This section contains the high-level configuration requirements you must administer when setting up Microsoft® Teams (Teams) in an Avaya SBC deployment. For detailed information about configuring Teams when using the Direct Routing features of Avaya SBC, see the following Teams website:
You must configure the following Avaya SBC information on the Teams system:
Public IP address – A public IP address that can be used to connect to the Avaya SBC system. Avaya SBC supports NAT.
Fully Qualified Domain Name (FQDN) – An FQDN for the Public IP address towards the Microsoft Teams side of the Avaya SBC system. The domain portion of the FQDN is one of the registered domains in your Microsoft 365 or Office 365 organization. For more information, see the following website:
Public DNS entry – A public DNS entry mapping the Avaya SBC FQDN to the public IP address.
Public trusted certificate – A certificate for the Avaya SBC to be used for all communication with Direct Routing. For more information, see the following website:
The Teams media servers use the IP addresses of the Teams connection points sip.pstnhub.microsoft.com, sip2.pstnhub.microsoft.com, and sip3.pstnhub.microsoft.com. This resolves in the following IP address:
52.114.148.0
52.114.132.46
52.114.75.24
52.114.76.76
52.114.7.24
52.114.14.70
52.114.16.74
52.114.20.29
Firewall settings
The following items must be opened in the Teams firewall settings:
The signaling address should be open for the connection point FQDNs sip.pstnhub.microsoft.com, sip2.pstnhub.microsoft.com, and sip3.pstnhub.microsoft.com.
The media port of the range that is configured on the Avaya SBC media interface that points to the Teams SIP server or media server.
The PSTN side signaling IP address and port.
The media IP address and media port range on the Avaya SBC media interface pointing to the PSTN SIP server or media server.
Microsoft Teams must use the standard format of OPTIONS. Avaya SBC sends OPTIONS with the FQDN of the Avaya SBC system. Teams adds the FQDN of the Avaya SBC system in its ACL list. Teams sends OPTIONS for which the Avaya SBC system answers back with a 200OK message.
SIP signaling using TLS
The Teams SIP signaling is set up to use TLS port 5061. For security reasons, the TLS version must be TLS 1.2.
For media server use the following range of IP addresses:
52.112.0.0/14 (IP addresses from 52.112.0.1 to 52.115.255.254)
52.120.0.0/14 (IP addresses from 52.120.0.1 to 52.123.255.254)
Use the port range: Port range from 49152 to 53247.
SIP Response Codes
When configured correctly, you should expect 18x and 200OK messages from the Avaya SBC system. The standard error codes would be 408 (Request Timeout), 480 (Temporarily Unavailable, Teams client reachability problem), 488 (Not Acceptable Here, media interworking problems), 500 (Internal Server Error), and 503 (Service Unavailable).
Elliptical Curve Cryptography (ECC) ciphers
Teams requires the use of the following ECC ciphers:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Secure Real-Time Transport Protocol (SRTP) calls
For SRTP calls, Teams must have SRTCP enabled, no Master Key Identifiers (MKI), and a default value of 231 for its lifetime.
