Introduction
- On December 21, 2021, Microsoft published MC307310 to the Office 365 Message Center
- The notice includes these additional changes to Teams Direct Routing that go into effect on March 1, 2022:
- Two (2) fully qualified domain names (FQDNs) will no longer be supported by Microsoft Teams:
- sip-all.pstnhub.microsoft.com
- sip-all.pstnhub.gov.teams.microsoft.us
- Microsoft recommends using these subnets for “any classification or access control list (ACL) rules and not the sip-all FQDN when configuring SBCs for Direct Routing”
- 52.112.0.0/14
- 52.120.0.0/14
- AudioCodes immediately released Product Notice 0448, “Microsoft Major Updates for Teams Direct Routing” in response to this change
- The AudioCodes notice covers two changes: the previously documented change regarding Microsoft not supporting SIP requests with the Replaces headers (detailed in our previous blog article, Microsoft Changes to Teams Direct Routing Sessions Border Controller Configurations - Changes needed by Jan. 3rd) and this new change regarding the FQDNs
- Based on these changes, AudioCodes updated their Direct Routing Configuration notes:
- Classification Rules
- Change the Source IP Address on the Classification rule from 52.112.*.* to 52.*.*.*
- If you have a Classification rule with a Source IP Address of 52.120.*.*, it can be deleted
- Firewall Rules
- Replace the Teams relevant firewall rules pointed to IP addresses in the 52.*.*.* network range with rules specific to these subnets:
- 52.112.0.0/14
- 52.120.0.0/14
- These changes can be found in the latest versions of the AudioCodes Teams Direct Routing Configuration Notes:
- Connecting AudioCodes SBC to Microsoft Teams Direct Routing Enterprise Model
- Connecting AudioCodes SBC with Analog Device to Microsoft Teams Direct Routing Enterprise Model
- Connecting AudioCodes SBC to Microsoft Teams Direct Routing Hosting Model
- Connecting AudioCodes SBC to Microsoft Teams Direct Routing with Local Media Optimization
- Customers need to verify that these FQDNs have been scrubbed from their Teams Direct Routing enabled AudioCodes SBCs before March 1, 2022
- Most currently installed SBCs are probably not pointing to these FQDNs
- Most do not have the Source IP Address of their Classification rule set to 52.*.*.*
- SBCs that have the firewall rules configured are probably pointed at a list of individual host addresses in the 52.114.*.* subnet range
- Customers should also review the SBC’s Message Condition Rule and the Teams Proxy Set to ensure that they do not refer to these FQDNs
Checking and updating the FQDNs
- The problematic FQDNs have never, as far as we know, been referenced in any AudioCodes configuration guides for Teams Direct Routing
- The FQDNs could be referenced on an AudioCodes SBC in the:
- Classification rules
- Message Condition Rules
- Teams Proxy Set
- SBC Firewall Rules
Classification Rules
1) Once signed on to the SBC, click on “Actions”
2) Then click on “Configuration File”. Follow the prompts to save the file
3) Click on “Setup”
4) Then “Signaling & Media”
5) Then “SBC”
6) Click on “Classification”
7) Click on each Classification rule where the Source IP Group is “Teams” (or however you refer to your Microsoft Teams IP Group)
8) Scroll down to view the settings
- The “Source IP Address” is not 52.*.*.*
- The “Source Username Pattern”, “Source Host” or “Destination Username Pattern” fields have anything other than an asterisk (*) as their values
10) As needed, change the “Source IP Address” to 52.*.*.* and the three (3) fields to an asterisk (*)
11) If you made any changes, click the “Apply” button
12) The “Save” button should now have a red box around it. Click the button then click “Yes” when prompted
- Make a note of the “Message Condition” rule referenced by the Classification rule
- If you have a second Classification rule for Microsoft Teams that references the 52.120.*.* subnet, delete it then save your changes when prompted
Message Condition Rules
1) Click on “Message Manipulation”
2) Then click on “Message Conditions”
3) Select the rule referenced by the Classification rule
4) The value for the condition field for Microsoft 365, Office 365, and Office 365 GCC tenants should be:
- header.contact.url.host contains 'pstnhub.microsoft.com'
5) If it isn’t, click the “Edit” button, correct, and save it as before
- From the “SIP Signaling FQDNs” section of the Microsoft Plan Direct Routing article, the values for the condition field for the other GCC tenants should be:
- Office GCC DoD tenants:
- header.contact.url.host contains 'sip.pstnhub.dod.teams.microsoft.us'
- Office 365 GCC High tenants:
- header.contact.url.host contains 'sip.pstnhub.gov.teams.microsoft.us'
Teams Proxy Set
1) Click on “Core Entities”
2) Then on “Proxy Sets”
3) Click on the “Teams” Proxy Set
4) Scroll down to view its settings
5) Click on “Proxy Addresses”
6) For Microsoft 365, Office 365, and Office 365 GCC tenants, the “Proxy Addresses” should be:
| Index | Proxy Address | Transport Type | Proxy Priority | Proxy Random Weight |
|---|---|---|---|---|
| 0 | sip.pstnhub.microsoft.com:5061 | TLS | 1 | 1 |
| 1 | sip2.pstnhub.microsoft.com:5061 | TLS | 2 | 1 |
| 2 | sip3.pstnhub.microsoft.com:5061 | TLS | 3 | 1 |
7) If they are not correct, click the “Edit” button, apply the corrections then Save the changes as before
- From the “SIP Signaling FQDNs” section of the Microsoft Plan Direct Routing article, the Proxy Addresses for the other GCC tenants should be (these FQDNs are implied from the Microsoft documentation but are not called out specifically in the AudioCodes configuration guides):
- Office GCC DoD tenants:

| Index | Proxy Address | Transport Type | Proxy Priority | Proxy Random Weight |
|---|---|---|---|---|
| 0 | sip.pstnhub.dod.teams.microsoft.us:5061 | TLS | | |

- Office 365 GCC High tenants:

| Index | Proxy Address | Transport Type | Proxy Priority | Proxy Random Weight |
|---|---|---|---|---|
| 0 | sip.pstnhub.gov.teams.microsoft.us:5061 | TLS | | |
For Office GCC DoD and Office 365 GCC High tenants, the values for the “Proxy Hot Swap” and “Proxy Load Balancing Method” fields in the Teams Proxy Set can be left at their default values of “Disable”
SBC Firewall Rules
- Using the firewall rules on the AudioCodes SBCs is completely optional. Most customers do not use them and rely on rules on their perimeter firewalls
- If you have implemented firewall rules on an AudioCodes SBC, verify that they are in line with the latest guidance in the configuration guides
For more information on implementing firewall rules on an AudioCodes SBC, please take a look at our Securing an AudioCodes Session Border Controller – Firewall Rules blog article
1) Click on “IP Network”
2) Click on “Security”
3) Then click on “Firewall”
- Here are the supported firewall rules from the AudioCodes configuration guide for Microsoft 365, Office 365, and Office 365 GCC tenants (you may have additional rules for the other interfaces on the SBC):
| Index | Source IP | Subnet Prefix | Start Port | End Port | Protocol | User Specific Interface | Interface ID | Allow Type |
|---|---|---|---|---|---|---|---|---|
| 0 | <Public DNS Server IP> (e.g. 8.8.8.8) | 32 | 0 | 65535 | Any | Enable | WAN_IF | Allow |
| 1 | 52.112.0.0 | 14 | 0 | 65535 | TCP | Enable | WAN_IF | Allow |
| 2 | 52.120.0.0 | 14 | 0 | 65535 | TCP | Enable | WAN_IF | Allow |
| 3 | xxx.xxx.xxx.xxx | 32 | 0 | 65535 | UDP | Enable | WAN_IF | Allow |
| 49 | 0.0.0.0 | 0 | 0 | 65535 | Any | Enable | WAN_IF | Allow |
- From the “SIP Signaling FQDNs” section of the Microsoft Plan Direct Routing article, the Teams subnet firewall ranges for the other GCC tenants should be:
- Office GCC DoD tenants:
- 52.127.64.0/21
- Office 365 GCC High tenants:
- 52.127.88.0/21
- Please note that these ranges are not documented by AudioCodes in their guides for these tenants. These are recommendations from Enabling Technologies based on the Microsoft documentation
- While you can use FQDNs in the “Source IP” field, it is not recommended
- ***WHEN UPDATING THE SBC’S FIREWALL RULES, MAKE SURE THAT YOU HAVE BACKED UP THE CONFIGURATION FILE. PROCEED CAUTIOUSLY WHEN MAKING CHANGES. YOU CAN EASILY LOCK YOURSELF OUT OF THE SBC! ***
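The configuration file saved from the SBC can also be checked offline before touching the device. The following is an added example, not AudioCodes or Enabling Technologies code: it scans any text export for the two retired sip-all FQDNs and for 52.x.x.x host addresses that fall outside the documented Teams subnets. The sample text and its key names are constructed for illustration and do not represent the real export format; the scanner does not depend on the layout.

```python
import ipaddress
import re

# FQDNs and subnets are the values quoted in the article above.
DEPRECATED_FQDNS = (
    "sip-all.pstnhub.microsoft.com",
    "sip-all.pstnhub.gov.teams.microsoft.us",
)
COMMERCIAL_SUBNETS = ("52.112.0.0/14", "52.120.0.0/14")
BROAD_RANGE = ipaddress.ip_network("52.0.0.0/8")  # what 52.*.*.* covers

# Dotted-quad literal that is not part of a longer number or address.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def audit_config(text, subnets=COMMERCIAL_SUBNETS):
    """Return (line_no, issue, value) tuples for an exported configuration.

    Pass the GCC DoD or GCC High range as `subnets` for those tenants.
    """
    allowed = [ipaddress.ip_network(s) for s in subnets]
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()  # host names are case-insensitive
        for fqdn in DEPRECATED_FQDNS:
            if fqdn in lowered:
                findings.append((line_no, "deprecated-fqdn", fqdn))
        for literal in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:  # e.g. 999.1.1.1 is not an address
                continue
            if addr in BROAD_RANGE and not any(addr in n for n in allowed):
                findings.append((line_no, "outside-teams-subnets", literal))
    return findings


# Constructed sample; key names are hypothetical, not a real SBC export.
SAMPLE = """\
; constructed sample for illustration
ProxyAddress 0 = sip.pstnhub.microsoft.com:5061
ProxyAddress 1 = SIP-ALL.pstnhub.microsoft.com:5061
Condition = header.contact.url.host contains 'pstnhub.microsoft.com'
FirewallSource 1 = 52.114.7.24/32
FirewallSource 2 = 52.96.10.5/32
FirewallSource 3 = 52.112.0.0/14
FirewallSource 4 = 8.8.8.8/32
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(finding)
```

An empty result means neither retired FQDN appears and every 52.x.x.x literal sits inside the subnets passed in; wildcard values such as 52.*.*.* are not IP literals and still need to be reviewed in the Classification rule by hand.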
Summary
- Microsoft will no longer support the Teams Direct Routing FQDNs sip-all.pstnhub.microsoft.com or sip-all.pstnhub.gov.teams.microsoft.us as of March 1, 2022
- These FQDNs should be scrubbed from any Microsoft Teams Direct Routing enabled AudioCodes SBCs before March 1, 2022
- AudioCodes has revised their guidance for the Teams IP subnet ranges and their configuration on AudioCodes SBCs. While the existing ranges will continue to work, the range in the Classification rules should be updated as soon as possible
- Customers must verify that their SBCs are properly configured to support this change before March 1, 2022
- Enabling Technologies is available and ready to answer any questions that you might have. If you need help making this change, please contact us at contact@enablingtechcorp.com