
Direct Routing for Microsoft Phone System Lab

First Published: 2021-03-03


Last Modified: 2021-03-03

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2021 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 About
  Limitations/Disclaimer
  Requirements
  About This Solution
  Objectives
  Microsoft Teams Direct Routing: Solution Overview
  Microsoft Teams Direct Routing: Establishing Secure Connectivity b/w Cube and Teams with Mutual TLS
  Microsoft Teams Direct Routing: SIP Signaling, FQDNs, and IP Ranges
  Topology
  Equipment Details
  Session Users

CHAPTER 2 Getting Started
  Before You Present
  Get Started

CHAPTER 3 Scenarios
  Prerequisites for Direct Routing
  Creating A Records for the Domain
  Create MSFT Trial Tenant
  Direct Routing Onboarding Process
  Configuring Cube and Enabling Direct Routing
  Cube Certificate Configurations
  Cube Global Configurations
  Domain Name
  Configure Call Admission Control (CAC)
  Install CA Cert for Microsoft
  Create PKI trustpoint for the CA
  Specify the Default trustpoint and TLS Version with SIP-UA Defaults
  Configure Voice Service VoIP
  Message Handling Rules
  Dial Peers
  Connecting to Your O365 Tenant Using Powershell
  Microsoft Phone System Direct Routing Configuration
  Testing PSTN Calls
  Local SBC Testing
  Connect to Microsoft Teams Client
  Call from MSFT Teams App to PSTN
  Call from PSTN to MSFT App
  Clean up / Delete Your Session Domain from MSFT Tenant

CHAPTER 4 What's Next?
  What's Next?

CHAPTER 1
About
• Limitations/Disclaimer
• Requirements
• About This Solution
• Objectives
• Microsoft Teams Direct Routing: Solution Overview
• Microsoft Teams Direct Routing: Establishing Secure Connectivity b/w Cube and Teams with Mutual TLS
• Microsoft Teams Direct Routing: SIP Signaling, FQDNs, and IP Ranges
• Topology
• Equipment Details
• Session Users

Limitations/Disclaimer
These scenarios are intended to demonstrate the Cisco Cube (Direct Routing) solution within the specified
requirements of this lab. There are various ways this can be accomplished, depending on the situation and the
customer's goals/requirements. Please ensure you consult all current official Cisco documentation and Microsoft
documentation before proceeding with a design or installation. This lab is primarily intended to be a learning
tool and, in order to convey specific information, may not follow best practice recommendations at all times.
This lab is limited to ten sessions in RTP only. All the Microsoft commands were accurate at the time of writing
this lab; for any changes to Microsoft Call Control, please consult the Microsoft documentation.

Requirements
Required | Optional
Cisco AnyConnect® Client | None
Laptop |
Microsoft Tenant |

About This Solution


Customers using Microsoft Phone System have the option of connecting to the public telephony network
using a certified session border controller (SBC), such as the Cisco Unified Border Element (CUBE).

Objectives
This lab provides hands-on training in deploying direct routing for PSTN connectivity using CUBE. It also
provides detailed explanation, verification procedures, and best practices.
Note that this lab is limited to ten sessions in RTP only. Any issues with Microsoft Call control should be
directed to Microsoft. The main purpose of this lab is to show CUBE config for direct routing.

Microsoft Teams Direct Routing: Solution Overview


• Media Bypass Disabled/Off (without Media ByPass)
• Media traverses the Microsoft Cloud Media Processor
• Media always flows through Cube

Microsoft Teams Direct Routing: Establishing Secure Connectivity b/w Cube and Teams with Mutual TLS
Direct Routing uses SIP OPTIONS messages sent by the session border controllers to monitor SBC health.
There are no actions required from the tenant administrator to enable the SIP OPTIONS monitoring. The collected
information is taken into consideration when routing decisions are made.
Direct Routing evaluates three regular OPTIONS intervals (the regular interval is one minute). If OPTIONS
were sent during the last three minutes, the SBC is considered healthy.

Microsoft Teams Direct Routing: SIP Signaling, FQDNs, and IP Ranges
• Microsoft advertises the following SIP Proxy FQDNs:
  • sip.pstnhub.microsoft.com – Global FQDN – must be tried first
  • sip2.pstnhub.microsoft.com – Secondary FQDN
  • sip3.pstnhub.microsoft.com – Tertiary FQDN

• The above FQDNs resolve to one of the following IP addresses:
  • 52.114.148.0
  • 52.114.132.46
  • 52.114.75.24
  • 52.114.76.76
  • 52.114.7.24
  • 52.114.14.70
  • 52.114.16.74
  • 52.114.20.29

• Ports for the above IP addresses need to be opened to allow incoming and outgoing traffic to and from
  these addresses for signaling.
• If the firewall supports DNS names, FQDN sip-all.pstnhub.microsoft.com resolves to all the above
  IPs.

Topology
This lab includes several server virtual machines. Most of the servers are fully configurable using the
administrative-level account. Administrative account details are included in the lab guide steps where relevant
and in the server details table.

Equipment Details
Name | Description | Host Name (FQDN) | IP Address | Username | Password
Cube | CSR1000V | Cube | 198.18.133.226, 198.18.1.226 | admin | dCloud123!
AD1 | Active Directory, DNS, AD FS | ad1.dcloud.cisco.com | 198.18.133.1 | administrator | dCloud123!
Workstation 1 | Windows 10 | wkst1.dcloud.cisco.com | 198.18.1.36 | cholland | dCloud123!

Session Users
These are preconfigured users available for your session.

User Name | User ID | Password | Endpoint Devices | Internal Extension | Deployment Model
Charles Holland | cholland | dCloud123! | Microsoft Teams | 6018 | Hybrid

CHAPTER 2
Getting Started
• Before You Present
• Get Started

Before You Present


Cisco dCloud strongly recommends that you perform the tasks in this document before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Get Started
Follow the steps to schedule a session of the content and configure your presentation environment.

Procedure

Step 1 Initiate your dCloud session. (Skip if you are in a proctored environment.)
Note It may take up to 45 minutes for your session to become active.

Step 2 Click View to open the active session. (Skip if you are in a proctored environment.)
Step 3 If you are connecting directly to the session from a stand-alone laptop or other device, install and access Cisco
AnyConnect on your laptop, using the AnyConnect credentials in the Cisco dCloud UI.
• Recommended Method: Use Cisco AnyConnect and local laptop RDP client.
• Windows Users: It is recommended to use some version of Remote Desktop Manager to save the
connections to each virtual machine. An example of a manager is the Microsoft Remote Desktop, which
can be found at
https://www.microsoft.com/en-us/p/microsoft-remote-desktop/9wzdncrfj3ps?rtc=1#activetab=pivot:overviewtab.

• Mac Users: It is recommended to use the Microsoft Remote Desktop (MRD) or CoRD
applications to connect to the virtual machines. MRD can be downloaded for free from the Mac App
Store. CoRD can be downloaded free at http://cord.sourceforge.net/. Each application gives you the
capability to save the connections for each virtual machine.
Caution DO NOT use the Microsoft remote desktop client that comes with your Mac. It will have
security issues connecting to the AD1 and Mail1 virtual machines.

CHAPTER 3
Scenarios
• Prerequisites for Direct Routing
• Creating A Records for the Domain
• Create MSFT Trial Tenant
• Direct Routing Onboarding Process
• Configuring Cube and Enabling Direct Routing
• Connecting to Your O365 Tenant Using Powershell
• Microsoft Phone System Direct Routing Configuration
• Testing PSTN Calls
• Clean up / Delete Your Session Domain from MSFT Tenant

Prerequisites for Direct Routing


The following are required before adding CUBE as a Direct Routing Session Border Controller:
• Public, Internet-routable IP address.
• Cisco Webex client to use the GDE Bot.
• Fully Qualified Domain Name (FQDN) for CUBE from the same domain that is used by Phone System.
• Public certificate for the CUBE FQDN issued by one of the Certificate Authorities supported by Microsoft.
• The certificate must include the CUBE FQDN as the common name (CN) in the subject field or a wildcard in SAN.
• The lab requires a Microsoft Tenant, which you will create by following the instructions for the GDE Bot in
Webex. The account created will be a trial account from Microsoft and shouldn’t be used for production.

Note For best results, use either the Chrome or Firefox web browsers.

• To demonstrate Direct Routing, users have to install a Microsoft Teams client.

Follow these instructions to obtain the information needed to run this lab.

Procedure

Step 1 In order to run this lab, you need some information from the Details tab on your dCloud dashboard session
page. Obtain the information from Session Details.
Important Each session has a unique domain that will be used when creating Microsoft Direct Routing. The
image below is only an example. Do not use the information in the image below for your session.
It is highly recommended to take note of the below information now so that you can refer to it
throughout the lab.

Step 2 You also need the public IP information for the CUBE. The IP address we will use to create the
DNS record in this lab is located as highlighted in the image below.

Important Ensure you do not use the info under DNS Address.

Step 3 Under Phone Numbers, take note of the DID number that is assigned to extension 6018, as we will be using
that number when dialing into Microsoft Teams.

Creating A Records for the Domain

Caution Follow the lab guide and do not start any VMs until asked in the later steps.

Using your Personal Webex App client we need to create A and TXT records that will be used in this lab.
The TXT record will be created at a later stage once we assign our domain to Microsoft Tenant.
We will now create A records with the easy-to-use Global Demo Collab Bot.

Note Microsoft requires that the Cube have a public, Internet-routable IP address.

Procedure

Step 1 Open your personal Cisco Webex App. At the top, click the + icon and choose Send a direct message. Search
for and select Global Demo Collab Bot. Type and send the message help.

Step 2 You will be prompted with an option page. Under Labs, click Cube.

Step 3 In Domains, select your domain that was assigned to you when the session started. Select A for Type Record
field. For Name or TXT Record, type Cube. Under Public IP, enter the public IP address that was assigned
to the Cube in your session. Click Submit.
Note For instructions on how to find your Domain and Public IP info, see the Get Started section.
For Domain, we use format gdedemoX.com. Remember to replace X with your assigned domain.
Also, remember to use the correct DNS Address as explained in the Get Started section above.

Step 4 You will receive a message stating that the A / TXT record has been modified.

Create MSFT Trial Tenant


We will now prepare our Microsoft Office 365 trial tenant with the easy-to-use Global Demo Collab Bot.

Procedure

Step 1 Open your Bot space again in your personal Webex App. If not already, type "help" and press Enter.
Note If not already done, you can search for "Global Demo Collab Bot" to interact with it.

Step 2 Under Microsoft, click Acct. Creation. Follow the Bot prompts to choose your country code, input your
ten-digit cell phone number, and click Submit. (No worries, the Bot doesn't keep your cell phone number.)
You will receive a text with a six-digit code.
Step 3 Enter the six-digit code for the Microsoft product and click Submit. You will receive a username and password
for a generated Microsoft tenant (user).

Step 4 Take note of your tenant username and password. We will be using this info when proceeding with the lab to
log in to the Microsoft account and enable Direct Routing.
Note Your username might differ from examples in this guide. Ensure you use your username in your
lab.

Step 5 When signing in to your Microsoft account, if you get the Help us to protect your account warning, click
Skip for now.

Step 6 If prompted to Stay Signed in?, click No.

Step 7 On the left column, click Admin. If you get the Help us to protect your account warning, click Skip for
now again.
Step 8 Navigate to Users > Active Users. Select Charles Holland. Make sure under Licenses and Apps, you see
E5 licenses.
Important If you get errors or you are not assigned a license using the Bot, you can manually create your
Microsoft trial account. Follow the manual instructions at Create Microsoft Trial Tenant.

Direct Routing Onboarding Process

Caution Please follow the lab guide and DO NOT start any VMs until asked to do so in later steps.

Procedure

Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36). Log in as dcloud\cholland with password dCloud123! Ignore/accept
any security warnings.
Step 2 Using Firefox, open the browser and sign into the Office365 account (https://admin.microsoft.com) with
the credentials created in the above step.
Note We used the Demo Bot in the above steps to create Microsoft Tenant trial account.

Step 3 Once signed in, click Show All. Click Settings > Domains.
Step 4 On the Domains page, click + Add domain on the top left.
Step 5 On the new page, enter the domain that was assigned to you (for example, gdedemoX.com; remember to
replace the X with your assigned Domain). Click Use this domain at the bottom of the page.

Step 6 Click More Options. Select the radio button for Add a TXT record to the domain’s DNS records and click
Continue.
Step 7 MSFT wants us to verify our domain. DO NOT CLICK VERIFY on this page. You will be presented a
TXT record information. Take a note of the info as we will be using the GDE Bot again to create this TXT
record in our DNS server.
Note The image is for reference ONLY. Please use the info from your session.

Step 8 On your personal Webex App, open the GDE BOT space again that you created earlier. Type "help" and
press Enter.
Step 9 Under Labs, click Cube again.
Step 10 In Domains, select the Domain you are using and assigning to Microsoft Tenant (for example, gdedemoX.com).
Select TXT for Type Record field. For Name or TXT Record, type "@".
Step 11 Under Public IP, enter the TXT value that was shown by the MSFT tenant. Click Submit. A message is
displayed when the record is created or modified.
Note When creating the TXT record, make sure you use only the domain from the drop-down that is assigned
to you.
Remember to replace X with your assigned domain.

Step 12 Go back to your browser page. As the DNS record takes some time to be propagated everywhere, please give
it a few minutes before clicking Verify.
Step 13 Once verified, you will have the option from Microsoft requesting How do you want to connect to your
domain? Click More options.
Step 14 Click the radio button for Add your own DNS records. Click Continue.
Step 15 On the ADD DNS record page, uncheck the option for Exchange and Exchange Online Protection. Click
Advanced Option. Select Skype for Business. Click Continue.

Step 16 You will see the message Domain setup is complete. Click Done.
Step 17 At this stage, you can see your domain under Settings > Domains.
Step 18 We can now create a new user that can be used in this lab when testing Direct Routing. On the Microsoft
admin portal, click Users on the left. Select Active Users. Click Add User.
Step 19 Create a demo user as shown in the image below with name Omer Ilyas and password dCloud123! Under
Domain, be sure to select the recently acquired domain (gdedemoX.com; remember to replace X with your
assigned domain). Uncheck the boxes for Require this user to change their password when they first sign
in and also for Send password in email upon completion.
Step 20 Click Next.

Step 21 Assign the Office 365 E5 license. Click Next.

Step 22 Click Next. On the Optional Settings page, click Finish adding.
Step 23 Once created, you will receive a user creation message that Omer Ilyas added to active users. Click Close.
Note Remember to delete the domain from your Microsoft Tenant account after finishing the lab.

Configuring Cube and Enabling Direct Routing


Procedure

Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36). Log in as dcloud\cholland with password dCloud123! Ignore/accept
any security warnings.

Step 2 On the WKST1 desktop, you have a folder named Certs. If you open that folder at this stage, it will
have no certs in it. We will follow the steps below, which place the Cube and public certs
in this folder.
Note Please refer to the Microsoft documentation when creating certs for direct routing at Public trusted
certificate for the SBC.

Step 3 Go back to your dCloud Session page and click the Servers tab.
Step 4 On the pop-up window that appears, click syslog on the list.
Caution DO NOT power on the Cube at this stage.

Step 5 Click On to power on the syslog. The syslog will take a couple of minutes to power on. The server will run
a few scripts for the lab and will shut down automatically.

Step 6 If not already open, open the Certs folder on your WKST1 desktop. You can see the certs that will be
used to configure Cube.
Note It might take a few minutes for the certs to show up in the folder.

Cube Certificate Configurations


In the lab, we have already obtained a signed certificate. You will need to apply the certificate to the Cube
using the next steps for Direct Routing calls to succeed. The lab session’s Cube is currently powered off and
you will need to power it on first using the session’s power controls.

Procedure

Step 1 Go back to your dCloud session page and click the Servers tab.
Step 2 On the pop-up window, click Cube in the list.
Caution Make sure the syslog server is shut down and you DO NOT power on the syslog server.

Step 3 Click On to power on the Cube. The Cube will take a couple minutes to power on. If you would like, you can
use a command prompt and start a continuous ping (ping 198.18.133.226 -t) to monitor the
connectivity status.

Step 4 Once the Cube is accessible, open the PuTTY program using the icon on the taskbar.
Step 5 Double-click LocalGateway under Saved Sessions. If you receive any security alerts, click Yes.
Step 6 Log in with username/password admin/dCloud123!
Step 7 At the command prompt, enter the command:
config t

Step 8 Enter the following command (you can copy and paste from this guide) and press Enter:
crypto key import rsa CUBE_PEM exportable pem encryption terminal dCloud123!

Step 9 After entering the command, it will prompt you to paste in the public key. Open the Certs folder.
Step 10 Select pubkey1.pem and open in Notepad++. Copy the PUBLIC KEY from the document. When copying
the keys/certs, always copy the entire entry including the BEGIN and END statements along with all the
dashes (-).
Step 11 After pasting the key on the PuTTY session for Cube, press Enter until you get the prompt to paste the private
key.

Step 12 Open the privkey1-rsa.pem in Notepad++. Copy the full Private Key and paste it into the PuTTY
window.
Step 13 After pasting in the private key, press Enter to move to an empty line and then type quit. Press Enter. You
should see the prompt %Key pair import succeeded.

Step 14 Copy and paste the next command from the Certs folder into the PuTTY window:
crypto pki import CUBE_CA_CERT pem terminal password dCloud123!

Step 15 After entering the previous command, open the chain.pem from the Certs folder in Notepad++ and copy the
certificate and paste it into the PuTTY window.
Step 16 After pasting in the chain.pem certificate, press Enter until you are prompted again for the private key.

Step 17 Once prompted for the private key, copy the private key from privkey1-rsa.pem and paste it into the PuTTY
window.
Step 18 After pasting the key, press Enter to move to an empty line. Type “quit” and press Enter.

Step 19 Now open the cert.pem file in Notepad++. Copy the Cube signed certificate and paste it into the PuTTY
window. Then press Enter until you get back to the router prompt. You should see the message %PEM files
import succeeded.

Step 20 Enter the following commands, which allow you to test the certificate that is applied to the Cube.
ip http secure-server
ip http secure-trustpoint CUBE_CA_CERT
ip http authentication enable
ip http authentication local
end

Step 21 You can now test a secure connection by using your own browser and navigating to the Cube’s address at
https://cube.gdedemoX.com. You should not receive an insecure certificate warning now.
Note Remember to replace X with your assigned domain. The certs used in this lab are for testing
environment only.

Step 22 Save your current config by entering the command:


copy run start

Cube Global Configurations


Domain Name
Use the same Domain name for the router as used for the Microsoft 365 tenant.
Conf t
ip domain name gdedemoX.com

Note Remember to replace X with your assigned domain.

Configure Call Admission Control (CAC)


Call processing capacity for any Cube instance will be influenced by several considerations, including software
version, features configured, and the platform itself. To ensure calls continue to be processed reliably, configure
Call Admission Control as follows to reject calls when use of system resources exceeds 80%.
call threshold global cpu-avg low 75 high 85
call threshold global total-mem low 75 high 85
call treatment on
end

To list the total number of concurrent calls later in this lab, you can use the following command:
show call active total-calls

Install CA Cert for Microsoft


Create the CA certificate trustpoint used to validate Microsoft Phone System TLS messages.
conf t
crypto pki trustpoint baltimore
enrollment terminal
revocation-check crl
end

Download the CA certificate from this URL. Open the base 64 CER/PEM file with Notepad++, copy the
text, and paste it into the terminal when prompted.

conf t
crypto pki authenticate baltimore

Once you paste the certificate, press Enter. You will be prompted Do you accept this certificate? Type
"yes" and press Enter. A message confirms that the certificate was successfully imported.

Create PKI trustpoint for the CA


conf t
crypto pki trustpoint DST_Root_X3
enrollment terminal pem
revocation-check none
!
crypto pki trustpoint Lets_Encrypt_Authority_X3_signed_by_DST_Root_X3
enrollment terminal pem
chain-validation continue DST_Root_X3
revocation-check none
!
crypto pki trustpoint CUBE_CA_CERT
enrollment pkcs12
revocation-check crl
rsakeypair CUBE_CA_CERT
!
end

Specify the Default trustpoint and TLS Version with SIP-UA Defaults
Cube direct routing accepts TLS version 1.2 connections with a signed CA certificate. You must configure
SIP-UA to only accept TLS version 1.2, and configure your Cube to send certificates with a TLS connection.
conf t
sip-ua
no remote-party-id
retry invite 2
transport tcp tls v1.2
crypto signaling default trustpoint CUBE_CA_CERT
handle-replaces
!
end

Configure Voice Service VoIP


To secure the Cube, you must enable the IP Address trusted list feature under Voice Service
VoIP mode and list the Microsoft IP address ranges from which calls are accepted.
conf t
voice service voip
ip address trusted list
ipv4 52.114.0.0 255.255.0.0
ipv4 198.18.133.0 255.255.255.0
ipv4 52.112.0.0 255.252.0.0
ipv4 52.120.0.0 255.252.0.0
rtcp keepalive
address-hiding
mode border-element
allow-connections sip to sip
no supplementary-service sip refer
supplementary-service media-renegotiate
sip
session refresh
header-passing
error-passthru
conn-reuse
sip-profiles inbound
!
end
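
The trusted list above can be checked offline against the signaling addresses this guide lists. The following is an added example (not part of the lab guide or of any Cisco tool) that parses the ipv4 <address> <mask> lines and reports signaling addresses no entry covers, entries already contained in another entry, and the total number of source addresses the list trusts. The function names and the 203.0.113.10 test address are assumptions made for illustration.

```python
import ipaddress

# Trusted-list entries exactly as configured under "voice service voip" in this guide.
TRUSTED_LIST_CFG = """
ip address trusted list
 ipv4 52.114.0.0 255.255.0.0
 ipv4 198.18.133.0 255.255.255.0
 ipv4 52.112.0.0 255.252.0.0
 ipv4 52.120.0.0 255.252.0.0
"""

# Signaling addresses from the "SIP Signaling, FQDNs, and IP Ranges" section.
SIGNALING_IPS = [
    "52.114.148.0", "52.114.132.46", "52.114.75.24", "52.114.76.76",
    "52.114.7.24", "52.114.14.70", "52.114.16.74", "52.114.20.29",
]


def parse_trusted_list(cfg):
    """Turn 'ipv4 <address> [<mask>]' lines into ip_network objects."""
    nets = []
    for line in cfg.splitlines():
        parts = line.split()
        if not parts or parts[0] != "ipv4":
            continue
        if len(parts) == 3:
            # strict=True raises ValueError when host bits are set,
            # which catches a mistyped address/mask pair before it is pasted.
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True))
        elif len(parts) == 2:
            # No mask given: a single trusted host.
            nets.append(ipaddress.ip_network(f"{parts[1]}/32"))
        else:
            raise ValueError(f"unexpected trusted-list line: {line!r}")
    return nets


def is_trusted(nets, address):
    """True if at least one trusted-list entry contains the address."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in nets)


def uncovered(nets, addresses):
    """Addresses the trusted list would not accept calls from."""
    return [a for a in addresses if not is_trusted(nets, a)]


def redundant(nets):
    """Entries fully contained in another entry; removing them changes nothing."""
    return [n for n in nets if any(n != o and n.subnet_of(o) for o in nets)]


def trusted_address_count(nets):
    """Number of distinct source addresses accepted, after merging overlaps."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    nets = parse_trusted_list(TRUSTED_LIST_CFG)
    print("uncovered signaling IPs:", uncovered(nets, SIGNALING_IPS))
    print("redundant entries:", [str(n) for n in redundant(nets)])
    print("trusted source addresses:", trusted_address_count(nets))
    # 203.0.113.10 is a documentation-range address used as a constructed outsider.
    print("203.0.113.10 trusted:", is_trusted(nets, "203.0.113.10"))
```
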

Message Handling Rules


SIP Profiles Manipulations for Outbound Messages to PSTN Trunk
Message manipulations are required to remove ICE candidate headers when Media Bypass is disabled in
Phone System. Also, we will use SDP inactive instead of sendonly. This is a specific requirement for the
PSTN trunk in this case.
Conf t
voice class sip-profiles 100
rule 10 request ANY sdp-header Audio-Attribute modify "a=candidate.*" "a=label:main-audio"
rule 20 response ANY sdp-header Audio-Attribute modify "a=candidate.*" "a=label:main-audio"
rule 30 request ANY sdp-header Audio-Attribute modify "a=sendonly" "a=inactive"
!
end

SIP Profiles Manipulations for Outbound Messages to Phone System


The following SIP profiles are required to do the following:
• Replace Cube IP address with Fully qualified domain names (FQDN) in both the From and Contact
headers of INVITE and OPTIONS messages.
• Set the audio SDP attribute to inactive instead of sendonly for calls on hold.
• Set user=phone in all requests.
• Add the X-MS-SBC header containing SBC version details in all request and response.
• Set crypto life-time as 2^31 in all SDP sent from Cube.
conf t
!
voice class sip-profiles 200
rule 10 request ANY sip-header Contact modify "@198.18.1.226:" "@cube.gdedemoX.com:"
rule 20 response ANY sip-header Contact modify "@198.18.1.226:" "@cube.gdedemoX.com:"
rule 30 request ANY sip-header SIP-Req-URI modify "sip:(.*):5061 (.*)" "sip:\1:5061;user=phone \2"
rule 40 request ANY sip-header User-Agent modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/CSR1000/\1"
rule 50 response ANY sip-header Server modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/CSR1000/\1"
rule 60 request ANY sdp-header Audio-Attribute modify "a=sendonly" "a=inactive"
rule 70 response 200 sdp-header Audio-Connection-Info modify "0.0.0.0" "X.X.X.X"
rule 71 response ANY sdp-header Connection-Info modify "IN IP4 198.18.1.226" "IN IP4 X.X.X.X"
rule 72 response ANY sdp-header Audio-Connection-Info modify "IN IP4 198.18.1.226" "IN IP4 X.X.X.X"
rule 73 request ANY sdp-header Connection-Info modify "IN IP4 198.18.1.226" "IN IP4 X.X.X.X"
rule 74 request ANY sdp-header Audio-Connection-Info modify "IN IP4 198.18.1.226" "IN IP4 X.X.X.X"
rule 80 request ANY sdp-header Audio-Attribute modify "(a=crypto:.*inline:[A-Za-z0-9+/=]+)" "\1|2^31"
rule 90 response ANY sdp-header Audio-Attribute modify "(a=crypto:.*inline:[A-Za-z0-9+/=]+)" "\1|2^31"
rule 100 request ANY sdp-header Audio-Attribute modify "a=candidate.*" "a=label:main-audio"
rule 110 response ANY sdp-header Audio-Attribute modify "a=candidate.*" "a=label:main-audio"
!
end

Note Replace X.X.X.X with your session provided public IP address that is assigned to the Cube.
Rules 10, 20: Change the domain as per your session info (for example, cube.gdedemoX.com).
Rules 70, 71, 72, 73, 74: Change the public IP address to your session assigned public IP.
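
To see what profile 200 does to a message before it is applied on the Cube, the added example below (not from the lab guide, and not the IOS rule engine) runs the request rules that do not depend on the session public IP through Python regular expressions against a constructed INVITE, then audits the result against the requirements listed above. The sample INVITE, its phone numbers, IOS version string and key material are constructed, and the model of which lines each rule touches is a simplifying assumption.

```python
import re

# Request rules copied from "voice class sip-profiles 200" in this guide
# (placeholder FQDN cube.gdedemoX.com kept as written).
PROFILE_200 = r'''
rule 10 request ANY sip-header Contact modify "@198.18.1.226:" "@cube.gdedemoX.com:"
rule 30 request ANY sip-header SIP-Req-URI modify "sip:(.*):5061 (.*)" "sip:\1:5061;user=phone \2"
rule 40 request ANY sip-header User-Agent modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/CSR1000/\1"
rule 60 request ANY sdp-header Audio-Attribute modify "a=sendonly" "a=inactive"
rule 80 request ANY sdp-header Audio-Attribute modify "(a=crypto:.*inline:[A-Za-z0-9+/=]+)" "\1|2^31"
rule 100 request ANY sdp-header Audio-Attribute modify "a=candidate.*" "a=label:main-audio"
'''

# Constructed INVITE, as it might look before the outbound profile runs.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+14085550100@sip.pstnhub.microsoft.com:5061 SIP/2.0",
    "From: <sip:+14085550111@198.18.1.226>;tag=1",
    "To: <sip:+14085550100@sip.pstnhub.microsoft.com>",
    "Contact: <sip:+14085550111@198.18.1.226:5061;transport=tls>",
    "User-Agent: Cisco-SIPGateway/IOS-17.3.2",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 198.18.1.226",
    "m=audio 8000 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ConstructedSampleKey0123456789",
    "a=candidate:1 1 UDP 2130706431 198.18.1.226 8000 typ host",
    "a=sendonly",
])

RULE_RE = re.compile(r'rule (\d+) (request|response) (\S+) (sip-header|sdp-header) '
                     r'(\S+) modify "(.*)" "(.*)"$')
SDP_PREFIX = {"Audio-Attribute": "a=", "Connection-Info": "c=", "Audio-Connection-Info": "c="}


def parse_rules(text):
    """Parse 'rule N ... modify "pattern" "replacement"' lines into tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        num, direction, method, kind, field, pat, repl = m.groups()
        rules.append((int(num), direction, method, kind, field, re.compile(pat), repl))
    return rules


def expand(template, match):
    """Expand \\N back-references and \\xHH escapes used in the replacement strings."""
    def sub(m):
        if m.group(1) is not None:
            return match.group(int(m.group(1)))
        return chr(int(m.group(2), 16))
    return re.sub(r'\\(\d)|\\x([0-9A-Fa-f]{2})', sub, template)


def targets(lines, kind, field):
    """Indexes of the lines a rule may rewrite (simplified model, an assumption)."""
    body = lines.index("") if "" in lines else len(lines)
    if kind == "sip-header":
        if field == "SIP-Req-URI":
            return [0]
        return [i for i in range(1, body) if lines[i].lower().startswith(field.lower() + ":")]
    return [i for i in range(body + 1, len(lines)) if lines[i].startswith(SDP_PREFIX[field])]


def apply_profile(rules, message, direction="request"):
    """Apply matching rules in rule-number order; first match per line is rewritten."""
    lines = message.split("\r\n")
    method = lines[0].split()[0]
    for _, rdir, rmethod, kind, field, pat, repl in sorted(rules, key=lambda r: r[0]):
        if rdir != direction or rmethod not in ("ANY", method):
            continue
        for i in targets(lines, kind, field):
            lines[i] = pat.sub(lambda m: expand(repl, m), lines[i], count=1)
    return "\r\n".join(lines)


def audit(message, fqdn="cube.gdedemoX.com"):
    """List the requirements from the bullets above that the request still misses."""
    head, _, sdp = message.partition("\r\n\r\n")
    hdrs = head.split("\r\n")
    contact = next((h for h in hdrs if h.lower().startswith("contact:")), "")
    checks = [
        (f"@{fqdn}:" in contact, "Contact does not carry the CUBE FQDN"),
        (";user=phone" in hdrs[0], "Request-URI lacks user=phone"),
        (any(h.startswith("X-MS-SBC:") for h in hdrs), "X-MS-SBC header missing"),
        ("a=sendonly" not in sdp, "SDP still uses a=sendonly"),
        ("a=candidate" not in sdp, "ICE candidate left in SDP"),
        ("a=crypto:" not in sdp or "|2^31" in sdp, "crypto lifetime not set"),
    ]
    return [msg for ok, msg in checks if not ok]


if __name__ == "__main__":
    rewritten = apply_profile(parse_rules(PROFILE_200), SAMPLE_INVITE)
    print("before:", audit(SAMPLE_INVITE))
    print("after: ", audit(rewritten))
    print(rewritten.replace("\r\n", "\n"))
```
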

SIP Profiles Manipulations for Inbound Messages from Phone System


The following SIP profiles are required to:
• Handle REFER and ensure that the subsequent INVITE is sent to the correct Phone System proxy.
• Add a routing prefix to the user part of REFER To header to direct the subsequent INVITE to Microsoft
Phone System.
• Remove ice-candidates in SDP request and response, which are not required when Media Bypass is
disabled.
• Ensure that the correct platform ID is used. More info can be found here.
conf t
!
voice class sip-profiles 290
rule 10 request REFER sip-header From copy "@(.*com)" u04
rule 20 request REFER sip-header Refer-To modify "sip:\+(.*)@.*:5061" "sip:+AAA\1@\u04:5061"
rule 30 request REFER sip-header Refer-To modify "<sip:sip.*:5061" "<sip:+AAA@\u04:5061"
rule 40 response ANY sip-header Server modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/CSR1000/\1"
rule 50 request ANY sdp-header Audio-Attribute modify "a=ice-.*" "a=label:main-audio"
rule 60 request ANY sdp-header Attribute modify "a=ice-.*" "a=label:main-audio"
!
end

SIP Profiles Manipulations for REFER INVITE to Phone System


With the above REFER-TO user part modification, the dial-peer 280 will be matched and the INVITE sent
to Phone System after removing the user part routing prefix.
conf t
!

Direct Routing for Microsoft Phone System Lab


28
Scenarios
SIP Header Pass-through List

voice class sip-profiles 280


rule 10 request INVITE sip-header SIP-Req-URI copy "@(.*:5061)" u01
rule 20 request INVITE sip-header From copy "@(.*)>" u02
rule 30 request INVITE sip-header SIP-Req-URI modify "sip:\+AAA@" "sip:"
rule 40 request INVITE sip-header SIP-Req-URI modify "sip:\+AAA" "sip:+"
rule 50 request INVITE sip-header History-Info modify "<sip:\+AAA@" "<sip:"
rule 60 request INVITE sip-header History-Info modify "<sip:\+AAA" "<sip:+"
rule 70 request INVITE sip-header To modify "<sip:\+AAA@(.*)>" "<sip:\u01>"
rule 80 request INVITE sip-header To modify "<sip:\+AAA(.*)@.*>" "<sip:+\1@\u01>"
rule 90 request ANY sip-header Contact modify "@.*:" "@\u02:"
rule 100 response ANY sip-header Contact modify "@.*:" "@\u02:"
rule 110 request ANY sdp-header Audio-Attribute modify "a=sendonly" "a=inactive"
rule 120 response 200 sdp-header Session-Owner copy "IN IP4 (.*)" u03
rule 130 response 200 sdp-header Audio-Connection-Info modify "0.0.0.0" "\u03"
rule 140 request ANY sip-header Allow-Header modify " REFER," ""
rule 141 response ANY sip-header Allow-Header modify " REFER," ""
!
end
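
The REFER round trip through profiles 290 and 280, as an added example that is not part of the Cisco lab guide. Python's re module approximates the IOS regular expressions, the sample headers are constructed, and building the follow-up INVITE's Request-URI and To from the rewritten Refer-To is an assumption.

```python
import re

# Constructed sample headers (not captured traffic).
FROM = "<sip:+14085550100@sip.pstnhub.microsoft.com>;tag=1a2b3c"
REFER_TO_NUMBER = "<sip:+14085550199@cube.gdedemoX.com:5061>"
REFER_TO_PROXY = "<sip:sip.pstnhub.microsoft.com:5061;x-t=constructed>"

def profile_290(from_hdr, refer_to):
    """Rules 10-30 of sip-profiles 290: tag Refer-To with the +AAA routing prefix."""
    m = re.search(r"@(.*com)", from_hdr)              # rule 10: copy From host into u04
    u04 = m.group(1) if m else ""
    # rule 20: Refer-To carrying a +number user part
    refer_to = re.sub(r"sip:\+(.*)@.*:5061",
                      lambda x: f"sip:+AAA{x.group(1)}@{u04}:5061", refer_to, count=1)
    # rule 30: Refer-To with no user part (sip:sip...:5061)
    return re.sub(r"<sip:sip.*:5061",
                  lambda x: f"<sip:+AAA@{u04}:5061", refer_to, count=1)

def profile_280(req_uri, to_hdr):
    """Rules 10, 30, 40, 70, 80 of sip-profiles 280: strip the prefix again."""
    m = re.search(r"@(.*:5061)", req_uri)             # rule 10: copy host:port into u01
    u01 = m.group(1) if m else ""
    req_uri = re.sub(r"sip:\+AAA@", "sip:", req_uri, count=1)    # rule 30
    req_uri = re.sub(r"sip:\+AAA", "sip:+", req_uri, count=1)    # rule 40
    to_hdr = re.sub(r"<sip:\+AAA@(.*)>",                         # rule 70
                    lambda x: f"<sip:{u01}>", to_hdr, count=1)
    to_hdr = re.sub(r"<sip:\+AAA(.*)@.*>",                       # rule 80
                    lambda x: f"<sip:+{x.group(1)}@{u01}>", to_hdr, count=1)
    return req_uri, to_hdr

def transfer(from_hdr, refer_to):
    """Follow one REFER through both profiles.

    Returns (tagged Refer-To, outbound Request-URI, outbound To).
    Assumption: the INVITE's Request-URI and To start out as the tagged
    Refer-To URI, whose +AAA user part is what selects dial-peer 280.
    """
    tagged = profile_290(from_hdr, refer_to)
    return (tagged,) + profile_280(tagged.strip("<>"), tagged)

if __name__ == "__main__":
    for sample in (REFER_TO_NUMBER, REFER_TO_PROXY):
        for label, value in zip(("Refer-To", "Req-URI", "To"), transfer(FROM, sample)):
            print(f"{label:9} {value}")
        print()
```
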

SIP Header Pass-through List


Pass through the Referred-By header so that it can be used in the REFER INVITE sent to Phone System.
conf t
!
voice class sip-hdr-passthrulist 290
passthru-hdr Referred-By
!
voice service voip
sip
pass-thru headers 290
!
end

Option Keepalives and SRTP Crypto


We will replace the Cube IP address with the fully qualified domain name (FQDN) in both the From and Contact
headers of OPTIONS messages. It is essential that the FQDN in the Contact header matches the domain name
configured for the Phone System tenant.
conf t
!
voice class sip-profiles 299
rule 9 request ANY sip-header Via modify "SIP(.*) 198.18.1.226(.*)" "SIP\1 X.X.X.X\2"
rule 11 request OPTIONS sip-header From modify "<sip:198.18.1.226" "<sip:cube.gdedemoX.com"
rule 21 request OPTIONS sip-header Contact modify "<sip:198.18.1.226" "<sip:cube.gdedemoX.com"
rule 30 request OPTIONS sip-header User-Agent modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/CSR1000/\1"
rule 40 response ANY sdp-header Connection-Info modify "IN IP4 198.18.1.226" "IN IP4 X.X.X.X"
rule 50 response ANY sdp-header Audio-Connection-Info modify "IN IP4 198.18.1.226" "IN IP4 X.X.X.X"
rule 140 request ANY sip-header Allow-Header modify " REFER," ""
rule 141 response ANY sip-header Allow-Header modify " REFER," ""
!
voice class sip-options-keepalive 200
sip-profiles 299
!
voice class srtp-crypto 1
crypto 1 AES_CM_128_HMAC_SHA1_80
!
End


Note Replace X.X.X.X with the session-provided public IP address that is assigned to Cube.
In rules 9, 40, and 50, change the IP to your session public IP.
In rules 11 and 21, change the domain as per your session info (for example, cube.gdedemoX.com).

Phone System Tenant


We will define parameters for the trunk towards the phone system.
Conf t
!
voice class tenant 200
srtp-crypto 1
localhost dns:cube.gdedemoX.com
session transport tcp tls
no referto-passing
bind control source-interface GigabitEthernet1
bind media source-interface GigabitEthernet1
pass-thru headers 290
no pass-thru content custom-sdp
sip-profiles 200
sip-profiles 290 inbound
early-offer forced
block 183 sdp present
!
end

Note Change the domain as per your session info (for example, cube.gdedemoX.com).

PSTN Trunk Tenant


We will define parameters for the trunk towards the PSTN.
Conf t
!
voice class tenant 100
options-ping 60
session transport udp
bind control source-interface GigabitEthernet2
bind media source-interface GigabitEthernet2
no pass-thru content custom-sdp
sip-profiles 100
early-offer forced
!
End

Number Translation Rules


The following translation rules ensure numbers presented to Microsoft Phone System are in +E164 format.
Translation rules used for the PSTN trunk should format numbers in accordance with the SP requirements.
Conf t
!
voice translation-rule 200
rule 1 /^\+1\(.*\)/ /\1/
!
voice translation-profile 200
translate calling 200
translate called 200
!
voice translation-rule 100
rule 1 /^\([2-9].........\)/ /+1\1/
!
voice translation-profile 100
translate calling 100
translate called 100
!
end

Codecs
Only the G711ulaw codec has been used for this tested configuration. Ensure that only codecs supported by
both PSTN and Microsoft Phone System are included in this configuration.
Conf t
!
voice class codec 1
codec preference 1 g711ulaw
!
end

Dial Peers
Outbound Dial Peers to Phone Systems Using TLS with SRTP
To ensure the correct failover order, the following prioritized dial peers are used. To simplify configuration,
a common E164 pattern map defining all numbers and prefixes used by Phone System is used for all three
dial peers. The configuration for all three dial peers is the same, with the exception of the preference and the
Phone System proxy FQDN.
Conf t
!
voice class e164-pattern-map 200
e164 6018
!
dial-peer voice 200 voip
description towards Phone System Proxy 1
preference 1
rtp payload-type comfort-noise 13
session protocol sipv2
session target dns:sip.pstnhub.microsoft.com
destination e164-pattern-map 200
voice-class codec 1
voice-class sip tenant 200
voice-class sip options-keepalive profile 200
dtmf-relay rtp-nte
srtp
fax protocol none
no vad
!
dial-peer voice 201 voip
description towards Phone System Proxy 2
preference 2
rtp payload-type comfort-noise 13
session protocol sipv2
session target dns:sip2.pstnhub.microsoft.com
destination e164-pattern-map 200
voice-class codec 1
voice-class sip tenant 200
voice-class sip options-keepalive profile 200
dtmf-relay rtp-nte
srtp
fax protocol none
no vad
!
dial-peer voice 202 voip
description towards Phone System Proxy 3
preference 3
rtp payload-type comfort-noise 13
session protocol sipv2
session target dns:sip3.pstnhub.microsoft.com
destination e164-pattern-map 200
voice-class codec 1
voice-class sip tenant 200
voice-class sip options-keepalive profile 200
dtmf-relay rtp-nte
srtp
fax protocol none
no vad
!
end

Inbound Dial Peers from Phone Systems Using TLS with SRTP
The inbound dial-peer from Phone System is selected using the SBC FQDN as presented in the incoming TO:
header.
Conf t
!
voice class uri 290 sip
host cube.gdedemoX.com
!
dial-peer voice 290 voip
description inbound from Microsoft Phone System
rtp payload-type comfort-noise 13
session protocol sipv2
incoming uri to 290
voice-class codec 1
voice-class sip tenant 200
dtmf-relay rtp-nte
srtp
no vad
!
end

Note Change the domain as per your session info (for example cube.gdedemoX.com).

Outbound Dial Peers to Phone Systems for REFER Using TLS with SRTP
To correctly handle call transfers, INVITEs following a REFER from Phone System must be directed back
to Phone System. Inbound REFER messages are processed by dial peer 290, and the associated SIP profile
adds a routing prefix (AAA) to the Refer-To header. The subsequent INVITE is therefore routed to Phone
System through the following dial peer after the routing prefix is removed.
Conf t
!
dial-peer voice 280 voip
description Phone System REFER routing
destination-pattern +AAAT
rtp payload-type comfort-noise 13
session protocol sipv2
session target sip-uri
voice-class codec 1
voice-class sip profiles 280
voice-class sip tenant 200
voice-class sip requri-passing
dtmf-relay rtp-nte
srtp
no vad
!
!
end

Outbound Dial Peers to PSTN Using UDP with RTP


Conf t
!
voice class uri 190 sip
host ipv4:198.18.133.3
!
dial-peer voice 100 voip
description outbound to PSTN
destination-pattern +1[2-9]..[2-9]......$
rtp payload-type comfort-noise 13
session protocol sipv2
session target ipv4:198.18.133.3
voice-class codec 1
voice-class sip tenant 100
dtmf-relay rtp-nte
no vad
!
dial-peer voice 190 voip
description inbound from PSTN
translation-profile incoming 100
rtp payload-type comfort-noise 13
session protocol sipv2
incoming uri via 190
voice-class codec 1
voice-class sip tenant 100
dtmf-relay rtp-nte
no vad
!
end
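
A check of the TLS/SRTP split that the dial peer sections above describe, added here as an example and not part of the lab guide. It assumes signaling transport is set only at tenant level and srtp only at dial-peer level, as in this lab; the embedded config is a constructed excerpt and dial peer 999 is an invented misconfiguration.

```python
import re

# Constructed excerpt in the shape of the lab config ("!"-separated blocks).
# Dial peer 999 is a deliberate misconfiguration invented for this example.
CONFIG = """\
voice class tenant 200
srtp-crypto 1
session transport tcp tls
!
voice class tenant 100
session transport udp
!
dial-peer voice 200 voip
session target dns:sip.pstnhub.microsoft.com
voice-class sip tenant 200
srtp
!
dial-peer voice 100 voip
session target ipv4:198.18.133.3
voice-class sip tenant 100
!
dial-peer voice 999 voip
session target dns:sip2.pstnhub.microsoft.com
voice-class sip tenant 100
!
"""

def blocks(config, header_re):
    """Return {id: [sub-commands]} for '!'-delimited blocks whose first line matches."""
    out = {}
    for chunk in re.split(r"(?m)^![ \t]*$", config):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        m = re.fullmatch(header_re, lines[0]) if lines else None
        if m:
            out[m.group(1)] = lines[1:]
    return out

def audit(config):
    """Return {dial-peer: {'target', 'tls', 'srtp'}} for every VoIP dial peer."""
    tenants = blocks(config, r"voice class tenant (\d+)")
    report = {}
    for dp, cmds in blocks(config, r"dial-peer voice (\d+) voip").items():
        tenant = next((c.split()[-1] for c in cmds
                       if c.startswith("voice-class sip tenant ")), None)
        target = next((c.split()[-1] for c in cmds
                       if c.startswith("session target ")), "")
        report[dp] = {"target": target,
                      "tls": "session transport tcp tls" in tenants.get(tenant, []),
                      "srtp": "srtp" in cmds}
    return report

def microsoft_findings(config):
    """Dial peers that target *.pstnhub.microsoft.com without both TLS and SRTP."""
    return sorted(dp for dp, r in audit(config).items()
                  if r["target"].endswith(".pstnhub.microsoft.com")
                  and not (r["tls"] and r["srtp"]))
```

Dial peer 100 reports neither TLS nor SRTP, which matches the lab design: the PSTN leg uses UDP with RTP, so only the Phone System leg is encrypted.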

Connecting to Your O365 Tenant Using Powershell


Procedure

Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36) and log in as dcloud\cholland with password dCloud123! Ignore/accept any
security warnings.
Step 2 Open Windows PowerShell as an administrator.
Step 3 Run the following commands to connect to your Office Tenant you have created earlier. When prompted for
password, use dCloud123!

$userCredential = Get-Credential -UserName 'cholland@XXXXX.onmicrosoft.com' -Message "Enter Password"

Note Replace XXXXX with the admin account credentials you created earlier when using
GDE Bot.

Step 4 Once connected, run each line individually:


$sfbsession = New-CsOnlineSession -Credential $userCredential
Import-Module "C:\Program Files\Common Files\Skype for Business Online\Modules\SkypeOnlineConnector\SkypeOnlineConnector.psd1"
Import-PSSession $sfbsession

Step 5 We will now run the following commands in PowerShell to create an Online PSTN Gateway:
New-CsOnlinePSTNGateway -Fqdn cube.gdedemoX.com -SipSignalingPort 5061 -MaxConcurrentSessions 100 -Enabled $true
Get-CsOnlinePSTNGateway cube.gdedemoX.com

Note Change the domain as per your session info (for example, cube.gdedemoX.com).


Step 6 We will enable Enterprise Voice for our demo user that we created earlier and assign them 6018 as the phone
number:
Set-CsUser -Identity "omer@gdedemoX.com" -EnterpriseVoiceEnabled $true -HostedVoiceMail $true -OnPremLineURI tel:6018

Note Change the user email to the address you have created earlier.

Microsoft Phone System Direct Routing Configuration


Procedure

Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36) and log in as dcloud\cholland with password dCloud123! Ignore/accept any
security warnings.
Step 2 Open the browser. If not already signed in, sign into the Office365 account with the credentials created earlier.
Step 3 Once signed in, click Show All. Select Teams from the left column.
Note If you get a pop up stating, Help us protect your account, click Skip for now.

Step 4 Click Voice routing policies. Select Global(Org-wide default). Click Add PSTN usage. In the flyout
window, click ADD.
Step 5 Create a new PSTN Usage Record and call it PSTNUR. Click the checkbox below it and click Apply. Click
Save.
Step 6 Under Voice, select Direct Routing. You will notice our SBC already added. While on the Direct Routing
tab, click Voice routes. Select Add and fill in the following info:
• Add voice Route: US Dialling


• Priority: 2
• Dialed number pattern: \+1.*
• SBC enrolled: Click Add SBCs. Select cube.gdedemoX.com and click Apply.
• PSTN usage records: Click Add PSTN usage. Select PSTNUR and click Apply.
• Click Save.

Step 7 Under Voice in the left column, select Calling Policies. Click ADD.
Step 8 Click the toggle to enable Busy on Busy is available when in a call. Assign the policy a name, for example,
Busy on Busy Enabled. Click Save.
Step 9 To configure a Caller ID policy, navigate to Voice > Caller ID Policies > Add.
Step 10 Enter the caller ID policy Name, for example, Anonymous Policy, and select Replace the Caller ID with
Anonymous. Click Save to complete the configuration.
Step 11 Select Users from the left column. You can see the user we created earlier.

Step 12 Click on the new user name Omer Ilyas. Select Policies. Click Edit next to Assigned policies. In the flyout
window, under Calling policy, select Busy on Busy enabled. While still in the flyout window, under Caller
ID policy, select Anonymous Policy. Once done, click APPLY.


Step 13 To check your SBC status, navigate to Voice > Direct Routing. You will see your gateway configured with
the status of Active.

Note If you get the warning under TLS connectivity status stating The certificate that is being
used is expiring in 30 days, ignore it.

Testing PSTN Calls


Local SBC Testing
Now that you have an SBC that is fully configured and registered with MSFT, you can test calls in both directions.

Important As this lab is deployed in RTP, you can dial US national numbers only.


Connect to Microsoft Teams Client


Procedure

Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36) and log in as dcloud\cholland with password dCloud123! Ignore/accept any
security warnings.
Step 2 Open the browser. Download the Microsoft Teams client on WKST1. You can also download the Microsoft
Teams client on your personal device.
Step 3 Once downloaded, log in as the demo user you created earlier (for example, omer@gdedemoX.com with the
password of dCloud123!).
Note Replace X with your assigned domain.

Step 4 On the left, click the Call icon. You will see the dial pad that will allow you to make US national calls only.


Call from MSFT Teams App to PSTN


As this lab is deployed only in the RTP datacenter, you should be able to call any US national number.


Call from PSTN to MSFT App


Now you can test calls from/to the PSTN. The DID numbers to dial from the PSTN are located in your dCloud
Session Details tab.

Procedure

Step 1 Select the DID number that is assigned to extension 6018, as shown below.

Step 2 Answer the call on your MSFT Teams app.


Step 3 The call flow in dCloud is as follows:
a) Incoming DID comes into dCloud from PSTN.
b) Platform gateways translate that DID into a four-digit extension (6018).
c) Call is routed through the SBC into MSFT and to the extension of the user.

Clean up / Delete Your Session Domain from MSFT Tenant


Once done with the lab, before shutting the session down, please delete the domain from Microsoft Tenant.
Because of the limitations, we need to make sure your session-assigned domain is deleted from your MSFT
tenant. It will allow other users to run the lab.

Procedure

Step 1 Using Firefox, open the browser and sign into your Office365 account (https://admin.microsoft.com) with
the credentials created.
Step 2 Once signed in, click Show All. Click Settings > Domains.
Step 3 Click your user's name (e.g. Omer) and press the Delete key.
Step 4 Select your session-assigned domain (e.g. gdedemoX.com) and press the Delete key or click Remove.


Note You can end your session only after you remove your session-assigned domain.

CHAPTER 4
What's Next?

What’s Next?
• Check out the new and updated Collaboration dCloud demos and labs: https://dcloud-cms.cisco.com/architectures/collaboration
• Check out the full dCloud library: https://dcloud.cisco.com/datacentres
• See more demos on Demo Zone: https://www.cisco.com/c/en/us/products/demos.html
