Teams Integration

[kobyhud]

As for my troubleshooting steps.

I can see my gateway make an outbound SIP OPTIONS ping every 60 seconds to microsoft it looks like this:
OPTIONS sip:sip.pstnhub.microsoft.com:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS sbc.example.com:5083;rport;branch=z9hG4bKe6HgFv5vDcB1a
Max-Forwards: 70
From: <sip:sip.pstnhub.microsoft.com:5061>;tag=e8S6260DyyFvp
To: <sip:sip.pstnhub.microsoft.com:5061>
Call-ID: 079a560b-82fb-123b-549c-00163e1597f2
CSeq: 54616233 OPTIONS
Contact: <sip:gw+8b28ce16-60d0-40ff-a0d8-9ec4fc1d3842@sbc.example.com:5083;transport=tls;transport=tls;gw=8b28ce16-60d0-40ff-a0d8-9ec4fc1d3842>
User-Agent: FreeSWITCH
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Length: 0

Microsoft appropriately and immediately responds with :
SIP/2.0 200 OK
FROM: <sip:sip.pstnhub.microsoft.com:5061>;tag=e8S6260DyyFvp
TO: <sip:sip.pstnhub.microsoft.com:5061>
CSEQ: 54616233 OPTIONS
CALL-ID: 079a560b-82fb-123b-549c-00163e1597f2
VIA: SIP/2.0/TLS sbc.example.com:5083;branch=z9hG4bKe6HgFv5vDcB1a;rport
CONTENT-LENGTH: 0
ALLOW: INVITE,ACK,OPTIONS,CANCEL,BYE,NOTIFY
SERVER: Microsoft.PSTNHub.SIPProxy v.2022.7.18.3 i.USWE2.6

At this point according to https://docs.microsoft.com/en-us/mi...ct-routing/sip-options-tls-certificate-issues
MS is supposed to then send a SIP OPTIONS request to my server, to which I am supposed to respond with a 200 OK and then my trunk should be marked as active and all will be well with the world. However, I never see a sip options request from Microsoft.
Their document says this about this case (For everyone's reference SBC is Fusionpbx to MS, and SIP proxy is MS's side):
"The SBC receives the 200 OK response from the SIP proxy but not the SIP options that were sent from the SIP proxy. If this error occurs, make sure that the FQDN that's listed in the Record-Route or Contact header is correct and resolves to the correct IP address.
Another possible cause for this issue might be firewall rules that are preventing incoming traffic. Make sure that firewall rules are configured to allow incoming connections from all SIP proxy signalling IP addresses."

My FQDN resolves properly on the open internet to a single IP address, and Microsoft is able to send calls there as well. The firewall at this point is wide open to MS on this port, as evidenced by outbound calls from Teams clients working successfully to my FusionPBX machine. I can see normal sip phone call traffic occur with sngrep via my encrypted sip capture translation.

So, I suppose something could still be wrong with my tls configuration, I have tried two separate Letsencrypt certificates, one with only the FQDN and one a wildcard???

 

[kobyhud]

Well, in a fit of frustration I went an got Kamailio sort of working. Meaning at least I was able to get my SBC in direct routing to be marked as active. I used the exact same certificate from letsencrypt as well.

It doesn't make sense why freeswitch/fusion isn't working.

Kamailio Options Request:
OPTIONS sip:sip.pstnhub.microsoft.com;transport=tls SIP/2.0
Via: SIP/2.0/TLS sbc-host02.example.com:5061;branch=z9hG4bKa21.f2fb18a6000000000000000000000000.0
From: <sip:sbc-host02.example.com>;tag=a12b5cb3c1e96b5315976acbea1b3737-4e0e3c71
To: <sip:sip.pstnhub.microsoft.com;transport=tls>
Call-ID: 66e7c2c966acfbd3-752@127.0.1.1
CSeq: 10 OPTIONS
Contact: <sip:sbc-host02.example.com:5061;transport=tls>
User-Agent: kamailio (5.3.9 (x86_64/linux))
Max-Forwards: 70
Content-Length: 0

MS Options Response:
SIP/2.0 200 OK
FROM: <sip:sbc-host02.example.com>;tag=a12b5cb3c1e96b5315976acbea1b3737-4e0e3c71
TO: <sip:sip.pstnhub.microsoft.com;transport=tls>
CSEQ: 10 OPTIONS
CALL-ID: 66e7c2c966acfbd3-752@127.0.1.1
VIA: SIP/2.0/TLS sbc-host02.example.com:5061;branch=z9hG4bKa21.f2fb18a6000000000000000000000000.0
CONTENT-LENGTH: 0
ALLOW: INVITE,ACK,OPTIONS,CANCEL,BYE,NOTIFY
SERVER: Microsoft.PSTNHub.SIPProxy v.2022.7.18.3 i.USWE2.3

MS Options Request:
OPTIONS sip:sbc-host02.example.com:5061;transport=tls SIP/2.0
FROM: <sip:sip-du-a-us.pstnhub.microsoft.com:5061>;tag=bbc85d01-53bc-4b50-91e7-3997e9cf45ac
TO: <sip:sbc-host02.example.com>
CSEQ: 1 OPTIONS
CALL-ID: 4a38bd85-ed06-4014-9abb-3fc0709d1a12
MAX-FORWARDS: 70
VIA: SIP/2.0/TLS 52.114.148.0:5061;branch=z9hG4bK71bdd414
CONTACT: <sip:sip-du-a-us.pstnhub.microsoft.com:5061>
CONTENT-LENGTH: 0
USER-AGENT: Microsoft.PSTNHub.SIPProxy v.2022.7.18.3 i.USWE2.3
ALLOW: INVITE,ACK,OPTIONS,CANCEL,BYE,NOTIFY

Kamailio Response:
SIP/2.0 200 Keepalive
FROM: <sip:sip-du-a-us.pstnhub.microsoft.com:5061>;tag=bbc85d01-53bc-4b50-91e7-3997e9cf45ac
TO: <sip:sbc-host02.example.com>;tag=d04ca6db88519a751d012e1d2335a582.bcf77a35
CSEQ: 1 OPTIONS
CALL-ID: 4a38bd85-ed06-4014-9abb-3fc0709d1a12
VIA: SIP/2.0/TLS 52.114.148.0:5061;branch=z9hG4bK71bdd414
Server: kamailio (5.3.9 (x86_64/linux))
Content-Length: 0

 

[DigitalDaz]

I cannot remember exactly, I'll check later but look at the difference between the kamailio and freeswitch when it comes to the contact and from fields.

 

[kobyhud]

Yes Daz,

If someone has a functioning freeswitch gateway and profile with all of the options set that would probably be helpful.

I'm not sure whether the From and the To actually make a difference. I actually tweaked my kamailio config and was able to have it send OPTIONS pings over to my Freeswitch port and was able to get the SBC go "active" in the microsoft interface. But I do think something is wrong with the contact string in freeswitch as I was still unable to send a call through to microsoft, though I did get further than I have ever been.

I can't seem to get rid of the xxxx@ portion in the contact <sip:gw+8b28ce16-60d0-40ff-a0d8-9ec4fc1d3842@sbc.example.com:5083;transport=tls;transport=tls;gw=8b28ce16-60d0-40ff-a0d8-9ec4fc1d3842>.
I don't like seeing the double transport=tls either.
as for the extra gw=uuid I'm pretty sure that one gets ignored.

Freeswitch documentation would seem to agree:
Param "extension-in-contact" is used to force what the contact info will be in the registration. If you are having a problem with the default registering as gw+gateway_name@ip you can set this to true to use extension@ip. If extension is blank, it will use username@ip.

From what I can tell you can't get rid of the username portion of the contact.

 

[kobyhud]

A SIP trace from a functioning freeswitch would be nice as well...?

 

[DigitalDaz]

This help?

    <gateway name="msft-sip">
      <param name="username" value="dummy"/>
      <param name="password" value="password"/>
      <param name="proxy" value="sip.pstnhub.microsoft.com:5061"/>
      <param name="from-domain" value="$${sbc_contact_name}"/>
      <param name="from-user" value="pinger"/>
      <param name="expire-seconds" value="800"/>
      <param name="register" value="false"/>
      <param name="register-transport" value="tls"/>
      <param name="retry-seconds" value="30"/>
      <param name="context" value="default"/>
      <param name="caller-id-in-from" value="true"/>
      <param name="ping" value="45"/>
      <param name="contact-in-ping" value="true"/>
      <variables>
              <variable name="sip_cid_type"  value="pid"/>
      </variables>
    </gateway>

vars.xml:  <X-PRE-PROCESS cmd="set" data="sbc_contact_name=sbc1.trunk4teams.com"/>

 

[DigitalDaz]

Its a while since I messed with this, I'm not using it in production but it definitely worked.

I had also abandoned the gateway method of ping, I think it was too unreliable and instead was using crons every minute, one for each ms server:

/usr/bin/sipp -sf /usr/share/sip-tester/sip-options-ping.xml sip.pstnhub.microsoft.com:5061 -t l1  -l 1 -m 1 -tls_cert /etc/letsencrypt/live/sbc2.trunk4teams.com/fullchain.pem -tls_key /etc/letsencrypt/live/sbc2.trunk4teams.com/privkey.pem >/dev/null 2>&1

I had to mess with the watchdog timer for the more remote regions for me

root@sbc2:~# cat /usr/share/sip-tester/sip-options-ping.xml
<?xml version="1.0" encoding="ISO-8859-2"?>

<!-- This scenario tests an OPTIONS ping -->

<scenario>
  <send retrans="500">
    <![CDATA[
      OPTIONS sip:sip.pstnhub.microsoft.com:5061;transport=tls SIP/2.0
      Via: SIP/2.0/TLS sbc2.trunk4teams.com:5061;branch=[branch]
      Max-Forwards: 70
      From: <sip:sbc2.trunk4teams.com>;tag=S172S1gtcaQFp
      To: <sip:sbc2.trunk4teams.com>
      Call-ID: [call_id]
      Cseq: [cseq] OPTIONS
      Contact: <sip:gw+mstf-sip@sbc2.trunk4teams.com:5061;transport=tls;gw=mstf-sip>
      User-Agent: SONUS SBCSWeLite 9.0.2v266 Ribbon
      Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, NOTIFY, PUBLISH, SUBSCRIBE
      Supported: timer, path, replaces
      Allow-Events: talk, hold, conference, presence, as-feature-event, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer
      Content-Length: 0
    ]]>
  </send>

  <recv response="200"/>
</scenario>

 

[DigitalDaz]

Oh, as you can also see, I was using a bogus SONUS USer-Agent, that was not necessary though

 

[kobyhud]

Daz,

First of all, Thanks!

So I was going to migrate to SIPP next, I probably should have just started there instead of wasting the time with kamailio. Using a modified OPTIONS request in SIPP I was able to get the SBC to mark itself as active in Teams. YAY!?

However, calls to Teams are still failing with a 503, Q.850 cause 42 SWITCH_CONGESTION. I think its because my Contact string is still bogus coming out of my gateway.

INVITE sip:+numberinteams@sip.pstnhub.microsoft.com:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS sbc.example.com:5083;branch=z9hG4bK93HpB4DQQ1Hmm
Max-Forwards: 69
From: "OT Demo" <sip:+localnumber@sbc.example.com>;tag=S2cXpFKvFc3Zc
To: <sip:+18018772147@sip.pstnhub.microsoft.com:5061>
Call-ID: 052c6d0b-84a6-123b-008e-00163e1597f2
CSeq: 54708422 INVITE
Contact: <sip:gw+8b28ce16-60d0-40ff-a0d8-9ec4fc1d3842@sbc.example.com:5083;transport=tls;transport=tls;gw=8b28ce16-60d0-40ff-a0d8-9ec4fc1d3842>
User-Agent: FreeSWITCH
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Privacy: none
Content-Type: application/sdp
Content-Disposition: session
Content-Length: 269
X-Grandstream-PBX: true
P-Access-Network-Info: IEEE-EUI-48;eui-48-addr=74-83-C2-DF-FF-53
P-Emergency-Info: IEEE-EUI-48;eui-48-addr=00-0B-82-66-49-12
X-accountcode: demo-sip.example.com
X-FS-Support: update_display,send_info
P-Asserted-Identity: "OT Demo" <sip:+localnumber@sbc.example.com>


The more I look at it I'm thinking that double "transport=tls" has to be the problem.

Now how does a double transport=tls get added? Well after messing around with tls-bind-params and turning register-transport tls on and off; I figured I better look around further, and right under the sofia.conf.lua when register-transport is set to tls a contact-params is added.

I comment that line out of the lua script and suddenly my gateway finally has a different error message from my invite complaining that I haven't offered SRTP! Yahoo! A new error message. A half an hour or so later I find that I need to action export rtp_secure_media_outbound=mandatory in my outbound route and bada bing! I'm making calls to Teams.

Then because I am a glutton for punishment I halt my sipp options messages cronjob and restart my pings directly from my gateway with the ping options and my gateway stays active!

Now, I don't know why Marc put that contact-params of transport=tls in, but I'm guessing that it is no longer needed? Or that register-transport will already imply and add transport=tls for you? Perhaps it is something that has changed. But for now I am finally ready to take a nap.

 

[DigitalDaz]

I did a bit more digging yesterday.

If I were you I would stick with the sipp for the options pings. What we found was that over time, using gateways, they all slowly died, this was due to freeswitch marking them bad after a number of failures.

The sipp will NEVER mark them bad and just continue banging away forever just hit them each every minute in cron and the gateways should stay responsive forever.

 

[DigitalDaz]

Just for your info, my setup has nothing whatsoever to do with fusionpbx. Its just a lean, standalone freeswitch.

I figured that way I can connect it to anything, its just a teams appliance,. Glad you are making progress by the way

 

[kobyhud]

I had a gateway mark itself out of service because of the PING problem you mentioned last week, but because of how many times I had messed with those configurations I wasn't sure whether it was something I did or not. I'll keep an eye on it, it is certainly easy enough to go back to SIPP if necessary.

 

[leandrodes87]

Hy Kobyhud,



I am new in FusionPBX/Freeswitch, i has small knhow how about SIP, no much, i has a FusionPBX in GCP with some clients, each clients has a one domain in my FusionPBX, my FusionPBX stay in 4.5.13 Version.



My clients wants integration Microsoft Teams to make and receive calls, i studing about direct routing, but i don't want to make a other server with kamailio or other SBC, its possible connect FusionPBX to Microsoft Teams direct? If possible, its possible connect various domains this FusionPBX to various clients with diferentes domains Microsoft Teams?



I stays very interessing about this, its possible make a step by step this, my FusionPBX already connection TLS for extensions, my certificate its LetsEncrypt, i renew this certificates manually in 60 days, if necessari anymore information please say me, beceause I has aproximaly 3 clients interesing about this, if not they will change.

 

[kobyhud]

leandrodes,

The value you get out of my steps may vary based upon your knowledge of FusionPBX and of freeswitch call routing, but I will endeavor to flesh out the instructions I started earlier in this thread.

Then maybe someone will turn it into a sticky or a wiki article later.

Hy Kobyhud,



I am new in FusionPBX/Freeswitch, i has small knhow how about SIP, no much, i has a FusionPBX in GCP with some clients, each clients has a one domain in my FusionPBX, my FusionPBX stay in 4.5.13 Version.



My clients wants integration Microsoft Teams to make and receive calls, i studing about direct routing, but i don't want to make a other server with kamailio or other SBC, its possible connect FusionPBX to Microsoft Teams direct? If possible, its possible connect various domains this FusionPBX to various clients with diferentes domains Microsoft Teams?



I stays very interessing about this, its possible make a step by step this, my FusionPBX already connection TLS for extensions, my certificate its LetsEncrypt, i renew this certificates manually in 60 days, if necessari anymore information please say me, beceause I has aproximaly 3 clients interesing about this, if not they will change.

 

[kobyhud]

I updated my steps to where I am more likely to land, and for sure the freeswitch gateway pings don't keep the gateways alive. You are better off using SIPP for sure.

 

[glennbtn]

Have we got any step by step guide to get this up an running. The more I read everywhere the more confused I seem to get LOL

 

[kobyhud]

Look at post

Have we got any step by step guide to get this up an running. The more I read everywhere the more confused I seem to get LOL

My steps are earlier in the thread.

Teams Integration

You don’t need an E3 you can basically have any office 365 license and then get the “Phone System” add on. I just use the 365 Business Premium plus Phone System addon

www.pbxforums.com

 

[markjcrane]

kobyhud​

Saw your message today and created this commit. Hope it helps make it easier for someone

comment out line in sofia.conf.lua
--table.insert(xml, [[ <param name="contact-params" value="transport=tls"/>]]);

So in attempt to make this easier I removed the contact-params from the sip-transport section. Then commited it as a seperate parameter that is defined in gateway edit page. This means people won't have to remove it from the code. If anyone used this setting or needs it they can add the value in the new contact params setting in the gateway edit page.

Contact-params (#6545)