Microsoft Teams – Direct Routing Deployment – Part 1

Background

The deployment configuration below has been done in Australia and will cover all the requirements and configuration to be able to get Direct Routing up and running without any issues.

Voice gateway used for Enterprise Voice – Sonus Session Border Controller (SBC) 2000.

Note: The same configuration holds good for Sonus SBC 1000.

Pre-requisites

If media bypass is required for the deployment, the gateway will require a public IP address. Also note that for media bypass to work, Teams users on the corporate network need to route to the public interface of the SBC, so firewall rules need to be amended to allow this.

The diagram below shows an overview of how media bypass works with the Sonus SBC.

Figure 1: Media bypass with Sonus SBC 2000

If media bypass is not required or cannot be provided for the deployment, the gateway will require a public-facing DMZ address which is NAT’d to a public IP address. In this instance the Teams users’ media will be proxied via the Microsoft relay to the Sonus SBC public IP address.

The diagram below shows an overview of how media works without media bypass with the Sonus SBC.

Figure 2: Without media bypass with Sonus SBC 2000

Infrastructure Requirements

The infrastructure requirements for the supported SBCs, domains, and other network connectivity requirements to deploy Direct Routing are listed in the following table:

| Infrastructure Requirement | Following Needed |
|---|---|
| Office 365 tenant | Customer tenant |
| Licensing | Users of Direct Routing must have the following licenses assigned in Office 365: Skype for Business Online (Plan 2); Microsoft Phone System; Microsoft Teams; Microsoft Audio Conferencing |
| Public IP Address for SBC | |
| Internal IP Address for SBC | This is only required if the Public IP Address cannot be directly mapped to the Sonus SBC Ethernet Interface |
| Fully Qualified Domain Name (FQDN) for the SBC | A fully qualified public name is required, such as Sbc01.domain.com.au (this is publicly available) |
| Public DNS entry for the SBC | As above, the SBC FQDN will be publicly available |
| Public trusted certificate for the SBC | A public SAN certificate is required |

Connection points for Direct Routing

The connection points for Direct Routing are the following three FQDNs:

Geographically mapped FQDNs
  • sip.pstnhub.microsoft.com
  • sip2.pstnhub.microsoft.com
  • sip3.pstnhub.microsoft.com

The above FQDNs need to be reachable via either the internet or ExpressRoute.

The resolved IP addresses for the above FQDNs are:

  • 52.114.148.0
  • 52.114.132.46
  • 52.114.75.24
  • 52.114.76.76
  • 52.114.7.24
  • 52.114.14.70

Firewall IP addresses and ports for Direct Routing media

The SBC communicates to the following services in the cloud:

  • SIP Proxy, which handles the signalling
  • Media Processor, which handles media, except when Media Bypass is on

These two services have separate IP addresses in the Microsoft Cloud.

The following URL needs to be used:

Skype for Business Online and Microsoft Teams

Media Transport Profile: TCP/RTP/SAVP, UDP/RTP/SAVP

Media Traffic and Port Ranges

The media traffic flows to and from a separate service in the Microsoft Cloud. The IP range for Media traffic:

  • 52.112.0.0/14 (IP addresses from 52.112.0.1 to 52.115.255.254).

Firewall requirements

SIP Signalling requirements
For SIP signalling, the FQDN and firewall requirements are the same as for non-bypassed cases.

| Source | Destination | Source Port | Destination Port | Service |
|---|---|---|---|---|
| 52.114.148.0/24, 52.114.132.46, 52.114.75.24, 52.114.76.76, 52.114.7.24, 52.114.14.70 | Public IP address(es) of SBC(s) | 1024 – 65535 | 5061 | SIP/TLS |
| Public IP address(es) of SBC(s) | 52.114.148.0/24, 52.114.132.46, 52.114.75.24, 52.114.76.76, 52.114.7.24, 52.114.14.70 | 5061 | 5061 | SIP/TLS |

Media traffic requirements (Media Bypass scenario)
Below are the firewall requirements between the Teams client and the SBC for direct media flow.
Note: To achieve media bypass, NAT needs to be disabled.

If the client is on an internal network, the media flows to the public IP address of the SBC. You can configure hair-pinning on the Firewall so that the traffic never leaves the enterprise network.

| Source | Destination | Source Port | Destination Port | Service |
|---|---|---|---|---|
| Corporate client subnet(s) | Public IP address(es) of SBC(s) | 50000 – 50019 | 16384 – 32767 | UDP/SRTP |
| Public IP address(es) of SBC(s) | Corporate client subnet(s) | 16384 – 32767 | 50000 – 50019 | UDP/SRTP |

Even if Media Bypass is enabled for the Teams client, the Teams web client does not support it at this stage.

Media traffic requirements (No Media Bypass)
Without Media Bypass, the client will utilise Microsoft Teams transport relays as well as media processors to connect to media.

| Source | Destination | Source Port | Destination Port | Service |
|---|---|---|---|---|
| 52.112.0.0/14 | Public IP address(es) of SBC(s) | 49152 – 59999 | 16384 – 32767 | UDP/SRTP |
| Public IP address(es) of SBC(s) | 52.112.0.0/14 | 16384 – 32767 | 49152 – 59999 | UDP/SRTP |
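
The SIP signalling and no-media-bypass tables above can be turned into a check that runs over firewall or flow logs and lists anything the rules do not account for. This is an added example, not part of the original post; the SBC address 203.0.113.10 and the sample flows are constructed placeholders, and the function names are illustrative.

```python
import ipaddress

# Addresses and port ranges below are taken from the tables on this page.
SIP_PROXY = ["52.114.148.0/24", "52.114.132.46", "52.114.75.24",
             "52.114.76.76", "52.114.7.24", "52.114.14.70"]
MEDIA = ["52.112.0.0/14"]
# Assumption: placeholder SBC public address from a documentation range.
SBC = ["203.0.113.10"]

# (name, protocol, sources, source ports, destinations, destination ports)
RULES = [
    ("sip-inbound",    "tcp", SIP_PROXY, (1024, 65535),  SBC,       (5061, 5061)),
    ("sip-outbound",   "tcp", SBC,       (5061, 5061),   SIP_PROXY, (5061, 5061)),
    ("media-inbound",  "udp", MEDIA,     (49152, 59999), SBC,       (16384, 32767)),
    ("media-outbound", "udp", SBC,       (16384, 32767), MEDIA,     (49152, 59999)),
]

def _in_nets(addr, nets):
    """True if addr falls inside any of the listed hosts or networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def classify(proto, src, sport, dst, dport):
    """Return the name of the rule that permits this flow, or None."""
    for name, r_proto, srcs, sports, dsts, dports in RULES:
        if (proto == r_proto and _in_nets(src, srcs) and _in_nets(dst, dsts)
                and sports[0] <= sport <= sports[1]
                and dports[0] <= dport <= dports[1]):
            return name
    return None

def unexpected(flows):
    """Flows that no rule in the tables accounts for (candidates for review)."""
    return [f for f in flows if classify(*f) is None]

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("tcp", "52.114.75.24", 40112, "203.0.113.10", 5061),   # SIP proxy -> SBC
    ("tcp", "203.0.113.10", 5061, "52.114.148.9", 5061),    # SBC -> SIP proxy
    ("udp", "52.113.20.5", 50000, "203.0.113.10", 20000),   # relay media -> SBC
    ("tcp", "198.51.100.7", 51515, "203.0.113.10", 5061),   # unknown source on 5061
    ("udp", "52.113.20.5", 3478, "203.0.113.10", 20000),    # source port out of range
    ("tcp", "52.114.75.24", 40112, "203.0.113.10", 5060),   # not the SIP/TLS port
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(classify(*flow) or "NOT IN TABLES", flow)
```

Any flow reported as unmatched either points at a firewall rule that is broader than the tables require or at traffic that should not be reaching the SBC at all.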

Client Windows Firewall requirements
If Windows Firewall is turned on by default within the corporate environment, the following ports on the local laptop/desktop will need to be allowed:

| Source | Destination | Source Port | Destination Port | Service |
|---|---|---|---|---|
| Local | Any | 80, 443, 3478 – 3481 | Any | TCP/UDP |
| Any | Local | Any | 80, 443, 3478 – 3481 | TCP/UDP |

Part 2 will cover off all the configuration setup on both Sonus SBC and O365 Tenant. 
