Everything you need to know about Microsoft Teams SIP gateway

By Tyler Stosic

UPDATE OCT 17TH:

The previous deadline of 29th of September 2022 is no longer correct. Microsoft have extended this through to July 31st, 2023; however, it is recommended to move supported 3PIP devices to Teams SIP Gateway as soon as possible. More information below:

Upgrade Skype for Business Online (3PIP) phones to Microsoft Teams using SIP Gateway – Microsoft Community Hub.

UPDATE AUG 6TH:

On August 5th, 2022, Microsoft posted message MC409857 in the message center advising that customers with 3PIP phones need to migrate away from using 3PIP sign-in by the 30th of September 2022 (it also noted that phones connecting via 3PIP will start being blocked from signing in to Teams on the 1st of November 2022). You will either need to transition existing phones to the SIP Gateway (details below in this blog) or upgrade to Teams native phones. If your tenant does not have any active 3PIP phones, you will not see this in your message center, as you are not impacted. A summary can be found below:

MC409857 · Published Aug 5, 2022 Action required by Sep 29, 2022

Microsoft has retired Skype for Business Online in July 2021. To continue using your Skype for Business Online phones (aka 3PIP phones) to securely connect and work with Teams, here are the actions you must take:

  • Migrate your 3PIP devices to Microsoft Teams using Teams SIP Gateway, OR
  • Upgrade your 3PIP devices to Microsoft Teams Phone devices.

WHEN THIS WILL HAPPEN:

You need to migrate your 3PIP Devices to SIP Gateway by September 30, 2022. SIP Gateway is the recommended approach for customers to continue using 3PIP phones to connect and work with Teams. We will start blocking your 3PIP devices from connecting to Teams via the existing pathway from November 1st.


In this article, we will be discussing the Microsoft SIP gateway, currently supported devices, pre-requisites for configuration, and the current limitations. Next, we will run through the configuration of two devices via two different methods: a Poly VVX using user sign-in mode, and a Yealink SIP T42G using Common Area Phone mode/remote provisioning.

WHAT IS THE MICROSOFT TEAMS SIP GATEWAY?

The Microsoft Teams SIP Gateway became generally available in December 2021. It allows compatible desktop handsets to register to Microsoft Teams over SIP and provides core Teams calling functionality. This functionality is provided at no additional cost (assuming accounts are licensed for Microsoft Teams and Phone System), allowing organisations to utilise existing fleets of legacy handsets with basic Teams calling functionality. Note that you are not going to get the full functionality that Teams calling can provide via the SIP Gateway; if you need support for features like call queues, video calls, calendar integration or address book search, I would recommend sticking with a Microsoft Teams Certified device.

Setup and registration of devices for the SIP gateway follows familiar processes if you have used remote provisioning services for Skype for Business certified handsets before; the main configuration change is updating the device provisioning server URL in DHCP. Devices are signed in via the https://microsoft.com/devicelogin URL using the code presented on the handset, or by bulk provisioning from the Teams Admin Centre via MAC address upload (although this still requires a code to be physically input into the device). There are a few other steps to be aware of, which will be covered in this article.

It is also worth noting that Microsoft Teams SIP gateway is a different service to the 3PIP gateway. Currently, Skype for Business certified IP phones can be used to sign into Microsoft Teams and be used with limited functionality (this limited functionality is comparable with the current limited feature set of the SIP gateway). However, Microsoft have previously stated that there will be no feature additions to any Skype for Business certified devices going forward. The support for 3PIP phones with Microsoft Teams was due to be retired on the 31st of July 2023 but has now been extended beyond 2023 with no official date given yet.

LIMITATION OF SIP GATEWAY

The following features are supported utilising compatible devices registered via the SIP Gateway.

  • Inbound/Outbound PSTN calls
  • Inbound/Outbound Teams Calling (note that SIP Gateway devices can only call users with an assigned number and cannot call via name/UPN)
  • Call Hold
  • Do Not Disturb
  • Voicemail
  • DTMF
  • Call Transfer
  • Call forwarding
  • Microsoft Teams meeting join (via the meeting access code)

A full list of supported features can be found at the below article:

For comparison, the feature set of Skype for Business Certified IP Phones with Microsoft Teams can be found here:

Skype for Business Certified IP Phones with Microsoft Teams – Microsoft Tech Community

Note that phones registered via the SIP gateway do not support Call Queues. Any feature not listed in the above documentation is not supported (although some of these features may work, I would recommend against using them due to the lack of support, especially in production environments).

SUPPORTED DEVICE LIST

The list of compatible SIP gateway devices can be found in the below Microsoft Article:

This currently includes several Cisco, Poly, Yealink, Audiocodes and Spectralink handsets, with several Spectralink DECT devices also currently supported. Poly and Ascom DECT devices have been flagged as being supported by end of June, but these are yet to show up on the list, and Yealink and Gigaset DECT devices are to be supported by September.

REQUIRED FIREWALL CONFIGURATION

There are a few additional firewall requirements beyond the standard “Worldwide endpoints” required by Microsoft Teams. These additional requirements are:

  • Open UDP ports in the range 49152 to 53247 for IP ranges 52.112.0.0/14 and 52.120.0.0/14.
  • Open TCP port 5061 for IP ranges 52.112.0.0/14 and 52.120.0.0/14.
  • Open the following HTTPS endpoints (IP addresses and URLs):
      o 13.75.175.145
      o 52.189.219.201
      o 51.124.34.164
      o 13.74.250.91
      o 13.83.55.36
      o 23.96.103.40
      o https://blobsdgapac.blob.core.windows.net
      o https://blobsdgemea.blob.core.windows.net
      o https://blobsdgnoam.blob.core.windows.net
      o https://httpblobsdgapac.blob.core.windows.net
      o https://httpblobsdgemea.blob.core.windows.net
      o https://httpblobsdgnoam.blob.core.windows.net
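As an added example (not part of the original article or of Microsoft's documentation), the Python below checks firewall deny entries against the IP ranges, ports and HTTPS addresses listed above, to spot SIP Gateway traffic that is being blocked. The log format and sample lines are constructed, and port 443 for the HTTPS endpoints is an assumption.

```python
import ipaddress

# Requirements copied from the firewall list above.
SIP_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.120.0.0/14")]
UDP_PORTS = range(49152, 53248)  # 49152 to 53247 inclusive
HTTPS_IPS = {ipaddress.ip_address(a) for a in (
    "13.75.175.145", "52.189.219.201", "51.124.34.164",
    "13.74.250.91", "13.83.55.36", "23.96.103.40")}
HTTPS_PORT = 443  # assumption: the HTTPS endpoints use the default port

def classify(proto, dst_ip, dst_port):
    """Return the SIP Gateway requirement a flow falls under, or None."""
    ip = ipaddress.ip_address(dst_ip)
    proto = proto.lower()
    in_sip_nets = any(ip in net for net in SIP_NETS)
    if in_sip_nets and proto == "udp" and dst_port in UDP_PORTS:
        return "UDP 49152-53247"
    if in_sip_nets and proto == "tcp" and dst_port == 5061:
        return "TCP 5061"
    if ip in HTTPS_IPS and proto == "tcp" and dst_port == HTTPS_PORT:
        return "HTTPS endpoint"
    return None

def blocked_requirements(log_lines):
    """Return (src, dst, requirement) for each DENY line that hits a requirement.
    Hypothetical log format: ACTION PROTO SRC_IP DST_IP DST_PORT"""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5 or fields[0] != "DENY":
            continue
        _, proto, src, dst, port = fields
        try:
            requirement = classify(proto, dst, int(port))
        except ValueError:  # malformed address or port: skip the line
            continue
        if requirement:
            hits.append((src, dst, requirement))
    return hits

# Constructed sample log, not taken from a real firewall.
SAMPLE_LOG = [
    "DENY udp 10.20.30.41 52.113.9.8 50000",
    "DENY tcp 10.20.30.41 52.123.0.10 5061",
    "ALLOW tcp 10.20.30.41 13.75.175.145 443",
    "DENY tcp 10.20.30.42 23.96.103.40 443",
    "DENY udp 10.20.30.42 52.116.0.1 50000",  # outside both /14 ranges
]

if __name__ == "__main__":
    print(*blocked_requirements(SAMPLE_LOG), sep="\n")
```

The blob storage hostnames are not covered here, since they need FQDN-based rules rather than IP matching.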

ADDITIONAL NOTES FOR CONFIGURATION

Any accounts signing into a phone via the Teams SIP gateway are required to be licensed with a Microsoft Teams and Microsoft Teams Phone Standard License (Phone System), or Common Area Phone license for Common Area Phones.

The Calling Policy assigned to any accounts needs to have the “SIP devices can be used for calls” option enabled. The “Allow Call Redirect” feature must also be enabled in the Calling Policy; this can be enabled via the below PowerShell command from Teams PowerShell:

Set-CsTeamsCallingPolicy -Identity "PolicyName" -AllowSIPDevicesCalling $true -AllowCallRedirect Enabled

When using DHCP for provisioning, the scope requires the following entries (in addition to existing standard DNS/Router settings):

  • 042 NTP Server
  • 002 Time Offset
  • 160 Provisioning Server (Poly, Cisco, Audiocodes – Note for Cisco append /$PSN.xml to the provisioning server URL.)
  • 066 Boot Server Host Name (Yealink)

If conditional access is implemented, ensure the following IP addresses are excluded for user sign in

Remote provisioning is available by uploading the MAC addresses of the devices and gaining an enrolment code. This enrolment code can then be input into the device which will onboard it into your M365 Tenant. You can then sign in the device via the TAC.

The Teams admin centre currently provides limited functionality for managing Teams SIP Phones. From the TAC, you can sign out, restart and monitor the device.

SIP GATEWAY SETUP

ORG WIDE CONFIGURATION

To set up the Teams SIP Gateway, we first need to configure the Teams Calling Policy. If only a subset of users/common area phones will be utilising the SIP gateway, it is recommended to create a new calling policy specifically for SIP devices. The following command can be used to create the policy and configure the required options (however, if you are utilising an existing policy, use the Set-CsTeamsCallingPolicy command instead):

New-CsTeamsCallingPolicy -Identity SIPDevices -AllowSIPDevicesCalling $true -AllowCallRedirect Enabled

Next, assign the policy to any account that will be signing into the SIP gateway:

Grant-CsTeamsCallingPolicy -Identity user.name@domain.com -PolicyName SIPDevices

DHCP CONFIGURATION

Next, perform the necessary DHCP configuration, using the appropriate SIP Gateway Provisioning Server URLs:

In this example the below options have been configured on a Windows DHCP Server to support both Poly and Yealink phones.

[Image: DHCP configuration]

POLY VVX CONFIGURATION (CONFIGURED VIA USER SIGN IN MODE)

To ensure the Poly pulls down the correct configuration from the Teams SIP Gateway provisioning servers, it is advised to factory reset the devices. This can be achieved through the Web UI under Utilities > Phone Backup & Restore > Global Settings by selecting the “Restore” button to reset the configuration.

[Image: Factory reset Poly]

Alternatively, the reset can be performed on the handset itself under Settings > Advanced > Administration Settings > Reset to Factory Defaults > Reset to Factory. It is strongly recommended not to skip this step (in the SIP gateway I have run into issues with phones not pulling down the configuration until a factory reset was performed). If you no longer have access to the admin password of the phone, follow the Poly support article below: How to reset a Polycom VVX phone when the Admin password is lost or unknown [VIDEO TUTORIAL]

Once the Poly has been factory reset (and configured in the correct subnet/DHCP scope), it will start to pull down the required configuration. Upon boot, the phone will reach out to the provisioning server and pull the required configuration. If this is not occurring, check that the device is on at least the minimum firmware listed in the Microsoft Docs (5.9.5 for the case of all VVX phones at the time of writing), install the necessary firmware if required, and reboot the phone again.

When pulling down the configuration, the device will reboot several times; this may take 5 or so minutes. Once it’s been configured, you will be presented with the below screen.

[Image: Poly provisioned]

To sign into the device, you can simply select the “Sign in” key, and follow the prompts to sign in via the https://microsoft.com/devicelogin URL. An image of a signed in phone is below:

[Image: Poly signed in]

Once sign in is completed, the device will show up in the TAC under SIP devices:

[Image: Poly TAC]

YEALINK T42G (CONFIGURED REMOTE PROVISIONING / COMMON AREA PHONE CONFIGURATION)

As we will be configuring the Yealink with remote provisioning and using the Common Area Phone sign in method, ensure the account created is licensed with a Common Area Phone license.

Next, we need to update the phone to the approved firmware version. This is different for most devices, so refer to the “Plan for SIP Gateway” URL to confirm the required version.

In my case, I am using a SIP T42G, so will be upgrading to 29.83.0.130. Log into the phone's WebUI, and under Settings > Upgrade, select the required configuration file. Firmware files are publicly available on the Yealink Support website.

Following the upgrade, a factory reset of the phone is to be performed from the WebUI (under Settings > Upgrade). The phone will auto-provision with the Teams SIP Firmware; this will take a few minutes and the phone will reboot.

[Image: Yealink provisioned]

Once onboarded, you will see the standard sign in screen. For this phone we will be using the Remote Provisioning method from the Teams Admin Centre.

As we only have one phone, we will upload the MAC address manually, but you can also upload a CSV for multiple phones.

Add the MAC, and the phone will show up under “Waiting for Activation”.

[Image: RemoteProv Yealink]

Then select the phone and select “Generate Verification Code” (note that this code is valid for 24 hours).

[Image: RemoteProv Yealink2]

Next, on the handset, dial *55* followed by the code (e.g. *55*316629). This will complete the provisioning process, and after a few minutes the phone will move to the “Waiting for sign in” page.

[Image: RemoteProv Yealink3]

Select the phone again and select “Sign in a user”. If it shows that the device is still setting up, wait a few more minutes.

[Image: RemoteProv Yealink4]

Lastly, follow the prompts to sign the device in:

[Image: Picture1]

The device will then finish its sign in process and be available for use.

[Image: Yealink provisioned]

CONCLUSION

The SIP Gateway is a good way to re-use old fleets of IP Phone handsets; however, you do lose a lot of functionality compared to Teams Certified IP Phone handsets, with no support for Call Queues being a deal breaker for a number of scenarios. For cases like common areas that do not require full Teams functionality, the SIP gateway would be a low-cost way to reuse existing phones, and with DECT Phones being supported this opens up a number of use cases that didn’t have ideal solutions previously. I am interested to see what additional devices will end up being supported for the Microsoft Teams SIP gateway in the future, as I see a lot of potential for the platform if devices like analogue telephony adapters become certified for use.
