Microsoft Teams Direct Routing and Sentinel Interoperability PBX Scenario

This configuration note explains the configuration required to use Microsoft Teams with the Sentinel and an IP PBX.

The Sentinel SBC from Media5 is the Session Border Controller used in the Enterprise model of Microsoft. It terminates the MS Direct Routing trunk and provides interconnection to various types of telephony endpoints that are not covered in this document:
  • External 3rd party SIP trunk
  • PRI or FXS/FXO telephony interfaces to legacy PBX
  • Analog telephone adaptors (ATA)

For more information on Microsoft Direct Routing planning, visit: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-plan.


Requirements for MS Teams

  • Refer to the following link for MS Teams direct routing requirements: https://docs.microsoft.com/en-us/microsoftteams/onboarding-checklist-enable-office-365
  • A publicly resolvable FQDN for the Sentinel. The FQDN must be in one of the domains defined under your Microsoft Teams account. For example, the SBC FQDN is set to sbcteams.mediatrix.com, which is under the mediatrix.com domain.

  • At least one Microsoft Teams user must be created under the same domain. In our example, we have created one such account: media5user@mediatrix.com
  • DID phone numbers to dial in. You can get DID phone numbers under Microsoft Teams admin center/Users/Phone Numbers and assign them to a specific user (or to an auto-attendant, which is a pseudo-user).


Connecting to MS Teams with PowerShell

Before you begin
The Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.10.25008 package must be installed.
Steps
  1. Download and install PowerShell: https://docs.microsoft.com/en-us/SkypeForBusiness/set-up-your-computer-for-windows-powershell/set-up-your-computer-for-windows-powershell
  2. Open PowerShell from your PC. Run it as Administrator.
  3. Install the Microsoft Teams module if needed: https://docs.microsoft.com/en-us/MicrosoftTeams/teams-powershell-install#install-the-teams-powershell-module
  4. Type Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
  5. Click Yes to all.
  6. Enter Import-Module MicrosoftTeams
  7. Enter Connect-MicrosoftTeams
  8. Enter your tenant admin user name and password.

Configuring MS Teams Voice Routing

Steps
  1. In the MS Teams PowerShell, enter the command to create the Direct Routing SIP trunk.
    Note: For example New-CsOnlinePSTNGateway -Fqdn sbcteams.mediatrix.com -SipSignalingPort 5061 -MaxConcurrentSessions 5 -Enabled $true
  2. Enter the commands to create the actual voice route that will be used to route calls to the SBC.
    For example
    Set-CsOnlinePstnUsage -Identity Global -Usage @{Add="Montreal514Sherbrooke819"}
    and
    New-CsOnlineVoiceRoute -Identity "Montreal Sherbrooke" -NumberPattern "^\+1(514|819)(\d{7})$" -OnlinePstnGatewayList sbcteams.mediatrix.com -Priority 1 -OnlinePstnUsages "Montreal514Sherbrooke819"
    and
    New-CsOnlineVoiceRoutingPolicy "Montreal Sherbrooke" -OnlinePstnUsages "Montreal514Sherbrooke819"
  3. Enter the command to assign the routing policy to the users.
    Note: For example Grant-CsOnlineVoiceRoutingPolicy -Identity "user1@mediatrix.com" -PolicyName "Montreal Sherbrooke"
  4. If you need to assign an OnPremise number to a specific user, enter the command:
    Note: For example Set-CsUser -Identity "user1@mediatrix.com" -EnterpriseVoiceEnabled $true -HostedVoiceMail $true -OnPremLineURI tel:42565

Requirements for the Sentinel

  • DGW software version: MediatrixSentinel_Dgw_48.0.2430 or newer.
  • Rulesets created to use Teams with the Sentinel. Contact your sales representative.
  • A server certificate with the SBC FQDN in the Common Name or Subject Alternative Name, signed by one of the public CAs approved by Microsoft. In our test, the SBC host certificate was signed by Comodo (one-month Free Trial):
    • Key length 2048 bits
    • Signature Hash algorithm: SHA 256
    • Extended Usage: ClientAuthentication and ServerAuthentication
    • Common Name: sbcteams.mediatrix.com
    • The SAN may contain a wildcard FQDN. Most root CAs charge extra for that, and the Comodo free trial does not allow it, so it was skipped.


  • Generate the necessary CSR (Certificate Signing Request), and later combine the private key and the CA signed certificate to form a host certificate to upload to the Sentinel: Refer to https://documentation.media5corp.com/display/DGWLATEST/Creating+a+Media5+Device+Host+Certificate+with+OpenSSL
  • Install the Baltimore CyberTrust Root CA certificate on the SBC (https://www.digicert.com/digicert-root-certificates.htm); it is used to validate the MS Teams servers (sip.pstnhub.microsoft.com, sip2.pstnhub.microsoft.com, sip3.pstnhub.microsoft.com).
  • Associate the host certificate to the SBC service. Make sure only 1 certificate is associated to it. Refer to https://documentation.media5corp.com/display/DGWLATEST/Using+Trusted+CA+and+Host+Certificates for more details.
  • To speed up incoming calls from Teams, set up the following static DNS entries, because calls from the Teams Direct Routing server may come from another IP address (not one of those resolved by DNS):
    Hoc.StaticHosts.DeleteAllRows
    Hoc.InsertStaticHost Name="sip.pstnhub.microsoft.com" IpAddresses="52.114.132.46,52.114.148.0,52.114.132.46,52.114.75.24,52.114.76.76,52.114.7.24,52.114.14.70"

    # The sequence of IP addresses may vary from region to region; ping the MS Teams FQDN to find out what it resolves to in your region.
Note: There are also different FQDNs for US government and Department of Defense. Follow the MS Teams Direct Routing planning document; you can find the IP addresses for these domains there.
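
The certificate requirements listed above (key length, signature hash, extended usage, FQDN in the Common Name or SAN) can be checked with OpenSSL before the host certificate is uploaded to the Sentinel. The script below is an added example, not part of the original configuration note or of Media5 tooling. The function names check_sbc_cert and make_sample_cert are hypothetical, the sample certificates are self-signed and constructed for the demonstration, and the check does not verify that the certificate chains to a CA approved by Microsoft.

```bash
#!/usr/bin/env bash
# Added example: function names are hypothetical, sample certificates are constructed.

# check_sbc_cert CERT.pem FQDN
# Prints each unmet requirement; the exit status is the number of unmet requirements.
check_sbc_cert() {
  local cert=$1 fqdn=$2 fails=0 text bits eku usage
  text=$(openssl x509 -in "$cert" -noout -text) || return 99

  # Key length: 2048 bits or more
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key length is ${bits:-unknown} bits"; fails=$((fails + 1)); }

  # Signature hash algorithm: SHA-256
  printf '%s\n' "$text" | grep -qi 'Signature Algorithm:.*sha256' ||
    { echo "FAIL: signature hash is not SHA-256"; fails=$((fails + 1)); }

  # Extended usage: both ServerAuthentication and ClientAuthentication
  eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
  for usage in 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
    case $eku in
      *"$usage"*) ;;
      *) echo "FAIL: extended key usage lacks $usage"; fails=$((fails + 1)) ;;
    esac
  done

  # SBC FQDN in the Common Name or SAN (a wildcard SAN entry also matches)
  openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match' ||
    { echo "FAIL: certificate does not cover $fqdn"; fails=$((fails + 1)); }

  return "$fails"
}

# make_sample_cert OUT.pem NAME EKU: self-signed test certificate (needs OpenSSL 1.1.1+ for -addext)
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 -keyout "$1.key" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" -addext "extendedKeyUsage=$3" \
    -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/good.pem" sbcteams.mediatrix.com serverAuth,clientAuth
make_sample_cert "$tmp/bad.pem" sbc.example.test serverAuth
for c in good bad; do
  check_sbc_cert "$tmp/$c.pem" sbcteams.mediatrix.com &&
    echo "$c: all requirements met" || echo "$c: $? requirement(s) unmet"
done
rm -rf "$tmp"
```

Run check_sbc_cert against the CA-signed certificate returned for your CSR, passing the FQDN you registered with New-CsOnlinePSTNGateway.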

Sentinel Set-Up for Teams

The following is the Network topology tested in this setup.

  • A FreePBX (peered to the lan_ip_pbx_ca call agent) is used as the enterprise IP PBX. It has a SIP trunk pointing to the Sentinel SBC; signaling is plain UDP and media is unencrypted RTP.
  • The Microsoft Direct Routing trunk is peered to the MS_Teams_Direct_Routing_ca call agent. The signaling with MS Teams is over TLS and media is encrypted with sRTP.
  • The topology between FreePBX and MS Teams is as follows:

  • The Sentinel SBC is deployed behind a NAT firewall and only the Uplink interface is used. TCP port 5061, as well as UDP 21000-21010, are port forwarded to the SBC by the NAT firewall.

Importing Rulesets

Before you begin
Rulesets must first be imported. Contact your sales representative to obtain the required rulesets to use Teams with the Sentinel.
Context
This procedure is valid for Call Agent and Routing Rulesets.
Steps
  1. Go to Management/File.
    Note: Step 2 is only required when importing the first Ruleset and if you are not using a secure connection to access the Management Interface (http://).
  2. Click Activate unsecure file importation from the Web browser.
  3. From the Path field, select sbc/rulesets/.
  4. Click Browse, and navigate to the following Rulesets to import:
    1. force_media_plain_rtp_handle_replaces.crs
    2. MS_Teams_interop.crs
    3. MS_Teams_PBX_routes.rrs
    Note: Ruleset file extension must be *.crs for Call Agent Rulesets or *.rrs for Routing Rulesets.
  5. Click Import.
Result
The imported Rulesets will appear in the Internal files table, with the selected path in front of the name. The Ruleset will be available in the tables of the SBC/Rulesets page.


Configuring the Local Firewall

Context

Use this procedure if you cannot apply the specific firewall rules at the external NAT firewall outlined in the Microsoft Direct Routing Planning guide: https://docs.microsoft.com/en-us/microsoftteams/direct-routing-plan

More information about configuring local firewall rules on DGW is available on: https://documentation.media5corp.com/display/DGWLATEST/Configuring+Local+Firewalls

Steps
  1. Go to Network/Local Firewall.
  2. In the Local Firewall Rules table, complete the fields for each rule managing the TCP packets as follows:
    1. Activation: Enable
    2. Source Address: IP address of the TCP incoming packet.
    3. Destination Address: Uplink
    4. Protocol: TCP
    5. Destination Port: 5061
    6. Action: Accept
  3. Complete the fields for each rule managing the UDP packets as follows:
    1. Activation: Enable
    2. Source Address: IP address of the UDP incoming packet.
    3. Destination Address: Uplink
    4. Source Port: Source port of the incoming UDP packet.
    5. Protocol: UDP
    6. Destination Port: 30000-30999
    7. Action: Accept
  4. Click Save & Apply.


Configuring the Signaling Interfaces

Steps
  1. Go to SBC/Configuration.
  2. In the Signaling Interface Configuration table, configure the pbx_s as follows:
    1. Name: pbx_s
    2. Network: Uplink
    3. Port: 5062
    4. Secure Port: 5063
    5. Allowed Transport: All
    6. TLS Mode: Client
    7. Public Address: leave empty
    Note: This is the signaling interface used by the LAN IP PBX (no NAT)
  3. Click and complete the fields as follows.
    1. Name: teams_s
    2. Network: Uplink
    3. Port: 5060
    4. Secure Port: 5061
    5. Allowed Transport: TlsOnly
    6. TLS Mode: Both
    7. Public Address: FQDN assigned to the SBC
    Note: This is the signaling interface used by MS Teams (interface set to TLS only). The Public Address field must contain the FQDN assigned to the SBC: MS Teams requires the FQDN in the host part of the SIP Contact header and otherwise replies with SIP 403 Forbidden.

Configuring the Media Interfaces

Steps
  1. Go to SBC/Configuration.
  2. In the Media Interface Configuration table, configure the pbx_m Media interface as follows:
    1. Name: pbx_m
    2. Network: Uplink
    3. Port Range: 21000-21200
    4. Public Address: leave empty
    Note: This is the media interface used by the LAN IP PBX (no NAT)
  3. Click and configure the fields as follows:
    1. Name: teams_m
    2. Network: Uplink
    3. Port Range: 30000-30999
    4. Public Address: external Public IP address of the SBC
    Note: This is the media interface used by MS Teams (with near end NAT enabled, public IP address assigned)

Configuring the MS_Teams_Direct_Routing_ca Call Agent

Steps
  1. Go to SBC/Configuration.
  2. In the Call Agent Configuration table, click .
  3. In the Configure Call Agent table, complete the fields as follows:
    1. Name: MS_Teams_Direct_Routing_ca
    2. Enable: checked
    3. Signaling Interface: teams_s
    4. Media Interface: teams_m
    5. Peer Host: sip.pstnhub.microsoft.com:5061
    6. Force Transport: Tls
    7. Keep-Alive Interval: 30
    8. Blacklisting Duration: 60
    9. Blacklisting Delay: 0
    10. Custom Header: X-MS-SBC: Mediatrix/%productseries%/%version%
  4. In the Call Agent Rulesets table, from the Name select MS_Teams_interop.
  5. In the Parameters field, enter CC=Country Code and DIGITS=Number of digits of CC + 1, e.g. CC=1 DIGITS=2, or CC=34 DIGITS=3.
  6. Click Save.



Configuring the lan_ip_pbx_ca Call Agent

Steps
  1. Go to SBC/Configuration.
  2. In the Call Agent Configuration table, click located on the same line as lan_ip_pbx_ca
  3. In the Configure Call Agent table, complete the fields as follows:
    1. Name: lan_ip_pbx_ca
    2. Enable: checked
    3. Signaling Interface: pbx_s
    4. Media Interface: pbx_m
    5. Peer Host: IP address of the local IP PBX
    6. Force Transport: none
    7. Keep-Alive Interval: 30
    8. Blacklisting Duration: 0
    9. Blacklisting Delay: 0
  4. In the Call Agent Rulesets table, from the Name select force_media_plain_rtp_handle_replaces
  5. Click Save.



Associating Routing Ruleset to the Configuration

Steps
  1. Go to SBC/Configuration.
  2. In the Routing Rulesets table, click .
  3. From the Name selection list, choose MS_Teams_PBX_routes
  4. Click Apply.

MS_Teams_to_pbx Routing Ruleset

  • If the MS Teams client dials any number, the call is routed to lan_ip_pbx_ca, i.e. FreePBX.
  • If the call is initiated from the FreePBX, the call is routed to MS Teams and the transport is forced to TLS.