Installing and configuring the Teams Connector in Azure

The Pexip Teams Connector must be deployed in Microsoft Azure. The Teams Connector handles all Teams communications and meeting requests from the Pexip Infinity platform and passes them on to the Microsoft Teams environment.

No changes should be made to any Pexip Teams Connector (other than as described within this documentation for installing and maintaining your deployment) unless directed to do so by Pexip support. This includes (but is not limited to) any changes to the operating system or the installation of any third-party code/applications.

Architecture overview

The following diagram shows the Teams Connector elements that are deployed in Azure, and how they interact with the Pexip Infinity platform and Microsoft Teams. You do not have to set up these Azure components individually — they are all created as part of the deployment process that is described below.

Note that:

  • The Teams Connector must be deployed in Microsoft Azure. The Azure Virtual Machine scale set (VMSS) allows the Pexip application to run across a group of identical, load balanced VMs.
  • The Pexip Infinity platform can be installed in any supported platform (including Microsoft Azure).
  • The Pexip Conferencing Nodes:

    • can be Transcoding Conferencing Nodes or Proxying Edge Nodes, providing they have a publicly-reachable address
    • must have TLS certificates installed that have been signed by an external trusted CA (certificate authority)
    • can have static NAT and/or dual network interfaces, as the Teams Connector is treated as a lineside connection.
  • The Teams Connector supports connections over TLSv1.2 only, and does not support RC2, RC4, DES and 3DES ciphers.

Preparation, prerequisites and capacity planning

This section lists the various preparation steps you must perform before starting your Teams Connector installation.

Capacity planning

Contact your Pexip authorized support representative to discuss your call capacity requirements, and how many Teams Connector instances are required.

Obtain an Azure subscription and an Azure tenant ID

Ensure that you have an Azure subscription and an Azure tenant ID for your Teams Connector deployment.

Decide Azure deployment region(s) and check quota

Decide in which Azure region you want to deploy the Teams Connector. Large enterprises may want to install a Teams Connector in multiple regions.

  • The Azure region must support Automation and Fs series instance types.

    See Azure automation for more information about Automation and Azure product availability by region.

  • Ensure that you have sufficient resource quota and capacity for your region and instance types.

    By default, Azure Resource Manager virtual machine cores have a regional total limit and a regional per-series limit, which are enforced per subscription. Typically, for each subscription, the default quota allows up to 10-20 CPU cores per region and 10-20 cores per series.

    The allocated quota may be increased by opening a support ticket with Microsoft via the Azure Portal. Based on your capacity requirement, you should request a quota increase for your subscription. Ensure that you request a sufficient number of CPU cores. Each Teams Connector instance will use 4 vCPU of type Fs-series. Thus, for example, if 6 Teams Connector instances are required, then the quota must be increased to 4 cores x 6 Fs-series instances = 24 CPU cores of type Fs-series. However, we strongly recommend that you request a quota covering more than the minimum, such as 40 cores, to allow for an increase in the future. It may take a number of days for the quota increase request to be processed. For more information see https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits.

Install Teams Connector and Conferencing Node certificates

In summary, the certificate usage principles are:

  • The Teams Connector and Pexip Infinity validate the connection in both directions by TLS client certificate validation. This means that every certificate's Enhanced Key Usage properties must be set for both server and client authentication.

  • Public-facing Conferencing Nodes must have a valid publicly-signed PEM-formatted certificate (typically with a .CRT or .PEM extension).
  • The Teams Connector must have a publicly-signed PFX-formatted certificate. Multiple names/certificates are required if deploying Teams Connectors in several regions.

Obtain and prepare the TLS certificate for the Teams Connector

You must install on the Teams Connector a TLS certificate that has been signed by an external trusted CA (certificate authority).

The certificate must be in Personal Information Exchange Format (PFX), also known as PKCS #12, which enables the transfer of certificates and their private keys from one system to another.

  1. Decide on the FQDN (DNS name) you will use for the Teams Connector load balancer in Azure that will front the Teams Connector deployment e.g. pexip-TeamsConn-eu.teams.example.com.

    • This is what you will use as the value of $PxTeamsConnFqdn in the variables initialization script.
    • The certificate's subject name must match the DNS name you will configure in Pexip Infinity (Call control > Microsoft Teams Connectors > Address of Teams Connector) later in the process.
    • It can use a different domain to your Teams and Pexip Infinity deployments.
    • If you intend to deploy other Teams Connectors in other Azure regions, you will need a different DNS name for each Teams Connector and a certificate that matches that identity.
    • It can be a wildcard certificate, where the wildcard character ('*') is the only character of the left-most label of a DNS domain name. Note that Pexip supports RFC 6125 — this means that if you are using subdomains then, for example, a wildcard certificate of *.example.com would match foo.example.com but not bar.foo.example.com or example.com.
  2. Request a certificate for that name and generate the certificate in PFX format. Any intermediate certificates must also be in the PFX file.

You can use the Pexip Infinity Management Node to convert PEM certificates to PFX format (or vice versa), by uploading a PEM-formatted certificate and then downloading it again in PFX format. When downloading you can also include the necessary intermediate certificates in the PFX bundle.

You will use this certificate when installing the Teams Connector as described below.

Ensure Conferencing Nodes have suitable certificates

The Conferencing Nodes (typically Proxying Edge Nodes) that will communicate with the Teams Connector must have TLS certificates installed that have been signed by an external trusted CA (certificate authority). If a chain of intermediate CA certificates is installed on the Management Node (to provide the chain of trust for the Conferencing Node's certificate) those intermediate certificates must not include any HTTP-to-HTTPS redirects in their AIA (Authority Information Access) section.

We recommend that you assign a "pool name" to all of the Conferencing Nodes that will communicate with the Teams Connector. The pool name should be used as a common Subject name on the certificate that is uploaded to each of those Conferencing Nodes. The certificate should also contain the individual FQDNs of each of the nodes in the pool as a Subject Alternative Name on the certificate. This pool name can then be specified on the Teams Connector (the $PxNodeFqdns variable in the initialization script below) as the name of the Conferencing Nodes that it will communicate with.

This approach makes it easier to add extra Conferencing Nodes into the pool as they will all present the same certificate/Subject name to the Teams Connector. If you add a new Conferencing Node with a name that is not configured on the Teams Connector you will have to redeploy the Teams Connector and specify the new names.

See Certificate and DNS examples for a Microsoft Teams integration for more information and examples about certificates, DNS records and using a "pool name" for Conferencing Nodes.
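The following PowerShell is an added pre-flight check, not part of the Pexip Teams Connector scripts, that verifies a certificate file against the requirements in this section and the previous one before you start the installation. For the Teams Connector PFX it confirms that a private key and chain certificates are present, that the Enhanced Key Usage covers both server and client authentication, and that the subject or a Subject Alternative Name entry matches $PxTeamsConnFqdn under the RFC 6125 wildcard rule described above; for a Conferencing Node certificate it checks that the pool name and the individual node FQDNs all appear. The function names (Test-PxCertificate, Test-PxDnsNameMatch, Get-PxCertDnsNames) and the sample .crt path are assumptions of this example; it assumes Windows PowerShell (the "DNS Name=" text it parses is the .NET Framework rendering of the SAN extension) and it does not inspect the AIA URLs of the chain.

```powershell
# Added pre-flight certificate check for a Teams Connector deployment (example code, not Pexip's).
# Run after dot-sourcing the variables initialization script so that $PxPfxCertFileName and
# $PxTeamsConnFqdn are set. Assumes Windows PowerShell / .NET Framework.

function Test-PxDnsNameMatch {
    # RFC 6125 matching: '*' may only be the whole left-most label and matches exactly one label,
    # so *.example.com matches foo.example.com but not bar.foo.example.com or example.com.
    param([string]$Pattern, [string]$Name)
    if ($Pattern -eq $Name) { return $true }            # -eq is case-insensitive in PowerShell
    if (-not $Pattern.StartsWith('*.')) { return $false }
    $suffix = $Pattern.Substring(1)                     # ".example.com"
    if (-not $Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    $leftLabel = $Name.Substring(0, $Name.Length - $suffix.Length)
    return ($leftLabel.Length -gt 0 -and -not $leftLabel.Contains('.'))
}

function Get-PxCertDnsNames {
    # Collects the subject CN plus every DNS entry of the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # .NET Framework renders SAN entries as "DNS Name=host, DNS Name=host2"; pull out the host parts.
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) { $names += $m.Groups[1].Value }
    }
    return @($names | Sort-Object -Unique)
}

function Test-PxCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,                 # .pfx (with password) or a PEM/DER .crt
        [string]$Password = '',
        [Parameter(Mandatory)][string[]]$ExpectedDnsNames,   # e.g. $PxTeamsConnFqdn, or pool name + node FQDNs
        [switch]$RequirePrivateKey                           # set this for the Teams Connector PFX
    )
    $problems = @()
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath   # .NET resolves relative paths against its own CWD
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($fullPath, $Password, 'Exportable')

    # The end-entity certificate is the one carrying the private key (PFX); otherwise take the first entry.
    $leaf = $collection | Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $leaf) { $leaf = $collection[0] }
    $chain = @($collection | Where-Object { $_.Thumbprint -ne $leaf.Thumbprint })

    if ($RequirePrivateKey -and -not $leaf.HasPrivateKey) { $problems += 'No private key found in the PFX' }
    if ($RequirePrivateKey -and $chain.Count -eq 0) { $problems += 'PFX contains no intermediate CA certificates' }
    if ($leaf.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($leaf.NotAfter)" }

    # Both server (1.3.6.1.5.5.7.3.1) and client (1.3.6.1.5.5.7.3.2) authentication are required.
    $eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($required in @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')) {
        if ($ekuOids -notcontains $required) { $problems += "Enhanced Key Usage is missing $required" }
    }

    # Every expected name must be covered by the CN or a SAN entry (wildcards per RFC 6125).
    $certNames = Get-PxCertDnsNames -Cert $leaf
    foreach ($expected in $ExpectedDnsNames) {
        $matched = $certNames | Where-Object { Test-PxDnsNameMatch -Pattern $_ -Name $expected }
        if (-not $matched) { $problems += "No subject/SAN entry matches $expected (certificate names: $($certNames -join ', '))" }
    }
    [pscustomobject]@{ Path = $fullPath; Subject = $leaf.Subject; Names = $certNames; Problems = $problems; Ok = ($problems.Count -eq 0) }
}

# Usage:
#   Test-PxCertificate -Path $PxPfxCertFileName -Password 'your-pfx-password' -ExpectedDnsNames $PxTeamsConnFqdn -RequirePrivateKey
# For a Conferencing Node certificate using the pool-name approach (sample path and names):
#   Test-PxCertificate -Path .\pxedge.crt -ExpectedDnsNames 'pxedge.vc.example.com','us-pxedge01.vc.example.com'
```

A non-empty Problems list means the certificate would be rejected by one of the checks this documentation describes; fixing it before deployment avoids a redeploy of the Teams Connector later.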

Review firewall ports for the Teams Connector

When deploying the Pexip Teams Connector, the following ports have to be allowed through any firewalls which carry traffic between the Teams Connector components and Microsoft Teams (O365), and between the Teams Connector components and your public-facing Conferencing Nodes (typically Proxying Edge Nodes), and from any management networks.

Source address | Source port | Destination address | Destination port | Protocol | Notes

Conferencing Nodes
Conferencing Nodes | 33000-39999 * | Teams Connector load balancer, Teams Connector instance | 443 | TCP | Signaling
Conferencing Nodes | 40000-49999 * | Teams Connector instance | 50000-54999 | UDP | Call media

Teams Connector components
Teams Connector instance | ephemeral | Microsoft Teams (O365) | <any> | TCP | Signaling
Teams Connector instance | ephemeral | Conferencing Nodes | 443 | TCP | Signaling
Teams Connector instance | 50000-54999 | Conferencing Nodes | 40000-49999 * | UDP | Call media
Teams Connector instance | 55000-59999 | Microsoft Teams (O365) | <any> | UDP | Call media

Microsoft Teams (O365)
Microsoft Teams (O365) | <any> | Teams Connector load balancer | 10000-10399, 10500-10899, 11000-11399 | TCP | Signaling
Microsoft Teams (O365) | <any> | Teams Connector instance | 55000-59999 | UDP | Call media

Management
Management workstation | <any> | Teams Connector load balancer | 50000-50399 | TCP | Only enabled for any workstation addresses specified during Teams Connector installation
Management workstation | <any> | Teams Connector instance | 3389 | TCP | Only enabled for any workstation addresses specified during Teams Connector installation

Client application viewing the meeting invitation
<any> | <any> | Conferencing Nodes † | 443 | TCP | Access to Alternative Dial Instructions

* Configurable via the Media port range start/end, and Signaling port range start/end options (see About global settings).

† The Conferencing Nodes referenced in the InstructionUri for the "Alternate VTC dialing instructions".

Teams Connector Network Security Group (NSG)

A Network Security Group that supports these firewall requirements is created automatically in Azure as a part of the Teams Connector installation process, and is assigned to each Teams Connector instance. Note that the NSG includes:

  • Rules used for internal traffic within the Teams Connector that is forwarded from the load balancer to the instances (to ports 10100, 10101 and 20100) — these ports do not need to be opened between the Conferencing Nodes / Microsoft Teams and the Teams Connector.
  • An "RDP" rule (priority 1000): if the $PxMgmtSrcAddrPrefixes installation variable contains addresses, this rule allows RDP access to the Teams Connector instances from those addresses. If no addresses are specified then a Deny rule is created (so that you can add addresses and allow it later if required).

You may need to modify some of the NSG rules in the future if you subsequently add more Conferencing Nodes to your Pexip Infinity platform, or change the addresses of any management workstations.
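As an added example (not one of the Pexip scripts), the AzureRM-based helpers below report which inbound rules of that NSG allow traffic from any source to the RDP or HTTPS ports, and append a new Conferencing Node or management prefix to a rule's source list, which is the adjustment this paragraph describes. The NSG name is not given on this page and is passed as a parameter; the function names are assumptions of this example; the rule names "RDP" and "MCU-signalling-endpoint" are the ones this documentation uses. It requires the AzureRM module and an existing Connect-AzureRmAccount session, and reads $PxTeamsConnResourceGroupName from the variables initialization script.

```powershell
# Added NSG review/update helpers for the Teams Connector (example code, not Pexip's).
# Requires AzureRM and Connect-AzureRmAccount; run after the variables initialization script.

function Get-PxTeamsConnNsg {
    param(
        [Parameter(Mandatory)][string]$NsgName,                    # NSG name is not stated on this page
        [string]$ResourceGroupName = $PxTeamsConnResourceGroupName # from the initialization script
    )
    Get-AzureRmNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName
}

function Get-PxNsgExposureReport {
    # Lists inbound rules by priority and flags Allow rules that admit any source to the
    # management (3389) or signaling (443) ports, which the documentation expects to be
    # limited to $PxMgmtSrcAddrPrefixes and $PxNodesSourceAddressPrefixes respectively.
    param([Parameter(Mandatory)]$Nsg)
    foreach ($rule in ($Nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' } | Sort-Object Priority)) {
        $sources = @($rule.SourceAddressPrefix)
        $ports   = @($rule.DestinationPortRange)
        $openToWorld = ($sources -contains '*') -or ($sources -contains 'Internet')
        $sensitive   = ($ports -contains '3389') -or ($ports -contains '443') -or ($ports -contains '*')
        $flag = ''
        if ($rule.Access -eq 'Allow' -and $openToWorld -and $sensitive) { $flag = 'OPEN TO ANY SOURCE' }
        [pscustomobject]@{
            Name     = $rule.Name
            Priority = $rule.Priority
            Access   = $rule.Access
            Sources  = ($sources -join ',')
            Ports    = ($ports -join ',')
            Flag     = $flag
        }
    }
}

function Add-PxNsgSourcePrefix {
    # Appends address prefixes (e.g. a newly added Conferencing Node's public IP) to a rule's
    # source list, keeps its other properties, sets it to Allow, and writes the NSG back to Azure.
    param(
        [Parameter(Mandatory)]$Nsg,
        [Parameter(Mandatory)][string]$RuleName,      # 'MCU-signalling-endpoint' or 'RDP'
        [Parameter(Mandatory)][string[]]$Prefixes     # "x.x.x.x" or "x.x.x.0/24"
    )
    $rule = Get-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $Nsg -Name $RuleName
    if (-not $rule) { throw "Rule '$RuleName' not found in NSG $($Nsg.Name)" }
    # A catch-all source ('*' or 'Internet') is dropped so the result is a real allow-list.
    $kept = @($rule.SourceAddressPrefix | Where-Object { $_ -ne '*' -and $_ -ne 'Internet' })
    $newSources = @(($kept + $Prefixes) | Sort-Object -Unique)
    Set-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $Nsg -Name $RuleName `
        -Access Allow -Protocol $rule.Protocol -Direction $rule.Direction -Priority $rule.Priority `
        -SourceAddressPrefix $newSources -SourcePortRange $rule.SourcePortRange `
        -DestinationAddressPrefix $rule.DestinationAddressPrefix -DestinationPortRange $rule.DestinationPortRange | Out-Null
    Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $Nsg
}

# Usage:
#   $nsg = Get-PxTeamsConnNsg -NsgName '<your-teams-connector-nsg-name>'
#   Get-PxNsgExposureReport -Nsg $nsg | Format-Table -AutoSize
#   Add-PxNsgSourcePrefix -Nsg $nsg -RuleName 'MCU-signalling-endpoint' -Prefixes 'b.b.b.b'   # new node public IP
```

Run the report after installation and again whenever Conferencing Nodes or management workstations change; a row flagged OPEN TO ANY SOURCE on the RDP or MCU-signalling-endpoint rule means the corresponding installation variable was left empty and the rule should be narrowed with the second helper or by redeploying with the prefixes set.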

Download the Teams Connector application software files

First, you must download the Pexip Teams Connector application to the administrator PC.

  1. Download the Teams Connector ZIP file (Pexip_Infinity_Connector_For_Microsoft_Teams_v21.2_<build>.zip) from the Pexip support site.

    Ensure that the Teams Connector version you download is the same version as your Pexip Infinity deployment.

  2. Extract the files to a folder on your administrator PC.
  3. Verify that the ZIP file is extracted and that you see the following files:

  4. Add your PFX certificate (that also contains all of your intermediates) for the Teams Connector to this folder.

Installing the Teams Connector application into Azure

Installation of the Teams Connector application is performed through PowerShell ISE commands and scripts. These steps summarize the installation process, when installing the Teams Connector for the first time (per Azure subscription):

  1. Update the variables in the initialization script with the real values for your environment, and then run the initialization script.
  2. Run the installation script.
  3. Save the App IDs and passwords output from the installation script into the redeploy script.
  4. Update DNS with the Teams Connector's name and IP address.
  5. Authorize the Pexip CVI applications to join Teams meetings.
  6. Authorize the Trusted app to bypass the Teams lobby and configure dialing instructions.

If you subsequently need to redeploy or upgrade your Teams Connector, or deploy another Teams Connector in a different Azure region, you need to follow a different process as described in Maintaining your Teams Connector deployment.

The following diagram shows a summary of which scripts are used when initially installing and then subsequently maintaining your Teams Connector deployment. The variables initialization script is always the first script used in all scenarios.

General information about using PowerShell with Azure AD and Office 365 can be found at https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-office-365-powershell.

Specify installation variables used in the PowerShell commands

You need to specify a range of PowerShell variables that are used during the installation process.

We recommend that you save these variables as a separate initialization script that you can reuse (and modify the values of any variables if required). This will make it easier if you have to abort and restart the installation for any reason, or if you have to redeploy or upgrade your Teams Connector in the future.

You must replace the example values set in the variables with the real values for your deployment.

If you are deploying a Teams Connector in multiple regions, create a separate initialization script for each region, changing the relevant region-specific variables as appropriate. Save each region-specific version of your script in a safe place.

The PowerShell variables initialization script is listed below.

Note that this script does not produce any output. It only sets some variables for subsequent use in the installation script.

# Powershell variables
# Set the following variables for ease of use of the next commands - if starting a new window, just re-set these variables.

# Name prefix for all Teams Connector resources, e.g. company name.
# PxBaseConnName can have a maximum of 9 characters
# PxBaseConnName + PxVmssRegion must be minimum 3 and maximum 14 chars when combined 
# It cannot contain dashes, spaces or other non a-z0-9 chars.
$PxBaseConnName = "yourname" # replace with your company name
 
# Freetext region shortname (no dashes, only use a-z) to separate regional deployments
$PxVmssRegion = "eu"

# Hostname of Teams Connector in Azure - Must match name in pfx certificate below
# You need a different hostname for each region
$PxTeamsConnFqdn = "pexip-TeamsConn-eu.teams.example.com"
 
# Conference or Edge node pool (must be reachable from Teams Connector in Azure)
# This name must exist in the certificate presented by the Pexip nodes
# Example 1) Multiple individual Edge nodes (comma-separated)
# $PxNodeFqdns = "us-pxedge01.vc.example.com,us-pxedge02.vc.example.com"
# Example 2) Certificate with SAN names, this name is in the cert presented by all nodes
$PxNodeFqdns = "pxedge.vc.example.com"

# Azure Subscription ID for Pexip Teams Connector deployment
$PxSubscriptionId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
 
# Azure Region (must be a supported region)
$PxAzureLocation = "westeurope"
 
# Username for the Windows VM accounts
$PxWinAdminUser = "pexadmin"
 
# Password for the Windows VM accounts (can be set with Get-Credential if desired)
$PxWinAdminPassword = "ReplaceThisPassword!" # Password for Windows account
 
# Number of Teams Connector VMs
$PxTeamsConnInstanceCount = "3"

# Setting the regional resource group name
$PxTeamsConnResourceGroupName = "$($PxBaseConnName)-TeamsConn-$($PxVmssRegion)-RG"

# Setting the STATIC regional resource group name
$PxTeamsConnStaticResourceGroupName = "$($PxBaseConnName)-TeamsConn-$($PxVmssRegion)-static-RG"
 
# Enable incident reporting 
$PxTeamsConnIncidentReporting = $true

# Enable VMSS disk encryption
# This requires Disk Encryption to be registered on the subscription first
# https://blogs.msdn.microsoft.com/azuresecurity/2017/09/28/announcing-azure-disk-encryption-preview-for-virtual-machine-scale-sets/
# Verify if this is enabled by running:
# Get-AzureRmProviderFeature -ProviderNamespace "Microsoft.Compute" -FeatureName "UnifiedDiskEncryption"
$PxTeamsConnDiskEncryption = $false
 
# Wildcard, SAN or single name cert for FQDN of Teams Connector ($PxTeamsConnFqdn),
# the PFX must contain the intermediate chain as well.
$PxPfxCertFileName = ".\your_connector_certificate.pfx"
 
# Management networks – used for RDP access and admin consent
# If not specified (default) – RDP is always blocked
# Any security scans should not come from these IPs
# Example:
# x.x.x.x     Management IP address #1
# y.y.y.y     Management IP address #2
# z.z.z.0/24  Management subnet
# $PxMgmtSrcAddrPrefixes = @( "x.x.x.x", "y.y.y.y", "z.z.z.0/24" ) 
$PxMgmtSrcAddrPrefixes = @() 

# Pexip public facing Conferencing / Edge node IP addresses
# If not specified (default) – HTTPS access is always enabled
#
# Example Pexip Edge nodes public IP source ports:
# a.a.a.a    - IP of us-pxedge01.vc.example.com
# c.c.c.0/28 – IP subnet of eu-pxedges (allows for future expansion)
#
# Example (specifying Pexip Edge nodes and Management networks defined above):
# $PxNodesSourceAddressPrefixes = @( "a.a.a.a", "c.c.c.0/28" ) + $PxMgmtSrcAddrPrefixes
$PxNodesSourceAddressPrefixes = @()

# These are the IPs/subnets that are allowed to access the Admin Consent web page.
# If not specified it is exposed/public by default. If left exposed then anyone accessing this web page can
# see the company's app IDs. You can alternatively turn the application off after granting consent.
# The page URL is in the form: https://$PxBaseConnName-pexip-cvi-abcde.azurewebsites.net/
#
# Example (specifying the Pexip management networks defined above):
# $PxConsentSourceAddressPrefixes = $PxMgmtSrcAddrPrefixes
$PxConsentSourceAddressPrefixes = @()

# Schedule installation of Windows updates to a specific day
# range = 0|1|2|3|4|5|6|7 0 = Every day. 1 through 7 = The days of the week from Sunday (1) to Saturday (7)
$PxWupdScheduledInstallDay = "1"

# Schedule update installation time to a specific hour (UTC)
# range = 0-23 starts with 12 AM (0) and ends with 11 PM (23)
$PxWupdScheduledInstallTime = "22"

# Set active hours to start at a specific hour (UTC)
# If the restart is needed to finish update installation, it won't take place during the active hours.
# range = 0-23 starts with 12 AM (0) and ends with 11 PM (23)
$PxWupdActiveHoursStart = "6"

# Set active hours to end at a specific hour (UTC)
# Time between Active hours start and Active hours end is limited to 18 hours. Script stops if this is not the case.
# range = 0-23 starts with 12 AM (0) and ends with 11 PM (23)
$PxWupdActiveHoursEnd = "22"

# Do you want to allow Microsoft to track and report to Pexip the Azure usage associated with this deployment? 
# You must set $PxCustomerUsageAttribution to either $true (allow reporting) or $false (do not allow reporting)
$PxCustomerUsageAttribution = <replace with $true or $false>


The initialization script contains the following variables. If you are deploying a Teams Connector in multiple regions, each version of your script per region should use a different value for the variables marked as Regional below.

$PxBaseConnName

This is a prefix used when naming all Teams Connector resources. We recommend using your own company name.

PxBaseConnName can have a maximum of 9 characters, and PxBaseConnName + PxVmssRegion must be a minimum of 3 and a maximum of 14 characters when combined. It cannot contain dashes, spaces or other non a-z0-9 characters, and must start with an alphabetic character.

Note that if you are setting up multiple test environments within the same Azure subscription, ensure that each Teams Connector deployment has a unique $PxBaseConnName.

$PxVmssRegion (Regional)

A short name (we recommend 2-4 characters) to represent the region in which you are deploying the Teams Connector, for example, "eu". This will help in your naming convention if you deploy the Teams Connector in multiple regions.

It cannot contain dashes, spaces or other non a-z0-9 characters.

$PxTeamsConnFqdn (Regional)

The hostname of the Teams Connector, for example "pexip-TeamsConn-eu.teams.example.com".

This name must match the subject name in the PFX certificate specified in $PxPfxCertFileName. If you are installing multiple Teams Connectors in different regions you must use a different hostname for each region.

This is also the name you will configure in Pexip Infinity (Call control > Microsoft Teams Connectors > Address of Teams Connector) later in the process.

$PxNodeFqdns (Regional, typically)

The pool name or names of the Conferencing Nodes (typically Proxying Edge Nodes) that will communicate with the Teams Connector. This can be a comma-separated list.

The name(s) specified here must exist in the certificate presented by those Conferencing Nodes. See Ensure Conferencing Nodes have suitable certificates for more information.

$PxSubscriptionId

The Azure Subscription ID for your Teams Connector installation and bot channel registrations. This takes the format "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee".

$PxAzureLocation (Regional)

The name of the Azure region into which you are deploying the Teams Connector, for example "westeurope", "southcentralus" etc. as per the RegionName in Decide Azure deployment region(s) and check quota.

$PxWinAdminUser

The account username for the Windows VMs that will be created in Azure. You may need this for RDP login when troubleshooting.

See https://docs.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-username-requirements-when-creating-a-vm for username requirements.

$PxWinAdminPassword

The account password for the Windows Teams Connector VMs that will be created in Azure. Alternatively you can use the Get-Credential cmdlet to set the password.

The password must:

  • include at least 3 of the following:
    • 1 lower case character
    • 1 upper case character
    • 1 number
    • 1 special character that is not "\" or "-"
  • be between 12 and 72 characters long
  • not include reserved words or unsupported characters.

$PxTeamsConnInstanceCount

The number of Teams Connector instances (VMs) to deploy, for example "3".

You can easily modify the number of Teams Connector instances via the Azure portal after installation of the Teams Connector, to reflect changing capacity requirements.

$PxTeamsConnResourceGroupName (Regional)

The regional resource group name. We recommend setting this variable to a concatenated combination of the first two variables plus some additional text, for example:

$PxTeamsConnResourceGroupName = "$($PxBaseConnName)-TeamsConn-$($PxVmssRegion)-RG"

which, using our examples above, would generate a resource group name of pexip-TeamsConn-eu-RG.

$PxTeamsConnStaticResourceGroupName (Regional)

The static regional resource group name. This is used in the scripts for retrieving name and address information for the load balancer. This should follow the same pattern as the previous variable ($PxTeamsConnResourceGroupName), and be set to a concatenated combination of the first two variables plus some additional text, for example:

$PxTeamsConnStaticResourceGroupName = "$($PxBaseConnName)-TeamsConn-$($PxVmssRegion)-static-RG"

which, using our examples above, would generate a static resource group name of pexip-TeamsConn-eu-static-RG.

$PxTeamsConnIncidentReporting

When this feature is enabled, incident reports are sent automatically to a secure web server owned and managed by Pexip. The options are $true to enable incident reporting or $false to disable reporting. We recommend keeping this enabled.

$PxTeamsConnDiskEncryption

Controls whether VMSS (virtual machine scale sets) disk encryption is enabled.

If you want to enable this you must first register Disk Encryption on the Azure subscription. See https://blogs.msdn.microsoft.com/azuresecurity/2017/09/28/announcing-azure-disk-encryption-preview-for-virtual-machine-scale-sets/ for information about how to do this.

You can verify if it is registered by running:

Get-AzureRmProviderFeature -ProviderNamespace "Microsoft.Compute" -FeatureName "UnifiedDiskEncryption"

The options are $true to enable encryption or $false to disable encryption.

When enabled, the keys are stored in an Azure Key Vault.

$PxPfxCertFileName (Regional)

The filename of the PFX certificate file to upload to the Teams Connector. See Install Teams Connector and Conferencing Node certificates for more information.

$PxMgmtSrcAddrPrefixes

Specifies the IP addresses of any management workstations / networks that may be required to administer the Teams Connector instances over RDP.

Any addresses specified here are added into the Azure Network Security Group "RDP" rule that is assigned to the Teams Connector instances to allow RDP access to those instances from those addresses. Note that you should not perform any security scans from these addresses.

For example, to allow RDP access from:

x.x.x.x     Management IP address #1
y.y.y.y     Management IP address #2
z.z.z.0/24  Management subnet

you would specify $PxMgmtSrcAddrPrefixes = @( "x.x.x.x", "y.y.y.y", "z.z.z.0/24" )

If no addresses are specified, i.e. $PxMgmtSrcAddrPrefixes = @( ), then all RDP access is blocked.

$PxNodesSourceAddressPrefixes (Regional, typically)

Specifies the IP addresses of the Conferencing Nodes (typically Proxying Edge Nodes) that can communicate with the Teams Connector instances over port 443 (https).

This is used to populate the Azure Network Security Group "MCU-signalling-endpoint" rule.

For example, if these are the public addresses of your Pexip Conferencing Nodes:

a.a.a.a    - IP of us-pxedge01.vc.example.com
c.c.c.0/28 – IP subnet of eu-pxedges (allows for future expansion)

you would specify:

$PxNodesSourceAddressPrefixes = @( "a.a.a.a", "c.c.c.0/28" ) + $PxMgmtSrcAddrPrefixes

which sets the variable to the addresses of your Conferencing Nodes plus the IP addresses of any management workstations / networks (as specified in the previous variable).

If no addresses are specified, i.e. $PxNodesSourceAddressPrefixes = @( ), then anything can connect via https to the Teams Connector instances.

$PxConsentSourceAddressPrefixes

Specifies the external IP address (as seen from the Teams Connector's perspective) of the workstation / management network that will be used to provide consent for the Teams Connector apps to access Microsoft Teams in the Office 365 tenant.

If not specified the consent page is exposed/public by default. If left exposed then anyone accessing this page can see the company's app IDs. As an alternative to restricting access, you can turn the application off after granting consent. The URL of the consent page is in the form: https://$PxBaseConnName-pexip-cvi-abcde.azurewebsites.net/.

For example, to use the Pexip management networks defined above you would specify:

$PxConsentSourceAddressPrefixes = $PxMgmtSrcAddrPrefixes

Alternatively, you can specify specific addresses in the same way as shown above when defining the values for $PxNodesSourceAddressPrefixes.

If no addresses are specified, i.e. $PxConsentSourceAddressPrefixes = @( ), then anything can connect via https to the consent page.

$PxWupdScheduledInstallDay

Schedules the installation of Windows updates (everything that applies to Windows Server 2016) to a specific day.

Range = 0-7 where 0 = every day and 1 through 7 are the days of the week from Sunday (1) to Saturday (7).

Default = "1" (Sunday)

Example: $PxWupdScheduledInstallDay = "1"

$PxWupdScheduledInstallTime

Schedules the Windows update installation time to a specific hour (UTC).

Range = 0-23 starting with 12 AM (0) and ending with 11 PM (23).

Default = "22" (10 PM)

Example: $PxWupdScheduledInstallTime = "22"

$PxWupdActiveHoursStart

Sets the active (business) hours to start at a specific hour (UTC). If a restart is needed to finish a Windows update, it won't take place during the active hours.

Range = 0-23 starting with 12 AM (0) and ending with 11 PM (23).

Default = "6" (6 AM)

Example: $PxWupdActiveHoursStart = "6"

$PxWupdActiveHoursEnd

Sets active (business) hours to end at a specific hour (UTC). The time between Active hours start and Active hours end is limited to a maximum of 18 hours. The script stops if this is not the case.

Range = 0-23 starting with 12 AM (0) and ending with 11 PM (23).

Default = "22" (10 PM)

Example: $PxWupdActiveHoursEnd = "22"

$PxCustomerUsageAttribution

Controls whether Microsoft tracks and reports to Pexip the Azure usage that is associated with your deployment of Pexip software. When enabled, Microsoft is able to identify the installation of Pexip software and correlate the Azure resources that are used to support that software. Microsoft collects this information to provide the best experiences with their products and to operate their business. The data is collected and governed by Microsoft's privacy policies, which can be found at https://www.microsoft.com/trustcenter.

The data made visible to Pexip is controlled by Microsoft, and as of April 2019 includes usage and spend on all of the Azure resources associated with your Teams Connector.

You can also track your usage of resources within the Azure portal.

To enable usage tracking and reporting to Pexip, use:

$PxCustomerUsageAttribution = $true

To disable usage tracking and reporting to Pexip, use:

$PxCustomerUsageAttribution = $false

You must set the $PxCustomerUsageAttribution variable to either $true or $false otherwise the installation will not complete.
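The following validator is an added example, not part of the Pexip installation scripts: dot-source your initialization script and then run Test-PxInitVariables, and it returns one line for each rule from the variable descriptions above that the current values break (name lengths and character sets, the combined 3-14 character limit, password length and character classes, the 0-7 and 0-23 ranges for the Windows Update schedule, the 18-hour active-hours limit, valid IP/CIDR prefixes, and the $true/$false requirement for $PxCustomerUsageAttribution). The function names and message wording are assumptions of this example; the reserved-word check for the Windows password and the Azure subscription lookup are not implemented here.

```powershell
# Added pre-flight validator for the Teams Connector initialization variables (example code, not Pexip's).
# Dot-source the initialization script first so the $Px... variables exist in this session.

function Test-PxIpPrefix {
    # Accepts "x.x.x.x" or "x.x.x.0/24" as used by the address prefix variables.
    param([string]$Prefix)
    $parts = $Prefix -split '/'
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip)) { return $false }
    if ($parts.Count -eq 1) { return $true }
    return ($parts.Count -eq 2 -and $parts[1] -match '^\d{1,2}$' -and [int]$parts[1] -le 32)
}

function Test-PxHour {
    # Hours are given as strings in the initialization script ("0".."23").
    param([string]$Value)
    return ($Value -match '^\d{1,2}$' -and [int]$Value -le 23)
}

function Test-PxInitVariables {
    $errors = @()

    # Naming rules: a-z0-9 only, letter first, 9 chars max, 3-14 chars combined with the region shortname.
    if ($PxBaseConnName -notmatch '^[a-z][a-z0-9]{0,8}$') {
        $errors += 'PxBaseConnName must be 1-9 chars of a-z0-9 and start with a letter (no dashes or spaces)'
    }
    if ($PxVmssRegion -notmatch '^[a-z]+$') { $errors += 'PxVmssRegion must contain only a-z' }
    $combined = "$PxBaseConnName$PxVmssRegion"
    if ($combined.Length -lt 3 -or $combined.Length -gt 14) {
        $errors += "PxBaseConnName + PxVmssRegion is $($combined.Length) chars; must be 3-14"
    }

    # Hostname, certificate file and subscription ID.
    if ($PxTeamsConnFqdn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') { $errors += 'PxTeamsConnFqdn is not a valid FQDN' }
    if (-not (Test-Path -LiteralPath $PxPfxCertFileName)) { $errors += "PFX file not found: $PxPfxCertFileName" }
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($PxSubscriptionId, [ref]$guid)) { $errors += 'PxSubscriptionId is not a GUID' }

    # Windows VM password: 12-72 chars and at least 3 of lower/upper/digit/special, where "\" and "-" do not count.
    $pw = [string]$PxWinAdminPassword
    $classes = 0
    if ($pw -cmatch '[a-z]') { $classes++ }
    if ($pw -cmatch '[A-Z]') { $classes++ }
    if ($pw -match '\d') { $classes++ }
    if ($pw -match '[^A-Za-z0-9\\\-]') { $classes++ }
    if ($pw.Length -lt 12 -or $pw.Length -gt 72) { $errors += 'PxWinAdminPassword must be 12-72 characters' }
    if ($classes -lt 3) { $errors += 'PxWinAdminPassword needs at least 3 of: lower, upper, digit, special (not \ or -)' }
    if ($pw -eq 'ReplaceThisPassword!') { $errors += 'PxWinAdminPassword still has the example value' }

    if ($PxTeamsConnInstanceCount -notmatch '^[1-9]\d*$') { $errors += 'PxTeamsConnInstanceCount must be a positive integer' }

    # Address prefixes must parse; empty lists are allowed but leave the port open, so warn about them.
    foreach ($name in 'PxMgmtSrcAddrPrefixes', 'PxNodesSourceAddressPrefixes', 'PxConsentSourceAddressPrefixes') {
        foreach ($p in @(Get-Variable -Name $name -ValueOnly)) {
            if (-not (Test-PxIpPrefix $p)) { $errors += "$name contains an invalid prefix '$p'" }
        }
    }
    if (@($PxNodesSourceAddressPrefixes).Count -eq 0) { Write-Warning 'PxNodesSourceAddressPrefixes is empty: any source may reach port 443 on the instances' }
    if (@($PxConsentSourceAddressPrefixes).Count -eq 0) { Write-Warning 'PxConsentSourceAddressPrefixes is empty: the consent page will be public' }

    # Windows Update schedule: day 0-7, hours 0-23, active-hours window of at most 18 hours (wraps past midnight).
    if ($PxWupdScheduledInstallDay -notmatch '^[0-7]$') { $errors += 'PxWupdScheduledInstallDay must be 0-7' }
    foreach ($name in 'PxWupdScheduledInstallTime', 'PxWupdActiveHoursStart', 'PxWupdActiveHoursEnd') {
        if (-not (Test-PxHour (Get-Variable -Name $name -ValueOnly))) { $errors += "$name must be 0-23" }
    }
    if ((Test-PxHour $PxWupdActiveHoursStart) -and (Test-PxHour $PxWupdActiveHoursEnd)) {
        $window = ([int]$PxWupdActiveHoursEnd - [int]$PxWupdActiveHoursStart + 24) % 24
        if ($window -gt 18) { $errors += "Active hours window is $window hours; the maximum is 18" }
    }

    # Flags the installation script expects as real booleans (the template leaves one as a placeholder).
    foreach ($name in 'PxCustomerUsageAttribution', 'PxTeamsConnIncidentReporting', 'PxTeamsConnDiskEncryption') {
        $v = Get-Variable -Name $name -ValueOnly -ErrorAction SilentlyContinue
        if ($v -isnot [bool]) { $errors += "$name must be set to `$true or `$false" }
    }

    if ($errors.Count -eq 0) { Write-Host 'Initialization variables are consistent with the documented rules' }
    return $errors
}

# Usage:
#   . .\TeamsConnector-init-eu.ps1     # your saved initialization script (example filename)
#   Test-PxInitVariables
```

Running this before the installation script catches the mistakes that would otherwise surface only part-way through a deployment that takes up to 30 minutes per scale set; the two warnings do not block anything but make the "open to any source" defaults a deliberate decision rather than an oversight.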

Installation commands to connect to AzureAD, AzureRm and deploy the Teams Connector

Here are the PowerShell commands to connect to AzureAD, AzureRm, set up Trusted and Guest App IDs, and then deploy the Teams Connector. The purpose of each command is explained as a comment within the script.

Remember to run the variable initialization script (above) first, before running this installation script.

  • As there are several commands in this installation process, we recommend running each group of commands step-by-step within PowerShell (you can copy-paste the commands below) to ensure that no elements are missed, and any unexpected issues are identified. Note that if you use PowerShell ISE instead of the normal PowerShell CLI prompt you can run one line at a time (select section and press F8).
  • Do not install both the AzureRM and Azure Az modules as this will cause conflicts. We recommend using AzureRM, and the installation commands shown below use AzureRM.
  • After launching PowerShell you must change directory to the folder into which you extracted the files from the Teams Connector ZIP.
  • If you are connecting to Azure AD/Rm from your Windows PC for the first time, you must first run the following PowerShell commands (as Administrator):

    Install-Module -Name AzureAD

    Install-Module -Name AzureRM -AllowClobber

  • You must have the "Contributor" role in the Azure subscription used for the Teams Connector to define Pexip as your CVI service provider. If the Azure AD tenant is configured with Users can register applications set to No, then appropriate permissions are also required to register the Pexip apps (see https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#required-permissions for more information).
  • The AzureAD login you use must be a user in the tenant, not a Windows Live ID account.
  • The following script is referred to as the installation script. This script only needs to be run once (per Azure subscription).

    If you need to upgrade or redeploy your Teams Connector, or deploy a new Teams Connector in a different Azure region you should use the redeploy script.

  • Note that the create_vmss_deployment.ps1 command in the script that creates the Teams Connector VMs can take up to 30 minutes to complete.

# Connect to PowerShell AzureAD, AzureRm and import Pexip CVI module

# Azure AD commands
# Connect to AzureAD
# If AAD/365 admin is not the same as Azure Resource Manager admin,
# the next section is to be run by the AAD admin.
#
# IMPORTANT: The output of IDs/credentials here must be saved as it will be required later
#
Connect-AzureAD

# Set execution policy for the current PowerShell process
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

# Connect to Azure Resource Manager PowerShell (in same window to reuse variables)
# This step can be omitted if you only are running the AAD commands to create trusted Apps
Import-Module AzureRM -MinimumVersion 6.0.0
Connect-AzureRmAccount

# Import the PexTeamsCviApplication PowerShell module
Import-Module .\PexTeamsCviApplication.psm1

# Create two new CVI Applications, one Trusted, and one Guest
# Create Trusted App
$TrustedApp = New-PexTeamsCviApplication -AppDisplayName "$($PxBaseConnName)TeamsConnTrusted" -ConnectorFqdn $PxTeamsConnFqdn -Confirm:$false
$TrustedAppId = $TrustedApp.AppId

# Create Trusted App Password
$TrustedAppPassword = ($TrustedApp | New-PexTeamsCviApplicationPasswordCredential -KeyIdentifier default).Value

# Create Guest App
$GuestApp = New-PexTeamsCviApplication -AppDisplayName "$($PxBaseConnName)TeamsConnGuest" -ConnectorFqdn $PxTeamsConnFqdn -Confirm:$false
$GuestAppId = $GuestApp.AppId

# Create Guest App Password
$GuestAppPassword = ($GuestApp | New-PexTeamsCviApplicationPasswordCredential -KeyIdentifier default).Value

Write-Host
Write-Host
Write-Host "`n----------------------------------------`n"
Write-Host
Write-Host "### App ID and credentials MUST be saved in the redeploy script ###"
Write-Host
Write-Host "`$TrustedAppId = `"$($TrustedAppId)`""
Write-Host "`$TrustedAppPassword = `"$($TrustedAppPassword)`""
Write-Host "`$GuestAppId = `"$($GuestAppId)`""
Write-Host "`$GuestAppPassword = `"$($GuestAppPassword)`""
Write-Host
Write-Host "`n----------------------------------------`n"
Write-Host
Write-Host

# Azure RM commands
# Change context to the Pexip Subscription and set the Trust/Guest credentials
Set-AzureRmContext -SubscriptionId $PxSubscriptionId
$TrustedAppSecurePassword = ConvertTo-SecureString -AsPlainText $TrustedAppPassword -Force
$TrustedAppCred = New-Object System.Management.Automation.PSCredential -ArgumentList $TrustedAppId,$TrustedAppSecurePassword
$GuestAppSecurePassword = ConvertTo-SecureString -AsPlainText $GuestAppPassword -Force
$GuestAppCred = New-Object System.Management.Automation.PSCredential -ArgumentList $GuestAppId,$GuestAppSecurePassword

# Bot channel registration
# The Bot Channel registration MUST be globally unique, and only needs to be created once (in any of your regions)
# Bot channel Resource group creation (in your main region)
$BotChanResourceGroupName = "$($PxBaseConnName)-TeamsBotChan-RG"
New-AzureRmResourceGroup -Location $PxAzureLocation -ResourceGroupName $BotChanResourceGroupName

# Bot channel registrations for the trusted and the guest AppID
# Create trusted bot
Register-PexTeamsCviApplicationBot -SubscriptionId $PxSubscriptionId -ResourceGroupName $BotChanResourceGroupName -BotName "$($PxBaseConnName)-Trusted-TeamsBot" -AppId $TrustedAppId -Confirm:$false
# Create guest bot
Register-PexTeamsCviApplicationBot -SubscriptionId $PxSubscriptionId -ResourceGroupName $BotChanResourceGroupName -BotName "$($PxBaseConnName)-Guest-TeamsBot" -AppId $GuestAppId -Confirm:$false

# Deploy Pexip Teams Connector admin consent web page
$AdminConsentUrl = Publish-PexTeamsAdminConsentWebSite -SubscriptionId $PxSubscriptionId -ResourceGroupName $BotChanResourceGroupName -PxBaseConnName $PxBaseConnName -TrustedAppId $TrustedAppId -GuestAppId $GuestAppId -SourceAddressPrefixes $PxConsentSourceAddressPrefixes -Confirm:$false

# Virtual Machine Scale Set (VMSS) creation
# Provide credentials to be used as local user/password for Pexip Teams Connector VMs
# Create a password (using the variables above) for the Windows VM
$PxWinAdminSecurePassword = ConvertTo-SecureString -AsPlainText $PxWinAdminPassword -Force
$PxWinAdminCred = New-Object System.Management.Automation.PSCredential -ArgumentList $PxWinAdminUser,$PxWinAdminSecurePassword
# Optionally if you do not prefer to have a password set as a variable, use Get-Credential
# $PxWinAdminCred = Get-Credential

# Create Resource group for Teams Connector Load Balancer (per region)
# This stores the public IP address of the Teams Connector Load Balancer
# so that the address can be re-used on upgrade or redeploy
# this command can be skipped when redeploying - it's only required when deploying in a new region for the first time
New-AzureRmResourceGroup -Location $PxAzureLocation -ResourceGroupName $PxTeamsConnStaticResourceGroupName -Force

# Create Resource group for Teams Connector VMSS (per region)
New-AzureRmResourceGroup -Location $PxAzureLocation -ResourceGroupName $PxTeamsConnResourceGroupName

# Deploy the Teams Connector VMs
# this step can take up to 30 minutes to complete
.\create_vmss_deployment.ps1 -SubscriptionId $PxSubscriptionId -ResourceGroupName $PxTeamsConnResourceGroupName -VmssName "$($PxBaseConnName)$($PxVmssRegion)" -VMAdminCredential $PxWinAdminCred -PfxPath $PxPfxCertFileName -TeamsConnectorFqdn $PxTeamsConnFqdn -PexipFqdns $PxNodeFqdns -instanceCount $PxTeamsConnInstanceCount -TrustedAppCredential $TrustedAppCred -GuestAppCredential $GuestAppCred -StaticResourcesResourceGroupName $PxTeamsConnStaticResourceGroupName -PublicIPAddressResourceName "$($PxBaseConnName)-TeamsConn-$($PxVmssRegion)-PIP" -IncidentReporting $PxTeamsConnIncidentReporting -Encryption $PxTeamsConnDiskEncryption -RdpSourceAddressPrefixes $PxMgmtSrcAddrPrefixes -PexipSourceAddressPrefixes $PxNodesSourceAddressPrefixes -WupdScheduledInstallDay $PxWupdScheduledInstallDay -WupdScheduledInstallTime $PxWupdScheduledInstallTime -WupdActiveHoursStart $PxWupdActiveHoursStart -WupdActiveHoursEnd $PxWupdActiveHoursEnd -CustomerUsageAttribution $PxCustomerUsageAttribution

# supply the PFX certificate file password when prompted
# Please enter the password for the PFX certificate '.\xxxxxxxx.pfx': ***************

# Generating the next steps summary (this assumes you are connected to AzureAD and AzureRM)
#
# Setting subscription
Set-AzureRmContext -SubscriptionId $PxSubscriptionId

# Getting Network Security Group Resource ID
$nsgResId = (Get-AzureRmResource -ResourceGroupName $PxTeamsConnResourceGroupName -ResourceType Microsoft.Network/networkSecurityGroups).ResourceId

# Getting Public IP details
$publicIpAddress = (Get-AzureRmPublicIpAddress -ResourceGroupName $PxTeamsConnStaticResourceGroupName).IpAddress
$publicIpFqdn = (Get-AzureRmPublicIpAddress -ResourceGroupName $PxTeamsConnStaticResourceGroupName).DnsSettings.Fqdn

# Getting Tenant Details
$tenant = Get-AzureADTenantDetail
$tenantDomain = ($tenant.VerifiedDomains | Where-Object { $_._Default -eq $True }).Name

# Printing next steps
Write-Host
Write-Host
Write-Host "`n--------------------------`n"
Write-Host
Write-Host "When the Teams Connector is deployed, you have to create a DNS CNAME from your official hostname"
Write-Host "then the Office 365 admin must consent for the AppIds to join Teams Meetings"
Write-Host
Write-Host "1) Setup a DNS CNAME for $($PxTeamsConnFqdn) pointing to "
Write-Host "   $($publicIpFqdn)"
Write-Host
Write-Host "   When this is done, and you can confirm a DNS lookup of $($PxTeamsConnFqdn) resolves to"
Write-Host "   your Public IP of the load balancer ($($publicIpAddress)) - you are ready to proceed."
Write-Host
Write-Host "2) Give consent to trusted and guest apps. Go to: $AdminConsentUrl"
Write-Host
Write-Host "   If Management Consent Source Address prefixes are defined, the administrator"
Write-Host "   doing consent must come from one of these addresses (or subnets)."
Write-Host "   Consent address prefixes: $($PxConsentSourceAddressPrefixes)"
Write-Host
Write-Host "`n--------------------------`n"
Write-Host
Write-Host

After deploying the (first) Teams Connector

  1. When the script ran, it generated some output that listed the App IDs and credentials, similar to this:

  2. Copy the four output lines that define the App IDs and passwords and paste them into a copy of the redeploy script, replacing the existing lines that say:

    $TrustedAppId = ""
    $TrustedAppPassword = ""
    $GuestAppId = ""
    $GuestAppPassword = ""

    This means that if you need to run the redeploy script, you will not rerun the commands that imported the PowerShell module and created the apps. Instead you will set the variables to the IDs and passwords of the apps that you created the first time.

  3. Make sure you save your edited version of the redeploy script in a safe place, as it will be needed when you upgrade or if you need to redeploy, or deploy in another region.

    It is critical that you update and store the redeploy script with the Trusted/Guest app ID and passwords to ensure that upgrades/redeploys can be done using the same app IDs.

Update DNS with Teams Connector name and IP address

You must now update DNS with the FQDN of your Teams Connector load balancer that fronts the VM scale set.

The end of the installation script produced instructions for the required DNS changes. If you have closed down PowerShell, you can rerun the script that sets the installation variables, connect to AzureAD and AzureRM, and then rerun the last section of the deployment script (the "next steps summary") that prints out the details for you:

Within DNS you need to set up a CNAME record that links the Teams Connector hostname/FQDN to the DNS name that was assigned by Azure to the load balancer. You do not have to set up any A records.

The hostname of the Teams Connector is the name you used in the $PxTeamsConnFqdn variable, for example "pexip-TeamsConn-eu.teams.example.com".

The Azure-assigned DNS name can also be obtained from the Azure portal:

  1. Go to your subscription, then locate and select the resource group named <prefix>-TeamsConn-<region>-static-RG.
  2. Select the item with a Type of Public IP address.
  3. Hover over the DNS name field and a "Click to copy" option appears. Click the option to copy the DNS name, for example pexip-TeamsConn-eu.westeurope.cloudapp.azure.com.

The resulting DNS CNAME record you need to create, when using the example names from above, is:

NAME                                    TYPE   VALUE
-------------------------------------   -----  -------------------------------------------------
pexip-TeamsConn-eu.teams.example.com.   CNAME  pexip-TeamsConn-eu.westeurope.cloudapp.azure.com.

You can confirm that the DNS record is working by performing a DNS lookup on the Name (pexip-TeamsConn-eu.teams.example.com in this example), which should resolve to the IP address of the load balancer (40.115.47.191 in this example).
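As an added check (not part of Pexip's installation script), the following PowerShell function verifies both halves of that lookup: that the connector FQDN is a CNAME to the Azure-assigned name, and that following it resolves to the load balancer's public IP. The function and parameter names are hypothetical; Resolve-DnsName is the Windows DnsClient cmdlet, and the optional -DnsServer lets you query a resolver outside your network so you see the record as external clients do.

```powershell
# Added example, not part of Pexip's scripts. Checks the CNAME described above.
function Test-PexTeamsConnectorDns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TeamsConnFqdn,   # value of $PxTeamsConnFqdn
        [Parameter(Mandatory)] [string] $AzureDnsName,    # Azure-assigned name of the load balancer PIP
        [Parameter(Mandatory)] [string] $ExpectedIp,      # $publicIpAddress from the summary script
        [string] $DnsServer                               # optional resolver to query, e.g. a public one
    )

    $common = @{ ErrorAction = 'Stop' }
    if ($DnsServer) { $common.Server = $DnsServer }

    # 1. The connector FQDN must be a CNAME whose target is the Azure-assigned name.
    $cname = Resolve-DnsName -Name $TeamsConnFqdn -Type CNAME @common |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $cnameOk = ($null -ne $cname) -and
        ($cname.NameHost.TrimEnd('.') -ieq $AzureDnsName.TrimEnd('.'))

    # 2. Following the CNAME, the name must resolve to the load balancer's public IP.
    $addresses = @(Resolve-DnsName -Name $TeamsConnFqdn -Type A @common |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $ipOk = $addresses -contains $ExpectedIp

    [pscustomobject]@{
        Fqdn         = $TeamsConnFqdn
        CnameTarget  = $(if ($cname) { $cname.NameHost } else { $null })
        CnameMatches = $cnameOk
        ResolvedIps  = $addresses
        IpMatches    = $ipOk
        Ready        = ($cnameOk -and $ipOk)    # both must hold before you proceed
    }
}

# Example call using the constructed names from this page.
Test-PexTeamsConnectorDns -TeamsConnFqdn 'pexip-TeamsConn-eu.teams.example.com' `
    -AzureDnsName 'pexip-TeamsConn-eu.westeurope.cloudapp.azure.com' `
    -ExpectedIp '40.115.47.191'
```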

Authorize Pexip CVI applications to join Teams meetings

Your Pexip CVI applications need to be granted permissions to enable access to Microsoft Teams meetings in an Office 365 tenant.

The end of the installation script produced instructions for the URL to visit to provide the necessary consent, for example:

To provide consent to join Teams meetings:

  1. Use a web browser to go to the URL indicated in the output from the installation script and then follow the prompts in the consent wizard to authorize the Trusted and Guest apps.
  2. If the tenant you are logged in with is the tenant you will provide consent for, just select Initiate the consent for your tenant. If you have admin access for another tenant, you can specify an alternative tenant instead.
  3. You are asked to confirm the account. This must be an account with the Application Administrator role, to be able to grant the necessary consent.
  4. The permissions of the Pexip Teams Guest Connector are listed. The domain shown here is the domain where the App registration was created (this is the bot channel registration from the installation script) – it does not have to be the same Azure AD domain as where the Teams users are homed, but for most enterprises it will be the same domain.

  5. You are redirected to choose the account again, this time to sign in for the Pexip Teams Trusted Connector.
  6. The same list of permissions has to be accepted for the Trusted Connector.
  7. When admin consent is successfully granted, the success page is displayed.

    We recommend saving the information shown on this page for future fault-finding, so that you have a record of which apps were consented in which tenant.

Authorize Trusted app to bypass Teams lobby and configure dialing instructions

There are two Pexip apps that route calls into Teams meetings, referred to as the Trusted app and the Guest app.

  • The Trusted app is used to route calls from trusted participants, such as internal employees or calls placed from registered and authenticated devices. The Trusted app can then be assigned the ability to bypass the Teams lobby, meaning callers routed via the Trusted app are admitted directly into the Teams meeting.
  • The Guest app is used to route calls from untrusted participants, such as external guests or calls placed from unknown devices. The Guest app is not assigned the Teams lobby bypass capabilities, meaning callers routed via the Guest app are held in the Teams lobby and have to be admitted into the meeting by an existing participant.
  • Whether the Trusted app or the Guest app is used depends upon the Treat as trusted option that you can set when you configure your Call Routing Rules in Pexip Infinity. For example, if the rule only applies to calls received from registered endpoints then it will typically enable the Treat as trusted option which means that Pexip will use the Trusted app to route the call into the Teams meeting. If the Treat as trusted option is not enabled on the rule, Pexip uses the Guest app to route the call into the Teams meeting. See Call Routing Rules for direct and indirect routing for more information.
  • When a participant receives an invite to a Teams meeting, an "Alternate VTC dialing instructions" link to a webpage of alternative dialing addresses can be included. This provides customizable information for which address to dial, based on the type of client being used, such as a SIP device, an H.323 system or a browser, or whether you want to route callers via a Pexip IVR (Virtual Reception) into which they must enter the conference ID.

The PowerShell commands to configure the lobby bypass and dialing instructions require the Skype Online PowerShell module:

  1. Go to https://www.microsoft.com/en-us/download/details.aspx?id=39366 and download SkypeOnlinePowerShell.Exe.
  2. Go to your download folder and run SkypeOnlinePowerShell.Exe.

    Note that the installation may fail if you do not have a compatible version of Microsoft Visual C++. The latest versions of Microsoft Visual C++ are available at https://support.microsoft.com/en-au/help/2977003/the-latest-supported-visual-c-downloads.

  3. Agree to the terms and Install the module.
  4. Start a PowerShell session and run the following commands, where <tenant_name> needs to be your onmicrosoft.com domain for your tenant:

    Import-Module SkypeOnlineConnector

    $sfbSession = New-CsOnlineSession -OverrideAdminDomain "<tenant_name>.onmicrosoft.com"

    Import-PSSession $sfbSession

Defining the Trusted app and Guest app behavior and granting interoperability

The New-CsVideoInteropServiceProvider PowerShell command is used to:

  • define Pexip as your Cloud Video Interop service provider for Microsoft Teams
  • allow the Trusted app to bypass the Teams lobby
  • specify the content of the alternative dialing instructions.

The command takes the form:

New-CsVideoInteropServiceProvider -Name Pexip -TenantKey "<address>" -InstructionUri "<link>" -AllowAppGuestJoinsAsAuthenticated $true -AadApplicationIds "<App ID>"

which contains the following parameters:

  • Name: this is a mandatory parameter and must be set to Pexip.
  • TenantKey: this is the alias (SIP URI address) that you assign to the Pexip Virtual Reception that is to act as the IVR gateway into the Teams meetings. This must take the format name@yourdomain, for example teams@example.com.

    See Routing indirectly via a Virtual Reception (IVR gateway) for more information on configuring the Pexip Virtual Reception.

  • AadApplicationIds: when included, this is always the Trusted app ID and is used in conjunction with setting -AllowAppGuestJoinsAsAuthenticated $true to allow the Trusted app to bypass the Teams lobby. Use the Trusted app ID that was output by the installation script and copied into the redeploy script.
  • InstructionUri: this is a link to a webpage of "Alternate VTC dialing instructions" that the recipient of the meeting invite can look at. The URI must include a set of parameters that control which information is displayed on the page. The URI takes the format:

    https://<node_address>/teams/?conf={ConfId}&ivr=<alias>&d=<domain>&ip=<node_ip_address>&test=<test_call_alias>&prefix=<routing_rule_prefix>&w

    where <node_address> is the "pool name" of your Pexip Conferencing Nodes (it can also be the FQDN or IP address of an individual Conferencing Node).

    To view this webpage, the client application used to view the invitation must be able to access the specified Conferencing Nodes (or alternative server) on HTTPS 443/TCP.

    The InstructionUri parameters are:

    Parameter   Mandatory   Description
    ---------   ---------   -----------
    conf        Yes         This must be set to {ConfId} and when displayed it will contain the conference ID of the Teams meeting.
    ivr         Yes         The name part of the alias of the Pexip Virtual Reception that you will configure on Pexip Infinity later, and that will act as the IVR gateway. Do not include the domain — this is the d parameter below. Note that ivr@d must match the name of the alias that you will configure for the Virtual Reception.
    d           Yes         The domain name of your Pexip Infinity platform. This is used as the domain for all of the URI-style addresses that are displayed on the webpage.
    prefix      No          A prefix to apply to the conf parameter when building the address to call for direct routing into the Teams meeting. Typically you only need to use a prefix if you have a more complicated dial plan. If used, the prefix will typically match the Call Routing Rules set up in Pexip Infinity to route calls into Teams meetings.
    w           No          Displays the "From a browser" access details on the webpage. There is no value associated with this parameter. Note that these details are not displayed if the user is viewing the page on Microsoft Edge (as it is expected they would join the Teams meeting directly via Teams itself).
    ip          No          The public-facing IP address of one of your Conferencing Nodes. You can only specify a single address. When specified, alternative dialing options by IP address (which may be required by some H.323 systems for example) are displayed on the webpage. If included, the IP address that you specify here must also be added as an alias to the Virtual Reception that you will configure on Pexip Infinity later.
    test        No          Includes a "Test call" option on the webpage, where the value of this parameter is used as the alias to dial. This uses Pexip Infinity's inbuilt Test Call Service; you must also ensure that you set up the associated alias e.g. test_call@example.com in your Pexip Infinity's configuration.

    An example InstructionUri value could be: https://px.vc.example.com/teams/?conf={ConfId}&ivr=teams&d=example.com&ip=198.51.100.40&test=test_call&w

    and that would produce the following webpage (where the Teams conference ID is "234567890"):

    Here is an example of the complete New-CsVideoInteropServiceProvider command:

    New-CsVideoInteropServiceProvider -Name Pexip -TenantKey "teams@example.com" -InstructionUri "https://px.vc.example.com/teams/?conf={ConfId}&ivr=teams&d=example.com&ip=198.51.100.40&test=test_call&w" -AllowAppGuestJoinsAsAuthenticated $true -AadApplicationIds "c054d1cb-7961-48e1-b004-389e81356232"
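As an added example (not one of Pexip's scripts or module functions), the following PowerShell function assembles an InstructionUri from the parameters in the table above, enforces the constraints the table states (conf left as the literal {ConfId}, ivr without a domain, a single ip, w with no value), and reports the aliases the Virtual Reception must then carry. The function and parameter names are hypothetical; the final lines rebuild this page's example value and compare against it.

```powershell
# Added example, not part of Pexip's scripts. Builds and sanity-checks an InstructionUri.
function New-PexInstructionUri {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $NodeAddress,   # pool name, FQDN or IP of the Conferencing Node(s)
        [Parameter(Mandatory)] [string] $Ivr,           # name part of the Virtual Reception alias only
        [Parameter(Mandatory)] [string] $Domain,        # the "d" parameter
        [string] $Prefix,                               # optional routing-rule prefix
        [string] $Ip,                                   # optional single public node IP address
        [string] $TestCallAlias,                        # optional "test" alias
        [switch] $Browser                               # emit the value-less "w" parameter
    )

    # ivr is the name part only: the domain comes from d, and ivr@d must equal the
    # alias configured on the Virtual Reception.
    if ($Ivr -match '@') {
        throw "ivr must not contain '@'; pass the domain via -Domain instead"
    }

    # ip accepts exactly one address, so reject lists and anything that does not parse.
    if ($Ip) {
        $parsed = $null
        if ($Ip -match ',' -or -not [System.Net.IPAddress]::TryParse($Ip, [ref]$parsed)) {
            throw "ip must be a single IP address, got '$Ip'"
        }
    }

    $enc = { param($s) [System.Uri]::EscapeDataString($s) }

    # conf stays as the literal {ConfId}: it is replaced with the conference ID when
    # the link is displayed, so the braces must not be URL-encoded.
    $query = @('conf={ConfId}')
    $query += "ivr=$(& $enc $Ivr)"
    $query += "d=$(& $enc $Domain)"
    if ($Ip)            { $query += "ip=$Ip" }
    if ($TestCallAlias) { $query += "test=$(& $enc $TestCallAlias)" }
    if ($Prefix)        { $query += "prefix=$(& $enc $Prefix)" }
    if ($Browser)       { $query += 'w' }          # flag only, no "=value"

    # Aliases the Virtual Reception must carry: ivr@d, plus the bare IP when ip is used.
    $aliases = @("$Ivr@$Domain")
    if ($Ip) { $aliases += $Ip }

    [pscustomobject]@{
        InstructionUri          = "https://$NodeAddress/teams/?" + ($query -join '&')
        VirtualReceptionAliases = $aliases
    }
}

# Rebuild the example value from this page and confirm it matches exactly.
$result = New-PexInstructionUri -NodeAddress 'px.vc.example.com' -Ivr 'teams' -Domain 'example.com' `
    -Ip '198.51.100.40' -TestCallAlias 'test_call' -Browser
$expected = 'https://px.vc.example.com/teams/?conf={ConfId}&ivr=teams&d=example.com&ip=198.51.100.40&test=test_call&w'
if ($result.InstructionUri -ne $expected) { throw "unexpected URI: $($result.InstructionUri)" }
$result
```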

Use the following steps to assign lobby-bypass capabilities to the Trusted app, define the content of the "Alternate VTC dialing instructions" page, and grant interoperability for the users in your tenant.

The following commands may take up to 6 hours to come into effect.

  1. Assign lobby-bypass capabilities to the Trusted app and specify the "Alternate VTC dialing instructions". This command takes the form:

    New-CsVideoInteropServiceProvider -Name Pexip -TenantKey "<address>" -InstructionUri "<link>" -AllowAppGuestJoinsAsAuthenticated $true -AadApplicationIds "<Trusted App ID>"

    For example (note that all of the available command parameters are described above):

    New-CsVideoInteropServiceProvider -Name Pexip -TenantKey "teams@example.com" -InstructionUri "https://px.vc.example.com/teams/?conf={ConfId}&ivr=teams&d=example.com&test=test_call&w" -AllowAppGuestJoinsAsAuthenticated $true -AadApplicationIds "c054d1cb-7961-48e1-b004-389e81356232"

  2. Grant interoperability for the users in your tenant. To grant interoperability for all users:

    Grant-CsTeamsVideoInteropServicePolicy -PolicyName PexipServiceProviderEnabled -Global

    For testing purposes you can enable interop for named users by using the -Identity parameter instead of -Global, for example:

    Grant-CsTeamsVideoInteropServicePolicy -PolicyName PexipServiceProviderEnabled -Identity alice@example.com

The following commands are also available when troubleshooting or maintaining your system:

  • Get-CsVideoInteropServiceProvider: list the existing interop service providers.
  • Set-CsVideoInteropServiceProvider: modify an interop service provider (see Changing the alternative dialing instructions for more information).
  • Remove-CsVideoInteropServiceProvider: remove a provider.
  • Get-CsTeamsVideoInteropServicePolicy -Filter "*enabled*": list the existing service policies.
  • Get-CsOnlineUser -Identity alice@example.com: returns user information.

To change the settings for your Teams meetings, such as customizing your meeting invitations, see https://docs.microsoft.com/en-us/microsoftteams/meeting-settings-in-teams.

Next steps

You must now complete the configuration within Pexip Infinity as described in Configuring Pexip Infinity as a Microsoft Teams gateway.