Session Border Controller

A sovereign SBC with identity, voice AI and meetings already inside.

The CodeB SIP bridge is a Session Border Controller in the classic sense: it sits at the boundary of your VoIP network, secures and normalises every SIP message, rewrites Contact URIs through NAT, gates calls by per-tenant policy, signs outbound caller-ID, and writes audit-grade CDRs. What it does that legacy SBC appliances don’t: ship in the same Windows + IIS install as an OpenID Connect identity provider, an EU Digital Identity Wallet verifier, browser meetings with a self-hosted SFU, and a voice-AI receptionist on every virtual number.

Why an SBC + bundle? Most regulated organisations end up buying an SBC (for SIP security), an identity platform (for OIDC + passkeys + EU Wallet), a meetings tool (for browser video) and a voice-AI add-on (for after-hours and overflow) from three or four separate vendors. The CodeB stack covers all four on one Windows server, on hardware you control, with a single per-tenant credential store and one audit log. NIS2 / DORA / CRA-aligned by default. EU-built. No US-cloud data-residency mitigations needed because the data never leaves your premises.

00 / ARCHITECTURE

Where the SBC sits in the call path.

External traffic enters from the public internet (SIP trunks, hardphones, PSTN). Every byte hits the CodeB SBC border first — ACL, FraudGuard, NAT rewrite, identity gate, recording sidecar — before reaching any tenant. Internal participants land on the same boundary from the inside: browsers (WebRTC), SIP phones (soft + hard), AI virtual numbers. One process, one audit log, per-tenant isolation by request domain.

Figure: CodeB SBC border architecture. External SIP carriers, PSTN gateways, remote hardphones and hostile traffic on the left; the CodeB SBC border in the centre as one process with per-tenant isolation by request domain (ACL + FraudGuard, SIP registrar + NAT, topology hiding, session policy, WebRTC ↔ SIP gateway, OIDC IdP + EU Wallet, PAI / RPID signing, signed CDRs + recording, voice AI engine); tenant-scoped browser meetings, SIP phones, identity-verified users and AI virtual numbers on the right under App_Data/<tenant>/, on Windows Server + IIS with no third-party cloud in the call path.

01 / WEBRTC ↔ SIP GATEWAY

The function pure SBCs delegate to a separate box.

Classic SBCs speak SIP — UDP / TCP / TLS — and stop at the SIP-to-SIP boundary. Browser callers need a separate WebRTC gateway, usually a different vendor or an open-source stack glued on the side with its own TURN, signalling layer and operations burden. CodeB’s SBC does both natively, on the same process and the same TURN.

DTLS-SRTP ↔ RTP / SRTP

Browsers send DTLS-SRTP encrypted media. SIP trunks expect plain RTP (most carriers) or SRTP with carrier-side keys. The bridge terminates the DTLS-SRTP session and re-emits the right thing on the trunk leg — no key material crosses the call boundary in the clear.

Opus ↔ G.711 transcoding

Browsers prefer Opus at 48 kHz. PSTN runs G.711 µ-law at 8 kHz. The bridge transcodes both directions with proper resampling — no chipmunked audio, no carrier rejection on unknown payloads.

ICE / TURN built in

Integrated TURN server on UDP, TCP and TLS in the same .NET service. The browser’s ICE candidate list contains the bridge’s TURN, so symmetric-NAT visitors still reach the call. No third-party STUN, no Twilio TURN bills.

Click-to-call from any web page

One <script> tag on a public site. Visitor clicks the floating button, lands in a WebRTC room, the SBC dials your team’s SIP extension. The visitor’s page never sees the real number — alias resolved server-side.

Mid-call PSTN add

During a browser meeting, press Dial phone, type a number, the bridge places a SIP call via your trunk and bridges the dialled party into the room as a participant. Comparable to a PBX “add participant”, inside a WebRTC tool.

One TURN for SBC + SFU

The self-hosted Selective Forwarding Unit for larger meetings runs on the same Windows process and shares the same TURN. No second relay to provision, no second firewall hole. SBC and SFU see the same media-key context.

02 / IDENTITY ON THE SBC

Who is calling — the SBC actually knows.

Classic SBCs route bytes. They assert caller-ID on the SIP layer (PAI / RPID) but they cannot tell you who the human is — that lives in a separate identity product, often a separate vendor entirely. CodeB folds a full identity provider into the same process. The session that authenticates the user is the same session that authorises the call, joins the meeting, signs the recording and answers the AI receptionist. One credential store, one audit trail.

OpenID Connect IdP

Full OIDC provider per tenant. RS256 signing keys, PKCE, refresh-token rotation, discovery document, JWKS endpoint, standard authorization-code flow. Federated downstream apps sign in against the SBC. RFC 6749, RFC 8252, OpenID Connect Core 1.0.

Passkeys (FIDO2 / WebAuthn)

Phishing-resistant passwordless sign-in built in. Per-tenant relying-party ID, discoverable credentials, user verification required, with a password fallback kept available. No password lives on a server we don’t control. W3C Web Authentication Level 2, CTAP 2.

EU Digital Identity Wallet

Native EUDI Wallet verifier and login button. Citizens present a verifiable credential from their wallet over OID4VP 1.0 / SIOPv2. Same flow accepts member-state pilots today and the production wallet at full rollout. eIDAS 2.0 (Regulation 2024/1183).

SIP-layer identity binding

A REGISTER’s digest credentials, a passkey session, an OIDC token and an EU Wallet presentation all resolve to the same per-tenant subject. Per-trunk PAI / RPID / From URI signing on the outbound leg uses that subject so the carrier sees verified caller-ID.

Magic-link + delegated invites

Short-lived signed links for guests, contractors, one-off webinar attendees. No account creation needed. Same audit trail. Same tenant scope. Same revocation surface as everything else.

JWT-bearer + wallet-as-recovery

RFC 7523 JWT-bearer grant for service-to-service. EU Wallet presentation can bypass current_ha1 in password recovery when the verified presentation matches the account — cuts a help-desk ticket out of every forgotten password.

Why this matters for an SBC buyer: every classic SBC procurement assumes you already pay separately for an identity stack (Entra ID, Okta, ForgeRock, Ping, Active Directory Federation Services, or a homegrown IdP), then glue the two together at integration time. CodeB delivers the identity surface inside the same install, so a small-or-mid-sized regulated organisation can stand up SBC + meeting + voice AI + IdP at once and audit them through one log.

03 / SBC FUNCTION SET

Everything an SBC is expected to do.

The standard SBC checklist, mapped to what we shipped. Auditable in the source.

Capability / How CodeB does it

Security (toll fraud, DoS, malformed SIP, premium-rate blocking): ACL with CIDR + glob + per-tenant rules, implicit-whitelist anti-self-lockout, auto-blacklist on brute force, FraudGuard daily caps, E.164 prefix blocklist, and a public-listener rate limit with per-IP buckets.

NAT / firewall traversal: the SIP registrar rewrites Contact URIs to the REGISTER source endpoint; the bridge redirects symmetric RTP to the real audio source; the integrated TURN (UDP / TCP / TLS) means no third-party STUN/TURN service in the call path.

Protocol normalisation: RFC 4028 session-timer injection for carriers that need it; SDP rewrites that skip private and loopback addresses; Opus ↔ G.711 transcoding on the bridge.

Session control & policy: per-tenant maximum concurrent inbound calls, public-listener rate limit, per-tenant licence-gate hooks (counted entitlements + consumable budgets), per-call metering of minutes, AI tokens, data, storage and API calls.

Topology hiding: the bridge brokers all SIP and RTP; trunk peer IPs never appear on the client side; aliased dial numbers (e.g. n_dbbe66524a5cd792) keep real PSTN numbers off the public web. Public URLs reference aliases, never numbers.

CDR / forensic logging: per-tenant dial log, bridge log, transcripts.jsonl, ECDSA-P256-signed recording sidecars (file SHA-256, speaker-turn timeline, per-peer consent log) and a per-tenant audit log under App_Data/<tenant>/logs/.

Identity assertion (PAI / RPID / From): per-trunk P-Asserted-Identity, Remote-Party-ID and From URI signing, so carriers that require trusted-number presentation get the right header without you hand-editing SIP messages.

Multi-tenancy: per-tenant App_Data/<host>/ isolation with its own credentials, trunks, ACL rules, signing keys and CDRs. SIP REGISTERs resolve to a tenant by the URI domain; cross-tenant data leaks are prevented at every read and write boundary.

Anonymous / CLIR routing: inbound INVITE sniffing for RFC 3323 Privacy tokens and common UA markers; per-tenant inbound routing rules can send all withheld callers to a screener vnum or a dedicated AI persona without affecting normal traffic.

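The security row of the checklist, as an added Python example that is not CodeB's code: an ordered CIDR + glob rule list with default deny, an implicit whitelist for the admin's own source address (anti-self-lockout) and an auto-blacklist that trips after repeated digest-auth failures inside a sliding window. The rule patterns, addresses and thresholds are constructed for the demo.

```python
import fnmatch
import ipaddress
from collections import defaultdict

# Added example, not CodeB's implementation: a border ACL in the shape the
# checklist describes. Addresses are RFC 5737 documentation ranges and the
# thresholds are constructed.
class SipAcl:
    def __init__(self, rules, admin_sources=(), max_failures=5, window_s=60.0):
        self.rules = [(action.lower(), pattern) for action, pattern in rules]
        self.admin_sources = set(admin_sources)   # implicit whitelist, never blacklisted
        self.max_failures = max_failures
        self.window_s = window_s
        self.failures = defaultdict(list)         # ip -> timestamps of auth failures
        self.blacklist = set()

    @staticmethod
    def _matches(pattern, ip):
        # A prefix length makes it a CIDR rule; anything else is a glob on the dotted quad.
        if "/" in pattern:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        return fnmatch.fnmatchcase(ip, pattern)

    def decide(self, ip):
        """Return 'allow', 'deny' or 'blacklisted' for a SIP packet from ip."""
        if ip in self.admin_sources:
            return "allow"
        if ip in self.blacklist:
            return "blacklisted"
        for action, pattern in self.rules:      # first matching rule wins
            if self._matches(pattern, ip):
                return action
        return "deny"                            # default-deny at the border

    def record_auth_failure(self, ip, now):
        """Count a failed digest challenge; blacklist after max_failures within window_s."""
        window = [t for t in self.failures[ip] if now - t < self.window_s]
        window.append(now)
        self.failures[ip] = window
        if ip not in self.admin_sources and len(window) >= self.max_failures:
            self.blacklist.add(ip)
        return ip in self.blacklist

# Constructed tenant rule set: block one carrier range, admit the office range,
# deny everything else; the admin console is reached from 198.51.100.2.
BORDER_ACL = SipAcl(
    [("deny", "203.0.113.0/24"), ("allow", "198.51.100.*"), ("deny", "*")],
    admin_sources=["198.51.100.2"],
)
```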
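Two SIP-layer functions from the checklist (the registrar's Contact rewrite to the REGISTER source endpoint, and the RFC 3323 Privacy sniff behind the CLIR routing rule), as an added Python example that is not CodeB's code. The SIP messages, addresses and vnum names are constructed, and only the headers shown are handled; a real SBC needs a full RFC 3261 parser.

```python
import re

# Added example, not CodeB's implementation. Handles only the headers shown.
def sip_headers(msg):
    """Return (lower-cased name, value) pairs for the headers of a SIP message."""
    head = msg.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out

def rewrite_contact(msg, src_ip, src_port):
    """NAT traversal: point the Contact URI at the transport source the REGISTER
    came from, so later INVITEs are routed back through the same NAT pinhole."""
    def fix(m):
        return f"{m.group(1)}{src_ip}:{src_port}{m.group(3)}"
    pattern = r"(?im)^(Contact:\s*<sip:[^@>]*@)([^;>]+)([;>])"
    return re.sub(pattern, fix, msg, count=1)

def caller_id_withheld(msg):
    """True when a Privacy header (RFC 3323 tokens, plus RFC 3325 'id') asks for
    anonymity, or the From URI is the anonymous placeholder."""
    for name, value in sip_headers(msg):
        if name == "privacy":
            tokens = {t.strip().lower() for t in value.split(";")}
            if tokens & {"id", "header", "user"}:
                return True
        if name in ("from", "f") and "anonymous@anonymous.invalid" in value.lower():
            return True
    return False

def route_inbound(msg, normal_vnum, screener_vnum):
    # Per-tenant inbound rule: withheld callers go to the screener vnum.
    return screener_vnum if caller_id_withheld(msg) else normal_vnum

# Constructed messages: a phone on a private LAN registering through NAT, and
# an anonymous inbound INVITE. Public addresses are RFC 5737 documentation ranges.
REGISTER = (
    "REGISTER sip:tenant-a.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@tenant-a.example>;tag=1928\r\n"
    "To: <sip:alice@tenant-a.example>\r\n"
    "Contact: <sip:alice@192.168.1.20:5060;transport=udp>\r\n"
    "Content-Length: 0\r\n\r\n"
)
ANON_INVITE = (
    "INVITE sip:sales@tenant-a.example SIP/2.0\r\n"
    "From: \"Anonymous\" <sip:anonymous@anonymous.invalid>;tag=77\r\n"
    "Privacy: id;header\r\n"
    "Content-Length: 0\r\n\r\n"
)
```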
04 / WHAT’S BUNDLED

The four products legacy SBCs don’t include.

OpenID Connect IdP

Per-tenant RS256 keys, PKCE-only public clients, RFC 7662 introspection, RFC 7009 revocation, RP-Initiated Logout. Passkeys (FIDO2 / WebAuthn) and magic-link sign-in. Live EU Digital Identity Wallet verifier on OID4VP 1.0 + HAIP 1.0 + SD-JWT VC.

Browser meetings + SFU

HD WebRTC meetings, peer-to-peer mesh by default, auto-promotes to a self-hosted Selective Forwarding Unit on the same box when bandwidth tightens or rooms grow. Signed recordings with forensic-grade ECDSA-P256 sidecars. The SBC and the SFU share the same TURN.

Voice AI receptionist

Per-virtual-number persona prompts, real-time AI Voice Engine, multilingual, transfer-to-human on intent. Outbound AI campaigns with scheduled-dial, retry on no-answer, live monitor UI, signed webhooks. Pluggable engine, fixed contract.

Click-to-call embed

One <script> tag on any web page. Visitor clicks the floating button, lands in a CodeB room, the SIP bridge dials your team’s phone. The visitor’s page never sees the real number — it’s referenced by an unguessable alias and routed server-side.

Per-tenant admin UI

One browser console per tenant. Trunks, virtual numbers, prompts, recordings, transcripts, ACL rules, sign-ins, CDRs — all behind your own OIDC. No vendor login screen. No SaaS console.

Unified audit log

Every sign-in next to every meeting next to every SIP call next to every voice-AI transcript — one filter bar, one CSV export, one timeline. Forensic and compliance teams stop stitching three vendor consoles together.

05 / WHERE WE DON’T COMPETE

The honest disqualifiers.

If your scenario is in this list, the legacy carrier-grade SBC vendors are the right answer — we’ll say so.

Tier-1 carrier interconnect

SIP-T / SIP-I inter-carrier signalling for national carrier peering is outside CodeB’s scope. The legacy six-figure SBC appliances remain the right answer.

Carrier-scale transcoding

If you need media transcoding farms doing tens of thousands of concurrent calls per box, we’re not built for that workload. We’re sized for SMB, regional and regulated-industry deployments.

Formal SBC procurement badges

We’re aligned with NIS2, DORA and the EU Cyber Resilience Act, with a published security.txt and atomic-write persistence. We don’t carry ETSI TS 102 027 or carrier-RFP-shaped certifications, which procurement teams sometimes treat as required.

SS7 / Diameter / Megaco

PSTN-core-network signalling is outside the VoIP-edge SBC role we cover. The bridge speaks SIP — UDP, TCP, TLS — and the carrier-side SBC of your trunk provider handles the SS7 gateway.

Hyperscale SaaS console

We’re self-hosted by design. If you specifically want a hosted SBC-as-a-service where someone else handles the uptime, the hosted SIP-trunk providers are the right answer for that workload — with the data-residency and per-minute trade-offs they bring.

50-vendor integration marketplace

If your operations depend on a deep marketplace of pre-built CRM, ITSM and ticketing connectors, the carrier SaaS vendors have a bigger catalogue. We expose webhooks and a REST API; integrations are coded against those, not picked from a list.

06 / WHO THIS FITS

Where the bundle wins on procurement.

Three ways to evaluate.

A free live tenant on infrastructure you can verify, a 20-minute technical walkthrough on the SBC + identity bundle, or a direct conversation. Replies within one business day.

Replies within one business day · email lands with humans, not a queue.