The Enabling Technologies Blog

Our team of Cloud Strategy Advisors, Solution Architects, Engineers and former C-Suite Executives work diligently to provide our vistors with the most pressing information.

John Miller /

Microsoft to drop support for some Teams Direct Routing Fully Qualified Domain Names

Introduction 

  • On December 21, 2021, Microsoft published MC307310 to the Office 365 Message Center 
  • The notice includes these additional changes to Teams Direct Routing that go into effect on March 1, 2022: 
  • Two (2) fully qualified domain names (FQDNs) will no longer be supported by Microsoft Teams: 
  • sip-all.pstnhub.microsoft.com 
  • sip-all.pstnhub.gov.teams.microsoft.us 
  • Microsoft recommends using these subnets for “any classification or access control list (ACL) rules and not the sip-all FQDN when configuring SBCs for Direct Routing” 
  • 52.112.0.0/14 
  • 52.120.0.0/14 
  • Classification Rules 
  • Change the Source IP Address on the Classification rule from 52.112.*.* to 52.*.*.* 
  • If you have a Classification rule with a Source IP Address of 52.120.*.*, it can be deleted 
  • Firewall Rules 
  • Replace the Teams relevant firewall rules pointed to IP addresses in the 52.*.*.* network range with rules specific to these subnets: 
  • 52.112.0.0/14 
  • 52.120.0.0/14 
  • These changes can be found in the latest versions of the AudioCodes Teams Direct Routing Configuration Notes: 
  • Customers need to verify that these FQ DNS have been scrubbed from their Teams Direct Routing enabled AudioCodes SBCs before March 1, 2022  
  • Most currently installed SBCs are probably not pointing to these FQDNs 
  • Most have the Source IP Address of their Classification rule not pointing to 52.*.*.* 
  • SBCs that have the firewall rules configured are probably pointed at a list of individual host addresses in the 52.114.*.* subnet range 
  • Customers should also review the SBC’s Message Condition Rule and the Teams Proxy Set to ensure that they do not refer to these FQDNs 

Checking and updating the FQDNs 

  • The problematic FQDNs have never, as far as we know, been referenced in any AudioCodes configuration guides for Teams Direct routing 
  • The FQDNs could be referenced on an AudioCodes SBC in the: 
  • Classification rules 
  • Message Condition Rules 
  • Teams Proxy Set 
  • SBC Firewall Rules 

Classification Rules 

1) Once signed on to the SBC, click on “Actions” 
2) Then Click on “Configuration File”. Follow the prompts to save the file 

Graphical user interface, application

Description automatically generated

3) Click on “Setup” 
4) Then “Signaling & Media” 
5) Then “SBC” 
6) Click on “Classification” 
7) Click on each Classification rule where the Source IP Group is “Teams” (or however you refer to your Microsoft Teams IP Group) 
8) Scroll down to view the settings 

A screenshot of a computer

Description automatically generated

9) Click the “Edit” button if: 
  •  The “Source IP Address” is not 52.*.*.* 
  •  The “Source Username Pattern”, “Source Host” or “Destination Username Pattern” fields have anything other than an asterisk (*) as their values 

Graphical user interface, application

Description automatically generated

10) As needed, change the “Source IP Address” to 52.*.*.* and the three (3) fields to an asterisk (*) 
11) If you made any changes, click the “Apply” button 
12) The “Save” button should now have a red box around it. Click the button then click “Yes” when prompted 

  • Make a note of the “Message Condition” rule referenced by the Classification rule 
  • If you have a second Classification rule for Microsoft Teams that references the 52.120.*.* subnet, delete it then save your changes when prompted 

Message Condition Rules 

1) Click on “Message Manipulation” 
2) Then click on “Message Conditions” 
3) Select the rule referenced by the Classification rule 
4) The value for the condition field for Microsoft 365, Office 365, and Office 365 GCC tenants should be: 
  • header.contact.url.host contains 'pstnhub.microsoft.com' 

5) If it isn’t, click the “Edit” button, correct, and save it as before 

Graphical user interface, text, application

Description automatically generated

  • From the “SIP Signaling FQDNs” section of the Microsoft Plan Direct Routing article, the values for the condition field for the other GCC tenants should be: 
  • Office GCC DoD tenants: 
  • header.contact.url.host contains 'sip.pstnhub.dod.teams.microsoft.us' 
  • Office 365 GCC High tenants: 
  • header.contact.url.host contains 'sip.pstnhub.gov.teams.microsoft.us' 

Teams Proxy Set 

1) Click on “Core Entities” 
2) Then on “Proxy Sets” 
3) Click on the “Teams” Proxy Set 
4) Scroll down to view its settings 
5) Click on “Proxy Addresses” 

Graphical user interface, application, website

Description automatically generated

6) For Microsoft 365, Office 365, and Office 365 GCC tenants, the “Proxy Addresses” should be: 

Index 

Proxy Address 

Transport Type 

Proxy Priority 

Proxy Random Weight 

0 

sip.pstnhub.microsoft.com:5061 

TLS 

1 

1 

1 

sip2.pstnhub.microsoft.com:5061 

TLS 

2 

1 

2 

sip3.pstnhub.microsoft.com:5061 

TLS 

3 

1 

Graphical user interface, application

Description automatically generated

7) If they are not correct, click the “Edit” button, apply the corrections then Save the changes as before 

  • From the “SIP Signaling FQDNs” section of the Microsoft Plan Direct Routing article, the Proxy Addresses for the other GCC tenants should be (these FQDNs are implied from the Microsoft documentation but are not called out specifically in the AudioCodes configuration guides): 

Office GCC DoD tenants: 

Index 

Proxy Address 

Transport Type 

Proxy Priority 

Proxy Random Weight 

0 

sip.pstnhub.dod.teams.microsoft.us:5061 

TLS 

 

 

 

  • Office 365 GCC High tenants: 

Index 

Proxy Address 

Transport Type 

Proxy Priority 

Proxy Random Weight 

0 

sip.pstnhub.gov.teams.microsoft.us:5061 

TLS 

 

 

For Office GCC DoD and Office 365 GCC High tenants, the values for the “Proxy Hot Swap” and “Proxy Load Balancing Method” fields in the Teams Proxy Set can be left at their default values of “Disable” 

SBC Firewall Rules 

  • Using the firewall rules on the AudioCodes SBCs is completely optional. Most customer do not use them and rely on rules on their perimeter firewalls 
  • If you have implemented firewall rules on an AudioCodes SBC, verify that they are inline with the latest guidance in the configuration guides 

For more information on implementing firewall rules on an AudioCodes SBC, please take a look at our Securing an AudioCodes Session Border Controller – Firewall Rules blog article 

1) Click on “IP Network”

2) Click on “Security” 

3) Then click on “Firewall”  

Graphical user interface, text, application, email

Description automatically generated

  • Here are the supported firewall rules from the AudioCodes configuration guide for Microsoft 365, Office 365, and Office 365 GCC tenants (you may have additional rules for the other interfaces on the SBC): 

Index 

Source IP 

Subnet Prefix 

Start Port 

End Port 

Protocol 

User Specific Interface 

Interface ID 

Allow Type 

0 

<Public DNS Server IP> 

(e.g. 8.8.8.8) 

32 

0 

65535 

Any 

Enable 

WAN_IF 

Allow 

1 

52.112.0.0 

14 

0 

65535 

TCP 

Enable 

WAN_IF 

Allow 

2 

52.120.0.0 

14 

0 

65535 

TCP 

Enable 

WAN_IF 

Allow 

3 

xxx.xxx.xxx.xxx 

32 

0 

65535 

UDP 

Enable 

WAN_IF 

Allow 

49 

0.0.0.0 

0 

0 

65535 

Any 

Enable 

WAN_IF 

Allow 

  • From the “SIP Signaling FQDNs” section of the Microsoft Plan Direct Routing article, the Teams subnet firewall ranges for the other GCC tenants should be: 
  • Office GCC DoD tenants: 
  • 52.127.64.0/21 
  • Office 365 GCC High tenants: 
  • 52.127.88.0/21 
  • Please note that these ranges are not documented by AudioCodes in their guides for these tenants. These are recommendations from Enabling Technologies based on the Microsoft documentation 
  • While you can use FQDNs in the “Source IP” field, it is not recommended 
  • ***WHEN UPDATING THE SBC’S FIREWALL RULES, MAKE SURE THAT YOU HAVE BACKED UP THE CONFIGURATION FILE. PROCEED CAUTIOUSLY WHEN MAKING CHANGES. YOU CAN EASILY LOCK YOURSELF OUT OF THE SBC! *** 

Summary 

  • Microsoft will no longer support the Teams Direct Routing FQDNS sip-all.pstnhub.microsoft.com or sip-all.pstnhub.gov.teams.microsoft.us as of March 1, 2022 
  • These FQDNs should be scrubbed from any Microsoft Teams Direct Routing enabled AudioCodes SBCs before March 1, 2022 
  • AudioCodes has revised their guidance for the Teams IP subnet ranges and their configuration on AudioCodes SBCs. While the existing ranges will continue to work, the range in the Classification rules should be updated as soon as possible 
  • Customers must verify that their SBCs are properly configured to support this change before March 1, 2022 
  • Enabling Technologies is available and ready to answer any questions that you might have. If you need help making this change, please contact us at contact@enablingtechcorp.com 

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.

ref:_00D80KtFf._5000y1WwWQD:ref