Microsoft Teams Direct Routing with Cisco CUBE (Unified Border Element).
Updated: Jun 17
We've been working on this for a while now, and we're glad to see the two communications giants Cisco and Microsoft working together to onboard Cisco CUBEs as supported SBCs for Teams Direct Routing. Up until the 11th June 2020 you were limited to a select few supported SBC vendors, namely AudioCodes, Ribbon and Oracle, but we're glad to finally see Cisco added to the list.
So, what does a typical Teams Direct Routing deployment look like? To help you on your way we're happy to share what we've been putting into practice.
Prior to deployment make sure you have the following in place for EACH SBC:
- Public IP Address
- FQDN name matching SIP addresses of the users
- Public cert, issued by one of the supported CAs:
  - AddTrust External CA Root
  - Baltimore CyberTrust Root
  - Class 3 Public Primary Certification Authority
  - Comodo Secure Root CA
  - DigiCert Global Root CA
  - DigiCert High Assurance EV Root CA
  - Symantec Enterprise Mobile Root for Microsoft
  - Thawte Timestamping CA
  - T-Systems International GmbH (Deutsche Telekom)
- CUBE licensing: requires the IPbase, UC and Security feature sets
To license your Microsoft Teams Direct Routing deployment the following licences are required:
- Microsoft Phone System licence in MS365 (typically included in the E5 package, and an add-on for E3).
Microsoft Teams Direct Routing allows the connection of your SBC to the Microsoft phone system. The SBC can be connected to almost any telephony trunk, or connect with third-party PSTN equipment.
Typical Network Connectivity/Topology:
- MS Teams Direct Routing environment is located on the WAN
- Cisco CUCM is located on the LAN
- MS Teams Direct Routing operates with SIP-over-TLS transport type
- Cisco CUCM operates with SIP-over-UDP or SIP-over-TCP transport type
- Teams Direct Routing supports G.711A-law, G.711U-law, G.729, G.722 and SILK codecs
- Cisco CUCM supports G.711A-law, G.711U-law and G.722 codecs
- Cisco CUCM operates with RTP media type
- MS Teams Direct Routing operates with SRTP media type
IP Ranges and ports:
SIP Signalling and Ports (TLS/SIP):
Media ports (UDP/SRTP)
SIP Signaling FQDNs
Global FQDN - sip.pstnhub.microsoft.com
Secondary - sip2.pstnhub.microsoft.com
Tertiary - sip3.pstnhub.microsoft.com
All resolvable to the following IPs:
· 18.104.22.168/14 (IP addresses from 22.214.171.124 to 126.96.36.199).
· 188.8.131.52/14 (IP addresses from 184.108.40.206 to 220.127.116.11).
Microsoft Phone System Direct Routing allows only TLS connections from SBCs for SIP traffic with a certificate signed by one of the aforementioned certificate authorities.
Generate a CSR on the CUBE and send it to the CA for signing. Then upload the Root, Intermediate and Device certificates to the CUBE:
|- Root
|-- Intermediate
|--- Device
sbc(config)#crypto key generate rsa general-keys label sbc exportable
The name for the keys will be: sbc
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus : 2048
% Generating 2048 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 2 seconds)
sbc(config)#crypto pki trustpoint device-trustpoint
sbc(ca-trustpoint)#enrollment terminal pem
sbc(config)#crypto pki enroll device-trustpoint
% Start certificate enrollment ..
% The subject name in the certificate will include: cn=<hostname@domain>
% The subject name in the certificate will include: <hostname@domain>
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]:
Issue to CA.
Upload the Certs to the CUBE
Import root certificate as a separate trustpoint
!
crypto pki trustpoint root
 enrollment terminal pem
 revocation-check none
!
crypto pki auth root
!
! Paste in ROOT.pem output then hit enter
!
Intermediate and Device Certificates
Next you authenticate the intermediate certificate with the previously created device-trustpoint for CUBE.
After this you then import the device certificate into the same trustpoint.
!
crypto pki authenticate device-trustpoint
!
! Paste in INTER.pem output and hit enter
!
crypto pki import device-trustpoint certificate
!
! Paste in DEVICE.pem output and hit enter
There is one last certificate needed to make this work: the Cybertrust / Geotrust certificate, which is downloaded from a third-party website.
On this website you normally download the Baltimore CyberTrust Root certificate.
Copy this to a file, making sure to select Base-64 encoded X.509 and to name the file so that it ends with .pem.
Open the new file in Notepad and copy all of the content, including the BEGIN and END lines.
!
crypto pki trustpoint cybertrust
 enrollment terminal pem
 revocation-check none
!
crypto pki auth cybertrust
!
! Paste in cybertrust cert and hit enter
!
Set the default trustpoint and enable TLS
In order for CUBE to properly present certificates you need to set a default trustpoint as well as enable TLS.
!
sip-ua
 crypto signaling default trustpoint device-trustpoint
!
voice service voip
 sip
  session transport tcp tls
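A pre-flight check for the signed PEM files before they are pasted into the trustpoints above, written as an added example (not from the original post or from Cisco's documentation). It verifies the Root -> Intermediate -> Device chain, that the device certificate covers the SBC FQDN, and that the certificate matches the CSR the CUBE generated. The function names, file names and sample FQDN are assumptions, and the sample chain is constructed locally with openssl.

```shell
#!/bin/sh
# Added example: pre-flight checks on the signed PEM files before they are
# pasted into the CUBE trustpoints. Requires the openssl command-line tool.

# check_sbc_chain ROOT.pem INTER.pem DEVICE.pem FQDN [CSR.pem]
# Returns 0 = ok, 1 = chain does not verify, 2 = FQDN not in the certificate,
# 3 = certificate public key differs from the CSR generated on the CUBE.
check_sbc_chain() {
    root=$1; inter=$2; device=$3; fqdn=$4; csr=${5:-}
    # Root -> Intermediate -> Device must verify as one chain.
    openssl verify -CAfile "$root" -untrusted "$inter" "$device" \
        >/dev/null 2>&1 || return 1
    # The device certificate must be valid for the SBC FQDN.
    openssl x509 -in "$device" -noout -checkhost "$fqdn" \
        | grep -q "does match" || return 2
    # Optional: confirm the CA signed the CSR that this CUBE produced.
    if [ -n "$csr" ]; then
        cert_key=$(openssl x509 -in "$device" -noout -pubkey)
        csr_key=$(openssl req -in "$csr" -noout -pubkey)
        [ "$cert_key" = "$csr_key" ] || return 3
    fi
    return 0
}

# Constructed sample data: a throwaway three-level chain for a hypothetical
# SBC FQDN ($2), written to directory $1. Not a publicly trusted chain.
make_constructed_chain() {
    d=$1; fqdn=$2
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter device; do
        cn="Constructed $n CA"
        if [ "$n" = device ]; then cn=$fqdn; fi
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/ROOT.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/ROOT.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/INTER.pem" 2>/dev/null
    openssl x509 -req -in "$d/device.csr" -CA "$d/INTER.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/DEVICE.pem" 2>/dev/null
}
```

Run check_sbc_chain against the files returned by your CA and the FQDN of the SBC; the non-zero return code identifies which check failed.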
CUBE Configuration - Cisco have kindly documented a full CUBE configuration for support with Teams which you'll find useful to complete the remainder of your CUBE configuration.
If you or your company are looking to migrate to Microsoft Teams and need assistance with your setup, please reach out. You can contact us via email at firstname.lastname@example.org
Why not run a proof of concept? UCcert are happy to provide a trial SBC and assist you with its setup.