This article describes how to configure a Session Border Controller (SBC) and connect it to Direct Routing. This is step 1 of the following steps to configure Direct Routing:
- Step 1. Connect your SBC with Phone System and validate the connection (This article)
- Step 2. Enable users for Direct Routing
- Step 3. Configure call routing
- Step 4. Translate numbers to an alternate format
For information on all the steps required to set up Direct Routing, see Configure Direct Routing.
To configure and connect an SBC to Direct Routing, you can use the Microsoft Teams admin center or PowerShell.
Note
For GCC High and DoD clouds, you must use PowerShell. The option to connect the SBC isn't available in the Teams admin center.
Use the Microsoft Teams admin center
In the left navigation, go to Voice > Direct Routing, and then select the SBCs tab.
Select Add.
Enter an FQDN for the SBC.
Make sure the domain name portion of the FQDN matches a domain that's registered in your tenant. Keep in mind that the *.onmicrosoft.com domain name isn't supported for the SBC FQDN domain name. For example, if you have two domain names, contoso.com and contoso.onmicrosoft.com, use sbc.contoso.com as the SBC name. If using a subdomain, make sure this subdomain is also registered in your tenant. For example, if you want to use sbc.service.contoso.com, then service.contoso.com needs to be registered.
Configure the settings for the SBC, based on your organization's needs. For details on each of these settings, see SBC settings.
When you're done, select Save.
Use PowerShell
To connect your SBC to Direct Routing, you need to do the following steps:
Connect to Teams by using PowerShell
To pair the SBC to the Direct Routing interface, use a Teams PowerShell module session connected to the tenant. To open a PowerShell session, follow the steps outlined in Set up your computer for Windows PowerShell.
After you establish a remote PowerShell session, verify that you can see the commands to manage the SBC. To verify the commands, type or copy and paste the following command in the PowerShell session, and then press Enter:
Get-Command *onlinePSTNGateway*
The command returns the four functions shown in the following table, which let you manage the SBC.
```
CommandType    Name                          Version    Source
-----------    ----                          -------    ------
Function       Get-CsOnlinePSTNGateway       1.0        tmp_v5fiu1no.wxt
Function       New-CsOnlinePSTNGateway       1.0        tmp_v5fiu1no.wxt
Function       Remove-CsOnlinePSTNGateway    1.0        tmp_v5fiu1no.wxt
Function       Set-CsOnlinePSTNGateway       1.0        tmp_v5fiu1no.wxt
```
Connect the SBC to the tenant
To connect the SBC to the tenant, use the New-CsOnlinePSTNGateway cmdlet. In a PowerShell session, type the following, and then press Enter:
New-CsOnlinePSTNGateway -Fqdn <SBC FQDN> -SipSignalingPort <SBC SIP Port> -MaxConcurrentSessions <Max Concurrent Sessions the SBC can handle> -Enabled $true
Considerations
Microsoft recommends that you set a maximum call limit in the SBC using information that can be found in the SBC documentation. If the SBC is at maximum capacity level, the limit triggers a notification.
You can only connect the SBC if the domain portion of its FQDN matches one of the domains registered in your tenant, except *.onmicrosoft.com. Using *.onmicrosoft.com domain names isn't supported for the SBC FQDN name. For example, if you have two domain names, contoso.com and contoso.onmicrosoft.com, you can use sbc.contoso.com for the SBC name. If you try to connect the SBC with a name such as sbc.contoso.abc, the system doesn't let you, as the domain isn't owned by this tenant.
In addition to the domain registered in your tenant, it's important that there's a user with that domain and an assigned E3 or E5 license. If not, you'll receive the following error:
Can not use the "sbc.contoso.com" domain as it was not configured for this tenant.
To assign a user with that domain, the configured authentication type of the domain must be "Managed".
Multiple IPs mapped with the same FQDN on the SBC side aren't supported.
To provide the best-in-class encryption to our customers, Microsoft forces TLS1.2 usage for the Direct Routing SIP interface. To avoid any service impact, ensure that your SBCs are configured to support TLS1.2 and can connect using one of the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 i.e. ECDHE-RSA-AES256-GCM-SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 i.e. ECDHE-RSA-AES128-GCM-SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 i.e. ECDHE-RSA-AES256-SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 i.e. ECDHE-RSA-AES128-SHA256
SIP OPTIONS pings MUST NOT exceed a frequency of one transaction every 60 seconds and MUST NOT be more or less frequent than one transaction every 180 seconds for each configured trunk for each endpoint.
The following example shows only the minimum required parameters. There are additional parameters that you can set with the New-CsOnlinePSTNGateway cmdlet during the connection process. For more information, see SBC settings.
New-CsOnlinePSTNGateway -Identity sbc.contoso.com -Enabled $true -SipSignalingPort 5067 -MaxConcurrentSessions 100
This example returns the following information:
```
Identity              : sbc.contoso.com
Fqdn                  : sbc.contoso.com
SipSignalingPort      : 5067
FailoverTimeSeconds   : 10
ForwardCallHistory    : False
ForwardPai            : False
SendSipOptions        : True
MaxConcurrentSessions : 100
Enabled               : True
```
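The FQDN rules from the considerations above can be checked before calling New-CsOnlinePSTNGateway. The following is an added example, not part of the original article or the Teams module: the function name Test-SbcFqdn is hypothetical, and it assumes the caller supplies the list of domains registered in the tenant.

```powershell
# Added example (hypothetical helper, not a Teams module cmdlet).
# Checks an SBC FQDN against the rules in this article: the domain portion must be
# registered in the tenant, *.onmicrosoft.com is not supported, and the name is
# limited to 63 characters.
function Test-SbcFqdn {
    param(
        [Parameter(Mandatory)] [string]   $Fqdn,
        [Parameter(Mandatory)] [string[]] $TenantDomains   # assumption: supplied by the caller
    )
    $name   = $Fqdn.Trim().TrimEnd('.').ToLowerInvariant()
    $dot    = $name.IndexOf('.')
    # The domain portion is everything after the host label, so a subdomain such as
    # service.contoso.com must itself be registered.
    $domain = if ($dot -gt 0) { $name.Substring($dot + 1) } else { '' }
    $known  = @($TenantDomains | ForEach-Object { $_.Trim().ToLowerInvariant() })

    $reason = if ($name.Length -gt 63) { 'FQDN is longer than 63 characters' }
    elseif (-not $domain) { 'FQDN has no domain portion after the host label' }
    elseif ($domain -eq 'onmicrosoft.com' -or $domain -like '*.onmicrosoft.com') {
        '*.onmicrosoft.com domain names are not supported for the SBC FQDN'
    }
    elseif ($known -notcontains $domain) { "Domain '$domain' is not registered in the tenant" }
    else { $null }

    [pscustomobject]@{
        Fqdn   = $name
        Domain = $domain
        Valid  = ($null -eq $reason)
        Reason = $reason
    }
}

# Constructed sample input, using the contoso names from this article.
$tenantDomains = 'contoso.com', 'contoso.onmicrosoft.com'
'sbc.contoso.com', 'sbc.contoso.onmicrosoft.com', 'sbc.service.contoso.com', 'sbc.contoso.abc' |
    ForEach-Object { Test-SbcFqdn -Fqdn $_ -TenantDomains $tenantDomains } |
    Format-Table -AutoSize -Wrap
```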
Verify the SBC connection
To verify the connection, do the following steps:
Check whether the SBC is on the list of paired SBCs
After you connect the SBC, use the Get-CsOnlinePSTNGateway cmdlet to verify that the SBC is present in the list of paired SBCs. In a remote PowerShell session, type the following and then press Enter:
Get-CsOnlinePSTNGateway -Identity sbc.contoso.com
The paired gateway should appear in the list as shown in the example below, and the Enabled parameter should display a value of True.
This example returns the following information:
```
Identity              : sbc.contoso.com
Fqdn                  : sbc.contoso.com
SipSignalingPort      : 5067
FailoverTimeSeconds   : 10
ForwardCallHistory    : False
ForwardPai            : False
SendSipOptions        : True
MaxConcurrentSessions : 100
Enabled               : True
```
Validate SIP options
To validate the pairing using outgoing SIP options, use the SBC management interface and confirm that the SBC receives 200 OK responses to its outgoing OPTIONS messages.
When Direct Routing sees incoming OPTIONS, it starts sending outgoing SIP Options messages to the SBC FQDN configured in the Contact header field in the incoming OPTIONS message.
To validate the pairing using incoming SIP options, use the SBC management interface. Check to see that the SBC sends a reply to the OPTIONS messages coming in from Direct Routing, and that the response code it sends is 200 OK.
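The OPTIONS check described above can be run over an exported SBC log instead of being read by eye. The following is an added example, not part of the original article: the log line format and the function name Test-SipOptionsLog are hypothetical (real SBC logs differ by vendor), and it reads the 60 and 180 second figures from the considerations as the lower and upper bound on the gap between pings.

```powershell
# Added example. Hypothetical log format: <UTC timestamp> <OUT|IN> <trunk> <OPTIONS|status> cseq=<n>
function Test-SipOptionsLog {
    param([Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Lines)

    $pattern = '^(?<ts>\S+)\s+(?<dir>OUT|IN)\s+(?<trunk>\S+)\s+(?<msg>OPTIONS|\d{3})\s+cseq=(?<cseq>\d+)$'
    $replies = @{}   # "trunk|cseq" -> status code received for that OPTIONS
    $pings   = @()   # outgoing OPTIONS, one object per ping
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }
        $key = '{0}|{1}' -f $Matches.trunk, $Matches.cseq
        if ($Matches.dir -eq 'IN' -and $Matches.msg -ne 'OPTIONS') {
            $replies[$key] = [int]$Matches.msg
        } elseif ($Matches.dir -eq 'OUT' -and $Matches.msg -eq 'OPTIONS') {
            $time = [datetimeoffset]::Parse($Matches.ts, [cultureinfo]::InvariantCulture).UtcDateTime
            $pings += [pscustomobject]@{ Trunk = $Matches.trunk; Key = $key; Time = $time }
        }
    }

    $previous = @{}  # trunk -> time of the preceding ping on that trunk
    foreach ($ping in ($pings | Sort-Object Time)) {
        $issues = @()
        if ($previous.ContainsKey($ping.Trunk)) {
            $gap = ($ping.Time - $previous[$ping.Trunk]).TotalSeconds
            if ($gap -lt 60)  { $issues += "gap of ${gap}s is under 60s" }
            if ($gap -gt 180) { $issues += "gap of ${gap}s is over 180s" }
        }
        $previous[$ping.Trunk] = $ping.Time
        if (-not $replies.ContainsKey($ping.Key)) { $issues += 'no reply seen' }
        elseif ($replies[$ping.Key] -ne 200)      { $issues += "reply was $($replies[$ping.Key])" }

        [pscustomobject]@{
            Trunk   = $ping.Trunk
            Time    = $ping.Time
            Healthy = ($issues.Count -eq 0)
            Issues  = $issues -join '; '
        }
    }
}

# Constructed sample log: one healthy ping pair, then a late ping answered with 503.
$sampleLog = @'
2024-05-01T10:00:00Z OUT sbc.contoso.com OPTIONS cseq=101
2024-05-01T10:00:00Z IN sbc.contoso.com 200 cseq=101
2024-05-01T10:01:30Z OUT sbc.contoso.com OPTIONS cseq=102
2024-05-01T10:01:31Z IN sbc.contoso.com 200 cseq=102
2024-05-01T10:05:30Z OUT sbc.contoso.com OPTIONS cseq=103
2024-05-01T10:05:31Z IN sbc.contoso.com 503 cseq=103
'@ -split '\r?\n'

Test-SipOptionsLog -Lines $sampleLog | Format-Table -AutoSize -Wrap
```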
SBC settings
This table lists the options that you can set for the SBC in the Microsoft Teams admin center and by using the New-CsOnlinePSTNGateway cmdlet.
Required? | Teams admin center setting | PowerShell parameter | Description | Default | Possible values | Type and restrictions |
---|---|---|---|---|---|---|
Yes | Add an FQDN for the SBC | FQDN | | None | FQDN name, limit 63 characters | String, see the list of allowed and disallowed characters on Naming conventions in Active Directory for computers, domains, sites, and OUs |
No | Enabled | Enabled | Use to turn on the SBC for outbound calls. You can use this to temporarily remove the SBC from service while it's being updated or during maintenance. | False | True, False | Boolean |
Yes | SIP signaling port | SipSignalingPort | This is the listening port that's used to communicate with Direct Routing by using the Transport Layer Security (TLS) protocol. | None | Any port | 0 to 65535 |
No | Send SIP options | SendSIPOptions | Defines whether the SBC sends SIP options messages. We highly recommend that you turn on this setting. When this setting is off, the SBC is excluded from the Monitoring and Alert system. | True | True, False | Boolean |
No | Forward call history | ForwardCallHistory | Indicates whether call history information is forwarded through the trunk. When you turn this on, the Microsoft 365 proxy sends a History-info and Referred-by header. | False | True, False | Boolean |
No | Forward P-Asserted-identity (PAI) header | ForwardPAI | Indicates whether the PAI header is forwarded along with the call. The PAI header provides a way to verify the identity of the caller. If this setting is on, the Privacy:ID header is also sent. | False | True, False | Boolean |
No | Concurrent call capacity | MaxConcurrentSessions | When you set a value, the alerting system notifies you when the number of concurrent sessions is 90 percent or higher than this value. If you don't set a value, alerts aren't generated. However, the monitoring system still reports the number of concurrent sessions every 24 hours. | Null | Null, 1 to 100,000 | |
No | Failover response codes | FailoverResponseCodes | Specifying a failover response code forces Direct Routing to attempt connection with another SBC (if another one exists in the user's voice routing policy) upon receiving any of the specified response codes from the SBC on an SBC-terminated initial INVITE request. A retry only occurs in the absence of prior non-100 provisional responses. For more information, see Failover of specific SIP codes received from the Session Border Controller (SBC). | 408, 503, 504 | | Int |
No | Failover times (seconds) | FailoverTimeSeconds | When you set a value, outbound calls that aren't answered by the gateway within the time that you set are routed to the next available trunk. If there are no additional trunks, the call is automatically dropped. The default value is 10 seconds. In an organization with slow networks and gateway responses, this could potentially result in calls being dropped unnecessarily. | 10 | Number | Int |
No | SBC supports PIDF/LO for emergency calls | PidfloSupported | Specify whether the SBC supports Presence Information Data Format Location Object (PIDF/LO) for emergency calls. |
For information about Location-Based Routing and media optimization settings, see Plan for Location-Based Routing and Plan for media bypass with Direct Routing.
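Paired gateways can be reviewed against the monitoring and header-forwarding behaviour listed in the SBC settings table. The following is an added example, not part of the original article or the Teams module: the function name Get-SbcSettingFinding is hypothetical, and the property names follow the Get-CsOnlinePSTNGateway output shown earlier.

```powershell
# Added example (hypothetical helper). Accepts objects shaped like the
# Get-CsOnlinePSTNGateway output in this article and emits one row per finding.
function Get-SbcSettingFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Gateway)
    process {
        $findings = @()
        if (-not $Gateway.Enabled) {
            $findings += 'Enabled is False: the SBC is out of service for outbound calls'
        }
        if (-not $Gateway.SendSipOptions) {
            $findings += 'SendSipOptions is False: the SBC is excluded from the Monitoring and Alert system'
        }
        $max = $Gateway.MaxConcurrentSessions
        if ($null -eq $max) {
            $findings += 'MaxConcurrentSessions is not set: no alert at 90 percent of capacity'
        } elseif ($max -lt 1 -or $max -gt 100000) {
            $findings += "MaxConcurrentSessions $max is outside 1 to 100,000"
        }
        $port = $Gateway.SipSignalingPort
        if ($null -eq $port -or $port -lt 0 -or $port -gt 65535) {
            $findings += "SipSignalingPort '$port' is outside 0 to 65535"
        }
        if ($Gateway.ForwardPai) {
            $findings += 'ForwardPai is True: the PAI and Privacy:ID headers are sent with calls'
        }
        if ($Gateway.ForwardCallHistory) {
            $findings += 'ForwardCallHistory is True: History-info and Referred-by headers are sent'
        }
        foreach ($finding in $findings) {
            [pscustomobject]@{ Identity = $Gateway.Identity; Finding = $finding }
        }
    }
}

# Constructed sample objects; sbc2.contoso.com is an invented second gateway.
$sampleGateways = @(
    [pscustomobject]@{ Identity = 'sbc.contoso.com'; SipSignalingPort = 5067; FailoverTimeSeconds = 10
        ForwardCallHistory = $false; ForwardPai = $false; SendSipOptions = $true
        MaxConcurrentSessions = 100; Enabled = $true }
    [pscustomobject]@{ Identity = 'sbc2.contoso.com'; SipSignalingPort = 5067; FailoverTimeSeconds = 10
        ForwardCallHistory = $false; ForwardPai = $true; SendSipOptions = $false
        MaxConcurrentSessions = $null; Enabled = $true }
)
$sampleGateways | Get-SbcSettingFinding | Format-Table -AutoSize -Wrap
```

In a connected Teams PowerShell session, the same function can take the output of Get-CsOnlinePSTNGateway from the pipeline in place of the sample objects.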