Session Border Controller

The identity-aware sovereign communications gateway. SBC, WebRTC meetings, Voice AI, OIDC and EU Wallet verification — self-hosted in one European stack.

For regulated organisations that would otherwise buy an SBC, identity platform, meeting service and AI telephony system separately.

Hot-reload, no restart · Air-gappable · ICE-Lite (RFC 8445) · TURN UDP / TCP / TLS

The CodeB SIP bridge is a Session Border Controller in the classic sense: it sits at the boundary of your VoIP network, secures and normalises every SIP message, rewrites Contact URIs through NAT, gates calls by per-tenant policy, signs outbound caller-ID, and writes audit-grade CDRs. What it does that legacy SBC appliances don’t: ship in the same Windows + IIS install as an OpenID Connect identity provider, an EU Digital Identity Wallet verifier, browser meetings with a self-hosted SFU, and a voice-AI receptionist on every virtual number.

TCO angle: traditional procurement adds up an SBC contract, an IdP contract, a meeting-tool contract and an AI-telephony contract — with four support phones to ring. CodeB is four product lines under one licence and one support contract.

Why an SBC + bundle? Most regulated organisations end up buying an SBC (for SIP security), an identity platform (for OIDC + passkeys + EU Wallet), a meetings tool (for browser video) and a voice-AI add-on (for after-hours and overflow) from three or four separate vendors. The CodeB stack covers all four on one Windows server, on hardware you control, with a single per-tenant credential store and one audit log. NIS2 / DORA / CRA-aligned by default. EU-built. No US-cloud data-residency mitigations needed because the data never leaves your premises.

00 / ARCHITECTURE

Where the SBC sits in the call path.

External traffic enters from the public internet (SIP trunks, hardphones, PSTN). Every byte hits the CodeB SBC border first — ACL, FraudGuard, NAT rewrite, identity gate, recording sidecar — before reaching any tenant. Internal participants land on the same boundary from the inside: browsers (WebRTC), SIP phones (soft + hard), AI virtual numbers. One process, one audit log, per-tenant isolation by request domain.

[Diagram: CodeB SBC border architecture. Left, EXTERNAL / INTERNET: SIP carriers (Sipgate, your ITSP), PSTN gateways (FRITZ!Box, Asterisk), remote hardphones (Sangoma, Yealink) and hostile traffic (toll fraud, brute force, DoS), all arriving as SIP over UDP / TCP / TLS. Centre, CODEB SBC BORDER, one process with per-tenant isolation by request domain: ACL + FraudGuard (CIDR + glob, brute-force, premium-rate block); SIP registrar + NAT (Contact rewrite, symmetric RTP); topology hiding (alias-routed dial numbers); session policy (rate-limit, licence-gate, per-tenant caps); WebRTC ↔ SIP gateway (DTLS-SRTP / Opus ↔ G.711 / TURN); OIDC IdP + EU Wallet (RS256 per-tenant, OID4VP 1.0); PAI / RPID signing (outbound caller-ID per trunk); signed CDRs + recording (ECDSA-P256 sidecar, per-peer consent); voice AI engine with per-vnum personas (real-time, multilingual, transfer-to-human, signed transcripts). Right, PER-TENANT / INTERNAL: browser meetings (WebRTC / mesh + SFU), SIP phones (PWA, hardphones, mobile), identity-verified users (OIDC + passkey + EU Wallet), AI virtual numbers (per-vnum persona prompts), each under App_Data/<tenant>/. Footer: Windows Server + IIS · no third-party cloud in the call path · air-gappable · designed to support NIS2 · DORA · CRA · eIDAS 2.0 implementation.]

01 / WEBRTC ↔ SIP GATEWAY

The function pure SBCs delegate to a separate box.

Many traditional SBC deployments still require a separate meetings, signalling, TURN or browser-application layer — even when WebRTC is supported, the meeting/SFU tier usually lives in a different product. CodeB integrates the SBC, WebRTC gateway, TURN, browser meetings and SFU in one installation, on the same process and the same TURN.

ICE-Lite + TURN on UDP / TCP / TLS

The bridge speaks ICE-Lite (RFC 8445) on the SIP side. Modern hardphones (Yealink T5x, Polycom VVX, Cisco 7800/8800, Sangoma P-series, Snom D-series) negotiate a working media path through any NAT topology without phone-side STUN configuration — host + TURN relay candidates in every SDP answer, STUN BINDING checks answered on the RTP socket, USE-CANDIDATE nomination locks the proven path. TURN on UDP, TCP and TLS in the same .NET service — works through 443-only firewalls. No third-party STUN, no per-minute TURN bills.

Zero-config provisioning. On every bridge boot the service inspects each tenant’s configuration and auto-generates any missing TURN credentials — long-term secret, realm, advertised host:port and static credentials — then persists them atomically to appsettings.json. New tenants onboarded between boots get the same credentials filled in the moment the bridge next starts. The operator never edits a TURN secret by hand. Operator-set values are preserved; only missing keys are filled in.
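The fill-only-missing-keys rule and the atomic persist described above, as an added Go example that is not CodeB's code: the TurnConfig field names, the 3478 default port and the JSON layout are assumptions for illustration, not the product's real appsettings.json schema. The point it shows is that operator-set values survive a regeneration pass and that a crash during the write can never leave a half-written settings file behind.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// TurnConfig holds the per-tenant TURN keys the text names. The field names,
// the 3478 default port and the JSON layout are assumptions for this example,
// not the product's real appsettings.json schema.
type TurnConfig struct {
	LongTermSecret string `json:"LongTermSecret,omitempty"`
	Realm          string `json:"Realm,omitempty"`
	AdvertisedHost string `json:"AdvertisedHost,omitempty"`
	StaticUser     string `json:"StaticUser,omitempty"`
	StaticPassword string `json:"StaticPassword,omitempty"`
}

// randomToken returns nBytes of CSPRNG output as hex; a failing CSPRNG is fatal.
func randomToken(nBytes int) string {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// FillMissingTurn fills only empty fields and returns the names it generated.
// Values the operator already set are never overwritten.
func FillMissingTurn(c *TurnConfig, tenantHost string) []string {
	var filled []string
	if c.LongTermSecret == "" {
		c.LongTermSecret = randomToken(32)
		filled = append(filled, "LongTermSecret")
	}
	if c.Realm == "" {
		c.Realm = tenantHost
		filled = append(filled, "Realm")
	}
	if c.AdvertisedHost == "" {
		c.AdvertisedHost = tenantHost + ":3478"
		filled = append(filled, "AdvertisedHost")
	}
	if c.StaticUser == "" {
		c.StaticUser = "turn-" + randomToken(4)
		filled = append(filled, "StaticUser")
	}
	if c.StaticPassword == "" {
		c.StaticPassword = randomToken(24)
		filled = append(filled, "StaticPassword")
	}
	return filled
}

// AtomicWriteJSON writes to a temp file in the target's directory, fsyncs it
// and renames it over the target, so a crash mid-write leaves the old file intact.
func AtomicWriteJSON(path string, v any) error {
	data, err := json.MarshalIndent(v, "", "  ")
	if err != nil {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), ".appsettings-*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		os.Remove(tmpName)
		return err
	}
	if err := tmp.Sync(); err != nil {
		tmp.Close()
		os.Remove(tmpName)
		return err
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpName)
		return err
	}
	return os.Rename(tmpName, path)
}

func main() {
	// Constructed tenant: the operator set only the realm by hand.
	cfg := TurnConfig{Realm: "voice.example.test"}
	filled := FillMissingTurn(&cfg, "voice.example.test")
	fmt.Println("generated:", filled)
	path := filepath.Join(os.TempDir(), "appsettings.json")
	if err := AtomicWriteJSON(path, cfg); err != nil {
		fmt.Println("persist failed:", err)
	}
}
```

Running the fill twice is the check worth keeping in a boot routine: the second pass must generate nothing, otherwise a restart would silently rotate credentials that registered phones and the TURN client already hold.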

DTLS-SRTP ↔ RTP / SRTP

Browsers send DTLS-SRTP encrypted media. SIP trunks expect plain RTP (most carriers) or SRTP with carrier-side keys. The bridge terminates the DTLS-SRTP session and re-emits the right thing on the trunk leg — no key material crosses the call boundary in the clear.

Opus ↔ G.711 transcoding

Browsers prefer Opus at 48 kHz. PSTN runs G.711 µ-law at 8 kHz. The bridge transcodes both directions with proper resampling — no chipmunked audio, no carrier rejection on unknown payloads.

Click-to-call from any web page

One <script> tag on a public site. Visitor clicks the floating button, lands in a WebRTC room, the SBC dials your team’s SIP extension. The visitor’s page never sees the real number — alias resolved server-side.

Mid-call PSTN add

During a browser meeting, press Dial phone, type a number, the bridge places a SIP call via your trunk and bridges the dialled party into the room as a participant. Comparable to a PBX “add participant”, inside a WebRTC tool.

One TURN for SBC + SFU

The self-hosted Selective Forwarding Unit for larger meetings runs on the same Windows process and shares the same TURN. No second relay to provision, no second firewall hole. SBC and SFU see the same media-key context.

Force-Relay knob for flaky networks

Some endpoints — mobile browsers behind aggressive carrier NATs, locked-down corporate Wi-Fi, IPv6/NAT64 networks — can’t hold a direct peer-to-peer media path. The browser meeting client supports a relay-only mode that pins all media through the integrated TURN server, trading 50–100 ms of added latency for a stable, predictable path.

Three ways to enable: ?relay=1 in the meeting URL (per-visit), a one-line console call (codebRelay.set(true), sticky per browser), or a tenant-wide default for operators who serve a known-mobile audience. ?relay=0 always wins so a sender can override a sticky preference for one call. Mobile browsers on a cellular link auto-detect and switch on relay-only by default, matching the network conditions most likely to need it.

02 / IDENTITY ON THE SBC

Who is calling — the SBC actually knows.

Conventional SBCs normally consume identity from an external directory or IAM platform — Azure AD, LDAP, a separate OIDC IdP — reachable across the network. CodeB includes the OIDC IdP, passkeys and EU Wallet verifier in the same installation. The session that authenticates the user is the same session that authorises the call, joins the meeting, signs the recording and answers the AI receptionist. One credential store, one audit trail, no inter-vendor federation to break.

OpenID Connect IdP

Full OIDC provider per tenant. RS256 signing keys, PKCE, refresh-token rotation, discovery document, JWKS endpoint, standard authorization-code flow. Federated downstream apps sign in against the SBC. RFC 6749, RFC 8252, OpenID Connect Core 1.0.

Passkeys (FIDO2 / WebAuthn)

Phishing-resistant passwordless sign-in built in. Per-tenant relying-party ID, discoverable credentials, user-verification required, fall-back to password kept available. No password lives on a server we don’t control. W3C Web Authentication Level 2, CTAP 2.

EU Digital Identity Wallet

Native EUDI Wallet verifier and login button. Citizens present a verifiable credential from their wallet over OID4VP 1.0 / SIOPv2. Same flow accepts member-state pilots today and the production wallet at full rollout. eIDAS 2.0 (Regulation 2024/1183).

SIP-layer identity binding

A REGISTER’s digest credentials, a passkey session, an OIDC token and an EU Wallet presentation all resolve to the same per-tenant subject. Per-trunk PAI / RPID / From URI signing on the outbound leg uses that subject so the carrier sees verified caller-ID.

Magic-link + delegated invites

Short-lived signed links for guests, contractors, one-off webinar attendees. No account creation needed. Same audit trail. Same tenant scope. Same revocation surface as everything else.

JWT-bearer + wallet-as-recovery

RFC 7523 JWT-bearer grant for service-to-service. EU Wallet presentation can bypass current_ha1 in password recovery when the verified presentation matches the account — cuts a help-desk ticket out of every forgotten password.

Trunk peer authentication (depth)

Trunks are authenticated by source IP and digest credentials — no spoofable Host header, no trust-on-DNS-name. Auto-blacklist on SIP digest brute-force, REGISTER flooding and 603-flood premium-rate fraud patterns. Reactive symmetric-RTP relearning and proactive NAT-RTP rewrite keep audio flowing through any NAT topology the trunk presents.
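The three auto-blacklist triggers named above (digest brute-force, REGISTER flooding, 603-flood), as an added detection example in Go that is not CodeB's FraudGuard code. The log line format, the per-source sliding window and the threshold values are all assumptions constructed for this illustration; the bridge's real log layout is not shown on this page. The sample includes a normal phone (one 401 challenge, then 200) and a source whose 603 declines are spread across minutes, so the window logic has to distinguish them from the real offenders.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// sampleLog is constructed for this example (not a real bridge log).
// One line per SIP transaction: time, source address, method, final status.
var sampleLog = []string{
	"2024-05-01T10:00:00Z src=203.0.113.7 method=REGISTER status=401", // normal phone: one challenge,
	"2024-05-01T10:00:01Z src=203.0.113.7 method=REGISTER status=200", // then success
	"2024-05-01T10:00:02Z src=198.51.100.9 method=REGISTER status=401", // password guessing
	"2024-05-01T10:00:03Z src=198.51.100.9 method=REGISTER status=403",
	"2024-05-01T10:00:04Z src=198.51.100.9 method=REGISTER status=403",
	"2024-05-01T10:00:05Z src=198.51.100.9 method=REGISTER status=403",
	"2024-05-01T10:00:06Z src=198.51.100.9 method=REGISTER status=403",
	"2024-05-01T10:01:00Z src=192.0.2.55 method=INVITE status=603", // burst of declines
	"2024-05-01T10:01:05Z src=192.0.2.55 method=INVITE status=603",
	"2024-05-01T10:01:10Z src=192.0.2.55 method=INVITE status=603",
	"2024-05-01T10:00:00Z src=192.0.2.77 method=INVITE status=603", // three declines, but
	"2024-05-01T10:02:00Z src=192.0.2.77 method=INVITE status=603", // minutes apart: never
	"2024-05-01T10:04:00Z src=192.0.2.77 method=INVITE status=603", // three in one window
}

type Event struct {
	At     time.Time
	Src    string
	Method string
	Status int
}

// parseLine reads the constructed key=value layout; malformed lines are skipped.
func parseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, false
	}
	ev := Event{At: at}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "src":
			ev.Src = v
		case "method":
			ev.Method = v
		case "status":
			ev.Status, _ = strconv.Atoi(v)
		}
	}
	return ev, ev.Src != ""
}

// Thresholds apply per source address within one sliding window. The values
// are assumptions for this example, not the product's FraudGuard defaults.
type Thresholds struct {
	Window       time.Duration
	AuthFailures int // 401/403 answers to one source
	Registers    int // REGISTER attempts from one source
	Declines     int // 603 answers to INVITEs from one source
}

var DefaultThresholds = Thresholds{Window: 60 * time.Second, AuthFailures: 5, Registers: 20, Declines: 3}

// Detect replays the log in order and returns source -> reason for every
// source that trips a threshold; the first trip wins so the reason is stable.
func Detect(lines []string, th Thresholds) map[string]string {
	type window struct{ auth, reg, dec []time.Time }
	seen := map[string]*window{}
	out := map[string]string{}
	prune := func(ts []time.Time, now time.Time) []time.Time { // drop entries older than the window
		i := 0
		for i < len(ts) && now.Sub(ts[i]) > th.Window {
			i++
		}
		return ts[i:]
	}
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok {
			continue
		}
		w := seen[ev.Src]
		if w == nil {
			w = &window{}
			seen[ev.Src] = w
		}
		if ev.Status == 401 || ev.Status == 403 {
			w.auth = append(prune(w.auth, ev.At), ev.At)
		}
		if ev.Method == "REGISTER" {
			w.reg = append(prune(w.reg, ev.At), ev.At)
		}
		if ev.Method == "INVITE" && ev.Status == 603 {
			w.dec = append(prune(w.dec, ev.At), ev.At)
		}
		if _, done := out[ev.Src]; done {
			continue
		}
		switch {
		case len(w.auth) >= th.AuthFailures:
			out[ev.Src] = "digest brute-force"
		case len(w.reg) >= th.Registers:
			out[ev.Src] = "REGISTER flood"
		case len(w.dec) >= th.Declines:
			out[ev.Src] = "603-flood"
		}
	}
	return out
}

func main() {
	for src, reason := range Detect(sampleLog, DefaultThresholds) {
		fmt.Printf("auto-blacklist %s: %s\n", src, reason)
	}
}
```

The window is pruned per source before each append, which is what keeps a legitimate phone (one 401 per registration cycle) and a slow trickle of declines out of the blacklist while a burst inside the window still trips it.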

Why this matters for an SBC buyer: every classic SBC procurement assumes you already pay separately for an identity stack (Entra ID, Okta, ForgeRock, Ping, Active Directory Federation Services, or a homegrown IdP), then glue the two together at integration time. CodeB delivers the identity surface inside the same install, so a small-or-mid-sized regulated organisation can stand up SBC + meeting + voice AI + IdP at once and audit them through one log.

03 / SBC FUNCTION SET

Everything an SBC is expected to do.

The standard SBC checklist, mapped to what we shipped. Auditable in the source.

Capability | How CodeB does it
Security — toll fraud, DoS, malformed SIP, premium-rate blocking | ACL with CIDR + glob + per-tenant rules, implicit-whitelist anti-self-lockout, auto-blacklist on brute-force, FraudGuard daily caps, E.164 prefix blocklist, public-listener rate limit per-IP buckets.
NAT / firewall traversal | SIP registrar rewrites Contact URIs to the REGISTER source endpoint; bridge does symmetric RTP redirection to the real audio source; integrated TURN (UDP / TCP / TLS) means no third-party STUN/TURN service in the call path.
Protocol normalisation | RFC 4028 session-timer injection for carriers that need it; SDP rewrites that skip private and loopback addresses; Opus ↔ G.711 transcoding on the bridge.
Session control & policy | Per-tenant maximum-concurrent-inbound, public-listener rate-limit, per-tenant license-gate hooks (counted entitlements + consumable budgets), per-call metering of minutes, AI tokens, data, storage and API calls.
Media resilience | Adaptive video bitrate ladder (720p → 480p → 360p → 240p) keeps the picture alive on slow uplinks instead of dropping to audio-only. Auto ICE restart on transport failure with five-attempt back-off sized for cellular UDP blackouts (30–60 s). Post-restart keyframe-force so the peer decoder picks up the new stream immediately. Audio rarely drops; video typically resumes in under a second.
Topology hiding | Bridge brokers all SIP and RTP; trunk peer IPs never appear on the client side; visitor browsers never see PBX hostnames, trunk credentials or carrier endpoints.
CDR / forensic logging | Per-tenant dial log, bridge log, transcripts.jsonl, ECDSA-P256-signed recording sidecars (file SHA-256, speaker-turn timeline, per-peer consent log) and per-tenant audit log under App_Data/<tenant>/logs/.
Identity assertion (PAI / RPID / From) | Per-trunk P-Asserted-Identity, Remote-Party-ID and From URI signing so carriers requiring trusted-number presentation get the right header without you hand-editing SIP messages.
Multi-tenancy | Per-tenant App_Data/<host>/ isolation with its own credentials, trunks, ACL rules, signing keys and CDRs. SIP REGISTERs resolve to a tenant by the URI domain; cross-tenant data leaks are prevented at every read and write boundary.
Anonymous / CLIR routing | Inbound INVITE sniffing for RFC 3323 Privacy tokens and common UA markers; per-tenant inbound routing rules can send all withheld callers to a screener vnum or a dedicated AI persona without affecting normal traffic.
E.164 normalisation | Whitelists, blocklists, ACLs and route rules treat +<cc>... and 00<cc>... equivalently — phones without a "+" key (most hardphones, all PSTN keypads) still match operator-entered rules in either form.
Codec support | Opus at 48 kHz, G.711 a-law and µ-law at 8 kHz, G.722 wideband, DTMF RFC 4733 / RFC 2833. Transcoding on the bridge.
High availability | Active-passive via NTFS-replicated App_Data/<tenant>/. Multi-node active-active HA cluster is on the roadmap, not shipping today — published honestly so procurement teams aren’t surprised mid-RFP.
Hot reload | ACL rules, trunks, certificates, virtual-number prompts, per-tenant settings — all hot-reloaded by FileSystemWatcher within seconds of an admin save. No service restart, no maintenance window, no in-flight call drop.

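Several rows of the checklist above (security ACL with CIDR + glob and the implicit whitelist, the E.164 prefix blocklist, E.164 normalisation of +<cc> / 00<cc>, and RFC 3323 Privacy sniffing for CLIR routing) describe one inbound gate, so here is one added Go example that runs them in sequence. It is illustration, not CodeB's code: the rule syntax (a CIDR or a glob over the dotted address), the first-match-wins ACL with default deny, treating loopback and the listener's own addresses as the implicit whitelist, and the sample numbers are all assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"path"
	"strings"
)

// NormalizeE164 strips dial separators and maps "00<cc>..." to "+<cc>..." so
// a rule entered in either form matches a number dialled in either form.
// Numbers without an international prefix are returned digits-only.
func NormalizeE164(num string) string {
	var b strings.Builder
	for _, r := range num {
		if (r >= '0' && r <= '9') || r == '+' {
			b.WriteRune(r)
		}
	}
	s := b.String()
	if strings.HasPrefix(s, "00") {
		return "+" + s[2:]
	}
	return s
}

// Rule is one ACL line: a CIDR ("203.0.113.0/24") or a glob over the dotted
// address ("198.51.100.*"). Syntax is an assumption for this example.
type Rule struct {
	Pattern string
	Allow   bool
}

func matchSource(pattern string, src netip.Addr) bool {
	if pfx, err := netip.ParsePrefix(pattern); err == nil {
		return pfx.Contains(src)
	}
	ok, _ := path.Match(pattern, src.String()) // glob: "*" and "?" over the text form
	return ok
}

type Policy struct {
	ACL           []Rule   // first match wins; no match means deny
	SelfAddresses []string // implicit whitelist: the listener's own addresses (loopback is always in)
	PremiumPrefix []string // blocked E.164 prefixes, entered as +<cc>... or 00<cc>...
	ScreenerVnum  string   // where withheld-CLI callers are sent
}

type Decision struct{ Action, Reason, RouteTo string }

// GateInvite applies source ACL, premium-rate blocklist and RFC 3323 Privacy
// screening to one inbound INVITE and returns what the bridge should do.
func (p Policy) GateInvite(srcIP, from, to, privacyHeader string) Decision {
	src, err := netip.ParseAddr(srcIP)
	if err != nil {
		return Decision{"reject", "unparseable source", ""}
	}
	allowed := src.IsLoopback()
	for _, self := range p.SelfAddresses {
		if self == srcIP {
			allowed = true
		}
	}
	if !allowed {
		for _, r := range p.ACL {
			if matchSource(r.Pattern, src) {
				allowed = r.Allow
				break
			}
		}
	}
	if !allowed {
		return Decision{"reject", "acl deny", ""}
	}
	dst := NormalizeE164(to)
	for _, pre := range p.PremiumPrefix {
		if strings.HasPrefix(dst, NormalizeE164(pre)) {
			return Decision{"reject", "premium-rate prefix " + pre, ""}
		}
	}
	// RFC 3323: Privacy: id / header / user means the caller withheld identity;
	// an "anonymous" From is the common UA marker for the same intent.
	withheld := strings.Contains(strings.ToLower(from), "anonymous")
	for _, tok := range strings.Split(strings.ToLower(privacyHeader), ";") {
		switch strings.TrimSpace(tok) {
		case "id", "header", "user":
			withheld = true
		}
	}
	if withheld && p.ScreenerVnum != "" {
		return Decision{"route", "withheld caller-ID, screened", p.ScreenerVnum}
	}
	return Decision{"route", "ok", dst}
}

func main() {
	p := Policy{ // constructed tenant policy
		ACL:           []Rule{{"203.0.113.0/24", true}, {"198.51.100.*", true}},
		SelfAddresses: []string{"192.0.2.10"},
		PremiumPrefix: []string{"0049900"},
		ScreenerVnum:  "+493012345678",
	}
	fmt.Printf("%+v\n", p.GateInvite("203.0.113.7", "sip:alice@carrier.example", "0049 30 1234567", ""))
	fmt.Printf("%+v\n", p.GateInvite("203.0.113.7", "sip:anonymous@anonymous.invalid", "+49301234567", "id"))
	fmt.Printf("%+v\n", p.GateInvite("10.1.2.3", "sip:bob@carrier.example", "+49301234567", ""))
}
```

Normalising both the dialled number and the operator's rule before the prefix compare is what makes "0049900" in the blocklist catch "+49900..." from a browser client and "0049900..." from a keypad alike.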
03b / TESTED INTEROPERABILITY

What we have actually put a call through.

Devices and services where CodeB has dialled at least one bidirectional, audio-bearing call in lab or production. Anything not on this list isn’t claimed — ask before assuming.

Hardphones

Yealink T5x family (T54W, T57W). Polycom VVX 250 / 350 / 450. Cisco 7800 / 8800 series. Sangoma P-series (P310 / 315 / 320 / 325 / 330 / 370). Snom D-series (D717, D785). Sangoma S-series with ICE-capable firmware. AVM FRITZ!Box and FRITZ!Fon on the LAN side.

Softphones

MicroSIP on Windows. Bria (Counterpath / Alianza) on Windows / macOS / iOS / Android with ICE enabled. Linphone with ICE on. Acrobits Softphone. Browser SIP via sip.js / JsSIP.

SIP trunks & PBX

Sipgate (sip-trunk.sipgate.de). Pembroke ITSP. FRITZ!Box trunk-style registration. Asterisk and FreePBX as upstream PBX. Generic SIP-over-TLS trunks to standards-compliant carriers.

Want a specific phone or trunk added to this list? Tell us and we’ll run it on a lab tenant within a week.

04 / WHAT’S BUNDLED

The four products legacy SBCs don’t include.

OpenID Connect IdP

Per-tenant RS256 keys, PKCE-only public clients, RFC 7662 introspection, RFC 7009 revocation, RP-Initiated Logout. Passkeys (FIDO2 / WebAuthn) and magic-link sign-in. Live EU Digital Identity Wallet verifier on OID4VP 1.0 + HAIP 1.0 + SD-JWT VC.

Browser meetings + SFU

HD WebRTC meetings, peer-to-peer mesh by default, auto-promotes to a self-hosted Selective Forwarding Unit on the same box when bandwidth tightens or rooms grow. Signed recordings with forensic-grade ECDSA-P256 sidecars. The SBC and the SFU share the same TURN.
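The signed recording sidecar (ECDSA-P256 over the file SHA-256, speaker-turn timeline and per-peer consent log, as listed in the CDR row of the function set and again here), as an added Go example that is not CodeB's code. The JSON field layout, the choice to sign the SHA-256 of the canonical JSON, and the sample recording bytes are assumptions; what it demonstrates is the verification a forensic reviewer runs: the signature must check out and the recording on disk must still hash to the value the sidecar names, so altering either the audio or the consent log is detected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Sidecar carries the fields the page names next to a recording. The exact
// JSON layout is an assumption for this example.
type Sidecar struct {
	FileSHA256 string        `json:"file_sha256"`
	Turns      []SpeakerTurn `json:"turns"`
	Consent    []Consent     `json:"consent"`
}

type SpeakerTurn struct {
	Peer    string `json:"peer"`
	StartMs int    `json:"start_ms"`
	EndMs   int    `json:"end_ms"`
}

type Consent struct {
	Peer    string `json:"peer"`
	Granted bool   `json:"granted"`
	AtMs    int    `json:"at_ms"`
}

// NewSigningKey generates the per-tenant P-256 key the sidecars are signed with.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// BuildSidecar hashes the recording bytes and assembles the sidecar.
func BuildSidecar(recording []byte, turns []SpeakerTurn, consent []Consent) Sidecar {
	sum := sha256.Sum256(recording)
	return Sidecar{FileSHA256: hex.EncodeToString(sum[:]), Turns: turns, Consent: consent}
}

// canonical returns the bytes that get signed. encoding/json writes struct
// fields in declaration order, so the encoding is stable for a fixed struct.
func canonical(s Sidecar) []byte {
	b, err := json.Marshal(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Sign returns an ASN.1 DER ECDSA-P256 signature over SHA-256(canonical sidecar).
func Sign(priv *ecdsa.PrivateKey, s Sidecar) ([]byte, error) {
	digest := sha256.Sum256(canonical(s))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify checks the signature and that the recording still matches the hash
// the sidecar names; either failing means the evidence was altered.
func Verify(pub *ecdsa.PublicKey, s Sidecar, sig, recording []byte) bool {
	sum := sha256.Sum256(recording)
	if hex.EncodeToString(sum[:]) != s.FileSHA256 {
		return false
	}
	digest := sha256.Sum256(canonical(s))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	recording := []byte("constructed-opus-frames-stand-in") // constructed, not real audio
	sc := BuildSidecar(recording,
		[]SpeakerTurn{{"alice", 0, 1500}, {"bob", 1500, 4200}},
		[]Consent{{"alice", true, 0}, {"bob", true, 120}})
	sig, err := Sign(priv, sc)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact:", Verify(&priv.PublicKey, sc, sig, recording))
	fmt.Println("audio altered:", Verify(&priv.PublicKey, sc, sig, []byte("tampered")))
}
```

Because the file hash is inside the signed document, a reviewer needs only the tenant's public key, the sidecar and the recording; the private key never leaves the bridge.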

Voice AI receptionist

Per-virtual-number persona prompts, real-time AI Voice Engine, multilingual, transfer-to-human on intent. Outbound AI campaigns with scheduled-dial, retry on no-answer, live monitor UI, signed webhooks. Pluggable engine, fixed contract.

Click-to-call embed

One <script> tag on any web page. Visitor clicks the floating button, lands in a CodeB room, the SIP bridge dials your team’s phone. The visitor’s page never sees the real number — it’s referenced by an unguessable alias and routed server-side.

Per-tenant admin UI

One browser console per tenant. Trunks, virtual numbers, prompts, recordings, transcripts, ACL rules, sign-ins, CDRs — all behind your own OIDC. No vendor login screen. No SaaS console.

Unified audit log

Every sign-in next to every meeting next to every SIP call next to every voice-AI transcript — one filter bar, one CSV export, one timeline. Forensic and compliance teams stop stitching three vendor consoles together.

05 / WHERE WE DON’T COMPETE

The honest disqualifiers.

If your scenario is in this list, the legacy carrier-grade SBC vendors are the right answer — we’ll say so.

Tier-1 carrier interconnect

SIP-T / SIP-I inter-carrier signalling for national carrier peering is not a CodeB scope. The legacy six-figure SBC appliances remain the right answer.

Carrier-scale transcoding

If you need media transcoding farms doing tens of thousands of concurrent calls per box, we’re not built for that workload. We’re sized for SMB, regional and regulated-industry deployments.

Formal SBC procurement badges

Designed to support NIS2, DORA and EU Cyber Resilience Act implementation requirements at the software level — published security.txt, atomic-write persistence, structured audit logs, per-tenant data isolation. A control-mapping document (cyber-resilience.html) tracks which CodeB feature satisfies which Annex I / risk-management / incident-handling requirement. We don’t carry ETSI TS 102 027 or carrier-RFP-shaped certifications, which procurement teams sometimes treat as required. The regulations themselves cover organisational processes, governance and operations, not software alone.

SS7 / Diameter / Megaco

PSTN-core-network signalling is outside the VoIP-edge SBC role we cover. The bridge speaks SIP — UDP, TCP, TLS — and the carrier-side SBC of your trunk provider handles the SS7 gateway.

Hyperscale SaaS console

We’re self-hosted by design. If you specifically want a hosted SBC-as-a-service where someone else handles the uptime, the hosted SIP-trunk providers are the right answer for that workload — with the data-residency and per-minute trade-offs they bring.

50-vendor integration marketplace

If your operations depend on a deep marketplace of pre-built CRM, ITSM and ticketing connectors, the carrier SaaS vendors have a bigger catalogue. We expose webhooks and a REST API; integrations are coded against those, not picked from a list.

06 / WHO THIS FITS

Where the bundle wins on procurement.

06b / WHERE EACH OPTION FITS

Three categories, one honest comparison.

No vendor names, no fake battle-cards — just the structural trade-offs between a traditional SBC appliance, a hosted SBC-as-a-service, and CodeB. Pick the column that matches your buying constraint.

Concern | Traditional appliance SBC | Hosted SBC-as-a-service | CodeB
Deployment | Hardware appliance, weeks of integrator config, hands-on rack work. | Provisioned in minutes, but the call path runs through someone else’s cloud. | One MSI on a fresh Windows VM. Same binary on bare metal, Hyper-V, VMware, Azure or AWS.
Identity stack | Consumes identity from an external IdP — Azure AD, LDAP, on-prem AD FS — you buy and operate separately. | Federates to your IdP, but your federation tokens leave your premises on every call. | OIDC identity provider, FIDO2 passkeys, EU Wallet verifier and magic links shipped inside the same install. One credential store.
Meetings / SFU | Out of scope — buy a separate meeting product, integrate via SIP trunk. | Often a separate SKU from the same vendor, additional per-seat cost. | Browser WebRTC meetings + self-hosted SFU on the same Windows process. Same TURN as the SBC.
Voice AI | Out of scope — integrate a third-party voice-AI vendor over SIP and webhooks. | Add-on SKU; AI traffic leaves your tenant. | AI receptionist per virtual number, outbound AI campaigns, multilingual, signed transcripts and recordings — built in.
Data residency | On your hardware, but identity and meetings frequently are not. | The vendor’s cloud is where the call lives. Data-residency clauses are contractual, not architectural. | Air-gappable; nothing in the call path needs to leave your network. Per-tenant App_Data/<host>/ on local NTFS.
Hardware lock-in | Yes — vendor-specific chassis, support contract, refresh cycle every 5–7 years. | No hardware, but you don’t control the upgrade window either. | None — commodity Windows host of your choice. Move VMs between hypervisors freely.
Pricing model | Capex on the box, opex on a support contract, ports licensed individually. | Per-seat or per-minute subscription, frequently with consumption overage. | One licence, one support contract, four product lines included. No per-port, no per-AI-minute.
Procurement signal | National-carrier-grade, formal ETSI / JITC certifications, six-figure entry. | SaaS convenience for organisations that have accepted the cloud-call trade-off. | For regulated organisations that have to keep voice, identity, meetings and AI on infrastructure they verify themselves.

Three ways to evaluate.

A free live tenant on infrastructure you can verify, a 20-minute technical walkthrough on the SBC + identity bundle, or a direct conversation. Replies within one business day.

Replies within one business day · email lands with humans, not a queue.