Home » Sonus

Category Archives: Sonus

PSTN Survival With Microsoft Teams, Polycom VVX and Ribbon SBC

At EC19, Yealink announced a partnership with Ribbon to deliver PSTN survival with Microsoft Teams for their Teams Phones. I don’t have a Yealink, but I do have a few VVX’s lying around my home office, so I thought I would give it a shot and see if I can get this working on other handsets. Turns out I can and that means I do not have to invest in new hardware for this disaster event solution. Better still it works for Skype for Business On-Prem and Online as well as Microsoft Teams!

So, how does it work conceptually? Basically the VVX phone registers to both Skype for Business Online (Teams via SIP Gateway) and to the SBC at the same time. When registration fails to Skype for Business / Teams, the phone will failover the active registration to the SBC and become essentially a basic SIP phone for making and receiving calls.

In order to facilitate this functionality, there are a couple of per-requisites.

  • The SBC must have local SIP registrar licenses to cover the number of phones you want to have this capability
  • The VVX phones must be running UCS 5.8 onwards

To set this up I will say right now is not that easy, or scale-able. This solution is really meant for mission critical phones that must survive a failure and not every phone in your business. Why, will become apparent as you read on. But basically, you would provide this capability maybe for your senior execs, inbound sales / support teams and main office reception type scenarios.

First we need to configure a Cloud IP Phone Policy in the tenant. This is so we can disable the management of firmware by Office 365. The reason for this is we need UCS 5.8 or higher, and Microsoft will force a rollback to UCS 5.6 if managed by Office 365. As there is only the global policy, this would mean that all phones would be affected.

Set-CsIPPhonePolicy -Identity Global -EnableDeviceUpdate $False

Now update your VVX to UCS 5.8 either by Phone Web UI or on-prem provisioning server.

Before we touch the phone any further, we now need to set up the SBC to support this. Assuming you now have the required Local Registrar license installed.

First on the SBC go to SIP > Local Registrars and create one. I’ve called mine “Teams Fallback SIP”

Now from SIP > Local / Pass thru Auth tables create an auth table. I’ve called mine “Teams Local Fallback”.

In this auth table, create an account for the phone that you want to survive. Note it is important that the address URI is the same as the DDI assigned to the user in Teams. The username and password can be anything. But for simplicity sake, the username is the DDI and I’ve set the password to 12345

Now we have the account set up, we need to catch registrations, so we need to create a signalling group. Under signalling groups create a SIP SG, I’ve called mine “Teams Fallback Phone”

The settings of the SG should be:

  • Call Routing Table (select any for now – we will come back to this)
  • SIP Profile: Default
  • SIP Mode: Local Registrar
  • Registrar: Teams Fallback SIP
  • Media List: Default
  • Listen Ports: 5060 TCP/UDP
  • Federated IP: <your network range>

Now create a call route table to handle outbound calls from phones when they are in a fallback mode.

Go back to the Signalling Group and set the call routing table to this and apply the settings.

Now we have the bones of the configuration we need. Now to configure the outbound call route. From the routing table we created, add a route to your ITSP. You can use the same transformation tables created for your Teams -> ITSP if it is compatible

This is now outbound calling configured. Now let’s configure inbound.

For inbound we need to ensure that the fallback route is only tried if the primary (via Microsoft Teams Direct Routing) is unresponsive. There are a few ways in which to achieve this, but I am going with the simple way. Rather than using cause code re-routes, I am simply going to add my fallback signalling group to the existing ITSP -> Teams route entry as a second possible destination for calls.

The way that this works is destination SGs are attempted on a first to last basis. As the Teams SG will almost always be up, the calls will always route via that. In an outage, which is what we want, it will not be available so the 2nd SG is tried and this is to our local SIP registrar table.

The SBC configuration is now complete. Now we need to configure the VVX phone.

You will need to add the following configuration to your phone’s cfg file


Where is the IP address of your SBC, the userId is the sip user we created in the local auth table and it’s password.

Now the solution is ready the last note of interest is the experience.

By default, phones register to Office 365 for a period of 10 minutes. usually the phone re-registers when the time gets to 50% or 5 minutes. The phone is a single line, therefore, can only have one active registration for calls at any one time.

During a failure event, there may be a period of 10 minutes where no calling is possible until the registration with Office 365 times out, the phone will then automatically mark the backup registration active. Calls during this time inbound will receive a busy tone, and the message back from the phone will be a SIP 486 “Busy Here” message.

Once the phone realises that it can no longer register to Office 365 calls will proceed as normal, but the phone will be in a basic mode, which is nothing more than a landline type service.

As you can see, the solution would be quite hard to scale beyond the few critical phones you need and it is quite limited, but its giving your critical users something rather than nothing in a time where you need to be focused on restoring a service, not providing an ad-hoc workaround on a case by case basis.

Legacy PBX Number Presentation to Skype for Business Using Sonus SBCs and AD based RNL

A customer messaged me last week and asked me a question regarding number presentation to Skype for Business when users still on their legacy PBX system placed a call to a Skype for Business endpoint. The customer explained to me that when a Skype for Business user called an extension on their legacy PBX system, the caller display name showed the name of the caller. However, when a legacy PBX user called a Skype for Business endpoint, the caller display showed the extension number rather than the name of the caller, therefore not allowing the Skype for Business user to easily identify the caller.

The reason why when a Skype for Business user calls the legacy PBX extension the caller’s name is display is because out of the box, Skype for Business sends both the extension number and the name of the caller in the FROM header in the SIP INVITE to the legacy PBX. For Example:

FROM: “David Williams” <sip:+441270212000@skypefe1.domain.com:5068;user=phone>

Using SIP standards, the legacy PBX automatically interprets this and is able to display the name of the caller to the handset.

However, the legacy PBX system appeared to be configured with just extension numbers only. The system had no local directory to associate an extension with a name of the employee who has that extension supplied to them. The result of this was that when the legacy PBX sent the INVITE to Skype for Business the FROM header simply included just the extension number, like

FROM: sip:1005@legacypbx.domain.com:5060;user=phone

End user experience on a Skype for Business client is:


Skype for Business / Sonus Survivable Branch Appliance Firewall Rules

Deploying a Survivable Branch Appliance (SBA) into a Skype for Business topology takes a bit of planning. As part of the planning exercise you will no doubt be discussing what firewall ports are required in order to deploy the SBA securely from both external and internal source based attacks. Reading documentation from various sources online, I have yet to find a definitive and concise firewall rule table that addresses an SBA directly. However, breaking down an SBA into components it contains:

  • Session Border Controller
  • Skype for Business Mediation Server (collocated)
  • Skype for Business Registrar Server (collocated)
  • Skype for Business CMS local replica (collocated)

With this in mind I have collected all the ports required for a SBA deployment in a security conscious network.

Note: that these ports relate to the Sonus SBC 1000/2000 with the ASM SBA module installed. Other manufacturers of SBA’s may have other port requirements.


Skype for Business and Sonus–Remote Site Survivability (an alternative approach)

When deploying Skype for Business to medium sized organisations, the main challenges tend to be around how to ensure that remote sites adjacent to the main headquarters remain online for as long as possible in the event of an infrastructure failure. If you follow the Skype for Business architecture, you will know that the best practice is to deploy some hardware to remote sites that warrant it. Whether the requirement is down to user count, or a business critical process mandates a remote site’s availability service level agreement, this is often a battle between affordability and best practice. We Skype consultants will always peddle best practice recommendations to our customers, because we know they work, and more importantly, we know that the solution is backed by both Microsoft, and other hardware / software vendors. This results in our customer’s receiving the best possible after care service, a supported topology and upgrade path, ensuring the integrity of the complete product lifecycle is maintained.


Skype for Business and Sonus–Part 6–Getting around NAT

In Part 5 we discussed how to handle encrypted signalling and media. In this article we will be discussing how to configure the Sonus SBC to work behind a NAT firewall. If you have been following this blog series, in part 1 we discussed the recommended connectivity setup. This was to connect the SBC directly to your WAN by public IP address. However, there are some (actually majority) of customers who have a network configuration that is not optimised for this type of connectivity. In these scenarios, the SBC usually sits behind the network edge firewall and services are passed through from the outside world to the SBC using NAT.


Skype for Business and Sonus – Part 5 – Adding Encryption

In Part 4, we discussed and walked through how to connect the SBC up between the PSTN and Skype for Business using simple unencrypted signalling and media. In this article we will discuss how to create a secure connection to Skype for Business and encrypt the media traffic between them.

The first thing we must do is request and install an SSL certificate on the SBC. This can be from either a trusted SSL provider (if you are connecting to external services over TLS too) or from your internal PKI system, if you are encrypting internal traffic only.


Skype for Business and Sonus – Part 4 – Connecting it all together

In Part 3 of this series, we configured Skype for Business for enterprise voice and added the Sonus SBC to the topology as an available PSTN gateway. In this article we will discuss and walkthrough how to accept telephone calls from Skype for Business and route to the PSTN and vice versa.

Before we begin with the walkthrough guides, let’s take a moment to discuss how the SBC will handle this. As we go through this guide you will hear words like Signalling Group (SG), Transformation Table, Call Route, Media List, SIP Server table etc. Don’t be alarmed by the time this is over, you will be comfortable with these terms and what they mean and their role in the successful call flow. To begin with I will show you the call setup (signalling) workflow through the SBC from Skype for Business to the PSTN.


Skype for Business and Sonus – Part 3 – Configuring Skype for Business

In Part 2 we discussed and walked through how to configure the Sonus SBC system settings including networking, security and other system dependencies. In this article we will be configuring Skype for Business to use the Sonus SBC as an appropriate gateway to the PSTN for Enterprise Voice. To begin with we will be making the connection using unencrypted TCP connections to make it simple. TLS trunk configuration will come in a later article that will cover some common advanced configurations and settings.

As part of this article we will setup the gateway and trunk inside Skype for Business, create a simple dial plan and voice policy and assign a user a DDI so that we can test inbound and outbound calling later on. Please excuse the briefness of some topics as this article assumes a level of competency with Skype for Business.

Firstly, please make sure that you have a DNS record configured for your Sonus SBC in your internal DNS zone. This record is a simple “A” or pointer record to the SBC IP. Alternatively, an IP address of the SBC can be used instead of the FQDN for TCP connectivity.


Skype for Business and Sonus – Part 2 – Configuring the Foundations

In Part 1 we discussed the basics of where and how to install the Sonus SBC. In this article we will be discussing how to prepare the SBC 1000 for production readiness including; licencing, updating, controlling access, networking and system settings.

It is important to set solid footings in order to ensure easier administration moving forward and for proper security.


The first task I undertake is to licence the SBC. Out of the box, the device is pretty much an expensive book stop. With no licence applied, essentially all you can do is make one registration to the SBC but no calls can be placed through the device. Gather your device serial number you obtained from part 1. When you purchase an SBC the device should be accompanied by an email from Sonus that provides a link to their self-licencing portal and access code. If you do not have this email, please contact your supplier to obtain this. Once submitted your licence key will be provided to you via e-mail. This e-mail can take about 5 minutes to arrive, so don’t panic if it not sitting in your inbox immediately. The key is hash of your device serial number, the features purchased and the validity period of the licence. Copy the licence key to your clipboard and from your SBC, click on Settings tab > System > Licensing > Install New License


Skype for Business and Sonus – Part 1 – Getting Started

If you have deployed Skype for Business and now your company wants to introduce enterprise voice functionality for users, you may well find yourself looking for supported telephony equipment. There are a number of vendors out there that provide SIP connectivity hardware for Skype for Business. However, here in the UK, it seems that Sonus Session Border Controllers (SBCs) are the number one, preferred choice over the other competitors.

This article does not go into detail over which device is best for you, that is down to your own informed choice. However, if you have landed on this post then there is a good chance that you have already decided to use Sonus SBCs and got your hands on either the 1000, or 2000 SBC model.

This article is the first in a series, that provides step by step guides on configuring the Sonus SBC with Skype for Business in order to provide PSTN connectivity for your SfB users. Before we start jumping in and configuring the SBC, we must first understand how the functions on the SBC work.


%d bloggers like this: