Professional Documents
Culture Documents
Version 7.2
Configuration Note Contents
Table of Contents
1 Introduction ......................................................................................................... 9
1.1 About Teams Direct Routing .................................................................................... 9
1.2 Validated AudioCodes Version ................................................................................ 9
1.3 About AudioCodes SBC Product Series .................................................................. 9
1.4 Infrastructure Prerequisites .................................................................................... 10
2 Configuring AudioCodes' SBC ........................................................................ 11
2.1 Prerequisites .......................................................................................................... 12
2.1.1 About the SBC Domain Name .................................................................................12
2.2 Validate AudioCodes' License ............................................................................... 13
2.3 Configure LAN and WAN IP Interfaces .................................................................. 14
2.3.1 Validate Configuration of Physical Ports and Ethernet Groups ...............................15
2.3.2 Configure LAN and WAN VLANs ............................................................................16
2.3.3 Configure Network Interfaces ..................................................................................16
2.4 Configure TLS Context........................................................................................... 18
2.4.1 Configure the NTP Server Address .........................................................................18
2.4.2 Create a TLS Context for Teams Direct Routing .....................................................18
2.4.3 Generate a CSR and Obtain the Certificate from a Supported CA .........................20
2.4.4 Deploy the SBC and Root / Intermediate Certificates on the SBC ..........................23
2.5 Method of Generating and Installing the Wildcard Certificate ................................ 25
2.6 Deploy Baltimore Trusted Root Certificate ............................................................. 25
2.7 Configure Media Realm ......................................................................................... 26
2.8 Configure SIP Signaling Interfaces ........................................................................ 27
2.9 Configure Proxy Sets and Proxy Address .............................................................. 29
2.9.1 Configure Proxy Sets ...............................................................................................29
2.9.2 Configure Proxy Addresses .....................................................................................30
2.10 Configure Coder Groups ........................................................................................ 32
2.11 Configure IP Profiles .............................................................................................. 33
2.12 Configure IP Groups .............................................................................................. 35
2.13 Configure SRTP ..................................................................................................... 37
2.14 Configure Message Condition Rules...................................................................... 38
2.15 Configure Classification Rules ............................................................................... 39
2.16 Configure IP-to-IP Call Routing Rules.................................................................... 40
2.17 Configure Firewall Settings .................................................................................... 41
3 Verify the Pairing Between the SBC and Direct Routing ............................... 43
4 Direct Routing Local Media Optimization ....................................................... 45
4.1 Introduction ............................................................................................................ 45
4.2 Typical Call Scenarios............................................................................................ 46
4.2.1 Implemented Scenarios ...........................................................................................47
4.2.1.1 Central SBC Scenario ..............................................................................47
4.2.1.2 Proxy SBC Scenario.................................................................................48
4.2.1.3 Local Media Optimization Modes .............................................................49
4.3 Online PSTN Gateway Configuration..................................................................... 49
4.3.1 Online PSTN Gateway Configuration (Office 365) - Proxy SBC Scenario ..............49
4.3.2 Configure Online PSTN Gateway Configuration via UMP 365 (Optional)...............49
4.3.2.1 Create PSTN Gateway .............................................................................50
List of Figures
Figure 2-1: Connection Topology with SIP Trunk on the LAN ...............................................................11
Figure 2-2: Example of Registered DNS Names....................................................................................13
Figure 2-3: Network Interfaces in the Topology with SIP Trunk on the LAN..........................................14
Figure 2-4: Network Interfaces in the Topology with SIP Trunk on the WAN ........................................14
Figure 2-5: Physical Ports Configuration Interface .................................................................................15
Figure 2-6: Ethernet Groups Configuration Interface .............................................................................15
Figure 2-7: Configured VLAN IDs in Ethernet Device ............................................................................16
Figure 2-8: Configuration Example of the Network Interface Table .......................................................17
Figure 2-9: Configuring NTP Server Address.........................................................................................18
Figure 2-10: Configuration of TLS Context for Direct Routing ...............................................................19
Figure 2-11: Configured TLS Context for Direct Routing and Interface to Manage the Certificates .....20
Figure 2-12: Example of Certificate Signing Request – Creating CSR ..................................................21
Figure 2-13: Uploading the Certificate Obtained from the Certification Authority ..................................23
Figure 2-14: Message Indicating Successful Upload of the Certificate ..................................................23
Figure 2-15: Certificate Information Example .........................................................................................24
Figure 2-16: Example of Configured Trusted Root Certificates .............................................................24
Figure 2-17: Configuration Example Media Realms in Media Realm Table ..........................................26
Figure 2-18: Configuration Example of SIP Signaling Interfaces ...........................................................28
Figure 2-19: Configuration Example Proxy Sets in Proxy Sets Table ....................................................29
Figure 2-20: Configuring Proxy Address for SIP Trunk ..........................................................................30
Figure 2-21: Configuring Proxy Address for Teams Direct Routing Interface ........................................30
Figure 2-22: Configuring Coder Group for Teams Direct Routing..........................................................32
Figure 2-23: Configured IP Groups in IP Group Table ...........................................................................36
Figure 2-24: Configuring Media Security Parameter ..............................................................................37
Figure 2-25: Configuring Condition Table ..............................................................................................38
Figure 2-26: Configuring Classification Rule ..........................................................................................39
Figure 2-27: Configured IP-to-IP Routing Rules in IP-to-IP Routing Table ............................................40
Figure 3-1: Proxy Set Status ..................................................................................................................43
Figure 4-1:Central SBC Traffic Flow - User at “Home” ..........................................................................47
Figure 4-2: Central SBC Traffic Flow - User is External .........................................................................47
Figure 4-3: Proxy SBC Traffic Flow - user at “home” .............................................................................48
Figure 4-4: Proxy SBC Traffic Flow - user is external ............................................................................48
Figure 4-5: Add New PSTN Gateway.....................................................................................................50
Figure 4-6: Always Bypass with Internal Teams User ............................................................................51
Figure 4-7: Always Bypass with External Teams User ..........................................................................52
Figure 4-8: Always Bypass with Teams User and SBC in Different Sites ..............................................53
Figure 4-9: Always Bypass with Internal Teams User ............................................................................54
Figure 4-10: Only for Local Users with External Teams User ................................................................55
Figure 4-11: Only for Local Users with Internal Teams User in Different Sites......................................56
Figure A-1: Example of an 'INVITE' Message ........................................................................................77
Figure A-2: Example of an 'INVITE' Message (External user) ...............................................................78
Figure A-3: Example of an 'INVITE' Message (Internal User) ................................................................78
Figure A-4: Example of an 'INVITE' Message From Site to Teams .......................................................78
Figure A-5: Example of 'OPTIONS' message ........................................................................................79
Figure C-1: IP Profile for Remote Sites and Proxy SBC ........................................................................85
List of Tables
Table 1-1: Infrastructure Prerequisites ...................................................................................................10
Table 2-1: DNS Names Registered by an Administrator for a Tenant ...................................................12
Table 2-2: Configuration Example of the Network Interface Table ........................................................16
Table 2-3: New TLS Context ..................................................................................................................19
Table 2-4: Configuration Example Media Realms in Media Realm Table .............................................26
Table 2-5: Configuration Example of SIP Signaling Interfaces ..............................................................27
Table 2-6: Configuration Example Proxy Sets in Proxy Sets Table .......................................................29
Table 2-7: Configuration Proxy Address for SIP Trunk ..........................................................................30
Table 2-8: Configuration Proxy Address for Teams Direct Routing .......................................................31
Table 2-9: Configuration Example: Teams IP Profile .............................................................................33
Table 2-10: Configuration Example: SIP Trunk IP Profile ......................................................................34
Table 2-11: IP-to-IP Call Routing Rules .................................................................................................40
Table 2-12: Firewall Table Rules ............................................................................................................41
Table 2-1: Configuration Example of SIP Interface to Remote site SBCs .............................................57
Table 4-2: Configuration Proxy Address Towards Remote SiteA SBC ..................................................58
Table 4-3: Configuration Proxy Address Towards Remote SiteB SBC ..................................................58
Table 4-4: Configuration Example: Teams IP Profile .............................................................................59
Table 4-5: Configuration Example: SIP Trunk IP Profile (toward remote SBC) .....................................59
Table 4-6: Configuration Example: IP Group for Microsoft Teams Direct Routing ................................60
Table 4-7: Configuration Example: IP Group for Site A SBC .................................................................61
Table 4-8: Configuration Example: IP Group for Site B SBC .................................................................62
Table 4-9: Call Setup Rules Table .........................................................................................................62
Table 4-10: IP-to-IP Call Routing Rules .................................................................................................65
Table 4-11: Configuration Example: Site SIP Interface..........................................................................66
Table 4-12: Configuration Example: Site Proxy Set ...............................................................................66
Table 4-13: Configuration Example: Site Proxy Address .......................................................................67
Table 4-14: Configuration Example: Teams IP Profile (through the Proxy SBC)...................................67
Table 4-15: Configuration Example: SIP Trunk IP Profile (toward SIP Provider/ Media Gateway) .......68
Table 4-16: Configuration Example: Site SBC IP Group towards Teams (through Proxy SBC) ...........68
Table 4-17: Site IP-to-IP Call Routing Rule ............................................................................................69
Table 4-18: Configuration Example: Site SIP Interface..........................................................................70
Table 4-19: Configuration Example: Site Proxy Set ...............................................................................70
Table 4-20: Configuration Example: Site Proxy Address .......................................................................71
Table 4-21: Configuration Example: Teams IP Profile (through the Proxy SBC)...................................71
Table 4-22: Configuration Example: Site IP Group ................................................................................72
Table 4-23: SBC IP-to-IP Routing Rules ................................................................................................72
Table 4-24: Gateway Tel-to-IP Routing Rule .........................................................................................73
Table A-1: Syntax Requirements for an 'OPTIONS' Message ...............................................................79
Table A-2: Teams Direct Routing Interface - Technical Characteristics ................................................80
Table C-1: SIP Interface Proxy SBC Configuration Summary ...............................................................85
Table C-2: SIP Interface Remote SBC Configuration Summary ............................................................86
Table C-3: Proxy SET Proxy SBC Configuration Summary ...................................................................86
Table C-4: Proxy SET Remote SBC Configuration Summary ...............................................................86
Table C-5: IP Profile Configuration Summary ........................................................................................87
Table C-6: IP Group Proxy SBC toward Teams Configuration Summary..............................................88
Table C-7: IP Group Proxy SBC toward Remote SBC’s Configuration Summary .................................89
Table C-8: IP Group Remote SBC toward Proxy SBC Configuration Summary....................................90
Table C-9: IP Group Remote SBC toward SIP Trunk (PSTN) Configuration Summary ........................90
Table C-10: IP-To-IP Routing in the Proxy SBC ....................................................................................91
Table C-11: IP-To-IP Routing in the Remote Site SBC ..........................................................................91
Table C-12: Proxy SBC Message Manipulation Index 0 ........................................................................92
Table C-13: Proxy SBC Message Manipulation Index 1 ........................................................................92
Table C-14: Proxy SBC Message Manipulation Index 2 ........................................................................92
Table C-15: Proxy SBC Message Manipulation Index 3 ........................................................................92
Notice
Information contained in this document is believed to be accurate and reliable at the time of
printing. However, due to ongoing product improvements and revisions, AudioCodes cannot
guarantee accuracy of printed material after the Date Published nor can it accept responsibility
for errors or omissions. Updates to this document can be downloaded from
https://www.audiocodes.com/library/technical-documents.
This document is subject to change without notice.
Date Published: July-01-2020
WEEE EU Directive
Pursuant to the WEEE EU Directive, electronic and electrical waste must not be disposed of
with unsorted waste. Please contact your local recycling authority for disposal of this product.
Customer Support
Customer technical support and services are provided by AudioCodes or by an authorized
AudioCodes Service Partner. For more information on how to buy technical support for
AudioCodes products and for contact information, please visit our website at
https://www.audiocodes.com/services-support/maintenance-and-support.
Related Documentation
Document Name
LTRT Description
Added Chapter “Direct Routing Media Optimization” for Direct Routing Media
LTRT-TAP Optimization Routing between Microsoft Phone System (Cloud PBX) and SBC
devices.
Updates in Section “Configuring SBC for Media Optimization Proxy SBC”; Site SBCs
LTRT-TAP
Re-configuration.
Updates to IP Profile configuration in Chapter “Configuring SBC for Media
13320
Optimization Proxy SBC” and Chapter “Site SBCs Re-configuration”
Updates to Table "Configuration Example: Teams IP Profile” (updated parameters
Remote REFER Mode and Remote 3xx Mode)
Added Table “Configuration Example: SIP Trunk IP Profile (toward Remote SBC)”
13320
Changed title for Table “Configuration Example: Teams IP Profile (through the Proxy
SBC) and Table “Configuration Example: SIP Trunk IP Profile (toward SIP Provider/
Media Gateway)”.
Updates to the names of the IP Group Media optimization parameters to “Local Media
13321 Optimization and “Teams Local Media Optimization Initial Behavior”
Added Appendix “IP Profile – Quick Guidelines”
Added Sections “Adopt Gateway Application to Work with Local Media Optimization”
13322
and Appendix C “Local Media Optimization – Quick Guidelines”
Documentation Feedback
AudioCodes continually strives to produce high quality documentation. If you have any
comments (suggestions or errors) regarding this document, please fill out the Documentation
Feedback form on our website at https://online.audiocodes.com/documentation-feedback.
1 Introduction
This document describes how to connect AudioCodes' SBC to Teams Direct Routing
Enterprise model and refers to the AudioCodes SBC configuration only. For configuring the
Office 365 side, please refer to https://docs.microsoft.com/en-us/microsoftteams/direct-
routing-configure.
This document is intended for IT or telephony professionals.
Enterprise Network
Management
Phone System
Station (OAMP) (Cloud PBX)
IP-PBX
PSTN
Note:
• This document shows how to configure the connection between AudioCodes'
SBC and the Teams Direct Routing with a generic SIP Trunk. For detailed
configuration of other entities in the deployment such as the SIP Trunk Provider
and the local IP-PBX, refer to AudioCodes' SIP Trunk Configuration Notes (in the
interoperability suite of documents).
• This chapter only includes basic Teams Direct Routing configuration. Customers
who would like to implement Direct Routing Local Media Optimization Routing
between Microsoft Phone System (Cloud PBX) and SBC devices, see Chapter 4
“Direct Routing Local Media Optimization” and Appendix C “Local Media
Optimization Quick Guidelines”.
2.1 Prerequisites
Before you begin the configuration, make sure you have the following for every SBC you want
to pair:
Public IP address
FQDN name matching SIP addresses of the users
Public certificate, issued by one of the supported CAs
Valid names:
sbc.ACeducation.info
ussbcs15.ACeducation.info
europe.ACeducation.info
ACeducation.info Yes
Invalid name:
sbc1.europe.ACeducation.info (requires
registering domain name europe.atatum.biz
in 'Domains' first)
Using *.onmicrosoft.com domains is not
adatumbiz.onmicrosoft.com No
supported for SBC names
Valid names:
sbc1.hybridvoice.org
ussbcs15.hybridvoice.org
europe.hybridvoice.org
hybridvoice.org Yes
Invalid name:
sbc1.europe.hybridvoice.org (requires
registering domain name
europe.hybridvoice.org in 'Domains' first
Users can be from any SIP domain registered for the tenant. For example, you can provide
users user@ACeducation.info with the SBC FQDN sbc1.hybridvoice.org so long as both
names are registered for this tenant.
Figure 2-2: Example of Registered DNS Names
The following IP address and FQDN are used as examples in this guide:
195.189.192.157 sbc.ACeducation.info
Enterprise Network
Management
Phone System
Station (OAMP) (Cloud PBX)
Figure 2-4: Network Interfaces in the Topology with SIP Trunk on the WAN
Enterprise Network
Management
Phone System
Station (OAMP) (Cloud PBX)
This Configuration Notes document provides an example topology with a SIP Trunk on the
LAN.
Note: Based on your hardware configuration, you might have more than two ports.
3. Click Apply.
All other parameters can be left unchanged with their default values.
Note: The table above exemplifies configuration focusing on interconnecting SIP and
media. You might want to configure additional parameters according to your
company's policies. For example, you might want to configure Online Certificate Status
Protocol (OCSP) to check if SBC certificates presented in the online server are still
valid or revoked. For more information on the SBC's configuration, see the User's
Manual, available for download from https://www.audiocodes.com/library/technical-
documents.
3. Click Apply; you should see the new TLS Context and option to manage the certificates
at the bottom of 'TLS Context' table.
Figure 2-11: Configured TLS Context for Direct Routing and Interface to
Manage the Certificates
To generate a Certificate Signing Request (CSR) and obtain the certificate from a
supported Certification Authority:
1. Open the TLS Contexts page (Setup menu > IP Network tab > Security folder > TLS
Contexts).
2. In the TLS Contexts page, select the Teams TLS Context index row, and then click the
Change Certificate link located below the table; the Context Certificates page appears.
3. Under the Certificate Signing Request group, do the following:
a. In the 'Common Name [CN]' field, enter the SBC FQDN name (based on example
above, ACeducation.info).
b. In the '1st Subject Alternative Name [SAN]' field, change the type to ‘DNS’, and
then enter the SBC FQDN name (based on the example above,
ACeducation.info).
Note: The domain portion of the Common Name [CN] and 1st Subject Alternative
Name [SAN] must match the SIP suffix configured for Office 365 users.
c. Change the 'Private Key Size' based on the requirements of your Certification
Authority. Many CAs do not support private key of size 1024. In this case, you
must change the key size to 2048.
d. To change the key size on TLS Context, go to: Generate New Private Key
and Self-Signed Certificate, change the 'Private Key Size' to 2048 and then
click Generate Private-Key. To use 1024 as a Private Key Size value, you
can click Generate Private-Key without changing the default key size value.
e. Enter the rest of the request fields according to your security provider's
instructions.
f. Click the Create CSR button; a textual certificate signing request is displayed in
the area below the button:
Figure 2-12: Example of Certificate Signing Request – Creating CSR
4. Copy the CSR from the line "----BEGIN CERTIFICATE" to "END CERTIFICATE
REQUEST----" to a text file (such as Notepad), and then save it to a folder on your
computer with the file name, for example certreq.txt.
5. Send certreq.txt file to the Certified Authority Administrator for signing.
2.4.4 Deploy the SBC and Root / Intermediate Certificates on the SBC
After obtaining the SBC signed and Trusted Root/Intermediate Certificate from the CA, install
the following:
SBC certificate
Root / Intermediate certificates
2. Validate that the certificate was uploaded correctly: A message indicating that the
certificate was uploaded successfully is displayed in blue on the lower part of the page:
Figure 2-14: Message Indicating Successful Upload of the Certificate
3. In the SBC's Web interface, return to the TLS Contexts page, select the required TLS
Context index row, and then click the Certificate Information link, located at the bottom
of the TLS. Then validate the Key size, certificate status and Subject Name:
The DNS name of the Teams Direct Routing interface is sip.pstnhub.microsoft.com. In this
interface, a certificate is presented which is signed by Baltimore Cyber Baltimore CyberTrust
Root with Serial Number: 02 00 00 b9 and SHA fingerprint: d4:de:20:d0:5e:66:fc:
53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74.
To trust this certificate, your SBC must have the certificate in Trusted Certificates storage.
Download the certificate from https://cacert.omniroot.com/bc2025.pem and follow the steps
above to import the certificate to the Trusted Root storage.
Note: Before importing the Baltimore root certificate into AudioCodes' SBC, make sure
it's in .PEM or .PFX format. If it isn't, you need to convert it to .PEM or .PFX format,
otherwise the 'Failed to load new certificate' error message is displayed. To convert to
PEM format, use Windows local store on any Windows OS and then export it as 'Base-
64 encoded X.509 (.CER) certificate'.
Note: The Direct Routing interface can only use TLS for a SIP port. It does not support
using TCP due to security reasons. The SIP port might be any port of your choice.
When pairing the SBC with Office 365, the chosen port is specified in the pairing
command.
5060
Disable
SIPTrunk (according
(leave 500 (leave
0 (arbitrary LAN_IF SBC to Service 0 0 MRLan -
default default value)
name) Provider
value)
requirement)
0
(Phone 5061 (as
0
Teams System configured
(Recommended
1 (arbitrary WAN_IF SBC does not 0 in the Enable MRWan Teams
to prevent DoS
name) use UDP or Office
attacks)
TCP for SIP 365)
signaling)
Note: For implementing an MTLS connection with the Microsoft Teams network,
configure ‘TLS Mutual Authentication’ to “Enable” for the Teams SIP Interface.
Proxy
SBC Proxy Proxy
TLS Context Load
Index Name IPv4 SIP Keep- Hot
Name Balancing
Interface Alive Swap
Method
SIPTrunk Using
1 SIPTrunk Default - -
(arbitrary name) Options
Teams Using Random
2 Teams Teams Enable
(arbitrary name) Options Weights
3. Configure the address of the Proxy Set according to the parameters described in the
table below:
Table 2-7: Configuration Proxy Address for SIP Trunk
SIPTrunk.com:5060
0 UDP 0 0
(SIP Trunk IP / FQDN and port)
4. Click Apply.
3. Configure the address of the Proxy Set according to the parameters described in the
table below:
Table 2-8: Configuration Proxy Address for Teams Direct Routing
0 sip.pstnhub.microsoft.com:5061 TLS 1 1
1 sip2.pstnhub.microsoft.com:5061 TLS 2 1
2 sip3.pstnhub.microsoft.com:5061 TLS 3 1
4. Click Apply and then save your settings to flash memory.
3. Click Apply, and then confirm the configuration change in the prompt that pops up.
To configure an IP Profile:
1. Open the Proxy Sets table (Setup > Signaling and Media > Coders and Profiles >
IP Profiles).
2. Click +New to add the IP Profile for the Direct Routing interface. Configure the
parameters using the table below as reference.
Table 2-9: Configuration Example: Teams IP Profile
Parameter Value
General
Name Teams (arbitrary descriptive name)
Media Security
SBC Media Security Mode Secured
SBC Early Media
Remote Early Media RTP Detection By Media (required, as Teams Direct Routing does not send
Mode RTP immediately to remote side when it sends a SIP 18x
response)
SBC Media
Extension Coders Group AudioCodersGroups_1
RTCP Mode Generate Always (required, as some ITSPs do not send
RTCP packets during Hold, but Microsoft expects them)
ICE Mode Lite (required only when Media Bypass enabled on Teams)
SBC Signaling
SIP UPDATE Support Not Supported
Remote re-INVITE Support Supported Only With SDP
Remote Delayed Offer Support Not Supported
SBC Forward and Transfer
Remote REFER Mode Handle Locally
Remote 3xx Mode Handle Locally
SBC Hold
Inactive (some SIP Trunk may answer with a=inactive and
IP=0.0.0.0 in response to the Re-Invite with Hold request from
Remote Hold Format
Teams. Microsoft Media Stack doesn’t support this format. So,
SBC will replace 0.0.0.0 with its IP address)
All other parameters can be left unchanged at their default values.
3. Click Apply, and then save your settings to flash memory.
4. Click +New to add the IP Profile for the SIP Trunk. Configure the parameters using the
table below as a reference.
Parameter Value
General
Name SIPTrunk
Media Security
SBC Media Security Mode Not Secured
SBC Signaling
P-Asserted-Identity Header Mode Add (required for anonymous calls)
SBC Forward and Transfer
Remote REFER Mode Handle Locally
Remote Replaces Mode Handle Locally
Remote 3xx Mode Handle Locally
All other parameters can be left unchanged with their default values.
5. Click Apply, and then save your settings to flash memory.
To configure an IP Groups:
1. Open the IP Groups table (Setup menu > Signaling & Media tab > Core Entities folder
> IP Groups).
2. Click +New to add the IP Group for the SIP Trunk:
Parameter Value
Name SIPTrunk
Type Server
Proxy Set SIPTrunk
IP Profile SIPTrunk
Media Realm MRLan or MRWan (according to your network environment)
SIP Group Name (according to ITSP requirement)
All other parameters can be left unchanged with their default values.
3. Click +New to add the IP Group for the Teams Direct Routing:
Parameter Value
Name Teams
Topology Location Up
Type Server
Proxy Set Teams
IP Profile Teams
Media Realm MRWan
Classify by Proxy Set Disable
<FQDN name of the SBC in the enterprise tenant>
(For example, sbc.ACeducation.info defines the host name
(string) that the device uses in the SIP message's Via and
Contact headers. This is typically used to define an FQDN as
the host name. The device uses this string for Via and
Local Host Name Contact headers in outgoing INVITE messages sent to a
specific IP Group, and the Contact header in SIP 18x and
200 OK responses for incoming INVITE messages received
from a specific IP Group.
More information about the requirements for the various parts
of SIP messages can be found in Appendix A.2 on page 77.
Always Use Src Address Yes
Parameter Value
3. Click Apply.
Parameter Value
Index 0
Name Teams-Contact (arbitrary descriptive name)
Condition header.contact.url.host contains 'pstnhub.microsoft.com'
3. Click Apply.
Parameter Value
Index 0
Name Teams
Source SIP Interface Teams
Source IP Address 52.114.*.*
Destination Host sbc.ACeducation.info (example)
Message Condition Teams-Contact
Action Type Allow
Source IP Group Teams
3. Click Apply.
Terminate Dest
0 Any OPTIONS internal
OPTIONS Address
Refer from
Request
1 Teams Any REFER Teams Teams
URI
(arbitrary name)
Teams to SIP
IP
2 Trunk (arbitrary Teams SIPTrunk
Group
name)
SIP Trunk to
IP
3 Teams SIPTrunk Teams
Group
(arbitrary name)
Note: The routing configuration may change according to your specific deployment
topology.
As an extra security to the above note, there is option to configure traffic filtering rules (access
list) for incoming traffic on AudioCodes SBC. For each packet received on the configured
network interface, the SBC searches the table from top to bottom until the first matching rule
is found. The matched rule can permit (allow) or deny (block) the packet. Once a rule in the
table is located, subsequent rules further down the table are ignored. If the end of the table
is reached without a match, the packet is accepted. Please note that the firewall is stateless.
The blocking rules will apply to all incoming packets, including UDP or TCP responses.
Use
Subnet Start End Interface Allow
Index Source IP Protocol Specific
Prefix Port Port ID Type
Interface
Note: Be aware, that if in your configuration, connectivity to SIP Trunk (or other entities)
is performed through the same IP Interface as Teams (WAN_IF in our example), you
must add rules to allow traffic from these entities.
Notes:
• The implementation of this feature is only relevant for customers with site topology
requiring Local Media Optimization solution
• SIP Signaling is always routed via the Microsoft Phone System Cloud PBX
• For Quick guidelines, see Appendix C “Local Media Optimization – Quick
Guidelines”.
4.1 Introduction
The SBC supports the capability to optimize media flow between the Microsoft Phone System
(Cloud PBX) and Direct Route SBC devices. It implements network policies for media traffic
control flows paths between the Teams clients and the SBC devices for PSTN termination.
Enterprises consider PSTN voice as a business-critical application with high emphasis on
voice quality. Media Path Optimization in Media Bypass mode for Direct Routing helps to
better manage voice quality by enabling enterprises to do the following:
Control how the media traffic flows between the Teams clients and customer SBCs;
Allowing media streams between the Teams clients and SBCs even if SBCs are
behind the corporate firewalls with private IPs and not directly visible to Microsoft.
By default, media bypass (referred to as Direct Media by the AudioCodes SBC application)
is configured per SIP interface or per SBC device by the parameter Microsoft Teams
PowerShell configured parameter MediaBypass (True or False). When enabled, media is
routed directly between the Teams user and the SBC, bypassing the Microsoft Phone System
Cloud PBX Media Relay or Media Proxy, on the condition that the client and the SBC media
interface can establish a routed connection (verified during ICE negotiation).
Affectively this means that traffic does not need to route through an unnecessary loop. For
example, the Teams user is in the same building and/or network as the SBC (the Teams
client is inside the corporate network and has access to the Internal IP address of the SBC).
Alternatively, if the Teams user is outside the corporate network and cannot reach the internal
IP address of the SBC, then RTP media needs to pass via the Microsoft Phone System Cloud
PBX.
The new functionality of Local Media Optimization uses an additional capability for the
location of the Teams user device (for the inbound or the outgoing call). In other words, the
SBC offers the correct interface for the media based on the user device location.
The handling is based on supplementary SIP headers supplied by Microsoft Teams HUB:
X-MS-UserLocation: Indicates whether the Teams user is inside or outside the
corporate network.
X-MS-MediaPath: Indicates the FQDN of the SBC devices in the network that the call
must traverse.
X-MS-UserSite: Indicates the name of the network site
192.168.6.0/24
192.168.5.5 52.114.76.71
sbc4.contoso.com
192.168.7.0/24 PSTN
192.168.6.0/24
192.168.5.5 52.114.76.71
sbc4.contoso.com
192.168.7.0/24 PSTN
192.168.3.5 96.66..240.133
192.168.1.5
Session Border Controller + DR
PSTN Phone System
(Cloud PBX)
sbc2.contoso.com Proxy SBC
sbc1.contoso.com
192.168.2.5
sbc3.contoso.com
When a user is outside of the office (on a public internet or in a different office) the
media flows from the user to the public IP of the Proxy SBC, which proxies it to the
downstream SBC(s).
192.168.1.0/24
sbc1.contoso.com
sbc3.contoso.com
Note: Enabling Location-based routing policies is not Mandatory for LMO, instead only
the assigning of the SBC devices to the sites is required, as shown in the above
PowerShell command sets. If you would like to enable Location-based routing, refer to
the configuration reference:
https://docs.microsoft.com/en-us/microsoftteams/location-based-routing-enable
Based on the information above the Direct Routing will include three proprietary SIP Headers
to SIP Invites and Re-invites.
PSTN Gateways
PSTN Usage records for use within Voice Routes and Voice Routing Policies
Voice Routes
Voice Routing Policies
Note: This Chapter is optional, UMP offer simple and easy to use WEB portal user
interface that Alleviates need for PowerShell expertise (Chapter 4.3.1)
Site HQ
Site A 192.168.9.0/24
192.168.10.0/24
sbc5.contoso.com
Site HQ
Site A 192.168.5.0/24
192.168.6.0/24
192.168.5.5 52.114.76.71
sbc4.contoso.com
192.168.7.0/24 PSTN
4.4.3 Always Bypass with Teams User and SBC in Different Sites
This topology reflects when the Teams user is in a different location to the branch SBC;
however located inside the corporate network and BypassMode is configured to
alwaysbypass:
The Teams user device is inside the corporate network “Internal” and is in a different
location to the branch SBC and places an Outbound call – BypassMode is set to
alwaysbypass.
TheTeams user device is inside the corporate network “Internal” and is in a different
location to the branch SBC, receiving an Inbound call – BypassMode is set to
alwaysbypass.
Figure 4-8: Always Bypass with Teams User and SBC in Different Sites
Site HQ
Site A 192.168.9.0/24
192.168.10.0/24
sbc5.contoso.com
192.168.11.0/24
Site HQ
Site A
192.168.3.5 96.66..240.133
192.168.1.5
Session Border Controller + DR
PSTN Phone System
(Cloud PBX)
sbc2.contoso.com Proxy SBC
sbc1.contoso.com
192.168.2.5
sbc3.contoso.com
Site HQ
Site A 192.168.3.0/24
192.168.1.0/24
sbc1.contoso.com
sbc3.contoso.com
4.4.6 Only for Local Users with Internal Teams User in Different Sites
This topology reflects when the Teams User is in a different location to the branch SBC;
however located inside the corporate network and BypassMode is configured to
OnlyForLocalUsers:
The Teams user is inside the corporate network “Internal” and is in a different location
to the branch SBC and places an Outbound call – BypassMode is set to
OnlyForLocalUsers.
TheTeams user is inside the corporate network “Internal” and is in a different location
to the branch SBC, receiving an Inbound call – BypassMode is set to
OnlyForLocalUsers.
Figure 4-11: Only for Local Users with Internal Teams User in Different Sites
Site HQ
Site A 192.168.3.0/24
192.168.1.0/24
sbc1.contoso.com
sbc3.contoso.com
Classification
Enable TLS
Network Application UDP TCP Failure Media
Index Name TLS Port TCP Context
Interface Type Port Port Response Realm
Keepalive Name
Type
5061 Disable
SiteSIPInterface (according (leave 500 (leave
0 LAN_IF SBC 0 0 MRLan -
(arbitrary name) to site default default value)
requirement) value)
0 192.168.1.5:5061 TLS
4. Click Apply and then save your settings to flash memory.
5. Configure the IP address of the Proxy Set towards Remote SBC in Site B according to
the parameters described in the table below:
Table 4-3: Configuration Proxy Address Towards Remote SiteB SBC
0 192.168.2.5:5061 TLS
6. Click Apply and then save your settings to flash memory.
Parameter Value
General
Name Teams (arbitrary name)
Media Security
SBC Media Security Mode Secured
SBC Media
ICE Mode Lite
SBC Signaling
Remote Update Support Not Supported
Remote re-INVITE Support Supported Only With SDP
Remote Delayed Offer Support Not Supported
Remote Representation Mode Add Routing Headers
SBC Forward and Transfer
Remote REFER Mode Regular
Remote 3xx Mode Transparent
SBC Hold
Remote Hold Format Inactive
Table 4-5: Configuration Example: SIP Trunk IP Profile (toward remote SBC)
Parameter Value
General
Name SIP Trunk (arbitrary name)
SBC Forward and Transfer
Remote REFER Mode Regular
Remote Replaces Mode Standard
Remote 3xx Mode Transparent
To configure IP Group for Microsoft Teams Direct Routing for Media optimization:
1. Open the IP Groups table (Setup menu > Signaling & Media tab > Core Entities folder
> IP Groups).
2. Click Edit to re-configure the IP Group for the Microsoft Teams Direct Routing paired
SBC (Proxy SBC):
Table 4-6: Configuration Example: IP Group for Microsoft Teams Direct Routing
Parameter Value
Parameter Value
3. Click +New to add the IP Group for the SBC located at Site A. Configure the parameters
using the table below as reference:
Table 4-7: Configuration Example: IP Group for Site A SBC
Parameter Value
4. Configure the IP Group for the SBC located at Site B. Configure the parameters using
the table below as reference:
Table 4-8: Configuration Example: IP Group for Site B SBC
Parameter Value
Parameter Value
Index 0
Name Privacy Header
Manipulation Set ID 2
Condition Header.Privacy contains 'id'
Action Subject Header.Privacy
Action Type Remove
3. Configure a new manipulation rule (Manipulation Set 1) for Teams IP Group. This rule
applies to messages sent to the Teams IP Group. This stores in a variable, the host part
of the header on the INVITE requests.
Parameter Value
Index 1
Name Assign Var 1
Manipulation Set ID 1
Message Type Invite.Request
Condition Var.Session.1 == ''
Action Subject Var.Session.1
Action Type Modify
Action Value Header.To.URL.Host
4. Configure a new manipulation rule (Manipulation Set 1) for Teams IP Group. This rule
applies to messages sent to the Teams IP Group. This replaces the host part of the SIP
Contact Header with the value exist in To header on the INVITE requests.
Parameter Value
Index 2
Name Change Contact
Manipulation Set ID 1
Message Type Invite.Request
Action Subject Header.Contact.URL.Host
Action Type Modify
Action Value Var.Session.1
5. Configure a new manipulation rule (Manipulation Set 1) for Teams IP Group. This rule
applies to messages sent to the Teams IP Group. This replaces the host part of the SIP
Contact Header with the value existing in To Header on the RE-INVITE requests.
Parameter Value
Index 3
Name Change Contact
Manipulation Set ID 1
Message Type ReInvite.Request
Action Subject Header.Contact.URL.Host
Action Type Modify
Action Value Var.Session.1
Terminate Dest
0 Any OPTIONS internal
OPTIONS Address
Teams to
SIP Trunk Destinati
1 Teams Site
(arbitrary on Tag
name)
SIP Trunk
to Teams IP
2 Any Teams
(arbitrary Group
name)
Parameter Value
General
Name Teams (arbitrary name)
Media Security
SBC Media Security Mode Secured
SBC Media
ICE Mode Lite
SBC Signaling
Remote Update Support Not Supported
Remote re-INVITE Support Supported Only With SDP
Remote Delayed Offer Support Not Supported
Remote Representation Mode Replace Contact
SBC Forward and Transfer
Remote REFER Mode Handle Locally
Remote Replaces Mode Handle Locally
3. Click Edit to re-configure the IP Profile for the SIP Trunk. Configure the parameters
using the table below as reference.
Table 4-15: Configuration Example: SIP Trunk IP Profile (toward SIP Provider/ Media Gateway)
Parameter Value
General
Name SIP Trunk (arbitrary name)
SBC Forward and Transfer
Remote REFER Mode Handle Locally
Note: The only parameter required for implementing Local Media Optimization
handling is ‘SIP Group Name’. All other parameters can be left according to your
configuration and might be different.
To re-configure an IP Groups:
1. Open the IP Groups table (Setup menu > Signaling & Media tab > Core Entities folder
> IP Groups).
2. Click Edit to re-configure an IP Group towards Teams in the remote site SBC:
Table 4-16: Configuration Example: Site SBC IP Group towards Teams (through Proxy SBC)
Parameter Value
IP
1 Terminate Refer Any Any Refer ProxySBC ProxySBC
Group
All other Routing rules can be left unchanged with their default values.
Notes:
• This section is only relevant for implementation, where the remote site is
populated with PSTN connectivity (through Gateway Application).
• The Gateway configuration can vary from customer to customer, therefore in
this document, we only provide the configuration changes that are necessary
to adopt the Gateway to work with Local Media Optimization.
• Device should be populated with the appropriate (SBC session and IP
security) licenses.
Parameter Value
General
Name Teams (arbitrary name)
Media Security
SBC Media Security Mode Secured
SBC Media
ICE Mode Lite
SBC Signaling
Remote Update Support Not Supported
Remote re-INVITE Support Supported Only With SDP
Remote Delayed Offer Support Not Supported
Remote Representation Mode Replace Contact
SBC Forward and Transfer
Remote REFER Mode Handle Locally
Remote Replaces Mode Handle Locally
Remote 3xx Mode Handle Locally
SBC Hold
Remote Hold Format Inactive
To configure an IP Group:
1. Open the IP Groups table (Setup menu > Signaling & Media tab > Core Entities folder
> IP Groups).
2. Click +New to add the IP Group towards Proxy SBC:
Table 4-22: Configuration Example: Site IP Group
Parameter Value
Source IP Request Call ReRoute Dest Dest Dest SIP Dest Dest
Index Name
Group Type Triger IP Group Type IP Group Interface Address Port
Terminate Dest
0 Any OPTIONS internal
OPTIONS Address
Refer from
Teams Request
1 Any REFER ProxySBC ProxySBC
(arbitrary URI
name)
GW to Teams
Teams ProxySBC
(arbitrary name)
All other parameters can be left unchanged with their default values.
A.1 Terminology
Strictly required. The deployment does not function correctly without the correct
Must
configuration of these parameters.
Contact header
• MUST: When placing calls to the Direct Routing interface, the 'CONTACT' header
must have the SBC FQDN in the URI hostname
• Syntax: Contact: <phone number>@<FQDN of the SBC>:<SBC Port>;<transport
type>
• If the parameter is not configured correctly, calls are rejected with a '403 Forbidden'
message.
Contact header
• MUST: When sending OPTIONS to the Direct Routing interface, the 'CONTACT'
header must have the SBC FQDN in the URI hostname
• Syntax: Contact: <phone number>@<FQDN of the SBC>:<SBC Port>;<transport
type>
• If the parameter is not configured correctly, the calls are rejected with a '403
Forbidden' message
The table below shows where in the Web interface the parameters are configured and where in this
document you can find the configuration instructions.
Table A-1: Syntax Requirements for an 'OPTIONS' Message
Contact Setup > Signaling and Media > See Section 2.12.
Core Entities > IP Groups>
<Group Name> > Local Host
Name
In IP Group, 'Contact' must be
configured. In this field ('Local
Host Name'), define the local host
name of the SBC as a string, for
example, sbc.ACeducation.info.
The name changes the host
name in the call received from the
IP Group.
Remote Site B
5061
SiteSIPInt (accord Disable
erface ing to (leave 500 (leave MRLa
0 LAN_IF SBC 0 0 -
(arbitrary site default default value) n
name) require value)
ment)
0
(Phone
5061
System
(as
does 0
Teams configu
not use (Recommended MRW
1 (arbitrary WAN_IF SBC 0 red in Enable Teams
UDP or to prevent DoS an
name) the
TCP for attacks)
Office
SIP
365)
signalin
g)
5060
Disable 0
SIPTrunk (according
(leave (Recommended
0 (arbitrary WAN_IF SBC to Service 0 0 MRWan -
default to prevent DoS
name) Provider
value) attacks)
requirement)
0 (Phone
System
ProxySBC
does not 500 (leave
1 (arbitrary LAN_IF SBC 0 5061 Enable MRLan -
use UDP or default value)
name)
TCP for SIP
signaling)
Proxy
TLS Proxy Proxy
SBC IPv4 SIP Load Transport Proxy
Index Name Context Keep- Hot Proxy Address
Interface Balancing Type Priority
Name Alive Swap
Method
192.168.1.5:5061
SiteA
SiteSIPInterface Using (IP address of the
1 (arbitrary Default - - TLS
(arbitrary name) Options Proxy Set to
name)
SiteA)
192.168.2.5:5061
SiteB
SiteSIPInterface Using (IP address of the
2 (arbitrary Default - - TLS
(arbitrary name) Options Proxy Set to
name)
SiteB)
sip.pstnhub.micros
oft.com:5061
Teams TLS 1
Using Enabl Random sip2.pstnhub.micr
3 (arbitrary Teams Teams TLS 2
Options e Weights osoft.com:5061
name) TLS 3
sip3.pstnhub.micr
osoft.com:5061
Proxy
SBC IPv4 TLS Proxy Proxy
Load Transport
Index Name SIP Context Keep- Hot Proxy Address Proxy Priority
Balancing Type
Interface Name Alive Swap
Method
SIPTrunk
Using
1 (arbitrary SIPTrunk Default - - SIPTrunk.com.5060 UDP -
Options
name)
ProxySBC
Using
2 (arbitrary ProxySBC Default - - {ProxySBC IP}.5061 TLS -
Options
name)
C.4 IP Profile
Table C-5: IP Profile Configuration Summary
General
By Media By Media
(required, as (required, as
Remote Teams Direct Teams Direct
Early Media Routing does not Routing does not
By Signaling = By Signaling =
RTP send RTP send RTP
(Default) (Default)
Detection immediately to immediately to
Mode remote side when remote side when it
it sends a SIP 18x sends a SIP 18x
response) response)
SBC Media
SBC Signaling
SIP
Supported = Supported =
UPDATE Not Supported Not Supported
(Default) (Default)
Support
Remote re-
Supported = Supported Only Supported = Supported Only
INVITE
(Default) With SDP (Default) With SDP
Support
Remote
Delayed Supported Supported
Not Supported Not Supported
Offer (default) (default)
Support
P-Asserted-
Identity Add (required for Add (required for
As Is = (Default) As Is = (Default)
Header anonymous calls) anonymous calls)
Modet
Remote
Regular = Regular =
REFER Handle Locally Handle Locally
(Default) (Default)
Mode
Remote
Standard = Standard =
Replaces Handle Locally Handle Locally
(Default) (Default)
Mode
Remote Transparent = Transparent =
Handle Locally Handle Locally
3xx Mode (Default) (Default)
Remote According to According to
Add Routing
Representa Operation Mode = Replace Contact Operation Mode =
Headers
tion Mode (Default) (Default)
SBC Hold
Remote
Transparent = Transparent =
Hold Inactive Inactive
(Default) (Default)
Format
All other parameters can be left unchanged at their default values.
C.5 IP Group
Table C-6: IP Group Proxy SBC toward Teams Configuration Summary
Parameter Value
Name Teams
Type Server
Proxy Set Teams
IP Profile Teams
Media Realm MRWan
MRLan
This parameter is relevant when the 'Teams Local Media Optimization
Handling' parameter (see below) is configured to any value other than
Internal Media Realm “None” and the X-MS-UserLocation header in the incoming SIP
message is set to ‘Internal’. In this case, the Internal Media Realm
determines the UDP port range and maximum sessions for Media traffic
on this IP interface.
Parameter Value
Table C-7: IP Group Proxy SBC toward Remote SBC’s Configuration Summary
Parameter Value
Outbound Message
2
Manipulation Set
All other parameters can be left unchanged with their default values.
Table C-8: IP Group Remote SBC toward Proxy SBC Configuration Summary
Parameter Value
Name SIPTrunk
Topology Location Down
Type Server
All other parameters can be left unchanged with their default values.
Table C-9: IP Group Remote SBC toward SIP Trunk (PSTN) Configuration Summary
Parameter Value
Name ProxySBC
Topology Location Down
Type Server
Proxy Set ProxySBC
IP Profile ProxySBC
Media Realm MRLan
All other parameters can be left unchanged with their default values.
Terminate Dest
0 Any OPTIONS internal
OPTIONS Address
Teams to
SIP Trunk Destination
1 Teams Site
(arbitrary Tag
name)
SIP Trunk
to Teams
2 Any IP Group Teams
(arbitrary
name)
Terminate Dest
0 Any OPTIONS internal
OPTIONS Address
Terminate
Refer
1 Any Any REFER ProxySBC IP Group ProxySBC
(arbitrary
name)
Teams to
SIP Trunk
2 ProxySBC IP Group SIPTrunk
(arbitrary
name)
SIP Trunk
to Teams
3 SIPTrunk IP Group ProxySBC
(arbitrary
name)
Parameter Value
Index 0
Manipulation Set ID 2
Condition Header.Privacy contains 'id'
Action Subject Header.Privacy
Parameter Value
Index 1
Manipulation Set ID 1
Message Type Invite.Request
Condition Var.Session.1 == ''
Action Subject Var.Session.1
Parameter Value
Index 2
Name Change Contact
Manipulation Set ID 1
Message Type Invite.Request
Parameter Value
Index 3
Manipulation Set ID 1
AudioCodes Inc.
200 Cottontail Lane
Suite A101E
Somerset NJ 08873
Tel: +1-732-469-0880
Fax: +1-732-469-2298
©2020 AudioCodes Ltd. All rights reserved. AudioCodes, AC, HD VoIP, HD VoIP Sounds Better, IPmedia, Mediant,
MediaPack, What’s Inside Matters, OSN, SmartTAP, User Management Pack, VMAS, VoIPerfect, VoIPerfectHD, Your
Gateway To VoIP, 3GX, VocaNom, AudioCodes One Voice, AudioCodes Meeting Insights, AudioCodes Room
Experience and CloudBond are trademarks or registered trademarks of AudioCodes Limited. All other products or
trademarks are property of their respective owners. Product specifications are subject to change without notice.
Document #: LTRT-13322