eBooks, Guides, & Reports • 13 MIN READ

The Complete Guide to Session Border Controllers

IR Team

Written by IR Team


In the rapidly advancing world of real-time communication, organizations no longer rely only on voice calls as their primary form of communication. Now, there are many components to the Unified Communication and Collaboration (UCC) ecosystems. These include video conferencing, desktop sharing, instant messaging, presence management and team collaboration.

All these elements working together flawlessly requires a signalling protocol, called Session Initiation Protocol (SIP). Session Initiation Protocol initiates and terminates a communication session, which could be a video conference between a team, or a call between two people. It does this by sending messages in the form of data packets between two or more IP endpoints, or SIP addresses.

See what's holding you back from your desired collaboration destination with Collab Compass.

Collab Compass CTA

SIP identifies the presence of the other parties, establishes the connection, and closes it when the session is finished, but has no control over what happens during the connection.

While this is a powerful and integral part of real-time communications, there are challenges including the implementation between various vendors, and security issues involved when moving data across the internet, and this is where Session Border Controllers (SBCs) come in.

What is a session border controller used for?

Session border controllers are designed to control communication that navigates through service provider networks, as well as handling all the signalling and media functions required to make SIP work seamlessly. SBCs enforce the Quality of Service (QoS) for conversations, as well as maintaining security.

Phone calls are referred to as sessions. Session border controller applications (SBC applications) are dedicated hardware devices or software platforms that oversee the way sessions are initiated, conducted and terminated on a voice over Internet Protocol (VoIP) network. SBCs enforce call admission control (CAC) policies and type of service (ToS) marking, or rate limiting for QoS.

The SBC acts as a router between a VoIP network and carrier network, enabling only authorized sessions to pass through the connection point or border.

An SBC defines and monitors the standard of service (QoS) status for sessions, ensuring that callers can actually communicate with each other and that emergency calls are delivered correctly and prioritized above all other calls.

The SBC can also serve as a firewall for session traffic, applying its own QoS rules and identifying specific incoming threats to the communications environment. So in effect it can control an SIP by admitting (or denying), then directing communications between multiple parties and devices.

What is an Enterprise Session Border Controller (E-SBC)?

Businesses use E-SBCs to connect and control the traffic and media services flowing through the enterprise real-time enterprise networks to the public internet, other private IP networks, and to one or more SIP trunk service provider networks.

Through SIP trunks, an E-SBC acts as a management and communication controller between the public telephone network and cloud-hosted services. An E-SBC also enforces interconnection between premise-based systems, including legacy PBXs, UC systems (e.g. Microsoft Teams), and contact center environments

An E-SBC enables:

  • Secure SIP trunking

  • Consolidated VoIP and UC networks

  • IP contact centers

  • Access to cloud and hosted IP communications services

  • Remote workers and branch offices

The main functions of an E-SBC are to access control of IP media communications signaling and media streams. An E-SBC provides a variety of functions including:


  • protection against Denial of Service (DoS) and Distributed DoS (DDoS) attacks

  • safety against toll fraud and theft

  • media and signalling encryption to maintain privacy and protection against impersonation or tampering with a session.

Interoperability between multivendor - The SBC normalizes signalling stream headers and messages to enable moderation of any multivendor incompatibilities.

Protocol interworking – The SBC enables interconnection between various different protocols and codecs.

Quality of Service (QoS) – SBC enforces call admission (or denial) policies, Type of Service (ToS) marking or rate limiting for QoS

Session Routing – Routes sessions across network interfaces, ensuring high availability or least cost routing.

Benefits of an SBC

Not incorporating an SBC as part of a Unified Communications and Collaboration (UCC) network infrastructure is an oversight that can leave systems open to security risks, and cost an organization time and money. So here are some of the benefits:

Connectivity – A session border controller connects a company’s UCC network platform to the internet, hosted Private Branch Exchange (PBX) service providers, and/or a private network. SBCs can be used to route phone traffic through internal IPs no matter what the location, so calls are routed much faster, alleviating the need for traditional, individual phone lines.

Quality – SBCs improve the quality of sessions and enhance ease of use. The PBX can be located on the LAN with a private IP address. An SBC can access control of hosted PBX signalling between the PBX and the service provider, providing signification routing capabilities.

Interoperability & Consistency- Integration of a session border controller to redirect media traffic can help with quality consistency, alleviating missed or dropped calls, poor call quality, or both. SBCs also ensure interoperability of VoIP and video devices, testing VoIP lines, monitoring sessions and more.

Mitigation – SBCs use pattern analysis to flag unusual activity. This could include the unusual surge of traffic during a DoS attack, where an overwhelming amount of traffic from a single IP address or a number of machines are simultaneously trying to make requests from the same server.

Safety – Once a session border controller identifies a potential threat, it can rapidly block the problem, notify the Central Processing Unit (CPU) of the details and implement the protocols to counteract it. An SBC can even notify a business’s other locations of the threat, to warn of similar breaches.

Media and signaling encryption - This approach applies cryptographic scrambling, called signaling encryption, to both the signaling session initiation, protocol (SIP) and media (voice, video, IM, and so on) portion of the call. A properly implemented encryption system means that malicious parties can’t eavesdrop on VoIP calls, video conferences, and other SIP-based communications.

Security – Hackers are continually evolving their attempts to breach security measures. SBC vendors provide an extra layer of protection by renewing their VoIP protocols regularly with patches and updates to keep UC systems safe.

SBC features and functionality

A session border controller does much more than control security. There are several other features and functions, including:

Normalizing Session Initiation Protocol (SIP) – As we’ve already learned, SIP is the primary protocol that controls media traffic across VoIP networks by establishing and finishing connections between two endpoints.

While SIP is a communications standard implemented by the Internet Engineering Task Force (IETF), actual implementations are left up to individual engineers and vendors. This results in systems often lacking interoperability, or using different ‘dialects’ – in other words, they don’t communicate with one another. Session border controller applications detect and normalize mismatching SIP dialects so that the VoIP sessions can continue seamlessly and without disruption.

Media transcoding – Another job of the SBC is to trans-code codecs. Codecs are the encode/decode algorithms that compress voice and video streaming signals across a UC network.

Low and high bandwidth video and voice codecs work differently on computers and tablets, dedicated VoIP phones and mobile smartphones. So if an organization’s PBX switch supports one specific codec, and an incoming call is using a different codec, the SBC will understand both codecs. In real time and in both directions, an SBC will transcode between the two codec types as the media traffic passes through the VoIP networks.

Bandwidth restrictions – There are codecs available that can trade fidelity and audio/video quality for greater compression, therefore using less bandwidth. An SBC sitting between networks recognizes this situation and transcodes to and from lower bandwidth codecs when necessary.

Premises-based/outsourced SBC or SBCaaS? - To decide which option is most suitable for enterprise networks depends on the company’s philosophy on in-house management, internal IP networks, outsourcing and use of cloud media services.

Session border controller on premises/outsourced - When SBCs remain onsite, internal IP networks can be installed and managed by in house. However, this option may overload busy IT staff, require additional hardware, and prevent them from focusing on more strategic endeavors.

Outsourcing the management of VoIP networks to a service provider can be an option. Increasingly however, providers are moving towards the virtual SBC model, where they can handle it from their cloud environment.

SBCs as a Service (SBCaaS) - As many companies are choosing the option of having less hardware to manage on premises, SBCaaS is a good fit for companies using more cloud-based services. It means that IT teams can utilize the benefits of virtualizing servers, storage and other infrastructure. The benefits include faster deployment, higher utilization rates, ease of management and scalability, resulting in lower overall operating costs.

Back-to-Back User Agent (B2BUA) - A Back-to-Back User Agent controls SIP signaling between two separate SIP endpoints. A B2BUA acts as a User Agent Server (UAS) which processes the received requests when received from a User Agent Client.

In the diagram below in SIP Network 1, the SBC receives an 'invite' message. The Session Border Controller in this instance acts as the UAS. The Client (UAC) is the device labeled SIP Device 1. The SBC then propagates the invite message to the outgoing leg and at this point becomes the UAC. In SIP Network 2, the device labeled SIP Device 2 is the UAS. The example below displays the SBC operating as both a User Agent Server and a User Agent Client.  

Back-to-back User Agent 'Invite' message

Image source: Dialogic

What is Lawful Intercept (LI)?

LI is a legally sanctioned process which can enable a service provider or network operator to collect and provide law enforcement officials with intercepted communications of private individuals or organizations through an SBC.

Media Optimization for Direct Routing

Public Switched Telephone Network (PSTN) voice is considered a business-critical application for VoIP networks, with high expectations for voice quality. Direct Routing enables control of media traffic flows, or the ability to redirect calls to accommodate a multitude of network topologies and local telephony setups for various enterprises all over the world.

Below is an example of how an SBC works to redirect media traffic when a user is connected to the corporate network in the user’s home branch office or site.

While on premises, the user is assigned to the local branch office in Germany. The user makes a Direct Routing phone call through Teams.

  • The user’s Teams client communicates to Phone System directly through the REST API, but the media generated during the call flows to the central SBC’s internal IP address.

  • The SBC redirects the flow to Phone System and the connected PSTN network.

  • The central SBC is visible to Phone System through the external IP address only.

Traffic flow when the user is in the ‘home’ site with a centralized SBC and with a connected centralized SIP Trunk.

Diagram showing traffic flow Local Media Optimization.

Image source: Microsoft

What are Digital Signal Processors?

Digital Signal Processors (DSPs) take real-world signals like voice, audio, video, temperature, pressure, or position that have been digitized and then mathematically manipulate them. A DSP is designed to provide measurement for performing mathematical functions like adding, subtracting, multiplying and dividing at speed.

Monitoring and troubleshooting

The modern unified communications (UC) ecosystem is often comprised of VoIP networks, video conferencing applications and complex, multi-vendor systems. The efficient operation of any corporate network relies on the compatibility and communication between all the moving parts - including session border controllers.

IR Collaborate provides end-to-end support and visibility across all SBCs and media gateways, including Cisco, AudioCodes SBC, Oracle SBC, Sonus SBC and more. Get the support you need to effectively monitor, troubleshoot and optimize SBCs, and deliver seamless, reliable customer and remote working interactions.

Find out more about how you gain gain end-to-end visibility across SBCs.

Topics: Communications Performance management Proactive troubleshooting eBooks, Guides & Reports Session Border Controllers Collaborate

Subscribe to our blog

Stay up to date with the latest
Collaborate, Transact and Infrastructure
industry news and expert insights from IR.