Rediger

Del via


Connect your Session Border Controller (SBC) to Direct Routing

This article describes how to configure a Session Border Controller (SBC) and connect it to Direct Routing. This is step 1 of the following steps to configure Direct Routing:

For information on all the steps required to set up Direct Routing, see Configure Direct Routing.

To configure and connect an SBC to Direct Routing, you can use the Microsoft Teams admin center or PowerShell .

Note

For GCC High and DoD clouds, you must use PowerShell. The option to connect the SBC is not available in the Teams admin center.

Use the Microsoft Teams admin center

  1. In the left navigation, go to Voice > Direct Routing, and then click the SBCs tab.

  2. Click Add.

  3. Enter an FQDN for the SBC.

    Make sure the domain name portion of the FQDN matches a domain that's registered in your tenant. Keep in mind that the *.onmicrosoft.com domain name isn't supported for the SBC FQDN domain name. For example, if you have two domain names, contoso.com and contoso.onmicrosoft.com, use sbc.contoso.com as the SBC name. If using a subdomain, make sure this subdomain is also registered in your tenant. For example, if you want to use sbc.service.contoso.com, then service.contoso.com needs to be registered.

  4. Configure the settings for the SBC, based on your organization's needs. For details on each of these settings, see SBC settings.

  5. When you're done, click Save.

Use PowerShell

To connect your SBC to Direct Routing, you'll need to:

  1. Connect to Teams by using PowerShell.

  2. Connect the SBC to the tenant.

  3. Verify the SBC connection.

Connect to Teams by using PowerShell

To pair the SBC to the Direct Routing interface, use a Teams PowerShell module session connected to the tenant. To open a PowerShell session, follow the steps outlined in Set up your computer for Windows PowerShell.

After you establish a remote PowerShell session, verify that you can see the commands to manage the SBC. To verify the commands, type or copy and paste the following command in the PowerShell session, and then press Enter:

Get-Command *onlinePSTNGateway*

The command returns the four functions shown here that will let you manage the SBC.

CommandType    Name                       Version    Source 
-----------    ----                       -------    ------ 
Function       Get-CsOnlinePSTNGateway    1.0        tmp_v5fiu1no.wxt 
Function       New-CsOnlinePSTNGateway    1.0        tmp_v5fiu1no.wxt 
Function       Remove-CsOnlinePSTNGateway 1.0        tmp_v5fiu1no.wxt 
Function       Set-CsOnlinePSTNGateway    1.0        tmp_v5fiu1no.wxt

Connect the SBC to the tenant

To connect the SBC to the tenant, use the New-CsOnlinePSTNGateway cmdlet. In a PowerShell session, type the following, and then press Enter:

New-CsOnlinePSTNGateway -Fqdn <SBC FQDN> -SipSignalingPort <SBC SIP Port> -MaxConcurrentSessions <Max Concurrent Sessions the SBC can handle> -Enabled $true

Considerations

  • Microsoft recommends that you set a maximum call limit in the SBC using information that can be found in the SBC documentation. The limit will trigger a notification if the SBC is at the capacity level.

  • You can only connect the SBC if the domain portion of its FQDN matches one of the domains registered in your tenant, except *.onmicrosoft.com. Using *.onmicrosoft.com domain names is not supported for the SBC FQDN name. For example, if you have two domain names, contoso.com and contoso.onmicrosoft.com, you can use sbc.contoso.com for the SBC name. If you try to connect the SBC with a name such as sbc.contoso.abc, the system won't let you, as the domain is not owned by this tenant.

    In addition to the domain registered in your tenant, it's important that there's a user with that domain and an assigned E3 or E5 license. If not, you'll receive the following error:
    Can not use the "sbc.contoso.com" domain as it was not configured for this tenant.

  • To assign a user with that domain, the configured authentication type of the domain must be "Managed".

  • Multiple IPs mapped with the same FQDN on the SBC side are not supported.

  • To provide the best-in-class encryption to our customers, Microsoft will force TLS1.2 usage for the Direct Routing SIP interface. To avoid any service impact, ensure that your SBCs are configured to support TLS1.2 and can connect using one of the following cipher suites:

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 i.e. ECDHE-RSA-AES256-GCM-SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 i.e. ECDHE-RSA-AES128-GCM-SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 i.e. ECDHE-RSA-AES256-SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 i.e. ECDHE-RSA-AES128-SHA256
  • SIP OPTIONS pings MUST NOT exceed a frequency of one transaction every 60 seconds and MUST NOT be more or less frequent than one transaction every 180 seconds for each configured trunk for each endpoint.

Here's an example. This example shows only the minimum required parameters. There are additional parameters that you can set with the New-CsOnlinePSTNGateway cmdlet during the connection process. To learn more, see SBC settings.

New-CsOnlinePSTNGateway -Identity sbc.contoso.com -Enabled $true -SipSignalingPort 5067 -MaxConcurrentSessions 100 

Which returns:

Identity              : sbc.contoso.com 
Fqdn                  : sbc.contoso.com 
SipSignalingPort     : 5067 
FailoverTimeSeconds   : 10 
ForwardCallHistory    : False 
ForwardPai            : False 
SendSipOptions        : True 
MaxConcurrentSessions : 100 
Enabled               : True   

Verify the SBC connection

To verify the connection:

Check whether the SBC is on the list of paired SBCs

After you connect the SBC, use the Get-CsOnlinePSTNGateway cmdlet to verify that the SBC is present in the list of paired SBCs. Type the following in a remote PowerShell session, and then press Enter:

Get-CsOnlinePSTNGateway -Identity sbc.contoso.com  

The paired gateway should appear in the list as shown in the example below, and the Enabled parameter should display a value of True.

Which returns:

Identity              : sbc.contoso.com  
Fqdn                  : sbc.contoso.com
SipSignalingPort     : 5067
FailoverTimeSeconds   : 10
ForwardCallHistory    : False
ForwardPai            : False
SendSipOptions        : True
MaxConcurrentSessions : 100
Enabled               : True

Validate SIP options

To validate the pairing using outgoing SIP options, use the SBC management interface and confirm that the SBC receives 200 OK responses to its outgoing OPTIONS messages.

When Direct Routing sees incoming OPTIONS, it will start sending outgoing SIP Options messages to the SBC FQDN configured in the Contact header field in the incoming OPTIONS message.

To validate the pairing using incoming SIP options, use the SBC management interface. Check to see that the SBC sends a reply to the OPTIONS messages coming in from Direct Routing, and that the response code it sends is 200 OK.

SBC settings

This table lists the options that you can set for the SBC in the Microsoft Teams admin center and by using the New-CsOnlinePSTNGateway cmdlet.

Required? Teams admin center setting PowerShell parameter Description Default Possible values Type and restrictions
Yes Add an FQDN for the SBC FQDN None FQDN name, limit 63 characters String, see the list of allowed and disallowed characters on Naming conventions in Active Directory for computers, domains, sites, and OUs
No Enabled Enabled Use to turn on the SBC for outbound calls. You can use this to temporarily remove the SBC from service while it's being updated or during maintenance. False True
False
Boolean
Yes SIP signaling port SipSignalingPort This is the listening port that's used to communicate with Direct Routing by using the Transport Layer (TLS) protocol. None Any port 0 to 65535
No Send SIP options SendSIPOptions Defines whether the SBC will send SIP options messages. We highly recommend that you turn on this setting. When this setting is off, the SBC is excluded from the Monitoring and Alert system. True True
False
Boolean
No Forward call history ForwardCallHistory Indicates whether call history information is forwarded through the trunk. When you turn this on, the Microsoft 365 proxy sends a History-info and Referred-by header. False True
False
Boolean
No Forward P-Asserted-identity (PAI) header ForwardPAI Indicates whether the PAI header is forwarded along with the call. The PAI header provides a way to verify the identity of the caller. If this setting is on, the Privacy:ID header is also sent. False True
False
Boolean
No Concurrent call capacity MaxConcurrentSessions When you set a value, the alerting system will notify you when the number of concurrent sessions is 90 percent or higher than this value. If you don't set a value, alerts aren't generated. However, the monitoring system will report the number of concurrent sessions every 24 hours. Null Null
1 to 100,000
No Failover response codes FailoverResponseCodes
Specifying a failover response code forces Direct Routing to attempt connection with another SBC (if another one exists in the user's voice routing policy) upon receiving any of the specified response codes from the SBC on an SBC-terminated initial INVITE request. Note: A retry will only occur in the absence of prior non-100 provisional responses. To learn more, see Failover of specific SIP codes received from the Session Border Controller (SBC). 408, 503, 504 Int
No Failover times (seconds) FailoverTimeSeconds When you set a value, outbound calls that aren't answered by the gateway within the time that you set are routed to the next available trunk. If there are no additional trunks, the call is automatically dropped. The default value is 10 seconds. In an organization with slow networks and gateway responses, this could potentially result in calls being dropped unnecessarily. 10 Number Int
No SBC supports PIDF/LO for emergency calls PidfloSupported Specify whether the SBC supports Presence Information Data Format Location Object (PIDF/LO) for emergency calls.

For information about Loction-Based Routing and media optimization settings, see Plan for Location-Based Routing and Plan for media bypass with Direct Routing.

See also

Plan Direct Routing

Configure Direct Routing

Teams PowerShell overview