Architecture

SBC (Session Border Controller)

An SBC sits at the edge between a private network (PBX, internal SIP) and an external SIP/PSTN network (carrier, internet). It handles security, NAT traversal, codec transcoding, topology hiding, and traffic shaping — functions that a plain SIP proxy cannot do.

What an SBC actually does

• Security: SIP firewall, DoS protection, brute-force lockout, IP ACLs.
• NAT traversal: rewrites SDP/Contact headers and bridges media so calls work across NAT.
• Transcoding: Opus ↔ G.711, G.729 ↔ G.711 between networks with different codec support.
• Topology hiding: the carrier sees only the SBC's public IP — not your internal PBX topology.
• Number normalization: rewrites caller-ID and dialed numbers between local format and E.164.
• Encryption boundary: terminates SIP-TLS / SRTP from the public side, re-originates plain SIP/RTP to the private PBX.

When you need an SBC

• Connecting Microsoft Teams to a non-Microsoft SIP carrier (Teams Direct Routing requires a certified SBC).
• Multi-carrier deployments where you want a single trust boundary.
• High-volume traffic where the PBX itself cannot handle SIP firewalling and codec transcoding.

DIDHub provides a managed SBC for Teams Direct Routing — see Teams setup. For PBX-direct trunks, no separate SBC is required.

Related terms