
Skype for Business, telephony, Unified Communications, microsoft teams, Modern Workplace, Productivity, PSTN Calling | May 24, 2018, 2:24:14 PM

Microsoft Phone System Direct Routing Public Preview

Configure Direct Trunking to Microsoft Teams with Ribbon SBC Edge

 

As per this week’s announcement, Microsoft Phone System Direct Routing is now in public preview!

What does this mean?

In essence, this means that it is now possible to configure a SIP Trunk directly from a supported on-premises Session Border Controller (SBC) to Microsoft Teams via the internet.

 

 


 

Microsoft’s Enterprise Voice Strategy for the Cloud

To understand how this fits into the overall picture, the diagram below outlines the main components that come together to enable PSTN connectivity for Office 365 in Australia. This diagram assumes I do not have an on-premises Skype for Business server deployed, and simply want to enable voice services for users homed within Office 365 with minimal on-premises infrastructure:

 


 

To summarise what options are available today:

  • There are two platforms in the Microsoft cloud that can provide voice services: Skype for Business & Microsoft Teams
  • To enable PBX like capabilities in either, users must have a Phone System license
  • To enable connectivity to the PSTN network, there are three options:
    • Direct routing for Teams - enables PSTN connectivity for Microsoft Teams only. Requires on-premises infrastructure (SBC).
    • Telstra Calling for Office 365 - enables PSTN connectivity for both Skype for Business Online and Microsoft Teams. A pure cloud offering.
    • Cloud Connector Edition (CCE) - enables PSTN connectivity for Skype for Business Online only. Requires on-premises infrastructure (SBC & Hyper-V Host with VMs).

How does Direct Routing Differ from CCE?

Microsoft Cloud Connector Edition was a great way to enable PSTN connectivity for Skype for Business Online users, particularly as native cloud calling plans are only now available in Australia. However, CCE will support PSTN connectivity for Skype for Business Online only, not Microsoft Teams. The other key differentiator with Direct Routing is that I no longer need to deploy the Cloud Connector Edition virtual machines as well as an SBC to provide connectivity to the Office 365 cloud: a certified SBC is all that is required.

Another major difference with Direct Routing is that it can be deployed side by side with Telstra Calling for Office 365 Calling Plans. This means we now have greater flexibility in deployment options: I can choose to have some calls route via on-premises infrastructure, and other calls to route to the PSTN network direct from the cloud via Telstra Calling. This is useful in environments where I may want to route some calls to existing on-premises infrastructure (call centres, analogue endpoints, other 3rd party telephony infrastructure), but have the bulk of my organisation’s PSTN calls route via a Telstra Calling Plan (ignore “Microsoft Calling Plan” in the diagram below, in Australia it’s known as a Telstra Calling Plan):

 


 

Call Routing Options with Microsoft Teams

Now that there are two ways I can route calls to the PSTN from Microsoft Teams at the same time, how do I control what routes where?

Per User Call Routing

Using this approach, users are configured to route all their calls via Direct Routing or via a Telstra Calling Plan. In this example, one user is assigned a Calling Plan (pure cloud), the other a Direct Routing policy (via on-premises SBC):

 


 

Route Based on Dialling Pattern

Using this approach, calls are routed via Telstra Calling plan or Direct Routing based on the number dialled. For example, if I dial extensions associated with an on-premises call centre, these route via Direct Routing, all other calls via a Telstra Calling Plan:

 


 

Call Flow Logic

In the above example, calls route one of two ways depending on the number dialled. But what’s the logic? How does it “know” to route via a calling plan if Direct Routing fails to find a match? The following diagram outlines the decision tree when a user makes a phone call. As long as the user is licensed for Telstra Calling from within the Office 365 portal, the call will automatically route if no matching Direct Routes are found:

 


 

 

Direct Routing: How to Configure

In this section, I will walk through end to end configuration that enables Direct Routing with Microsoft Teams from an on-premises SIP Trunk, via a Ribbon SBC Edge 1000. This section assumes you have an intimate knowledge of Ribbon SBC configuration!

What Do I Need?

The following diagram gives a good overview of all the requirements needed to enable Direct Routing:

 


 

For more details on planning and configuring direct routing, check out the following Microsoft Docs:

Plan Direct Routing

Configure Direct Routing

 

Step 1: Office 365 Tenant Direct Routing Configuration

  • Connect to Office 365 Remote PowerShell

 

$acctName = "admin@domain.onmicrosoft.com"

$sfboSession = New-CsOnlineSession -UserName $acctName

Import-PSSession $sfboSession

 

  • Create Online PSTN Gateway

 

New-CsOnlinePSTNGateway -Fqdn teamstrunk.insynctechnology.com.au -SipSignallingPort 5061 -MaxConcurrentSessions 10 -ForwardCallHistory $true -Enabled $true

 


 

  • Create an empty PSTN Usage

 

Set-CsOnlinePstnUsage -Identity Global -Usage @{Add="Australia"}

 



  • Create Voice Routes and Associate with PSTN Usage

 

New-CsOnlineVoiceRoute -Identity "AU-Emergency" -NumberPattern "^\+000$" -OnlinePstnGatewayList teamstrunk.insynctechnology.com.au -Priority 1 -OnlinePstnUsages "Australia"

New-CsOnlineVoiceRoute -Identity "AU-Service" -NumberPattern "^\+61(1\d{2,8})$" -OnlinePstnGatewayList teamstrunk.insynctechnology.com.au -Priority 1 -OnlinePstnUsages "Australia"

New-CsOnlineVoiceRoute -Identity "AU-National" -NumberPattern "^\+61\d{9}$" -OnlinePstnGatewayList teamstrunk.insynctechnology.com.au -Priority 1 -OnlinePstnUsages "Australia"

New-CsOnlineVoiceRoute -Identity "AU-International" -NumberPattern "^\+(?!(61190))([1-9]\d{9,})$" -OnlinePstnGatewayList teamstrunk.insynctechnology.com.au -Priority 1 -OnlinePstnUsages "Australia"
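
The following is an added example, not part of the original post: it runs the four NumberPattern values above against sample numbers to show which calls match a Direct Routing route and which fall through to the no-match branch of the call flow described earlier. The helper name Get-MatchingRoute, the $routes table and the sample numbers are assumptions constructed for illustration, and the emergency pattern is written with the plus sign escaped like the other three routes.

```powershell
# Added example: check the Step 1 NumberPattern values offline with the .NET regex engine.
# Patterns mirror the four New-CsOnlineVoiceRoute commands (emergency pattern with "\+").
$routes = [ordered]@{
    'AU-Emergency'     = '^\+000$'
    'AU-Service'       = '^\+61(1\d{2,8})$'
    'AU-National'      = '^\+61\d{9}$'
    'AU-International' = '^\+(?!(61190))([1-9]\d{9,})$'
}

function Get-MatchingRoute {
    # Hypothetical helper: names of every voice route whose pattern matches $Number.
    param([Parameter(Mandatory)][string]$Number)
    $routes.GetEnumerator() |
        Where-Object { [regex]::IsMatch($Number, $_.Value) } |
        ForEach-Object { $_.Key }
}

# Constructed sample numbers (not real subscribers), normalised to E.164.
$samples = @(
    '+000'            # emergency
    '+61131234'       # 13-style service number
    '+61799999999'    # national number used for the test user later in the post
    '+442071234567'   # international
    '+611300123456'   # 1300-style number
    '+611900123456'   # 1900-style premium-rate number
)

$samples | ForEach-Object {
    $hits = @(Get-MatchingRoute -Number $_)
    [pscustomobject]@{
        Number = $_
        Routes = if ($hits.Count) { $hits -join ', ' } else { '(no match)' }
        Path   = if ($hits.Count) { 'Direct Routing via the SBC' } else { 'Telstra Calling Plan, if licensed' }
    }
} | Format-Table -AutoSize
```

With these patterns the constructed 1900-style number matches no route, because the (?!(61190)) lookahead excludes it from AU-International, while the national test number matches both AU-National and AU-International.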

 


  • Create Voice Routing Policy

 

New-CsOnlineVoiceRoutingPolicy "Australia" -OnlinePstnUsages "Australia"

 


 

Step 2: Ribbon SBC Edge 1000 Configuration

Node-Level settings

Ensure the following general node-level settings have been configured:

  • From the SBC Web GUI, navigate to System > Node-Level Settings
  • Check that NTP is configured and the time is correct (the TLS trunk will not negotiate if the time is incorrect)
  • Check that a DNS server is configured. To test DNS resolution, make sure the following can be resolved: pstnhub.microsoft.com (test from Diagnostics > Ping Destination)

 



Note: Don't expect a valid ICMP response, all we care about is a valid DNS resolution (the above example shows a successful resolution).

Certificates

The SIP Trunk I’ll be configuring between the SBC and Microsoft Teams must be a secure TLS trunk. To support this, a public certificate is required.

Important: Ribbon SBC Edge series appliances can only support one certificate installed at a time. If you’re planning to use an existing Edge series SBC for Direct Routing to Teams, you may already be using a certificate to support TLS trunks. If that’s the case, you’ll need to either revert to using TCP for existing trunks before updating the certificate, or add your SBC’s FQDN to the public certificate that you plan to use for Direct Routing to Teams.

Request Certificate

  • From the SBC Web GUI, navigate to Settings > Security > SBC Certificates
  • Click Generate Sonus CSR
  • Fill in the required fields



Make sure to also obtain the Trusted Root and Intermediate certificates from your public certification authority, as these will also need to be imported to the Ribbon SBC.

Apply Certificates

After receiving the certificates from the certification authority, install the SBC certificate and the Root/Intermediate certificates:

  • From the SBC Web GUI, navigate to Settings > Security > SBC Certificates > Trusted Root Certificates
  • At the top left of the page click “import” and select the trusted root and (if applicable) any intermediate certificates
  • Validate that the certificate installed correctly


  • From the SBC Web GUI, navigate to Settings > Security > SBC Certificates > Sonus Certificate
  • At the top of the page click Import > X.509 Signed Certificate and install
  • Validate that the certificate installed correctly


Deploy Baltimore Trusted Root Certificate

The Microsoft Phone System Hybrid Voice Connectivity Interface has the DNS name sip.pstnhub.microsoft.com. This interface uses a public certificate issued under the Baltimore CyberTrust Root, which will also need to be trusted by your SBC:

 


  • Download the certificate from https://cacert.omniroot.com/bc2025.crt
  • From the SBC Web GUI, navigate to Settings > Security > SBC Certificates > Trusted Root Certificates
  • At the top left of the page click “import” and select the Baltimore trusted root cert
  • Validate that the certificate installed correctly


TLS Configuration

Create TLS Profile

The TLS profile defines the crypto parameters for the SIP protocol. To create a new TLS profile:

  • From the SBC Web GUI, navigate to Settings > Security > TLS Profiles
  • At the top left corner of the main pane click “+” and add a new TLS Profile

| Parameter | Value |
|---|---|
| Description | MS Phone System TLS Profile |
| TLS Protocol | TLS 1.2 Only |
| Validate Client FQDN | Disabled |

 

 


SIP Profile Configuration

SIP profiles allow you to configure parameters such as SIP header customisations, option tags, etc.

  • From the SBC Web GUI, navigate to Settings > SIP > SIP Profiles
  • At the top left corner click “+” and add a new SIP profile

| Parameter | Value |
|---|---|
| Description | MS Phone System SIP Profile |
| FQDN in From Header | Sonus SBC FQDN |
| FQDN In Contact Header | Sonus SBC FQDN |
| Origin Field name | Ribbon SBC FQDN |

 


 

Media Configuration

Configure Media Crypto Profile

The Media Crypto Profile defines the encryption mechanism to use between the SBC and Microsoft Phone System Interface. To add a Media Crypto Profile:

  • From the SBC Web GUI, navigate to Settings > Media > Media Crypto Profiles
  • At the top left corner click “+” and add a new Media Crypto Profile

| Parameter | Value |
|---|---|
| Description | MS Phone System Media Crypto Profile |
| Operation Option | Supported |
| Crypto Suite | AES_CM_128_HMAC_SHA1_80 |

 

 


 

Configure Media List

The Media List defines the codecs and whether the crypto mechanism will be used. To create a Media List:

  • From the SBC Web GUI, navigate to Settings > Media > Media List
  • At the top left corner click “+” and add a new Media List:

| Parameter | Value |
|---|---|
| Description | MS Phone System Media List |
| Media Profiles List | Default G711a, Default G711u |
| Crypto Profile ID | MS Phone System Media Crypto Profile |

 

 


Configure SIP Server Table

The SIP server table defines the information about the SIP interfaces connected to the Sonus SBC. To add a new SIP Server Table:

 

  • From the SBC Web GUI, navigate to Settings > SIP > SIP Server Tables
  • At the top left corner of the main pane click “+” and add a new SIP Server Table
  • Name the Table and click save
  • Click on the new SIP Server Table, and configure the following

 

| Parameter | SBC 1 | SBC 2 | SBC 3 |
|---|---|---|---|
| Priority | 1 | 2 | 3 |
| Host | sip.pstnhub.microsoft.com | sip2.pstnhub.microsoft.com | sip3.pstnhub.microsoft.com |
| Port | 5061 | 5061 | 5061 |
| Protocol | TLS | TLS | TLS |
| TLS Profile | Microsoft Phone System | Microsoft Phone System | Microsoft Phone System |
| Monitor | SIP Options | SIP Options | SIP Options |

 

 


 

Configure Transformation Tables and Routing Tables

If you’ve made it this far, I would assume you are already familiar with transformation and routing table configuration. For completeness’ sake, here are the ones I created for my test Direct Routing number:

 



 

 

Configure Route Table

You will need to route calls both to and from your Microsoft Teams Direct Routing trunk:



 



 

 

Create Signalling Group

To create a new signalling group:

  • From the SBC Web GUI, navigate to Settings > Signalling Groups
  • At the top left corner of the main pane click “Create SIP Signalling Group”

| Parameter | Value |
|---|---|
| Description | MS Phone System |
| Call Routing Table | From MS Phone System |
| No. of Channels | 10 |
| SIP Profile | MS Phone System SIP Profile |
| SIP Server Table | MS Phone System Sip Server Table |
| Load Balancing | Priority |
| Media List ID | MS Phone System Media List |
| Signalling Media/Private IP | Ethernet 1 (whichever port you’re using to route to/from Office 365) |
| Outbound NAT Traversal | Static NAT |
| NAT Public IP (Signalling/Media) | 121.50.209.233 |
| Listen Port | Port: 5061; Protocol: TLS; TLS Profile ID: MS Phone System TLS Profile |
| Federated IP/FQDN | sip.pstnhub.microsoft.com, sip2.pstnhub.microsoft.com, sip3.pstnhub.microsoft.com, sip-all.pstnhub.microsoft.com |

 

 


 

Note: Make sure to add sip-all.pstnhub.microsoft.com to the Federated IP/FQDN list. In testing, I was receiving SIP invites from IP addresses that were not resolvable via the three Microsoft documented “pstnhub” FQDNs. This meant that every third inbound call to Microsoft Teams would fail as the source IP was unknown. Adding this additional record was the solution.

Once this has been created, confirm you are sending and receiving SIP Options and 200 OK responses in both directions:

  • From the SBC Web GUI, navigate to Settings > Signalling Groups
  • For the MS Phone System Signalling Group, click on Counters


Step 3: Enable Users for Direct Routing with Microsoft Teams

Now that the SBC configuration has been completed, we can enable our Microsoft Teams users for calls via Direct Routing.

Ensure User is Homed to Office 365

If you are still running a hybrid Skype for Business environment, enabling users for Direct Routing with Teams is only supported if they are homed in Office 365. To check this, run the following cmdlet and ensure the Registrar Pool FQDN ends in “infra.lync.com”:

Get-CsOnlineUser -Identity "Patrick Bateman" | fl RegistrarPool

 


Ensure User is Licensed for Phone System

Your users will need to be licensed for Microsoft Phone System in order to enable calls within Microsoft Teams. To check:

Connect-MsolService

(Get-MsolUser -UserPrincipalName patrick.bateman@insynctechnology.com.au).Licenses.ServiceStatus

 


Enable Telephony Features and Configure Phone Number

The following cmdlet will enable the user for Phone System calling, enable Azure Voicemail, and configure their phone number:

 

Set-CsUser -Identity patrick.bateman@insynctechnology.com.au -EnterpriseVoiceEnabled $true -HostedVoiceMail $true -OnPremLineURI tel:+61799999999

 


 

Configure Voice Routing

The final step is to assign the Online Voice Routing Policy we created earlier to the user. To do this:

 

Grant-CsOnlineVoiceRoutingPolicy -Identity "patrick.bateman@insynctechnology.com.au" -PolicyName Australia

To check that everything has been configured correctly, run the following:

Get-CsOnlineUser -Identity "patrick.bateman@insynctechnology.com.au" | Format-List -Property FirstName, LastName, EnterpriseVoiceEnabled, HostedVoiceMail, LineURI, UsageLocation, UserPrincipalName, WindowsEmailAddress, SipAddress, OnPremLineURI, OnlineVoiceRoutingPolicy

 


 

 

Testing

Outbound to PSTN

 



 

 

Inbound Call from PSTN


 

 

 

Resources

A lot of the diagrams for this post came from a great video available on YouTube. Check it out here: Office 365 Microsoft Teams Direct Routing Deep Dive.

 

I hope you find this post useful. As usual, ping me with any questions or queries, always happy to help.

 
