Session Border Controller for MSPs: How to Secure and Scale Multi-Client Voice

Session Border Controller for MSPs

If you run a managed service provider that touches voice, you already know the pain. Every client has a different PBX, a different SIP trunk provider, and a different set of requirements that somehow all need to work together. Microsoft Teams Direct Routing requests are stacking up. The FCC wants STIR/SHAKEN compliance. And the person who configured your current SBC just gave their two weeks’ notice.

A Session Border Controller (SBC) sits at the center of all of this. It secures voice traffic at the network edge, normalizes SIP signaling between incompatible systems, enforces regulatory compliance, and isolates client environments from each other. For MSPs specifically, the SBC is not just a network element; it is the operational backbone of a multi-client voice business.

This page covers what MSPs specifically need from an SBC, how to evaluate the options on the market, and what the real economics look like when you are managing voice across dozens of accounts.

Key Terms and Concepts
A quick-reference glossary for terms used throughout this article.
SBC (Session Border Controller) A network element that sits at the edge of your network, inspecting and modifying SIP signaling and media streams to enforce security policies, normalize incompatible systems, and isolate tenant environments from each other.
NAP (Network Access Point) A logical configuration within an SBC that represents a connection point for either a carrier, a PBX, or a Teams environment. Each NAP carries its own routing rules and security policies.
Teams Direct Routing A Microsoft feature that allows organizations to bring their own Session Border Controller and SIP trunk provider to handle voice calling within Microsoft Teams, rather than relying on Microsoft’s carrier connectivity.
STIR/SHAKEN An FCC-mandated framework for combating caller ID spoofing. The SBC handles call signing at origination and verification at termination to authenticate that calls are coming from legitimate sources.
B2BUA (Back-to-Back User Agent) An SBC architecture that terminates and re-originates every SIP session, giving the SBC complete control over signaling on both the incoming and outgoing legs. This is essential for SIP normalization across multiple vendors.
TDoS (Telephony Denial of Service) A type of attack that floods a voice infrastructure with malicious SIP calls or registration attempts to disrupt legitimate voice service. Built-in SBC protection detects and throttles these attacks at the signaling layer.
SIP Normalization The process of modifying SIP headers and parameters to make traffic from one system compatible with another. Different PBX platforms and carriers use incompatible SIP dialects; the SBC bridges these differences.
Topology Hiding A security feature that removes internal IP addresses from SIP headers so that external parties cannot map your internal network infrastructure through SIP signaling inspection.
SRTP (Secure Real-time Transport Protocol) Encryption of voice media (RTP) in transit. Required for Teams Direct Routing and other security-sensitive deployments.
High Availability (1+1) Active/standby redundancy where a second SBC instance stands by to take over if the primary instance fails, ensuring continuous voice service with minimal downtime.

Why MSPs Need a Dedicated SBC Strategy

Most SBC vendor content is written for single-enterprise deployments: one company, one PBX, one carrier. That is not how MSPs work. An MSP managing 50 business clients might be routing SIP traffic across three or four carriers, supporting FreePBX for one client, 3CX for another, and NetSapiens for a third, all while fielding requests to add Microsoft Teams calling.

There are five forces pushing MSPs toward a more deliberate SBC strategy right now.

Teams Direct Routing is the Number One Purchase Trigger

More than half of the MSP conversations TelcoBridges has had in the past year started with a client asking about Teams voice. The client wants to make and receive phone calls inside Microsoft Teams, and the MSP needs an SBC that supports Direct Routing to make that happen. This single use case is driving more SBC evaluations than any other.

STIR/SHAKEN Compliance Pressure is Real

FCC rules require voice service providers to implement STIR/SHAKEN call authentication. Some upstream carriers have reduced their attestation levels (dropping from A-level to C-level), which means MSPs are being forced to handle their own call signing. An SBC that integrates with third-party signing services gives MSPs the flexibility to meet these requirements without being locked into a single vendor’s proprietary implementation.

Security Threats Target VoIP Infrastructure Directly

Telephony Denial of Service (TDoS) attacks, SIP registration floods, and toll fraud are not theoretical risks. One MSP reported receiving 1,500 malicious calls per day from distributed real-person sources in a sustained TDoS campaign. A standard network firewall does not inspect SIP signaling or media; it cannot distinguish a legitimate INVITE from an attack. The SBC is the only network element purpose-built to handle these threats.

Multi-Tenant Complexity Compounds Over Time

Each new client adds a carrier, a PBX platform, a set of dial plans, and a compliance profile. Without a centralized SBC, an MSP ends up managing this complexity across scattered configurations. A single SBC instance with proper tenant isolation reduces this to a manageable, repeatable deployment pattern.

Staff Turnover Creates Immediate Operational Risk

When the person who manages your SBC leaves, every client’s voice service is one misconfiguration away from an outage. This is the most common trigger for MSPs to evaluate managed SBC services. The decision is not about technical capability; it is about time and risk.

What to Look for in an SBC for MSPs

Not every SBC is built for multi-client operations. Enterprise SBCs are designed around a single organization’s needs. What follows are the specific capabilities that matter when you are running voice for many clients from a single platform.

Multi-Tenant Architecture

The SBC needs to support logical separation between client environments within a single deployment. In practice, this means configurable Network Access Points (NAPs) or trunk groups per client, so that traffic from Client A never crosses into Client B’s environment.

Look for an SBC that supports a large number of NAPs. ProSBC, for example, supports up to 1,024 Network Access Points per server, which means a single instance can handle hundreds of client-carrier relationships. Each NAP carries its own routing rules, security policies, and call detail records, giving MSPs the per-client isolation they need without deploying separate SBC instances for every account.

Microsoft Teams Direct Routing Support

Since Teams DR is the most common driver for MSP SBC purchases, this capability deserves close scrutiny.

Teams Direct Routing requires SIP over TLS for encrypted signaling, SRTP for encrypted media, and SIP OPTIONS health check support. The SBC must present a valid TLS certificate that chains to a trusted Certificate Authority, and it needs to handle the specific SIP header requirements that Microsoft expects.

A note on certification: Microsoft maintains a list of certified SBCs for Teams Direct Routing. Some SBCs appear on this list; others support Teams DR technically without holding formal Microsoft certification. ProSBC supports Teams Direct Routing and has been successfully deployed in Teams DR environments, but it has not obtained formal Microsoft certification (it does not appear on Microsoft’s certified SBC list). If your clients require a certified SBC specifically, check Microsoft’s published list. If your clients need Teams voice to work reliably, the technical implementation matters more than the certification badge.

STIR/SHAKEN and Regulatory Compliance

FCC rules require that voice service providers implement STIR/SHAKEN to combat caller ID spoofing. The SBC is typically the network element that handles call signing (at origination) and verification (at termination).

There are two approaches in the market. Some SBC vendors bundle a proprietary STIR/SHAKEN implementation that locks you into their chosen signing partner. Others provide an open integration model where the SBC connects to any third-party signing service via standard APIs.

For MSPs, the open model is almost always better. You may need to work with TransNexus for one carrier relationship and Neustar for another. ProSBC’s Ruby routing engine integrates with any third-party signing service, supporting full STIR/SHAKEN signing, attestation, and verification with primary and secondary URL redundancy. If the signing service is temporarily unavailable, a fallback mechanism appends a P-Identity-Bypass header so calls are not dropped.

STIR/SHAKEN attestation has three levels: A (Full) means the provider authenticates the calling party, B (Partial) means the provider knows where the call originates but not the specific caller, and C (Gateway) means the call enters from an untrusted source. MSPs handling their own attestation need an SBC that gives them control over which level to assign per route.

Security at the Network Edge

An SBC built for MSP operations needs layered security that goes beyond basic access control. The key capabilities to evaluate:

DoS and DDoS ProtectionBuilt into the SBC, not bolted on as an add-on. The SBC should detect and throttle SIP floods, INVITE storms, and registration attacks at the signaling layer.

Dynamic Blacklisting and Call Access ControlAllows blocking specific IP ranges, calling numbers, or called numbers. Percentage-based greylisting is useful for throttling suspicious traffic without hard-blocking it.

SIP Registration Scanning ProtectionDetects and blocks registration flood attacks, which are a common precursor to toll fraud.

Topology HidingConceals your internal network IP addresses from external parties. This prevents attackers from mapping your infrastructure through SIP headers.

A standard network firewall is not a substitute. Firewalls operate at the IP and port level with global rules. They cannot inspect SIP signaling, they do not understand VoIP-specific attack patterns, and SIP ALG (Application Layer Gateway) features on consumer firewalls are notorious for breaking legitimate VoIP traffic rather than protecting it.

Deployment Flexibility

MSPs run diverse infrastructure. Some are all-in on AWS. Others run VMware or KVM/Proxmox on-premises. Some have clients in regulated industries that require data to stay within specific jurisdictions.

The SBC should run on the platforms MSPs already use: AWS, Microsoft Azure, VMware, KVM/Proxmox, or bare metal servers. ProSBC runs on all of these, and AWS is the most widely deployed option among ProSBC customers. For MSPs with clients in regions that have data residency requirements (GDPR, for example), the ability to deploy on the client’s own infrastructure while maintaining centralized management is critical.

Configurable Routing and API Access

MSPs managing complex voice environments need more than static routing tables. The SBC should offer a configurable routing engine that can make real-time decisions based on call parameters.

ProSBC provides a Ruby routing engine that exposes call parameters for custom logic. This supports fraud detection scoring (querying external services like TransNexus ClearIP or SecureLogix per call), external HTTP queries for CRM integration or number portability lookups, and configurable routing rules that can be adjusted per NAP without touching the core configuration.

This is different from marketing claims about “AI-powered routing” or “intelligent call management.” What MSPs actually need is access to the call data and the ability to write rules against it. The distinction matters: configurable means you control the logic; “intelligent” usually means the vendor controls it.

SBC Pricing for MSPs: The Real Economics

Most SBC vendors do not publish pricing. You fill out a form, wait for a sales call, and eventually receive a quote that is difficult to compare against alternatives. This makes it nearly impossible for MSPs to model per-client economics before committing.

ProSBC is the only SBC vendor with publicly listed per-session pricing. The base rate is $1.25 per session per server per year. No hidden platform fees. No minimum term.

Here is what that looks like at typical MSP scale: 500 sessions on a single server costs $625 per year. Add a second server for 1+1 High Availability (active/standby redundancy for maximum uptime and minimal downtime), and the licensing doubles to $1,250 per year. With 24/7 support included, a 500-session HA deployment runs approximately $2,500 per year.

Adding Teams Direct Routing support costs $0.75 per session per year. So a 500-session deployment with Teams DR, HA, and 24/7 support comes to approximately $3,125 per year.

At larger scale, the economics get even better. A 1,500-session deployment without HA costs $1,875 per year.

ProSBC vs. Competitors: Pricing Comparison

For comparison: Oracle’s SBC pricing runs approximately $100 per session per year. That means a 1,500-session Oracle deployment costs roughly $150,000 per year. The same deployment on ProSBC costs under $2,000. Ribbon pricing varies, but a 1,400-session example quoted approximately $3,850 per year in licensing plus an $8,000 one-time setup fee.

The pricing model is subscription-based (OPEX), not a hardware capital expenditure. There are no per-minute charges, no hidden platform fees, and no minimum term beyond the annual subscription.

The Managed Service Option

For MSPs who do not want to manage the SBC themselves, TelcoBridges offers a fully managed SBC service. This includes ProSBC+ with 1+1 HA, 24/7 support, setup, integration, testing, and ongoing monitoring.

The managed service starts at approximately $500 to $600 per month for smaller deployments (around 100 sessions). For larger deployments (1,000+ sessions), pricing runs approximately $1 per session per month.

The managed service can be deployed on the customer’s own platform (AWS, Azure, VMware, or KVM) or hosted by TelcoBridges. The customer chooses. Either way, the customer retains full access to their SBC.

Compare the managed service cost ($5,000 to $20,000 per year depending on scale) against the cost of hiring a dedicated SBC engineer ($60,000 to $100,000 per year in salary alone, before benefits, training, and on-call coverage). For most MSPs, the math is straightforward.

Self-Managed vs. Managed SBC: Which Path Fits Your MSP?

This is not a one-size-fits-all decision. It depends on your team, your scale, and your appetite for operational risk.

Self-Managed Works When

  • Your team includes someone with SBC expertise (or the willingness to build it)
  • You want full control over configuration and updates on your own schedule
  • You have the capacity to handle troubleshooting and incident response for voice issues across your client base

Managed Makes More Sense When

  • Your SBC person just left (or never existed)
  • You are growing your client base faster than your technical team
  • Your clients expect 24/7 voice uptime but your team operates on business hours
  • You want to offer Teams Direct Routing and STIR/SHAKEN to clients without building that expertise in-house

The most common pattern TelcoBridges sees: an MSP starts self-managed, their SBC administrator leaves for another role, and the managed service conversation happens within weeks. The trigger is not a lack of capability. It is a lack of time, combined with the realization that voice infrastructure is not where the MSP’s competitive advantage lies.

A middle ground exists too. Some MSPs start with the managed service while they are learning the platform, then transition to self-managed once they have built internal expertise. The managed service contract is billed monthly, so there is no long-term lock-in.

How to Evaluate an SBC: MSP Checklist

Before committing to any SBC platform, run through these questions. They are specific to MSP operations and will surface the differences between options faster than a generic feature comparison.

1

Can You Test It Without a Sales Call?

If the vendor requires you to talk to sales before you can touch the product, that tells you something about their go-to-market model. ProSBC Lab offers a permanently free 3-session lab license that is self-serve and takes approximately 20 minutes to get running. There is also a 30-day free trial with 500 concurrent sessions. No sales call required for either.

2

Does It Support Your PBX Platforms?

If your clients run FreePBX, confirm that the SBC handles the specific SIP quirks of each platform.

3

Can You Isolate Client Traffic?

Ask how many NAPs or trunk groups the SBC supports per instance. If the answer is less than a few hundred, you will hit a ceiling as your client base grows.

4

What Does Pricing Look Like at Your Scale?

Model the cost at your current session count and at 2x growth. Include support, HA, and any add-ons (Teams DR, STIR/SHAKEN). If the vendor will not give you pricing without a meeting, use ProSBC’s published rates as a benchmark.

5

Is There a Managed Option If You Need It Later?

Even if you plan to self-manage today, knowing that a managed path exists protects you against the staff turnover scenario. Confirm whether the managed service can run on your existing infrastructure.

6

How Does It Handle Teams Direct Routing?

Ask specifically whether the SBC supports or is certified for Teams DR, and understand what that means for your clients. Certification appears on Microsoft’s published list. Support means the technical implementation works but is not formally listed by Microsoft.

7

What Is the Back-to-Back User Agent (B2BUA) Architecture?

An SBC that operates as a full B2BUA terminates and re-originates every SIP session, giving complete control over signaling on both legs. This is essential for SIP normalization across multiple vendors. A lightweight SIP proxy does not offer this level of control.

Getting Started

The fastest way to evaluate an SBC for your MSP is to run it in a lab.

ProSBC Lab

A permanently free, 3-session license designed specifically for testing. It is self-serve (no sales call, no approval process), sets up in approximately 20 minutes, and includes Teams Direct Routing capability. Use it to validate your specific SIP trunk configurations, test PBX interoperability, and confirm that the platform works before committing any budget.

30-Day Free Trial

If you need to test at production scale, the 30-day free trial provides 500 concurrent sessions. This is enough to onboard a real client environment and validate under load. A credit card is required, and the trial can be cancelled anytime before day 30.

Managed Service

For MSPs who want the SBC running without managing it, TelcoBridges’ Managed Service handles the full deployment: setup, integration, testing, monitoring, and 24/7 support. The managed service runs on your infrastructure or is hosted by TelcoBridges, your choice. Contact TelcoBridges directly to scope a managed deployment.

ProSBC is built by TelcoBridges, a Canadian telecom infrastructure company with over 20 years of SIP deployment experience and installations in more than 110 countries. ProSBC supports up to 60,000 sessions per server and 350,000 endpoint registrations.

Frequently Asked Questions

What is the best SBC for MSPs?

The best SBC for MSPs depends on your specific needs, but key criteria include multi-tenant architecture supporting hundreds of Network Access Points, Teams Direct Routing support, STIR/SHAKEN compliance capability, DoS/DDoS protection built into the platform, flexible deployment options (AWS, Azure, VMware, KVM), and transparent pricing. ProSBC is designed specifically for MSP operations and offers all of these capabilities with publicly listed pricing at $1.25 per session per server per year.

How much does an SBC cost for an MSP?

SBC pricing varies widely depending on vendor and deployment scale. ProSBC offers transparent per-session pricing at $1.25 per session per server per year. A 500-session deployment with 1+1 High Availability and 24/7 support runs approximately $2,500 per year. Adding Teams Direct Routing costs an additional $0.75 per session per year. For comparison, Oracle SBC pricing runs approximately $100 per session per year, while some vendors like Ribbon run several thousand dollars plus setup fees. Many vendors do not publish pricing, requiring a sales conversation.

Do MSPs need STIR/SHAKEN compliance?

Yes, FCC rules require voice service providers to implement STIR/SHAKEN call authentication. MSPs managing voice for multiple clients need to handle call signing (at origination) and verification (at termination). The SBC is typically the network element that performs this function. An SBC with open integration to third-party signing services (such as TransNexus or Neustar) gives MSPs flexibility to work with multiple signing partners rather than being locked into a single vendor’s proprietary implementation.

Can one SBC serve multiple MSP clients?

Yes, a properly designed SBC with multi-tenant architecture can serve hundreds of MSP clients from a single instance. The key capability is configurable Network Access Points (NAPs) or trunk groups that logically separate each client’s environment. ProSBC, for example, supports up to 1,024 Network Access Points per server, with each NAP carrying its own routing rules, security policies, and call detail records. This allows a single SBC to handle complex multi-client deployments without deploying separate instances for every account.

Evaluate ProSBC for Your MSP

ProSBC Lab is free to use, takes 20 minutes to set up, and requires no sales call. Test it with your own SIP configurations and see how it handles your specific multi-client environment.

Request a Demo
Start Your 30-Day Free Trial

Explore ProSBC features and deployment options.