Maintaining your Teams Connector deployment

After you have installed and configured your Teams Connector there are several maintenance tasks you may need to perform, such as adding extra Conferencing Nodes, changing your call capacity or upgrading the platform to the latest software version.

Modifying the Teams Connector's configuration

If you need to change the configuration on the Teams Connector after it has been deployed, you must make the necessary changes to the variables in your initialization script and then redeploy it using the new configuration, as described below. Configuration changes that require redeployment include:

  • Changing the Teams Connector's certificate.
  • Changing the pool name or node FQDNs of the associated Conferencing Nodes (the name referenced by the $PxNodeFqdns variable in the initialization script).

Note that you do not need to redeploy the Teams Connector if you need to change the Azure Network Security Group configuration, for example to add the IP address of a new Conferencing Node, or if you need to modify the number of Teams Connector instances.

Upgrading the Teams Connector to the latest software

When upgrading the Teams Connector to version 26, you must redeploy it using your original variables initialization script (although you should update it to specify a new $tags variable, and you may apply any configuration changes, if required), and with the latest application software files and v26 redeployment script, as described below.

When upgrading your Teams Connector to version 26:

  • You must be using Az module version 4.7.0 or later.
    • To check your installed version you can run:
      Get-InstalledModule -Name Az -AllVersions
    • To install the latest Az version you can run:
      Install-Module -Name Az -MinimumVersion 4.7.0 -AllowClobber -Scope AllUsers
  • When upgrading from a previous major release (e.g. from v24.n to v26.1), you must use the latest version of the redeploy script as contained here. You can use your existing redeploy script if you are upgrading to a new minor/ "dot" release for the same major version (e.g. from 26.0 to 26.1).

    When using a new redeploy script, update the two lines in the redeploy script that say:

    $AppId = ""
    $AppPassword = ""

    to contain the app ID and password from the version of the redeploy script you saved from your existing deployment.

  • There are some important changes to the scripts in version 26:

    • The variables initialization script contains a new $tags variable. This provides the ability to optionally specify a set of tags (name-value pairs) to apply to the Azure resources that are created for the Teams Connector.
    • The installation and redeploy/upgrade scripts have both been updated to use the new $tags variable.
    • The redeploy/upgrade script now removes the dynamic Azure resource groups for you (those named <prefix>-TeamsConn-<region>-RG that contain the existing Teams Connector instances). This means you no longer have to perform this step manually via the Azure portal when upgrading or redeploying.

    • In 26.1 the requirement to set up a DNS CNAME record for your Teams Connector hostname has been removed, and you are requested to create a DNS A-record instead. The end of the installation script contains the new steps to create the A-record, and the redeploy script no longer contains the request to check/change your CNAME record. Existing deployments that use a CNAME will still work, but that can be replaced with an A record (by pointing the hostname of your Teams Connector ($PxTeamsConnFqdn) to the Public IP address of the load balancer), if you want to align your DNS process with our latest guidelines.
  • If you have deployed multiple Teams Connectors, you must follow the same redeploy process (with the appropriate variable initialization script) for each Teams Connector.
  • As with all upgrades, you can continue to use the Pexip CVI app from your existing deployment.

Redeploying the Teams Connector

The Teams Connector redeployment process described below is required when you want to:

  • Upgrade the Teams Connector software.
  • Change the Teams Connector's configuration (such as its certificate, or the names of the associated Conferencing Nodes).
  • Deploy a new Teams Connector in a different Azure region.

Note that there is no need to backup the Teams Connector as there are no specific settings, status or history information to preserve — if the deployment is lost you can just reinstall it with this redeploy process.

There are three main steps to redeploying the Teams Connector:

  1. Check that you have the latest relevant version of the Teams Connector software, and your variable initialization and redeploy scripts.
  2. Ensure that the person performing the redeployment is an Azure Owner of the static resource group in each region.
  3. Reinstall the Teams Connector software.

Before running your scripts we recommend that you check the Azure status (https://status.azure.com) for your region. Any ongoing issues in your region with the Azure services used by the Teams Connector could cause the script to fail.

The redeployment steps are shown in the following diagram and are then described in detail below.

Deployment script flowchart

Check Teams Connector software, retrieve your original scripts, and check your Azure environment

  1. Download the latest relevant version of the Teams Connector ZIP file (Pexip_Infinity_Connector_For_Microsoft_Teams_v26.1_<build>.zip) from the Pexip download page.

    Ensure that the Teams Connector version you download is the same version as your Pexip Infinity deployment (including minor/ "dot" releases).

  2. Extract the files to a folder on a local drive on your administrator PC.
  3. Add your PFX certificate for the Teams Connector to this folder.
  4. Retrieve your saved copies of the initialization and redeploy scripts. You should have created and stored your version of these scripts after you completed your initial installation of your first Teams Connector.

  5. Check your saved copy of the initialization script that sets the environmental variables:

    • If you are redeploying and need to change any of the previous configuration you should also adjust your initialization script as required.
    • If you have Teams Connectors in many regions, ensure that you have the correct versions of the initialization scripts that set the regional variables to the appropriate values.
  6. Check your saved copy of the redeploy script:

    • If you are upgrading to v26, ensure that you use the latest version of the redeploy script instead of your previously saved copy, but that you have updated it with your Pexip App ID and credentials from your previously saved copy, as described immediately below.
    • Confirm that the redeploy script contains your Pexip App ID and credentials:

      • When the installation script ran, it generated some output that listed the App ID and credentials, similar to this:

      • These output lines should have been used to replace the two existing lines in the redeploy script that say:

        $AppId = ""
        $AppPassword = ""

        This means that when you run the redeploy script, you will reuse the app and password that you created the first time.

    • You should use the redeploy script in all scenarios except for when deploying a Teams Connector for the very first time for your Azure subscription i.e. you should use the redeploy script when upgrading, redeploying, or deploying a new Teams Connector in another region.
    • You only need one version of this script — you can use the same redeploy script in every region if you have multiple Teams Connectors.
  7. Ensure that the person performing the redeploy/upgrade has Azure Owner permissions for the pre-existing static resource group in Azure (the name of this resource group takes the format <prefix>-TeamsConn-<region>-static-RG). If you have deployed in multiple regions you must do this for the static resource group in each region.

    The static resource group is used for the Azure Key Vault (which provides enhanced security to the Teams Connector). Azure requires that contributors who want to create resources that use the Azure Key Vault must have an Owner role for the resource group that holds that Key Vault (as the Owner role is required to grant access to resources). The Owner role is only required for the static resource group — the Contributor role in the Azure subscription is sufficient to successfully run the redeploy script that creates all of the other resources used for the Teams Connector.

    If the Owner of the Azure subscription will be performing the redeploy/upgrade then this step can be skipped, otherwise the subscription Owner must make the person performing the upgrade an Owner of the static resource group. To do this:

    These steps must be performed by the Owner of the Azure subscription used for the Teams Connector.

    1. Run the following PowerShell command to connect to Azure:

      Connect-AzAccount

      Then follow the prompts to sign in to Azure.

    2. Run the variable initialization script that you used when your first installed the Teams Connector (to set the required subscription, resource group name and region variables).
    3. Ensure that you are using the Azure subscription for the Teams Connector:

      Set-AzContext -SubscriptionId $PxSubscriptionId

    4. Ensure that the person who will perform all of the remaining upgrade/redeploy steps has the Azure Owner role for the static resource group by running the following command:

      New-AzRoleAssignment -SignInName <email_name> -RoleDefinitionName "Owner" -ResourceGroupName $PxTeamsConnStaticResourceGroupName

      where <email_name> is the email address / user principal name of the person who will perform the remaining upgrade/redeploy steps; for example where alice@example.com will perform the upgrade/redeploy:

      New-AzRoleAssignment -SignInName alice@example.com -RoleDefinitionName "Owner" -ResourceGroupName $PxTeamsConnStaticResourceGroupName

    Note:

    • In the future, if another person/contributor were to upgrade or redeploy the Teams Connector, that person would also have to be granted the Owner role for the static resource group.
    • You can also use the Azure portal to check/assign permissions by selecting the resource group and using the Access control (IAM) option.
  8. Ensure you have only version 3.0.0 and higher of the Azure PowerShell module (Az) installed (uninstall the AzureRM PowerShell module if necessary). See https://docs.microsoft.com/en-us/powershell/azure/migrate-from-azurerm-to-az?view=azps-3.1.0 for more information.

Redeploy the Teams Connector

To redeploy the Teams Connector:

  1. In PowerShell, run your initialization script that sets the environmental variables.

    If you have Teams Connectors in many regions, ensure that you run the version of the initialization script that sets the regional variables to the appropriate values.

  2. In PowerShell run your redeploy script.

    You only need one version of this script — you can use the same script in every region if you have multiple Teams Connectors.

This is the redeploy script. It is a variation on the installation script that only performs the necessary commands to redeploy the Teams Connector. As with the initial installation, we recommend running each group of commands step-by-step within PowerShell.

This script applies to software version 26. If you are using an earlier version you should refer to our previous documentation.

Copy to clipboard
# Ensure the correct script and software combination is being used
try {$PxConnMajorVersion = (Get-Content .\version.json -ErrorAction Stop | Out-String | ConvertFrom-Json).major} catch {Write-Warning "Can't find version.json file. Make sure you run the installation script from the folder into which you extracted the files from the Teams Connector ZIP"}

if ($PxConnMajorVersion -ne "26"){Write-Warning "The Connector version (extracted ZIP files) and this deployment script version do not match. Connector version = $PxConnMajorVersion. Deployment script version = 26"}

# Connect to PowerShell Azure Resource Manager account
# Set execution policy for the current PowerShell process, when prompted type A (Yes to All)
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

# Connect to Azure with an authenticated account for use with Azure Resource Manager (in same window to reuse variables)
# If the Import-Module step fails, ensure you have a suitable version of Az installed (4.7.0+)
Remove-Module "Az*" -ErrorAction SilentlyContinue
Import-Module Az -MinimumVersion 4.7.0
Connect-AzAccount

# Before running the following commands, update the following 2 lines/variables with the App ID and password
# that were output when the installation script was run
$AppId = ""
$AppPassword = ""

# Change context to the Pexip Subscription and set the app credentials
Set-AzContext -SubscriptionId $PxSubscriptionId

$AppSecurePassword = ConvertTo-SecureString -AsPlainText $AppPassword -Force
$AppCred = New-Object System.Management.Automation.PSCredential -ArgumentList $AppId,$AppSecurePassword

# Virtual Machine Scale Set (VMSS) creation
# Provide credentials to be used as local user/password for Pexip Teams Connector VMs
# Create a password (using the variables above) for the Windows VM
$PxWinAdminSecurePassword = ConvertTo-SecureString -AsPlainText $PxWinAdminPassword -Force
$PxWinAdminCred = New-Object System.Management.Automation.PSCredential -ArgumentList $PxWinAdminUser,$PxWinAdminSecurePassword

# Optionally if you did not want to specify the password as a variable, use Get-Credential
# $PxWinAdminCred = Get-Credential

# Remove the existing dynamic resource groups
$PxTeamsConnResourceGroup = Get-AzResourceGroup -Name $PxTeamsConnResourceGroupName -Location $PxAzureLocation
if ($PxTeamsConnResourceGroup)
{
    $resources = Get-AzResource -ResourceGroupName $PxTeamsConnResourceGroupName
    $resNames = $resources | ForEach-Object {return "`n" + $_.Name + " " + $_.ResourceType}
    Write-Host "In order to redeploy Pexip Teams Connector, resource group $PxTeamsConnResourceGroupName has to be deleted. Resources: $resNames"
    Remove-AzResourceGroup -Name $PxTeamsConnResourceGroupName | Out-Null
}
$PxTeamsConnResourceGroup = Get-AzResourceGroup -Name $PxTeamsConnResourceGroupName -Location $PxAzureLocation -ErrorAction SilentlyContinue
if ($null -ne $PxTeamsConnResourceGroup)
{
    Write-Warning "$PxTeamsConnResourceGroupName still exists, however it has to be removed before redeploying!"
}

# Create Resource group for Teams Connector VMSS (per region)
# This section of the script is region specific, ensure that the initial variables
# are set with the correct values for $PxAzureLocation, $PxTeamsConnFqdn and $PxVmssRegion
New-AzResourceGroup -Name $PxTeamsConnResourceGroupName -Location $PxAzureLocation -Tag $tags

# Deploy the Teams Connector VMs
# this step can take up to 30 minutes to complete
.\create_vmss_deployment.ps1 -SubscriptionId $PxSubscriptionId -ResourceGroupName $PxTeamsConnResourceGroupName -VmssName "$($PxBaseConnName)$($PxVmssRegion)" -VMAdminCredential $PxWinAdminCred -PfxPath $PxPfxCertFileName -TeamsConnectorFqdn $PxTeamsConnFqdn -PexipFqdns $PxNodeFqdns -instanceCount $PxTeamsConnInstanceCount -AppCredential $AppCred -StaticResourcesResourceGroupName $PxTeamsConnStaticResourceGroupName -IncidentReporting $PxTeamsConnIncidentReporting -RdpSourceAddressPrefixes $PxMgmtSrcAddrPrefixes -PexipSourceAddressPrefixes $PxNodesSourceAddressPrefixes -WupdScheduledInstallDay $PxWupdScheduledInstallDay -WupdScheduledInstallTime $PxWupdScheduledInstallTime -WupdActiveHoursStart $PxWupdActiveHoursStart -WupdActiveHoursEnd $PxWupdActiveHoursEnd -CustomerUsageAttribution $PxCustomerUsageAttribution -Tag $tags

# supply the PFX certificate file password when prompted

# Please enter the password for the PFX certificate '.\xxxxxxxx.pfx': ***************

# Printing finished message
Write-Host
Write-Host
Write-Host "`n--------------------------`n"
Write-Host
Write-Host " All steps completed."
Write-Host
Write-Host "`n--------------------------`n"
Write-Host
Write-Host

Maintaining access to the Admin Consent web page

Reinstating the Admin Consent web page

If you are upgrading and you need to maintain access to the Admin Consent web page (typically only necessary if you are a service provider), then after completing the commands in the redeploy script you should also run the following additional PowerShell commands to reinstate the Admin Consent web page:

Import-Module .\PexTeamsCviApplication.psm1

$BotChanResourceGroupName = "$($PxBaseConnName)-TeamsBotChan-RG"

$AdminConsentUrl = Publish-PexTeamsAdminConsentWebSite -SubscriptionId $PxSubscriptionId -ResourceGroupName $BotChanResourceGroupName -PxBaseConnName $PxBaseConnName -AppId $AppId -SourceAddressPrefixes $PxConsentSourceAddressPrefixes -Confirm:$false -Tag $tags

and then

Write-Host "To give consent to the app, go to: $AdminConsentUrl"

Note that if you run the above commands in a new window/session you will first need to run the PowerShell variables initialization script.

Changing the workstation / management network addresses that can access the consent page

To change the workstation / management network addresses that can provide consent for the Teams Connector app (the addresses that were initially specified in $PxConsentSourceAddressPrefixes):

  1. In the Azure portal, go to the botchannel registration resource group — this is called <prefix>-TeamsBotChan-RG.
  2. Select the App Service object.
  3. Under Settings, select Networking.
  4. Select Configure Access Restrictions.
  5. Modify the addresses as required and save your changes.

Adding or removing Conferencing Nodes

You can change the pool of Conferencing Nodes that communicates with the Teams Connector without having to redeploy the Teams Connector itself, providing that the certificate installed on any new Conferencing Nodes contains an identity that was in the $PxNodeFqdns initialization script variable when the Teams Connector was originally deployed.

For example, if you have a Teams Connector deployed as shown in Certificate and DNS examples for a Microsoft Teams integration i.e.

  • two existing Conferencing Nodes called px01.vc.example.com and px02.vc.example.com
  • both nodes have the same certificate installed with subject name px.vc.example.com, and altNames px.vc.example.com, px01.vc.example.com and px02.vc.example.com
  • the Teams Connector was deployed with the $PxNodeFqdns variable set to px.vc.example.com

and you want to add a new Conferencing Node px03.vc.example.com, you would have to:

  1. Install a certificate on the new Conferencing Node that contains the common px.vc.example.com identity.

    To remain consistent with our example certificate naming policy this would mean creating a new certificate with a subject name of px.vc.example.com and altNames of px.vc.example.com, px01.vc.example.com, px02.vc.example.com and px03.vc.example.com. You would then install this certificate on the new node and the two existing nodes.

    Note that purely from a Teams Connector perspective, the node certificate only needs to contain the identity specified in the $PxNodeFqdns variable, but if the same Conferencing Nodes handle SIP and Skype for Business / Lync signaling then the example certificate naming policy used here is more appropriate.

  2. You may need to update the Network Security Group associated with your Teams Connector in Azure.

    The "MCU-signalling-endpoint" rule (priority 120) specifies the IP addresses of the Conferencing Nodes that can communicate with the Teams Connector. These addresses were based on the value of the $PxNodesSourceAddressPrefixes initialization script variable. If individual IP addresses were specified then you need to add the IP address of the new Conferencing Node to this NSG rule. If the variable specified an IP subnet and the new node's address is within that subnet, then no changes are required.

  3. If you had to update the NSG rule, you should add the same new address to the $PxNodesSourceAddressPrefixes variable in your stored initialization script to keep it in sync with your actual deployment in case it is needed for a future redeployment or upgrade.

Removing Conferencing Nodes

If you need to remove a Conferencing Node from the pool for any reason, you do not need to make any immediate changes to your Teams Connector / Azure configuration. However, you should make any necessary changes to the $PxNodesSourceAddressPrefixes variable in your stored initialization script to keep it in sync with your actual deployment.

Changing the alternative dialing instructions or IVR address

You can use the Set-CsVideoInteropServiceProvider command to change the alternative dialing instructions or the IVR address (TenantKey).

Changing the alternative dialing instructions

You can update the webpage of "Alternate VTC dialing instructions" that the recipient of the meeting invite can look at, by adding or removing some of the address types that are displayed.

You do this by using the Set-CsVideoInteropServiceProvider command and supplying a new InstructionUri parameter, following the same rules as described when you first created the service provider.

In our original example, the service provider was created with the command:

New-CsVideoInteropServiceProvider -Name Pexip -TenantKey "teams@example.com" -InstructionUri "https://px.vc.example.com/teams/?conf={ConfId}&ivr=teams&d=example.com&ip=198.51.100.40&test=test_call&w" -AllowAppGuestJoinsAsAuthenticated $true -AadApplicationIds "c054d1cb-7961-48e1-b004-389e81356232"

To change the instructions to remove the "Test call" option, for example, the revised InstructionUri parameter would be "https://px.vc.example.com/teams/?conf={ConfId}&ivr=teams&d=example.com&ip=198.51.100.40&w"

and the command to apply the revised InstructionUri parameter would be:

Set-CsVideoInteropServiceProvider -Identity Pexip -InstructionUri "https://px.vc.example.com/teams/?conf={ConfId}&ivr=teams&d=example.com&ip=198.51.100.40&w"

Changing the IVR address (TenantKey)

The IVR address (TenantKey) is the alias that you assign to the Pexip Virtual Reception that is to act as the IVR gateway into the Teams meetings. In our original example this was set to teams@example.com.

To change the address you can use the Set-CsVideoInteropServiceProvider command and supply a new TenantKey parameter, for example:

set-CsVideoInteropServiceProvider -Identity Pexip -TenantKey "newaddress@example.com"

Note that when using Set-CsVideoInteropServiceProvider, the first parameter is called -Identity, not -Name.

These changes may take up to 6 hours to come into effect.

Changing the call capacity of a Teams Connector

When you install a Teams Connector application in Azure, you initially specify the number of Teams Connector instances (VMs) to deploy.

You can subsequently modify the number of instances via the Azure portal, to reflect changing capacity requirements.

To change the number of instances:

  1. In the Azure portal, for your subscription, go to the Virtual machine scale set in your Teams Connector resource group.
  2. In the Settings menu, select Scaling.
  3. Use the slider in the Configure tab to increase/decrease the instance count as appropriate.

    Note that if you reduce the instance count, any calls that are being handled by an instance that Azure chooses to delete will be dropped.

Adding extra Teams Connectors in other Azure regions

Large enterprises may want to install a Teams Connector in multiple regions to provide local capacity/resources.

As with your initial Teams Connector installation, you must follow the same guidelines when deploying additional Teams Connectors:

  • The Azure region for the new Teams Connector must support Automation and Fs series instance types. Ensure that you have sufficient resource quota and capacity for those instance types in that region.
  • Each Teams Connector that you deploy needs a unique DNS name and a certificate that matches that identity.
  • You may also be deploying a new pool of Conferencing Nodes to use with the new Teams Connector. These nodes would typically be in the same Azure region as the new Teams Connector, or in an on-premises datacenter in the same geographic area. You may want to use a different certificate (with a different pool name) for this set of Conferencing Nodes.

Note that you do not need to create any new apps or perform any additional app authorizations when installing additional Teams Connectors — only one app registration is required per tenant.

Installing the additional Teams Connector application into Azure

As with the initial installation, you deploy additional Teams Connector applications through PowerShell ISE commands and scripts:

  1. Create a new variables initialization script for the new Azure region. You should do this by making a copy of your existing initialization script.
  2. Update the regional variables in the new initialization script with the values for your new Azure region. The variables you need to update are:

    • $PxVmssRegion: the short name that represents the new region in which you are deploying the new Teams Connector.
    • $PxTeamsConnFqdn: the hostname of the new Teams Connector.
    • $PxNodeFqdns: the pool name or names of the Conferencing Nodes that will communicate with the new Teams Connector.
    • $PxAzureLocation: the name of the Azure region into which you are deploying the new Teams Connector.
    • $PxPfxCertFileName: the filename of the PFX certificate file to upload to the new Teams Connector.
    • $PxNodesSourceAddressPrefixes: the IP addresses of the Conferencing Nodes that will communicate with the new Teams Connector instances.
  3. Create the static resource group for the new region and ensure that the person performing the installation has the Owner role for it:

    These steps must be performed by the Owner of the Azure subscription used for the Teams Connector.

    1. Run the following PowerShell command to connect to Azure:

      Connect-AzAccount

      Then follow the prompts to sign in to Azure.

    2. Run the variable initialization script (to set the required subscription, resource group name and region variables).
    3. Ensure that you are using the Azure subscription for the Teams Connector:

      Set-AzContext -SubscriptionId $PxSubscriptionId

    4. Create the resource group for static resources for the Teams Connector / region:

      New-AzResourceGroup -Name $PxTeamsConnStaticResourceGroupName -Location $PxAzureLocation -Force -Tag $tags

    5. Ensure that the person who will perform all of the remaining installation steps has the Azure Owner role for the static resource group you have just created. If the Owner of the Azure subscription will perform all of the remaining installation steps then you can skip to Run the redeploy script to install the Teams Connector into the new region. below.

      Otherwise, you must run the following command to assign the Owner role for the resource group you have just created to the person who will perform all of the remaining installation steps:

      New-AzRoleAssignment -SignInName <email_name> -RoleDefinitionName "Owner" -ResourceGroupName $PxTeamsConnStaticResourceGroupName

      where <email_name> is the email address / user principal name of the person who will perform the remaining installation steps; for example where alice@example.com will perform the upgrade/redeploy:

      New-AzRoleAssignment -SignInName alice@example.com -RoleDefinitionName "Owner" -ResourceGroupName $PxTeamsConnStaticResourceGroupName

    Note:

    • The steps to create the static resource group are not required when redeploying or for subsequent upgrades. They are only required when deploying in a region for the first time.
    • In the future, if another person/contributor were to upgrade or redeploy the Teams Connector, that person would also have to be granted the Owner role for the static resource group.
    • You can also use the Azure portal to check/assign permissions by selecting the resource group and using the Access control (IAM) option.
  4. Run the redeploy script to install the Teams Connector into the new region.

    This should be the script that you produced after the initial installation or most recent upgrade. This script should already have the variables for the App ID and password updated with the correct values for your deployment. As with the initial installation, we recommend running each group of commands step-by-step within PowerShell.

  5. Update DNS with the new Teams Connector's name and IP address.

Note that you do not need to create any new apps or perform any additional app authorizations when installing additional Teams Connectors.

Pexip Management Node configuration

To configure Pexip Infinity to use the new Teams Connector:

  1. If required, set up new Conferencing Nodes / locations that will use the new Teams Connector.
  2. Ensure that the Conferencing Nodes have suitable certificates installed (see Certificate and DNS examples for a Microsoft Teams integration).
  3. Configure a new Microsoft Teams Connector (Call control > Microsoft Teams Connectors) where the address of the Teams Connector is the name specified in $PxTeamsConnFqdn in your new initialization script for the new Azure region.
  4. Assign the new Teams Connector to the locations (and thus Conferencing Nodes) where you want that new Teams Connector to be used (Platform > Locations).
  5. Now that you have multiple Teams Connectors you must ensure that calls are routed via your desired Conferencing Nodes to the appropriate Teams Connector. This assumes that GeoDNS or your call control system is routing incoming calls to the appropriate Conferencing Nodes / locations.

    • When you have just one Teams Connector, all of the Call Routing Rules handling calls to Microsoft Teams are typically all configured with an Outgoing location set to the one location containing your Conferencing Nodes that communicate with your Teams Connector.
    • When you have two (or more) Teams Connectors, you will also have two (or more) locations, where each location typically contains the Conferencing Nodes that are local to each Teams Connector.

    To ensure that your calls are routed via the most appropriate Conferencing Nodes and Teams Connectors, you must modify your existing Call Routing Rules and also create some new rules. Typically the best way to do this is to use the Calls being handled in location setting on each rule, so that you can route calls via the appropriate Teams Connector based on where the incoming call was originally received.

    For example, if you previously only had a single location (called "Europe-DMZ") containing all of your Conferencing Nodes and that location was also configured as the Outgoing location on all of your rules, then all calls would have been received in — and routed out of — those nodes to your single Teams Connector (also most likely deployed in a European Azure region).

    Let's assume that you now add a second location (called "USA-DMZ") containing new Conferencing Nodes and you want to route calls local to America to a new Teams Connector that is deployed in an American region, and keep your other calls routed via the Europe nodes and Europe Teams Connector. You now need to have another set of Call Routing Rules that are based on (i.e. copies of) your existing rules but where you:

    • keep the same rule settings for protocols, alias regexes and trust settings across each pair of rules
    • assign a Priority value for each new rule that keeps it next to the rule it was based upon
    • specify the Calls being handled in location and Outgoing location fields as appropriate for each pair of rules, meaning that:

      • your original rule now has Calls being handled in location = "Europe-DMZ" and Outgoing location = "Europe-DMZ"
      • your new rule has Calls being handled in location = "USA-DMZ" and Outgoing location = "USA-DMZ"

      Note that if you have many locations, you can specify some higher priority rules (lower numbers) with a specific location defined in Calls being handled in location, and have a lower priority rule with Calls being handled in location set to Any location to handle any calls that were not caught by the previous location-specific rules.

    This means that Incoming calls will be routed via the Teams Connector that is local to the Conferencing Nodes that received the call.

This example diagram shows how your Call Routing Rules should evolve when moving from routing all calls via a single Teams Connector to deploying a second Teams Connector in another Azure region. Note that this example also includes locations/nodes in the enterprise internal network, in addition to the locations/nodes in the DMZ.

Routing rules for one Teams Connector compared to two Teams Connectors

You do not have to change your existing Virtual Reception configuration — there is minimal performance overhead by always using a single location and Teams Connector to resolve Teams Conference IDs entered into a Virtual Reception.

Changing management workstation access

When you deploy a Teams Connector, a Network Security Group (NSG) is created within Azure. The NSG includes an "RDP" rule (priority 1000) that controls RDP access to the Teams Connector instances from any addresses specified in the $PxMgmtSrcAddrPrefixes installation variable. If no addresses were specified then a Deny rule is created instead.

You can change or enable this rule if you want to specify a different set of management workstation addresses. To do this:

  1. In the Azure portal, for your subscription, go to the Network security group in your Teams Connector resource group.
  2. Select rule 1000 RDP.
  3. Change the Source IP addresses/CIDR ranges as appropriate for the management workstation / network subnet addresses you want to allow RDP access.
  4. Set Action to Allow or Deny as appropriate.
  5. Select Save.
  6. Update the $PxMgmtSrcAddrPrefixes installation variable in your stored initialization script to match your changes applied to the NSG to keep the script in sync with your actual deployment.

Uninstalling the Teams Connector

This section describes how to completely remove a Teams Connector installation, for example if you have a test system that you no longer need.

  1. Delete all of the resource groups from Azure:

    1. Identify all of your existing Teams Connector resources in Azure: in the Azure portal, for your subscription, go to Resource groups and search for the prefix that you used when naming your resources — this is the value of the $PxBaseConnName variable in the initialization script.

      You will see resource groups with names in the following formats:

      • <prefix>-TeamsBotChan-RG: this contains the Bot channel registrations.
      • <prefix>-TeamsConn-<region>-RG: this contains the Teams Connector instances (Virtual Machine scale set).
      • <prefix>-TeamsConn-<region>-static-RG: this includes the Azure Key Vault and the public IP address of the Teams Connector.

      If you have deployed a Teams Connector in multiple regions you will see several <prefix>-TeamsConn-... resource groups.

    2. Select each resource group in turn (with the prefix of the Teams Connector you want to delete), and then select Delete resource group and confirm with the name of the resource group.

      Note that as from v26, the Azure Key Vault is only soft-deleted when the static resource group is deleted. This means that if you subsequently redeploy your Teams Connector using the same variables initialization script, you will encounter deployment errors due to conflicts with key vault object names. To avoid this you must first purge the soft-deleted key vault:

      1. Go to the Key Vaults services within Azure.
      2. Select Manage deleted vaults.
      3. Select the subscription and purge the key vault.

  2. Remove the App registration from Azure:

    1. Within the Azure portal, select Azure Active Directory.
    2. Under Manage, select App registrations.
    3. Select the app registration with the prefix of the Teams Connector you want to delete, and then Delete it.
  3. Remove the Cloud Video Interop service provider from your tenant:

    1. Start a PowerShell session and run the following commands to sign in to your Teams tenant:

      Import-Module MicrosoftTeams

      Connect-MicrosoftTeams

    2. Run the command:

      Remove-CsVideoInteropServiceProvider -Identity Pexip

  4. Remove references to the Teams Connector from the Pexip Management Node:

    1. Change or delete any locations, Virtual Receptions or Call Routing Rules that are using the Teams Connector.
    2. Go to Call control > Microsoft Teams Connectors and delete the Teams Connector address.
  5. Remove from DNS the record that refers to the FQDN of the Teams Connector load balancer.