MS-Teams Direct Routing SBC Example Configuration
Introduction
This document provides instructions on how to configure your existing Microsoft 365 domain with the ProSBC as an SBC for Direct Routing.
Official documentation
Configure Direct Routing – High-level steps for connecting SBC to Teams and enabling users.
Connect your SBC to Direct Routing – Detailed instructions for pairing SBC with Teams using Admin Center or PowerShell.
Prerequisites
Refer to Plan Direct Routing – Infrastructure, licensing, and domain requirements.
MS365 Licensing requirements
Microsoft Teams Phone license assigned to users
In this example, the “Microsoft Teams Essentials with Phone” license is used and assigned to three MS users.
MS365: Domain, DNS and certificate requirements
Public FQDN for SBC and public-signed certificate
TLS 1.2 support
MS365 users assigned to that domain
The domain "contoso.com" has been added to Microsoft 365.
“prosbc.contoso.com” is the registered ProSBC FQDN.
ProSBC instance hosting
world-wide web reachable
configured with public IP and FQDN
network/firewall configuration for public access
MS365 / MS-Teams Configuration
While most of the official documentation uses PowerShell commands, the majority of the configuration can be done through the MS365 Admin Portal and the MS-Teams Admin Portal.
Create PSTN Gateway in Teams Admin Center or via PowerShell.
Reference: https://learn.microsoft.com/en-us/microsoftteams/direct-routing-connect-the-sbc
Where: Microsoft Teams admin center > Voice > Direct Routing > SBCs (tab)
What to do: Add an SBC with the following configuration:
FQDN and TLS SIP port used for SIP trunking between the ProSBC and MS-Teams cloud network
Send SIP options: On
Forward call history: Off
Forward PAI header: Off
SBC Internet Protocol version: IPv4
Media bypass: Off
Bypass mode: None
All other parameters can be set as needed:
Concurrent call capacity
Failover response codes/time
Preferred country/region for media traffic
Location based routing


Assign SBC to voice routing policies
Reference:
Where: Microsoft Teams admin center > Voice > Direct Routing > Voice routes (tab)
What to do:
Add routes with number patterns allowed to be used by MS-Teams users for calls toward PSTN
Assign these routes to the SBC
Example:
For toll-free numbers (e.g. 1-800-555-5555), the configuration may look like this:
Dialed number pattern:
^\+18(00|33|44|55|66|77|88)[2-9]\d{6}$
SBCs enrolled: prosbc.contoso.com
PSTN usage records: NANP-TollFree
Configuring MS365 users with MS-Teams parameters
Reference: https://learn.microsoft.com/en-us/microsoftteams/direct-routing-enable-users
Where: Microsoft Teams admin center > Users > Manage users
What to do:
Under the “Account” tab, do one of the following:
Assign a phone number (“Direct Routing” type) to each user
Enable “Enterprise Voice” (however, this user won’t have the full telephony service)
Enterprise Voice vs Direct Routing number type
Any MS-Teams user can receive an incoming SIP call addressed to their user account identification (e.g. [email protected]). In the ProSBC routing rules, this is done by setting the “remapped called” attribute to that user account identification.
With a phone number assigned, the incoming SIP call can target the phone number itself instead of the user account.
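The Teams-side steps above (SBC entry, voice route, user settings) can also be scripted with the MicrosoftTeams PowerShell module. This is an added example, not taken from the ProSBC or Microsoft documentation; the SIP port, the route and policy names, the user and the phone number are placeholders, and the voice routing policy step is an assumption about how the route is tied to users.

```powershell
# Added example: admin-center steps from this page expressed as Teams cmdlets.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

$SbcFqdn = 'prosbc.contoso.com'    # SBC FQDN from this page
$SipPort = 5061                    # assumption: TLS SIP port of the ProSBC
$Usage   = 'NANP-TollFree'         # PSTN usage record from this page
$Pattern = '^\+18(00|33|44|55|66|77|88)[2-9]\d{6}$'

# Check the pattern before publishing it: only toll-free E.164 numbers may
# match. The sample numbers are constructed for this example.
$expected = [ordered]@{
    '+18005555555'  = $true     # toll-free
    '+18335551234'  = $true     # toll-free
    '+19005551234'  = $false    # other prefix
    '+180055555550' = $false    # extra digit, stopped by the $ anchor
    '18005555555'   = $false    # no leading +, stopped by ^\+
}
foreach ($number in $expected.Keys) {
    if (($number -match $Pattern) -ne $expected[$number]) {
        throw "Pattern check failed for $number"
    }
}

# SBC entry with the settings listed above (media bypass off, SIP OPTIONS on).
New-CsOnlinePSTNGateway -Fqdn $SbcFqdn -SipSignalingPort $SipPort -Enabled $true `
    -SendSipOptions $true -ForwardCallHistory $false -ForwardPai $false `
    -MediaBypass $false

# PSTN usage, the voice route bound to the SBC, and a policy carrying the usage.
Set-CsOnlinePstnUsage -Identity Global -Usage @{ Add = $Usage }
New-CsOnlineVoiceRoute -Identity 'TollFree' -NumberPattern $Pattern `
    -OnlinePstnGatewayList $SbcFqdn -OnlinePstnUsages $Usage -Priority 1
New-CsOnlineVoiceRoutingPolicy -Identity 'TollFreeOnly' -OnlinePstnUsages $Usage

# Per user: a Direct Routing number plus the policy. Without a number, use
# Set-CsPhoneNumberAssignment -Identity $User -EnterpriseVoiceEnabled $true.
$User = 'user@contoso.com'         # placeholder account
Set-CsPhoneNumberAssignment -Identity $User -PhoneNumber '+15555550100' `
    -PhoneNumberType DirectRouting   # placeholder number
Grant-CsOnlineVoiceRoutingPolicy -Identity $User -PolicyName 'TollFreeOnly'
```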
ProSBC Configuration
Here’s a short list of what must be done on the ProSBC
FQDN and certificates
Where: ProSBC > Security > Certificates
References:
What to do: Add all certificates needed for TLS connection with MS-Teams
As “Local” type, a public-signed certificate for the ProSBC itself and its FQDN
As “Trusted”, the PEM-format certificates from the Microsoft list:
Converting certificate to PEM format
With openssl, the command line can be used to generate the .pem file:
The list of CA certificates can change because of expiration dates or other reasons. Always check the official documentation for the current list of required CAs. The page gives instructions about that.
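One way to do the DER-to-PEM conversion and to spot trusted certificates that are close to expiry, as an added example that is not from the ProSBC or Microsoft documentation. It assumes the openssl CLI is on PATH; the working folder, file names and the short-lived test certificate are constructed for the example and stand in for the downloaded CA files.

```powershell
# Added example. Requires the openssl CLI on PATH.
$work = Join-Path ([IO.Path]::GetTempPath()) 'teams-ca-check'   # hypothetical folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Constructed stand-in for a downloaded CA file: self-signed, DER-encoded and
# valid for only 20 days, so the expiry check below has something to flag.
$key = Join-Path $work 'test-ca.key'
$src = Join-Path $work 'test-ca-src.pem'
$der = Join-Path $work 'test-ca.cer'
openssl req -x509 -newkey rsa:2048 -nodes -keyout $key -out $src -days 20 `
    -subj '/CN=Constructed Test CA' 2>$null
openssl x509 -in $src -outform DER -out $der

function ConvertTo-PemCertificate([string]$DerPath) {
    # DER (.cer/.crt) to PEM, the format used for the "Trusted" certificates.
    $pemPath = [IO.Path]::ChangeExtension($DerPath, '.pem')
    openssl x509 -inform DER -in $DerPath -outform PEM -out $pemPath
    if ($LASTEXITCODE -ne 0) { throw "Not a DER certificate: $DerPath" }
    $pemPath
}

function Test-CertificateExpiry([string]$PemPath, [int]$Days = 30) {
    # -checkend exits 0 when the certificate is still valid $Days from now.
    $info = openssl x509 -in $PemPath -noout -subject -enddate
    openssl x509 -in $PemPath -noout -checkend ($Days * 86400) | Out-Null
    [pscustomobject]@{
        File         = Split-Path $PemPath -Leaf
        Details      = $info -join '; '
        ExpiringSoon = ($LASTEXITCODE -ne 0)
    }
}

# Convert every DER file in the folder and report its subject and end date.
Get-ChildItem $work -Filter *.cer | ForEach-Object {
    Test-CertificateExpiry (ConvertTo-PemCertificate $_.FullName)
}
```

For the constructed 20-day certificate, `ExpiringSoon` is reported as `True` with the default 30-day window.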

TLS Profile
Where: ProSBC > Security > TLS Profile
What to do: Create a “Level 1” TLS profile that uses the local certificate and is bundled with the trusted certificates. “Peer authentication” must be enabled.

SIP stack configuration
Where: ProSBC > SIP
What to do: Have a SIP stack on the host
Create a TLS transport dedicated to connecting with the MS-Teams servers. The TLS transport must be assigned the TLS profile previously created for MS-Teams.

To avoid interoperability issues with different SIP peers, disable “Use session timer”.

Public IP and FQDN for NAT traversal
Where: ProSBC > Advanced Networking > NATs
What to do: Create two “Force Public IP or FQDN” entries: one for the Public IP and one for the FQDN
This may be unneeded if the public IP is directly available to the IP network interface (no NAT topology)


Profile configuration
Where: ProSBC > Profiles
What to do: Create a dedicated profile for the NAP and/or route that will be connected to MS-Teams servers:
VOIP > Media Relay >
Allow low-delay media relay := enabled (otherwise following RTP and SRTP parameters are hidden)
Use RTP anchoring := enabled
RTP security mode := Secure (otherwise following SRTP parameters are hidden)
SRTP relay behavior := Re-encrypt
SRTP key policy := Reuse
VOIP > SIP > Advanced parameters >
SDP generation options := Generate all SDP parameters
SDP combining options := none selected
Forward SIP hold SDP direction mode := Force Inactive
VOIP > SIP > Allowed SIP methods >
REFER := disabled
VOIP > RTP and Audio > RTCP >
Enabled := enabled
RTCP multiplexing := disabled

NAP configuration
Where: ProSBC > NAP
What to do: Create three NAPs. Each of them uses the profile configured above by default.
The proxy for each NAP:
sip.pstnhub.microsoft.com:5061
sip2.pstnhub.microsoft.com:5061
sip3.pstnhub.microsoft.com:5061
Assign the SIP TLS transport created in the previous step
Poll Remote Proxy := enabled
Proxy Environment > Microsoft Teams Direct Routing := enabled
NAT > Remote Method for RTP := None
NAT > Remote Method for SIP := None
NAT > Local NAT Method for RTP := the public IP NAT from the previous step
NAT > Local NAT Method for RTP := the FQDN NAT from the previous step

Routes configuration
Where: ProSBC > Gateway > Routes
What to do: For each of the three NAPs, create inbound and outbound rules
For routes towards the MS-Teams servers:
Fill the Remapped Called field with the MS-Teams user identification (user account or phone number)
Enable the forward_sip_domain and forward_sip_parameters parameters.
Set a priority value for each of the MS-Teams NAPs: the lowest value has the highest priority

sip.pstnhub.microsoft.com: Global FQDN, must be tried first.
When the SBC sends a request to resolve this name, the Microsoft Azure DNS servers return an IP address pointing to the primary Azure datacenter assigned to the SBC. The assignment is based on performance metrics of the datacenters and geographical proximity to the SBC. The IP address returned corresponds to the primary FQDN.
sip2.pstnhub.microsoft.com: Secondary FQDN, geographically maps to the second priority region.
sip3.pstnhub.microsoft.com: Tertiary FQDN, geographically maps to the third priority region.
Alternatively, we can use the label routing modules to route a specific list of numbers to the Teams network.
