Applies to: Exchange Online

Topic Last Modified: 2012-12-11

Session border controllers (SBCs) enable you to connect your on-premises telephony network to a Microsoft datacenter over a dedicated public WAN connection. An SBC sits on the edge of your on-premises IP network and connects to a second SBC in a Microsoft datacenter.

SBCs require the use of digital certificates to encrypt all traffic between your on-premises organization and the Microsoft datacenter. You must obtain a digital certificate for the network border element, such as a session border controller, that you’re using to communicate with Exchange hybrid and online deployments. Digital certificates establish trust between your on-premises organization and the Microsoft datacenter and enable mutual Transport Layer Security (mutual TLS). After this trust is established, the network border elements at your on-premises organization and at the Microsoft datacenter exchange session keys, and use these keys to encrypt the subsequent data traffic.

In hybrid or online deployments, a UM IP gateway represents an SBC. The subject common name in the certificate must match the fully qualified domain name (FQDN) value in the Address box on the UM IP gateway that you create. For example, if you specify the FQDN address on your UM IP gateway, make sure that the subject name and subject alternative name in the certificate contain the same value: The name that you use is case-sensitive, so make sure the case is the same on both the certificate and the UM IP gateway. If you’re using an Acme Packet SBC and the common name doesn’t match the UM IP gateway’s FQDN, the call will be rejected with a 403 error.

Because SBCs are designed to sit on the network edge, they also function as a firewall. If you set up an SBC behind your organization’s firewall, it can cause configuration problems.

Supported session border controllers

The following SBCs have been successfully tested for interoperability with Exchange hybrid and online deployments. Note that the capabilities and compatibilities of SBCs can vary, and the way you set them up can be different depending on other equipment on your network. Consult with the SBC manufacturer to see whether there are specific configuration notes for Unified Messaging in a hybrid or online deployment.



Configuration notes


Acme Packet

Net-Net 3820 or 4500

Acme Packet SBC in Microsoft Office 365 Unified Messaging

Dedicated SBC


Mediant 1000B MSBG

MSBG Session Border Controller (SBC) with IP PBX

Dedicated SBC


Mediant 1000B MSBG

MSBG Gateway and Session Border Controller (SBC) with Legacy PBX

SBC and IP gateway



Ingate SIParator Configuration Notes

Dedicated SBC


VX 1200 & VX1800

NET VX SBC Configuration Notes

SBC option for a VoIP gateway product