In this section:

Overview

This Best Practice details the configuration required for interoperability between Ribbon SBC Edge (SBC 1000/2000 and SBC SWe Lite) and Microsoft Teams Direct Routing.

The intended audiences for this document are enterprises/partners that would like to begin testing with SBC Edge products within the Microsoft® sponsored Direct Routing public preview planned for mid-May 2018. For enterprises/partners testing SBC Edge products within the Microsoft-sponsored Direct Routing TAP (Technology Access Program), contact your Ribbon sales representative before undertaking any product software upgrades in response to this document.

Microsoft Teams Direct Routing with Media Bypass will be supported on the SBC Edge products in 2018.

Note: Direct Routing support is available on the SBC Core products immediately.

How SBC Edge Interoperates with Microsoft Teams Direct Routing

This Best Practice includes the configuration steps necessary for the SBC Edge and the Microsoft Teams Direct Routing Interface to interoperate; the connection of other entities, such as a SIP/TDM trunk or 3rd Party PBX and/or analog devices, are not included. For connection to additional equipment, refer to Ribbon documentation and search for a Best Practice that reflects the specific interoperability you want to achieve (i.e., FXS on SBC Edge, TDM on SBC Edge, etc.).

Microsoft Teams Direct Routing interface enables the Ribbon SBC Edge to connect to the Microsoft Teams. The SBC Edge can be connected to almost any telephony trunk or interconnect a 3rd party non-Teams client. The scenario enables the following:

Microsoft supports only validated devices (such as the Ribbon SBC Core and Edge) to connect to the Direct Routing interface.

Topology Example

The example below shows the connection topology, which includes the following: 

The topology example below uses an SBC 1000/2000.

Prerequisites

A Tenant is used within the Microsoft environment to describe an Office 365 organization; through this tenant, administrators can manage projects, users, and roles. 

Microsoft Teams Direct Routing 

Consult the Microsoft documentation for the Direct Routing interface configuration guidelines, including the RFC standards and the syntax of SIP messages.

Ribbon SBC Edge

To locate the SBC Edge software version you are running, refer to Viewing the Software Version and Hardware ID.

Obtain IP Address/FQDN/Public Certificate

Before you begin, ensure that you have the following for every SBC to be paired:

Obtain Domain Name

The SBC FQDN must be from one of the Domain names registered in “Domains” of the Tenant. The table below lists Domain Name examples.

Do  not use the *.onmicrosoft.com tenant for the domain name.

Domain NameUse for SBC FQDN?FQDN Names - Examples
SonusMS01.com(tick)

Valid names:

  • aepsite6.SonusMS01.com

hybridvoice.org

(tick)

Valid names:

  • sbc1. hybridvoice.org
  • ussbcs15. hybridvoice.org
  • europe. hybridvoice.org

Non-Valid name:

sbc1.europe.hybridvoice.org (requires registering domain name europe. hybridvoice.org in “Domains” first)

Users may be from any SIP domain registered for the tenant. For example, you can configure user user@SonusMS01.com with the SBC FQDN name sbc1.hybridvoice.org, as long as both names are registered for the tenant.

 

Download Latest Software Version

Ensure you are running the latest SBC Edge Release:

ReleaseSpecifications

SWe Lite 7.0.4 or later

SBC 1000/2000 7.0.3 or later

Does not support Media Bypass.*
8.0.0 or later

Supports Media Bypass.*

*Teams Direct Routing With/Without Media Bypass - Example Below

 

 

To locate the SBC Edge software version you are running, refer to Viewing the Software Version and Hardware ID.

Configuring SBC Edge

For the purposes of this documentation, the screens displayed are for an SBC 1000/2000; the interface configuration may vary slightly for the SBC SWe Lite. If configuration is not specified for a field, use the default value.

This section provides details on how to configure Ribbon SBC Edge for interoperating with Microsoft Teams Direct Routing.  

In this document, the following are used as examples:

Public IPFQDNCertificate
192.168.211.80aepsite6.sonusMS01.comGlobalSign

Configure a Certificate for the SBC Direct Routing Interface 

Microsoft Teams Direct Routing only allows TLS connections from the SBC for SIP traffic with a certificate signed by one of the trusted certification authorities.

Request a certificate for the SBC External interface and configure it based on the example using GlobalSign as follows:

 

The certificate is obtained through the Certificate Signing Request (instructions below). The Trusted Root and Intermediary Signing Certificates are obtained from your certification authority.

Step 1: Generate a Certificate Signing Request and obtain the certificate from a supported Certification Authority (CA)

  1. Access the WebUI.
  2. Access Settings > Security > SBC Certificates.
  3. Click Generate Sonus CSR.

    Many CA's do not support a private key with a length of 1024 bits. Validate with your CA requirements and select the appropriate length of the key.

  4. Enter data in the required fields.

  5. Click OK. After the Certificate Signing request finishes generating, copy the result to the clipboard.

  6. Use the generated CSR text from the clipboard to obtain the certificate.
     

Step 2: Deploy the SBC and Root/Intermediate Certificates on the SBC

After receiving the certificates from the certification authority, install the SBC Certificate and Root/Intermediate Certificates as follows:

  1. Obtain Trusted Root and Intermediary signing certificates from your certification authority.
  2. Access the WebUI.
  3. To install Trusted Root Certificates, click Settings > Security > SBC Certificates > Trusted CA Certificates.
  4. Click Import and select the trusted root certificates.
  5. To install the SBC certificate, open Settings > Security > SBC Certificates > Sonus Certificate.
  6. Validate the certificate is installed correctly.

  7. Click Import  and select X.509 Signed Certificate.
  8. Validate the certificate is installed correctly.

Step 3: Deploy Baltimore Trusted Root Certificate

The Direct Routing interface has the DNS name sip.pstnhub.microsoft.com. On that interface, the certificate is signed by Baltimore CyberTrust Root with Serial Number: 02 00 00 b9 and SHA fingerprint: ‎d4:de:20:d0:5e:66:fc: 53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74.

To trust this certificate, your SBC MUST have the certificate in Trusted Certificates storage.

  1. Download the certificate from https://cacert.omniroot.com/bc2025.crt and use the steps above to import the certificate to the Trusted Root storage. 

Configure TLS Profile

The TLS profile defines the crypto parameters for the SIP protocol.

Create a TLS profile as follows:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to Security > TLS Profiles.

  3. Click the CreateTLS Profile ( ) icon at the top of the TLS Profile page.
  4. Configure the parameters shown below. Leave all other parameters as default.

    ParameterExample Value
    DescriptionMicrosoft Phone system (example name)
    TLS ProtocolTLS 1.2 Only
    Validate Client FQDNDisabled

Configure Node-Level Settings

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access System > Node-Level Settings.

  3. Configure the NTP and DNS Server with the appropriate configuration.

Configure Node Interface

Ensure the IP Routing Table contains the same information as in the network topology.

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to Node Interfaces > Logical Interfaces.

  3. Configure the parameters shown below:

    The Media Next Hop IP field (available on SWe Lite only; not shown below) must be configured with the Default Gateway for this interface.

    ParameterExample Value

    Description

    To Microsoft Phone System

    Admin Interface

    Enable

    IP Assign Method

    Static (example)

    Primary Address

    <Public IP of your SBC> in the example 192.168.211.80

    Primary Netmask

    <Mask of Public Interface of  your SBC> in the example 255.255.255.0

Configure SIP Profile

The SIP Profile enables configuration for parameters, such as SIP Header customization, option tags, etc.

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access SIP > SIP Profiles.
  3. Click the ( ) icon at the top of left corner and add a new SIP profile.

  4. Configure parameters shown below:

    Parameter

    Example Value

    Description

    Microsoft Phone System

    FQDN in From Header

    Sonus SBC FQDN

    FQDN In Contact Header

    Sonus SBC FQDN

    Origin Field Username

    <FQDN of SBC>

Configure Media Crypto Profile

The Media Crypto Profile defines the encryption mechanism to use between the SBC and the Microsoft Direct Routing Interface.

Add a Media Crypto Profile:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Media > Media Crypto Profiles.
  3. Click the ( ) icon at the top of  left corner and add a new Media Crypto Profile.
  4. Configure the parameters as shown below. Leave all other parameters as default.

    Parameter

    Example Value

    Description

    Microsoft Phone System

    Operation Option

    Required

    Crypto Suite

    AES_CM_128_HMAC_SHA1_80

Configure Media List

The Media List defines the codecs and if the crypto mechanism will be used.

Create a media Profile:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Media >Media List.
  3. Click the ( ) icon at the top of  left corner and add a new Media List.
  4. Configure the parameters as shown below. Leave all other parameters as default.

    Parameter

    Example Value

    Description

    Microsoft Phone System

    Media Profiles List

    • Default G711a
    • Default G711u

    NOTE: See Microsoft documentation for the list of codecs supported by Microsoft.

    Crypto Profile ID

    Microsoft Phone System (created on the previous step)

Configure SIP Server Tables

SIP server tables defines the information for the SIP interfaces connected to the Ribbon SBC; it must be configured to support the Microsoft Phone System.

Add a new SIP Server Table:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access SIP > SIP Server Tables
  3. Click the ( ) icon at the top of  left corner and add a new SIP Server Table.

  4. Configure the parameters as shown below. Leave all other parameters as default.

    Parameter

    Example Value

    Row ID

    Assigned by the system

    Description

    Microsoft Phone System

Configure Parameters of new SIP Server Table

Configure the parameters of the SIP Server table:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access SIP > SIP Server Tables.
  3. Select the name of the table created in the previous step.
  4. At the top left corner of the main configuration pane click Create New SIP Server, select IP/FQDN and add the pairing to the Direct Routing interface .
  5. Repeat the operation for the other two SIP Server entries. Leave all other parameters as default.

    Parameter

    Value

    Priority

    1

    Host

    sip.pstnhub.microsoft.com

    Port

    5061

    Protocol

    TLS

    TLS Profile

    Microsoft Phone System

    Monitor

    SIP Options

    Parameter

    Value

    Priority

    2

    Host

    sip2.pstnhub.microsoft.com

    Port

    5061

    Protocol

    TLS

    TLS Profile

    Microsoft Phone System

    Monitor

    SIP Options

    Parameter

    Value

    Priority

    3

    Host

    sip3.pstnhub.microsoft.com

    Port

    5061

    Protocol

    TLS

    TLS Profile

    Microsoft Phone System

    Monitor

    SIP Options

Configure Voice routing

Configure Routing Logic per Ribbon Documentation. Refer to Working with Telephony Routing.

 

Configure Transformation Table

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access SIP > Transformation Tables.
  3. Click the ( ) icon at the top left corner to add a new Transformation Table.


     

  4. Configure the parameters as shown below.

    Parameter

    Value

    Row ID

    Assigned by the system

    Description

    Microsoft Phone System (example name)

Configure Call Routing Table

To add and configure a new Call Routing Table:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Call Routing Table.
  3. Click the () icon at the top of  left corner and add a new Call Routing Table.

     

  4. Configure the parameters as shown below. Click OK.

    Parameter

    Value

    Row ID

    Assigned by the system

    Description

    Microsoft Phone System (example name)

  5. From the left navigation pane, click on the Call Routing > Microsoft Phone System (the entry created in the last step).

  6. Click the ().
  7. Configure the parameters as shown below. Leave all other parameters as default.

  8. Click OK.

    Parameter

    Value

    Description

    From Microsoft Phone System (example name)

    Number/Name Transformation Table

    Microsoft Phone System

    Destination Signaling Groups

    Choose the Signaling Group of a local equipment

Configure Signaling Group

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Signaling Groups
  3. For the SBC 1000-2000, from the Create Signaling Group drop down box, select SIP Signaling Group.

  4. For the SWe Lite, click Add SIP SG.

  5. Configure the parameters as shown below. Leave the default values for all other parameters.

  6. Click OK.

    Parameter

    Value

    Description

    Microsoft Phone System

    SIP Profile

    Microsoft Phone System (from the previous steps)

    Media List ID

    Microsoft Phone System (from the previous steps)

    Signaling Media/Source IP

    Ethernet 1 (example, pick the interface which faces the Microsoft Phone System)

    Listen Port

    5068 (arbitrary port)

    TLS

    TLS Profile ID: Microsoft Phone System (from the previous steps)

    Federated IP/FQDN

    sip-all.pstnhub.microsoft.com

    SIP server table

    Microsoft Phone System (from the previous steps)

    Load Balancing

    Priority

    SIP Profile

    Microsoft Phone System (from the previous steps)

    Call Routing Table

    Microsoft Phone System (from the previous steps)

    Outbound NAT traversal[1]

    Static NAT

    NAT Public IP

    192.168.211.80 (Only required if “Static NAT” is selected)



    [1] Please ignore if the SBC has a Public IP assigned on the interface. The NAT Public IP is required only when the SBC is behind a NAT.

Configure REFER and Re-Invites for Call Forwarding

This section is applicable to SBC SWe Lite only.

When the remote peer forwards all the REFER messages without checking the destination, the SBC EDGE can be reconfigured to force the call through the remote peer. See below for configuration.

Modify Message Manipulation

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to SIP > Message Manipulation > Message Rule Table.

  3. Create a new Message Rule Table configured as shown below.

  4. In the left navigation pane, click the newly created Rule Table entry. 
  5. Click Create Rule > Request Line Rule.

  6. Configure the Request Line Rule as shown below.

Modify Signaling Group

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Signaling Groups
  3. Access the Signaling Group used for Teams.

  4. Assign the Message Rule Table to the Teams Signaling Group as Inbound Message Manipulation.

Modify Transformation Table

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access SIP > Transformation Tables.
  3. Click the ( ) icon at the top left corner to add a new Transformation Table.

  4. Configure as shown below.

Modify Call Routing

  1. In the WebUI, click the Settings tab.
  2. In the left navigation page, access Call Routing Table.
  3. In the Routing Table designated "From Teams," create a routing entry that points to the destination Teams Signaling Group (this must be the first routing entry in the list) and assign the newly created Transformation Table.

Confirm the Configuration

Validate SIP Option

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, access Signaling Groups.
  3. For the signaling group configured for Microsoft Teams Direct Routing, click Counters.
  4. Confirm the number of Incoming and Outgoing SIP Options.
  5. Confirm the number of Incoming and Outgoing 2xx responses.

 

Place a Test Call

Place a test call as follows:

  1. In the WebUI, click the Diagnostics tab.
  2. In the left navigation pane, click Test a Call.
  3. Configure the parameters as shown below.
  4. Click OK.

    ParameterValue
    Destination NumberNumber assigned to a Teams user.
    Origination/Calling NumberNumber assigned to a Local user
    Call Routing TableThe routing table that handles the call from Local resource.

Known Issues

Outbound call from Teams to PSTN show as Anonymous when ForwardPAI is enabled on the CSOnlinePSTNGateway

When forward PAI is enabled on the Tenant CsOnlinePSTNGateway, Microsoft adds a PAI and Privacy SIP header on the outbound call to the SBC. RFC 3325 defined the 'id' value for the Privacy header, which is used to request the network remove the P-Asserted-Identity header field.

Different behavior may be required, as follows:

  1. If the SBC is in a trusted network, it should not remove the PAI information and allow the last equipment to remove it. SBC will forward the FROM, PAI and Privacy header.
  2. If the SBC is the last trusted equipment, it should hide the PAI information. SBC will remove the PAI and Privacy header and make the FROM header Anonymous.
  3. If the SBC is in a trusted network but the equipment behind it makes the call anonymous due to the Privacy header (and the customer does not want the call anonymous), the SBC can remove the PAI and Privacy header and keep the FROM Header.

Teams Direct Routing Refer Scenario

The SBC Edge supports REFER and Re-Invites for call forwarding. To handle a scenario for when the remote peer forwards all the REFER messages without checking the destination, the SBC EDGE can be reconfigured to force the call through the remote peer.

For configuration, see Configure Forward Handling.