Telstra provides Microsoft Teams Phone System calling experience through our Telstra Calling for Microsoft Teams (TCMT) platform. This offers a fully managed, Teams Certified Carrier Grade SBCs, deployed in our global data centers, and connected to our SIP Connect PSTN services. This infrastructure-less solution covers 19 countries.

However, for those locations not covered by Telstra SIP Connect, we deployed a fully managed, Teams Certified SBCs such as Ribbon SBC deployed in customer hosted environments. This solution we call it “TCMT with BYOC.”

In this blog, I will walk you through how I deploy TCMT with BYOC using Ribbon SBC 1000 and is integrated with either third-party SIP Provider or ISDN PRI (E1/T1).

High Level Architecture

Skills / Familiarity

It will be good if the person that will use this document has the following experience.
  • PowerShell
  • Teams Admin Center
  • Teams Direct Routing
  • SIP or ISDN PRI circuit
  • Telephony / Voice

Requirement Checklist

Prior to deploying your Teams Direct Routing, make sure to complete below requirements.

Microsoft 365 or Office 365 Tenancy A Microsoft 365 or Office 365 organization that you use to home your Microsoft Teams users, and the configuration and connection to the SBC.

Teams User License

  • E1 or E3 + Phone System License
  • E5
  • Business Standard/Premium + Business Voice without Calling Plan

Note: Any license combination above and depending on company license structure.

Certified Session Border Controller (SBC) Ribbon SBC 1000

Note: This guide should also be applicable to another Ribbon SBC model such as Ribbon SBC 2000 and SWe Lite.

SBC IP Address Allocation or Network Requirements

  • Eth1 – Admin port
  • Eth2 – Teams Direct Routing port
  • Eth3 – SIP Trunk port

Note: In a scenario where trunk is using ISDN, Eth3 will be empty, and you will use the E1/T1 port on the Ribbon SBC.

Collect SIP or ISDN Provider Trunk Details

  • Remote SIP Entities Settings
  • PSTN Trunk Configuration
  • Carrier Specific Parameters
  • Carrier Expected Dialed Patterns

Note: Collecting this information is very vital so make sure you have the above information prior to deployment.

Public IP Address and DNS for the SBC
  • Xx.xx.xx.xx
  • If required

Note: Eth2 can be assigned with the Public IP directly however if DMZ IP is assigned, it must be NAT’ed to the Public IP on the Enterprise Firewall.

Public CertificateFirewall

  • SBC Primary Certificate
  • Trusted CA Certificate

Note: Make sure to use Microsoft trusted Public Certificate Authorities.

Firewall Refer to below table

Firewall Requirement 

Allowing firewall ports between Teams Proxy and SBC communication is very important. Typically, you will encounter several issues during deployment like one-way audio or call not being established due to IP address or port restrictions. Work with customer network team to implement below FW requirements.

SBC <-> Teams

Source IP Source Port & Protocol Destination IP Destination Port & Protocol
1024-65535 TCP SBC Public IP Address 5061 TCP
SBC Public IP Address 1024-65535 TCP
5061 TCP

3478-3481 &
49152-53247 UDP
SBC Public IP Address 16384 – 21384 UDP
SBC Public IP Address 16384 – 21384 UDP
3478-3481 &
49152-53247 UDP

Teams Client <-> SBC (for Media Bypass)

Media bypass enables you to shorten the path of media traffic and reduce the number of hops in transit for better performance. With media bypass, media is kept between the Session Border Controller (SBC) and the client instead of sending it via the Microsoft Phone System.

Source IP
Source Port & Protocol Destination IP Desintation Port & Protocol
User subnet 50000–50019
SBC DMZ and Public IP Address facing Internet 16384 – 21384

Tenant Configuration

Running below PS commands requires some knowledge with PowerShell. I have not included the commands how to connect to Microsoft Teams or MS Online Service. I’m pretty sure you can figure it out.

1. Assign user usage location and adding phone-system license 

Set-MsolUser -UserPrincipalName UserPrincipalName -UsageLocation INSet-MsolUserLicense -UserPrincipalName UserPrincipalName -AddLicenses Customer365:MCOEV

Note: Alternatively, this can also be done in M365 Admin Center > Users > Active users

2. Create Online PSTN Gateway

New-CsOnlinePSTNGateway -Fqdn -SipSignalingPort 5061 -MaxConcurrentSessions 20 -ForwardCallHistory $true -Enabled $true -MediaBypass $true 

3. Create Online PSTN Usage

Set-CsOnlinePSTNUsage -Identity Global -Usage @{Add="IN-Allow-AllCalls"}

4. Create Online Voice Route

New-CsOnlineVoiceRoute -Identity "IN-Allow-AllCalls-Route" -Priority 1 -OnlinePstnUsages "IN-Allow-AllCalls" -OnlinePstnGatewayList -NumberPattern '^\+?\d+' -Description "Allows all calls from India"

5. Create Online Voice Routing Policy

New-CsOnlineVoiceRoutingPolicy "IN-Allow-AllCalls" -OnlinePstnUsages "IN-Allow-AllCalls" -Description "Allows all calls from India"  

6. Enable User for Teams Voice and Assign Phone Number

Set-CsUser -Identity "" -OnPremLineURI tel:+91XXXXXXXX -EnterpriseVoiceEnabled $true -HostedVoiceMail $true

Note: The telephone number must be in E.164 format

7. Assign Calling Restriction to User

Grant-CsOnlineVoiceRoutingPolicy -Identity "" -PolicyName "IN-Allow-AllCalls"

Note: Above example is for an India site, you must amend the naming prefix based on your site deployment.

Configure Ribbon SBC 1000

Below steps allows you to fully configure Ribbon SBC 1000 to a working state.

1. Configure SBC basic settings

  • Host Name – this is the SBC public hostname
  • Domain Name – this is the customer domain name
  • Domain Name Services
  • Time Management
  • Country Level Information

2. Verify Static Routes are defined correctly

Static routes are one of the important configurations within the SBC. If not properly defined, routing can be messed up.

3. Verify All Logical Interfaces are configured properly

Note: As mentioned earlier, if setup is ISDN, Eth3 will be empty as it’ll be using E1/T1 port for the Carrier connection.

4. Upload SBC Primary Certificate and Trusted Root CA CertificatesIn this setup we are using Entrust as our Public Certificate Authority



Note: Don’t forget to upload Baltimore Root CA because Microsoft service certificates use the Baltimore root certificate

Verify SBC Primary Certificate. Make sure status is OK.

5.  Verify SBC Public DNS ( are resolving correctly



6. SBC Easy Config Wizard (ISDN PRI vs. SIP)

In this step, I will show you how easy to use ‘Easy Config Wizard’ for ISDN PRI and SIP Trunk. It has only 3 steps and will pre-populate all the required settings for Teams and ISDN PRI/SIP.


Step 1


Step 2

Review the configuration summary and click Finish.

SIP Service Provider

Step 1


Step 2

Note: Above public IP is just fictitious.

Step 3


Review the configuration summary and click Finish.

7. Once you’re done with Wizard, it creates transformation and call routing automatically. Just adjust the transformation table based on customer PSTN requirements.

Below screenshots are few examples for an Indian telco.


8. Teams Connectivity Check

Make sure that results are all “open.”

9. Test Results – SIP

Incoming Call

Outgoing Call

10. Test Result - ISDN PRI

Inbound Call

Outbound Call

That’s all. You should have a working Teams Direct Routing setup at this stage!