Microsoft Teams Direct Routing & Cisco CUCM Integration

George Goglidze, CCIE #19926

1. Lab information

1.1. Topology

The topology below has been used for this lab.

An office location, with:

  • CUCM
  • Firewall
  • Cisco CSR 1000v SBC

A home user with

  • Microsoft Teams.
[Figure (blog01): lab topology. Office site with CUCM, firewall and Cisco CSR 1000v SBC; home user with Microsoft Teams.]

IP Addresses given above are not real. But you get the idea.

1.2. Software Versions and Licenses

For lab purposes, trial licenses have been used everywhere.

  1. CUCM Version 11.5 Restricted
  2. Cisco CSR 1000v IOS XE Software Version 16.12.05

On the Microsoft side, Direct Routing requires the following licenses:

  • Microsoft Phone System.
  • Microsoft Teams + Skype for Business Plan 2, if not already included in your licensing.
  • Microsoft Audio Conferencing (only required for specific scenarios; check Microsoft's Direct Routing licensing notes for when it applies).

1.3. Certificates

Unfortunately, a publicly signed certificate was required for this lab, specifically for the SBC, which means spending money on something that was never meant for production (ouch).

Here is the list of public CAs accepted by Microsoft Phone System for the SBC certificate:

  • AffirmTrust
  • AddTrust External CA Root
  • Baltimore CyberTrust Root*
  • Buypass
  • Cybertrust
  • Class 3 Public Primary Certification Authority
  • Comodo Secure Root CA
  • Deutsche Telekom
  • DigiCert Global Root CA
  • DigiCert High Assurance EV Root CA
  • Entrust
  • GlobalSign
  • Go Daddy
  • GeoTrust
  • Verisign, Inc.
  • SSL.com
  • Starfield
  • Symantec Enterprise Mobile Root for Microsoft
  • SwissSign
  • Thawte Timestamping CA
  • Trustwave
  • TeliaSonera
  • T-Systems International GmbH (Deutsche Telekom)
  • QuoVadis

* The Baltimore CyberTrust Root is also the root that signs the certificates on Microsoft's own SIP proxies, so the SBC must trust it as well (see section 3.7).

Microsoft's certificate requirements page for Direct Routing carries the authoritative version of this list.

We will describe how to get the CSR and most of the process to get the publicly signed certificate shortly.

2. Environment

2.1. SBC Basic Configuration

Not much here really: set an IP address and you are set. Of course, it becomes more complex in a production environment, as the SBC borders your internal UC infrastructure with the outside world, so the security team will (rightly) want a say in how it is built.

The best approach for a production environment is two IP addresses on two interfaces: one for internal communication (which can also carry the SRTP traffic in Media Bypass mode), and one for external communication, sitting in a DMZ network.

To keep this lab voice-focused rather than going deep into the security aspects, I have kept it simple, with a single physical interface on the SBC.

Also, because of my lab's limitations, I use port NAT on the firewall to forward the incoming traffic from Microsoft Phone System to the SBC. It is equally possible to put a public IP on the SBC directly.

Warning: If the public IP is configured directly on the SBC, the configuration will be slightly different (in particular, the SIP profile rules that rewrite the private address to the public one are no longer needed). Please contact me if more clarification is needed. I'll be happy to help.

2.2. Firewall Rules

This is still unavoidable. Get your security hat on, and let's get to some basic firewall rules. We do not want the whole world to be able to reach the SIP services of your organisation, so let's start locking things down (or opening things up, depending on whether you are a glass-half-full or glass-half-empty kind of person).

Microsoft publishes two sets of addresses for Direct Routing. The rules below refer to them by the labels MS-SIP-PROXIES and MS-MEDIA (labels used here for readability only, not Microsoft names):

MS-SIP-PROXIES (signalling, individual /32 hosts): 52.114.148.0, 52.114.132.46, 52.114.75.24, 52.114.76.76, 52.114.7.24, 52.114.14.70, 52.114.16.74, 52.114.20.29
MS-MEDIA (media processors): 52.112.0.0/14, 52.120.0.0/14

These are the lists I used for this lab. Microsoft maintains and changes them, so verify them against the current Direct Routing documentation before putting rules into production.

The following rules are required for inbound traffic from Microsoft Phone System. The SBC sits behind a port-forwarding NAT, so the firewall translates the public destination address to the SBC's private address:

Source IP      | Source Port               | Protocol | Destination IP  | NAT Destination  | Destination Port | Description
MS-SIP-PROXIES | 1024-65535                | TCP/TLS  | <SBC Public IP> | <SBC Private IP> | 5061             | SIPS signalling from the Microsoft SIP proxies
MS-MEDIA       | 3478-3481 and 49152-53247 | UDP/SRTP | <SBC Public IP> | <SBC Private IP> | 8000-48198       | Media processors

The following rules are required for outbound traffic to Microsoft Phone System:

Source IP        | Source NAT      | Source Port | Protocol | Destination IP | Destination Port          | Description
<SBC Private IP> | <SBC Public IP> | 1024-65535  | TCP/TLS  | MS-SIP-PROXIES | 5061                      | SIPS signalling to the Microsoft SIP proxies
<SBC Private IP> | <SBC Public IP> | 8000-48198  | UDP/SRTP | MS-MEDIA       | 3478-3481 and 49152-53247 | Media processors

Inbound 5061 should be reachable only from the MS-SIP-PROXIES hosts (and from CUCM internally). The SBC's ip address trusted list in section 4.2 is a second line of defence, not a substitute for this rule.

2.3. DNS Entries

2.3.1. External DNS

The following DNS Entry will have to be configured so that Microsoft can reach your SBC:

  • SBC Public FQDN A Record must point to SBC Public IP Address

In my case:
A Record for sbc1.ccie.club points to 20.1.1.1 (Not my real IP, I challenge you to find the real one and make calls)

Warning: Microsoft will only accept an SBC whose FQDN is in a domain that you have already added and verified in your Microsoft 365 tenant; the default *.onmicrosoft.com domain cannot be used for this.

2.3.2. Internal DNS

Internally, we must be able to resolve hostnames to private IP addresses, as this is required for the CUCM to SBC communication: the SBC's session target for CUCM and the CUCM trunk destination are both FQDNs, because the TLS peers are validated by name.

The following A and PTR records will have to be configured:

  • SBC FQDN A Record must point to SBC Private IP Address
  • SBC Private IP Address PTR Record must point to SBC FQDN
  • CUCM FQDN A Record must point to CUCM IP Address
  • CUCM IP Address PTR Record must point to CUCM FQDN

3. Certificate Operations

As mentioned above, we need to install a publicly signed certificate on our SBC, for Microsoft Phone System to accept connections from it.

Let’s generate the CSR.

Note: From here on there is a lot of configuration. Everything you will have to modify for your own environment is called out in a comment next to it, so it is easy to identify.

3.1. Generate private key

The command below creates an RSA private key on the SBC. The exportable keyword allows the key to be exported together with the certificate (handy for backing up a lab box); on a production SBC consider leaving the key non-exportable so that it cannot leave the device.

crypto key generate rsa modulus 2048 label sbc exportable

3.2. Create a Trustpoint

The commands below create a trustpoint, which will then allow us to generate a CSR. Microsoft accepts the SBC FQDN either as the CN or as a Subject Alternative Name; most public CAs copy the CN into the SAN automatically, but check the issued certificate. The comments sit on their own lines because IOS only treats "!" as a comment at the start of a line, so the block can be pasted as-is.

crypto pki trustpoint sbc
 revocation-check none
 serial-number none
 ip-address none
 ! Your SBC's public FQDN.
 fqdn sbc1.ccie.club
 ! Same FQDN as above.
 subject-name cn=sbc1.ccie.club
 enrollment terminal
 rsakeypair sbc

3.3. Generate a CSR

The command below generates a certificate signing request (CSR), which we can submit to the public CA of our choice to obtain a certificate for this SBC.

crypto pki enroll sbc

Something like below will be shown:

sbc1(ca-trustpoint)#crypto pki enroll sbc
% Start certificate enrollment ..

% The subject name in the certificate will include: cn=sbc1.ccie.club
% The subject name in the certificate will include: sbc1.ccie.club
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
<base64-encoded certificate request, omitted here>
---End - This line not part of the certificate request---

Copy the base64 block between "Certificate Request follows:" and the "End" line into your CA's CSR form. If the form insists on PEM framing, wrap it in "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.

3.4. Sign the certificate

I will not cover the steps on how to purchase the publicly signed certificate, but it's relatively easy. It will set you back about £60. Don't tell me I didn't warn you.

3.5. Import CA certificate into the SBC

Once we execute the command below, it will ask us to paste in the certificate of the CA that signed our certificate. Open the file in a text editor and copy-paste the certificate; it will look like this:

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----

Above is just an example and not the actual content of the certificate.

Note: Usually, the CA will have a Root Certification Authority and a Subordinate (intermediate) Certification Authority. The one that must be authenticated here is the Subordinate CA that actually issued the SBC certificate; otherwise the import of the SBC certificate in the next step fails, because IOS cannot chain it to the CA held in the trustpoint. IOS prints the CA certificate's fingerprint and asks you to accept it; compare it with the fingerprint published by the CA before answering yes.

crypto pki authenticate sbc

3.6. Import SBC Certificate

Once we execute the command below, it will ask us to paste in the signed certificate of the SBC. Open the file in a text editor and copy-paste the certificate; it will look like this:

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----

Above is just an example and not the actual content of the certificate.

crypto pki import sbc certificate

3.7. Import Baltimore Certificate

We must also import the Baltimore CyberTrust Root CA certificate, as at the time of this lab it is the root that issues the certificates on Microsoft's SIP proxy servers. (Microsoft has since announced that its service certificates are moving to other roots, DigiCert Global Root G2 among them, so check the current Direct Routing documentation for the root(s) your SBC has to trust rather than relying on Baltimore alone.)

The Baltimore root is in the "Publicly Trusted Root Certificates" bundle that Microsoft publishes on its Office 365 certificate chains page. That file is a collection of all the root CAs that Microsoft uses in the Microsoft 365 environment, but we do not need all of them: open the file, export only the Baltimore certificate, and open the exported file in Notepad.

Once we execute the commands below, the SBC will ask us to paste in the Baltimore CA certificate. Copy-paste it from the text editor; it will look like this:

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----

Above is just an example and not the actual content of the certificate. Compare the fingerprint IOS prints during crypto pki authenticate with the published fingerprint of the Baltimore CyberTrust Root before accepting it.

crypto pki trustpoint Baltimore_Root_CA
 enrollment terminal
 revocation-check none
crypto pki authenticate Baltimore_Root_CA

3.8. Import CUCM Self-Signed Certificates

In my lab, all my CUCM certificates were self-signed. If in your case they are signed by a CA, internal or otherwise, use the same procedure, but import your CA's root and subordinate certificates instead of the CUCM certificates themselves.

Also, I only had a single CUCM node in the cluster, therefore no further servers were needed. If you have more than one node, you will have to import the CallManager certificate of every node, one per trustpoint, unless a CA has signed all of them; in that case just import the CA root and subordinate certificates.

Once we execute the commands below, the SBC will ask us to paste in the CUCM certificate. Open the file in a text editor and copy-paste the certificate; it will look like this:

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----

Above is just an example and not an actual output of the certificate.

crypto pki trustpoint cucm
enrollment terminal
revocation-check none
crypto pki authenticate cucm

To download the CUCM certificate, go to the Cisco Unified OS Administration web page, then Security -> Certificate Management.

Click Find to list all certificates, then locate the CallManager certificate:

[Screenshot (blog02): Certificate Management list showing the CallManager certificate]

Click on it, then download the PEM file by clicking the Download .PEM File button:

[Screenshot (blog03): certificate details page with the Download .PEM File button]

4. SBC Configuration

Before pasting the configuration below, make sure you replace the public/private IP addresses and FQDNs I have used with your own:
SBC Public IP: 20.1.1.1
SBC Private IP: 192.168.5.100
SBC hostname: sbc1
SBC domain: ccie.club
SBC FQDN: sbc1.ccie.club
DNS Server: 192.168.65.2
NTP Server: 0.uk.pool.ntp.org

4.1. Basic configuration

!Set a DNS server that can resolve both internal and external names
ip name-server 192.168.65.2
!Set the domain name (optional)
ip domain-name ccie.club
!Set the hostname
hostname sbc1

4.2. Voice Services Configuration

voice service voip
!IP Trust List to allow incoming connections from MS
ip address trusted list
ipv4 52.114.148.0 255.255.255.255
ipv4 52.114.132.46 255.255.255.255
ipv4 52.114.75.24 255.255.255.255
ipv4 52.114.76.76 255.255.255.255
ipv4 52.114.7.24 255.255.255.255
ipv4 52.114.14.70 255.255.255.255
ipv4 52.114.16.74 255.255.255.255
ipv4 52.114.20.29 255.255.255.255
!This is my CUCM IP Address
ipv4 192.168.65.10 255.255.255.255
address-hiding
!This needs reload.
mode border-element
!We must enable SRTP pass-thru between CUCM and MS
srtp pass-thru
allow-connections sip to sip
!This is to make sure the REFER method from MS is not sent across to CUCM
no supplementary-service sip refer
supplementary-service media-renegotiate
sip
session refresh
header-passing
error-passthru
conn-reuse
sip-profiles inbound
!
!
!This will be used to match inbound Dial Peer from MS
voice class uri 290 sip
pattern pstnhub.microsoft.com
!
!I’ve used this to match inbound Dial Peer from CUCM
voice class uri 190 sip
!My CUCM IP Address
pattern 192.168.65.10

voice class codec 1
!Set a list of codecs you want to support
codec preference 1 g711alaw
!
!This is for media bypass support
voice class stun-usage 1
stun usage ice lite
!
!
!All the 192.168.5.100 -> 20.1.1.1 rewrites below exist only because the SBC sits behind NAT;
!drop them if the SBC has the public IP configured directly.
!
!Applied to the OPTIONS keepalives towards Microsoft (see sip-options-keepalive 200)
voice class sip-profiles 299
rule 9 request ANY sip-header Via modify "SIP(.*) 192.168.5.100(.*)" "SIP\1 20.1.1.1\2"
rule 10 request OPTIONS sip-header From modify "<sip:192.168.5.100" "<sip:sbc1.ccie.club"
rule 20 request OPTIONS sip-header Contact modify "<sip:192.168.5.100" "<sip:sbc1.ccie.club"
rule 30 request OPTIONS sip-header User-Agent modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/CSR1000/\1"
rule 40 response ANY sdp-header Connection-Info modify "IN IP4 192.168.5.100" "IN IP4 20.1.1.1"
rule 50 response ANY sdp-header Audio-Connection-Info modify "IN IP4 192.168.5.100" "IN IP4 20.1.1.1"
!
!Applied to everything sent towards Microsoft (tenant 200)
voice class sip-profiles 200
rule 10 request ANY sip-header Contact modify "@192.168.5.100:" "@sbc1.ccie.club:"
rule 20 response ANY sip-header Contact modify "@192.168.5.100:" "@sbc1.ccie.club:"
rule 30 request ANY sip-header SIP-Req-URI modify "sip:(.*):5061 (.*)" "sip:\1:5061;user=phone \2"
rule 40 request ANY sip-header User-Agent modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/CSR1000/\1"
rule 50 response ANY sip-header Server modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/CSR1000/\1"
rule 60 request ANY sdp-header Audio-Attribute modify "a=sendonly" "a=inactive"
rule 70 response 200 sdp-header Audio-Connection-Info modify "0.0.0.0" "192.168.5.100"
rule 71 response ANY sdp-header Connection-Info modify "192.168.5.100" "20.1.1.1"
rule 72 response ANY sdp-header Audio-Connection-Info modify "192.168.5.100" "20.1.1.1"
rule 73 request ANY sdp-header Connection-Info modify "192.168.5.100" "20.1.1.1"
rule 74 request ANY sdp-header Audio-Connection-Info modify "192.168.5.100" "20.1.1.1"
!This one changes the IP Address for the RTCP connection
rule 100 request ANY sdp-header Audio-Attribute modify "192.168.5.100" "20.1.1.1"
!This one changes the IP Address for the RTCP connection
rule 110 response ANY sdp-header Audio-Attribute modify "192.168.5.100" "20.1.1.1"
!
!Applied inbound from Microsoft (tenant 200): rewrites the REFER target so dial-peer 280 can route it
voice class sip-profiles 290
rule 10 request REFER sip-header From copy "@(.*com)" u04
rule 20 request REFER sip-header Refer-To modify "sip:\+(.*)@.*:5061" "sip:+AAA\1@\u04:5061"
rule 30 request REFER sip-header Refer-To modify "<sip:sip.*:5061" "<sip:+AAA@\u04:5061"
rule 40 response ANY sip-header Server modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/CSR1000/\1"
!
!Applied on dial-peer 280 (REFER routing back to Microsoft)
voice class sip-profiles 280
rule 5 request INVITE sip-header SIP-Req-URI copy "@(.*)" u04
rule 10 request INVITE sip-header SIP-Req-URI copy "@(.*:5061)" u01
rule 20 request INVITE sip-header From copy "@(.*)>" u02
rule 30 request INVITE sip-header SIP-Req-URI modify "sip:\+AAA@" "sip:"
rule 40 request INVITE sip-header SIP-Req-URI modify "sip:\+AAA" "sip:"
rule 50 request INVITE sip-header History-Info modify "<sip:\+AAA@" "<sip:"
rule 60 request INVITE sip-header History-Info modify "<sip:\+AAA" "<sip:"
rule 70 request INVITE sip-header To modify "<sip:\+AAA@.*" "<sip:\u04>"
rule 80 request INVITE sip-header To modify "<sip:\+AAA" "<sip:\u04>"
rule 90 request ANY sip-header Contact modify "@.*:" "@\u02:"
rule 100 response ANY sip-header Contact modify "@.*:" "@\u02:"
rule 110 request ANY sdp-header Audio-Attribute modify "a=sendonly" "a=inactive"
rule 120 response 200 sdp-header Session-Owner copy "IN IP4 (.*)" u03
rule 130 response 200 sdp-header Audio-Connection-Info modify "0.0.0.0" "\u03"
rule 140 request ANY sip-header Via modify "SIP(.*) 192.168.5.100(.*)" "SIP\1 20.1.1.1\2"
rule 150 request INVITE sip-header Requested-By modify "sip:192.168.5.100>" "sip:20.1.1.1>"
rule 160 request ANY sdp-header Audio-Connection-Info modify "192.168.5.100" "20.1.1.1"
rule 170 request ANY sdp-header Connection-Info modify "192.168.5.100" "20.1.1.1"
rule 180 request ANY sdp-header Session-Owner modify "192.168.5.100" "20.1.1.1"
rule 190 response ANY sdp-header Audio-Connection-Info modify "192.168.5.100" "20.1.1.1"
rule 200 response ANY sdp-header Connection-Info modify "192.168.5.100" "20.1.1.1"
rule 210 response ANY sdp-header Session-Owner modify "192.168.5.100" "20.1.1.1"
rule 220 request ANY sdp-header Audio-Attribute modify "192.168.5.100" "20.1.1.1"
rule 230 response ANY sdp-header Audio-Attribute modify "192.168.5.100" "20.1.1.1"
!
!
!
!I’ve used the numbers below on Microsoft Teams side.
voice class e164-pattern-map 200
e164 +44201000000T
!
!
voice class sip-options-keepalive 200
transport tcp tls
sip-profiles 299
!
!This is for Microsoft side of communication
voice class tenant 200
srtp-crypto 1
localhost dns:sbc1.ccie.club
session transport tcp tls
no referto-passing
bind control source-interface GigabitEthernet1
bind media source-interface GigabitEthernet1
no pass-thru content custom-sdp
sip-profiles 200
sip-profiles 290 inbound
early-offer forced
block 183 sdp present
!
!This is for CUCM side of communication
voice class tenant 100
srtp-crypto 1
localhost dns:sbc1.ccie.club
session transport tcp tls
bind control source-interface GigabitEthernet2
bind media source-interface GigabitEthernet2
early-offer forced
!
!Let’s define SRTP crypto settings here
voice class srtp-crypto 1
crypto 1 AES_CM_128_HMAC_SHA1_80
!
!
!
!Inbound dial-peer for CUCM
dial-peer voice 100 voip
description CUCM Inbound
session protocol sipv2
incoming uri from 190
voice-class codec 1
voice-class stun-usage 1
voice-class sip tenant 100
!We must enable SRTP
srtp
no vad
!
!Outbound  dial-peer to CUCM
dial-peer voice 101 voip
description to cucm
!Destination patterns on CUCM
!Extension range on CUCM: 1 followed by exactly three digits
destination-pattern 1...
session protocol sipv2
!CUCM FQDN (it must be the FQDN, not the IP, as we are doing TLS with CUCM and the name is checked during the TLS negotiation)
session target dns:cucm.ccie.club
voice-class codec 1
voice-class stun-usage 1
voice-class sip tenant 100
voice-class sip options-keepalive
dtmf-relay rtp-nte
!We must enable SRTP
srtp
no vad
!
!
!Dial-peer to primary Microsoft Proxy Server
dial-peer voice 200 voip
rtp payload-type comfort-noise 13
session protocol sipv2
session target dns:sip.pstnhub.microsoft.com
destination e164-pattern-map 200
voice-class codec 1
voice-class stun-usage 1
voice-class sip tenant 200
voice-class sip options-keepalive profile 200
dtmf-relay rtp-nte
!We must enable SRTP
srtp
fax protocol none
no vad
!
!Dial-peer to secondary Microsoft Proxy Server
dial-peer voice 201 voip
preference 1
rtp payload-type comfort-noise 13
session protocol sipv2
session target dns:sip2.pstnhub.microsoft.com
destination e164-pattern-map 200
voice-class codec 1
voice-class stun-usage 1
voice-class sip tenant 200
voice-class sip options-keepalive profile 200
dtmf-relay rtp-nte
!We must enable SRTP
srtp
fax protocol none
no vad
!
!Dial-peer to tertiary Microsoft Proxy Server
dial-peer voice 202 voip
preference 2
rtp payload-type comfort-noise 13
session protocol sipv2
session target dns:sip3.pstnhub.microsoft.com
destination e164-pattern-map 200
voice-class codec 1
voice-class stun-usage 1
voice-class sip tenant 200
voice-class sip options-keepalive profile 200
dtmf-relay rtp-nte
!We must enable SRTP
srtp
fax protocol none
no vad
!
!Inbound dial-peer to match MS Proxy
dial-peer voice 290 voip
description inbound from Microsoft Phone System
rtp payload-type comfort-noise 13
session protocol sipv2
incoming uri from 290
voice-class codec 1
voice-class stun-usage 1
voice-class sip tenant 200
dtmf-relay rtp-nte
!We must enable SRTP
srtp
no vad
!
dial-peer voice 280 voip
description Phone System REFER routing
destination-pattern +AAAT
rtp payload-type comfort-noise 13
session protocol sipv2
session target sip-uri
voice-class codec 1
voice-class stun-usage 1
voice-class sip profiles 280
voice-class sip tenant 200
voice-class sip requri-passing
dtmf-relay rtp-nte
!We must enable SRTP
srtp
no vad
!
sip-ua
no remote-party-id
retry invite 2
transport tcp tls v1.2
!We must set our trustpoint  with our CA signed certificate to be used for TLS operations on SIP.
crypto signaling default trustpoint sbc
handle-replaces
!
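To see what these SIP profiles actually do on the wire, here is an added example (it is not part of the original post, nor Cisco code) that re-implements the "modify" semantics of a sip-profile in Python and runs the request-side rules of profile 299 over a constructed OPTIONS keepalive. It models only request rules on SIP headers (no sdp-header or response rules), approximates Cisco's regex dialect with Python's re (adequate for these rules), and uses the lab's addresses; the OPTIONS message itself is constructed for the example. The point worth seeing is rule 30: the \x0D\x0A in the replacement injects a line break, so the rewritten User-Agent value is serialised as two headers and Microsoft receives the X-MS-SBC header it expects, while From and Contact now carry the FQDN registered in the tenant instead of the private address.

```python
"""Simulate Cisco CUBE sip-profile 'modify' rules on a SIP request (added example)."""
import re

# Request-side rules of 'voice class sip-profiles 299' from the lab config:
# (rule number, method, header, Cisco match pattern, Cisco replacement)
PROFILE_299 = [
    (9, "ANY", "Via", r"SIP(.*) 192.168.5.100(.*)", r"SIP\1 20.1.1.1\2"),
    (10, "OPTIONS", "From", r"<sip:192.168.5.100", r"<sip:sbc1.ccie.club"),
    (20, "OPTIONS", "Contact", r"<sip:192.168.5.100", r"<sip:sbc1.ccie.club"),
    (30, "OPTIONS", "User-Agent", r"(IOS.*)",
     r"\1\x0D\x0AX-MS-SBC: Cisco UBE/CSR1000/\1"),
]

# Constructed OPTIONS keepalive as the CSR 1000v would build it before the
# profile runs: private address everywhere, no X-MS-SBC header.
CONSTRUCTED_OPTIONS = (
    "OPTIONS sip:sip.pstnhub.microsoft.com:5061 SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.168.5.100:5061;branch=z9hG4bK1A2B3C\r\n"
    "From: <sip:192.168.5.100>;tag=1234\r\n"
    "To: <sip:sip.pstnhub.microsoft.com>\r\n"
    "Contact: <sip:192.168.5.100:5061;transport=tls>\r\n"
    "User-Agent: Cisco-SIPGateway/IOS-16.12.5\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def cisco_replacement_to_python(repl):
    """Translate a Cisco replacement string into a Python re template:
    the literal '\\x0D\\x0A' becomes a real CRLF and '\\N' becomes '\\g<N>'."""
    repl = repl.replace(r"\x0D\x0A", "\r\n")
    return re.sub(r"\\(\d)", r"\\g<\1>", repl)


def parse(raw):
    """Split a SIP message into (start line, [[name, value], ...], body)."""
    start, _, rest = raw.partition("\r\n")
    head, _, body = rest.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers.append([name.strip(), value.strip()])
    return start, headers, body


def serialize(start, headers, body):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def apply_profile(raw, rules):
    """Apply request-side sip-header modify rules in rule-number order."""
    start, headers, body = parse(raw)
    method = start.split(" ", 1)[0]
    for _num, rule_method, header, pattern, repl in sorted(rules):
        if rule_method not in ("ANY", method):
            continue
        template = cisco_replacement_to_python(repl)
        for h in headers:
            if h[0].lower() == header.lower():
                h[1] = re.sub(pattern, template, h[1])
    # Re-parse the result: a CRLF injected by rule 30 turns the tail of the
    # User-Agent value into a header of its own, exactly as it hits the wire.
    return serialize(*parse(serialize(start, headers, body)))


def header_values(raw):
    """Header name -> value for a (rewritten) message."""
    _, headers, _ = parse(raw)
    return {name: value for name, value in headers}


if __name__ == "__main__":
    print(apply_profile(CONSTRUCTED_OPTIONS, PROFILE_299))
```

Run it and compare the printed OPTIONS with the original: Via, From and Contact now show the public address and FQDN, and a separate X-MS-SBC header has appeared. Feeding an INVITE through the same profile leaves From and Contact alone, because rules 10 to 30 are scoped to OPTIONS, which is exactly why the tenant also carries profile 200 for the call traffic.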

5. CUCM Configuration

Assumptions: You already have CUCM configured with phones (in my case Jabber softphone) with extensions; also DNS is configured on the CUCM and can resolve internal IP Address of the SBC.  Please see the section for DNS Entries for more details on internal DNS requirements.

5.1. Secure Cluster Mode

Microsoft requires SRTP for the media traffic, which leaves us two ways forward:

1. Use transcoders (DSP resources) on the SBC to convert unencrypted RTP from the internal IP phones/CUCM to SRTP towards Microsoft, and vice versa.
2. Enable encryption on CUCM and use SRTP end to end for the entire call.

I have chosen the second option, as I did not have any DSP resources to configure a transcoder on the SBC; therefore we must do the following.

Connect to the CUCM Publisher via the CLI and execute the following command:

utils ctl set-cluster mixed-mode

Warning: Be extremely careful, and make sure you know what you are doing if you do this in a production environment. Switching the cluster to mixed mode affects a lot of things, and many of them can go wrong, from failing calls to non-functional applications (UCCX, for example) and many other third-party applications integrated with CUCM. Consult experts, read, read and read again, make sure you have business approval, and then, just in case, don't do it anyway: go with option one, transcoders. If you do go ahead, do it at your own risk.

Note: In my lab the CUCM certificates were regenerated after this command, so it is better to do this before the certificate operations above, or you will have to re-import the CUCM certificate into the SBC.

5.2. Upload SBC’s CA Certificates to the Trust Store

As we will be using TLS between CUCM and the SBC (if you have also chosen the second option above), go to CUCM's OS Administration web page and upload both the Root and the Subordinate CA certificates of the chain that signed the SBC certificate to the CallManager-trust store. CUCM validates the SBC's certificate against this store during the TLS handshake, and it additionally checks that the X.509 Subject Name configured in the SIP trunk security profile (section 5.3) matches the certificate.

You will need to restart the Cisco CallManager and Cisco Tftp services after this operation.

5.3. SIP Trunk Security Profile

The following SIP Trunk Security Profile must be configured (System -> Security -> SIP Trunk Security Profile):

Name: Secure SIP Trunk Profile
Device Security Mode: Encrypted
Incoming Transport Type: TLS
Outgoing Transport Type: TLS
X.509 Subject Name: sbc1.ccie.club
Incoming Port: 5061

The X.509 Subject Name must match the CN (or a SAN entry) of the SBC certificate exactly, otherwise CUCM rejects the TLS connection from the SBC.

5.4. SIP Profile

I have only changed one setting on the SIP Profile:

Early Offer support for Voice and video calls: Mandatory (insert MTP if needed)

Just copy the default SIP Profile, make this change, and save it under a different name.

5.5. SIP Trunk

Below are the specific settings you need on the SIP trunk; I only list the ones I changed and that are relevant:

Setting: Value
Name: SBC1
Transmit UTF-8 for Calling Party Name: Checked
SRTP Allowed: Checked
Consider Traffic on This Trunk Secure: When using both sRTP and TLS
Destination: sbc1.ccie.club
Destination Port: 5061
SIP Trunk Security Profile: Secure SIP Trunk Profile
SIP Profile: the copy created in section 5.4
DTMF Signaling Method: OOB and RFC2833

Save, and reset.

5.6. Enable SRTP on Phones

5.6.1. Phone CTL File provisioning

We must make sure that the phones can use SRTP; therefore, they must all be issued with a CTL file.

On the phone configuration page, before we apply the security profile, we must do the following configuration:

[Screenshot (blog05): phone configuration page, Certificate Operation settings]

Set certificate operation to: Install/Upgrade
Authentication Mode: By Null String

Then reset the phones. Once the phones are back up, go back to the phone configuration: this setting must now read "No Pending Operation", which means the installation was successful.

Warning: Of course, there are many more options to release the CTL files to phones, but this is the easiest and does not require any manual intervention. Please read up on the topic, as I will not delve much into security in CUCM.

5.6.2. Phone Security Profile

The following Phone Security Profile was created for Jabber (CSF device) to enable TLS signalling and SRTP media:

Name: Secure CSF
Device Security Mode: Encrypted
Transport Type: TLS
SIP Phone Port: 5061

Now we can assign this security profile to the phones and reset them. Once they are registered again, they are capable of SRTP now.

6. Microsoft Teams Phone System Configuration

I will be configuring most of this via PowerShell, as it is more powerful and provides more configuration options. But you are welcome to configure it in the Teams admin center if you are more comfortable with that.

#Install the MicrosoftTeams PowerShell module (once)
Install-Module MicrosoftTeams

#Import the module and sign in to the tenant.
#(The older New-CsOnlineSession / Import-PSSession method used when this lab was built has since
# been retired by Microsoft; Connect-MicrosoftTeams replaces it.)
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

#Configure the new SBC
New-CsOnlinePSTNGateway -Fqdn sbc1.ccie.club -SipSignalingPort 5061 -MaxConcurrentSessions 100 -Enabled $true

#Configure a new PSTN Usage
Set-CsOnlinePstnUsage -Identity Global -Usage @{Add="Unrestricted"}

#Configure a new Voice Route
New-CsOnlineVoiceRoute -Identity "Unrestricted" -NumberPattern ".*" -OnlinePstnGatewayList sbc1.ccie.club -Priority 1 -OnlinePstnUsages "Unrestricted"

#Configure a translation rule, from the DDI numbers of the CUCM phones to their extensions on CUCM.
#This translation can be done on the SBC as well, but I wanted to demonstrate how to do it on MS Teams.
#New- creates the rule (Set- only changes an existing one). The fixed prefix must be exactly the
#DDI block (+44205000) so that the capture group starts at the extension: +442050001001 -> 1001.
New-CsTeamsTranslationRule -Identity 'ChangeDNIS' -Pattern '^\+44205000(1\d{3})' -Translation '$1'
Set-CsOnlinePSTNGateway -Identity sbc1.ccie.club -OutboundPSTNNumberTranslationRules 'ChangeDNIS'

#Create the voice routing policy that carries the usage, then assign the number and the policy to the user.
#(On current tenants Set-CsPhoneNumberAssignment -PhoneNumberType DirectRouting replaces the Set-CsUser line.)
New-CsOnlineVoiceRoutingPolicy -Identity "Unrestricted" -OnlinePstnUsages "Unrestricted"
Set-CsUser -Identity "george@ccie.club" -OnPremLineURI TEL:+442010000001 -EnterpriseVoiceEnabled $true -HostedVoiceMail $true
Grant-CsOnlineVoiceRoutingPolicy -Identity "george@ccie.club" -PolicyName "Unrestricted"
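Added example, not part of the original post: a small Python check of the number plan across both systems, worth running before touching the tenant. It converts Cisco's dial-peer wildcards into regular expressions, applies the Teams translation rule the way the gateway does (.NET-style $1 groups), and confirms that a Teams user dialling a CUCM DDI ends up with an extension that dial-peer 101 (destination-pattern 1...) will accept, and that a CUCM phone dialling the Teams DDI is matched by e164-pattern-map 200. The numbers are the lab's. Note that the translation rule's fixed prefix has to be exactly +44205000 (the DDI block) for +442050001001 to become 1001; a prefix with one digit too many never matches at all, which is the kind of silent failure this catches.

```python
"""Check the lab's Teams <-> CUCM number plan end to end (added example)."""
import re

# Numbers from the lab: Teams user DDI range, CUCM DDI block and CUCM extension range.
TEAMS_E164_PATTERN = "+44201000000T"      # voice class e164-pattern-map 200
CUCM_DEST_PATTERN = "1..."                # dial-peer 101 destination-pattern
# Teams translation rule assigned to the gateway (OutboundPstnNumberTranslationRules):
# the fixed prefix must be exactly the DDI block, leaving 1xxx to capture.
TEAMS_RULE = (r"^\+44205000(1\d{3})", "$1")


def cisco_pattern_to_regex(pattern):
    """Cisco dial-peer wildcards: '.' is one digit, 'T' any number of digits,
    '+' is literal; digits and the DTMF letters A-D pass through unchanged."""
    out = "^"
    for ch in pattern:
        if ch == "+":
            out += r"\+"
        elif ch == ".":
            out += r"\d"
        elif ch == "T":
            out += r"\d*"
        elif ch.isdigit() or ch in "ABCD":
            out += ch
        else:
            raise ValueError(f"unsupported character in pattern: {ch!r}")
    return out + "$"


def matches_dial_peer(number, pattern):
    """True when a Cisco destination-pattern / e164 entry matches the number."""
    return re.fullmatch(cisco_pattern_to_regex(pattern), number) is not None


def teams_translate(number, pattern, translation):
    """Apply a Teams translation rule; None when the pattern does not match."""
    m = re.match(pattern, number)
    if m is None:
        return None
    # Teams uses .NET '$1' group references; Python's template syntax is '\g<1>'.
    return m.expand(re.sub(r"\$(\d)", r"\\g<\1>", translation))


def route_teams_to_cucm(dialed):
    """Teams DDI -> extension that dial-peer 101 will accept, or None."""
    ext = teams_translate(dialed, *TEAMS_RULE)
    if ext is not None and matches_dial_peer(ext, CUCM_DEST_PATTERN):
        return ext
    return None


def route_cucm_to_teams(dialed):
    """True when dial-peers 200-202 (e164-pattern-map 200) will carry the call."""
    return matches_dial_peer(dialed, TEAMS_E164_PATTERN)


if __name__ == "__main__":
    print("Teams -> CUCM:", route_teams_to_cucm("+442050001001"))
    print("CUCM -> Teams:", route_cucm_to_teams("+442010000001"))
```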

7. Troubleshooting

There are a few different ways to troubleshoot this. I won’t detail each but will point you in a certain direction.

Firstly, the Microsoft Phone System side is very weak on SIP troubleshooting. It does not provide many tools, just a single, poor error message in the portal saying SIP OPTIONS not received, or no activity detected.

But do not despair! We have Cisco on the other side, and they provide a plethora of methods to troubleshoot all kinds of issues.

Before we delve into troubleshooting, let’s see how it all should look, when everything works fine.
Of course, I do not need to tell you how important it is to make an actual phone call both ways. Pick up your Microsoft Teams client and call your Jabber by dialling the full PSTN number, in our case +442050001001.

The call should be successful, with audio flowing in both directions.

Do the same the other way around: from your Cisco phone, call the Microsoft Teams DDI, +442010000001, and make sure the call is successful again.

Once the call is established, we can see that it has gone via the SBC:

[Screenshot (blog11): active call on the SBC, e.g. the output of show call active voice brief]

This shows the call is established, the IP addresses the media is being sent to, and the codec used.

Then we can see that the dial-peers are up:

[Screenshot (blog12): dial-peer status, e.g. the output of show dial-peer voice summary]

You can see that they are all active in my case, but you may be getting busyout, which means the SBC could not bring that connection up (the OPTIONS keepalive towards that target is failing). If that is the case, we can proceed to troubleshoot the issue.

#1 Network is the issue
I know it’s a cliché, but it is a cliché for a reason. There are a few Firewall ports that need to be open and Port NAT configuration, therefore making sure the Firewall is open correctly is priority number 1.

#2 DNS is an issue
Make sure all names resolve. Please see the DNS section for all the names you must be checking for internal and external DNS.

#3 Certificate issues
Which part of the connection has failed? Is it Microsoft? Or CUCM? Let’s dive into both one by one:

Microsoft side has failed.
Make sure your certificate is installed correctly:

sbc1#show crypto pki trustpoints sbc status
Trustpoint sbc:
Issuing CA certificate configured:
Subject Name:
cn=GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1,o=DigiCert Inc,c=US
Fingerprint MD5: 249F06A9 652B2112 FC4D7368 E6372FEC
Fingerprint SHA1: 2F7AA2D8 6056A877 5796F798 C481A079 E538E004
Router General Purpose certificate configured:
Subject Name:
cn=sbc1.ccie.club
Fingerprint MD5: D4525AFA A23D8DAA 1F5209D1 67D5E72E
Fingerprint SHA1: F1D2C878 458FC5B5 A3A30254 458EF554 5F1C756F
State:
Keys generated …………. Yes (General Purpose, exportable)
Issuing CA authenticated ……. Yes
Certificate request(s) ….. Yes

We can see that the certificate is present and that the issuing CA is trusted. Compare the fingerprints shown here with those of the certificate you received from the CA (and of the CA certificate itself) to make sure the right certificates are installed.

Second, let’s see if the Baltimore certificate is present:

sbc1#show crypto pki trustpoints Baltimore_Root_CA status
Trustpoint Baltimore_Root_CA:
Issuing CA certificate configured:
Subject Name:
cn=Baltimore CyberTrust Root,ou=CyberTrust,o=Baltimore,c=IE
Fingerprint MD5: ACB694A5 9C17E0D7 91529BB1 9706A6E4
Fingerprint SHA1: D4DE20D0 5E66FC53 FE1A5088 2C78DB28 52CAE474
State:
Keys generated …………. Yes (General Purpose, non-exportable)
Issuing CA authenticated ……. Yes
Certificate request(s) ….. None

Again, compare the fingerprint to make sure it is the right certificate.

If both certificates are correct, the certificates themselves are probably not the problem. Let's check whether the TCP/TLS session to Microsoft is established.

sbc1#show tcp brief

TCB           Local Address         Foreign Address       (state)
7FC0BFBF5F10  192.168.5.100.47101   52.114.132.46.5061    ESTAB
7FC12BB24508  192.168.5.100.5061    52.114.132.46.2177    ESTAB
7FC12BAE3128  192.168.5.100.5061    52.114.75.24.8321     ESTAB
7FC0BFF22D78  192.168.5.100.5061    52.114.7.24.2497      ESTAB
7FC0BFEFEEC8  192.168.5.100.5061    52.114.132.46.7490    ESTAB
7FC0BFB3EB78  192.168.5.100.5061    52.114.132.46.7489    ESTAB
7FC0BFBCFAB8  192.168.5.100.5061    52.114.7.24.2496      ESTAB
7FC0BFBF75C0  192.168.5.100.5061    52.114.7.24.5065      ESTAB
7FC0BFB3F780  192.168.5.100.47909   52.114.75.24.5061     ESTAB
7FC0BFD2AE78  192.168.5.100.43517   52.114.75.24.5061     ESTAB
7FC12BC04730  192.168.5.100.5061    52.114.75.24.9344     ESTAB
7FC12B70C148  192.168.5.100.5061    52.114.75.24.8320     ESTAB
7FC0BFF24F78  192.168.5.100.5061    52.114.7.24.5066      ESTAB

In the above output we can see TCP sessions to Microsoft in both directions: the rows with local port 5061 were opened by Microsoft's proxies towards the SBC, and the rows with foreign port 5061 were opened by the SBC. Bear in mind that show tcp brief only proves the TCP layer; a completed TLS handshake and a working SIP dialogue are confirmed by the OPTIONS exchange that debug ccsip messages shows.
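As an added example (not from the original post), the script below parses this kind of show tcp brief output and checks it against the ip address trusted list from section 4.2. It makes two things explicit. First, ip address trusted list is CUBE's toll-fraud control: it rejects calls (INVITEs) from unlisted sources after the TCP/TLS session already exists, so any peer that reached port 5061 without being on the list is a firewall gap, not something the SBC would have stopped. Second, the direction of a session tells you who initiated it (local port 5061 means the peer connected to the SBC). The output is constructed from the lab's addresses, with an extra session from 203.0.113.77 (a documentation range) that should never have got through, and one half-open session.

```python
"""Audit a CSR 1000v 'show tcp brief' against the SBC's trusted-peer list (added example)."""
import ipaddress
import re

# 'ip address trusted list' from section 4.2: Microsoft SIP proxies plus CUCM.
TRUSTED_PEERS = [ipaddress.ip_network(a) for a in (
    "52.114.148.0/32", "52.114.132.46/32", "52.114.75.24/32", "52.114.76.76/32",
    "52.114.7.24/32", "52.114.14.70/32", "52.114.16.74/32", "52.114.20.29/32",
    "192.168.65.10/32",
)]
SIP_TLS_PORT = 5061

# Constructed output modelled on the troubleshooting section above, plus one
# session from 203.0.113.77 (documentation range) that the firewall should
# never have let through, and one half-open session.
CONSTRUCTED_SHOW_TCP_BRIEF = """\
TCB   Local Address   Foreign Address   (state)
7FC0BFBF5F10  192.168.5.100.47101  52.114.132.46.5061 ESTAB
7FC12BB24508  192.168.5.100.5061 52.114.132.46.2177  ESTAB
7FC12BAE3128 192.168.5.100.5061  52.114.75.24.8321  ESTAB
7FC0BFB3F780 192.168.5.100.47909 52.114.75.24.5061 ESTAB
7FC0BFD2AE78 192.168.5.100.5061 203.0.113.77.40021 ESTAB
7FC0BFD2AE79 192.168.5.100.5061 52.114.7.24.2497 SYNRCVD
"""

# IOS prints each socket as <ip>.<port>; the IP is always four dotted octets,
# so the last dotted field is the port.
LINE_RE = re.compile(
    r"^(?P<tcb>[0-9A-F]+)\s+(?P<lip>\d+(?:\.\d+){3})\.(?P<lport>\d+)\s+"
    r"(?P<fip>\d+(?:\.\d+){3})\.(?P<fport>\d+)\s+(?P<state>\S+)$"
)


def parse_tcp_brief(text):
    """Return one dict per TCP session line; the header line is skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions.append({
                "local_ip": m["lip"], "local_port": int(m["lport"]),
                "remote_ip": m["fip"], "remote_port": int(m["fport"]),
                "state": m["state"],
            })
    return sessions


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PEERS)


def audit(sessions):
    """Classify established SIP/TLS sessions by direction and by trust."""
    report = {"inbound_trusted": set(), "inbound_untrusted": [],
              "outbound_established": set()}
    for s in sessions:
        if s["state"] != "ESTAB":
            continue
        if s["local_port"] == SIP_TLS_PORT:      # the peer connected to the SBC
            if is_trusted(s["remote_ip"]):
                report["inbound_trusted"].add(s["remote_ip"])
            else:
                report["inbound_untrusted"].append(s["remote_ip"])
        elif s["remote_port"] == SIP_TLS_PORT:   # the SBC connected out (OPTIONS/INVITE)
            report["outbound_established"].add(s["remote_ip"])
    return report


def healthy(report):
    """True when the SBC reaches at least one proxy and only trusted peers reach it."""
    return bool(report["outbound_established"]) and not report["inbound_untrusted"]


if __name__ == "__main__":
    rep = audit(parse_tcp_brief(CONSTRUCTED_SHOW_TCP_BRIEF))
    print(rep)
    print("healthy:", healthy(rep))
```

On a real box, paste the output of show tcp brief into CONSTRUCTED_SHOW_TCP_BRIEF (or read it from a file) and keep TRUSTED_PEERS in step with the running config; an untrusted inbound entry means the firewall rules from section 2.2 are not doing what the table says.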

In this case, the issue must be in the SIP protocol. I would try the following debugs:

  • debug ccsip messages
  • debug ccsip all (careful it does provide lots of output and can be overwhelming if you do not know what you’re looking for, but on the other hand it can point you to the error).

CUCM Side has failed
I will not repeat all the outputs, as most of this is very similar to the Microsoft troubleshooting above, but a few things are different:

  1. Check that you have uploaded the SBC's CA certificates to the CallManager-trust store. See the appropriate section above for more details.
  2. Check the CUCM trustpoint on the SBC the same way we checked the Microsoft and SBC trustpoints (show crypto pki trustpoints cucm status).
  3. If all of the above is good, start working through the SIP traces (debug ccsip messages on the SBC).
  4. You can also download Cisco CallManager traces from CUCM with RTMT, which provide a lot of useful information. I won't cover how to use RTMT here; if you have got this far, you should know how to do it.

Good luck,

8. References

The following documents have been consulted to create the lab:

Cisco:
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/interoperability-portal/direct-routing-with-cube.pdf

Microsoft:
https://docs.microsoft.com/en-us/microsoftteams/direct-routing-landing-page

Of course, these documents do not cover 100% of everything we have configured. Most of it is simply experience acquired during many years of work, and I’m honestly too lazy to search for all the documents that I should be referencing here. I hope nobody will be disappointed!

Some of the things had to be changed. For example, if I used Cisco documentation as is, without modifying anything, the calls did not work. Never take any documentation as gospel, but rather think, try and lab it up.

Good luck and let me know in the comments what you think or if you’ve run into any issues and need any further clarifications.

29 Comments

  • kkvi1357

    Dear

    We are going to use the same approach as your implementation in our POC for one of our customers.

    The SBC will be connected directly to the Internet.

    So that means there is no need for NAT.

    Is there any extra configuration?

    • Hi, no, there is no extra configuration! In fact there is a little less configuration, so it should be easier! All the parts where I’m changing the internal IP address to the public one in the SIP transformation profiles will need to be removed. Let me know if you run into issues.

  • Hayam

    Hi Dear,
    Thanks for your effort, but I have one concern: is this lab available in PDF form, so it is easy to download and practise?

  • Makashik

    Hi,
    Thanks for your great and simple effort.
    What about video conferencing, if I need video endpoints registered on CUCM v10 to join a Microsoft Teams video conference through CMS and Expressway?
    Thanks

    • Microsoft Teams meetings have no SIP URI to call into, so it would not work like a normal B2B call. There is of course Microsoft CVI integration, but it’s only for Webex devices, and they must be registered to the Webex cloud or linked to the cloud with Webex Edge for Devices.
      So the quick answer is NO, CUCM endpoints cannot join Microsoft Teams video conference meetings.

  • Kirk

    I do not even know
    how I ended up right here, however I assumed this post was good.
    I don’t recognise who you
    are however definitely you are
    going to a famous blogger if you happen to are not already.

    Cheers!

    my blog post :: Paul Simonson

  • Dariusz

    This is exactly the tutorial I’ve been searching for!
    Great job and thank you for sharing

  • Elvira

    You are in reality an excellent webmaster. The web site loading speed is amazing.
    It sort of feels that you are doing some unique trick. Also, the contents are a masterwork.
    You have done a magnificent job on this topic!

    My web-site … Keisha

  • Marcia

    Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your weblog?
    My blog is in the exact same area of interest as yours and my visitors would definitely benefit from a lot
    of the information you present here. Please let me know if this is okay with you.

    Cheers!

    Here is my web-site: Brady

  • Lisa

    Good article! We will be linking to this particularly great article on our site.
    Keep up the great writing.

    Here is my web blog … Silke

  • Andy

    Dear,

    If I choose option 1 (we can use transcoders to transcode unencrypted RTP from internal IP phones/CUCM to Secure RTP towards Microsoft and vice versa), do I need to create the secure SIP profile and SIP Trunk Security Profile? Or do I just create the unsecured profiles in CUCM? Thanks.

  • Andy

    Dear,

    About voice class sip-profiles 290 and 280, I am confused about these two sip-profiles. In which kinds of scenarios are these sip-profiles triggered? When MS Teams transfers the call to a Call Manager DID number or to another MS number? Could you please share a scenario about it? Thanks so much for your time. Thanks.

    Best Regards,
    Andy

    • Hi,

      When Microsoft Teams transfers the call internally (for example from one user to another user, or from an AA/Queue to a member), it puts a weird destination in the Referred-By field, which is not a number. So we need to manage it in a different way. We first add AAA to identify what it is, then send it back to Teams, removing AAA before we send it back to them.

      If you want to see an example of the fields, see this blog:
      https://ipcorp.co.uk/cisco-sbc-csr-1000v-cannot-handle-refer-message-from-microsoft-teams/

      Regards,

      • Andy

        Hi,

        Thanks for sharing your example. Actually, no matter whether MS Teams transfers from one user to another user or from an AA to a user, we always receive the following REFER message from the SBC. That is not a common SIP URI like xxx@*.com. So even though we add AAA as a prefix, that only identifies this as a transfer call, but the call cannot be transferred normally, right? As in the comments on this blog https://ipcorp.co.uk/cisco-sbc-csr-1000v-cannot-handle-refer-message-from-microsoft-teams/, does removing the content of the Contact header in the initial INVITE message resolve the transfer issue?

        REFER-TO:
        REFERRED-BY:

        Regards,
        Andy

        • The issue described was identified only on the Cisco CSR 1000v; it may already be fixed, I didn’t have a TAC case open to report it.
          Removing the content of the Contact header would not help with anything here.

          • Andy

            Thanks for your information. Not sure whether other platforms will trigger this issue or not. If not, maybe there is no need to add AAA as a prefix; REFER-TO and REFERRED-BY would be in the normal SIP URI format, so it will be routed by the dial-peers normally.

  • David

    Hello

    Thank you so much for this information.
    Could you please send it to me by email?