How to Integrate a PBX/IP PBX phone system with O365 Exchange UM online


The purpose of this post is to provide some guidance to customers who use a PBX/IP-PBX based phone system and wish to integrate it with Microsoft O365 Exchange UM Online for voice mail.

Below is a high-level architecture of UM Online for a customer with a single site integrated with O365 for UM through an On Premise SBC.

Pic1

Call Flow for Voice Mail – How does it work

  • User A uses his PBX phone to call User B on his PBX phone.
  • User B does not answer the phone.
  • The call then goes back to the PBX/phone system, which has to decide what to do with it.
  • The phone system should be configured to send this call to the On Premise SBC (Session Border Controller), so the call is now sent to the SBC.
  • The SBC should be configured to send the call to the forwarding address obtained from the UM IP Gateway field in the O365 Portal.
  • The SBC first encrypts the call using the certificate installed on the SBC and then sends the call to the forwarding address (UM Online SBC).
  • The UM Online SBC receives the call, deduces the Exchange tenant information from the forwarding address, and sends the call to the correct Exchange servers in the back end.
  • When the Exchange servers receive the call, they use the information within the call to find the extension of the user who did not answer.
  • Exchange then checks whether a valid UM-enabled user exists with that extension; if so, Exchange takes the voice mail.

 

To successfully integrate your On Premise PBX/IP PBX phone system with Exchange UM Online, you have to perform the following actions:

A. Purchase Pre Requisite Hardware and Certificates that are Mandatory for the Configuration

B. Configure UM settings on the O365 Portal

C. Configure your On Premise Phone system to send Voice Mail calls to your On Premise SBC

D. Configure your On Premise SBC to forward these Voice Mail calls to O365 Exchange UM online.

The sections below give the details of each of the above.

 

A. Purchase Pre Requisite Hardware and Certificates that are Mandatory for the Configuration

 

Purchase a Supported Session Border Controller (SBC)

O365 Exchange UM Online has been tested, and is supported, ONLY with specific Session Border Controllers. If you want to integrate your On Premise PBX/IP-PBX with O365 Exchange UM Online, you have to route your voice mail calls from your On Premise PBX/IP-PBX to O365 through a supported Session Border Controller.

Pic2

The table above lists the SBC devices that are supported and tested to work with O365 Exchange UM Online. A more accurate/updated list can be found here – https://technet.microsoft.com/en-us/library/jj673565(v=exchg.150).aspx

For more information on supported devices and how to choose the one that is right for you, please refer to the guidelines listed here – https://technet.microsoft.com/en-us/library/jj673565(v=exchg.150).aspx

 

Do NOT install a Firewall in Front of the SBC

SBCs are designed to sit on the network edge, and they also function as a firewall. If you set up an SBC behind your organization’s firewall, it can cause configuration problems and, per Microsoft documentation, is unsupported for connecting to Office 365.

This is documented here – https://technet.microsoft.com/en-us/library/jj673565(v=exchg.150).aspx

 

Obtain a Public Certificate for The External FQDN of your SBC

Any traffic between your On Premise SBC and O365 UM Online has to be encrypted. For this reason you have to purchase and install a public certificate on your On Premise SBC.

Before purchasing a public certificate for your SBC, you may first have to assign a unique FQDN to the public/external interface of your SBC, for example mysbc.mydomain.com.

You need to ensure that this FQDN can be resolved publicly, using a public DNS server, to the correct IP address.

The Subject Name and the Subject Alternative Name on the public certificate should have the EXACT EXTERNAL FQDN of your On Premise SBC. The Subject Name is case-sensitive, hence it is important to make sure that the SN and SAN entered on the certificate match exactly with the external FQDN of your SBC. This is the FQDN that you will enter on the O365 Portal under the IP gateway tab. (This is discussed further under B. Configure UM settings on the O365 Portal.)
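The exact-match requirement above can be checked before the FQDN is entered in the portal. The following is an added example, not code from the original post or from Microsoft; it assumes the certificate has already been decoded into the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the sample certificates and the function names are constructed for illustration.

```python
"""Compare an SBC certificate's names with the FQDN used as the UM IP gateway address."""

def cert_names(cert):
    """Return (common_names, dns_sans) from a getpeercert()-style dict."""
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    return cns, sans


def check_sbc_cert(cert, gateway_fqdn):
    """Return a list of findings; an empty list means CN and SAN both match exactly."""
    findings = []
    cns, sans = cert_names(cert)
    for label, names in (("Subject CN", cns), ("SAN", sans)):
        if gateway_fqdn in names:            # exact, case-sensitive comparison
            continue
        near = [n for n in names if n.lower() == gateway_fqdn.lower()]
        if near:
            findings.append(f"{label}: {near[0]!r} differs from {gateway_fqdn!r} only by case")
        elif names:
            findings.append(f"{label}: {gateway_fqdn!r} not among {names}")
        else:
            findings.append(f"{label}: no name present")
    return findings


# Constructed sample certificates (decoded form), using the post's example FQDN.
GOOD = {"subject": ((("countryName", "US"),), (("commonName", "mysbc.mydomain.com"),)),
        "subjectAltName": (("DNS", "mysbc.mydomain.com"),)}
CASE_MISMATCH = {"subject": ((("commonName", "MySBC.mydomain.com"),),),
                 "subjectAltName": (("DNS", "MySBC.mydomain.com"),)}
NO_SAN = {"subject": ((("commonName", "mysbc.mydomain.com"),),)}

if __name__ == "__main__":
    for name, cert in (("good", GOOD), ("case", CASE_MISMATCH), ("no-san", NO_SAN)):
        print(name, check_sbc_cert(cert, "mysbc.mydomain.com") or "OK")
```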

Only certain CAs are supported with O365. Below is a list of the CAs that are supported with O365.

  • AddTrust External CA Root
  • DigiCert Assured ID Root CA
  • DigiCert Global Root CA
  • DigiCert High Assurance EV Root CA
  • Entrust Root Certification Authority – G2
  • Entrust Root Certification Authority
  • Entrust.net Certification Authority (2048)
  • Entrust.net Secure Server Certification Authority
  • GeoTrust Global CA 2
  • GeoTrust Global CA
  • GeoTrust Primary Certification Authority – G2
  • GeoTrust Primary Certification Authority – G3
  • GeoTrust Primary Certification Authority
  • GeoTrust Universal CA 2
  • GeoTrust Universal CA
  • Go Daddy Class 2 Certification Authority
  • Go Daddy Root Certificate Authority – G2
  • GTE CyberTrust Global Root
  • Network Solutions Certificate Authority
  • RSA Security 2048 V3
  • thawte Primary Root CA – G2
  • thawte Primary Root CA – G3
  • thawte Primary Root CA
  • VeriSign Class 1 Public Primary Certification Authority
  • VeriSign Class 3 Public Primary Certification Authority – G2
  • VeriSign Class 3 Public Primary Certification Authority – G3
  • VeriSign Class 3 Public Primary Certification Authority – G4
  • VeriSign Class 3 Public Primary Certification Authority – G5
  • VeriSign Class 3 Public Primary Certification Authority
  • VeriSign Class 4 Public Primary Certification Authority – G2
  • VeriSign Class 4 Public Primary Certification Authority – G3
  • VeriSign Universal Root Certification Authority

For a more accurate list and other details related to certificates for O365 UM Online, refer to https://msdn.microsoft.com/en-us/library/gg702672(v=exchsrvcs.149).aspx (This list is currently being updated to reflect all the above certificates)

 

B. Configure UM settings on the O365 Portal

An O365 account with an Enterprise E3 or E4 plan, Educational A3 or A4 plan, Government E3 plan, or an à la carte Exchange Online Plan 2 is required.

For users to have voice mail in the cloud, you have to do the following on the O365 Portal:

Step 1 – Create a UM Dial Plan

To create a UM dial Plan

Login to the O365 Portal

On the Top right Hand corner click the drop down box where it says Admin

Select Exchange from the List

Then on the following Page select Unified Messaging at the bottom left Hand Corner

pic3

On the resulting page click on UM dial plans Tab at the top

Click the “+” Sign to create a New Dial plan

The New UM dial plan window now opens

On this window enter the details of the Dial Plan

Name – You can enter any name you want, some special Characters like ” / \ [ ] : ; | = , + * ? < > are not allowed.

Extension Length – Enter the number of digits you use for your users' extension numbers On Premise

Dial Plan Type – Telephone Extension and E.164 are the only supported Dial plan types for Integrating UM online with PBX/IP PBX.

VoIP Security Mode – Unsecured and cannot be changed

Audio Language – English (depends on your preference)

Country/Region Code – “1” for United States

Click Save

Your Dial Plan is now Created.

pic4

Every time you create a new UM dial plan, a default mailbox policy associated with this dial plan is created automatically.

Take note of which mailbox policy is associated with your dial plan. You can use the steps below to check.

How to check what Mailbox policy is associated with your dial Plan.

Login to the O365 Portal

On the Top right Hand corner click the drop down box where it says Admin

Select Exchange from the List

Then on the following Page select Unified Messaging at the bottom left Hand Corner

On the resulting page Double click on UM dial plan you created

You will be able to see which mailbox policy is associated with your UM dial plan, as shown in the screenshot below.

pic5

You can find more detailed explanation on Each of the above properties and UM Dial Plans here – http://technet.microsoft.com/en-us/library/bb123819(v=exchg.150).aspx

 

Step 2 – Create a UM IP gateway

A UM IP gateway on the O365 Portal represents your On Premise SBC (basically, it is the public/external FQDN of your On Premise SBC). You have to create an IP gateway in O365 to tell Exchange Online that THIS device (the On Premise SBC) will send voice mail calls to Exchange Online.

Below are the steps to create a UM IP Gateway

Login to the O365 Portal

On the Top right Hand corner click the drop down box where it says Admin

Select Exchange from the List

Then on the following Page select Unified Messaging at the bottom left Hand Corner

pic6

On the resulting Page

Click UM IP Gateway

Click the “+” sign

A new window named “New UM IP Gateway” opens up. On this window, enter the following details

Name – You can provide any name you like for reference purpose

Address – You need to enter the External/Public FQDN of your On Premise SBC

Click Browse

pic7

On the resulting Page you have to select the Dial plan that you created in Step 1 (create a UM dial plan) previously in this article.

pic8

On the resulting Screen you will now see the UM Dial plan value populated.

Click save.

pic9

Once you click save you will now see a UM IP gateway created under the UM IP gateway Tab on the O365 portal.

pic10

You have Now Successfully Created a UM IP gateway

For More details refer http://technet.microsoft.com/en-us/library/bb123890(v=exchg.150).aspx

 

Step 3 – Obtain Forwarding address from the O365 Portal

Once you create the IP gateway, you will get a FORWARDING ADDRESS from the O365 Portal.

This FORWARDING ADDRESS is actually the public FQDN of the Microsoft UM Online SBC.

You have to configure YOUR On Premise SBC to send calls to this forwarding address that you get from the O365 Portal for voice mail to work.

To Obtain the Forwarding address follow the below steps on the O365 Portal

On the O365 Portal, Go to Exchange Admin Center –> Unified Messaging –> UM IP Gateway

Select the UM IP gateway you created in Step 2

Click Edit

The Resulting Window will have the Forwarding Address Displayed.

Note down this forwarding address. As mentioned earlier, you have to configure YOUR On Premise SBC to send calls to this forwarding address that you get from the O365 Portal for voice mail to work.

See Screen shot below for reference

pic11

Your Step 3 is now complete.

 

Step 4 – Enable O365 Users for Unified messaging

Follow the steps below to enable a user for UM Online on the O365 Portal:

Login to the O365 Portal

Go to the Exchange Admin Center

On the Left Select Recipients

Search the user you want to enable for Unified Messaging

On the extreme right-hand side, click Enable under PHONE AND VOICE FEATURES –> Unified Messaging, as shown below:

pic12

On the resulting Page Click BROWSE

Select the UM Mailbox policy from the List that you want to use for your User

Click OK

See the screenshot below for reference

pic13

This will take you back to the Enable UM Mailbox Page, Click Next here

On the resulting page, enter an extension for the user (the extension should be the same as the one he uses on his On Premise phone system, and it has to be unique for every user)

Click Finish

pic14

Your User is now Enabled for UM in O365.

 

NOTE: In this scenario we enabled the user for UM on the O365 Portal itself. This was because I created my user directly on the O365 Portal and my user was previously NOT enabled for UM. If you are migrating your user from Exchange On Premise to Exchange Online and the user is already enabled for UM in your On Premise environment, then you have two options to enable him for UM in O365.

Option 1: You can disable UM for the user on the On Premise Exchange server, move his mailbox to O365, and then enable him again for UM on the O365 Portal following the same instructions as described above.

Option 2: If you do not wish to disable and re-enable the user for UM, and would instead like him to stay UM-enabled while you are moving the user's mailbox, you have to create in O365 the same dial plan and mailbox policies as you use in the On Premise Exchange UM setup; you can then move the user with his UM settings to O365. The procedure for this is described very well here – https://msdn.microsoft.com/en-us/library/hh552484(v=exchsrvcs.149).aspx This way his UM extension and PIN will remain the same.

You will still need to provide a unique Subscriber Access number to your O365 dial plan if you want your users to be able to call and check their voice mails from the PSTN or use OVA.

When the user is moved to O365, they will receive an automated email indicating they are enabled for UM; this email will contain the new SA number they can now use for OVA.

 

C. Configure your On Premise Phone system to send Voice Mail calls to your On Premise SBC

When User A in your company calls User B and User B does not answer the phone, it is the responsibility of your phone system to decide what to do with this call.

You will have to configure your phone system to forward this call to your On Premise SBC.

You may have to refer to the documentation provided by your phone system vendor to configure your phone system to achieve that.

Please refer to the articles below for more details

http://technet.microsoft.com/en-us/library/jj673558(v=exchg.150).aspx

http://technet.microsoft.com/en-us/library/ee364753(v=exchg.150).aspx

http://technet.microsoft.com/en-us/library/ee681657(v=exchg.150).aspx

 

D. Configure your On Premise SBC to forward these Voice Mail calls to O365 Exchange UM online.

Once you have configured your phone system/PBX to send voice mail calls to your On Premise SBC, you then have to configure your SBC to send calls to UM Online.

You have to configure your On Premise SBC to send voice mail calls to the FORWARDING ADDRESS of the Microsoft UM Online SBC that you obtained in Step 3 (Step 3 – Obtain Forwarding address from the O365 Portal) of this article. Below is the list of SBCs supported with UM Online and the corresponding links to their configuration documents:

http://technet.microsoft.com/en-us/library/jj673565(v=exchg.150).aspx

You also have to configure a certificate for the new On Premise SBC to encrypt the traffic between the SBC and UM Online, which travels over the Internet. The details were covered earlier in this article (under the section Obtain a Public Certificate for The External FQDN of your SBC). Below is a link that lists the third-party public CAs that are supported for UM Online.

http://msdn.microsoft.com/en-us/library/gg702672(v=exchsrvcs.149).aspx

 

Once you have completed Steps A, B, C and D, you have successfully integrated your On Premise PBX/IP-PBX with Microsoft O365 Exchange UM Online.

Comments (2)

  1. Jop Gommans says:

    Great article, very helpful in our migration scenario. There is a small issue with the link in the “Option 2” part. The link has the first word of the next sentence attached to it, can be a small fix 🙂
    Additionally, I find/found it very hard to find the ports required to make all this magic happen. From what I can find from the SBC to O365 should be SIP only traffic (so range 5060 to 5070, to have all SIP and Secure SIP ports to be safe), but in practice we found that the traffic could be initiated from both sides (SBC and Exchange Online UM), for the MWI for example.
    So simply put: the only ports that are required to be opened for this scenario are SIP ports (5060 to 5070). Can you confirm that?
    If so, it might be a good addition to the article, since this information is still somewhat hard to find.

    1. Thank you for your feedback, Jop.
      I have corrected the link in Option 2 🙂
      With regard to your question around ports: there are two parts to a UM call, SIP signaling and media.
      For SIP signaling the ports that ideally should be needed are 5061, 5063, 5066 and 5068. The traffic between the SBC and UMO is supposed to work on TLS and these are the TLS ports normally configured on Exchange UM. However, it may be a good idea to open the range from 5060 to 5070. I don’t, however, think it’s needed. Have you seen SIP traffic to and from UM on any other ports in your traces?
      For media the ports are normally advertised in the SDP, both in the SIP INVITE and the 200 OK. I have seen the ports range anywhere from 1024 to 65K for UDP.
      I agree with you, as I don’t seem to recall a public KB that lists the ports for UMO when integrating it with a PBX.
      I shall try to get a more confirmed answer and will update that information in the blog.
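The reply above notes that media ports are advertised in the SDP of the INVITE and the 200 OK. The following is an added example, not part of the original post or its comments: it pulls the advertised media address and port out of a captured SIP message and lists any that fall outside a UDP range an edge ACL allows. The sample message, its addresses and the ACL ranges in the test are constructed for illustration.

```python
# Constructed, abbreviated SIP INVITE; addresses are documentation ranges and
# the request URI is a placeholder, not a real forwarding address.
SAMPLE_INVITE = """\
INVITE sip:5001@forwarding-address.example:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS mysbc.mydomain.com:5061
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:101 telephone-event/8000
"""


def sdp_media_endpoints(sip_message):
    """Return [(media, address, port, transport)] advertised in the SDP body."""
    # SIP headers and body are separated by one empty line.
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_addr, endpoints = None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":                        # c=IN IP4 <address>
            addr = value.split()[2].split("/")[0]
            if endpoints:                      # media-level c= overrides session-level
                media, _, port, proto = endpoints[-1]
                endpoints[-1] = (media, addr, port, proto)
            else:
                session_addr = addr
        elif kind == "m":                      # m=<media> <port>[/<count>] <proto> <fmt...>
            media, port, proto = value.split()[:3]
            endpoints.append((media, session_addr, int(port.split("/")[0]), proto))
    return endpoints


def outside_range(endpoints, low, high):
    """Media endpoints whose advertised port an ACL allowing low..high would drop."""
    return [e for e in endpoints if not low <= e[2] <= high]


if __name__ == "__main__":
    eps = sdp_media_endpoints(SAMPLE_INVITE)
    print(eps, outside_range(eps, 1024, 65535))
```

Running it over the INVITE and the 200 OK of a traced call shows both directions of the media path, which is what the edge rules have to cover.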
