Teams

Media Bypass for Teams Direct Routing and Required Ports and Traffic with Ribbon SBC Edge (SBC 1000 / SBC 2000 / SBC SWe Lite)

Finding the ports required for Teams Media Bypass can be confusing, especially since you need to check several Microsoft documents as well as the SBC documentation.

This article explains the firewall ports that are needed and why we need them. I will also explain how to find the media ports for Ribbon SBC Edge.

Although Local Media Optimization (LMO) might be a better option than Media Bypass, LMO does not support Teams SBA (Survivable Branch Appliance). In such a case, Media Bypass is a good option to use.

Another reason to choose Media Bypass is that it might be easier for you to implement than LMO.

Type of Teams Calls Traffic

The following are the two types of Teams Calls traffic including Teams Direct Routing

Signaling Traffic:

Traffic that is related to the control of the call such as call initiation and call ending. Such traffic is not heavy, but it is important for the call.

Media Traffic

This traffic contains the actual voice that can be heard during the call. It is heavier, and it needs to be delivered with low latency and over the shortest path if possible.

The above two types of traffic are explained in the link:

https://learn.microsoft.com/en-us/microsoftteams/microsoft-teams-online-call-flows

Under the section “Types of traffic”

Teams Direct Routing Call Traffic without Media Bypass

In Direct Routing without Media Bypass, both signaling and media traffic flow from the Teams Client to Microsoft Servers to the SBC to the PSTN and vice versa (Teams Client <-> Microsoft Servers <-> SBC)

Teams Direct Routing Call Traffic with Media Bypass

With media bypass, the media traffic for Teams telephony is between the Teams client and the SBC (Teams Client <-> SBC) while signaling remains the same (Teams Client <-> Microsoft Servers <-> SBC)

In other words, with Media Bypass the voice traffic flows between the Teams Client and the SBC without being sent to Microsoft Servers

Refer to the following Microsoft article for more details:

https://learn.microsoft.com/en-us/microsoftteams/direct-routing-plan-media-bypass

Local Media Optimization

Local Media Optimization (LMO) is another method of keeping the traffic between Teams Client and the SBC. It is not in the scope of this article.

Enabling Media Bypass Using PowerShell

Use the following PowerShell command to enable Media Bypass on a specific SBC

Set-CSOnlinePSTNGateway -Identity sbc.contoso.com -MediaBypass $true

You can use this command if you already have an SBC with the name sbc.contoso.com defined in your tenant. The SBC sbc.contoso.com is just an example.

Signaling Ports Between the SBC and Microsoft Servers

The following are the signaling ports. These ports are always used and needed in all Direct Routing deployment scenarios.

| From | To | Ports | Comment |
|---|---|---|---|
| 52.112.0.0/14, 52.120.0.0/14 | SBC public IP | 5061/TCP | Signaling |
| SBC public IP | 52.112.0.0/14, 52.120.0.0/14 | 5061/TCP | Signaling |

The above table is from the following link:

https://learn.microsoft.com/en-us/microsoftteams/direct-routing-plan-media-bypass

Under the section “SIP Signaling: Ports”

Note:

In the above table, I have put port 5061 as the signaling port for SBC. Port 5061 is the default port used for Signaling when using Easy Configuration Wizard of Ribbon Edge. This port can change while running the wizard or after completing the wizard (by changing the resulting “Signaling Group”)

Media Ports Between the SBC and Microsoft Servers

Even though you have configured your SBC with Media Bypass, you still need the media ports for non-Media Bypass for situations such as:

  • The Public IP of the SBC is not accessible for some reason. In this case, Teams Client will fail over to non-Media Bypass communication
  • The administrator chooses not to allow access to the Public IP of the SBC other than Microsoft Servers (maybe for security reasons)
  • There are some Teams Clients that cannot support Media Bypass (such as the old 3PIP phones)

In such cases, the media traffic will be without Media Bypass (Teams Client <-> Microsoft Servers <-> SBC)

| From | To | Ports | Comment |
|---|---|---|---|
| 52.112.0.0/14 | SBC public IP | Media Ports Range Defined on the SBC (UDP Ports) | Media |
| SBC public IP | 52.112.0.0/14 | 3478-3481/UDP, 49152-59999/UDP | Media |

The above table is from the following link:

https://learn.microsoft.com/en-us/microsoftteams/direct-routing-plan-media-bypass

Under the section “Requirements for using Transport Relays”

For how to find the exact Media Ports on Ribbon Edge SBC, check the section “How to Find and Set the Media Port Range on SBC Edge” below

Media Ports Between SBC and Teams Clients (Internal Network or Internet)

These are the ports that are used for the media traffic of Media Bypass, for both internal clients and internet clients. This traffic is between the SBC and the Teams clients (on the internal network or the internet).

| From | To | Ports | Comment |
|---|---|---|---|
| Corp LAN or Internet (client) | SBC public IP | Media Ports Range Defined on the SBC (UDP Ports) | Media-bypass |
| SBC public IP | Corp LAN or Internet (client) | 50000-50019/UDP | Media-bypass |

The above table is from the following link:

https://learn.microsoft.com/en-us/microsoftteams/direct-routing-plan-media-bypass

Under the section “Media traffic: IP and Port ranges” and subsection “Requirements for direct media traffic (between the Teams client and the SBC)”

For how to find the exact Media Ports on Ribbon Edge SBC, check the section “How to Find and Set the Media Port Range on SBC Edge” below

How to Know the Media Ports for Ribbon SBC Edge (SBC 1000 / SBC 2000 / SBC SWe Lite)

Below is how to find the media ports for the Ribbon Edge family of SBCs. These ports are mentioned in Microsoft documents as “Defined on the SBC”

How to Find and Set the Media Port Range on SBC Edge

On the Web Interface of the SBC, go to

Settings tab > Media > Media System Configuration

Under the “Port Range” section, you will set the starting port and the number of ports

The “Regular Call Media Port Range” starts at the “Start Port”, and the SBC will calculate the port ranges for you. There will be two port ranges: one for regular media and the other for ICE.

The port range that you need to allow on the firewall is from the “Regular Call Media Port Range” to the last port of the “ICE Call Media Port Range”

The following image shows that the UDP media ports run from 1024 to 1824

Default Media Ports Range for each of SBC Edge models

For each model of the SBC Edge, there is a different range of ports that is already set (you can change it as explained in the section above). The following is a table with the default port range for each module.

| Module | SBC 1000 | SBC 2000 | SBC SWe Lite |
|---|---|---|---|
| Media Port Range | UDP 17586-21186 | UDP 19386-28386 | It depends on the Media Port pairs configured in the SBC |

The above is from the following link:

https://support.sonus.net/display/UXDOC90/Connect+SBC+SWe+Lite+to+Microsoft+Teams+Direct+Routing+Deployed+in+Azure

On the above link, expand the section “Firewall Rules for the SBC with Media Bypass”

Media Bypass Is Enabled by Default When Using Easy Configuration Wizard of Ribbon SBC Edge

Easy Configuration enables Media Bypass by default according to the following link:

https://support.sonus.net/display/UXDOC80/Best+Practice+-+How+to+Configure+the+SBC+Edge+behind+the+NAT+in+Microsoft+Teams+Direct+Routing

Under the section “Configure SBC when Microsoft Teams is in Media Bypass Mode”

The link above also explains how to disable Media Bypass on Ribbon SBC Edge

Teams Signaling Group Created with Old Version of Easy Configuration Wizard (Old Firmware)

If your Teams signaling group was created with an old version of the Easy Configuration Wizard (old firmware), the Signaling Group might not be enabled for Media Bypass. In that case, you can enable it by following the same link:

https://support.sonus.net/display/UXDOC80/Best+Practice+-+How+to+Configure+the+SBC+Edge+behind+the+NAT+in+Microsoft+Teams+Direct+Routing

Notes About Configuring Media Ports Opened Correctly

  • The firewall and other network devices need to be configured correctly to allow bi-directional communication between the internal clients and the public IP of the SBC on the specific ports for each direction
  • The ports from the client to the public IP are different from the ports from the public IP to the clients
  • In case of the failure of media communication between Teams Client and the public IP of the SBC, the media communication will go through Microsoft Servers (Teams Client <-> Microsoft Servers <-> SBC). The user might notice a slight delay in establishing the call.
  • If the public IP is NATed to an internal IP of the SBC, the internal clients need to have bi-directional communication with the Public IP itself and not the internal IP of the SBC.
  • When using NAT, outgoing traffic should always go through the public IP specified for the SBC. Many firewall devices are configured to use their default shared IP instead of the specific IP for the SBC. That causes a problem in the configuration because Microsoft Servers are expecting the traffic to come from the public IP that is mapped to the SBC.
  • Use network packet capturing and analyzing tools such as Wireshark to verify that the media traffic is between the Teams client and the SBC and not between the Teams client and Microsoft Servers
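
The rules from the port tables above, generated for one SBC and compared with a firewall export, as an added example that is not part of the original article. The function names, the 'Clients' label and the shape of the export are assumptions; the sample uses the SBC 1000 default media range and a documentation IP address.

```powershell
# Added example, not from the original article. Function names and the export
# shape are assumptions; ports and Microsoft ranges are those in the tables above.

function New-Rule($Source, $Destination, $Protocol, $Ports, $Purpose) {
    [pscustomobject]@{
        Source = $Source; Destination = $Destination
        Protocol = $Protocol; Ports = $Ports; Purpose = $Purpose
    }
}

function Get-RequiredMediaBypassRule {
    param(
        [Parameter(Mandatory)][string]$SbcPublicIp,
        [Parameter(Mandatory)][string]$SbcMediaPorts,  # "defined on the SBC", e.g. 17586-21186
        [string]$SignalingPort = '5061',                # Easy Configuration Wizard default
        [string]$Clients = 'Clients'                    # label for "Corp LAN or Internet (client)"
    )
    foreach ($ms in '52.112.0.0/14', '52.120.0.0/14') {
        New-Rule $ms $SbcPublicIp 'TCP' $SignalingPort 'Signaling'
        New-Rule $SbcPublicIp $ms 'TCP' $SignalingPort 'Signaling'
    }
    # Non-bypass media through Microsoft (the fallback path).
    New-Rule '52.112.0.0/14' $SbcPublicIp 'UDP' $SbcMediaPorts 'Media'
    New-Rule $SbcPublicIp '52.112.0.0/14' 'UDP' '3478-3481' 'Media'
    New-Rule $SbcPublicIp '52.112.0.0/14' 'UDP' '49152-59999' 'Media'
    # Media Bypass: the two directions use different port ranges.
    New-Rule $Clients $SbcPublicIp 'UDP' $SbcMediaPorts 'Media-bypass'
    New-Rule $SbcPublicIp $Clients 'UDP' '50000-50019' 'Media-bypass'
}

function Test-PortsCovered([string]$Have, [string]$Need) {
    # "5061" or "3478-3481": the configured range must contain the required one.
    $h = @($Have -split '-' | ForEach-Object { [int]$_ })
    $n = @($Need -split '-' | ForEach-Object { [int]$_ })
    ($h[0] -le $n[0]) -and ($h[-1] -ge $n[-1])
}

function Get-MissingRule {
    param([object[]]$Required, [object[]]$Configured)
    foreach ($need in $Required) {
        $hit = $Configured | Where-Object {
            $_.Source -eq $need.Source -and $_.Destination -eq $need.Destination -and
            $_.Protocol -eq $need.Protocol -and (Test-PortsCovered $_.Ports $need.Ports)
        }
        if (-not $hit) { $need }
    }
}

# Constructed sample: SBC 1000 default media range, SBC public IP 198.51.100.20.
$required = Get-RequiredMediaBypassRule -SbcPublicIp '198.51.100.20' -SbcMediaPorts '17586-21186'

# Constructed firewall export: the SBC -> client return range was forgotten and
# the client -> SBC media range was opened too narrowly.
$configured = $required | Where-Object { $_.Ports -ne '50000-50019' } | ForEach-Object {
    if ($_.Source -eq 'Clients') { New-Rule $_.Source $_.Destination 'UDP' '17586-18000' $_.Purpose }
    else { $_ }
}

# Lists the two Media-bypass rules that the export does not cover.
Get-MissingRule -Required $required -Configured $configured | Format-Table -AutoSize
```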

Port from Internal Clients (Internal Network) to Microsoft Servers

According to the “Connectivity to Microsoft 365 or Office 365” section of the following link:

https://learn.microsoft.com/en-us/microsoftteams/microsoft-teams-online-call-flows

You need to open connectivity to TCP ports 80 and 443, and UDP ports 3478 through 3481.

In general, you need to open all the communications mentioned in the link:

https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams

Media Ports from Internal Clients (Internal Network) to Microsoft Servers

Under the section “Skype for Business Online and Microsoft Teams” in the link:

https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams

You will find the UDP ports from 3478 to 3481. These ports are the Media Traffic to Microsoft Servers

Again, you need to open all the communications mentioned in the link:

https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams

Final Note:

You need to check the article and links before you start your implementation. Microsoft keeps changing the required ports and IP addresses needed for Teams communication.

Teams Walkie Talkie

With the Teams Walkie Talkie feature, you can turn your mobile phone into a Walkie Talkie. You speak directly to the mobile device and others can hear you. Below are more details.

How to enable it

To use Teams Walkie Talkie, you need to have a Teams Setup Policy that includes Walkie Talkie as an app. Then you need to assign this policy to the users. This will be explained in more detail in this article.

How to use it

In a traditional phone call, you choose whom you want to call and dial that person. They can accept the call or reject it. But for Teams Walkie Talkie, you first need to be on a channel (by joining it). When you want to talk, you press a button and keep talking while the button is pressed, and everyone on the same channel is going to hear you. This is like a real Walkie Talkie.

It requires a Teams client running on a mobile phone. It needs internet access, of course, and it will work even if the phone is locked.

Part 1: Modifying the Global Setup Policy to Make Walkie Talkie App Available

To enable Walkie Talkie, the users should be assigned a Setup Policy that has the Walkie Talkie app enabled. You can use a custom policy and assign it to a set of users, or you can simply modify a setup policy that is already assigned to the users.

In the below steps, I am modifying the Global Setup Policy that is already assigned by default to all users:

Go to Teams Admin Center > Teams apps > Setup policies and click on the “Global (Org-wide default)” policy

Make sure that the “User pinning” option is on

Scroll down to “Pinned apps”

Click on “Add apps”

Search and add the Walkie Talkie app

Click on Add

The app will be added to the list of apps in the policy

To make the Walkie Talkie app the first tab on the Teams client, drag the name of the app

Drag it until it reaches the top of the list of the apps

Release it and it will be on the top of the list

Click on “Save” to save the policy

Part 2: Accessing Walkie Talkie and Connecting to A Channel

When you open the Teams app on the mobile, you will notice the Walkie Talkie tab at the bottom of the screen. In my configuration, I made the tab the first one by making the Walkie Talkie application the first when configuring the policy.

Accessing Walkie Talkie Tab

The following image shows the Tab the option to view the tab

After clicking on Walkie Talkie Tab, you will be taken to Walkie Talkie tab

Selecting a Channel

When you are connected to the channel, you will be able to hear the messages that are broadcasted to this channel, and you will be allowed to broadcast voice messages to that channel

On the Walkie Talkie tab, click on “Channel” to select the Team and the Channel in that Team that you want your Walkie Talkie to connect to

In my case, I am selecting the General Channel of Team1 as the image below shows

The Walkie Talkie tab/page will show you the selected channel

Connecting to A Channel

Click on the connect button to get connected to the selected channel.

The following shows the app is connecting to that specific channel

Viewing The Other Connected Users to Your Channel

The following image shows that there are two users connected to Walkie Talkie on the same channel

Click on  to view the connected users to that channel

The following image shows the connected users

Part 3: Sending a Voice Message

When you click on the microphone button in the middle of the Walkie Talkie tab, you will be “live”, and you can send a voice message to all the users connected to the channel you are connected to. When you are live, you will see the word “Live”. You need to keep pressing the microphone button for as long as you are sending the voice message.

Set-CsUser : This cmdlet has been deprecated. Use the new Set-CsPhoneNumberAssignment

The Old Cmdlet Set-CsUser

Usually, we enable a user for Teams Direct Routing using the cmdlet:

Set-CsUser -Identity user1@example.com -OnPremLineURI "tel:+xxxxxxxxxxxx;ext=xxxx" -EnterpriseVoiceEnabled $true -HostedVoiceMail $true

The Error When Using the Old Cmdlet

But right now, if you use this command, you will get the error message

WARNING: OnPremLineURI will be deprecated. Please use LineURI to update user’s phone number.

Set-CsUser : This cmdlet has been deprecated. Use the new Set-CsPhoneNumberAssignment and

Remove-CsPhoneNumberAssignment cmdlets instead. Refer documentation for more details.

At line:1 char:1

+ Set-CsUser -Identity user1@example.com -OnPremLin …

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidOperation: ({ UserId = Team…onaryOfString }:<>f__AnonymousType104`2) [Set-CsUse

r], Exception

+ FullyQualifiedErrorId : InternalServerError,Microsoft.Teams.ConfigApi.Cmdlets.SetCsUser

As shown in the following image

The New Command Set-CsPhoneNumberAssignment

You cannot use the command Set-CsUser to assign a phone number to a user. Instead, you need to use the command Set-CsPhoneNumberAssignment as follows:

Set-CsPhoneNumberAssignment -Identity user1@example.com -PhoneNumber "+xxxxxxxxxxxx;ext=xxxx" -PhoneNumberType DirectRouting

The Newly Needed Parameter

You must use the last parameter -PhoneNumberType DirectRouting since you are using Direct Routing. Otherwise, the Set-CsPhoneNumberAssignment cmdlet will fail.

The Old Parameters

When we were using the old command Set-CsUser, we used to use the following two parameters:

-EnterpriseVoiceEnabled $true

-HostedVoiceMail $true

Enterprise Voice Enabled

Regarding the “Enterprise Voice Enabled” flag, it will be set to true automatically when you set -PhoneNumber to the phone number of the user

But right now, with Set-CsPhoneNumberAssignment, there is no need to use these two parameters (provided that you are using -PhoneNumberType DirectRouting)

Hosted Voice Mail

Regarding Hosted Voice Mail flag, according to the documentation of Set-CsPhoneNumberAssignment, setting HostedVoiceMail for Microsoft Teams users is no longer necessary.

Enabling End-to-end encryption (E2EE)

Microsoft Teams calls are secured and encrypted by default. With End-to-end encryption (E2EE), the media of the call (voice/video) is encrypted by the client before it is sent to the other client. This gives extra security and, theoretically, even Microsoft cannot decrypt this media traffic.

Both parties of the call must enable E2EE on their Teams client. But before they can do that, an E2EE policy must be assigned to them to allow them to enable encryption.

E2EE is based on a 20-digit security code for each call that is agreed upon between the two clients, and you can view this code during a call as explained below

To have E2EE for the users, you need to do the following

  • Enable E2EE on Global Policy or create a custom policy and assign it to users
  • The users themselves enable E2EE on their Teams client

To enable End-to-end encryption (E2EE) using the admin center using the Global Policy

Usually, the Global Policy is assigned to all users by default. So, when enabling E2EE using the global Policy, it will be enabled for all users

On Teams admin center, on the left pane, click on “Enhanced encryption policies”

Select “Global (Org-wide default)” policy and click on Edit

This will show you the details of the Global policy

Under End-to-end encryption, select “Users can turn it on”

Click on “Save”

Creating A Custom E2EE Policy Using Admin Center

Just like any other policy, you can make your custom policy and assign it to a specific set of users

Assigning A E2EE Policy to A User Using Admin Center

Click on Policies

Next to Assigned policies, click on Edit

This will show you the list of the policies that are assigned to the user

Scroll down to “Enhanced encryption policy” and then select the newly created policy

The following image is showing the newly created policy is selected

Click on the “Apply” button

Creating A Custom E2EE Policy Using PowerShell

Updating Teams PowerShell Module

I tried to create the cmdlet New-CsTeamsEnhancedEncryptionPolicy for creating a new policy using PowerShell, but the Teams PowerShell Module installed on my PC was old. I had to update my Teams PowerShell Module.

To update the Teams PowerShell Module, first I started Windows PowerShell as an Administrator

I ran the cmdlet Update-Module MicrosoftTeams

Then, I tried the command Get-CsTeamsEnhancedEncryptionPolicy to verify that the new module supports Enhanced Encryption Policy

Creating The Policy

I have used the following cmdlet to create the custom policy

New-CsTeamsEnhancedEncryptionPolicy -Identity CustomeE2EEPolicy -CallingEndtoEndEncryptionEnabledType DisabledUserOverride

Grant-CsTeamsEnhancedEncryptionPolicy -Identity Jay1@JayTheAmazing.onmicrosoft.com -PolicyName CustomeE2EEPolicy

Assigning A E2EE Policy to A User Using PowerShell

I have used the cmdlet Grant-CsTeamsEnhancedEncryptionPolicy to assign the policy to the user as follows:

Grant-CsTeamsEnhancedEncryptionPolicy -Identity Jay1@JayTheAmazing.onmicrosoft.com -PolicyName CustomeE2EEPolicy

Configuring Teams Windows Client to Support E2EE

Click on the … on the upper right corner to show the menu and select Settings

The setting page (dialog box) will be shown

Click on “Privacy”

Scroll down

Until you reach “End-to-end encrypted calls”

Enable “End-to-end encrypted calls” and exit the page (dialog box)

Configuring Teams Mobile Client to Support E2EE

On the client app, click on the upper left corner where it mentions the initials of the name of the user

On the menu that got opened, click on “Settings”

On the “Settings” menu, select “Calling”

Under the “Calling” menu, you will see the option “End-to-end encrypted calls”

Note:

If the option “End-to-end encrypted calls” doesn’t appear in the “Calling” menu, this means that the user doesn’t have “Enhanced Encryption Policy” assigned to it. You need to assign this policy using Web Interface or PowerShell as explained above

Enable the option “Enhanced Encryption Policy” and exit all the menus

To Verify that the call is using E2EE on Teams Windows Client

The following image shows that the call is secured

In the upper left corner, you will see an armor image with a lock next to the time spent on the call. The following is a magnified image

To View The 20-Digit Security Code on Teams Windows Client

If you click on the armor image, it will show you a box saying “End-to-end encryption enabled for this call”, and it will show you the “20-digit security code” of this call. Note that this code will be the same for both parties of the call

To Verify that the call is using E2EE on Teams Mobile Client

During a call on the mobile app, you will notice the same armor image with a lock on top of it.

To View The 20-Digit Security Code on Teams Mobile Client

Click on this armor image. This will show you the box that says “End-to-end encryption enabled for this call” and it will show you the “20-digit security code” of this call. The following image shows the same security code that is shown above in the Windows client (it is the same call, so both parties will have the same code)

Teams Local Media Optimization – Verifying that Teams Client is Connected Through a Trusted IP

One of the common issues when configuring Local Media Optimization is that the Teams client is not detecting that it is inside the internal network. In this article, I am explaining how to check the logs to see if the Teams Client knows that it is internal.

The reason for the client not knowing that it is internal is that it doesn’t find its own Public IP in the list of Trusted IPs (the list is configured on the tenant). That makes it behave as if it is external and not internal (when a client starts, it will detect its Public IP and compare it to the list of Trusted IPs).

Since the client thinks that it is external and not internal, it will not try to connect to the internal interface of the Central SBC or the downstream SBC at its site for media traffic. Instead, it will try to pass the media traffic through the Public IP of the Central SBC or Proxy SBC. Finally, when that connection is not possible, it will try to connect to Microsoft Phone System (Teams servers on the cloud).

Based on my experience, even if you have configured the Trusted IP correctly on the tenant, it takes some time for that change to be reflected on the Teams client (although Microsoft documentation says that it requires 30 minutes, or that just restarting the client will make the change be reflected).

Usually, I don’t enable Local Media Optimization on the SBC device until I am sure that the clients are detecting that they are coming from a Trusted IP by checking the logs (as explained below)

Below I am explaining how to check the logs to verify that the client is detecting that it is coming from a Trusted IP.

Downloading the Logs

To download the logs of the Teams Client, press the keys Ctrl + Alt + Shift + 1 together while the Teams client is in focus

On the right side of the screen, you will see some messages that indicate that the downloading started

Opening the log file

To access the log files, open the “Downloads” folder on the computer

Inside it, you will see a folder whose name starts with MSTeams Diagnostics Log [Date]__[Time]_

Inside it, you will find a folder named “web”. Open the “web” folder

You will find some log files. Open the file whose name ends with the word “calling”; the file name will be in the format MSTeams Diagnostics Log [Date]__[Time]_calling.txt

Checking The Contents of The Log File

This is how the file would appear

The log file shows Public IP detected doesn’t match any Trusted IP

The following is the log file section that shows that the client’s public IP is detected and it also shows that this IP doesn’t match any of the IPs of the trusted IP list (“reason”: “NotMatched”)

The log file shows that Public IP is matching a Trusted IP

The log file is showing public IP is matching the Trusted IP (“reason”: “Matched“) and it also shows the detected Network Site. With this, we are sure that the client detected that it is internal, and it is ready to utilize your Local Media Optimization settings
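
The same check done from PowerShell instead of reading the file by eye, as an added example that is not part of the original article. The function name is hypothetical and the sample log lines are constructed; only the folder and file naming and the “reason” values come from the text above.

```powershell
# Added example, not from the original article. Function name is hypothetical;
# the folder/file naming and the "reason" values are the ones described above.

function Get-TrustedIpMatch {
    param([Parameter(Mandatory)][string]$DownloadsPath)

    # Newest "MSTeams Diagnostics Log ..." folder, then web\*calling.txt inside it.
    $folder = Get-ChildItem -LiteralPath $DownloadsPath -Directory -Filter 'MSTeams Diagnostics Log*' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $folder) { throw "No 'MSTeams Diagnostics Log' folder under $DownloadsPath" }

    $web = Join-Path $folder.FullName 'web'
    $log = Get-ChildItem -LiteralPath $web -File -Filter '*calling.txt' | Select-Object -First 1
    if (-not $log) { throw "No *calling.txt file under $web" }

    # Only the "reason" token is relied on; the rest of the line is kept as context.
    $hits = Select-String -LiteralPath $log.FullName -Pattern '"reason"\s*:\s*"(NotMatched|Matched)"'
    foreach ($h in $hits) {
        [pscustomobject]@{
            LineNumber = $h.LineNumber
            Reason     = $h.Matches[0].Groups[1].Value
            Text       = $h.Line.Trim()
        }
    }
}

# Constructed sample log so the function can be tried offline. The line layout
# and field names are made up; only the "reason" values come from the article.
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'lmo-log-demo'
$web  = Join-Path (Join-Path $root 'MSTeams Diagnostics Log 01_01_2024__10_00_00_') 'web'
New-Item -ItemType Directory -Path $web -Force | Out-Null
@(
    'constructed line 1 { "publicIp": "203.0.113.10", "reason": "NotMatched" }'
    'constructed line 2 { "publicIp": "203.0.113.10", "reason": "Matched", "site": "City1" }'
) | Set-Content -LiteralPath (Join-Path $web 'MSTeams Diagnostics Log 01_01_2024__10_00_00_calling.txt')

$results = @(Get-TrustedIpMatch -DownloadsPath $root)
$results | Format-Table -AutoSize

# The last entry in the file is the most recent detection result.
if ($results.Count -gt 0 -and $results[-1].Reason -eq 'Matched') {
    'Client detects a Trusted IP.'
} else {
    'Client does not detect a Trusted IP: recheck the Trusted IP list on the tenant.'
}
```

Point -DownloadsPath at the real “Downloads” folder after pressing Ctrl + Alt + Shift + 1 to run it against an actual client log.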

Direct Routing Local Media Optimization for Single-Site and Single SBC

In this article, I am showing how to configure Local Media Optimization for Single Site with Single SBC which is good for:

  • Simply keeping the media traffic inside the internal network
  • To avoid sending the media traffic between the internal network and the public IP address (usual configuration of Media Bypass)
  • Avoid the complex configuration of the firewall

Most of the documents available right now are explaining how to configure Local Media Optimization for multiple sites and it might be hard to figure out how to just simply configure LMO for a single site

Creating a Trusted IP

The trusted IP is the Public IP that your internal clients are using to access the internet. It is the IP that is configured on the NAT setting on your firewall. You might find this IP by searching “what is my IP” on the web browser of your client. But it is better to get the help of the network team or security team. After all, they are the ones who have configured the firewall.

When the Teams client starts up, it will contact Teams servers. If the client is connecting to these servers using a Trusted IP, the client will be considered internal, and it will try to determine which site it belongs to. During PSTN calls, the media traffic will travel between the client and the internal IP (Signaling/Media Private IP) of the SBC (PSTN Gateway).

If the client connects to Teams servers using a Public IP that is not in the list of Trusted IPs, it will consider itself an external client. In that case, the media traffic (the voice) will be between the Public IP of the SBC (PSTN Gateway) and the client.

Notes:

  • When the client is accessing the internet from an IP that is not in the list of Public IPs, after it considers itself as external (as explained above), it will try to access the public IP of the SBC (PSTN Gateway). The thing to watch for is that it is not possible in most cases because the firewall will not allow such traffic.

(From what I have seen, if the firewall is not allowing such traffic, the call will ring normally, but the moment the call is answered, the call might not get established or there is a delay in establishing the call)

  • The clients might be using different Public IPs to access the internet. In that case, you need to add all these IPs as Trusted IPs

The following command shows how to add one Trusted IP:

New-CsTenantTrustedIPAddress -IPAddress x.x.x.x -MaskBits 32 -Description "City1 Public IP"

(In the example above, I am putting the IP as x.x.x.x as an example. Replace it with your trusted public IP)

Creating a Region

A region is defined in Microsoft documentation as “A network region contains a collection of network sites. It interconnects various parts of a network across multiple geographic areas”. You can define your region as a country, part of a country, or any sort of geographical area. Sites always need to belong to a region.

The following command shows how to define a region:

New-CsTenantNetworkRegion -NetworkRegionID "Country1"

Creating a Site and Associating It with a Region

When the Teams client designates itself as internal (after the client starts up), it will try to determine which site it belongs to (it checks whether it belongs to the subnets of that site).

And based on the Bypass mode settings of the SBC (PSTN Gateway) (the settings of the SBC that are defined on the Tenant), the client will send the media traffic internally or to Teams servers (explained below in the section “Creating Subnets and Associating them with a Site”).

The following command shows how to define a new site and which region it belongs to:

New-CsTenantNetworkSite -NetworkSiteID "City1" -NetworkRegionID "Country1"

Creating Subnets and Associating them with a Site

An internal Teams client will know which site it belongs to based on its subnet.

The following command shows how to define a subnet and which site this subnet is associated with:

New-CsTenantNetworkSubnet -SubnetID 10.1.1.0 -MaskBits 24 -NetworkSiteID "City1"

Associating the SBC (PSTN Gateway) with a Site

The following command shows an example of how to set the SBC (PSTN Gateway) Local Media Optimization settings and associate it with a site

Set-CsOnlinePSTNGateway -Identity sbc1.example.com -GatewaySiteId "City1" -MediaBypass $true -BypassMode "Always" -ProxySbc $null

Bypass Mode Parameter

When Bypass Mode is set to Always, the internal client will always try to establish media traffic with the internal IP of the SBC (PSTN Gateway), even if it is not at the same site as the SBC (PSTN Gateway)

If Bypass Mode is set to OnlyForLocalUsers, the internal client will establish media traffic with the internal IP of the SBC (PSTN Gateway) only if the internal client is at the same site as the SBC (PSTN Gateway). If the client is not in the same site as the SBC (PSTN Gateway), the Media Traffic will be with Teams Servers.

ProxySbc Mode Parameter

ProxySbc is set to $null because we are using Single Site and Single SBC. $null means that this SBC is not a “downstream SBC”.
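
A small model of the decision described in the sections above (Trusted IP, then subnet and site, then Bypass Mode), as an added example that is not part of the original article and that goes slightly beyond the single case shown by also covering OnlyForLocalUsers. The function names are hypothetical, the data is constructed and uses documentation IP addresses, and the objects only mirror the parameters of the commands above.

```powershell
# Added example, not from the original article. It models the client behaviour
# described above; function names are hypothetical and the data is constructed.

function ConvertTo-IPv4Number([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> little-endian
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet([string]$Ip, [string]$Network, [int]$MaskBits) {
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $MaskBits))
    ((ConvertTo-IPv4Number $Ip) -band $mask) -eq ((ConvertTo-IPv4Number $Network) -band $mask)
}

function Get-ExpectedMediaPath {
    param(
        [string]$ClientPublicIp,
        [string]$ClientInternalIp,
        [object[]]$TrustedIps,     # IPAddress, MaskBits (as in New-CsTenantTrustedIPAddress)
        [object[]]$Subnets,        # SubnetID, MaskBits, NetworkSiteID (as in New-CsTenantNetworkSubnet)
        [string]$GatewaySiteId,    # as in Set-CsOnlinePSTNGateway -GatewaySiteId
        [string]$BypassMode        # Always or OnlyForLocalUsers
    )
    # Step 1: is the public IP the client comes from in the Trusted IP list?
    $trusted = $TrustedIps | Where-Object { Test-InSubnet $ClientPublicIp $_.IPAddress $_.MaskBits }
    if (-not $trusted) {
        return 'External client: media to the SBC public IP (Teams servers if that is blocked)'
    }
    # Step 2: which site does the client subnet belong to (may be none)?
    $site = ($Subnets | Where-Object { Test-InSubnet $ClientInternalIp $_.SubnetID $_.MaskBits } |
        Select-Object -First 1).NetworkSiteID
    # Step 3: Bypass Mode decides whether the site has to match the SBC site.
    if ($BypassMode -eq 'Always' -or $site -eq $GatewaySiteId) {
        return "Internal client (site '$site'): media to the SBC internal IP"
    }
    "Internal client (site '$site'): media through Teams servers"
}

# Constructed tenant data: 203.0.113.10 stands in for the x.x.x.x Trusted IP.
$trustedIps = @([pscustomobject]@{ IPAddress = '203.0.113.10'; MaskBits = 32 })
$subnets    = @([pscustomobject]@{ SubnetID = '10.1.1.0'; MaskBits = 24; NetworkSiteID = 'City1' })

$cases = @(
    @{ Pub = '203.0.113.10'; Int = '10.1.1.25'; Mode = 'Always' }             # internal, same site
    @{ Pub = '203.0.113.10'; Int = '10.2.2.25'; Mode = 'OnlyForLocalUsers' }  # internal, unknown subnet
    @{ Pub = '198.51.100.7'; Int = '10.1.1.25'; Mode = 'Always' }             # egress IP not trusted
)
foreach ($c in $cases) {
    $p = @{
        ClientPublicIp = $c.Pub; ClientInternalIp = $c.Int; BypassMode = $c.Mode
        TrustedIps = $trustedIps; Subnets = $subnets; GatewaySiteId = 'City1'
    }
    Get-ExpectedMediaPath @p
}
```

The third case is the common misconfiguration: the client sits on a known subnet but leaves through a public IP that was never added as a Trusted IP, so it behaves as external.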

Ribbon SBC Edge (SBC 1000 / SBC 2000 / SBC SWe Lite) Settings

Single Site – Single SBC:

If you want to only configure your SBC as a standalone SBC (Single Site – Single SBC), you don’t need to worry about the option of LMO while running the wizard.  You simply need to complete the Easy Config Wizard with the Teams Direct Routing option (without selecting Local Media Optimization options when running the “Easy Config Wizard”). After that, you add the configuration for Local Media Optimization as I am showing below.

I Usually Complete Implementing Teams Direct Routing First

What I usually do during my implementations is that I complete configuring, testing, and troubleshooting of Teams Direct Routing without Local Media Optimization (Usually, I face issues, especially with firewall settings). After verifying that Direct Routing is working fine, I add the settings related to Local Media Optimization

Network Interfaces Needed

You need to have two network interfaces:

  • One network interface for “Signaling/Media Private IP”
  • Additional network interface for “Private Media Source IP”

Usually, you already have a network interface for “Signaling/Media Private IP” that is enabled for the command Teams Direct Routing. You need to enable an additional network interface “Private Media Source IP”.

Steps To Add “Local Media Optimization” To an Existing Setup

The following is how to modify an existing Teams Direct Routing configuration to make it work with Local Media Optimization with one SBC (not a Proxy SBC nor a “Teams Downstream SBC”)

On the Settings tab, expand Signaling Groups

Expand the “Teams Direct Routing” Signaling Group (this is the usual name that is created by Easy Config Wizard)

Scroll down until you reach the “SIP IP Details” section


Under “Teams Local Media Optimization”, select “Enable”

Under “Signaling/Media Private IP”, make sure that the network interface that is facing the internet is selected (used to get connected to the internet, the same subnet as the Default Gateway and has the Public IP mapped to it)

Under “Private Media Source IP”, make sure that the network interface that is facing the internal network is selected (you need to remember to add a route to the internal network that goes through the gateway of the subnet of this IP)

Scroll down and click on Apply

This is how the “SIP IP Details” section of the Signaling Group would appear after completing the configuration

Configuring Direct Routing to Support Calling/Dialing Internal Extension (For Example Calling 4 Digits or 3 Digits Extension)

With Teams Direct Routing and Microsoft UC in general, there is no 4-digit or 3-digit extension by default. However, organizations are usually used to having a 3- or 4-digit extension assigned to each user, especially the ones that migrated from another telephony system to Teams Direct Routing.

In this article, I will show how to support these short extensions with Teams Direct Routing. This is achieved by adding a Normalization Rule to the Dial Plan that is used by the user. This rule transforms the 3 or 4 digits the user dials into the full E.164 format that matches the usual format of the LineURI for the user.

This will work because the 3 or 4 digits extension number is usually the last part of the DID number.

Creating a New Dial Plan

In case you don’t have a dial plan ready to have the normalization rule, you need to create a new dial plan as follows:

New-CsTenantDialPlan -Identity JaysLab -Description "Dial Plan for Jay's Lab" -SimpleName "JaysLab"

Creating a New Voice Normalization Rule

This is the Normalization Rule that will change the 4 digits that a user dials to an E.164 format. The rule adds the leading common digits of the LineURI of the users (preceded by +). In my case, the leading digits are +1712458

$4_digits_Extension=New-CsVoiceNormalizationRule -Parent Global -Description '4 digits Extension' -Pattern '^(\d{4})$' -Translation '+1712458$1' -Name '4 digits Extension' -IsInternalExtension $false -InMemory

Adding the New Normalization Rule to the Dial Plan

The created Normalization Rule above needs to be added to the Dial Plan. This Dial Plan could be a newly created one. Or it could be an existing one that is already assigned to users. The below shows adding the Normalization Rule to the Dial Plan that was created earlier in this article

Set-CsTenantDialPlan -Identity JaysLab -NormalizationRules @{add=$4_digits_Extension}

Assigning the Dial Plan to a user

The below shows assigning the Dial Plan to a user. There is no need to do this if the Dial Plan was already assigned to the user.

Grant-CsTenantDialPlan -Identity User2@jayslab.online -PolicyName JaysLab
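
To check which dialed strings the rule above rewrites before assigning the dial plan, the pattern and translation can be run offline as a plain .NET regex replace. This is an added example, not part of the original article or of Teams; the function name Convert-DialedNumber, the first-match-wins rule order and the sample numbers are assumptions made for the illustration.

```powershell
# Added example: offline model of the normalization rule, no Teams session needed.
# Assumption: rules are tried in order and the first matching pattern wins.
function Convert-DialedNumber {
    param(
        [Parameter(Mandatory)][string]$Dialed,
        [Parameter(Mandatory)][object[]]$Rules
    )
    foreach ($rule in $Rules) {
        if ([regex]::IsMatch($Dialed, $rule.Pattern)) {
            return [regex]::Replace($Dialed, $rule.Pattern, $rule.Translation)
        }
    }
    return $Dialed   # no rule matched: the number is passed through unchanged
}

# Pattern and translation copied from the article's rule
# (single-quoted, so $1 reaches the regex engine as a capture-group reference).
$asWritten = @([pscustomobject]@{ Pattern = '^(\d{4})$'; Translation = '+1712458$1' })

# Same rule typed with double quotes: PowerShell expands $1 as a (normally empty)
# variable before the regex engine sees it, so the captured digits are lost.
$doubleQuoted = @([pscustomobject]@{ Pattern = '^(\d{4})$'; Translation = "+1712458$1" })

# Constructed sample input: a valid extension, too short, too long, already E.164.
'4557', '557', '45570', '+17124584557' | ForEach-Object {
    [pscustomobject]@{
        Dialed       = $_
        AsWritten    = Convert-DialedNumber -Dialed $_ -Rules $asWritten
        DoubleQuoted = Convert-DialedNumber -Dialed $_ -Rules $doubleQuoted
    }
} | Format-Table -AutoSize
```

Only the exact four-digit input is rewritten; the other inputs pass through unchanged. In a session where no variable named 1 is defined, the double-quoted variant returns the prefix without the extension digits, which is why the rule's translation is kept in single quotes.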

Dialing 4 Digits Number (Extension)

This is the test part. The below image shows dialing the 4 digits extension

After a few moments Teams will automatically find the user that has that full number, and you can click on it and select it

The below image shows the user is selected and ready to be called

You can even see the details of that user by hovering the mouse over the username before dialing, as the image below shows

You can click the “Call” button to call that user. The following image shows the established call with the user (it looks exactly the same as if you had called that user without dialing the 4 digits)

Alternatively, you can dial the 4 digits number and click on the “Call” button without selecting the user. This is useful if you are sure of the extension number and you want to call it directly.

If you call the user directly, the full E.164 number will be shown at the top of the call, while in the middle it will show that you are calling the user, as the image below shows

For User 1, who is the called party, the call pop-up appears as for any normal call

Part 11: Testing Outgoing and Incoming Calls

Testing Outgoing Calls

The following shows dialing a number to make an outgoing call

The following image shows Teams is calling the number

The call is established

If you check the Monitoring Tab of the SBC Web Interface while making a call, you will see something like the following image when the call is ringing

When the call is established, you will see something like the image below.

Testing Incoming call

When making incoming calls, I managed to see the notification pop up of Teams client on the Desktop of Windows

The following image shows that the incoming call is established

Part 10: Enable users for Direct Routing, voice, and voicemail

In this article, we will enable a user for the Teams Direct Routing setup that we have created in the previous steps

Connect a Microsoft Teams PowerShell session

This will ask you to authenticate with a user that has the proper permissions to enable a user and prepare the PowerShell session. You might need to install the Teams PowerShell module if you didn’t do that earlier.

Connect-MicrosoftTeams

Configure The Phone Number and Enable Enterprise Voice and Voicemail Online

The following command is an example of how to assign a number, and enable Enterprise Voice and Voice Mail. Both assigning a number and enabling Enterprise Voice are required to enable a user to use Teams Direct Routing

Set-CsUser -Identity User1@jayslab.online -OnPremLineURI "tel:+17124584557;ext=557" -EnterpriseVoiceEnabled $true -HostedVoiceMail $true

Assign The Voice Routing Policy to a User

This command will assign the Voice Routing Policy that we have created earlier

Grant-CsOnlineVoiceRoutingPolicy -PolicyName "PassAll" -Identity User1@jayslab.online

Assign a Teams Calling Policy

Turning this on will allow users to make calls

Grant-CsTeamsCallingPolicy -PolicyName AllowCalling -Identity User1@jayslab.online

Assign Teams Only mode to users to ensure calls land in Microsoft Teams

This is needed to make sure that calls land in Microsoft Teams

Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity User1@jayslab.online

Assign a Dial Plan

Usually, you assign a dial plan to a user to translate the phone numbers dialed by the user to the E.164 format that is required by Teams Telephony. For simplicity and to complete the setup, I am assigning the existing default Dial Plan that doesn’t change any number being dialed.

Grant-CsTenantDialPlan -Identity User1@jayslab.online -PolicyName Global

Part 9: Teams Direct Routing Call Routing

In this part, we will create an Online Voice Routing Policy and the needed components. You can assign this policy to the users to allow them to make outgoing calls using the on-premise SBC.

For simplicity and to complete the setup, we are creating:

  • A “Usage”
  • An “Online Voice Route” that is associated with the new Usage and uses our SBC for all outgoing calls
  • An “Online Voice Routing Policy” that uses the Usage (this way it will use the new SBC for outgoing calls)

You can improve this configuration by creating more of these 3 voice elements (I cannot explain this part better than Microsoft documentation)

Also for simplicity, I am calling each of these components “PassAll”

Preparing the Session

Before you can use any of Teams PowerShell commands, you need to connect the PowerShell to Microsoft Teams Online using the command:

Connect-MicrosoftTeams

Creating a usage

This is how to create a new usage

Set-CsOnlinePstnUsage -Identity global -Usage @{Add="PassAll"}

Creating an Online Voice Route

The below shows how to create a new Route (Online Voice Route) and associate it with the usage “PassAll” that we have created above

New-CsOnlineVoiceRoute -Identity "PassAll" -Description "PassAll" -NumberPattern ".*" -OnlinePstnGatewayList sbc1.jayslab.online -Priority 1 -OnlinePstnUsages "PassAll"

Creating a new Online Voice Routing Policy

The below shows the creation of a new Online Voice Routing Policy that uses the “PassAll” usage that we have created earlier. This way, this Policy will use the route (Online Voice Route) that we have just created.

New-CsOnlineVoiceRoutingPolicy "PassAll" -OnlinePstnUsages "PassAll"

Now, this “Online Voice Route” is ready and can be assigned to the user(s)
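
The route created above uses -NumberPattern ".*", which matches every dialed string, so every destination is sent to the SBC. The following added example (not part of the original article) compares that pattern offline with a narrower one; the route name NANP-Only, its pattern, the function name Get-RouteCoverage and the sample numbers are assumptions made for the illustration.

```powershell
# Added example: runs offline on objects shaped like voice routes, no Teams session.
$routes = @(
    # Pattern taken from the article's route.
    [pscustomobject]@{ Identity = 'PassAll'; NumberPattern = '.*' }
    # Hypothetical narrower route (assumption): +1 followed by exactly 10 digits.
    [pscustomobject]@{ Identity = 'NANP-Only'; NumberPattern = '^\+1\d{10}$' }
)

# Constructed sample numbers; only the first one appears in the article.
$samples = '+17124584557', '+442079460000', '+19005550100', '4557', 'not-a-number'

function Get-RouteCoverage {
    param(
        [Parameter(Mandatory)][object[]]$Routes,
        [Parameter(Mandatory)][string[]]$Numbers
    )
    foreach ($route in $Routes) {
        # Collect every sample that this route's pattern would accept.
        $matched = @($Numbers | Where-Object { [regex]::IsMatch($_, $route.NumberPattern) })
        [pscustomobject]@{
            Route        = $route.Identity
            Pattern      = $route.NumberPattern
            Matched      = $matched -join ', '
            # A pattern that accepts a non-numeric probe does not restrict destinations.
            Unrestricted = [regex]::IsMatch('not-a-number', $route.NumberPattern)
        }
    }
}

Get-RouteCoverage -Routes $routes -Numbers $samples | Format-List
```

With a real tenant, the same function can be fed the Identity and NumberPattern properties returned by Get-CsOnlineVoiceRoute. The narrower pattern still accepts the +1900 sample, because it scopes routes by number shape only.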

Viewing The Newly Created Components on Teams Admin Center

Teams admin center > Voice Routing Policies

You will see the policy “PassAll” that we have created earlier. Click on the “PassAll” policy to open it

The details of the policy will be shown. Under “PSTN usage records”, you will see the usage named “PassAll” is listed

Viewing Voice Routes

Teams Admin Center > Voice > Direct Routing

Click on “PassAll” to view its properties

Under “SBCs enrolled”, which shows the list of SBCs that this route uses, you will see our SBC listed

Scroll Down to view the list of “PSTN usage records”

Click on Cancel to get out of the details of the Voice Route