A session border controller (SBC) is a purpose-built network element that sits at the border between two VoIP networks and controls the SIP signaling and RTP media that cross it. It is the demarcation point where one party’s trust in the traffic ends and the other’s begins. Carriers deploy SBCs at the edges of their networks as a matter of basic architecture; enterprises deploy them when their PBX or Teams environment needs a controlled, secure interface to the outside world. This guide is written by SIPNEX, an FCC-licensed carrier — the carrier-side view of what SBCs actually do, where they belong, and when you need to own one.
Session border controller functions
An SBC is a back-to-back user agent: it terminates every SIP session on one side and re-originates it on the other. Nothing passes through untouched. That design is what makes every one of its functions possible, and it is also what separates an SBC from a firewall that merely inspects packets in flight. The core functions of deployed SBCs are documented by the IETF in RFC 5853, and they group into five jobs.
Security demarcation. The SBC is the only element that untrusted networks can reach. It enforces access control on SIP sources, rate-limits registration and INVITE floods, drops malformed messages before they reach softswitches or PBXs, and terminates TLS/SRTP where encryption ends. Everything behind it can assume the traffic has already been screened.
NAT traversal. Because the SBC rewrites signaling and relays media itself, it solves the private-address problem that breaks so many SIP deployments: it presents routable addresses to the far side regardless of what NAT sits behind it, keeps pinholes alive, and makes audio flow where a naive router would produce one-way or dead air.
Protocol normalization. No two SIP stacks speak quite the same dialect. The SBC repairs and translates between them — header manipulation, SIP variant interworking, codec transcoding where the two sides share no common codec, DTMF format conversion. Interop problems get fixed once at the border instead of on every endpoint.
Topology hiding. By re-originating every session, the SBC strips the internal addresses, hostnames, and routing structure of the network behind it from the messages it sends. The far side sees one address: the SBC. Internal infrastructure stays invisible to peers, competitors, and attackers.
Media anchoring. The SBC forces RTP through itself rather than letting endpoints exchange media directly. That is what enables lawful intercept, quality measurement, transcoding, and recording — and it guarantees the media path actually works, because both endpoints only ever talk to the anchor.
Where SBCs sit in a VoIP network
SBCs live at borders, and there are two that matter.
The carrier edge. Every serious carrier runs SBCs at its network perimeter — facing peer carriers on one side and customers on the other. This is not a product feature; it is how a voice network is built. When your PBX or dialer sends an INVITE to a SIP trunking provider, the element that answers is the carrier’s SBC. It authenticates you, polices your traffic against your allowed rate, normalizes your SIP dialect, anchors your media, and hides the carrier’s internal switching core from you — exactly the five functions above, pointed in both directions. SIPNEX operates its network this way structurally: customer traffic and peer traffic each cross a controlled border, which is a large part of why interop and audio-path problems get caught at the edge instead of mid-call.
The enterprise edge. An organization runs its own SBC when its phone system needs a controlled interface to external SIP networks. The clearest example is Microsoft Teams: Direct Routing requires a Microsoft-certified SBC between Teams and your carrier’s SIP trunks — Microsoft certifies specific vendors and firmware versions and only supports Direct Routing through certified devices. The SBC translates between Teams’ SIP implementation and the carrier’s, which is protocol normalization doing exactly the job it exists for. Our Teams Direct Routing solution page covers how the carrier side of that architecture fits together.
Large contact centers, ITSPs reselling voice, and enterprises peering with multiple carriers sit in the same category: any operation whose border carries enough traffic, enough carriers, or enough compliance obligations to justify a controlled demarcation point of its own.
SBC vs firewall vs SIP ALG
These three get conflated constantly, and the differences decide whether your calls work.
A firewall filters packets by address, port, and protocol. It has no concept of a SIP dialog: it cannot know that the INVITE it passed on port 5060 promised RTP on a dynamically negotiated port pair, so it either blocks the media or requires holes wide enough to defeat the point. Firewalls are necessary — they are just not voice-aware.
A SIP ALG is a firewall vendor’s attempt to bolt that awareness on: a router function that rewrites SIP packets in flight to fix NAT addressing. In practice it is the anti-pattern cousin of the SBC — a partial, frequently broken rewrite that mangles headers, breaks registrations, and causes one-way audio. It shares the SBC’s goal (NAT traversal) with none of its architecture: no session state ownership, no media anchoring, no normalization, no security posture. The standard advice from carriers, SIPNEX included, is to turn it off — our SIP ALG explainer covers why in detail, with router-specific disable guides.
An SBC owns the session end to end. It is a SIP endpoint in its own right, not a packet rewriter, which is why it can do securely and reliably what an ALG attempts and botches. The practical rule: keep the firewall, disable the ALG, and let an SBC — yours or your carrier’s — handle the border.
When you need your own SBC
Not every operation should buy one. The honest decision tree looks like this.
Rely on the carrier edge when you run a single PBX or dialer against one or two SIP trunk providers. The carrier’s SBC already performs registration handling, NAT traversal, normalization, and traffic policing at its side of the border. A well-configured firewall with SIP ALG disabled, plus a PBX that handles its own NAT settings, is a normal and sound architecture at this scale. Adding an enterprise SBC here buys complexity, not capability.
Deploy your own SBC when one of these is true: you run Teams Direct Routing (a certified SBC is a hard requirement, not a preference); you interconnect with multiple carriers and need one consistent SIP dialect facing your core; you resell voice and must hide your customers and infrastructure from your upstreams; you have regulatory or recording obligations that demand media anchoring under your control; or your scale makes the border itself a security surface worth dedicated policing.
Either way, the carrier behind the border still matters. An enterprise SBC normalizes signaling — it cannot fix a provider’s routing quality, attestation level, or channel limits. Pair the right border architecture with a carrier worth bordering; our guide to vetting SIP trunk providers covers what to check on that side.
Frequently asked questions
What does a session border controller do?
A session border controller manages the SIP signaling and RTP media crossing the boundary between two VoIP networks. Its five core functions are security demarcation (screening and policing all traffic at the border), NAT traversal, protocol normalization between different SIP implementations, topology hiding (concealing internal network structure), and media anchoring (forcing audio through a controlled relay). It does this by terminating every session on one side and re-originating it on the other, as described in IETF RFC 5853.
Is an SBC the same as a firewall?
No. A firewall filters packets by address, port, and protocol but has no understanding of SIP sessions — it cannot correlate signaling with the dynamically negotiated media ports a call uses. An SBC is a voice-aware SIP endpoint that owns the entire session, anchors the media, and normalizes the signaling. Most networks run both: the firewall guards general traffic while the SBC — the enterprise’s own or the carrier’s edge SBC — controls the voice border.
What is the difference between an SBC and SIP ALG?
Both target NAT traversal, but a SIP ALG is a router feature that rewrites SIP packets in flight — partially, statelessly, and often incorrectly, which is why it causes one-way audio and dropped registrations. An SBC terminates and re-originates the session as a full SIP endpoint, so its rewrites are complete and consistent. Carriers routinely tell customers to disable SIP ALG; our SIP ALG explainer covers the failure modes and per-router disable steps.
Does Microsoft Teams Direct Routing require a certified SBC?
Yes. Microsoft only supports Phone System with Direct Routing through SBCs it has certified, on specific vendor firmware versions, and reserves the right to reject support cases involving non-certified devices. The certified SBC sits between Teams and your carrier’s SIP trunks and translates between the two SIP implementations. The carrier side of that pairing is covered on our Teams Direct Routing page.
Do I need my own SBC for a SIP trunk?
Usually not at small and mid scale. Your carrier already runs SBCs at its network edge, handling NAT traversal, normalization, and traffic policing on its side of the border — a single PBX or dialer with a properly configured firewall and SIP ALG disabled connects to a SIP trunk without one. An enterprise SBC earns its cost when you run Teams Direct Routing, interconnect with multiple carriers, resell voice, or need media anchoring for recording or compliance under your own control.
SIPNEX is an FCC-licensed carrier that runs controlled SBC borders at every edge of its network — so the traffic on your SIP trunk is screened, normalized, and media-anchored before it ever reaches the PSTN. Point your PBX, dialer, or certified SBC at a carrier built for it: get connected or call (833) 665-2220.
Keep reading.
The carrier built by operators, for operators.
FCC-licensed carrier with its own STIR/SHAKEN SP certificate. Operator-owned. SIP trunks built for operators who dial at volume.