Discover the correct source IP addresses needed to enable external Media Bypass for direct SBC access in Microsoft Teams Direct Routing deployments.
Question
You have a Microsoft Teams Phone deployment that uses Direct Routing on a single Session Border Controller (SBC).
You need to recommend which source IP addresses are needed to enable external Media Bypass for direct access to the SBC.
What should you recommend?
Select only one answer.
A. any source IP address
B. 52.112.0.0/14 only
C. 52.120.0.0/14 only
D. 52.112.0.0/14 and 52.120.0.0/14
Answer
To enable external Media Bypass for Microsoft Teams Direct Routing, the Session Border Controller (SBC) must allow media traffic directly from Teams clients outside the corporate network. Media Bypass eliminates reliance on Microsoft’s Transport Relays, routing media directly between the client and the SBC.
A. any source IP address
Explanation
The SBC must accept media from any source IP address, because in these instances the Teams client sends its media directly to the SBC. The other ranges can be used only when Media Bypass is not used externally.
Media Bypass Fundamentals
- Media Bypass allows Teams clients to directly connect to the SBC’s public IP, bypassing Microsoft’s media processors.
- For external clients (e.g., remote users), this requires the SBC’s firewall to accept traffic from any source IP address (since client IPs are dynamic and unpredictable).
Security vs. Functionality
- While Microsoft recommends restricting SBC access to Microsoft’s Transport Relay IP ranges (e.g., 52.112.0.0/14 and 52.120.0.0/14) for non-bypassed traffic, external Media Bypass explicitly requires direct client-to-SBC communication.
- Restricting IP ranges would block external clients from establishing direct media paths, defeating the purpose of Media Bypass.
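An added example, not part of the original page: a Python check of the source allow-list applied to the SBC's media ports, showing why an allow-list limited to the two relay ranges above drops external clients. The function names and the sample client addresses (documentation ranges standing in for remote users) are constructed for illustration.

```python
import ipaddress

# Relay ranges quoted on this page (used when media is NOT bypassed externally).
RELAY_RANGES = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.120.0.0/14")]
ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample sources: two remote users and one address inside a relay range.
SAMPLE_CLIENTS = ["198.51.100.23", "203.0.113.7", "52.113.4.9"]


def classify_media_allowlist(sources):
    """Classify the source CIDRs a firewall permits to the SBC media ports."""
    # Collapsing merges adjacent blocks, so "any" written as 0.0.0.0/1 + 128.0.0.0/1
    # is still recognised as any source.
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s, strict=False) for s in sources))
    if not nets:
        return "blocked"        # nothing can reach the media ports
    if nets == [ANY_IPV4]:
        return "any-source"     # external Media Bypass can work
    if all(any(n.subnet_of(r) for r in RELAY_RANGES) for n in nets):
        return "relay-only"     # only relay-routed media gets through
    return "partial"            # some external clients will be dropped


def blocked_clients(sources, client_ips):
    """Return the client IPs that the allow-list would drop."""
    nets = [ipaddress.ip_network(s, strict=False) for s in sources]
    return [ip for ip in client_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    candidates = {
        "option A": ["0.0.0.0/0"],
        "option B": ["52.112.0.0/14"],
        "option D": ["52.112.0.0/14", "52.120.0.0/14"],
    }
    for name, sources in candidates.items():
        print(name, classify_media_allowlist(sources),
              "blocked:", blocked_clients(sources, SAMPLE_CLIENTS))
```
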
Configuration Requirements
- The SBC must open UDP ports for media traffic (typically 50000–50019 for Teams clients and SBC-defined ports for inbound traffic).
- No NAT restrictions: Clients must reach the SBC’s public IP directly, even if behind a firewall.
Why Other Options Are Incorrect
B/C/D (Microsoft IP ranges): These ranges apply to non-bypassed traffic routed via Transport Relays. Media Bypass explicitly bypasses these relays, making these ranges irrelevant.
Best Practices for Security
- Use Local Media Optimization (LMO) to route internal clients to the SBC’s internal IP and external clients to its public IP, reducing exposure.
- Validate firewall configurations for hair-pinning to ensure internal clients can access the SBC’s public IP securely.
By allowing any source IP, you enable external clients to leverage Media Bypass while adhering to Microsoft’s design principles for optimal call quality and reduced latency.
This practice question and answer, with a detailed explanation, is for the Microsoft 365 Certified: Collaboration Communications Systems Engineer Associate (MS-721) certification exam.