by As per this HUGE announcement, Microsoft Phone System Direct Routing is now available!
What does this mean?
In essence, this means that it is now possible to configure a SIP Trunk directly from a supported on-premises Session Border Controller (SBC) to Microsoft Teams via the internet.
Microsoft’s Enterprise Voice Strategy for the Cloud
To understand how this fits into the overall picture, the diagram below outlines the main components that come together to enable PSTN connectivity for Office 365 in Australia. This diagram assumes I do not have an on-premises Skype for Business server deployed, and simply want to enable voice services for users homed within Office 365 with minimal on-premises infrastructure:
To summarise the options for PSTN connectivity available today:
- There are two platforms in the Microsoft cloud that can provide voice services: Skype for Business & Microsoft Teams
- To enable PBX like capabilities in either, users must have a Phone System license
- To enable connectivity to the PSTN network, there are three options:
- Direct routing for Teams – enables PSTN connectivity for Microsoft Teams only. Requires on-premises infrastructure (SBC).
- Telstra Calling for Office 365 – enables PSTN connectivity for both Skype for Business Online and Microsoft Teams. A pure cloud offering.
- Cloud Connector Edition (CCE) – enables PSTN connectivity for Skype for Business Online only. Requires on-premises infrastructure (SBC & Hyper-V Host with VMs).
How does Direct Routing Differ from CCE?
Microsoft Cloud Connector edition was a great way to enable PSTN connectivity for Skype for Business Online users, particularly as native cloud calling plans are only now available in Australia. However, CCE will support PSTN connectivity for Skype for Business Online only, not Microsoft Teams. The other key differentiator with Direct Routing is that I no longer need to deploy the Cloud Connector Edition virtual machines as well as an SBC to provide connectivity to the Office 365 cloud: a certified SBC is all that is required.
Another major difference with Direct Routing is that it can be deployed side by side with Telstra Calling for Office 365 Calling Plans. This means we now have greater flexibility in deployment options: I can choose to have some calls route via on-premises infrastructure, and other calls to route to the PSTN network direct from the cloud via Telstra Calling. This is useful in environments where I may want to route some calls to existing on-premises infrastructure (call centres, analogue endpoints, other 3rd party telephony infrastructure), but have the bulk of my organisation’s PSTN calls route via a Telstra Calling Plan (ignore “Microsoft Calling Plan” in the diagram below, in Australia it’s known as a Telstra Calling Plan):
Call Routing Options with Microsoft Teams
Now that there are two ways I can route calls to the PSTN from Microsoft Teams at the same time, how do I control what routes where?
Per User Call Routing
Using this approach, users are configured to route all their calls via Direct Routing or via a Telstra Calling Plan. In this example, one user is assigned a Calling Plan (pure cloud), the other a Direct Routing policy (via on-premises SBC):
Route Based on Dial Pattern
Using this approach, calls are routed via Telstra Calling plan or Direct Routing based on the number dialled. For example, if I dial numbers associated with an on-premises call centre, these route via Direct Routing, all other calls route via a Telstra Calling Plan:
Call Flow Logic
In the above example, calls route one of two ways depending on the number dialled. But what’s the logic? How does it “know” to route via a calling plan if Direct Routing fails to find a match? The following diagram outlines the decision tree when a user makes a phone call. As long as the user is licensed for Telstra Calling from within the Office 365 portal, the call will automatically route if no matching Direct Routes are found:
Direct Routing: How to Configure
In this section, I will walk through end to end configuration that enables Direct Routing with Microsoft Teams from an on-premises SIP Trunk, via a Ribbon SBC Edge 1000. This section assumes you have an intimate knowledge of Ribbon SBC configuration!
What Do I Need?
The following diagram gives a good overview of all the requirements needed to enable Direct Routing:
For more details on planning and configuring direct routing, check out the following Microsoft Docs:
Network Requirements
In order to support direct routing, a single public IP address is required that must be presented to the SBC. In my example configuration below, I created a new dedicated one-to-one NAT on the perimeter firewall: 121.50.209.233 <> 192.168.1.187. The private address was then bound as an additional IP address to Ethernet 1:
FQDNs and Firewall Port Requirements
The connection point for Direct Routing are the following three FQDNs:
- sip.pstnhub.microsoft.com – Global FQDN – must be tried first. When the SBC sends a request to resolve this name, the Microsoft Azure DNS servers return an IP address pointing to the primary Azure datacenter assigned to the SBC. The assignment is based on performance metrics of the datacenters and geographical proximity to the SBC. The IP address returned corresponds to the primary FQDN
- sip2.pstnhub.microsoft.com – Secondary FQDN – geographically maps to the second priority region
- sip3.pstnhub.microsoft.com – Tertiary FQDN – geographically maps to the third priority region
Placing these three FQDNs in order is required to:
- Provide optimal experience (less loaded and closest to the SBC datacentre assigned by querying the first FQDN)
- Provide failover when connection from an SBC is established to a datacentre that is experiencing a temporary issue
The FQDNs sip.pstnhub.microsoft.com, sip2.pstnhub.microsoft.com and sip3.pstnhub.microsoft.com will be resolved to one of the following IP addresses:
- 52.114.148.0
- 52.114.132.46
- 52.114.75.24
- 52.114.76.76
- 52.114.7.24
- 52.114.14.70
- 52.114.20.29
- 52.114.16.74
If your firewall supports DNS name resolution, the FQDN sip-all.pstnhub.microsoft.com resolves to all IP addresses listed above.
Note: The firewall port requirements below assume media bypass is not enabled. For additional port requirements for media bypass scenarios, see Plan for media bypass with Direct Routing
The following firewall ports are required to be open for all the above IP addresses:
| Traffic | From | To | Source Port | Destination Port | Description |
| SIP/TLS | Teams SIP Proxy
(IP addresses above) | Ribbon SBC | 1024-65535 TCP | Defined on SBC | SIP signalling from Teams to Ribbon SBC. In example below, destination port selected for SIP signalling is 5061. |
| SIP/TLS | Ribbon SBC | Teams SIP Proxy
(IP addresses above) | 1024-65535 TCP | 5061 TCP | SIP signalling from Ribbon SBC to Teams. |
| UDP/SRTP | Teams Media Processor 52.112.0.0/14 52.120.0.0/14 | Ribbon SBC | 3478-3481 & 49152-53247 UDP | Defined on SBC | Media from Teams to Ribbon SBC. The destination port is configurable on the SBC. |
| UDP/SRTP | Ribbon SBC | Teams Media Processor 52.112.0.0/14 52.120.0.0/14 | Defined on SBC | 3478-3481 & 49152-53247 UDP | Media from Ribbon SBC to Teams. The source port is configurable on the SBC. |
DNS Requirements
Before moving onto the configuration steps below, make sure you have created a public DNS A record for your Direct Routing trunk FQDNs. In this example, I created an A record for teamstrunk.insynctechnology.com.au pointing at 121.50.209.233.
Step 1: Office 365 Tenant Direct Routing Configuration
- Connect to Office 365 Remote PowerShell
$acctName="admin@domain.onmicrosoft.com"
$sfboSession = New-CsOnlineSession -UserName $acctName
Import-PSSession $sfboSession
- Create Online PSTN Gateway
New-CsOnlinePSTNGateway -Fqdn teamstrunk.insynctechnology.com.au -SipSignalingPort 5061 -MaxConcurrentSessions 10 -ForwardCallHistory $true -Enabled $true
- Create an empty PSTN Usage
Set-CsOnlinePstnUsage -Identity Global -Usage @{Add="Australia"}
- Create Voice Routes and Associate with PSTN Usage
New-CsOnlineVoiceRoute -Identity "AU-Emergency" -NumberPattern "^\+000$" -OnlinePstnGatewayList teamstrunk.insynctechnology.com.au -Priority 1 -OnlinePstnUsages "Australia" New-CsOnlineVoiceRoute -Identity "AU-Service" -NumberPattern "^\+61(1\d{2,8})$" -OnlinePstnGatewayList teamstrunk.insynctechnology.com.au -Priority 1 -OnlinePstnUsages "Australia" New-CsOnlineVoiceRoute -Identity "AU-National" -NumberPattern "^\+61\d{9}$" -OnlinePstnGatewayList teamstrunk.insynctechnology.com.au -Priority 1 -OnlinePstnUsages "Australia" New-CsOnlineVoiceRoute -Identity "AU-International" -NumberPattern "^\+(?!(61190))([1-9]\d{9,})$" -OnlinePstnGatewayList teamstrunk.insynctechnology.com.au -Priority 1 -OnlinePstnUsages "Australia"
- Create Voice Routing Policy
New-CsOnlineVoiceRoutingPolicy "Australia" -OnlinePstnUsages "Australia"
Step 2: Ribbon SBC Edge 1000 Configuration
Node-Level settings
Ensure the following general node level setting have been configured:
- From the SBC Web GUI, navigate to System > Node-Level Settings
- Check NTP configured and time is correct (TLS trunk will not negotiate if time is incorrect)
- DNS Server configured. To test DNS resolution, make sure the following can be resolved: sip.pstnhub.microsoft.com (test from Diagnostics > Ping Destination)
Note: Don’t expect a valid ICMP response, all we care about is a valid DNS resolution (the above example shows a successful resolution).
Certificates
The SIP Trunk I’ll be configuring between the SBC and Microsoft Teams must be a secure TLS trunk. To support this, a public certificate is required.
Important: Ribbon SBC Edge series appliances can only support one certificate installed at a time. If you’re planning to use an existing Edge series SBC for Direct Routing to Teams, you may already be using a certificate to support TLS trunks. If that’s the case, you’ll need to either revert to using TCP for existing trunks before updating the certificate, or adding your SBC’s FQDN to the public certificate that you plan to use for Direct Routing to Teams.
Request Certificate
- From the SBC Web GUI, navigate to Settings > Security > SBC Certificates
- Click Generate Sonus CSR
- Fill in the required fields
- Copy the Resultant CSR to your clipboard, and use to request a certificate from one of the supported public certificate providers
- Make sure to also obtain Trusted Root and Intermediary certificates from your public certification authority, as these will need to be imported to the Ribbon SBC also
Apply Certificates
After receiving the certificates from the certification authority, install the SBC certificate and the Root/Intermediate certificates:
- From the SBC Web GUI, navigate to Settings > Security > SBC Certificates > Trusted Root Certificates
- At the top left of the page click “import” and select the trusted root and (if applicable) any intermediate certificates
- Validate that the certificate installed correctly
- From the SBC Web GUI, navigate to Settings > Security > SBC Certificates > Sonus Certificate
- At the top of the page click Import > X.509 Signed Certificate and install
- Validate that the certificate installed correctly
Deploy Baltimore Trusted Root Certificate
The Microsoft Phone System Hybrid Voice Connectivity Interface has DNS name sip.pstnhub.microsoft.com. This interface uses a public certificate provided by Cyber Baltimore CyberTrust Root, which will also need to be trusted by your SBC:
- Download the certificate from https://cacert.omniroot.com/bc2025.crt
- From the SBC Web GUI, navigate to Settings > Security > SBC Certificates > Trusted Root Certificates
- At the top left of the page click “import” and select the Baltimore trusted root cert
- Validate that the certificate installed correctly
TLS Configuration
Create TLS Profile
The TLS profile defines the crypto parameters for the SIP protocol. To create a new TLS profile:
- From the SBC Web GUI, navigate to Settings > Security > TLS Profiles
- At the top left corner of the main pane click “+” and add a new TLS Profile
| Parameter | Value |
| Description | MS Phone System TLS Profile |
| TLS Protocol | TLS 1.2 Only |
| Handshake Inactivity Timeout | 30 |
| Validate Client FQDN | Disabled |
SIP Profile Configuration
SIP profiles allows configuring such parameters as SIP Headers customizations, options tags etc.
- From the SBC Web GUI, navigate to Settings > SIP > SIP Profiles
- At the top left corner click “+” and add a new SIP profile
| Parameter | Value |
| Description | MS Phone System SIP Profile |
| FQDN in From Header | Sonus SBC FQDN |
| FQDN In Contact Header | Sonus SBC FQDN |
| Origin Field name | Ribbon SBC FQDN |
Media Configuration
Configure Media Crypto Profile
The Media Crypto Profile defines the encryption mechanism to use between the SBC and Microsoft Phone System Interface. To add a Media Crypto Profile:
- From the SBC Web GUI, navigate to Settings > Media > Media Crypto Profiles
- At the top left corner click “+” and add a new Media Crypto Profile
| Parameter | Value |
| Description | MS Phone System Media Crypto Profile |
| Operation Option | Supported |
| Crypto Suite | AES_CM_128_HMAC_SHA1_80 |
Configure Media List
The Media List defines the codecs and if the crypto mechanism will be used. To create a media Profile:
- From the SBC Web GUI, navigate to Settings > Media > Media List
- At the top left corner click “+” and add a new Media List:
| Parameter | Value |
| Description | MS Phone System Media List |
| Media Profiles List | Default G711a
Default G711u |
| Crypto Profile ID | MS Phone System Media Crypto Profile |
Configure SIP Server Table
The SIP server table defines the information about the SIP interfaces connected to the Sonus SBC. To add a new SIP Server Table:
- From the SBC Web GUI, navigate to Settings > SIP > SIP Server Tables
- At the top left corner of the main pane click “+” and add a new SIP Server Table
- Name the Table and click save
- Click on the new SIP Server Table, and configure the following
| Parameter | SBC 1 | SBC 2 | SBC 3 |
| Priority | 1 | 2 | 3 |
| Host | sip.pstnhub.microsoft.com | sip2.pstnhub.microsoft.com | sip3.pstnhub.microsoft.com |
| Port | 5061 | 5061 | 5061 |
| Protocol | TLS | TLS | TLS |
| TLS Profile | Microsoft Phone System | Microsoft Phone System | Microsoft Phone System |
| Monitor | SIP Options | SIP Options | SIP Options |
Configure Transformation Tables and Routing Tables
If you’ve made it this far, I would assume you are already familiar with transformation and routing table configuration. For completeness sake, here’s the ones I created for my test Direct Routing number:
Configure Route Table
You will need to route calls both to and from your Microsoft Teams Direct Routing trunk:
Create Signalling Group
To create a new signalling group:
- From the SBC Web GUI, navigate to Settings > Signalling Groups
- At the top left corner of the main pane click Create SIP Signalling Group
| Parameter | Value |
| Description | MS Phone System |
| Call Routing Table | From MS Phone System |
| No. of Channels | 10 |
| SIP Profile | MS Phone System SIP Profile |
| SIP Server Table | MS Phone System Sip Server Table |
| Load Balancing | Priority |
| Media List ID | MS Phone System Media List |
| Signalling Media/Private IP | Ethernet 1 (whichever port you’re using to route to/from Office 365) |
| Outbound NAT Traversal | Static NAT |
| NAT Public IP (Signalling/Media) | 121.50.209.233 |
| Listen Port | Port: 5061
Protocol: TLS TLS Profile ID: MS Phone System TLS Profile |
| Federated IP/FQDN | sip.pstnhub.microsoft.com
sip2.pstnhub.microsoft.com sip3.pstnhub.microsoft.com sip-all.pstnhub.microsoft.com |
Important: Make sure to add sip-all.pstnhub.microsoft.com to the Federated IP/FQDN list. In testing, I was receiving SIP invites from IP addresses that were not resolvable via the three Microsoft documented “pstnhub” FQDNs. This meant that every third inbound call to Microsoft Teams would fail as the source IP was unknown. adding this additional record was the solution.
Once this has been created, confirm you are sending and receiving SIP Options and 200 OK responses in both directions:
- From the SBC Web GUI, navigate to Settings > Signalling Groups
- For the MS Phone System Signalling Group, click on Counters
Step 3: Enable Users for Direct Routing with Microsoft Teams
Now that the SBC configuration has been completed, we can now enable our Microsoft Teams users for calls via Direct Routing.
Ensure User is Homed to Office 365
If you are still sporting a hybrid Skype for Business environment, it’s only supported to enable users for Direct Routing with Teams if they are homed in Office 365. To check this, run the following cmdlet and ensure the Registrar Pool fqdn ends in “infra.lync.com:
Get-CsOnlineUser -Identity "Patrick Bateman" | fl RegistrarPool
Ensure User is Licensed for Phone System
Your users will need to be licensed for Microsoft Phone System in order to enable calls within Microsoft Teams. To check:
Connect-MsolService
(Get-MsolUser -UserPrincipalName patrick.bateman@insynctechnology.com.au).Licenses.ServiceStatus
Enable Telephony Features and Configure Phone Number
The following cmdlet will enable the user for Phone System calling, enable Azure Voicemail, and configure their phone number:
Set-CsUser -Identity patrick.bateman@insynctechnology.com.au -EnterpriseVoiceEnabled $true -HostedVoiceMail $true -OnPremLineURI tel:+61799999999
Configure Voice Routing
The final step is to assign the Online Voice Routing Policy we created earlier to the user. To do this:
Grant-CsOnlineVoiceRoutingPolicy -Identity "patrick.bateman@insynctechnology.com.au" -PolicyName Australia
To Check everything has been configured correctly, run the following:
Get-CsOnlineUser -Identity "patrick.bateman@insynctechnology.com.au" | Format-List -Property FirstName, LastName, EnterpriseVoiceEnabled, HostedVoiceMail, LineURI, UsageLocation, UserPrincipalName, WindowsEmailAddress, SipAddress, OnPremLineURI, OnlineVoiceRoutingPolicy
Testing
Once configuration has been completed, it may take a while for changes to take effect. The first thing you should notice is the calls button appear in the Teams client:
Once this appears, you should now be able to route calls to and from Microsoft Teams!
Outbound Call from Teams to PSTN
Inbound Call from PSTN to Teams
Resources
A lot of the diagrams for this post came from a great video available on YouTube. Check it out here: Direct Routing in Microsoft Teams
I hope you find this post useful. As usual, ping me with any questions or queries, always happy to help.
dmunified 
Great Article Damien !!
Very good articole Damien
G-Day Damien, Great Article. I would say you had a few runs at this. I have rolled up my sleeves already. Your blogs is a great reference point. Keep up the good work
Hi Damien,
thanks this is useful – quick question…actually on O365 rather than the SBC! When I try and execute the Set-CsUser command it fails saying that the parameter ‘OnPremLineURI’ doesn’t exist (error is: A parameter cannot be found that matches parameter name ‘OnPremLineURI’.). If I check using the command ‘Get-CsOnlineUser’ I can see that parm is there and correctly configured but not sure why I cannot set it myself (interesting, there is also a parameter “OnPremLineURIManuallySet” which is set to False for me).
Not sure if this is causing my issue – basically I never see the ‘Calls’ icon in my Teams client regardless of what InterOp policy or Upgrade mode I set. Would appreciate any suggestions!!
Hi Antony,
Checking my cloud account, “OnPremLineURIManuallySet” is set to true, and cloud voice was configured with the following:
Set-CsUser -Identity “damien.margaritis@insynctechnology.com.au” -EnterpriseVoiceEnabled $true -HostedVoiceMail $true -OnPremLineURI “tel:+61311111111;ext=111”
Are you syncing any attributes from on-prem? Old on-premises msRTCSIP=* attributes? This will cause issues for you
Dear Damien…
Your have a great blog with very useful informations, thanks for sharing the informations with us!
I enabled a Teams room system with Enterprise voice and assigned a wrong tel. number, now I’m not able to change the tel. number because the system says “Can not update OnPremLineURI as the user has dirsynced onpremise LineURI”.
I see that “OnPremLineURIManuallySet” is set to false! We never had a Onpremise Infrastructure. we always were in the cloud, so we do not have msRTCP attributes in our AD!
Do you know how to change “OnPremLineURIManuallySet” to true?
Thank you for a feedback and kind regards,
Walter
Hi Walter,
If you first gave a user account a phone number, then setup as a meeting room (Enable-CsMeetingRoom), you’ll need to disable as a meeting room to then change the phone number. In my experience, I’ve found it less hassle to disable the meeting room, remove Skype for Business\Teams\Phone System license, wait for user to disappear in SfB and Teams admin centres, then add licenses back and configure again.
Let me know if this works?
Damien
Hi Damien…
Thanks for your reply!
I already tried this, but it does not work, always the error “Can not update OnPremLineURI as the user has dirsynced onpremise LineURI” 😦
Anyway, I’m now in contact with the Microsoft support, I’ll let know about the outcome!
Thanks and have a nice day!
Walter
Hi Walter, did you ever hear back from MS about your issue – “Can not update OnPremLineURI as the user has dirsynced onpremise LineURI”
We are experiencing the same. Cloud only account, but seeing the same error. Have been delaing with MS for the past few weeks and going nowhere.
thanks
In case anyone else runs into this issue, we resolved it by adding the “Skype for Business Administrator” role to the admin user – despite being Teams Only tenant-wide, “Teams Service Administrator” was not enough to get this property when connecting to the online connector.
After adding the “Skype for Business Administrator” role, which commands did you give to resolve this issue?
Hi Damian,
Thanks this really helped me. But i keep getting stuck at one point.
When i try to assign the routing policy to the user. It keep giving me the following error:
Policy “Australia” is not a user policy. You can assign only a user policy to a specific user.
+ CategoryInfo : InvalidOperation: (CN=ac3ddb74-e7a…c1e001,DC=local:OCSADUserOrAppContact) [Grant-CsOnlineVoiceRoutingPolicy], ManagementException
+ FullyQualifiedErrorId : GrantPolicy,Microsoft.Rtc.Management.Xds.GrantOnlineVoiceRoutingPolicyCmdlet
+ PSComputerName : admin1e.online.lync.com
And i just cant get any further than this. The rest all succeeded. But i cant get that policy on my user.
Did you run this?
New-CsOnlineVoiceRoutingPolicy “Australia” -OnlinePstnUsages “Australia”
Check you haven’t missed any steps when creating the user level policy
Thanks Damien
That has to be the most concise and well-worded description of Teams and Direct Routing I’ve found – thank you!
I have an issue where the Calls button is not added to the Teams interface. Have you experienced this before?
The user has E3 + Phone System, and shows “true” for EnterpriseVoiceEnabled + HostedVoiceMail and has a number and routing policy assigned.
Many thanks,
Jon
hmmm – cancel that!!!
the Calls button just turned up. I did nothing to the config, just had Teams running in the background whilst I did other stuff.
grrrrr….
cheers,
Jon
Hi Damien,
If you use Teams DR, how did you manage existing phone number if organization want to move them to the cloud.
Do we need to create a port phone number request from Office 365 or directly from the Telco provider ?
Thanks
Hi Jordan,
With direct routing, PSTN connectivity is delivered via an SBC with a SIP trunk out of band of the Microsoft Office 365 environment. If you wanted to move a number range from this SIP Trunk to a Microsoft Calling Plan (Telstra Calling Plan in Australia), you would need to request a port from Carrier/Microsoft.
Hi,
Ok thanks and how it works for service numbers versus user numbers ?
I mean, if i’m using Teams DR with a telco. Can I port my phone number to Office 365 as well to have call queue and auto attendant feature and port user numbers to the telco provider ?
Today, you cannot assign a telephone number from direct routing to a call queue or auto attendant. My understanding is that this is on the road map
Hi Damine,
Just to start, Great article! Helped me alot in configuring DirectRouting along side the MS/Sonus documentation.
I have a quick question in regards of debugging Calls via Teams direct routing.
I have one way calling ability. That is I can call my teams client via pstn, but when I try calling from Teams the call does not come into my Sonus SBC and fails (obviously).
I have a feeling it is related to network routing, but debugging this on the Teams end is something I have not been able to figure out yet.. I get the cause code in the Teams/Skype admin portal calling logs, but I would like a more detailed info on the call flow from Teams.
I believe I have seen something in regards of this being in Azure, the local client logs are useless as far as I can see..
Hi Darri,
I’d start with logging on your firewall/Sonus to make sure the invite isn’t getting dropped at either firewall or SBC. Have you created the public DNS A Record for the Sonus?
I have been logging on the client side with wireshark. For testing purposes I put my external address outside the firewall so that souldn’t be an issue with the Firewall.
Yes I have DNS records and am able to connect to the IP externally via fqdn.
Aren’t there any media logs available for debugging without having MS assist you ?
I atleast get no viable data from the *.etl files using various readers.
Are you getting successful SIP Options in both directions?
I am getting the TLSv1.2 communications via Wireshark that I have not been able to decrypt so I can not be sure that the SIP options are successful in both directions.
Fiddler is not giving me much to go on either as far as I can see.
Thanks for the great article, the following line saved my day 🙂
Important: Make sure to add sip-all.pstnhub.microsoft.com to the Federated IP/FQDN list.
You’re welcome Ayman 👍
Hello, thanks for the article. I wanted to know what attributes are used by teams to know if the called number is a teams user? for example, Skype for Business checks the msRTCsip attributes in AD to do its RNL. what is the equivalent behavior in teams with direct routing, assuming that users are full online or synchedwith AAD.
Thank you!
Hi BC,
I’m guessing you want to use this to support automatic routing of calls to Teams users from the SBC?
You could possibly use the OnPremLineURI attribute, but that value only exists in AAD, not on-prem. You could potentially get it with MIM or similar and copy to an on-premises attribute that could then be queried for call routing. I haven’t come up with a solution to this just yet, will let you know if I do.
Hello, thanks for the article. I wanted to know what attributes are used by teams to know if the called number is a teams user? for example, Skype for Business checks the msRTCsip attributes in AD to do its RNL. what is the equivalent behavior in teams with direct routing, assuming that users are full online or synchedwith AAD.
Thank you!
Hi Bouthainac, apologies for the delayed response.
That’s a good question. I would say it looks at OnPremLineURI if it’s a Direct Route number, or the equivalent for a Calling Plan (pure online) user. If no match on RNL will route via configured routes for that particular user.
Hope this helps?
Damien
Hi there,
Great post.
Looking at rolling this out in our office, but a question.
Once direct routing is set up, can the user make and receive calls through a combination of physical desk phone and Teams?
Sometimes it’s difficult to teach an old dog new tricks, and there are features such as paging that I’m not sure works through the Teams client.
Cheers,
Hi Nicholas,
Great to hear the post was useful for you. In answer to your question: yes you can. Once you have added the Direct Route and setup calling for a Teams user, there’s nothing stopping an outbound call being made from either their legacy handset or Microsoft Teams (same direct in dial number will be used too). If you want to get both Teams and legacy phone to ring at the same time for an inbound call, you would need a forking licence on the Ribbon SBC. I try to avoid using this feature, I’d rather let users call out from wither platform but manage which client rings for inbound.
Hello Damien,
Great article. I appreciate your effort.
Please, I have a question with regards to the article.
“The dedicated one-to-one NAT on the perimeter firewall: 121.50.209.233 192.168.1.187. The private address was then bound as an additional IP address to Ethernet 1”
Based on my set up, I have five logical interfaces on different networks (Admin IP, Ethernet 1, Ethernet 2, Ethernet 3 and Ethernet 4). The IP address used for Ethernet 1 – 4 all have Media Next Hop IP. This means that each of them has two IP addresses. Only the Admin IP has one IP address which is used to access the Web UI
**Here is my question**
From the quote above on the article, the IP address that has to be NAT to a public address. Is it the Admin IP address or the Media Next Hop IP address that needs to be NAT to a Public IP address?
I look forward to reading from you soon.
Best Regards,
Onyinye
Hi Onyinye,
No need for you to have separate media IP addresses on all NICs, or even to have that many configured NICs. In my setup, I didn’t have an available NIC I could dedicate for direct route IP address so I just bound another address to an existing NIC.
I would remove additional media IPs from NIC (unless you need them for some reason) and simply NAT to one of the primary IP addresses. Not the Admin IP, this should be dedicated for admin access.
Hope this helps,
Damien
HI Damien,
Great article thanks this helped me out a lot. However I have an issue with the Auto Attendant to forward to Call Queue. I’ve read that this has to do something with a REFER that the TEAMS engine is putting back on the SBC. I’ve tried configuring the REFER as Ribbon is suggesting in their documentation, but that didn’t work. So I’ve read that disabling REFER on the SBC will force Teams to do internal forwarding itself. However, I have no clue on where to disable REFER. Could you help me with this?
Thanks a lot
Ronald
Hi Ronald,
Check out this post: https://ucgeek.co/2019/07/dont-forget-the-refer-microsoft-teams-direct-routing-with-swe-lite/
Wait a sec.
If I’m hybrid OPCH with most/all users homed in the cloud and my “From PSTN” call routing still works while sending to my on-prem mediation servers in my signaling group, how do I manage individual user routing and/or pilot groups if I setup DR on my SBC? Do I have to go through a whole “find an attribute to sync on” exercise or do i just add “MS Phone System” as a 2nd signaling group in the existing call route table and assume it will simulring both signaling groups at the same time and then control invite notifications with client policies?
Hi robg,
One way or another, you’ll need to update the routing table for users you want to move to Teams voice (via Direct Route). You could do this a number of ways:
– Manually update routing table\transformation table
– Use an AD attribute to allow the SBC to dynamically route to Direct Route signalling group on an LDAP lookup
– Use REST API to update routing table\transformation table when you move a user to Teams for voice
The last one is handy if the SBC is in a DMZ and access to AD for LDAP lookup is problematic. What makes this even simpler is the existence of the PowerShell module for Ribbon (Sonus) SBCs: http://www.allthingsuc.co.uk/powershell-module-for-sonus-sbc-10002000
I have used the latter to automate the whole process, using PowerShell to:
– Check user is licensed for Teams\Phone System etc
– Enable user for Teams with Phone System
– Enable Voicemail (enabled by default these days)
– Reach into SBC via PowerShell REST module and update call routing to route calls via Direct Route
Hope this helps.
Damien
Hi Damien,
if you want to use the second option, you can read and use my guide “How to dynamically route calls to Microsoft Teams instead of SfB with Ribbon SBC 1K/2K” here https://lucavitali.wordpress.com/2019/03/04/how-to-dynamically-route-calls-to-microsoft-teams-instead-of-sfb-with-ribbon-sbc-1k-2k/
Best. Luca
How do I route calls through LDAP lookup to know if user is on CCE/SkypeOnline or Teams ? Rightnow I am doing LDAP query based on msrtcsip_line and if LDAP record is found, I am sending it to CCE. But How do I route to Teams with LDAP ?
Hi pateshra,
Given that there’s on on-prem attribute you can query, I have been using a customer attribute field from on-premises AD that I update as part of on-boarding script for any cloud voice users. I then query this attribute with LDAP from the SBC in order to dynamically route.
Hi Damian,
Thank you for a great article.
I keep reading about the firewall configuration and what ports to open, it mentions “Defined on SBC”. Also watching the MS direct routing deep dive video, they mention “the ports will be configured under media profile”.
Now, I used the Sonus easy configuration wizard which created everything automatically, but when I try to identify the media ports “Which supposedly defined on SBC”, I cannot find them anywhere.
Any help on what are these port numbers? both for media and SIP signaling? and where they are defined?
Thanks a million.
Fayez
Hi Fayez,
There’s three places you’re going to find port config on a Ribbon (Sonus) SBC:
– The listen port is configured in the signalling group (5061 for example)
– The far end signalling port configured on each SIP Server entry on the SIP Server Table (5061 for example)
– Media port range under Media System Configuration (16384-17584 for example)
Thanks,
Damien
Can I assign Direct Routing number to audioconferencing user or bridge?
Hi Zbigniew,
This is not possible today.
Cheers,
Damien
Hi Damien,
Thanks for your quick reply, and great article!
So, if I’m going to deploy Direct Routing, how will be look flow between Audioconferencing and Direct Routing?
Could you explain me this point?
Thanks,
Zbigniew
Hi Zbigniew,
These are mutually exclusive. Direct Routing allows you to route PSTN calls to\from your users and AutoAttendants\Call Queues. If you want Dial-in conferencing capabilities, you will need Audio Conferencing Office 365 licenses for every user that requires it. Once a user has teh Audio Conferencing license, they will get dial in conferencing information added to their Teams meeting invites.
You don’t need a Direct Route to support Audio Conferencing: an Office 365 license gives you this.
Ribbon’s physical SBCs for core networks include the SBC 5400 and the SBC which scales up to 150,000 concurrent SIP sessions. Like the SWe, these SBCs can be configured for multiple tenants, allowing for economies of scale. The multi-tenant architecture and certified performance and security of Ribbon SBCs make them a perfect piece of your Microsoft Teams SIP trunking solution.
For a full list of supported SBCs that can be used for Direct Routing: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-border-controllers
Hello Damien
I really enjoyed your article. It is a great one.
We have phone system license available but haven’t paired our SBC SWeLite yet. By navigating to Phone Numbers, Microsoft is not providing those phone number is my country.
“My question is”
Do I need to ask Microsoft to provide me phone numbers for my country, or I can add user defined phone numbers as well once I pair the SBC. Where do I have to enter the numbers that I will be going to assign to the user?
Also, assuming that Microsoft provides the local number, can I dial that number without any direct routing infrastructure?
Hi Rizwan,
Phone System licenses don’t “pair” with the SBC: they are assigned to a user. Think of this step as lighting up the dial pad, each user that requires PSTN calling must have the Phone System licence assigned to them. At this stage however, all they have is a dial pad: they don’t have connectivity to the PSTN network. Having the Phone License assigned is like having their own little PABX but it’s not yet plugged into a phone line. The phone line come via one of two ways: Calling Plans (from the Microsoft cloud) or Direct Routing.
If you are using Direct Routing with Teams, phone numbers are not provided\controlled by Microsoft: you bring these with you via the PSTN trunk that Direct Routing “plugs” into Teams. Phone numbers are assigned to users via PowerShell:
Set-CsUser -Identity patrick.bateman@teamsdownunder.com.au -EnterpriseVoiceEnabled $true -HostedVoiceMail $true -OnPremLineURI tel:+61387676767
Hope that helps
Hi Damian! It’s like heaven has sent you! The two issues being described in your article is what I’m facing as a major problem in my pressing deployment during COVID19 and people needing access. I’m a VoIP novice…
The SBC has been configured and connected in Teams.
The first one is that calls coming in from my SBC don’t get transferred further by the auto-attendant. ‘There is a problem, please try again later’. The general consensus is that this can be fixed in the SBC. However, Anynode tech support are helpful but aren’t seeing any options where they can fix this. Of course, Microsoft is only telling me to go to the SBC provider as there is nothing in Teams that can be configured. It is worth noting that I tested with assigning an international number from Microsoft and this worked like a dream.
The second issue is the Set-CsUser isn’t recognised in PowerShell. I’ve downloaded every possible Import and added every possible -AllowClobber, but the command just won’t work.
We’re in a 100% Teams environment, no SfB server or on-prem. So my dilemma, not only can I not transfer calls from the auto attendant, I can assign PSTN phone number as the Set-CsUser isn’t recognised.
Any help would be deeply appreciated!
Joris
Hi Joris,
For your first issue, how are you actually getting to the Auto Attendant? What mechanism are you using to transfer to someone else? With voice (their name) or using an extension\number? Have you configured a number on the Auto Attendant correctly? Check out the following for more info on how to do that:
https://ucstatus.com/2019/05/14/how-to-assign-a-direct-routing-number-to-an-auto-attendant-or-call-queue-in-microsoft-teams-phone-system/
For your second issue, sounds like you’re not loading the LyncOnlineConnector correctly. This is an example of what I run when connecting to SfB\Teams Online PowerShell:
$credential = Get-Credential ateamsadmin@mydomain.com.au
Import-Module SkypeOnlineConnector
$Session = New-CsOnlineSession -Credential $credential -OverrideAdminDomain mycompanyname.onmicrosoft.com
Import-PSSession $Session -allowclobber
If the above fails to connect, you can find further guidance here: https://docs.microsoft.com/en-us/office365/enterprise/powershell/manage-skype-for-business-online-with-office-365-powershell
Super good document.
Only change required is firewall port for media by-pass case.
Thanks for the feedback Magnus. I have modified the port ranges to include 3478=3481 (these weren’t required when I first wrote this article), but I haven’t added the media bypass ports: have a link to Plan for media bypass with Direct Routing instead for anyone that wants to configure it. With Local Media optimization however, there’s a better option that hairpining media via public IP of the SBC. Microsoft documentation could be a lot clearer…
Great article Damien. Thank you for sharing.
Worth up mentioning – latest versions of Ribbon allows to add supplementary certificates, so there is no more limitation to one device certificate.
Thanks czari, I do need to review this and update with latest versions\capabilities in mind.
Hi any Tutorial about Ribbon SBA and Office 365 integration ?
In fact, we purchase SBC/SBA 1000 to set Direct routing Microsoft teams for our sites around the world , we are facing an issue when creating SBA application on Office 365
Hi , We are deploying Teams phone system in many sites , we are facing now an issue when configuring Office 365 Direct Routing SBA.
it’s work for first site and an application was created in azure, we try to use the same application ID and secret for the others sites and it dosen’t work , we got the following error at 50% :
Failed to perform last user action ‘Direct Routing SBA Configuration’.
Last Direct Routing SBA Configuration step..
Additional Information: Got an error configuring Office 365 Direct Routing SBA via WEB API: ConnectFailure.
any idea
Hi AEL,
Suggest you get some Microsoft partner assistance to get this deployed correctly? You can reach me at damien.margaritis@rapidcircle.com if you would like to discuss.
Thank you Damien for the great explanation.
I have an issue after deploying the sbc ribbon and the firewall which is there a high background noise in the calls , what do you think this issue come from ?
Thanks again
How are you connecting to the PSTN? SIP Trunk or ISDN? What devices are you using? all calls or some? Could be a whole range of things, need more info if you’re happy to share.
I connect the SCB Ribbon to the ISDN modem using a crossover cable and the other port to the switch
I configured the numbers to be used on the MS Teams application.
All the calls have these issues.
Check Settings >System > System Companding Law. try changing from a-law to u-law or vice-versa and see if that resolves your issue?