Enabling Media Bypass for Teams Direct Routing

In the previous blog post a Ribbon SBC1000 was configured for Teams Direct Routing using SIP Trunk from Masergy and tests calls made using the new Poly CCX Native Teams phones. That setup was configured with the default non media-bypass where media always flowed between the SBC and Microsoft Office365 Teams media processors or relays. As a follow up to that, this blog posts walks through the configuration of media bypass in the same lab setup, allowing media to flow directly between the Teams phones and the SBC, thereby simplifying the media flow allowing for potentially better call quality. Since it is fairly straightforward to configure media bypass, this post also provides wireshark packet capture on the SBC to show the media flow between non media-bypass and media-bypass calls

The mechanics of Teams Direct Routing media bypss is already well explained in the Microsoft documentation here and there's no need to dive into the details in this post. Just to summarize, when in non media-bypass, both signaling and media traffic will flow between the SBC and the Microsoft Phone System as shown below:

With media bypass enabled, signalling will still flow between the SBC and Microsoft Phone System but media will be able to flow directly between the Teams phones and the SBC, thereby eliminating the hop out to the internet as shown below:

Before going into the configuration and network packet captures, its worth calling out a few important points as mentioned in the Microsoft Docs. These include

• Media bypass leverages protocols called Interactive Connectivity Establishment (ICE) on the Teams client and ICE Lite on the SBC. Hence we need to enable ICE Lite on our Ribbon SBC1000 which was possible from verion 8.0.2 of the SBC firwmare
• For internal networks, the Teams client must be able to access the public IP of the SBC from the internal network to leverage media bypass. This is the recommended solution when a user is in the same network as the SBC.
• For external networks, the Teams client can either access the SBC public IP directly for media bypass, otherwise if it cannot then the client will communicate to SBC via Transport Relays. For media optimization purposes, Microsoft recommends only allowing transport relays to access the SBC public IP. However just for testing purposes to show the media bypass flows, we will allow the Teams phones to reach the public IP of the SB in our setup.
• Media Processors are always in the path for end user non-bypassed calls, but never in the path for bypassed calls. Media Processors are always in the path for all voice applications such as Call Park, Organizational Auto Attendant, and Call Queues

To begin configuring for media bypass, we first make sure that ICE Lite is enabled on the SBC1000 Sigaling Group Table for the Teams Direct Routing connection as shown below:

For Media Bypass, the following firewall ports are required on the SBC1000:

Inbound Public (Internet to SBC):

• Media for SBC 1000: UDP 17586-21186 (default)
• Media for SBC 2000: UDP 19386-28386 (default)

Outbound Public (SBC to Internet):

• Media: UDP 50000-50019

• If the device that handles the NAT between the Teams Client and SBC Public IP is performing PAT (Port Address Translation), verify that this device has the source port range of the Teams Client media or open all the ports from 1024 to 65535.

Before enabling Media Bypass, lets first do a packet capture of the Teams phone making a call to PSTN without media bypass. As can be seen in the wireshark screenshot below, all media traffic is flowing between the Teams media processor and the SBC, and between the SBC and the SIP trunk. Hence the media traffic on the phone is always going to the O365 cloud:

To enable media bypass on our tenant Phone System we simply use the Skype online powershell and set the PSTN gateway to enable media bypass using the Set-CSOnlinePSTNGateway cmdlet as shown below. We'll want to wait a few minutes for the settings to take effect:

Now we are ready to leverage media bypass place calls from the Poly CCX Teams phone to PSTN and start packet captures on the SBC. Our phone is behind a firewall with NAT and thus the phone's IP as seen by SBC is the public NAT'ed IP. ​As can be seen in the wireshark screenshot below, all media traffic is now flowing directly between the phone and the SBC, and between the SBC and the SIP trunk. Hence the media traffic on the phone is no longer going via the O365 cloud:

---

As mentioned earlier, this direct media flow between the phone and the SBC is only possible because the phone can reach the public IP of the SBC. If we follow Microsoft's recommendation of only allowing Teams Transport Relays to communicate with the SBC, then the media from the phone will first reach the Transport relay before hitting the SBC. There should not be any noticeable delay as the transport relays are located in many geographical locations and the nearest available one will always be used for the media path.

In conclusion, media bypass enables Teams clients to shorten the path of media traffic and reduce the number of hops in transit for better performance. With media bypass, media is kept between the Session Border Controller (SBC) and the client instead of sending it via the Microsoft Phone System and this hopefully this blog posts serves as a reference on the configuration of SBC and also showing the actual network packet trace of both media-bypass and non media-bypass scenarios.