This guide applies to installations on V20. If you are running on V18, follow this guide.

Configuring Microsoft Teams Direct Routing

Introduction

3CX Enterprise Edition for 16 simultaneous calls and above offers Teams Direct Routing integration. This allows Teams users to call and be called by 3CX users.

Step 1: Check the Requirements

  • You will need an SSL certificate from one of the Microsoft approved certificate authorities. 
  • Configured Microsoft 365 Integration.
  • Users of Microsoft 365 must have the “Office phone” number in an E.164 format.
  • Domain for Teams FQDN should be registered in Domains of the MS365 tenant.
  • *.onmicrosoft.com is not supported as the FQDN name of the SBC.
  • Port 5062 (or 5061 in some instances) must be opened on the firewall.
  • One of the following should be assigned to the MS365 users:
      • Microsoft 365 E1/E3/E5/A5/G5
      • Microsoft 365 Plan + Microsoft Phone System (add-on) or Business Voice (add-on)
  • Please check with Microsoft for the latest Teams licensing rules. They differ per region and change rapidly.

Step 2: Configure Teams FQDN

  1. Find your Teams domain in the Microsoft 365 admin center under Settings > Domains (e.g. MS365 domain: contoso.com; the Teams FQDN can be teams.contoso.com).
  2. Log in to your 3CX Admin Console, go to the “Integrations” > “Teams” tab and check “Enable Microsoft Teams Direct Routing”.
  3. Specify a Teams FQDN that matches the email domain of MS365.
  4. Navigate to your DNS provider and create a new A record to point to the static Public IP address of your 3CX installation.

Step 3: Generate a CSR key

To integrate 3CX with 365/Teams, Microsoft requires an SSL certificate from one of the Microsoft approved certificate authorities. To obtain a certificate you will first need to generate a private key and a certificate signing request (CSR), from which the SSL certificate will be issued. We have created a command-line tool to ease this process for you:

  1. Download OpenSSL and install.
  2. Once installed, run our CSR batch file and fill in the following details:
       1. 3CX (Teams) FQDN (e.g. teams.example.com)
       2. Organisation Unit (e.g. IT or Operations)
       3. Country Code (e.g. UK, US, AU, DE, FR)
       4. Area (e.g. England)
       5. City (e.g. London)
       6. Company name (e.g. Example Ltd)
  3. The tool will then generate the private key to the folder you ran the file from in both notepad format and a *.pem file. Keep this *.pem file as this will be uploaded in the ‘Private Key’ field of the 3CX admin console during Step 5 of this guide.
  4. Navigate to your certificate provider of choice to get the certificate, including all intermediate certificates and private key from the certificate root authority. It must cover the Teams FQDN you specified.

Note: Some providers do not provide a single file with the Certificate including the Intermediate Certificates. In this case we have listed the steps needed in our Teams FAQ.
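
For reference, this is what generating a private key and CSR with OpenSSL directly looks like from a PowerShell prompt. It is an added example, not the 3CX batch file; it assumes openssl.exe (1.1.1 or later) is on PATH, and the subject values and file names are placeholders.

```powershell
# Added example: generate a private key and CSR for the Teams FQDN with OpenSSL.
# All names and subject values below are placeholders, not values from 3CX.
$fqdn    = 'teams.example.com'      # Teams FQDN chosen in Step 2
$subject = "/C=US/ST=Example State/L=Example City/O=Example Ltd/OU=IT/CN=$fqdn"
$keyFile = Join-Path $PWD "$fqdn.key.pem"
$csrFile = Join-Path $PWD "$fqdn.csr.txt"

# Create a 2048-bit RSA key and the CSR in one call.
# -nodes writes the key unencrypted (a choice made for this example),
# so the file itself must be protected.
& openssl req -new -newkey rsa:2048 -nodes `
    -keyout $keyFile -out $csrFile `
    -subj $subject `
    -addext "subjectAltName=DNS:$fqdn"
if ($LASTEXITCODE -ne 0) { throw "openssl req failed with exit code $LASTEXITCODE" }

# Restrict the private key to the current user:
# remove inherited ACEs, then grant read access only to this account.
& icacls $keyFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:R" | Out-Null

# Check the CSR's self-signature and subject before submitting it to the CA.
& openssl req -in $csrFile -noout -verify -subject
if ($LASTEXITCODE -ne 0) { throw 'CSR verification failed' }

# Show the DNS name(s) requested in the subjectAltName extension.
& openssl req -in $csrFile -noout -text | Select-String 'DNS:'
```

Only the CSR file is sent to the certificate provider; the key file stays on the machine until it is uploaded in Step 5.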

Step 4: Get an SSL certificate

This example utilizes SSL.com

SSL.com Certificate CSR Validation

  1. Choose the appropriate level of certificate (the Basic SSL will suffice) and click “Add to cart”.
  2. Once the ‘Show order Transaction’ window appears, click on the “Click here to finish processing this certificate order” link at the top of the screen.
  3. Take the notepad file that the CSR tool generated and copy its contents into the CSR box.
  4. Ensure that the auto-populated common name (CN) field matches correctly and click “Next”.
  5. Under the ‘Domain Validation’ stage, use the drop-down boxes to choose your validation option.

SSL.com Certificate Validation

  1. Navigate to the verification email and click on the link it contains.
  2. Enter the 20 character validation code and ensure the green validation bar appears.

SSL.com Validation Confirmation

  1. Navigate back to the SSL.com Dashboard and choose the ‘Order’ tab along the top navigation bar.
  2. Locate your SSL certificate and click on the magnifying glass icon to expand for more details.

Download the Nginx file

  1. Click “Download” for the Nginx file. You may receive a task bar notification asking if you want to proceed; click “Keep”. Locate the file and rename it from .chained to .pem.

Step 5: Upload the SSL Certificate to 3CX

After you have created and downloaded the SSL certificate:

  1. If not already completed, right-click on the certificate file and rename it so that it has the *.pem file type.
  2. Under “Step 2” in the 3CX admin console, upload your certificate and the private key generated using the CSR generation tool in Step 3 of this guide.
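
Before uploading, it is worth confirming that the certificate file contains the intermediates, covers the Teams FQDN and matches the private key. The checks below are an added example, not part of the 3CX tooling; they assume openssl.exe is on PATH, and the file names and FQDN are placeholders.

```powershell
# Added example: sanity checks on the certificate and key files before upload.
$fqdn      = 'teams.example.com'               # placeholder Teams FQDN
$chainFile = '.\teams.example.com.pem'         # placeholder: renamed .chained download
$keyFile   = '.\teams.example.com.key.pem'     # placeholder: private key from Step 3

# 1. The file should hold the server certificate plus at least one intermediate.
$certCount = @(Select-String -Path $chainFile -SimpleMatch '-----BEGIN CERTIFICATE-----').Count
if ($certCount -lt 2) {
    Write-Warning "Only $certCount certificate(s) in $chainFile; intermediates may be missing."
}

# 2. The first certificate in the file must cover the Teams FQDN.
#    Assumption: the server certificate comes first in the chained file.
$hostCheck = (& openssl x509 -in $chainFile -noout -checkhost $fqdn) -join ' '
if ($hostCheck -notmatch 'does match') { throw "Certificate does not cover $fqdn" }

# 3. The certificate and the private key must share the same public key.
$certPub = (& openssl x509 -in $chainFile -noout -pubkey) -join "`n"
$keyPub  = (& openssl pkey -in $keyFile -pubout) -join "`n"
if (-not $certPub -or $certPub -ne $keyPub) {
    throw 'Private key does not match the certificate.'
}

# 4. Print issuer and expiry date for a final visual check.
& openssl x509 -in $chainFile -noout -issuer -enddate
```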

Step 6: Open port 5062 on your firewall

If your Microsoft Teams FQDN is not the same as your 3CX FQDN, you will have to ensure port 5062 is open. For example, if you have a 3CX FQDN mycompany.3cx.us and a Teams FQDN of mycompany.onmicrosoft.com then you will need to open port 5062. See this section in the Teams FAQ if you have a very restrictive firewall policy.

Step 7: Configure dial plan and run script

  1. Generate the script from the 3CX Admin console.
  2. Select your country and area code in the cases that apply. The generated script will be adjusted to format the dialed numbers in scenarios like internal, national, international.
  3. Click on “Generate Dial Plan” and save the PowerShell file on your system.
  4. Start Windows PowerShell as Administrator and ensure that execution policy is set to Bypass.
  5. Switch to the folder where the script “teams_dial_plan.ps1” is saved and run it.
  6. You can verify that the configuration is in place and no errors occur by opening the administration portal of Microsoft Teams.

Step 8: Run scripts for users

This step must be executed each time new users are created and assigned a Teams Phone System license.

  1. Click on “Generate Users Script” and save the PowerShell file on your system.
  2. Users selected in “User Sync” that meet the requirements (license, phone number format) and have “Enable MS Teams Integration” enabled under Users > Options > M365 will be included in the generated script.
  3. Review the script for any invalid users that might be commented out. Adjust accordingly and repeat the above steps. There might be a 24 hour delay in the sync.
  4. Start Windows PowerShell as Administrator and ensure that execution policy is set to Bypass by entering this command:
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
  5. Go to the folder where the script “map_users.ps1” is saved and run it.

Last Updated

This document was last updated on 27 February 2024

https://www.3cx.com/docs/microsoft-teams/