history- info#1.uri.user, '+1', '' ) + '@' +
$env.out_intf_host + ':' + $env.out_intf_port
+ '>;reason=unknown;counter=1'
- The next action will be “Teams2Analog”, this rule will have an associated “Match” rule for calls inbound from Teams to an analog line in the EdgeMarc.
To add a new Action click anywhere in the “New Entry bar.
a. Configure the parameters in the actions pane.
b. Configure each Header Value one at a time and click Add before creating the next rule.
c. Click Update then click Submit to save the Action.
Configuring the Teams2AnalogAnonymous Action
Parameter
Example Configuration Value
Name:
Teams2AnalogAnonymous
Arbitrary name (alpha/numeric characters only)
Send To:
Trunking Device:
EW_UA
Prioritize:
Not used for MS-Teams
Refer to Re-INVITE:
Enabled
Serial Hunting:
Not used for Skype for Business
E.164 Conversion rule:
None
Conversion mode:
Add (default)
Header
Example Value
Request-URI
'sip:' + substr($request.uri.user, 2, 0) + '@' + $env.target_host + ':' + $env.target_port
From
$from.uri.user +' <sip:' + substr($from.uri.user, 2, 0) + '@' + $env.out_intf_host + ':' + $env.out_intf_port + '>'
To
$to.dispname + ' <sip:' + substr($to.uri.user, 2, 0) + '@' + $env.target_host + ':' + $env.target_port + '>'
Contact
$from.dispname + ' <sip:' + substr($from.uri.user, 2, 0) + '@' +
$env.out_intf_host + ':' + $env.out_intf_port
+ '>' + $contact.parameter
9. Scroll down to the “Match” pane to configure the patterns you wish to match to the actions just created. The match function provides dial plan routing to Actions and relate to the direction the call is coming from, this could be from Teams or from the SIP trunking provider. The examples given in this section will use a dial plan of 555.1000-1099 to provide basic knowledge of how to apply your dial plan to the previously created Actions.
The example will use an “Redirect” rule from Teams as “+1.”, by default Teams will add this to the beginning of every outbound call going to the SBC for SIP trunk routing. This rule is mapped to the Action.”FromTeams2Server” which will remove the +1 from the SIP message and then perform the other header modifications before forwarding the SIP message to the trunking provider. If you’ve configured Teams to not add the +1 then modify the “FromTeams2Server” Action and other header manipulation rules that reference +1 and remove the reference.
The +1. (dot ) portion of the string matches one or more digits this (dot) will allow dialed destinations greater than 10 or 11 digits to be called. If international calling is desired, please verify the MS-Teams voice route to the SBC also includes pattern matches to accommodate international calling. 911, 411 and any other dial plans must also be considered as a SBC or MS-Teams pattern match to route the call correctly.
Match rules are in order of priority from top to bottom, a specific rule must be above a generic rule.
a. The first “Match” rule will be for the Teams dial plan assigned by the SIP trunking provider in this example the DID range for this MS-Teams configuration is “408.555.1000-1099.
1. Configure the parameters in the match pane.
2. Click Update then click Submit to save the Match.
Configuring the called Matches to Teams Match
Parameter
Example Configuration Value
Direction:
Redirect
Mode:
BothModes
Default:
Not used for MS-Teams
Pattern:
Called
Called Party:
Matches
408555.
Calling Party:
Not Set
N/A
Source:
Any
Action:
ToTeams
b. The next “Match” rule is to match called party number that begins with +1408666. SIP messages from MS-Teams to the Actions that routes the call to the configured analog line after the header manipulation has been performed. To add a new Action click anywhere in the “New Entry bar.
1. Configure the parameters in the match pane.
2. Click Update then Click Submit to save the Match.
Configuring the From Teams to Analog Match
Parameter
Example Configuration Value
Direction:
Redirect
Mode:
BothModes
Default:
Not used for MS-Teams
Pattern:
Both
Called Party:
Matches
+1408666.
Calling Party:
Matches
+1.
Source:
TeamsGroup
Action:
Teams2Analog
c. The next “Match” rule is to allow the blocked call-ID’s from Teams to Analog which presents as “anonymous” in the From header for example, From: "Anonymous"sip:anonymous@anonymous.invalid:5060 and called party number that begins with +1408666. line after the header manipulation has been performed.
To add a new Action click anywhere in the “New Entry bar.
1. Configure the parameters in the match pane.
2. Click Update then Click Submit to save the Match.
Configuring the From Teams to Analog Anonymous Match
Parameter
Example Configuration Value
Direction:
Redirect
Mode:
BothModes
Default:
Not used for MS-Teams
Pattern:
Both
Called Party:
Matches
+1408666.
Calling Party:
Does not match
+1.
Source:
TeamsGroup
Action:
Teams2AnalogAnonymous
10. The next “Match” rule is to allow the blocked call-ID’s from Teams to SIP Server which presents as “anonymous” in the SIP header for example, From: "Anonymous"sip:anonymous@anonymous.invalid:5060.
To add a new Action click anywhere in the New Entry bar.
1. Configure the parameters in the match pane.
2. Click Update then click Submit to save the Match.
Configuring the From Teams to Server Anonymous match
Parameter
Example Configuration value
Direction:
Redirect
Mode:
BothModes
Default:
Not used for MS-Teams
Pattern:
Both
Called Party:
Matches
+1.
Calling Party:
Does not match
+1.
Source:
TeamsGroup
Action:
FromTeams2ServerAnonymous
11. The next “Match” rule is to match +1. SIP messages from MS-Teams to the Actions that routes the call to the configured SIP trunking provider after the header manipulation has been performed. This rule is needed to for normal caller-ID routing.
To add a new Action click anywhere in the “New Entry bar.
1. Configure the parameters in the match pane.
2. Click Update then Click Submit to save the Match.
Configuring the From Teams to Server match
Parameter
Example Configuration Value
Direction:
Redirect
Mode:
BothModes
Default:
Not used for MS-Teams
Pattern:
Both
Called Party:
Matches
+1.
Calling Party:
Matches
+1.
Source:
TeamsGroup
Action:
FromTeams2Server
Configuring SBC for Teams Media-Bypass
All the Configurations that made for Non-MediaBypass will be same for MediaBypass. And there are some additional configurations which is specific to MediaBypass.
- VoIP Settings
2. B2BUA Trunking device settings:
As in the figure below, while adding B2BUA trunking device enable ICE support as ‘Lite’.
You have now completed the Ribbon Communications EdgeMarc configuration for Microsoft Teams and are ready to start testing calls.
As a final step, save the SBC’s configuration at this point or when the testing is completed.
Save the ESBC’s Configuration
This step discusses how to save the running SBC’s configuration to restore the system back to a known working configuration if needed.
- From the left-hand navigation menu select Admin > Backup/Restore.
2. Click Create New Config Backup. A dialog box will appear. Click OK.
3. The system will create a backup file of the current running configuration. Click the file name to download the backup file to the management computer.
Overview
Content Tools