Media Bypass for Teams Direct Routing and Required Ports and Traffic with Ribbon SBC Edge (SBC 1000 / SBC 2000 / SBC SWe Lite)

It might be confusing to find the ports required for Teams Media Bypass, especially since you need to check different Microsoft documentation and SBC documentation.

This article explains the needed firewall ports and why we need them. I will also explain how to find the needed media ports for Ribbon SBC Edge.

Although Local Media Optimization (LMO) might be a better option than Media Bypass, LMO does not support Teams SBA (Survivable Branch Appliance). In such a case, Media Bypass is a good option to use.

Another reason to choose Media Bypass is that it might be easier for you to implement than LMO.

Type of Teams Calls Traffic

The following are the two types of Teams Calls traffic including Teams Direct Routing

Signaling Traffic:

Traffic that is related to the control of the call such as call initiation and call ending. Such traffic is not heavy, but it is important for the call.

Media Traffic

This traffic contains the actual voice that can be heard during the call. It is heavier, and it needs to be delivered with low latency and over the shortest path if possible.

The above two types of traffic are explained in the link:

https://learn.microsoft.com/en-us/microsoftteams/microsoft-teams-online-call-flows

Under the section “Types of traffic”

Teams Direct Routing Call Traffic without Media Bypass

In Direct Routing without Media Bypass, both signaling and media traffic go from the Teams Client to Microsoft Servers to the SBC to the PSTN and vice versa (Teams Client <-> Microsoft Servers <-> SBC)

Teams Direct Routing Call Traffic with Media Bypass

With media bypass, the media traffic for Teams telephony is between the Teams client and the SBC (Teams Client <-> SBC) while signaling remains the same (Teams Client <-> Microsoft Servers <-> SBC)

In other words, with Media Bypass in Teams Direct Routing, the voice traffic is between the Teams Client and the SBC without being sent to Microsoft Servers

Refer to the following Microsoft article for more details:

https://learn.microsoft.com/en-us/microsoftteams/direct-routing-plan-media-bypass

Local Media Optimization

Local Media Optimization (LMO) is another method of keeping the traffic between Teams Client and the SBC. It is not in the scope of this article.

Enabling Media Bypass Using PowerShell

Use the following PowerShell command to enable Media Bypass on a specific SBC

Set-CSOnlinePSTNGateway -Identity sbc.contoso.com -MediaBypass $true

You can use this command if you already have an SBC with the name sbc.contoso.com defined in your tenant. The SBC sbc.contoso.com is just an example.

Signaling Ports Between the SBC and Microsoft Servers

The following are the signaling ports. These ports are always used and needed for all Direct Routing deployment scenarios

| From | To | Ports | Comment |
|---|---|---|---|
| 52.112.0.0/14, 52.120.0.0/14 | SBC public IP | 5061/TCP | Signaling |
| SBC public IP | 52.112.0.0/14, 52.120.0.0/14 | 5061/TCP | Signaling |

The above table is from the following link:

https://learn.microsoft.com/en-us/microsoftteams/direct-routing-plan-media-bypass

Under the section “SIP Signaling: Ports”

Note:

In the above table, I have put port 5061 as the signaling port for SBC. Port 5061 is the default port used for Signaling when using Easy Configuration Wizard of Ribbon Edge. This port can change while running the wizard or after completing the wizard (by changing the resulting “Signaling Group”)

Media Ports Between the SBC and Microsoft Servers

Even though you have configured your SBC with Media Bypass, you still need the media ports for non-Media Bypass for situations such as:

  • The Public IP of the SBC is not accessible for some reason. In this case, Teams Client will fail over to non-Media Bypass communication
  • The administrator chooses not to allow access to the Public IP of the SBC other than Microsoft Servers (maybe for security reasons)
  • There are some Teams Clients that are not capable of supporting Media Bypass (such as the old 3PIP phones)

In such cases, the media traffic will be without Media Bypass (Teams Client <-> Microsoft Servers <-> SBC)

| From | To | Ports | Comment |
|---|---|---|---|
| 52.112.0.0/14 | SBC public IP | Media Ports Range Defined on the SBC (UDP Ports) | Media |
| SBC public IP | 52.112.0.0/14 | 3478-3481/UDP, 49152-59999/UDP | Media |

The above table is from the following link:

https://learn.microsoft.com/en-us/microsoftteams/direct-routing-plan-media-bypass

Under the section “Requirements for using Transport Relays”

For how to find the exact Media Ports on Ribbon Edge SBC, check the section “How to Find and Set the Media Port Range on SBC Edge” below

Media Ports Between SBC and Teams Clients (Internal Network or Internet)

These are the ports that are used for the Media Traffic of Media Bypass for both internal clients and internet clients. This traffic is between the SBC and the Teams clients (on the Internal Network or the Internet)

| From | To | Ports | Comment |
|---|---|---|---|
| Corp LAN or Internet (client) | SBC public IP | Media Ports Range Defined on the SBC (UDP Ports) | Media-bypass |
| SBC public IP | Corp LAN or Internet (client) | 50000-50019/UDP | Media-bypass |

The above table is from the following link:

https://learn.microsoft.com/en-us/microsoftteams/direct-routing-plan-media-bypass

Under the section “Media traffic: IP and Port ranges” and subsection “Requirements for direct media traffic (between the Teams client and the SBC)”

For how to find the exact Media Ports on Ribbon Edge SBC, check the section “How to Find and Set the Media Port Range on SBC Edge” below
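The three tables above can be turned into a checklist and compared against a firewall allow list. The following is an added example, not part of the original article and not Microsoft or Ribbon code. The SBC address 203.0.113.10, the rule tuple format, the sample rules and the use of the SBC 1000 default media range are assumptions made for the example.

```python
import ipaddress

SBC = "203.0.113.10/32"        # assumed SBC public IP (documentation address)
SBC_MEDIA = (17586, 21186)     # SBC 1000 default range quoted in this article
MS = ["52.112.0.0/14", "52.120.0.0/14"]
ANY = "0.0.0.0/0"              # stands for "Corp LAN or Internet (client)"

# Required flows from the three tables: (name, src, dst, proto, first, last)
REQUIRED = (
    [("signaling-in", m, SBC, "tcp", 5061, 5061) for m in MS]
    + [("signaling-out", SBC, m, "tcp", 5061, 5061) for m in MS]
    + [
        ("relay-media-in", MS[0], SBC, "udp", *SBC_MEDIA),
        ("relay-media-out", SBC, MS[0], "udp", 3478, 3481),
        ("relay-media-out", SBC, MS[0], "udp", 49152, 59999),
        ("bypass-in", ANY, SBC, "udp", *SBC_MEDIA),
        ("bypass-out", SBC, ANY, "udp", 50000, 50019),
    ]
)

def covers(rule, flow):
    """True if a single allow rule fully contains the required flow."""
    r_src, r_dst, r_proto, r_lo, r_hi = rule
    _, f_src, f_dst, f_proto, f_lo, f_hi = flow
    net = ipaddress.ip_network
    return (r_proto == f_proto
            and net(f_src).subnet_of(net(r_src))
            and net(f_dst).subnet_of(net(r_dst))
            and r_lo <= f_lo and f_hi <= r_hi)

def missing_flows(rules):
    """Required flows that no single allow rule covers."""
    return [f"{f[0]}: {f[1]} -> {f[2]} {f[3]}/{f[4]}-{f[5]}"
            for f in REQUIRED if not any(covers(r, f) for r in rules)]

# Constructed allow list: (src, dst, proto, first, last). Inbound access to
# the SBC is limited to Microsoft ranges, so direct client media is not allowed.
RULES = [
    (MS[0], SBC, "tcp", 5061, 5061),
    (MS[1], SBC, "tcp", 5061, 5061),
    (MS[0], SBC, "udp", 17586, 21186),
    (SBC, ANY, "tcp", 5061, 5061),
    (SBC, ANY, "udp", 1024, 65535),
]

if __name__ == "__main__":
    print(missing_flows(RULES))
```

With these sample rules only the inbound Media Bypass flow is reported as missing, so calls would still work but the media would go through Microsoft Servers.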

How to Know the Media Ports for Ribbon SBC Edge (SBC 1000 / SBC 2000 / SBC SWe Lite)

Below is how to find the media ports for the Ribbon Edge family of SBCs. These ports are mentioned in Microsoft documents as “Defined on the SBC”

How to Find and Set the Media Port Range on SBC Edge

On the Web Interface of the SBC, go to

Settings tab > Media > Media System Configuration

Under the “Port Range” section, you will set the starting port and the number of ports

The “Regular Call Media Port Range” starts from the “Start Port”, and the SBC calculates the port ranges for you. There will be two port ranges: one is for regular media and the other is for ICE.

The port range that you need to allow on the firewall is from the “Regular Call Media Port Range” to the last port of the “ICE Call Media Port Range”

The following image shows that the UDP media port range is from 1024 to 1824

Default Media Ports Range for each of SBC Edge models

For each model of the SBC Edge, there is a different range of ports that is already set (you can change it as explained in the section above). The following is a table with the default port range for each model.

| Module | SBC 1000 | SBC 2000 | SBC SWe Lite |
|---|---|---|---|
| Media Port Range | UDP 17586-21186 | UDP 19386-28386 | It depends on the Media Port pairs configured in the SBC |

The above is from the following link:

https://support.sonus.net/display/UXDOC90/Connect+SBC+SWe+Lite+to+Microsoft+Teams+Direct+Routing+Deployed+in+Azure

On the above link, expand the section “Firewall Rules for the SBC with Media Bypass”

Media Bypass Is Enabled by Default When Using Easy Configuration Wizard of Ribbon SBC Edge

Easy Configuration enables Media Bypass by default according to the following link:

https://support.sonus.net/display/UXDOC80/Best+Practice+-+How+to+Configure+the+SBC+Edge+behind+the+NAT+in+Microsoft+Teams+Direct+Routing

Under the section “Configure SBC when Microsoft Teams is in Media Bypass Mode”

The link above also explains how to disable Media Bypass on Ribbon SBC Edge

Teams Signaling Group Created with Old Version of Easy Configuration Wizard (Old Firmware)

If your Teams signaling group was created with an old version of the easy setup wizard (old firmware), the Signaling Group might not be enabled for Media Bypass. In that case, you can enable it by following the same link:

https://support.sonus.net/display/UXDOC80/Best+Practice+-+How+to+Configure+the+SBC+Edge+behind+the+NAT+in+Microsoft+Teams+Direct+Routing

Notes About Opening the Media Ports Correctly

  • The firewall and other network devices need to be configured correctly to allow bi-directional communication between the internal clients and the public IP of the SBC on the specific ports for each direction
  • The ports from the client to the public IP are different from the ports from the public IP to the clients
  • If media communication between the Teams Client and the public IP of the SBC fails, the media communication will go through Microsoft Servers (Teams Client <-> Microsoft Servers <-> SBC). The user might notice a slight delay in establishing the call.
  • If the public IP is NATed to an internal IP of the SBC, the internal clients need to have bi-directional communication with the Public IP itself and not the internal IP of the SBC.
  • When using NATing, outgoing traffic should always go through the public IP specified for the SBC. Many firewall devices are configured to use their default shared IP instead of the specific IP for the SBC. That causes a problem in the configuration because Microsoft Servers are expecting the traffic to come from the public IP that is mapped to the SBC.
  • Use network packet capturing and analyzing tools such as Wireshark to verify that the media traffic is between the Teams client and the SBC and not between the Teams client and Microsoft Servers
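
One way to do the capture check from the last note, working on flow summaries exported from a capture taken on the Teams client. This is an added example, not part of the original article. The SBC address 203.0.113.10, the client address 10.1.1.20, the use of the SBC 1000 default media range and the packet counts are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Ranges from this article; the SBC address is an assumed documentation address.
SBC_IP = ipaddress.ip_address("203.0.113.10")
SBC_MEDIA = range(17586, 21187)          # UDP 17586-21186 (SBC 1000 default)
MS_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.120.0.0/14")]
MS_MEDIA = range(3478, 3482)             # UDP 3478-3481

def classify(proto, src, sport, dst, dport, client):
    """Label one flow from a capture taken on the Teams client."""
    peer, pport = (dst, dport) if src == client else (src, sport)
    peer = ipaddress.ip_address(peer)
    if proto != "udp":
        return "other"
    if peer == SBC_IP and pport in SBC_MEDIA:
        return "bypass"                  # Teams Client <-> SBC
    if pport in MS_MEDIA and any(peer in net for net in MS_NETS):
        return "relayed"                 # Teams Client <-> Microsoft Servers
    return "other"

def media_path(flows, client):
    """Return (path carrying most media packets, packet counts per path)."""
    pkts = Counter()
    for proto, src, sport, dst, dport, count in flows:
        pkts[classify(proto, src, sport, dst, dport, client)] += count
    media = {k: pkts[k] for k in ("bypass", "relayed")}
    if not any(media.values()):
        return "no-media", media
    return max(media, key=media.get), media

CLIENT = "10.1.1.20"
# Constructed flow summaries: (proto, src, sport, dst, dport, packets)
CALL_OK = [
    ("udp", CLIENT, 50004, "203.0.113.10", 17590, 2400),
    ("udp", "203.0.113.10", 17590, CLIENT, 50004, 2390),
    ("udp", CLIENT, 50006, "52.114.8.9", 3478, 12),     # a few setup packets
    ("tcp", CLIENT, 51500, "52.113.1.1", 443, 80),
]
CALL_FALLBACK = [
    ("udp", CLIENT, 50004, "203.0.113.10", 17590, 6),   # unanswered attempts
    ("udp", CLIENT, 50006, "52.114.8.9", 3479, 2400),
    ("udp", "52.114.8.9", 3479, CLIENT, 50006, 2380),
]

if __name__ == "__main__":
    for name, flows in (("ok", CALL_OK), ("fallback", CALL_FALLBACK)):
        print(name, media_path(flows, CLIENT))
```

The verdict is based on which path carries most of the UDP packets, because a small number of packets to Microsoft Servers can appear even when the call media itself runs directly to the SBC.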

Port from Internal Clients (Internal Network) to Microsoft Servers

According to the following link

https://learn.microsoft.com/en-us/microsoftteams/microsoft-teams-online-call-flows

Under the section “Connectivity to Microsoft 365 or Office 365”, you need to open connectivity to TCP ports 80 and 443, and UDP ports 3478 through 3481.

In general, you need to open all the communications mentioned in the link:

https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams

Media Ports from Internal Clients (Internal Network) to Microsoft Servers

Under the section “Skype for Business Online and Microsoft Teams” in the link:

https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams

You will find the UDP ports from 3478 to 3481. These ports carry the Media Traffic to Microsoft Servers

Again, you need to open all the communications mentioned in the link:

https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams

Final Note:

You need to check the article and links before you start your implementation. Microsoft keeps changing the required ports and IP addresses needed for Teams communication.