Teams

Part 7: Installing Certificates on the SBC

Accessing Certificates page

On the Web Interface of the SBC, go to the “Tasks” tab

On the “Tasks” tab, expand “SBC Easy Setup”

Click on “Certificates”

This will take you to the “Certificates” page where you can manage the certificates of the SBC

Importing Root CA, Issuing CA, and Baltimore CA

On the Trusted CAs tab (which is the first tab on this page)

Click on the import button

The “Import Trusted CA Certificate” box will be shown

On the Mode, select “File Upload” (you can use Copy and Paste mode if you want to import the certificate as a Base64 text)

Click on Choose File

Select the file of the Root Certificate and click on Open

The filename of the certificate will be shown. Click on the “OK” button

The Web Interface will show you a message that says it will trust a CA. Click on the “OK” button

The newly imported certificate will be listed under the “Trusted CAs” list

Do the same thing to import the issuing CA (both the root and the issuing CAs are in the same table and managed in the same way). The only difference is that you need to import the root CA first, then the issuing CA

Use the same steps to import the “Baltimore” CA certificate (which is required to communicate with Teams Direct Routing servers on Microsoft 365)

The below image shows the root, the issuing CA and “Baltimore” certificates under “Trusted CAs”

Importing SBC Primary Certificate with Its Private Key

Because I have a certificate with its private key with me (already requested and generated on some other system), I am using the option to import it. It usually has the *.pfx file extension

(If you don’t have a certificate, you can generate it using the “Generate CSR” tab)

To import the certificate with its private key, go to the “SBC Primary Certificate” tab

Click on “Import” and select “PKCS12 Certificate and Key” (to import the *.pfx file)

The “Import PKCS12 Server Certificate” will be shown

Click on “Choose File”

Select the file that contains the certificate with its private key and click on Open

Type the “Password” that is used to protect the content of the *.pfx file and then click on the “OK” button

A message will be shown to inform you that you are going to import the certificate. Click on the “OK” button

The certificate will be imported, and its details will be shown

Part 6: Changing the Host Name and Domain Name of SBC

You need to select the correct “host name” and “domain name” that you will be using in your DNS A record (they will also be used in the name of the certificate of the SBC). Remember that the domain name part should be a domain that is added to the Microsoft 365 tenant.

If you want to change the host name of the SBC, it is better to do that before running the “Easy Config Wizard”. That is because the wizard will create some components that use that name in their config.

For me, I have selected a temporary “host name” and “domain name” during the creation of the SBC earlier. So, I must change them before running the wizard.

Below are the steps to change the “host name” and “domain name”

On the “Settings” tab of the Web Interface of the SBC, go to System > Node-Level Settings

Under “Host Information”, you will see the current “Host Name” and “Domain Name” of the SBC

Change the “Host Name” and “Domain Name”

Click on the “Apply” button

Note:

It is better to restart the SBC after changing the “host name” and/or “domain name”

Part 5: Connecting the SBC SWe Lite to Teams Direct Routing

After completing the previous two steps:

  • Add the domain that will contain the SBC to Microsoft 365 (for example, add the domain example.com if your SBC name will be SBC1.example.com)
  • Enable a user in that domain

You can now successfully connect the SBC to Teams Direct Routing

Connecting the SBC using Admin Center

Open “Microsoft Teams admin center”

On the menu on the left side of the portal, expand “Voice”

On the “Voice” menu, select “Direct Routing”

This will take you to the “Direct Routing” settings page

Click on “SBCs”

Click on the “Add” button

This will take you to the “Direct Routing \ Add SBC” page, where you can define a new SBC with its settings

Type the name of your SBC

Under the SIP signaling port, the port number there is “5067”

I am changing the port to 5061, which is the default port number that is usually created by the “Easy Setup” wizard of Ribbon SBC when you select the Direct Routing option

Under “Concurrent call capacity”, specify the number of channels you will select in the “Easy Setup” wizard.

This number usually equals the maximum number of SIP sessions to your SIP provider.

Don’t forget to turn on the “Enabled” button

Click on the “Save” button at the end of the page

If you haven’t added the domain to Microsoft 365 and enabled a user under that domain, you will get a message similar to the one below

We can’t use the “sbc.domain.com” domain as it hasn’t been set up in the organization. Please try again. If you continue to have problems, contact Microsoft customer support.

As the image below shows

However, if everything is correct, you will get the message “Item was created” as the image below shows

The name of the newly registered SBC will be under the list of SBCs

Note:

The SBC would be shown to have errors because it is not yet configured to work with Direct Routing or the DNS record of type A that should point to its IP has not yet been created

Registering the SBC using PowerShell

Alternatively, you can register the SBC using the New-CsOnlinePSTNGateway PowerShell command, as the example below shows

New-CsOnlinePSTNGateway -Identity sbc1.jayslab.online -Enabled $true -SIPSignalingPort 5061 -MaxConcurrentSessions 4


Part 4: Adding A User Account to The Domain That Will Be Used for the SBC

After you have registered a domain name, you need to add at least one user with a Phone System license (in my case I am using an E5 license, which includes Phone System). The FQDN portion of that user's SIP address must match the created base domain. This is needed to complete the registration of the SBC.

On Microsoft 365 admin center, expand Users > Active users

Click on Add a user

The “Add a user” wizard will be started

Fill in the details of that user, the most important part is that under “Domain” you make sure that you have selected the domain which will be used for registering the SBC

I cleared “Automatically create a password”; this allows me to enter the password myself (that is just my personal preference)

I typed the password

I cleared “Require this user to change their password when they first sign in” (that is also my personal preference).

I typed the password and clicked on Next

The user needs to have a Phone System license. In my trial tenant, I have “Office 365 E5”, so I am assigning this type of license to this user

Click on Next

This will take you to the “Review and finish” page, where you can check the settings that you have selected

Click on “Finish adding”

The wizard will work on adding the user

The wizard will confirm that the user is added

Click on Close

Now you will be able to see the user in the list of “Active users”. You might need to search for the user if you have a large number of users

Part 3: Adding a Domain to Microsoft 365

To connect the SBC SWe Lite to Teams Direct Routing, the following needs to be done:

  • Add the domain that will contain the SBC to Microsoft 365 (for example, add the domain example.com if your SBC name will be SBC1.example.com)
  • Enable a user in that domain (for example enable the user user1@example.com)
  • Finally, you can connect the SBC to Direct Routing: select a name for the SBC (with the domain part as one of the registered domains on Microsoft 365) and register that name of the SBC (for example, register the SBC with the name SBC1.example.com)

In this part of the series, we will do the first of the above steps: we will add the domain to Microsoft 365

Adding the domain

On the “Microsoft 365 Admin Center” main page, expand “Settings”

The “Settings” menu will be expanded. Select “Domain”

This will open Domains’ settings. Click on “Add domain”

The “Add Domain” wizard will be started. Type the name of your domain

Click on “Use this domain” button

This wizard has the capability to detect some well-known DNS registrars and it can automatically do the configuration by adding the needed DNS records.

Note:

If your DNS registrar is not one of the DNS registrars that the wizard can detect and configure, you will need to add the DNS records manually to your domain.

For me, my DNS registrar is GoDaddy (the wizard has detected it) as the image below shows

I clicked on the “Verify” button

The wizard popped up a mini-browser window to “Confirm Access” and to get connected to GoDaddy

I clicked on the “Connect” button

The wizard will ask you if you want to let it add the needed DNS records

Click on “Continue”

On the “Add DNS records” page, it will explain to you the records needed

For me, I had to scroll down to view all the needed records

I have clicked on “Advanced Options” to view all the records that the wizard is going to add

The images below show all the records

At the end of the page, click on “Add DNS records”

For me, it showed me the GoDaddy “Confirm Access” mini page again

I clicked on Connect

The wizard started “Configuring domain”

The final page indicates that “Domain setup is complete”

Click on “View all domains” to go back to the “Domains” page

Under the “Domains” page in the admin center, the newly added domain is shown

Viewing The Details of the Added Domain

On the Domains page, click on the domain to view its details

Click on DNS records

This will show the DNS records. The images below show the DNS records of my domain

Viewing DNS records on DNS domain provider

The images below show what the Add domain wizard has added to my DNS on GoDaddy

Part 2: Checking the resulting VM and Accessing the Web Interface of the SBC

On the Azure Admin Portal, access the network settings of the resulting VM by going to Virtual machine Name > Networking

When you check the networking of the resulting VM, you will see the two network interfaces of the VM

One is dedicated to the management of the SBC, and the other is for Signaling and Media traffic

Signaling Network Interface

Below is an image that shows the details of the Signaling network interface (the first interface)

Notice that the Inbound port rules include only the ports of HTTP and HTTPS (also ports to be used by Azure)

Signaling and Media Interface

Click on the interface of Signaling and Media traffic to view its details

The image below shows the details of the Signaling and Media interface

Below, I am copying the public IP address for this interface so that I can use it to access the web interface of the SBC

About Accessing the Web Interface

Ideally, to manage the SBC, you will be connected to the SBC VM Web Interface through the IP address of the management interface.

Probably you will connect a machine to the management subnet. Or you will connect the management interface to your usual Azure management network

Note:

Although both interfaces have a public IP assigned to them, only the public IP address of the second interface (Signaling and Media Interface) is accessible over the internet. That is because only the second interface (Signaling and Media Interface) is routed to the internet.

To simplify our configuration, I will keep the HTTPS port on the second interface (Signaling and Media Interface) open and I will access the SBC Web Interface through its public IP

Accessing the Web Interface of SBC

In the browser of your computer, access the public IP of the Signaling and Media Interface

Once you pass the certificate warning, you will get the web interface as shown below

(The public certificate is not yet installed)

Logging On to The Web Interface

Click on the “Enter” button

You will access the login page

Type the User Name and Password you specified while creating the VM (we specified them on the “SBC SWe Lite settings” tab)

If the credentials are correct, you will be asked to set a different password and to confirm it

Click on the “Apply” button

It will show you a message indicating that the password got changed

It will take you back to the login page

Type the User Name and the new Password and Login

Below is the Web Interface after logging on

Part 1: Creating a Ribbon SBC SWe Lite VM using Quick Launch Template from Azure Marketplace

In this article, I am showing how to create a Ribbon SBC SWe Lite VM on the Azure cloud and make it ready to be integrated with Teams Direct Routing

I am selecting the “Quick Launch” Template of Ribbon SBC SWe Lite from the marketplace

Such setup can be used for production or just simply to learn, test, and practice configuring a Teams Direct Routing with SBC

It might not be feasible to purchase a hardware SBC and to have public IP setup with correct firewall settings just for learning or practicing.

With Azure, you can have it configured with minimum cost and you can even use the Azure pay as you go option or even use the Azure trial to reduce the cost.

The installation will continue to work fully until the trial is finished (I think the trial ends within 1 month).

You can contact a Ribbon distributor to purchase permanent licenses if you would like to keep using your setup.

Below are the steps to do the deployment.

Selecting the VM from Azure Market Place

Access your Azure Admin Portal

Click on the search bar

In the search bar, search for Ribbon SBC SWe Lite. For example, type “sbc swe”

You will have two types of VM templates available in the Marketplace:

  • SBC SWe Lite
  • SBC SWe Lite Quick Launch

We will use “SBC SWe Lite Quick Launch” Template because it is designed to deploy SWe SBC Lite with the recommended configuration and is suitable for Teams Direct Routing (things like 2 Network Interfaces with the correct range of ports opened)

This will start wizard-like steps to collect the information needed to build the VM

Creating The VM And Selecting the Options

Click on the “Create” button

This will take you to the Basics tab

Basics Tab

The subscription will be automatically selected

If you select an existing Resource Group with resources inside it, it will give you an error

It requires its own Resource Group

For my case, I am creating a new Resource Group to be used for the SBC and named it SBCResourceGroup

Under Region, select the region where you want the VM to be created

Type the name to be used as a Virtual Machine name inside Azure

Specify the Required # of simultaneous calls (to tell you the truth, I couldn’t find the purpose of this parameter till this moment)

Virtual Machine Settings Tab

On Virtual Machine Settings, I kept the default settings

Networking Settings Tab

I kept the default settings (where it will create a new virtual network with two subnets)

Each of the two subnets is going to be connected to a network interface of the VM

  • Management subnet (connected to Management interface)
  • Signaling & Media subnet (connected to Signaling & Media interface)

(This way, the VM will be automatically created with the recommended configuration by Ribbon)

Note:

You can select your own existing virtual network and select the subnets to be used

SBC SWe Lite Settings Tab

On the SBC SWe Lite Settings tab, specify the username and the password for the VM

The username cannot be a reserved word such as admin

Follow the correct password policy

On the SBC SWe Lite Settings tab, I have typed a temporary hostname and a temporary domain name for the VM. I am planning to change these settings later inside the configuration of the SBC after the deployment is completed.

Review + create Tab

On the last tab, “Review + create”, it will validate your settings and show you “Validation Passed” if everything is acceptable to create the VM

It will also show you the summary of the settings that you

I had to scroll down to check all the settings

If all the settings are acceptable, click on the “Create” button. This will start the deployment of the VM.

Microsoft Teams Direct Routing – sip-all FQDNs will not be supported starting June 1st, 2022

sip-all.pstnhub.microsoft.com FQDNs will not be valid anymore

Microsoft has sent a message to its customers alerting that sip-all.pstnhub.microsoft.com FQDNs cannot be used anymore in SBC configuration for Teams Direct Routing (starting from the 1st of March) and it should be removed. Instead, all SBCs should be configured to communicate with the subnets (52.112.0.0/14 and 52.120.0.0/14).

This can be found clearly on the link:

Filipp Seljanko on LinkedIn: #microsoft #directrouting #microsoftteams | 12 comments

This is reflected in Microsoft documentation:

Plan Direct Routing – Microsoft Teams | Microsoft Docs

There is no mention of sip-all.pstnhub.microsoft.com anymore. It is replaced with subnets (52.112.0.0/14 and 52.120.0.0/14).

On Ribbon SBC Edge (SBC 1000, SBC 2000, and SBC SWe Lite)

On the Ribbon SBC Edge family of SBCs (SBC 1000, SBC 2000, and SBC SWe Lite), you need to change the Federated IP/FQDN as follows:

  1. Go to the Settings tab. On the left pane, expand Signaling Groups. Select the Direct Routing Signaling Group (it is named by the wizard (ScenarioName: Teams Direct Routing))

  2. This will show the details of the Signaling Group on the right pane

  3. Scroll down the details until you reach Federated IP/FQDN

  4. Select the check box next to sip-all.pstnhub.microsoft.com and click on the red X to delete this entry
  5. Click on the green + to add (IP/FQDN 52.112.0.0 with the mask 255.252.0.0) and then click on OK. With the same method add (IP/FQDN 52.120.0.0 with the mask 255.252.0.0)

  6. On the details of the Signaling Group, click on the “Apply” button

    I assume this will be reflected in the “Easy Config Wizard” in the future versions of the firmware of the SBCs.
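Microsoft publishes the ranges as /14 prefixes while the Federated IP/FQDN form in step 5 takes a dotted mask. As an added example (not from the original post, Microsoft or Ribbon), this PowerShell converts the prefix to that mask and lists the source addresses in a log that fall outside the two ranges. The function names and the log lines are constructed for illustration.

```powershell
# Added example. Function names and log lines are constructed for illustration.
function ConvertTo-UInt32 ([string] $Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-PrefixMask ([int] $Prefix) {
    # /14 -> 2^32 - 2^18 = 0xFFFC0000
    [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $Prefix))
}

function ConvertTo-DottedMask ([int] $Prefix) {
    $bytes = [BitConverter]::GetBytes([uint32](Get-PrefixMask $Prefix))
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    $bytes -join '.'
}

function Test-InCidr ([string] $Ip, [string] $Cidr) {
    $net, $prefix = $Cidr -split '/'
    $mask = Get-PrefixMask ([int]$prefix)
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Return every logged source address that is outside all of the allowed ranges.
function Get-UnexpectedSource ([string[]] $Lines, [string[]] $Allowed) {
    foreach ($line in $Lines) {
        if ($line -match 'src=(\d{1,3}(?:\.\d{1,3}){3})') {
            $src = $Matches[1]
            if (-not ($Allowed | Where-Object { Test-InCidr $src $_ })) { $src }
        }
    }
}

# Ranges taken from the post; the SBC form asks for a dotted mask instead of a prefix.
$ranges = '52.112.0.0/14', '52.120.0.0/14'
foreach ($r in $ranges) {
    '{0} -> mask {1}' -f $r, (ConvertTo-DottedMask ($r.Split('/')[1]))
}

# Constructed log lines (not real SBC output): source of inbound TLS on the signaling port.
$log = @(
    '2022-06-02T10:01:07Z sip-tls:5061 src=52.114.20.17'
    '2022-06-02T10:01:09Z sip-tls:5061 src=52.123.0.9'
    '2022-06-02T10:02:41Z sip-tls:5061 src=52.116.0.1'
    '2022-06-02T10:03:15Z sip-tls:5061 src=203.0.113.7'
)
Get-UnexpectedSource -Lines $log -Allowed $ranges
```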

Using Supplementary Certificate of SBC 1000 / SBC 2000 / SBC SWe Lite for Teams Direct Routing

With the newer firmware versions of SBC 1000 / 2000 and even SWe Lite, you can add a supplementary certificate that is different from the main certificate of the device.

This is helpful if you want to keep the main certificate intact while adding an additional certificate to be used with other services. The only thing you need to do after adding the supplementary certificate is to configure the TLS profile that is associated with the service to use that certificate.

You can have multiple supplementary certificates and use each certificate for a different service. All you need to do is to assign each certificate to the TLS profile of that service.

In my experience, this is useful mostly if you have an SBC that is configured and associated to work with Skype for Business (on-premise) and you want to configure the same device to be integrated with Teams Direct Routing.

Importing a supplementary certificate

On the SBC web interface, select the “Tasks” tab

Under “SBC Easy Setup”, select “Certificates”

Click on “SBC Supplementary Certificates” Tab

Click on “Import” > “PKCS12 Certificate and Key” to import a certificate with its private key

Click on “Choose File”

Select the file that contains the certificate

And click on Open

Supply the password for the PFX file (remember that each PFX file has a password that protects the private key; the password was set during the export of the certificate to PFX)

And click on OK

A warning about importing a new certificate will appear. Click on OK

The new certificate will appear under the list of supplementary certificates

You can expand it to show the details of the certificate
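Both PFX imports on this page (“Importing SBC Primary Certificate with Its Private Key” and “Importing a supplementary certificate”) depend on the file holding a certificate whose name matches the SBC host and domain name. As an added example (not from the original post or from Ribbon), this PowerShell inspects a PFX before upload and reports the private-key entry, its DNS names, remaining validity and any CA certificates bundled with it. `Test-SbcPfx`, the FQDNs and the password are assumptions, and the sample PFX is constructed in memory.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example. Test-SbcPfx is a hypothetical helper; FQDNs and password are placeholders.
function Test-SbcPfx {
    param(
        [Parameter(Mandatory)] [byte[]] $PfxBytes,   # e.g. [IO.File]::ReadAllBytes($fullPath)
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SbcFqdn,
        [int] $MinDaysLeft = 30
    )
    $certs = [X509Certificate2Collection]::new()
    $certs.Import($PfxBytes, $Password, [X509KeyStorageFlags]::DefaultKeySet)

    # The SBC's own certificate is the entry that carries the private key.
    $leaf = $certs | Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $leaf) { throw 'The PFX holds no certificate with a private key.' }

    # Collect the subject CN and every DNS name in subjectAltName (OID 2.5.29.17).
    # Format() prints "DNS Name=..." on Windows and "DNS:..." with OpenSSL-backed .NET.
    $names = @($leaf.GetNameInfo([X509NameType]::SimpleName, $false))
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @([regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    $names = @($names | Sort-Object -Unique)

    # Exact match, or a wildcard that covers exactly one left-most label.
    $parent = if ($SbcFqdn.Contains('.')) { $SbcFqdn.Substring($SbcFqdn.IndexOf('.')) } else { '' }
    $nameOk = [bool]($names | Where-Object { $_ -eq $SbcFqdn -or ($parent -and $_ -eq "*$parent") })

    $daysLeft = [math]::Floor(($leaf.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject         = $leaf.Subject
        Issuer          = $leaf.Issuer
        SelfSigned      = $leaf.Subject -eq $leaf.Issuer
        DnsNames        = $names
        NameMatches     = $nameOk
        NotAfter        = $leaf.NotAfter
        DaysLeft        = $daysLeft
        ValidLongEnough = ($leaf.NotBefore -le (Get-Date)) -and ($daysLeft -ge $MinDaysLeft)
        CaCertsInPfx    = @($certs | Where-Object { -not $_.HasPrivateKey } | ForEach-Object Subject)
    }
}

# Constructed sample input: a throwaway self-signed certificate exported to PFX in memory.
$key = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=sbc1.example.com', $key,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$sanBuilder = [SubjectAlternativeNameBuilder]::new()
$sanBuilder.AddDnsName('sbc1.example.com')
$req.CertificateExtensions.Add($sanBuilder.Build($false))
$now  = [DateTimeOffset]::UtcNow
$cert = $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(90))
$pfx  = $cert.Export([X509ContentType]::Pfx, 'Constructed-Pass1')

# First call uses the matching FQDN, second a name the certificate does not cover.
Test-SbcPfx -PfxBytes $pfx -Password 'Constructed-Pass1' -SbcFqdn 'sbc1.example.com'
Test-SbcPfx -PfxBytes $pfx -Password 'Constructed-Pass1' -SbcFqdn 'sbc2.example.com'
```

An empty `CaCertsInPfx` means the file carries only the server certificate, so the root and issuing CA certificates have to come from the separate “Trusted CAs” import.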

Configuring TLS profile to use the newly imported certificate.

To use the newly imported supplementary certificate, you need to configure the TLS profile of the service that should use the certificate.

In my example below, I am configuring the TLS profile that was used by Teams Direct Routing (to make my device use the new certificate for Teams Direct Routing and keep the main certificate used for other services)

Go to Settings Tab > Security > TLS Profiles > Select the TLS profile that should use the newly imported certificate

The details of the selected TLS Profile will be shown

Under TLS Parameter, select the certificate list

From the list of certificates, select the supplementary certificate to be used

The parameter named certificate will show the chosen certificate

Scroll down and click on Apply button

Filter failed to return unique result

When you try to enable a user for Teams Direct Routing and assign a LineURI to a user using a command such as the one below

Set-CsUser -Identity user@domain.com -OnPremLineURI "tel:+xxxxxxxxxxxx;ext=xxxx" -EnterpriseVoiceEnabled $true -HostedVoiceMail $true

And you get the following error:

Filter failed to return unique result

This might mean that the LineURI is already assigned to another user or Call Queue

You first need to remove the LineURI (which represents the phone number that is assigned to the user) from the other user

Removing the licensing of Office 365 is not enough. It would disable users on Teams, but the LineURI will remain unusable

To solve the issue, you simply need to run the following on the old user

Set-CSUser olduser@domain.com -OnPremLineURI $null

This will clear the LineURI, and the number will be free to be assigned to another user

Now, you can run Set-CsUser to assign the LineURI to the new user

Set-CsUser -Identity user@domain.com -OnPremLineURI "tel:+xxxxxxxxxxxx;ext=xxxx" -EnterpriseVoiceEnabled $true -HostedVoiceMail $true