Deploying SBCs for Microsoft Teams Direct Routing is a complex and still-evolving topic, and I have seen customers struggle with where to place SBCs and firewalls in their DMZ or perimeter network. SBCs were developed largely because general-purpose firewalls handle the signaling and media of Unified Communications (UC)/Real-Time Communications (RTC) poorly.
Here I capture the possible SBC deployments for Microsoft Teams Direct Routing, including where the firewall sits in each. Before the scenarios, a short look at how SBCs evolved beyond firewalls.
SBCs and firewalls differ in several respects. General-purpose data firewalls have historically provided poor SIP support, causing problems with SIP call flows. Another weak spot is RTP handling. RTP ports are negotiated per call in the SDP carried inside SIP; if a firewall cannot read that signaling and open and close the corresponding UDP ports on demand (a SIP application-layer limitation of the firewall), the only alternative is to force open a large range of UDP ports permanently. If signaling is encrypted (TLS, IPsec), the firewall cannot read the SDP at all, so both the signaling port and the whole media port range must be opened statically.
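To make the pinhole problem concrete, here is an added example (my own illustration, not code from the original article or from any firewall or SBC product) that models what a SIP-aware firewall does: it reads the c= and m= lines of the SDP inside a cleartext INVITE, opens only the negotiated RTP port and its RTCP partner, skips a declined stream, and, when the signaling is TLS and therefore opaque, has nothing to read and must fall back to a standing rule. The INVITE, the addresses, the port range and the TLS-shaped bytes are all constructed for the example.

```python
"""Model of SIP-aware pinholing versus the static-range fallback.

Added example, not code from the original article.  The SIP INVITE, the IP
addresses and the port range below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    """One firewall opening: protocol, peer address, peer port."""
    proto: str
    addr: str
    port: int


# A cleartext SIP request line or status line; a TLS record will not match.
SIP_START = re.compile(r"^(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3} )")


def split_sip(message: str) -> tuple[str, dict[str, str], str]:
    """Split a SIP message into start line, lowercase header dict and body."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def pinholes_from_sdp(sdp: str) -> list[Pinhole]:
    """Derive the UDP openings a firewall needs from an SDP body.

    Handles session-level and media-level c= lines, a declined stream
    (m= port 0), an explicit a=rtcp: port, and the default RTCP = RTP + 1.
    """
    session_addr: str | None = None
    streams: list[dict] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("c="):                      # c=IN IP4 198.51.100.10
            addr = line.split()[-1]
            if streams:
                streams[-1]["addr"] = addr             # media-level connection
            else:
                session_addr = addr                    # session-level connection
        elif line.startswith("m="):                    # m=audio 40002 RTP/AVP 0 8
            port = int(line[2:].split()[1].split("/")[0])
            streams.append({"port": port, "addr": None, "rtcp": None})
        elif line.startswith("a=rtcp:") and streams:   # a=rtcp:50011
            streams[-1]["rtcp"] = int(line[7:].split()[0])

    holes: list[Pinhole] = []
    for s in streams:
        if s["port"] == 0:
            continue                                   # stream declined: nothing to open
        addr = s["addr"] or session_addr
        if addr is None:
            raise ValueError("stream has no c= line")
        ipaddress.ip_address(addr)                     # reject garbage before it becomes a rule
        rtcp = s["rtcp"] if s["rtcp"] is not None else s["port"] + 1
        holes.append(Pinhole("udp", addr, s["port"]))
        holes.append(Pinhole("udp", addr, rtcp))
    return holes


def pinholes_from_signaling(payload: bytes) -> list[Pinhole] | None:
    """What the firewall learns from one signaling packet.

    Returns the pinholes for cleartext SIP carrying SDP, an empty list for
    SIP without SDP, and None when the bytes are opaque (e.g. a TLS record):
    the firewall then cannot open ports on demand and needs a standing rule.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not SIP_START.match(text):
        return None
    _, headers, body = split_sip(text)
    if not headers.get("content-type", "").lower().startswith("application/sdp"):
        return []
    return pinholes_from_sdp(body)


def static_fallback(sbc_addr: str, port_lo: int, port_hi: int, peer_net: str) -> tuple[str, str, int, int]:
    """Standing rule needed when signaling is encrypted: the SBC's configured
    media range, only from the peer's published media network.  An "any"
    source is refused, because that is exactly the over-broad opening to avoid."""
    net = ipaddress.ip_network(peer_net, strict=False)
    if net.prefixlen == 0:
        raise ValueError("refusing a static media rule open to any source")
    if not 0 < port_lo <= port_hi <= 65535:
        raise ValueError("bad port range")
    return (str(net), sbc_addr, port_lo, port_hi)


# Constructed INVITE from a carrier-side peer; non-essential headers trimmed.
INVITE = """INVITE sip:+14255550100@sbc.example.com SIP/2.0
Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK776asdhds
From: <sip:+14255550123@198.51.100.10>;tag=1928301774
To: <sip:+14255550100@sbc.example.com>
Call-ID: a84b4c76e66710@198.51.100.10
CSeq: 314159 INVITE
Content-Type: application/sdp

v=0
o=- 0 0 IN IP4 198.51.100.10
s=-
c=IN IP4 198.51.100.10
t=0 0
m=audio 40002 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
m=video 0 RTP/AVP 96
"""

# Constructed opaque bytes shaped like a TLS record header (0x16 = handshake).
TLS_RECORD = b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    print(pinholes_from_signaling(INVITE.encode()))   # two UDP openings on 198.51.100.10
    print(pinholes_from_signaling(TLS_RECORD))        # None: nothing to read
    print(static_fallback("203.0.113.20", 6000, 7999, "198.51.100.0/24"))
```

The cleartext INVITE yields exactly two openings (RTP 40002 and RTCP 40003 to the one peer address) and none for the declined video stream, which is the narrowness a SIP-aware device buys you. The TLS-shaped bytes yield nothing, which is why encrypted signaling forces the static range; the fallback helper at least pins that range to the SBC's configured media ports and a named peer network, and refuses 0.0.0.0/0.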
Another firewall consideration is performance and throughput for RTP flows. Regardless of whether RTP ports are opened dynamically or statically, the firewall must be sized for all the simultaneous RTP flows the network has to sustain. A firewall properly sized for RTP traffic may be significantly more expensive than one that is not.
SBC-Firewall Placement Scenarios:
Direct SBC Deployment: Most networks will deploy both firewalls and SBCs. Since an SBC is essentially a purpose-built firewall for Real-Time Communications, and since legacy firewalls can perform poorly for UC/RTC, the SBC is typically deployed in parallel with the traditional firewall rather than in series: SIP signaling and RTP media terminate on the SBC, and all other traffic goes through the firewall. This is the most common and preferred approach.
SBC-Firewall Serial Deployment: A serial configuration (firewall in front of the SBC) can work where the firewall's limitations matter less because the environment's performance and capacity requirements are smaller. If the firewall is configured simply to pass RTP straight through to the SBC, though, one may question the utility of the firewall at all in this configuration.
SBC-SBC Serial Deployment: This architecture is uncommon, but some organizations prefer to keep the PSTN network away from their core voice infrastructure. In the picture below, SBC 2 faces the telecom provider and connects on its other side to SBC 1, while SBC 1 connects to the core Teams infrastructure, talking to endpoints and the Microsoft cloud.