Telstra provides the Microsoft Teams Phone System calling experience through our Telstra Calling for Microsoft Teams (TCMT) platform. This offers fully managed, Teams Certified, carrier-grade SBCs deployed in our global data centers and connected to our SIP Connect PSTN services. This infrastructure-less solution covers 19 countries.
However, for locations not covered by Telstra SIP Connect, we deploy fully managed, Teams Certified SBCs, such as the Ribbon SBC, in customer-hosted environments. We call this solution “TCMT with BYOC.”
In this blog, I will walk you through how I deploy TCMT with BYOC using a Ribbon SBC 1000 integrated with either a third-party SIP provider or ISDN PRI (E1/T1).
High Level Architecture
Skills / Familiarity
- PowerShell
- Teams Admin Center
- Teams Direct Routing
- SIP or ISDN PRI circuit
- Telephony / Voice
Requirement Checklist
Prior to deploying Teams Direct Routing, make sure to complete the requirements below.
Microsoft 365 or Office 365 Tenancy | A Microsoft 365 or Office 365 organization that you use to home your Microsoft Teams users, and the configuration and connection to the SBC. |
Teams User License |
Note: Any license combination above and depending on company license structure. |
Certified Session Border Controller (SBC) | Ribbon SBC 1000 Note: This guide should also be applicable to other Ribbon SBC models such as the Ribbon SBC 2000 and SWe Lite. |
SBC IP Address Allocation or Network Requirements |
Note: In a scenario where the trunk uses ISDN, Eth3 will be empty, and you will use the E1/T1 port on the Ribbon SBC. |
Collect SIP or ISDN Provider Trunk Details |
Note: Collecting this information is vital, so make sure you have the above information prior to deployment. |
Public IP Address and DNS for the SBC |
|
NAT |
Note: Eth2 can be assigned the Public IP directly; however, if a DMZ IP is assigned, it must be NAT’ed to the Public IP on the Enterprise Firewall. |
Public Certificate |
Note: Make sure to use Microsoft trusted Public Certificate Authorities. |
Firewall | Refer to the table below |
Firewall Requirement
Allowing the firewall ports for communication between the Teams proxy and the SBC is very important. Typically, you will encounter issues during deployment, such as one-way audio or calls not being established, due to IP address or port restrictions. Work with the customer's network team to implement the firewall requirements below.
SBC <-> Teams
Source IP | Source Port & Protocol | Destination IP | Destination Port & Protocol |
---|---|---|---|
52.114.148.0 52.114.132.46 52.114.75.24 52.114.76.76 52.114.7.24 52.114.14.70 52.114.16.74 52.114.20.29 | 1024-65535 TCP | SBC Public IP Address | 5061 TCP |
SBC Public IP Address | 1024-65535 TCP | 52.114.148.0 52.114.132.46 52.114.75.24 52.114.76.76 52.114.7.24 52.114.14.70 52.114.16.74 52.114.20.29 | 5061 TCP |
52.112.0.0/14 | 3478-3481 & 49152-53247 UDP | SBC Public IP Address | 16384 – 21384 UDP |
SBC Public IP Address | 16384 – 21384 UDP | 52.112.0.0/14 52.120.0.0/14 | 3478-3481 & 49152-53247 UDP |
Teams Client <-> SBC (for Media Bypass)
Media bypass enables you to shorten the path of media traffic and reduce the number of hops in transit for better performance. With media bypass, media is kept between the Session Border Controller (SBC) and the client instead of sending it via the Microsoft Phone System.
Source IP | Source Port & Protocol | Destination IP | Destination Port & Protocol |
---|---|---|---|
User subnet | 50000–50019 UDP/TCP | SBC DMZ and Public IP Address facing Internet | 16384 – 21384 UDP/TCP |
Tenant Configuration
Running the PowerShell commands below requires some familiarity with PowerShell. I have not included the commands for connecting to Microsoft Teams or MS Online Service; I’m pretty sure you can figure that out.
1. Assign the user's usage location and add the Phone System license
Set-MsolUser -UserPrincipalName UserPrincipalName -UsageLocation IN
Set-MsolUserLicense -UserPrincipalName UserPrincipalName -AddLicenses Customer365:MCOEV
Note: Alternatively, this can be done in M365 Admin Center > Users > Active users
2. Create Online PSTN Gateway
New-CsOnlinePSTNGateway -Fqdn sbc1.company.com -SipSignalingPort 5061 -MaxConcurrentSessions 20 -ForwardCallHistory $true -Enabled $true -MediaBypass $true
3. Create Online PSTN Usage
Set-CsOnlinePSTNUsage -Identity Global -Usage @{Add="IN-Allow-AllCalls"}
4. Create Online Voice Route
New-CsOnlineVoiceRoute -Identity "IN-Allow-AllCalls-Route" -Priority 1 -OnlinePstnUsages "IN-Allow-AllCalls" -OnlinePstnGatewayList sbc1.company.com -NumberPattern '^\+?\d+' -Description "Allows all calls from India"
5. Create Online Voice Routing Policy
New-CsOnlineVoiceRoutingPolicy "IN-Allow-AllCalls" -OnlinePstnUsages "IN-Allow-AllCalls" -Description "Allows all calls from India"
6. Enable User for Teams Voice and Assign Phone Number
Set-CsUser -Identity "USERNAME@company.com" -OnPremLineURI tel:+91XXXXXXXX -EnterpriseVoiceEnabled $true -HostedVoiceMail $true
Note: The telephone number must be in E.164 format
7. Assign Calling Restriction to User
Grant-CsOnlineVoiceRoutingPolicy -Identity "USERNAME@company.com" -PolicyName "IN-Allow-AllCalls"
Note: The above example is for an India site; amend the naming prefix based on your site deployment.
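A simplified offline model of how the policy and route from steps 3 to 5 decide where a dialled number goes, useful for auditing what a policy permits before it is granted in step 7. This is an added example, not part of the original post: `Resolve-VoiceRoute` and the test numbers are hypothetical, and the sample objects are constructed from the values used above.

```powershell
# Simplified model of Direct Routing route selection (added example).
# Objects mirror what steps 3-5 create; in a live tenant they would come from
# Get-CsOnlineVoiceRoutingPolicy and Get-CsOnlineVoiceRoute.
$policy = [pscustomobject]@{
    Identity         = 'IN-Allow-AllCalls'
    OnlinePstnUsages = @('IN-Allow-AllCalls')
}
$routes = @(
    [pscustomobject]@{
        Identity              = 'IN-Allow-AllCalls-Route'
        Priority              = 1
        NumberPattern         = '^\+?\d+'
        OnlinePstnUsages      = @('IN-Allow-AllCalls')
        OnlinePstnGatewayList = @('sbc1.company.com')
    }
)

function Resolve-VoiceRoute {   # hypothetical helper, not a Teams cmdlet
    param(
        [Parameter(Mandatory)] [string]   $DialedNumber,
        [Parameter(Mandatory)] [psobject] $Policy,
        [Parameter(Mandatory)] [object[]] $Routes
    )
    # Assumption: usages are tried in the order the policy lists them, and
    # within a usage the matching route with the lowest Priority wins.
    foreach ($usage in $Policy.OnlinePstnUsages) {
        $match = $Routes |
            Where-Object { $_.OnlinePstnUsages -contains $usage -and
                           $DialedNumber -match $_.NumberPattern } |
            Sort-Object Priority |
            Select-Object -First 1
        if ($match) {
            return [pscustomobject]@{
                Number   = $DialedNumber
                Route    = $match.Identity
                Gateways = $match.OnlinePstnGatewayList -join ','
            }
        }
    }
    # No usage in the policy has a route whose pattern matches: not routed.
    [pscustomobject]@{ Number = $DialedNumber; Route = $null; Gateways = $null }
}

# Constructed numbers: Indian, UK, a US premium-rate style prefix, a star code.
'+912212345678', '+442071234567', '+19005550100', '*86' |
    ForEach-Object { Resolve-VoiceRoute -DialedNumber $_ -Policy $policy -Routes $routes }
```

With the `'^\+?\d+'` pattern every number that starts with digits resolves to `sbc1.company.com`, as the policy name states, and only `*86` comes back unrouted. Feeding in a site's real routes shows which destinations a policy opens up before it is assigned to users.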
Configure Ribbon SBC 1000
The steps below take you through fully configuring the Ribbon SBC 1000 to a working state.
1. Configure SBC basic settings
- Host Name – this is the SBC public hostname
- Domain Name – this is the customer domain name
- Domain Name Services
- Time Management
- Country Level Information
2. Verify Static Routes are defined correctly
Static routes are one of the important configurations within the SBC. If they are not properly defined, routing will not work correctly.
3. Verify All Logical Interfaces are configured properly
Note: As mentioned earlier, if the setup is ISDN, Eth3 will be empty, as the SBC will use the E1/T1 port for the carrier connection.
4. Upload SBC Primary Certificate and Trusted Root CA Certificates
In this setup we are using Entrust as our Public Certificate Authority.
Note: Don’t forget to upload the Baltimore Root CA, because Microsoft service certificates use the Baltimore root certificate.
Verify SBC Primary Certificate. Make sure status is OK.
5. Verify that the SBC public DNS name (sbc1.company.com) resolves correctly
6. SBC Easy Config Wizard (ISDN PRI vs. SIP)
In this step, I will show you how easy it is to use the ‘Easy Config Wizard’ for ISDN PRI and SIP trunks. It has only 3 steps and pre-populates all the required settings for Teams and ISDN PRI/SIP.
ISDN PRI
Step 1
Step 2
Review the configuration summary and click Finish.
SIP Service Provider
Step 1
Step 2
Note: The public IP above is fictitious.
Step 3
Review the configuration summary and click Finish.
7. Once you’re done with the wizard, it creates the transformation and call routing tables automatically. Just adjust the transformation table based on the customer's PSTN requirements.
The screenshots below are a few examples for an Indian telco.
8. Teams Connectivity Check
Make sure that results are all “open.”
9. Test Results – SIP
Incoming Call
Outgoing Call
10. Test Results – ISDN PRI
Inbound Call
Outbound Call
That’s all. You should have a working Teams Direct Routing setup at this stage!