Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2021 Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1 About
Limitations/Disclaimer
Requirements
About This Solution
Objectives
Microsoft Teams Direct Routing: Solution Overview
Microsoft Teams Direct Routing: Establishing Secure Connectivity between CUBE and Teams with Mutual TLS
Microsoft Teams Direct Routing: SIP Signaling, FQDNs, and IP Ranges
Topology
Equipment Details
Session Users
CHAPTER 3 Scenarios
What's Next?
Limitations/Disclaimer
To meet the specified requirements of this lab, these scenarios demonstrate the Cisco CUBE (Direct
Routing) solution. There are various ways this can be accomplished, depending on the situation and the
customer's goals and requirements. Consult all current official Cisco documentation and Microsoft
documentation before proceeding with a design or installation. This lab is primarily intended as a learning
tool and, in order to convey specific information, may not follow best-practice recommendations at all
times.
This lab is limited to ten sessions in RTP (the Research Triangle Park dCloud data center) only. All the
Microsoft commands were correct at the time of writing; if Microsoft Call Control changes, consult Microsoft
documentation.
Requirements
Required Optional
Laptop
Microsoft Tenant
Objectives
This lab provides hands-on training in deploying direct routing for PSTN connectivity using CUBE. It also
provides detailed explanation, verification procedures, and best practices.
Note that this lab is limited to ten sessions in RTP only. Any issues with Microsoft Call control should be
directed to Microsoft. The main purpose of this lab is to show CUBE config for direct routing.
• 52.114.76.76
• 52.114.7.24
• 52.114.14.70
• 52.114.16.74
• 52.114.20.29
• The firewall must allow SIP signaling to and from these addresses in both directions. This lab uses SIP
over TLS on TCP port 5061, the port registered for the gateway with New-CsOnlinePSTNGateway later in
the lab.
• If the firewall supports DNS names, the FQDN sip-all.pstnhub.microsoft.com resolves to all of the above
IPs. The address list is Microsoft's and can change; verify it against current Microsoft documentation rather
than hard-coding it.
Topology
This lab includes several server virtual machines. Most of the servers are fully configurable using the
administrative-level account. Administrative account details are included in the lab guide steps where relevant
and in the server details table.
Equipment Details
Name Description Host Name (FQDN) IP Address Username Password
Session Users
These are preconfigured users available for your session.
Internal Deployment
User Name User ID Password Endpoint Devices
Extension Model
Get Started
Follow the steps to schedule a session of the content and configure your presentation environment.
Procedure
Step 1 Initiate your dCloud session. [Show Me How] (Skip if you are in a proctored environment.)
Note It may take up to 45 minutes for your session to become active.
Step 2 Click View to open the active session. (Skip if you are in a proctored environment.)
Step 3 If you are connecting directly to the session from a stand-alone laptop or other device, install and access Cisco
AnyConnect on your laptop, using the AnyConnect credentials in the Cisco dCloud UI. [Show Me How]
• Recommended Method: Use Cisco AnyConnect [Show Me How] and local laptop RDP client.
• Windows Users: It is recommended to use some version of Remote Desktop Manager to save the
connections to each virtual machine. An example of a manager is the Microsoft Remote Desktop, which
can be found at
https://www.microsoft.com/en-us/p/microsoft-remote-desktop/9wzdncrfj3ps?rtc=1#activetab=pivot:overviewtab.
• Mac Users: It is recommended to use the Microsoft Remote Desktop (MRD) or CoRD applications to
connect to the virtual machines. MRD can be downloaded for free from the Mac App Store. CoRD can be
downloaded free at http://cord.sourceforge.net/. Each application gives you the capability to save the
connections for each virtual machine.
Caution DO NOT use the Microsoft remote desktop client that comes with your Mac. It will have
security issues connecting to the AD1 and Mail1 virtual machines.
Note For best results, use either the Chrome or Firefox web browsers.
Procedure
Step 1 In order to run this lab, you need some information from the Details tab on your dCloud dashboard session
page. Obtain the information from Session Details.
Important Each session has a unique domain that will be used when creating Microsoft Direct Routing. The
image below is only an example. Do not use the information in the image below for your session.
It is highly recommended to take note of this information now so that you can refer to it
throughout the lab.
Step 2 You also need the public IP information for the CUBE. The IP address we will use to create the
DNS record in this lab is highlighted in the image below.
Step 3 Under Phone Numbers, take note of the DID number that is assigned to extension 6018, as we will be using
that number when dialing into Microsoft Teams.
Caution Follow the lab guide and do not start any VMs until asked in the later steps.
Using your personal Webex App client, we need to create the A and TXT records that will be used in this lab.
The TXT record will be created at a later stage, once we assign our domain to the Microsoft tenant.
We will now create the A record with the easy-to-use Global Demo Collab Bot.
Note Microsoft requires the SBC (CUBE) to have a public, Internet-routable IP address; the A record maps
the CUBE FQDN to that address.
Procedure
Step 1 Open your personal Cisco Webex App. At the top, click the + icon and choose Send a direct message. Search
for and select Global Demo Collab Bot. Type and send the message help.
Step 2 You will be prompted with an option page. Under Labs, click Cube.
Step 3 In Domains, select your domain that was assigned to you when the session started. Select A for Type Record
field. For Name or TXT Record, type Cube. Under Public IP, enter the public IP address that was assigned
to the Cube in your session. Click Submit.
Note For instructions on how to find your Domain and Public IP info, see the Get Started section.
For Domain, we use format gdedemoX.com. Remember to replace X with your assigned domain.
Also, remember to use the correct DNS Address as explained in the Get Started section above.
Step 4 You will receive a message stating that the A / TXT record has been modified.
Procedure
Step 1 Open your Bot space again in your personal Webex App. If not already, type "help" and press Enter.
Note If not already done, you can search for "Global Demo Collab Bot" to interact with it.
Step 2 Under Microsoft, click Acct. Creation. Follow the Bot prompts to choose your country code, input your
ten-digit cell phone number, and click Submit. (No worries, the Bot doesn't keep your cell phone number.)
You will receive a text with a six-digit code.
Step 3 Enter the six-digit code for the Microsoft product and click Submit. You will receive a username and password
for a generated Microsoft tenant (user).
Step 4 Take note of your tenant username and password. We will be using this info when proceeding with the lab to
log in into Microsoft account and enabling Direct Routing.
Note Your username might differ from examples in this guide. Ensure you use your username in your
lab.
Step 5 When signing in to your Microsoft account, if you get the Help us to protect your account warning, click
Skip for now.
Step 7 On the left column, click Admin. If you get the Help us to protect your account warning, click Skip for
now again.
Step 8 Navigate to Users > Active Users. Select Charles Holland. Make sure under Licenses and Apps, you see
E5 licenses.
Important If you get errors or you are not assigned a license using the Bot, you can manually create your
Microsoft trial account. Follow the manual instructions at Create Microsoft Trial Tenant.
Caution Please follow the lab guide and DO NOT start any VMs until asked to do so in later steps.
Procedure
Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36). Log in as dcloud\cholland with password dCloud123! Ignore/accept
any security warnings.
Step 2 Using Firefox, open the browser and sign into the Office365 account (https://admin.microsoft.com) with
the credentials created in the above step.
Note We used the Demo Bot in the above steps to create Microsoft Tenant trial account.
Step 3 Once signed in, click Show All. Click Settings > Domains.
Step 4 On the Domains page , click + Add domain on the top left.
Step 5 On the new page, enter the domain that was assigned to you (for example, gdedemoX.com; remember to
replace the X with your assigned domain). Click Use this domain at the bottom of the page.
Step 6 Click More Options. Select the radio button for Add a TXT record to the domain’s DNS records and click
Continue.
Step 7 Microsoft needs to verify ownership of the domain. DO NOT CLICK VERIFY on this page. You will be
presented with TXT record information. Take note of it, as we will use the GDE Bot again to create this TXT
record on our DNS server.
Note The image is for reference ONLY. Please use the info from your session.
Step 8 On your personal Webex App, open the GDE BOT space again that you created earlier. Type "help" and
press Enter.
Step 9 Under Labs, click Cube again.
Step 10 In Domains, select the Domain you are using and assigning to Microsoft Tenant (for example, gdedemoX.com).
Select TXT for Type Record field. For Name or TXT Record, type "@".
Step 11 In the Public IP field, enter the TXT value shown by the Microsoft tenant (the bot reuses this field
for the TXT record value). Click Submit. A message is displayed when the record is created or modified.
Note Please make sure when creating TXT record you use the domain from the drop-down that is assigned
to you only.
Remember to replace X with your assigned domain.
Step 12 Go back to your browser page. As the DNS record takes some time to be propagated everywhere, please give
it a few minutes before clicking Verify.
Step 13 Once verified, you will have the option from Microsoft requesting How do you want to connect to your
domain? Click More options.
Step 14 Click the radio button for Add your own DNS records. Click Continue.
Step 15 On the ADD DNS record page, uncheck the option for Exchange and Exchange Online Protection. Click
Advanced Option. Select Skype for Business. Click Continue.
Step 16 You will see the message Domain setup is complete. Click Done.
Step 17 At this stage, you can see your domain under Settings > Domains.
Step 18 We can now create a new user that can be used in this lab when testing Direct Routing. On the Microsoft
admin portal, click Users on the left. Select Active Users. Click Add User.
Step 19 Create a demo user as shown in the image below with name Omer Ilyas and password dCloud123! Under
Domain, be sure to select the recently acquired domain (gdedemoX.com; remember to replace X with your
assigned domain). Uncheck the boxes for Require this user to change their password when they first sign
in and also for Send password in email upon completion.
Step 20 Click Next.
Step 22 Click Next. On the Optional Settings page, click Finish adding.
Step 23 Once created, you will receive a user creation message that Omer Ilyas added to active users. Click Close.
Note Remember to delete the domain from your Microsoft Tenant account after finishing the lab.
Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36). Log in as dcloud\cholland with password dCloud123! Ignore/accept
any security warnings.
Step 2 On the WKST1 desktop, you have a folder named Certs. If you open that folder at this stage, it will
have no certs in it. We will follow the steps below that will allow us to have the CUBE and public certs uploaded
to this folder.
Note Please refer to the Microsoft documentation when creating certs for direct routing at Public trusted
certificate for the SBC.
Step 3 Go back to your dCloud Session page and click the Servers tab.
Step 4 On the pop-up window that appears, click syslog on the list.
Caution DO NOT power on the Cube at this stage.
Step 5 Click On to power on the syslog. The syslog will take a couple of minutes to power on. The server will run
a few scripts for the lab and will shut down automatically.
Step 6 If not already open, open the Certs folder on your WKST1 desktop. You can see the certs that will be
used to configure the CUBE.
Note It might take few minutes for the certs to show up in the folder.
Procedure
Step 1 Go back to your dCloud session page and click the Servers tab.
Step 2 On the pop-up window, click Cube in the list.
Caution Make sure the syslog server is shut down and you DO NOT power on the syslog server.
Step 3 Click On to power on the Cube. The Cube will take a couple minutes to power on. If you would like, you can
use a command prompt and start a continuous ping (ping 198.18.133.226 -t) to monitor the
connectivity status.
Step 4 Once the Cube is accessible, open the PuTTY program using the icon on the taskbar.
Step 5 Double-click LocalGateway under Saved Sessions. If you receive any security alerts, click Yes.
Step 6 Log in with username/password admin/dCloud123!
Step 7 At the command prompt, enter the command:
config t
Step 8 Enter the following command (you can copy and paste from this guide) and press Enter:
crypto key import rsa CUBE_PEM exportable pem encryption terminal dCloud123!
Step 9 After entering the command, it will prompt you to paste in the public key. Open the Certs folder.
Step 10 Select pubkey1.pem and open in Notepad++. Copy the PUBLIC KEY from the document. When copying
the keys/certs, always copy the entire entry including the BEGIN and END statements along with all the
dashes (-).
Step 11 After pasting the key on the PuTTY session for Cube, press Enter until you get the prompt to paste the private
key.
Step 12 Open the privkey1-rsa.pem in Notepad++. Copy the full Private Key and paste it into the PuTTY
window.
Step 13 After pasting in the private key, press Enter to move to an empty line and then type quit. Press Enter. You
should see the prompt %Key pair import succeeded.
Step 14 Copy and paste the next command from the Certs folder into the PuTTY window:
crypto pki import CUBE_CA_CERT pem terminal password dCloud123!
Step 15 After entering the previous command, open the chain.pem from the Certs folder in Notepad++ and copy the
certificate and paste it into the PuTTY window.
Step 16 After pasting in the chain.pem certificate, press Enter until you are prompted again for the private key.
Step 17 Once prompted for the private key, copy the private key from privkey1-rsa.pem and paste it into the PuTTY
window.
Step 18 After pasting the key, press Enter to move to an empty line. Type “quit” and press Enter.
Step 19 Now open the cert.pem file in Notepad++. Copy the Cube signed certificate and paste it into the PuTTY
window. Then press Enter until you get back to the router prompt. You should see the message %PEM files
import succeeded.
Step 20 Enter the following commands. They enable the HTTPS server on the CUBE with the imported
certificate so that you can test the certificate from a browser:
ip http secure-server
ip http secure-trustpoint CUBE_CA_CERT
ip http authentication enable
Step 21 You can now test the secure connection from your own browser by navigating to the CUBE's address at
https://cube.gdedemoX.com. You should no longer receive an insecure-certificate warning.
Note Remember to replace X with your assigned domain. The certs used in this lab are for a testing
environment only. Enabling the HTTPS server widens the management surface of the CUBE; it is done here
only to test the certificate, and in a production deployment you should disable it or restrict access to it
once testing is complete.
To list the total number of concurrent calls later in this lab, you can use the following command:
show call active total-calls
Download the CA certificate from this URL. Open the base-64 CER/PEM file with Notepad++, copy the
text, and paste it into the terminal when prompted. The trustpoint authenticated here (baltimore) is the
Baltimore CyberTrust Root, which at the time of writing was the root of the Microsoft Phone System
certificate chain; it must already be defined as a trustpoint on the CUBE before crypto pki authenticate
can be run. Microsoft can change the root CA it uses, so confirm the current root in Microsoft's Direct
Routing documentation.
conf t
crypto pki authenticate baltimore
Once you paste the certificate, press Enter. You will be prompted Do you accept this certificate?. Type
yes and press Enter. You will see a message saying the certificate was successfully imported.
Specify the Default Trustpoint and TLS Version with SIP-UA Defaults
Microsoft Direct Routing accepts only TLS 1.2 connections from an SBC that presents a certificate signed by a
trusted public CA. You must configure SIP-UA to accept TLS 1.2 only, and configure the CUBE to present its
certificate (the CUBE_CA_CERT trustpoint imported above) on TLS connections. The transport tcp tls v1.2
line rejects older TLS versions; the crypto signaling default trustpoint line selects the certificate the
CUBE sends, which is what makes the connection mutually authenticated.
conf t
sip-ua
no remote-party-id
retry invite 2
transport tcp tls v1.2
crypto signaling default trustpoint CUBE_CA_CERT
handle-replaces
!
end
X.X.X.X"
rule 74 request ANY sdp-header Audio-Connection-Info modify "IN IP4 198.18.1.226" "IN IP4 X.X.X.X"
rule 80 request ANY sdp-header Audio-Attribute modify "(a=crypto:.*inline:[A-Za-z0-9+/=]+)" "\1|2^31"
rule 90 response ANY sdp-header Audio-Attribute modify "(a=crypto:.*inline:[A-Za-z0-9+/=]+)" "\1|2^31"
rule 100 request ANY sdp-header Audio-Attribute modify "a=candidate.*" "a=label:main-audio"
rule 110 response ANY sdp-header Audio-Attribute modify "a=candidate.*" "a=label:main-audio"
!
end
Note Replace X.X.X.X with your session-provided public IP address that is assigned to the CUBE.
Rules 10, 20: change the domain as per your session info (for example, cube.gdedemoX.com).
Rules 70, 71, 72, 73, 74: change the public IP address to your session-assigned public IP.
Note Replace X.X.X.X with your session-provided public IP address that is assigned to the CUBE.
Rules 9, 40, 50: change the IP to your session public IP.
Rules 11, 21: change the domain as per your session info (for example, cube.gdedemoX.com).
Note Change the domain as per your session info (for example, cube.gdedemoX.com).
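The Audio-Connection-Info and Audio-Attribute rules above are easiest to understand by running them against an SDP body. The following Python script is an added example, not configuration from the lab or code from Cisco; it applies the equivalents of rules 74, 80 and 100 to a constructed SDP body (the private address 198.18.1.226 is the one in the lab profile; 203.0.113.10 stands in for the session-assigned public IP X.X.X.X, and the SRTP key is made up). It also shows two things a practitioner should check: rule 74 rewrites only the audio c= line, so the session-level o= and c= lines still carry the private address unless other rules (the guide's rules 70 to 73, which are not shown on this page) handle them; and the rule 80 regex is not idempotent, so applying the profile twice on the same path produces a doubled |2^31 lifetime.

```python
import re

PRIVATE_IP = "198.18.1.226"   # CUBE LAN address matched by rule 74 in the lab profile
PUBLIC_IP = "203.0.113.10"    # assumption: stands in for X.X.X.X, the session-assigned public IP

# Constructed SDP body, as the CUBE might offer it before the profile runs
# (example data, not a capture from the lab; the SRTP key is made up).
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=CiscoSystemsSIP-GW-UserAgent 1 1 IN IP4 198.18.1.226",
    "s=SIP Call",
    "c=IN IP4 198.18.1.226",
    "t=0 0",
    "m=audio 16384 RTP/SAVP 0 101",
    "c=IN IP4 198.18.1.226",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz",
    "a=candidate:1 1 UDP 2130706431 198.18.1.226 16384 typ host",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:101 telephone-event/8000",
    "a=fmtp:101 0-16",
])


def build_rules(public_ip):
    """Python equivalents of the profile's request-direction rules.

    Each entry is (SDP line type the rule targets, compiled regex, replacement).
    sdp-header Audio-Connection-Info targets the c= line of the audio media
    section; Audio-Attribute targets the a= lines of that section. Rules 90 and
    110 apply the same a= rewrites to responses.
    """
    return [
        # rule 74: replace the private media address with the public one
        ("c", re.compile(r"IN IP4 " + re.escape(PRIVATE_IP)), "IN IP4 " + public_ip),
        # rule 80: append the SRTP key lifetime (2^31) to the SDES crypto line
        ("a", re.compile(r"(a=crypto:.*inline:[A-Za-z0-9+/=]+)"), r"\1|2^31"),
        # rule 100: drop ICE candidates, replacing them with a label attribute
        ("a", re.compile(r"a=candidate.*"), "a=label:main-audio"),
    ]


def apply_profile(sdp, public_ip=PUBLIC_IP):
    """Apply the audio-section rewrites to an SDP body and return the result."""
    rules = build_rules(public_ip)
    out = []
    in_audio = False
    for line in sdp.split("\r\n"):
        if line.startswith("m="):
            in_audio = line.startswith("m=audio")   # only the audio section is rewritten
        elif in_audio:
            for kind, pattern, repl in rules:
                if line.startswith(kind + "="):
                    line = pattern.sub(repl, line)
        out.append(line)
    return "\r\n".join(out)


def private_ip_leaks(sdp, private_ip=PRIVATE_IP):
    """Lines that still carry the private address after the rewrite."""
    return [line for line in sdp.split("\r\n") if private_ip in line]


if __name__ == "__main__":
    rewritten = apply_profile(SAMPLE_SDP)
    print(rewritten)
    print("still leaking:", private_ip_leaks(rewritten))
```

Run it and compare the output with the original body: the media c= line, the crypto line and the candidate line change; the o= and session-level c= lines do not, which is why the full profile has more rules than the five shown here.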
Codecs
Only the G711ulaw codec has been used for this tested configuration. Ensure that only codecs supported by
both PSTN and Microsoft Phone System are included in this configuration.
Conf t
!
voice class codec 1
codec preference 1 g711ulaw
!
end
Dial Peers
Outbound Dial Peers to Phone Systems Using TLS with SRTP
To ensure the correct failover order, the following prioritized dial peers are used. To simplify configuration,
a common E.164 pattern map defining all numbers and prefixes used by Phone System is shared by all three
dial peers (one per Phone System proxy FQDN). The configuration of the three dial peers is the same, except
for the preference and the Phone System proxy FQDN.
Conf t
!
voice class e164-pattern-map 200
e164 6018
!
dial-peer voice 200 voip
description towards Phone System Proxy 1
preference 1
rtp payload-type comfort-noise 13
session protocol sipv2
session target dns:sip.pstnhub.microsoft.com
destination e164-pattern-map 200
voice-class codec 1
voice-class sip tenant 200
voice-class sip options-keepalive profile 200
dtmf-relay rtp-nte
srtp
fax protocol none
no vad
!
dial-peer voice 201 voip
description towards Phone System Proxy 2
preference 2
rtp payload-type comfort-noise 13
session protocol sipv2
session target dns:sip2.pstnhub.microsoft.com
destination e164-pattern-map 200
voice-class codec 1
Inbound Dial Peers from Phone Systems Using TLS with SRTP
The inbound dial peer from Phone System is selected using the SBC FQDN as presented in the host part of the
incoming To: header.
Conf t
!
voice class uri 290 sip
host cube.gdedemoX.com
!
dial-peer voice 290 voip
description inbound from Microsoft Phone System
rtp payload-type comfort-noise 13
session protocol sipv2
incoming uri to 290
voice-class codec 1
voice-class sip tenant 200
dtmf-relay rtp-nte
srtp
no vad
!
end
Note Change the domain as per your session info (for example cube.gdedemoX.com).
Outbound Dial Peers to Phone Systems for REFER Using TLS with SRTP
To correctly handle call transfers, INVITEs that follow a REFER from Phone System must be directed back
to Phone System. Inbound REFER messages are processed by dial peer 290, and the associated SIP profile
adds a routing prefix (AAA) to the Refer-To header. The subsequent INVITE is therefore routed to Phone
System through the following dial peer, after the routing prefix is removed.
Conf t
!
dial-peer voice 280 voip
description Phone System REFER routing
destination-pattern +AAAT
rtp payload-type comfort-noise 13
session protocol sipv2
session target sip-uri
voice-class codec 1
voice-class sip profiles 280
voice-class sip tenant 200
voice-class sip requri-passing
dtmf-relay rtp-nte
srtp
no vad
!
!
end
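The SIP-UA defaults and the dial peers above together define the security posture of the Direct Routing trunk: TLS 1.2 pinned, a default trustpoint so the CUBE presents its certificate, SRTP on every dial peer facing Phone System, and the tenant applied so tenant-level settings take effect. The following Python script is an added example, not from the lab or from Cisco; it audits a constructed configuration excerpt (assembled from the lab's own sip-ua and dial-peer blocks) against those four requirements, and shows what it flags on a deliberately weakened copy (transport tcp tls with no version, no trustpoint, and a dial peer without srtp or a tenant).

```python
import re

# Constructed configuration excerpt assembled from the lab's sip-ua and
# dial-peer sections (not a capture from the lab device).
GOOD_CONFIG = """
sip-ua
 no remote-party-id
 retry invite 2
 transport tcp tls v1.2
 crypto signaling default trustpoint CUBE_CA_CERT
 handle-replaces
!
dial-peer voice 200 voip
 description towards Phone System Proxy 1
 preference 1
 session protocol sipv2
 session target dns:sip.pstnhub.microsoft.com
 destination e164-pattern-map 200
 voice-class codec 1
 voice-class sip tenant 200
 dtmf-relay rtp-nte
 srtp
 no vad
!
dial-peer voice 290 voip
 description inbound from Microsoft Phone System
 session protocol sipv2
 incoming uri to 290
 voice-class codec 1
 voice-class sip tenant 200
 dtmf-relay rtp-nte
 srtp
 no vad
!
"""

# Deliberately weakened copy: TLS version not pinned, no trustpoint, and a dial
# peer that would send plain RTP without the tenant's settings.
WEAK_CONFIG = """
sip-ua
 no remote-party-id
 transport tcp tls
!
dial-peer voice 200 voip
 session protocol sipv2
 session target dns:sip.pstnhub.microsoft.com
 voice-class codec 1
 dtmf-relay rtp-nte
 no vad
!
"""


def parse_blocks(config):
    """Split IOS-style config into (header, [indented body lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if not raw.startswith(" "):
            blocks.append((stripped, []))
        elif blocks:
            blocks[-1][1].append(stripped)
    return blocks


def audit(config):
    """Return a list of findings; an empty list means the trunk config passes."""
    findings = []
    blocks = parse_blocks(config)

    sip_ua = [body for header, body in blocks if header == "sip-ua"]
    if not sip_ua:
        findings.append("sip-ua: section missing")
    for body in sip_ua:
        transport = [l for l in body if l.startswith("transport tcp tls")]
        if not transport:
            findings.append("sip-ua: no 'transport tcp tls' line, SIP over TLS is not the default transport")
        elif "transport tcp tls v1.2" not in body:
            findings.append(f"sip-ua: '{transport[0]}' does not pin TLS 1.2, which Direct Routing requires")
        if not any(l.startswith("crypto signaling default trustpoint ") for l in body):
            findings.append("sip-ua: no default trustpoint, so the CUBE has no certificate to present for SIP TLS")

    for header, body in blocks:
        match = re.match(r"dial-peer voice (\d+) voip$", header)
        if not match:
            continue
        tag = match.group(1)
        if "srtp" not in body:
            findings.append(f"dial-peer {tag}: srtp missing, media would be sent as plain RTP")
        if not any(l.startswith("voice-class sip tenant ") for l in body):
            findings.append(f"dial-peer {tag}: no voice-class sip tenant, tenant-level TLS and profile settings not applied")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("WEAK_CONFIG", WEAK_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

The audit is intentionally literal (exact IOS keywords, one level of indentation), which is enough for a running-config pasted from a show command; it is a sanity check for the lab, not a replacement for verifying the TLS handshake and SRTP negotiation on the live trunk.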
Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36) and log in as dcloud\cholland with password dCloud123! Ignore/accept any
security warnings.
Step 2 Open Windows PowerShell as an administrator.
Step 3 Run the following commands to connect to the Office tenant you created earlier. When prompted for
the password, use dCloud123!
Note Replace the XXXXX with the admin account credentials you created earlier when using the
GDE Bot.
Step 5 We will now run the following commands in powershell to create an Online PSTN Gateway:
New-CsOnlinePSTNGateway -Fqdn cube.gdedemoX.com -SipSignalingPort 5061 -MaxConcurrentSessions 100 -Enabled $true
Get-CsOnlinePSTNGateway cube.gdedemoX.com
Note Change the domain as per your session info (for example, cube.gdedemoX.com).
Step 6 We will enable Enterprise Voice for our demo user that we created earlier and assign them 6018 as the phone
number:
Set-CsUser -Identity "omer@gdedemoX.com" -EnterpriseVoiceEnabled $true -HostedVoiceMail $true -OnPremLineURI tel:6018
Note Change the user email to the address you have created earlier.
Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36) and log in as dcloud\cholland with password dCloud123! Ignore/accept any
security warnings.
Step 2 Open the browser, if not already signed in , sign into Office365 account with the credentials created earlier.
Step 3 Once signed, click Show All. Select Teams from the left column.
Note If you get a pop up stating, Help us protect your account, click Skip for now.
Step 4 Click Voice routing policies. Select Global(Org-wide default). Click Add PSTN usage. In the flyout
window, click ADD.
Step 5 Create a new PSTN Usage Record and call it PSTNUR. Click the checkbox below it and click Apply. Click
Save.
Step 6 Under Voice, select Direct Routing. You will notice our SBC already added. While on the Direct Routing
tab, click Voice routes. Select Add and fill in the following info:
• Add voice Route: US Dialling
• Priority: 2
• Dialed number pattern: \+1.*
• SBC enrolled: Click Add SBCs. Select cube.gdedemoX.com and click Apply.
• PSTN usage records: Click Add PSTN usage. Select PSTNUR and click Apply.
• Click Save.
Step 7 Under Voice in the left column, select Calling Policies. Click ADD.
Step 8 Click the toggle to enable Busy on Busy is available when in a call. Assign the policy a name, for example,
Busy on Busy Enabled. Click Save.
Step 9 To configure a Caller ID policy, navigate to Voice > Caller ID Policies > Add.
Step 10 Enter the caller ID policy Name, for example, Anonymous Policy, and select Replace the Caller ID with
Anonymous. Click Save to complete the configuration.
Step 11 Select Users from the left column. You can see the user we created earlier.
Step 12 Click on the new user name Omer Ilyas. Select Policies. Click Edit next to Assigned policies. In the flyout
window, under Calling policy, select Busy on Busy enabled. While still in the flyout window, under Caller
ID policy, select Anonymous Policy. Once done, click APPLY.
Step 13 To check your SBC status, navigate to Voice > Direct Routing. You will see your gateway configured with
the status of Active.
Note Ignore the warning under TLS connectivity status stating The certificate that is being used is
expiring in 30 days. In a production deployment, this warning means the SBC certificate must be renewed
before Phone System stops trusting it.
Important As this lab is deployed in RTP (the Research Triangle Park dCloud data center), you can dial US
national numbers only.
Step 1 If not already connected, use Cisco AnyConnect to VPN into your lab session or connect via RDP session to
Workstation 1 (198.18.1.36) and log in as dcloud\cholland with password dCloud123! Ignore/accept any
security warnings.
Step 2 Open the browser. Download the Microsoft Teams client on WKST1. You can also download Microsoft
Teams client on your personal device as well.
Step 3 Once downloaded, log in as the demo user you created earlier (for example, omer@gdedemoX.com with the
password of dCloud123!).
Note Replace X with your assigned domain.
Step 4 On the left, click the Call icon. You will see the dial pad that will allow you to make US national calls only.
Procedure
Step 1 Select the DID number that is assigned to extension 6018, as shown below.
Procedure
Step 1 Using Firefox, open the browser and sign in to your Office365 account (https://admin.microsoft.com) with
the credentials created earlier.
Step 2 Once signed in, click Show All. Navigate to Users > Active users, select your user (e.g. Omer Ilyas), and
delete the user. A domain cannot be removed while users still have addresses in it.
Step 3 Click Settings > Domains.
Step 4 Select your session-assigned domain (e.g. gdedemoX.com) and press the Delete key or click Remove.
Note You can end your session only after you remove your session-assigned domain.
What’s Next?
• Check out the new and updated Collaboration dCloud demos and labs: https://dcloud-cms.cisco.com/
architectures/collaboration
• Check out the full dCloud library: https://dcloud.cisco.com/datacentres
• See more demos on Demo Zone: https://www.cisco.com/c/en/us/products/demos.html