What is Teams SIP Gateway?
Teams SIP Gateway is Microsoft’s BYOD (that’s Bring Your Old Device… not Bring your own beer) offering. Consequently, enabling you to do more with less by repurposing some of your devices from your old phone system. For example, Skype for Business IP phones, Cisco IP phones with multiplatform firmware, Avaya phones (coming soon). As well as IP phones by vendors like Poly, Yealink and AudioCodes.
Teams SIP gateway also supports DECT offerings from Spectralink, Poly, Yealink and Gigaset.
Do you have analogue devices? Because, if you’re looking for something more retro for an analogue device. Teams SIP Gateway Analogue is also in Public Preview. Check out this blog without delay.
This post will review the pre-requisites and help you to get started with SIP Gateway straightaway.
Requirements
- SIP Gateway is available in Worldwide and government community cloud (GCC) tenants. However, it is not yet available for GCC High or DOD
- In order to use SIP Gateway, you must have the following licences:
- Microsoft Teams
- Skype for Business Online (Plan 2) – This isn’t a standalone license that can be purchased.
- Microsoft Phone System
- PSTN Connectivity
- E.g. Business/Ex/Fx licences + Phone System (not required for E5), Shared Device
- Teams users must have a phone number with PSTN calling enabled to use SIP Gateway.
Devices
Here’s an insight of what devices are compatible today:
SIP Device Type | Vendor and Model (* Public Preview) |
IP Desk Phones | AudioCodes: 405/400HD series Cisco: 6821 and 7800/8800 series Poly: VVX 100/200/300/400/500/600 series Yealink: T20/T30/T40/T50 series Avaya: J129/J139/J159/J169/J179/J189 series* |
IP Conference Phones | AudioCodes: RX50 Poly: Trio 8500/8800 |
IP DECT Phones, Base Stations | Ascom: d43/d63/d83/Myco3 series handsets, IP-DECT Access Points IPBsx, Gateway IPBL, Virtual Appliance IPVM Gigaset: N610/N670/N870/ N870E base stations Poly: 20/30/40 Rove series handsets, B1/B2/B4 base stations Spectralink: 72xx/75xx/76xx/77xx/PP8 series handsets, IP-DECT 200/400/6500/Virtual IP-DECT Yealink: W56H,W73H,W59R series handsets, W70B/W80/W90 base stations |
Overhead Paging, Alerters and Speakers | Algo: IP Speakers: 8180G2/8186/8188/8189/8190/8190S/ 8196* IP Intercom: 8028G2/8201/8063* IP Visual Alerters: 8128G2/8138* IP Paging Adapters: 8301/8373* IP Display Speakers: 8410/8420* |
ATA Devices | AudioCodes: MP-112 FXS, MP-114 FXS, MP-114 FXS_FXO, MP-118 FXS, MP-118 FXS_FXO, MP-124 FXS* Cisco: ATA 191, ATA 192* Poly: OBI 300, OBI 302* |
Configuring Teams SIP Gateway
Before you can configure SIP Gateway, do the following:
- Firstly, reset SIP devices to factory default settings. You or your organisation’s users must reset each SIP device used with SIP Gateway to its factory default settings. To find out how to do that, see the manufacturer’s instructions.
- Then ensure to open your firewall to Microsoft 365 and Teams. Open your network’s firewall to Microsoft 365 and Teams traffic as described in Office 365 URLs and IP address ranges. Firewall rules are needed for outbound traffic only.
- Make sure the SIP devices are not behind a proxy. Ensure that http/s traffic bypasses any corporate http/s proxy.
- Open the UDP port. Open UDP port in the range 49152 to 53247 for IP ranges 52.112.0.0/14 and 52.122.0.0/15.
- Open the TCP port. Open TCP port 5061 for IP ranges 52.112.0.0/14 and 52.122.0.0/15.
- Open the following IP addresses for HTTP and HTTPS:
- 13.75.175.145
- 52.189.219.201
- 51.124.34.164
- 13.74.250.91
- 13.83.55.36
- 23.96.103.40
Next, you’ll need to enable SIP Gateway for user’s in your organisation.
To enable SIP Gateway in the Teams admin center, follow these steps:
- Go to the Teams admin center
- At the left, under Voice, select Calling policies.
- At the right under Manage policies, select the appropriate calling policy assigned to users or, if necessary, create a new calling policy and assign it to the required users.
- Select Manage policies, select a policy, and then select Edit.
- Turn on the setting for SIP devices can be used for calls, and then select Save.
Note: Policy propagation may take up to 24 hours.
Set the SIP Gateway provisioning server URL
You can set the SIP Gateway provisioning server’s URL in your Dynamic Host Configuration Protocol (DHCP) server. Users who work remotely must configure it manually.
Using DHCP
For each SIP device, set one of the following SIP Gateway provisioning server URLs:
- EMEA:
http://emea.ipp.sdg.teams.microsoft.com
- Americas:
http://noam.ipp.sdg.teams.microsoft.com
- APAC:
http://apac.ipp.sdg.teams.microsoft.com
Add SIP devices to your Teams organization by configuring the above SIP Gateway provisioning server URL in your DHCP server. To learn more about DHCP server, see Deploy and manage DHCP. Also, you can use DHCP option 42 to specify the Network Time Protocol (NTP) server, and DHCP option 2 to specify the offset from Coordinated Universal Time (UTC) in seconds. The devices in your organization will be routed to the SIP Gateway provisioning server. Successfully provisioned SIP phones will display the Teams logo and a soft button for sign-in.
Ensure SIP devices are on the minimum supported firmware version for onboarding. During onboarding, SIP Gateway will push the default configuration and authentication user interface to the device. To find out the required firmware version for SIP devices, see Plan for SIP Gateway.
Manually
Users who work remotely must manually configure the provisioning server URL into their SIP device by using the following steps:
- Open Settings on the device and get the device’s IP address.
- Open a browser window, enter the device’s IP address, log in (if necessary) and configure the provisioning server’s URL in the device’s web utility.
- Under Settings or Advanced settings on the web utility, enter the provisioning server URL shown above.
Configure conditional access
Conditional Access is an Azure Active Directory (Azure AD) feature that helps ensure that devices that access your Microsoft 365 resources are properly managed and secure. SIP devices are not managed by Intune hence conditional access checks applied to them are stricter than those applied to users. SIP Gateway authenticates SIP devices with Azure AD, so if your organization uses Conditional Access for devices in the corporate network, it should exclude the following SIP Gateway service IP addresses:
- North America:
- East US: 52.170.38.140
- West US: 40.112.144.212
- EMEA region:
- North EU: 40.112.71.149
- West EU: 40.113.112.67
- APAC region:
- Australia East: 20.92.120.71
- Australia Southeast: 13.73.115.90
Provisioning and Signing In
Provisioning
To streamline your tasks, you can enroll SIP devices in the Teams admin center either one at a time or in batches. Here’s how:
- Log in to the Teams admin center.
- Select Teams devices > SIP devices.
- At the upper right, select Actions > Provision devices and follow one of these steps:
- To provision one device:
- a. Under Waiting on activation, select Add.
- b. On the Add MAC addresses pane, enter the MAC address and Location of the device, and then select Apply.
- c. Under Waiting on activation, select the device you just added, and then select Generate verification code.
- d. Then, on the Provision devices pane, under Verification code, note the verification code for the SIP device.
User Sign In
To pair a SIP device after the user authenticates using corporate credentials, a user must:
- Press Sign-in on the SIP phone to display the authentication URL and pairing code. The pairing code is time-sensitive. If it expires, the user must press Back on the phone and start the sign-in process again.
- Navigate to the authentication URL on the user’s desktop or mobile browser and use corporate credentials to log in.
- Enter the pairing code displayed on the SIP phone into the web authentication app to pair the SIP phone with the user’s account. On a successful sign-in, which might take a while, the SIP phone will display the phone number and username, if the device supports it.
Common Area Phone Sign In
- To provision many devices:
- a. Under Waiting on activation, at the right, select Export (the Microsoft Excel icon).
- b. On the Provision devices pane, under Upload multiple MAC addresses, select download a template.
- c. Save Template_Provisioning.csv to your computer and fill in the MAC id and Location fields.
- d. On the Provision devices pane, select Upload multiple MAC addresses.
- e. At the right on the Upload MAC addresses pane, select Select a file, and select the Template_Provisioning.csv file that contains your data.
- f. On the Provision devices pane, under Waiting on activation, select a device and then select Generate verification code to generate a one-time verification code for each provisioned device. Note the verification code for each SIP device.
- On the SIP device, dial the enrollment feature code followed by the verification code. On the SIP device, dial the enrollment feature code *55* (used by SIP Gateway for enrollment one-time-verification code validation), followed by the verification code that is generated in Teams Admin Center for this particular device. For example, if the verification code is 123456, dial *55*123456 to enroll the device.
- Afterwards, on the Provision devices pane, under Waiting for sign in, select Signed out.
- When in the Sign in a user dialog, the authentication URL and pairing code will be displayed.
- Then, navigate to the authentication URL on the user’s desktop or mobile browser and use corporate credentials to log in.
- Finally, enter the pairing code displayed in the Sign in a user dialog into the web authentication app to pair the SIP phone with the user’s account. On a successful sign-in, which might take a while, the SIP phone will display the phone number and username, if the device supports it.
Further information can be found at Configure SIP Gateway – Microsoft Teams | Microsoft Learn