This article describes infrastructure, licensing, and Session Border Controller (SBC) connectivity details that you'll want to keep in mind as your plan your Azure direct routing deployment.
20
+
This article describes infrastructure, licensing, and Session Border Controller (SBC) connectivity details that you want to keep in mind as your plan your Azure direct routing deployment.
21
21
22
22
23
23
## Infrastructure requirements
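Review bot: The rewritten intro sentence (new line 20) still carries the typo "as your plan your Azure direct routing deployment"; since this line is being touched anyway, change it to "as you plan your Azure direct routing deployment". The edit itself only swaps "you'll want" for "you want", so the typo survives from the old text into the new.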
@@ -26,7 +26,7 @@ The infrastructure requirements for the supported SBCs, domains, and other netwo
26
26
|Infrastructure requirement|You need the following|
27
27
|:--- |:--- |
28
28
|Session Border Controller (SBC)|A supported SBC. For more information, see [Supported SBCs](#supported-session-border-controllers-sbcs).|
29
-
|Telephony trunks connected to the SBC|One or more telephony trunks connected to the SBC. On one end, the SBC connects to the Azure Communication Service via direct routing. The SBC can also connect to third-party telephony entities, such as PBXs, Analog Telephony Adapters, and so on. Any Public Switched Telephony Network (PSTN) connectivity option connected to the SBC will work. (For configuration of the PSTN trunks to the SBC, refer to the SBC vendors or trunk providers.)|
29
+
|Telephony trunks connected to the SBC|One or more telephony trunks connected to the SBC. On one end, the SBC connects to the Azure Communication Service via direct routing. The SBC can also connect to third-party telephony entities, such as PBXs, Analog Telephony Adapters. Any Public Switched Telephony Network (PSTN) connectivity option connected to the SBC works. (For configuration of the PSTN trunks to the SBC, refer to the SBC vendors or trunk providers.)|
30
30
|Azure subscription|An Azure subscription that you use to create Communication Services resource, and the configuration and connection to the SBC.|
31
31
|Communication Services Access Token|To make calls, you need a valid Access Token with `voip` scope. See [Access Tokens](../identity-model.md#access-tokens)|
32
32
|Public IP address for the SBC|A public IP address that can be used to connect to the SBC. Based on the type of SBC, the SBC can use NAT.|
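Review bot: In the "Telephony trunks connected to the SBC" row (new line 29), removing "and so on" leaves the list as "such as PBXs, Analog Telephony Adapters." with no conjunction. Suggest "such as PBXs and Analog Telephony Adapters." so the sentence reads as a complete two-item list.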
@@ -38,47 +38,47 @@ The infrastructure requirements for the supported SBCs, domains, and other netwo
38
38
39
39
## SBC certificates and domain names
40
40
41
-
Microsoft recommends that you request the certificate for the SBC by generating a certification signing request (CSR). For specific instructions on generating a CSR for an SBC, refer to the interconnection instructions or documentation provided by your SBC vendors.
41
+
Microsoft recommends that you request the certificate for the SBC by a certification signing request (CSR). For specific instructions on how to generate a CSR for an SBC, refer to the interconnection instructions or documentation provided by your SBC vendors.
42
42
43
43
>[!NOTE]
44
-
> Most Certificate Authorities (CAs) require the private key size to be at least 2048. Keep this in mind when generating the CSR.
44
+
> Most Certificate Authorities (CAs) require the private key size to be at least 2048. Keep this in mind when you generate the CSR.
45
45
46
46
The certificate must have the SBC FQDN as the common name (CN) or the subject alternative name (SAN) field. The certificate should be issued directly from a certification authority, not an intermediate provider.
47
47
48
-
Alternatively, Communication Services direct routing supports a wildcard in the CN and/or SAN, and the wildcard needs to conform to standard [RFC HTTP Over TLS](https://tools.ietf.org/html/rfc2818#section-3.1).
48
+
Alternatively, Communication Services direct routing supports a wildcard in the CN and/or SAN, and the wildcard must conform to standard [RFC HTTP Over TLS](https://tools.ietf.org/html/rfc2818#section-3.1).
49
49
50
50
Customers who already use Office 365 and have a domain registered in Microsoft 365 Admin Center can use SBC FQDN from the same domain.
51
-
Domains that aren’t previously used in O365 need to be provisioned.
51
+
Domains that aren’t previously used in O365 must be provisioned.
52
52
53
53
An example would be using `\*.contoso.com`, which would match the SBC FQDN `sbc.contoso.com`, but wouldn't match with `sbc.test.contoso.com`.
54
54
55
55
>[!IMPORTANT]
56
56
>During Public Preview only: if you plan to use a wildcard certificate for the domain that is not registered in Teams, please raise a support ticket, and we will add it as a trusted domain.
57
57
58
-
Communication Services will only trust certificates signed by Certificate Authorities (CAs) that are part of the Microsoft Trusted Root Certificate Program. Ensure that your SBC certificate is signed by a CA that is part of the program and that your certificate's Extended Key Usage (EKU) extension includes Server Authentication.
58
+
Communication Services only trusts certificates signed by Certificate Authorities (CAs) that are part of the Microsoft Trusted Root Certificate Program. Ensure that your SBC certificate is signed by a CA that is part of the program and that Extended Key Usage (EKU) extension of your certificate includes Server Authentication.
59
59
Learn more:
60
60
61
-
[Program Requirements - Microsoft Trusted Root Program](/security/trusted-root/program-requirements)
61
+
[Program Requirements — Microsoft Trusted Root Program](/security/trusted-root/program-requirements)
62
62
63
63
[Included CA Certificate List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT)
64
64
65
-
SBC pairing works on the Communication Services resource level, meaning you can pair many SBCs to a single Communication Services resource. Still, you cannot pair a single SBC to more than one Communication Services resource. Unique SBC FQDNs are required for pairing to different resources.
65
+
SBC pairing works on the Communication Services resource level. It means you can pair many SBCs to a single Communication Services resource. Still, you cannot pair a single SBC to more than one Communication Services resource. Unique SBC FQDNs are required for pairing to different resources.
66
66
67
67
68
68
## SIP Signaling: FQDNs
69
69
70
70
The connection points for Communication Services direct routing are the following three FQDNs:
71
71
72
-
-**sip.pstnhub.microsoft.com** – Global FQDN – must be tried first. When the SBC sends a request to resolve this name, the Microsoft Azure DNS servers return an IP address pointing to the primary Azure datacenter assigned to the SBC. The assignment is based on performance metrics of the datacenters and geographical proximity to the SBC. The IP address returned corresponds to the primary FQDN.
73
-
-**sip2.pstnhub.microsoft.com** – Secondary FQDN – geographically maps to the second priority region.
74
-
-**sip3.pstnhub.microsoft.com** – Tertiary FQDN – geographically maps to the third priority region.
72
+
-**sip.pstnhub.microsoft.com — Global FQDN — must be tried first. When the SBC sends a request to resolve this name, the Microsoft Azure DNS servers return an IP address that points to the primary Azure datacenter assigned to the SBC. The assignment is based on performance metrics of the datacenters and geographical proximity to the SBC. The IP address returned corresponds to the primary FQDN.
73
+
-**sip2.pstnhub.microsoft.com — Secondary FQDN — geographically maps to the second priority region.
74
+
-**sip3.pstnhub.microsoft.com — Tertiary FQDN — geographically maps to the third priority region.
75
75
76
76
Placing these three FQDNs in order is required to:
77
77
78
78
- Provide optimal experience (less loaded and closest to the SBC datacenter assigned by querying the first FQDN).
79
-
- Provide failover when connection from an SBC is established to a datacenter that is experiencing a temporary issue. For more information, see [Failover mechanism](#failover-mechanism-for-sip-signaling) below.
79
+
- Provide failover when connection from an SBC is established to a datacenter that is experiencing a temporary issue. For more information, see [Failover mechanism](#failover-mechanism-for-sip-signaling).
80
80
81
-
The FQDNs – sip.pstnhub.microsoft.com, sip2.pstnhub.microsoft.com, and sip3.pstnhub.microsoft.com – will be resolved to one of the following IP addresses:
81
+
The FQDNs — sip.pstnhub.microsoft.com, sip2.pstnhub.microsoft.com, and sip3.pstnhub.microsoft.com — resolve to one of the following IP addresses:
82
82
83
83
-`52.112.0.0/14 (IP addresses from 52.112.0.1 to 52.115.255.254)`
84
84
-`52.120.0.0/14 (IP addresses from 52.120.0.1 to 52.123.255.254)`
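Review bot: The three rewritten FQDN list items (new lines 72 to 74) drop the closing `**` after `sip.pstnhub.microsoft.com`, `sip2.pstnhub.microsoft.com` and `sip3.pstnhub.microsoft.com`, so the bold span is opened and never closed and the items will not render as before. Restore the closing markers, for example `**sip.pstnhub.microsoft.com**`. Two wording regressions in the same hunk: new line 41 now reads "request the certificate for the SBC by a certification signing request", which lost its verb when "generating" was removed, and new line 58 reads "that Extended Key Usage (EKU) extension of your certificate", which needs "the" before "Extended Key Usage". Both sentences state certificate requirements that operators follow literally, so they should stay unambiguous.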
@@ -91,12 +91,12 @@ Use the following ports for Communication Services Azure direct routing:
91
91
92
92
|Traffic|From|To|Source port|Destination port|
93
93
|:--- |:--- |:--- |:--- |:--- |
94
-
|SIP/TLS|SIP Proxy|SBC|1024 – 65535|Defined on the SBC (For Office 365 GCC High/DoD only port 5061 must be used)|
94
+
|SIP/TLS|SIP Proxy|SBC|1024–65535|Defined on the SBC (For Office 365 GCC High/DoD only port 5061 must be used)|
95
95
SIP/TLS|SBC|SIP Proxy|Defined on the SBC|5061|
96
96
97
97
### Failover mechanism for SIP Signaling
98
98
99
-
The SBC makes a DNS query to resolve sip.pstnhub.microsoft.com. Based on the SBC location and the datacenter performance metrics, the primary datacenter is selected. If the primary datacenter experiences an issue, the SBC will try the sip2.pstnhub.microsoft.com, which resolves to the second assigned datacenter, and, in the rare case that datacenters in two regions aren’t available, the SBC retries the last FQDN (sip3.pstnhub.microsoft.com), which provides the tertiary datacenter IP.
99
+
The SBC makes a DNS query to resolve sip.pstnhub.microsoft.com. Based on the SBC location and the datacenter performance metrics, the primary datacenter is selected. If the primary datacenter experiences an issue, the SBC tries the sip2.pstnhub.microsoft.com, which resolves to the second assigned datacenter, and, in the rare case that datacenters in two regions aren’t available, the SBC retries the last FQDN (sip3.pstnhub.microsoft.com), which provides the tertiary datacenter IP.
100
100
101
101
## Media traffic: IP and Port ranges
102
102
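Review bot: The failover paragraph (new line 99) still reads "the SBC tries the sip2.pstnhub.microsoft.com", with a stray "the" before the FQDN, and remains a single long sentence covering all three fallback steps; suggest "the SBC tries sip2.pstnhub.microsoft.com" and splitting the tertiary case into its own sentence. In the table just above, the unchanged second row (line 95) starts with `SIP/TLS|SBC|...` without the leading pipe that the edited row on line 94 has; worth aligning while this table is being touched.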
@@ -108,8 +108,8 @@ The port range of the Media Processors is shown in the following table:
108
108
109
109
|Traffic|From|To|Source port|Destination port|
110
110
|:--- |:--- |:--- |:--- |:--- |
111
-
|UDP/SRTP|Media Processor|SBC|3478 - 3481 and 49152 – 53247|Defined on the SBC|
112
-
|UDP/SRTP|SBC|Media Processor|Defined on the SBC|3478 - 3481 and 49152 – 53247|
111
+
|UDP/SRTP|Media Processor|SBC|3478–3481 and 49152–53247|Defined on the SBC|
112
+
|UDP/SRTP|SBC|Media Processor|Defined on the SBC|3478–3481 and 49152–53247|
113
113
114
114
> [!NOTE]
115
115
> Microsoft recommends at least two ports per concurrent call on the SBC.
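Review bot: The media port ranges in both rows (new lines 111 and 112) are now typeset with en dashes, as in "3478–3481 and 49152–53247". These values are typically copied into firewall or ACL rules, where an en dash is not a valid range separator. Consider writing them with an ASCII hyphen inside backticks, the way the signaling IP ranges such as `52.112.0.0/14` are already formatted earlier in the file, and applying the same to the "1024–65535" source port range in the SIP table.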