SIP Traffic
There will come a time when you are configuring Teams with Direct Routing, you need to configure the Session Border Controller (SBC), and someone asks which port(s) and/or port ranges are needed. This is where things get interesting as we look at the ranges that are needed. We are going to break them down into two areas: SIP Signaling and Media Traffic.
Let’s dive in; let’s look at the SIP Signaling portion:
One of the first things to understand is what the SBC connects to on the Microsoft tenant (O365) side, which it reaches via FQDN. There are three different FQDNs that you could be connecting to:
- sip.pstnhub.microsoft.com
- sip2.pstnhub.microsoft.com
- sip3.pstnhub.microsoft.com
You will not connect to all of them at the same time, but rather in order, moving to the next one only if the previous one is not available for any reason. So, think of them as Primary, Secondary and Tertiary, much as you would in Skype for Business.
- sip.pstnhub.microsoft.com (Primary)
- sip2.pstnhub.microsoft.com (Secondary)
- sip3.pstnhub.microsoft.com (Tertiary)
The above FQDNs will resolve to any of the following IP addresses:
- 52.114.148.0
- 52.114.132.46
- 52.114.75.24
- 52.114.76.76
- 52.114.7.24
- 52.114.14.70
- 52.114.16.74
- 52.114.20.29
So, what this means is that if you're restricting your SBC(s) to talk to or receive traffic from Microsoft (O365) for Direct Routing on specific IPs only, make sure you include all the above IPs, because you will be sending SIP signaling traffic to and/or receiving it from any of them.
SIP Signaling: Ports
Traffic | From | To | Source port | Destination port |
SIP/TLS | SIP Proxy | SBC | 1024 – 65535 | Defined on the SBC (For Office 365 GCC High/DoD only port 5061 must be used) 5068 |
SIP/TLS | SBC | SIP Proxy | Defined on the SBC 5068 | 5061 |
From Microsoft to the Customer SBC
Traffic | From | To | Source port | Destination port |
SIP/TLS | SIP Proxy | SBC | 1024 – 65535 | Defined on the SBC (For Office 365 GCC High/DoD only port 5061 must be used) |
What the above table is saying is the following:
SIP traffic from the SIP Proxy (Microsoft) to the Customer SBC will originate from a source port in the range 1024 – 65535. The destination port is whatever you define on your SBC. So, in this case you could specify that you will only accept traffic over port 5061. That is granular, but you could do that.
From Customer SBC to Microsoft
Traffic | From | To | Source port | Destination port |
SIP/TLS | SBC | SIP Proxy | Defined on the SBC | 5061 |
Now vice versa: SIP traffic from the Customer to the SIP Proxy (Microsoft) will originate from a source port in the range 1024 – 65535. The SIP Proxy (Microsoft) will be listening on destination port 5061.
=====================================================================================
Media Traffic
Now let’s dive in and look at the Media portion: The media traffic flows to and from a separate service (Media Processor) in O365. The IP address ranges for Media traffic are as follows:
- 52.112.0.0/14 (IP addresses from 52.112.0.1 to 52.115.255.254).
- 52.120.0.0/14 (IP addresses from 52.120.0.1 to 52.123.255.254).
Media Traffic: Ports
Traffic | From | To | Source port | Destination port |
UDP/SRTP | Media Processor | SBC | 3478-3481 and 49152 – 53247 | Defined on the SBC |
UDP/SRTP | SBC | Media Processor | Defined on the SBC | 3478-3481 and 49152 – 53247 |
Now we are going to break this down into two sections: media traffic coming from O365 (Media Processor) to the local SBC, and then the reverse, traffic leaving the local SBC and going to O365 (Media Processor). We see that media traffic from the Media Processor to the SBC could come from source ports 3478 – 3481 and 49152 – 53247. The destination port is where the customer can define the port that the SBC listens on, if they want to.
Traffic | From | To | Source port | Destination port |
UDP/SRTP | Media Processor | SBC | 3478-3481 and 49152 – 53247 | Defined on the SBC |
When we look at the opposite direction, media traffic leaving the local SBC and traveling to O365 (Media Processor), this is where the customer needs to have 3478 – 3481 and 49152 – 53247 open. These are the destination ports that traffic leaving through the firewall at the customer needs to be allowed to reach.
Traffic | From | To | Source port | Destination port |
UDP/SRTP | SBC | Media Processor | Defined on the SBC | 3478-3481 and 49152 – 53247 |
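The signaling and media tables above can be combined into one flow check for reviewing firewall logs or a proposed rule set. This is an added example, not code from the original article; the SBC-side SIP port 5061 and SBC media range 40000-49999 are assumptions standing in for the "Defined on the SBC" values, and the sample flows are constructed.

```python
import ipaddress

# Microsoft-side values copied from this page.
SIGNALING_IPS = {ipaddress.ip_address(a) for a in (
    "52.114.148.0", "52.114.132.46", "52.114.75.24", "52.114.76.76",
    "52.114.7.24", "52.114.14.70", "52.114.16.74", "52.114.20.29")}
MEDIA_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.120.0.0/14")]
MS_SIP_PORT = 5061
MS_MEDIA_PORTS = (range(3478, 3482), range(49152, 53248))

# Assumptions (not from the page): the "Defined on the SBC" values.
SBC_SIP_PORT = 5061
SBC_MEDIA_PORTS = range(40000, 50000)


def classify(direction, proto, ms_ip, ms_port, sbc_port):
    """Classify one flow. direction: 'in' = Microsoft -> SBC, 'out' = SBC -> Microsoft."""
    ip = ipaddress.ip_address(ms_ip)
    # The signaling IPs sit inside the media /14, so the protocol picks the rule set.
    if proto == "tcp":
        if ip not in SIGNALING_IPS:
            return "deny: peer is not a signaling IP"
        if direction == "in":
            ok = 1024 <= ms_port <= 65535 and sbc_port == SBC_SIP_PORT
        else:
            ok = ms_port == MS_SIP_PORT
        return "allow: sip/tls" if ok else "deny: signaling port"
    if proto == "udp":
        if not any(ip in net for net in MEDIA_NETS):
            return "deny: peer is outside the media ranges"
        ok = any(ms_port in r for r in MS_MEDIA_PORTS) and sbc_port in SBC_MEDIA_PORTS
        return "allow: media" if ok else "deny: media port"
    return "deny: protocol"


# Constructed sample flows: (direction, proto, Microsoft IP, Microsoft port, SBC port)
SAMPLE_FLOWS = [
    ("in", "tcp", "52.114.75.24", 40122, 5061),
    ("out", "tcp", "52.114.7.24", 5060, 51000),
    ("in", "tcp", "52.113.10.20", 40000, 5061),
    ("out", "udp", "52.121.4.4", 50000, 40500),
    ("in", "udp", "203.0.113.9", 3478, 40010),
]


def audit(flows):
    """Return (flow, verdict) pairs for a list of flows."""
    return [(f, classify(*f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict, flow)
```
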