• Darren O'Connor

Microsoft Teams Direct Routing with Cisco CUBE (Unified Border Element).

Updated: Jun 17, 2020

We've been working on this for a while now but we're glad to see the two communications giants Cisco and Microsoft working together to onboard Cisco CUBE's as supported SBC's for Teams Direct Routing.  Up until the 11th June 2020 you were limited to a select few of supported SBC vendors - namely AudioCodes, Ribbon, Oracle but we're glad to finally see Cisco added to the list. 

So, what does a typical Teams Direct Routing deployment look like? To help you on your way we're happy to share what we've been putting into practice.


Prior to deployment make sure you have the following in place for EACH SBC:

- Public IP Address

- FQDN name matching SIP addresses of the users

- Public cert, issued by one of the supported CA’s:

  • AffirmTrust

  • AddTrust External CA Root

  • Baltimore CyberTrust Root

  • Buypass

  • Cybertrust

  • Class 3 Public Primary Certification Authority

  • Comodo Secure Root CA

  • Deutsche Telekom

  • DigiCert Global Root CA

  • DigiCert High Assurance EV Root CA

  • Entrust

  • GlobalSign

  • Go Daddy

  • GeoTrust

  • Verisign, Inc.

  • Starfield

  • Symantec Enterprise Mobile Root for Microsoft

  • SwissSign

  • Thawte Timestamping CA

  • Trustwave

  • TeliaSonera

  • T-Systems International GmbH (Deutsche Telekom)

  • QuoVadis

- CUBE licensing - Requires, IPbase, UC and Security feature set

To license your Microsoft Teams Direct Routing deployment the following licences are required:

- Microsoft Phone System licence in MS365 (typically included in the E5 packaged) and an add-on for E3.


Microsoft Teams Direct Routing allows the connection of your SBC to the Microsoft phone system. The SBC can be connected to almost any telephony trunk, or connect with third-party PSTN equipment.

Typical Network Connectivity/Topology:

Environment Setup:


- MS Teams Direct Routing environment is located on the WAN

- Cisco CUCM is located on the LAN


- MS Teams Direct Routing operates with SIP-over-TLS transport Type

- Cisco CUCM operates with SIP-over-UDP or SIP-over-TCP transport type


- Teams Direct Routing supports G.711A-law, G.711U-law, G.729 and G.722 and SILK

- Cisco CUCM Supports G.711A-law, G.711U-law and G.722 codecs

Media Transcoding

- Cisco CUCM operates with RTP media type

- MS Teams Direct Routing operates with SRTP media type

IP Ranges and ports:

SIP Signalling and Ports (TLS/SIP):

Media ports (UDP/SRTP)

SIP Signaling FQDN's

Global fqdn - sip.pstnhub.microsoft.com

Secondary - sip2.pstnhub.microsoft.com

Tertiary - sip3.pstnhub.microsoft.com


All resolvable to following IP's:







Media Traffic

· (IP addresses from to

· (IP addresses from to


Microsoft Phone System Direct Routing allows only TLS connections from SBCs for SIP traffic with a certificate signed by one of the aforementioned certificate authorities.

Generate CSR from CUBE, issue to CA to sign. Upload Root, Intermediate and Device to CUBE

Certificate Hierarchy

|- Root |-- Intermediate |--- Device

sbc(config)#crypto key generate rsa general-keys label sbc exportable

The name for the keys will be: sbc

Choose the size of the key modulus in the range of 360 to 4096 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

a few minutes.

How many bits in the modulus [512]: 2048

% Generating 2048 bit RSA keys, keys will be exportable...

[OK] (elapsed time was 2 seconds)

sbc(config)#crypto pki trustpoint device-trustpoint

sbc(ca-trustpoint)#enrollment terminal pem

sbc(ca-trustpoint)#subject-name cn=<hostname@domain>

sbc(ca-trustpoint)#fqdn <hostname@domain>

sbc(ca-trustpoint)#rsakeypair <keyname>


sbc(config)#crypto pki enroll device-trustpoint

% Start certificate enrollment ..

% The subject name in the certificate will include: cn=<hostname@domain>

% The subject name in the certificate will include: <hostname@domain>

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]:

Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:



---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]:


Issue to CA.

Upload the Certs to the CUBE

Root Certificate

Import root certificate as a separate trustpoint 

! crypto pki trustpoint root enrollment terminal pem revocation-check none ! crypto pki auth root ! ! Paste in ROOT.pem output then hit enter !

Intermediate and Device Certificates

Next you authenticate the intermediate certificate with the previously created device-trustpoint for CUBE.

After this you then import the device certificate into the same trustpoint.

! crypto pki authenticate device-trustpoint ! ! Paste in INTER.pem output and hit enter

! crypto pki import device-trustpoint certificate ! ! Paste in DEVICE.pem output and hit enter

GeoTrust/CyberTrust Cert

There is one last certificate to make this work and that is the Cybertrust / Geotrust certificate which is downloaded from a third party website.

On this website you normally download the Baltimore CyberTrust Root certificate.

Copy this to a file , ensure to select Base-64 encoded X.509 and ensure you name the files to end with .pem

Open the new file in a notepad and copy all the content and include the BEGIN and END.

! crypto pki trustpoint cybertrust enrollment terminal pem revocation-check none ! crypto pki auth cybertrust ! ! Paste in cybertrust cert and hit enter !

Set the default trustpoint and enable TLS

In order for CUBE to properly present certificates you need to set a default trustpoint as well as enable TLS 

! sip-ua crypto signaling default trustpoint device-trustpoint ! voice service voip sip session transport tcp tls

CUBE Configuration - Cisco have kindly documented a full CUBE configuration for support with Teams which you'll find useful to complete the remainder of your CUBE configuration. 


If you or your company are looking to migrate to Microsoft Teams and need assistance with your setup please reach out. You can contact us via email at enquires@uccert.co.uk

Why not run a proof of concept. UCcert are happy to provide a trial SBC and assist you with its setup.

277 views0 comments

Recent Posts

See All