- 7 minutes to read
- Applies to:
- Microsoft Teams
This article describes how to configure a Session Border Controller (SBC) and connect it to Direct Routing. This is step 1 of the following steps to configure Direct Routing:
- Step 1. Connect your SBC with Phone System and validate the connection (This article)
- Step 2. Enable users for Direct Routing
- Step 3. Configure call routing
- Step 4. Translate numbers to an alternate format
For information on all the steps required to set up Direct Routing, see Configure Direct Routing.
You can use the Microsoft Teams admin center or PowerShell to configure and connect an SBC to Direct Routing.
Using the Microsoft Teams admin center
In the left navigation, go to Voice > Direct Routing, and then click the SBCs tab.
Enter an FQDN for the SBC.
Make sure the domain name portion of the FQDN matches a domain that's registered in your tenant and keep in mind that the
*.onmicrosoft.comdomain name isn't supported for the SBC FQDN domain name. For example, if you have two domain names,
sbc.contoso.comas the SBC name. If using a subdomain, make sure this subdomain is also registered in your tenant. For example, if you want to use
service.contoso.comneeds to be registered.
Configure the following settings for the SBC, based on your organization's needs. For details on each of these settings, see SBC settings.
When you're done, click Save.
To connect your SBC to Direct Routing, you'll need to:
Connect to Skype for Business Online by using PowerShell.
Connect the SBC to the tenant.
Verify the SBC connection.
Connect to Skype for Business Online by using PowerShell
To pair the SBC to the Direct Routing interface, use a PowerShell session connected to the tenant. To open a PowerShell session, follow the steps outlined in Set up your computer for Windows PowerShell.
After you establish a remote PowerShell session, verify that you can see the commands to manage the SBC. To verify the commands, type or copy and paste the following command in the PowerShell session, and then press Enter:
The command returns the four functions shown here that will let you manage the SBC.
CommandType Name Version Source ----------- ---- ------- ------ Function Get-CsOnlinePSTNGateway 1.0 tmp_v5fiu1no.wxt Function New-CsOnlinePSTNGateway 1.0 tmp_v5fiu1no.wxt Function Remove-CsOnlinePSTNGateway 1.0 tmp_v5fiu1no.wxt Function Set-CsOnlinePSTNGateway 1.0 tmp_v5fiu1no.wxt
Connect the SBC to the tenant
To connect the SBC to the tenant, use the New-CsOnlinePSTNGateway cmdlet. In a PowerShell session, type the following, and then press Enter:
New-CsOnlinePSTNGateway -Fqdn <SBC FQDN> -SipSignalingPort <SBC SIP Port> -MaxConcurrentSessions <Max Concurrent Sessions the SBC can handle> -Enabled $true
- We recommend that you set a maximum call limit in the SBC using information that can be found in the SBC documentation. The limit will trigger a notification if the SBC is at the capacity level.
- You can only connect the SBC if the domain portion of its FQDN matches one of the domains registered in your tenant, except *.onmicrosoft.com. Using *.onmicrosoft.com domain names is not supported for the SBC FQDN name. For example, if you have two domain names, contoso.com and contoso.onmicrosoft.com, you can use sbc.contoso.com for the SBC name. If you try to connect the SBC with a name such as sbc.contoso.abc, the system won't let you, as the domain is not owned by this tenant.
In addition to the domain registered in your tenant, it's important that there's a user with that domain and an assigned E3 or E5 license. If not, you'll receive the following error:
Can not use the "sbc.contoso.com" domain as it was not configured for this tenant.
- Multiple IPs mapped with the same FQDN on the SBC side are not supported.
- To provide the best-in-class encryption to our customers, Microsoft will force TLS1.2 usage for the Direct Routing SIP interface.To avoid any service impact, ensure that your SBCs are configured to support TLS1.2 and can connect using one of the following cipher suites:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 i.e. ECDHE-RSA-AES256-GCM-SHA384TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 i.e. ECDHE-RSA-AES128-GCM-SHA256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 i.e. ECDHE-RSA-AES256-SHA384TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 i.e. ECDHE-RSA-AES128-SHA256
- SIP OPTIONS pings MUST NOT exceed a frequency of one transaction every 60 seconds and MUST NOT be more or less frequent than one transaction every 180 seconds for each configured trunk for each endpoint.
Here's an example:
New-CsOnlinePSTNGateway -Identity sbc.contoso.com -Enabled $true -SipSignalingPort 5067 -MaxConcurrentSessions 100
Identity : sbc.contoso.com Fqdn : sbc.contoso.com SipSignalingPort : 5067 FailoverTimeSeconds : 10 ForwardCallHistory : False ForwardPai : False SendSipOptions : True MaxConcurrentSessions : 100 Enabled : True
This example shows only the minimum required parameters. There are additional parameters that you can set with the New-CsOnlinePSTNGateway cmdlet during the connection process. To learn more, see SBC settings.
Verify the SBC connection
To verify the connection:
- Check whether the SBC is on the list of paired SBCs.
- Validate SIP options.
Check whether the SBC is on the list of paired SBCs
After you connect the SBC, use the Get-CsOnlinePSTNGateway cmdlet to verify that the SBC is present in the list of paired SBCs. Type the following in a remote PowerShell session, and then press Enter:
Get-CsOnlinePSTNGateway -Identity sbc.contoso.com
The paired gateway should appear in the list as shown in the example below, and the Enabled parameter should display a value of True.
Identity : sbc.contoso.com Fqdn : sbc.contoso.comSipSignalingPort : 5067CodecPriority : SILKWB,SILKNB,PCMU,PCMAExcludedCodecs : FailoverTimeSeconds : 10ForwardCallHistory : FalseForwardPai : FalseSendSipOptions : TrueMaxConcurrentSessions : 100Enabled : True
Validate SIP options
To validate the pairing using outgoing SIP options, use the SBC management interface and confirm that the SBC receives 200 OK responses to its outgoing OPTIONS messages.
When Direct Routing sees incoming OPTIONS, it will start sending outgoing SIP Options messages to the SBC FQDN configured in the Contact header field in the incoming OPTIONS message.
To validate the pairing using incoming SIP options, use the SBC management interface and see that the SBC sends a reply to the OPTIONS messages coming in from Direct Routing and that the response code it sends is 200 OK.
This table lists the options that you can set for the SBC in the Microsoft Teams admin center and by using the New-CsOnlinePSTNGateway cmdlet.
|Required?||Teams admin center setting||PowerShell parameter||Description||Default||Possible values||Type and restrictions|
|Yes||Add an FQDN for the SBC||FQDN||None||FQDN name, limit 63 characters||String, see the list of allowed and disallowed characters on Naming conventions in Active Directory for computers, domains, sites, and OUs|
|No||Enabled||Enabled||Use to turn on the SBC for outbound calls. You can use this to temporarily remove the SBC from service while it's being updated or during maintenance.||False||True|
|Yes||SIP signaling port||SipSignalingPort||This is the listening port that's used to communicate with Direct Routing by using the Transport Layer (TLS) protocol.||None||Any port||0 to 65535|
|No||Send SIP options||SendSIPOptions||Defines whether the SBC will send SIP options messages. We highly recommend that you turn on this setting. When this setting is off, the SBC is excluded from the Monitoring and Alert system.||True||True|
|No||Forward call history||ForwardCallHistory||Indicates whether call history information is forwarded through the trunk. When you turn this on, the Microsoft 365 proxy sends a History-info and Referred-by header.||False||True|
|No||Forward P-Asserted-identity (PAI) header||ForwardPAI||Indicates whether the PAI header is forwarded along with the call. The PAI header provides a way to verify the identity of the caller. If this setting is on, the Privacy:ID header is also sent.||False||True|
|No||Concurrent call capacity||MaxConcurrentSessions||When you set a value, the alerting system will notify you when the number of concurrent sessions is 90 percent or higher than this value. If you don't set a value, alerts aren't generated. However, the monitoring system will report the number of concurrent sessions every 24 hours.||Null||Null|
1 to 100,000
|No||Failover response codes||FailoverResponseCodes||If Direct Routing receives any 4xx or 6xx SIP error code in response to an outgoing Invite, the call is considered completed by default. Outgoing means a call from a Teams client to the PSTN with traffic flow: Teams client -> Direct Routing -> SBC -> telephony network). When you specify a failover response code, this forces Direct Routing to try another SBC (if another SBC exists in the voice routing policy of the user) when it receives the specified codes if the SBC can't make a call because of network or other issues. To learn more, see Failover of specific SIP codes received from the Session Border Controller (SBC).||408, 503, 504||Int|
|No||Failover times (seconds)||FailoverTimeSeconds||When you set a value, outbound calls that aren't answered by the gateway within the time that you set are routed to the next available trunk. If there are no additional trunks, the call is automatically dropped. The default value is 10 seconds. In an organization with slow networks and gateway responses, this could potentially result in calls being dropped unnecessarily.||10||Number||Int|
|No||Preferred country or region for media traffic||MediaRelayRoutingLocationOverride||Not applicable to Direct Routing. This parameter is reserved for use with managed carriers in Calling Plans||None|
|No||SBC supports PIDF/LO for emergency calls||PidfloSupported||Specify whether the SBC supports Presence Information Data Format Location Object (PIDF/LO) for emergency calls.|
|No||-||MediaBypass||This setting indicates whether the SBC supports media bypass and whether you want to use it for this SBC.||None||True|
Plan Direct Routing
Configure Direct Routing
Teams PowerShell overview