Survivable Branch Appliance (SBA) for Direct Routing
Occasionally, a customer site using Direct Routing to connect to Microsoft Teams Phone may experience an internet outage.
In this scenario, assume that the customer site--called a branch--temporarily can't connect to the Microsoft cloud through Direct Routing. However, the intranet inside the branch is still fully functional, and users can connect to the Session Border Controller (SBC) that is providing PSTN connectivity.
This article describes how to use a Survivable Branch Appliance (SBA) with Teams Phone to support continuity of making and receiving Public Switched Telephone Network (PSTN) calls in case of an outage.
Prerequisites
The SBA is distributable code provided by Microsoft to SBC vendors who then embed code into their firmware or distribute it separately to have the SBA run on a separate VM or hardware.
To get the latest Session Border Controller firmware with the embedded Survivable Branch Appliance, contact your SBC vendor. In addition, the following is required:
- The SBC is configured for Media Bypass to ensure that the Microsoft Teams client in the branch site can have media flowing directly with the SBC.
- TLS 1.2 is enabled on the SBA VM OS.
- Ports 3443, 4444, and 8443 are used by Microsoft SBA Server to communicate with the Teams client and are allowed on the firewall.
- Port 5061 (or the one configured on the SBC) is used by Microsoft SBA Server to communicate with the SBC and is allowed on the firewall.
- UDP Port 123 is used by Microsoft SBA Server to communicate with the NTP server and is allowed on the firewall.
- Port 443 is used by Microsoft SBA Server to communicate with Microsoft 365 and is allowed on the firewall.
- Azure IP Ranges and Service Tags for the Public Cloud are defined according to the guidelines described at: https://www.microsoft.com/download/details.aspx?id=56519
Supported Teams clients
The SBA feature is supported on the following Microsoft Teams clients:
- Microsoft Teams Windows desktop
- Microsoft Teams macOS desktop
- Teams Phones
How it works
During an internet outage, the Teams client switches to the SBA automatically, and ongoing calls continue with no interruptions. No action is required from the user.
As soon as the Teams client detects that the internet is up, and any outgoing calls are finished, the client falls back to normal operation mode, and connects to other Teams services. The SBA uploads collected Call Data Records to the cloud. Call history is updated for review by the tenant administrator.
The Teams client-side outage mechanism for the SBA is designed to ensure continuous connectivity and service availability during network disruptions.
The following conditions must be met:
- Client Policy Check: The user is assigned the branch survivability policy for an SBA that the Teams client connects to--only if the appliance is up.
- Network Status Check: The Teams client connects to the SBA when the internet is disconnected, but the user's device is still connected to the SBA appliance.
Once these conditions are met, the Teams client pings the SBA appliance, and the client checks the policy. If both of these conditions are met, the following occurs:
- Branch Survivability Policy: The branch survivability policy points to the SBA URLs assigned to the user/tenant.
- Connection to the SBA on the Teams Client Side: Once the Teams client is offline and the user has the required policies, the Teams client switches to Appliance mode where the user is able to make and receive PSTN calls. A banner is displayed to inform users of the switch to the SBA.
The only UI indicator of the switch to Appliance mode is the banner. If the banner isn't present, the user isn't in SBA mode, and calling won't work.
SBA mode is activated only on desktop clients on a physical machine. VMs and web clients aren't supported at the moment.
When the Microsoft Teams client is in offline mode, the following calling-related functionality is available:
- Making PSTN calls through the local SBA/SBC with media flowing through the SBC.
- Receiving PSTN calls through the local SBA/SBC with media flowing through the SBC.
- Hold and resume of PSTN calls.
- Blind transfer.
- Call forwarding to a single phone number or Teams user.
- Unanswered call forwarding to a single phone number or Teams user.
- Redirect of incoming PSTN call to a Call queue or Auto attendant number to a local agent.
- Redirect of incoming PSTN call to a Call queue or Auto attendant number to an alternative Call queue or Auto attendant number.
- VoIP Fallback. If a VoIP call can't be initiated and the receiving party has a PSTN number, a PSTN call is attempted.
- VoIP calls between local users. If both users are registered behind the same SBA, a VoIP call can be initiated instead of PSTN call, and the SBA will support the call.
Configuration
For the SBA feature to work, the Teams client needs to know which SBAs are available in each branch site, and which SBAs are assigned to the users in that site. The configuration steps are as follows:
- Create the SBAs.
- Create the Teams branch survivability policy.
- Assign the policy to users.
- Register an application for the SBA with Microsoft Entra ID.
All configuration is done by using Teams PowerShell cmdlets. (The Teams admin center doesn't yet support the Direct Routing SBA feature.)
For information on configuring the SBC, with links to SBC vendor documentation, see Session Border Controller configuration.
Create the SBAs
To create the SBAs, use the New-CsTeamsSurvivableBranchAppliance cmdlet. This cmdlet has the following parameters:
Parameter | Description |
---|---|
Identity | The identity of the SBA |
Fqdn | The FQDN of the SBA |
Site | The TenantNetworkSite where the SBA is located |
Description | Free format text |
For example:
C:\> New-CsTeamsSurvivableBranchAppliance -Fqdn sba1.contoso.com -Description "SBA 1"
Identity : sba1.contoso.com
Fqdn : sba1.contoso.com
Site :
Description : SBA 1
Create the Teams Branch Survivability Policy
To create a policy, use the New-CsTeamsSurvivableBranchAppliancePolicy cmdlet. This cmdlet has the following parameters. The policy can contain one or more SBAs.
Parameter | Description |
---|---|
Identity | The identity of the policy |
BranchApplianceFqdns | The FQDN of the SBA(s) in the site |
For example:
C:\> New-CsTeamsSurvivableBranchAppliancePolicy -Identity CPH -BranchApplianceFqdns "sba1.contoso.com","sba2.contoso.com"
Identity : Tag:CPH
BranchApplianceFqdns : {sba1.contoso.com, sba2.contoso.com}
You can add or remove SBAs from a policy by using the Set-CsTeamsSurvivableBranchAppliancePolicy cmdlet. For example:
Set-CsTeamsSurvivableBranchAppliancePolicy -Identity CPH -BranchApplianceFqdns @{remove="sba1.contoso.com"}
Set-CsTeamsSurvivableBranchAppliancePolicy -Identity CPH -BranchApplianceFqdns @{add="sba1.contoso.com"}
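After SBAs have been added to or removed from policies, a cross-check of policies against defined SBAs shows whether every referenced FQDN still exists. The following is an added example, not Microsoft's code: the function name Test-SbaPolicyConsistency and the sample objects are constructed for illustration, and the property names follow the cmdlet output shown on this page.

```powershell
# Added example: cross-check branch survivability policies against the defined SBAs.
# Test-SbaPolicyConsistency is a hypothetical helper, not part of the Teams module.
function Test-SbaPolicyConsistency {
    param(
        [Parameter(Mandatory)] [object[]] $Appliance,  # objects with an Fqdn property
        [Parameter(Mandatory)] [object[]] $Policy      # objects with Identity and BranchApplianceFqdns
    )
    # DNS names are case-insensitive, so compare FQDNs without regard to case.
    $cmp        = [System.StringComparer]::OrdinalIgnoreCase
    $defined    = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $referenced = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($a in $Appliance) { [void]$defined.Add($a.Fqdn) }

    foreach ($p in $Policy) {
        foreach ($fqdn in $p.BranchApplianceFqdns) {
            [void]$referenced.Add($fqdn)
            if (-not $defined.Contains($fqdn)) {
                # The policy points at an FQDN with no matching SBA object.
                [pscustomobject]@{ Finding = 'UndefinedSba'; Policy = $p.Identity; Fqdn = $fqdn }
            }
        }
    }
    foreach ($a in $Appliance) {
        if (-not $referenced.Contains($a.Fqdn)) {
            # The SBA exists but no policy hands it to any user.
            [pscustomobject]@{ Finding = 'UnusedSba'; Policy = $null; Fqdn = $a.Fqdn }
        }
    }
}

# Constructed sample data, shaped like the cmdlet output shown on this page.
$sbas = @(
    [pscustomobject]@{ Identity = 'sba1.contoso.com'; Fqdn = 'sba1.contoso.com' }
    [pscustomobject]@{ Identity = 'sba3.contoso.com'; Fqdn = 'sba3.contoso.com' }
)
$policies = @(
    [pscustomobject]@{ Identity = 'Tag:CPH'; BranchApplianceFqdns = @('sba1.contoso.com', 'SBA2.contoso.com') }
)
Test-SbaPolicyConsistency -Appliance $sbas -Policy $policies | Format-Table -AutoSize

# Against a live tenant, after Connect-MicrosoftTeams:
# Test-SbaPolicyConsistency -Appliance (Get-CsTeamsSurvivableBranchAppliance) `
#                           -Policy (Get-CsTeamsSurvivableBranchAppliancePolicy)
```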
Assign a policy to a user
To assign the policy to individual users, use the Grant-CsTeamsSurvivableBranchAppliancePolicy cmdlet. This cmdlet has the following parameters:
Parameter | Description |
---|---|
Identity | The identity of the user |
PolicyName | The identity of the policy |
For example:
C:\> Grant-CsTeamsSurvivableBranchAppliancePolicy -PolicyName CPH -Identity user@contoso.com
You can remove a policy from a user by granting the $Null policy as shown in the next example:
C:\> Grant-CsTeamsSurvivableBranchAppliancePolicy -PolicyName $Null -Identity user@contoso.com
Register an application for the SBA with Microsoft Entra ID
To allow different SBAs used within your tenant to read required data from Microsoft 365, you need to register an application for the SBA with Microsoft Entra ID.
For more information about application registration, see the following:
You only need to register one application for use by all the SBAs in your tenant.
For the SBA registration, you need the following values created by the registration:
- Application (client) ID
- Client secret
For the SBA application, keep the following in mind:
- The name can be whatever you decide.
- Supported account types = Account in this organizational directory only.
- The Web Redirect Uri = https://login.microsoftonline.com/common/oauth2/nativeclient.
- Implicit grant tokens = Access tokens and ID tokens.
- API permissions = Skype and Teams Tenant Admin Access -> Application permissions -> application_access_custom_sba_appliance.
- Client secret: you can use any description and expiration.
- Remember to copy the client secret immediately after creating it.
- The Application (client) ID is shown on the Overview tab.
Then follow these steps:
- Register the application.
- Set the implicit grant tokens.
- Set the API permissions.
- Create the client secret.
Session Border Controller configuration
For step-by-step guidance on how to configure your Session Border Controller with the embedded Survivable Branch Appliance, see the documentation provided by your SBC vendor:
Known issues and considerations
The following are known issues and considerations:
In SBA mode
- The SBA supports expired client authentication tokens for up to 7 days from the token expiration.
- The Teams client won't be able to connect to the SBA if the Teams client is triggered to negotiate a new token. For example, if a user quits and restarts their Teams client or restarts their device.
- The Teams client won't be able to validate itself with an SBA that it hasn't previously connected with in the last 24 hours.
In SBA mode, the following user actions aren't supported:
- Switching their Teams client to another tenant
- Sharing location information during an emergency call (E911). Users can still make emergency calls, but location information won't be shared.
- SBA does not support Emergency Call Routing Policies. EMER dial strings bypass normalization and are always sent without +. Because of this, if the customer has no pattern attached to their regular voice routing policy matching the EMER Dial strings, emergency calls will fail via SBA.
- Reaching other Teams users with reverse number lookup against Microsoft Entra ID Contacts. A dialed number will still be processed by SBA and routed over PSTN.
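The emergency-call limitation above can be checked before an outage by testing each voice routing policy for a route whose pattern matches the emergency numbers as dialed, without a leading +. The following is an added example, not Microsoft's code: Test-EmergencyRouteCoverage is a hypothetical helper, the routes, policies and dial strings are constructed, and PowerShell's -match operator is used as an approximation of how number patterns are evaluated.

```powershell
# Added example: find voice routing policies with no route for bare emergency dial strings.
# Test-EmergencyRouteCoverage is a hypothetical helper, not part of the Teams module.
function Test-EmergencyRouteCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $RoutingPolicy,  # Identity, OnlinePstnUsages
        [Parameter(Mandatory)] [object[]] $VoiceRoute,     # Identity, NumberPattern, OnlinePstnUsages
        [Parameter(Mandatory)] [string[]] $DialString      # emergency numbers as dialed, no '+'
    )
    foreach ($policy in $RoutingPolicy) {
        # A route is reachable from the policy when they share at least one PSTN usage.
        $routes = @($VoiceRoute | Where-Object {
            $routeUsages = $_.OnlinePstnUsages
            @($policy.OnlinePstnUsages | Where-Object { $routeUsages -contains $_ }).Count -gt 0
        })
        foreach ($number in $DialString) {
            # NumberPattern is a regular expression; test the string exactly as the SBA sends it.
            $hits = @($routes | Where-Object { $number -match $_.NumberPattern })
            [pscustomobject]@{
                Policy     = $policy.Identity
                DialString = $number
                Covered    = $hits.Count -gt 0
                MatchedBy  = ($hits.Identity -join ', ')
            }
        }
    }
}

# Constructed sample data: the US route requires +1 and ten digits, so a bare 911 has no match.
$voiceRoutes = @(
    [pscustomobject]@{ Identity = 'US-National';  NumberPattern = '^\+1(\d{10})$'; OnlinePstnUsages = @('US') }
    [pscustomobject]@{ Identity = 'DK-Emergency'; NumberPattern = '^\+?112$';      OnlinePstnUsages = @('DK') }
)
$routingPolicies = @(
    [pscustomobject]@{ Identity = 'Tag:US-Branch';  OnlinePstnUsages = @('US') }
    [pscustomobject]@{ Identity = 'Tag:CPH-Branch'; OnlinePstnUsages = @('DK') }
)
Test-EmergencyRouteCoverage -RoutingPolicy $routingPolicies -VoiceRoute $voiceRoutes `
    -DialString '911', '112' | Format-Table -AutoSize

# Against a live tenant, after Connect-MicrosoftTeams:
# Test-EmergencyRouteCoverage -RoutingPolicy (Get-CsOnlineVoiceRoutingPolicy) `
#     -VoiceRoute (Get-CsOnlineVoiceRoute) -DialString '911'
```

A row with Covered set to False for a dial string that branch users rely on identifies a policy that needs a matching route pattern.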
If the tenant is using Continuous Access Evaluation (CAE) tokens, the SBA will be operational only for about 30 minutes, due to the nature of continuous access evaluation. An alternative would be to disable CAE for the tenant.
When you add new Survivable Branch Appliances, it might take time before you can use them in Survivable Branch Appliance policies.
When you assign a Survivable Branch Appliance policy to a user, it might take time before the SBA is shown in the output of Get-CsOnlineUser.
Report an issue
Report any issues to your SBC vendor's support organization. When reporting the issue, indicate that you have a configured Survivable Branch Appliance.