Microsoft Teams Direct Routing and Sentinel Interoperability PBX Scenario
This configuration note explains the configuration required to use Microsoft Teams with the Sentinel and an IP PBX.
- External 3rd party SIP trunk
- PRI or FXS/FXO telephony interfaces to legacy PBX
- Analog telephone adaptors (ATA)
For more information on Microsoft Direct Routing planning, visit: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-plan.
Requirements for MS Teams
- Refer to the following link for MS Teams direct routing requirements: https://docs.microsoft.com/en-us/microsoftteams/onboarding-checklist-enable-office-365
- A publicly resolvable FQDN for the Sentinel. The FQDN must be in one of the domains defined under your Microsoft Teams account. For example, the SBC FQDN is set to sbcteams.mediatrix.com, which is under the mediatrix.com domain.
- At least one Microsoft Teams user must be created under the same domain. In our example, we have created one such account: media5user@mediatrix.com
- DID phone numbers to dial in. You can get DID phone numbers under Microsoft Teams admin center/Users/Phone Numbers and assign them to a specific user (or auto-attendant, which is a pseudo-user).
Connecting to MS Teams with PowerShell
- Download and install PowerShell: https://docs.microsoft.com/en-us/SkypeForBusiness/set-up-your-computer-for-windows-powershell/set-up-your-computer-for-windows-powershell
- Open PowerShell from your PC. Run it as Administrator.
- Install the Microsoft Teams module if needed: https://docs.microsoft.com/en-us/MicrosoftTeams/teams-powershell-install#install-the-teams-powershell-module
- Type Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
- Click Yes to all.
- Enter Import-Module MicrosoftTeams
- Enter Connect-MicrosoftTeams
- Enter your tenant admin user name and password.
Configuring MS Teams Voice Routing
Requirements for the Sentinel
- DGW software version: MediatrixSentinel_Dgw_48.0.2430 or newer.
- Rulesets created to use Teams with the Sentinel. Contact your sales representative.
- A server certificate with the SBC FQDN in the Common Name or Subject Alternative Name, signed by one of the public CAs approved by Microsoft. In our test, the SBC host certificate was signed by Comodo (one-month Free Trial):
- Key length 2048 bits
- Signature Hash algorithm: SHA 256
- Extended Usage: ClientAuthentication and ServerAuthentication
- Common Name: sbcteams.mediatrix.com
- The SAN may contain a wildcard FQDN. Most root CAs charge extra for that; the Comodo free trial does not allow it, so it was skipped.
- Generate the necessary CSR (Certificate Signing Request), then combine the private key and the CA-signed certificate into a host certificate to upload to the Sentinel. Refer to https://documentation.media5corp.com/display/DGWLATEST/Creating+a+Media5+Device+Host+Certificate+with+OpenSSL
- Install the Baltimore CyberTrust Root CA certificate on the SBC (https://www.digicert.com/digicert-root-certificates.htm); it is used to validate the certificates of the MS Teams servers (sip.pstnhub.microsoft.com, sip2.pstnhub.microsoft.com, sip3.pstnhub.microsoft.com).
- Associate the host certificate with the SBC service. Make sure only one certificate is associated with it. Refer to https://documentation.media5corp.com/display/DGWLATEST/Using+Trusted+CA+and+Host+Certificates for more details.
- Calls from the Teams Direct Routing servers may come from an IP address other than the ones resolved by DNS. To speed up incoming calls from Teams, set up the following static DNS entries:
Hoc.StaticHosts.DeleteAllRows
Hoc.InsertStaticHost Name="sip.pstnhub.microsoft.com" IpAddresses="52.114.132.46,52.114.148.0,52.114.132.46,52.114.75.24,52.114.76.76,52.114.7.24,52.114.14.70"
# The sequence of IP addresses may vary from region to region; ping the MS Teams FQDN to find out what it resolves to in your region.
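The host certificate requirements listed above can be checked before the certificate is uploaded to the SBC. The following shell check is an added example, not part of the original configuration note or of Media5's tooling; the function names, the FAIL output format and the reading of 2048 bits as a minimum are assumptions of this example, and the sample certificate is a constructed self-signed one.

```shell
#!/bin/sh
# Added example: checks a PEM host certificate against the requirements
# listed above before it is uploaded to the SBC. Needs openssl 1.1.1+.
# Not checked here: that the issuer is a public CA approved by Microsoft.

# check_host_cert CERT.pem FQDN
# Prints one FAIL line per unmet requirement; returns 0 only if all are met.
check_host_cert() {
    cert=$1 fqdn=$2 rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # Key length: at least 2048 bits (RSA key assumed, as in the page's test).
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL key length: ${bits:-unknown} bits"; rc=1; }

    # Signature hash algorithm: SHA-256.
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256' ||
        { echo "FAIL signature hash is not SHA-256"; rc=1; }

    # Extended usage: both server and client authentication.
    for usage in 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
        printf '%s\n' "$text" | grep -q "$usage" ||
            { echo "FAIL missing EKU: $usage"; rc=1; }
    done

    # SBC FQDN in the SAN, or in the CN when no SAN is present.
    # Wildcard SAN entries are matched as well.
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match' ||
        { echo "FAIL $fqdn not in CN/SAN"; rc=1; }

    return "$rc"
}

# Constructed sample input: a throwaway self-signed certificate.
# make_sample_cert OUT.pem NAME EKU_LIST
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -addext "extendedKeyUsage=$3" \
        -keyout "$1.key" -out "$1" 2>/dev/null && rm -f "$1.key"
}

# Script use: sh check_host_cert.sh host_cert.pem sbcteams.mediatrix.com
if [ "$#" -eq 2 ]; then check_host_cert "$1" "$2"; fi
```

A certificate that passes still has to chain to a CA on Microsoft's approved list, which this check does not verify.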
Sentinel Set-Up for Teams
The following is the network topology tested in this setup.
- A FreePBX (peered to the lan_ip_pbx_ca call agent) is used as the enterprise IP PBX. It has a SIP trunk pointing to the Sentinel SBC; signaling is plain UDP and media is unencrypted RTP.
- The Microsoft Direct Routing trunk is peered to the MS_Teams_Direct_Routing_ca call agent. The signaling with MS Teams is over TLS and media is encrypted with sRTP.
- The topology between FreePBX and MS Teams is as follows:
- The Sentinel SBC is deployed behind a NAT firewall and only the Uplink interface is used. TCP port 5061, as well as UDP 21000-21010, are port forwarded to the SBC by the NAT firewall.
Importing Rulesets
Configuring the Local Firewall
Use this procedure if you cannot apply the specific firewall rules at the external NAT firewall outlined in the Microsoft Direct Routing Planning guide: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-plan
More information about configuring local firewall rules on DGW is available on: https://documentation.media5corp.com/display/DGWLATEST/Configuring+Local+Firewalls
- Go to Network/Local Firewall.
- In the Local Firewall Rules table, complete the fields for each rule managing the TCP packets as follows:
- Activation: Enable
- Source Address: IP address of the TCP incoming packet.
- Destination Address: Uplink
- Protocol: TCP
- Destination Port: 5061
- Action: Accept
- Complete the fields for each rule managing the UDP packets as follows:
- Activation: Enable
- Source Address: IP address of the UDP incoming packet.
- Destination Address: Uplink
- Source Port: Source port of the incoming UDP packet.
- Protocol: UDP
- Destination Port: 30000-30999
- Action: Accept
- Click Save & Apply.
Configuring the Signaling Interfaces
Configuring the Media Interfaces
Configuring the MS_Teams_Direct_Routing_ca Call Agent
- Go to SBC/Configuration.
- In the Call Agent Configuration table, click .
- In the Configure Call Agent table, complete the fields as follows:
- Name: MS_Teams_Direct_Routing_ca
- Enable: checked
- Signaling Interface: teams_s
- Media Interface: teams_m
- Peer Host: sip.pstnhub.microsoft.com:5061
- Force Transport: Tls
- Keep-Alive Interval: 30
- Blacklisting Duration: 60
- Blacklisting Delay: 0
- Custom Header: X-MS-SBC: Mediatrix/%productseries%/%version%
- In the Call Agent Rulesets table, from the Name selection list, select MS_Teams_interop.
- In the Parameters field, enter CC=Country Code and DIGITS=Number of digits of CC + 1, e.g. CC=1 DIGITS=2, or CC=34 DIGITS=3.
- Click Save.
Configuring the lan_ip_pbx_ca Call Agent
- Go to SBC/Configuration.
- In the Call Agent Configuration table, click located on the same line as lan_ip_pbx_ca
- In the Configure Call Agent table, complete the fields as follows:
- Name: lan_ip_pbx_ca
- Enable: checked
- Signaling Interface: pbx_s
- Media Interface: pbx_m
- Peer Host: IP address of the local IP PBX
- Force Transport: none
- Keep-Alive Interval: 30
- Blacklisting Duration: 0
- Blacklisting Delay: 0
- In the Call Agent Rulesets table, from the Name selection list, select force_media_plain_rtp_handle_replaces.
- Click Save.
Associating Routing Ruleset to the Configuration
- Go to SBC/Configuration.
- In the Routing Rulesets table, click .
- From the Name selection list, choose MS_Teams_PBX_routes
- Click Apply.
MS_Teams_to_pbx Routing Ruleset
- If the MS Teams client dials any number, the call is routed to lan_ip_pbx_ca, i.e. FreePBX.
- If the call is initiated from the FreePBX, the call is routed to MS Teams and the transport is forced to TLS.