Trusted devices for lobby bypass: trial, orderability and configuration

The Trusted devices and Teams Meetings lobby bypass licenses are optional add-ons for customers with Microsoft Teams CVI or Google Meet interoperability. They allow lobby bypass for SIP video endpoints that are not registered to the service, so those endpoints can join the interop meeting directly without waiting to be admitted by the meeting host.

Video endpoints that are registered on the Pexip Service under the same company that has the Teams CVI / Google Meet interop service do not need a trusted device license — they are automatically treated as trusted and can bypass the Teams / Google Meet lobby.

Trusted device add-on license

With the Trusted device add-on, lobby-bypass can be enabled for:

  • Endpoints that are not registered on the Pexip Service.
  • Endpoints that are registered on the Pexip Service, but are part of a different company (for example where a large organization is managed as different companies within the Pexip Service).

Teams Meetings lobby bypass add-on license

The Teams Meetings lobby bypass license is an add-on to the Connect for Zoom Rooms license that specifically enables lobby bypass for the customer's Zoom Rooms into their Teams meetings.

How it works

Each trust method works in a different way.

Non-registered SIP endpoints

Pexip offers two ways to trust non-registered SIP endpoints:

  • SIP authentication (recommended): this is defined as a challenge rule in the Partner Portal.
  • IP address: this is defined as a trust rule in the Partner Portal.

You can use a combination of both methods.

SIP authentication

When using SIP authentication:

  • The video endpoint calls from a domain that the Pexip Service is configured to challenge. After providing authentication, the call bypasses the lobby. If it does not provide authentication, the call disconnects.
  • If the call is from a domain that is not set up to be challenged, the user is placed in the lobby.

This is the most secure trust option. It requires that the customer's SBC can authenticate on behalf of its clients. (Pexip can provide the customer with a username/password to be used.)

Pexip supports multiple domains to be challenged per customer.

IP address

When using IP address authentication:

  • The endpoint is trusted if the call comes from a pre-configured list of IP addresses. This assumes that the customer's call control system is correctly configured to validate the endpoint, and that it only relays their own traffic to the Pexip Service.
  • Any calls not coming from an approved IP address are placed in the lobby.
  • You can further restrict this rule to only include endpoints coming from a specific domain. This is useful when multiple companies share one call control infrastructure.

Pexip supports multiple IP addresses / network masks.

Registered SIP endpoints with a different company

To trust endpoints that are registered on the Pexip Service but belong to a different company, Pexip simply needs to know which (one or more) companies should be trusted when the company with the Teams / Google Meet interop license has a Teams / Google Meet meeting. All of the registered endpoints with those associated companies will then bypass the Teams / Google Meet lobby.

Zoom Rooms

To trust Zoom Rooms, Pexip needs to know your customer's Zoom Account Number, so that it can identify your customer's Zoom Rooms and provide trusted lobby bypass (a signed hash of the associated Zoom account number is included in the request to Pexip when a Zoom Room attempts to join a Teams meeting).

Note that lobby bypass only works for Zoom Rooms that are integrated with the Calendar Service.

Supported devices and call control systems

Any SIP (2.0) compatible system is supported.

Non-SIP calls, e.g. H.323, are not supported. Any such calls bypass any policy rules and are handled as if no rules have been set.

We have tested against self-hosted Pexip Infinity and we also expect other session border controller (SBC) systems to work successfully. Note that the Cisco Expressway is not a suitable system for use with the SIP authentication method (however, IP address trust works correctly with Expressway).

Trials, paid licenses and orderability

Creating a Trusted Device while in Evaluation mode

When Evaluation mode is open, you can configure your trusted device rules as described below (this is the same process as with a paid license).

When the company's evaluation period closes, all active rules become deactivated.

Ordering a Trusted Device paid license

To order a Trusted Device paid license:

  1. In the Purchasing tab, select .
  2. Select the Trusted Device License and submit the order by following the standard orderability wizard. Note that the license quantity is the number of third-party endpoints to be trusted.

  3. You can then configure your trusted device rules as described below.

Ordering additional Trusted Device licenses

To order additional trusted licenses:

  1. In the Purchasing tab, select the Actions menu for the Trusted Device License, and select the Edit Plan option.

  2. Set the new total number of licenses needed — one per video endpoint that needs to be trusted — and then follow the standard orderability wizard to submit the order.

    Note that you will receive the same number of Endpoint subscription licenses and Trusted Device licenses.

Ordering a Teams Meetings lobby bypass add-on

To order a Teams Meetings lobby bypass add-on license:

  1. In the Purchasing tab, select .
  2. Select the Teams Meetings lobby bypass add-on license and submit the order by following the standard orderability wizard. Note that the license quantity should be the same as the company's number of Pexip Connect for Zoom Rooms licenses.

  3. You can then configure the trusted Zoom accounts as described below.

Configuring trusted devices

This section explains how to set up trusted devices for a company.

Registered endpoints with a different company

You cannot currently configure this yourself via the Partner Portal. Please contact your Pexip account manager with the details (Partner Portal URLs) of the companies to be trusted by the company with the Teams / Google Meet interop license.

Non-registered endpoints

You can use the Partner Portal to configure the trusted devices for each company, under the Interop tab. You can add one or more rules as required for each company:

  • One or more trusted calling domains with SIP Authentication
  • One or more trusted IP Trust addresses or networks
  • You can combine SIP Authentication and IP Trust criteria

Using Challenge and Trust rules

When using a Policy action of Challenge:

  • Trust is based on the calling party domain (From domain) plus SIP authentication.
  • The SIP Username and Password required for authentication are automatically generated as a suggestion. However, the customer can provide their own values to be used instead.
  • Each calling party domain to be trusted should be configured individually.

When using a Policy action of Trust:

  • Trust is based on the calling party source IP address or IP network.
  • Configure the Source IP Address with either a specific IP address (/32), or with an IP host network and netmask in CIDR notation.
  • Lists of IP addresses are not accepted – you must enter lists of /32 IP addresses one by one.

An IP address specified without a netmask is assumed to be a /32 address:

When setting an IP host network and network mask, set the IP network and network mask explicitly:

Finally, if sharing call control infrastructure between multiple companies, use the optional From domain field to only trust devices coming from this particular domain and IP address/mask:

The tool does not automatically determine the IP network for you if you use a specific host address and a network mask, e.g. 176.121.88.66/21.
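Because the portal does not derive the network for you, it helps to pre-check planned Source IP Address entries before typing them in. The following is an added example, not Pexip's own code: the function names are hypothetical, it assumes IPv4 entries (the page only mentions /32), and every sample address except 176.121.88.66/21 is constructed.

```python
import ipaddress

def check_trust_source(value: str) -> dict:
    """Pre-check one Source IP Address entry for a Trust rule (hypothetical helper)."""
    value = value.strip()
    # Lists are not accepted: every address needs its own entry.
    if any(sep in value for sep in (",", ";", " ")):
        return {"ok": False, "reason": "list of addresses; enter each one separately"}
    try:
        # A bare address parses as a /32 host, matching the portal's default.
        iface = ipaddress.IPv4Interface(value)
    except ValueError as exc:
        return {"ok": False, "reason": f"not an IPv4 address or CIDR network: {exc}"}
    network = iface.network
    if iface.ip != network.network_address:
        # Host address combined with a mask: the network is not derived for you.
        return {"ok": False, "reason": "host bits set below the netmask",
                "suggest": str(network)}
    return {"ok": True, "entry": str(network)}

def check_rule_sheet(values):
    """Split a planned rule sheet into entries ready to enter and entries to fix."""
    ready, fix = [], []
    for value in values:
        result = check_trust_source(value)
        if result["ok"]:
            ready.append(result["entry"])
        else:
            fix.append((value, result))
    return ready, fix

# Constructed sample sheet; only 176.121.88.66/21 comes from the page.
SAMPLE = ["176.121.88.66", "176.121.88.66/21", "198.51.100.0/24",
          "192.0.2.10, 192.0.2.11"]

if __name__ == "__main__":
    ready, fix = check_rule_sheet(SAMPLE)
    print("ready:", ready)
    for value, result in fix:
        print("fix:", value, "->", result)
```

For the page's example, 176.121.88.66/21 is flagged and 176.121.88.0/21 is suggested as the explicit network to enter.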

Enabling rules

All rules are set in an inactive state by default, and you have to manually activate them to enable them for production use. When a rule is marked active, the trusted devices policy will be enabled within a few minutes.

Activating a challenge rule before the customer configures their call control with credentials on their side will result in failed calls. Therefore, make sure to coordinate activating the challenge rule with configuring the customer's call control credentials.

Configuring Zoom accounts for Teams Meetings lobby bypass

You can use the Partner Portal to configure your customer's Zoom Account Numbers that are associated with their Zoom Rooms. This is mandatory to enable the Zoom Rooms for Teams Meetings lobby bypass feature.

For each company, under the Interop tab, in the Zoom section you can add one or more Zoom Accounts as required: