Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1267
Views
1
Helpful
31
Replies

integrating Microsoft Teams with an ISR 4321 voice router

jaheshkhan
Level 5
Level 5

‎02-27-2025 07:32 PM

We are working on integrating Microsoft Teams with an ISR 4321 voice router, where Microsoft Teams will function as the IP PBX for certain team members.

Currently, a SIP trunk is already established between CUCM and the voice router. The router has only one interface with the IP address 192.168.10.10. The internal team plans to use the same IP address to establish a second SIP trunk with Microsoft Teams. A public IP will be NATed to this internal IP address via the firewall, meaning the voice gateway is positioned behind the firewall.

Upon review, I found that mode border-element is not enabled under voice service VoIP at the moment. In the future, they may remove the SIP trunk between CUCM and the voice gateway. The CUCM version in use is 12.5.

My Questions:

  1. Is it possible to have two SIP trunks using a single IP address? Is this considered best practice?
  2. Do we need to enable the mode border-element command, or does the router function as a CUBE by default?
  3. Is a CUBE license required in this scenario?
  4. Are there any configuration templates available?
  5. Do they need to activate the security boot level license? Currently, they only have the uck9 license.

Call Flow:

  • Microsoft Teams Cloud → SIP Trunk → Public IP → Voice Gateway (192.168.10.10)
  • CUCM → SIP Trunk → Voice Gateway (192.168.10.10)
Labels:
0 Helpful
31 Replies 31

Roger Kallberg
VIP
VIP

‎02-27-2025 09:59 PM

1. Yes it is possible, no it is not considered best practice.

2. Yes you have to enable that command 

3. Yes it is licensed

4. Direct Routing for Microsoft Phone System with Cisco Unified Border Element (CUBE) 

5. Yes you need to enable security features and it requires a license 

My recommendation would be to use another router model for this. The 4321 is not a good option for this due to the limited capacity.



Response Signature


0 Helpful

jaheshkhan
Level 5
Level 5
In response to Roger Kallberg

‎02-27-2025 11:10 PM

so license UCK9 do they cube license at the moment?
in what stage they need this license. issue here is that cucm sip  trunk will not be used later after ms teams sip trunk established. in that case how cucm sip trunk working without cube license if its not there?
Am i missing some where?
I can provide second ip but once cucm sip trunk got removed its of no use again. thats why. what will happen if we use same interface for cucm and ms teams for sip trunk?

0 Helpful

Roger Kallberg
VIP
VIP
In response to jaheshkhan

‎02-28-2025 09:53 AM

Cube function is used when there are two VoIP call legs. If you only have a SIP trunk to CM and TDM based PSTN, called POTS in the router, you do not need Cube M.



Response Signature


0 Helpful

jaheshkhan
Level 5
Level 5
In response to Roger Kallberg

‎02-28-2025 11:43 AM

i got it. but in our case we are not planning to make any calls between ms teams and cucm SIP trunks. but there is PRI line pots for PSTN calls. so is it possible to have two sip trunk without any call each other. in that case no cube required right?

0 Helpful

Roger Kallberg
VIP
VIP
In response to jaheshkhan

‎02-28-2025 12:45 PM

Yes that should be possible.



Response Signature


0 Helpful

jaheshkhan
Level 5
Level 5
In response to Roger Kallberg

‎02-28-2025 05:50 PM

still securityk9 required because of TLS , am I correct?

existing cucm - voice gateway sip trunk is without TLS, it should not get impacted.

if we enable TLS command in sip will it impact existing normal trunk?

no remote-party-id
retry invite 2
transport tcp tls v1.2
crypto signaling default trustpoint sbc

why im asking this here only one single interface available.

I found that client installed certificate without any hostname information. but SAN information has sbc1.example.com .

so from msteams it will try to reach public ip addresss with this information. is it ok certificate not mentioned any hostnam information.

 

0 Helpful

Roger Kallberg
VIP
VIP
In response to jaheshkhan

‎02-28-2025 10:18 PM - edited ‎03-01-2025 12:53 PM

I don’t know about the certificate, but for TLS and SRTP it should be doable, but you’ll need to not set it globally under sip-ua, it should be set on the dial peer or tenant level. Yes you’ll need security features.



Response Signature


0 Helpful

vishalbhandari
Spotlight
Spotlight

‎03-01-2025 08:52 AM

Yes, you can have two SIP trunks using the same IP address, but it's not considered best practice due to potential conflicts in SIP call routing and NAT traversal issues. Ideally, each trunk should have a distinct listening port or a separate IP if possible.

To use the ISR 4321 as a SIP gateway between Teams and CUCM, mode border-element must be enabled under voice service VoIP. The router does not function as a CUBE (Cisco Unified Border Element) by default; you must explicitly configure it.

A CUBE license is required to enable SIP-to-SIP call routing between Microsoft Teams and CUCM. Since you only have the uck9 license, you’ll likely need the securityk9 and CUBE licenses for full functionality.

For configuration, Cisco provides CUBE templates for integrating Microsoft Teams via Direct Routing. You can refer to Cisco’s official CUBE documentation or Teams integration guides.

Regarding the security boot level license, it may be required if your deployment involves encrypted SIP traffic or SRTP. However, basic SIP trunking can work with uck9 alone.

0 Helpful

jaheshkhan
Level 5
Level 5
In response to vishalbhandari

‎03-01-2025 11:42 PM

thank you for the reply.
please note that there is no plan to call between cucm and  ms teams. so in that case there is no need of mode border-ekenebt cinnabd right. 
PSTN line is PRI and not sip trunk.
initial stage sip trunk between cucm and voice gateway required. once the ms teams sip trunk established and if they are able to make pstn call then no need of cucm sip trunk.
so one natted IP address required in this case at the moment. 

0 Helpful

Nithin Eluvathingal
VIP
VIP

‎03-01-2025 09:45 AM

To set this up, configure CUBE on the ISR 4K. Direct Routing can coexist with your existing voice gateway—this is precisely how my customer has it deployed. Create a trunk from the CUCM to the voice gateway and a second trunk from Microsoft Teams to CUBE. Essentially, you’ll register the gateway’s public IP as an SBC in Microsoft Teams.

To add the CUBE as an SBC for Microsoft Teams, set up an A record in the public DNS that resolves to your public IP. You’ll also need to configure NAT on the firewall for traffic between Microsoft Teams and the CUBE. I’ve outlined the prerequisites for this setup on my blog.

I intended to share the configuration, but I haven’t had time to finalize it. I’ll likely publish the details in a couple of weeks.

That’s not all—Microsoft Teams uses Secure SIP, so you’ll need a publicly signed certificate. A Start certificate should be adequate.

DM me, and I can share the configuration I recently used for a similar setup with an 82K router.

You’ll also need to manage several normalizations for Microsoft Teams. As far as I know, since you’re using TLS, a security license is required on the ISR. However, with the ISR 4K past its end-of-sale date, I’m unsure how you’d obtain the licenses now. In most of my recent deployments with an 82K router, the DNA Advantage license was sufficient for this to work.

The number of licenses depends on the concurrent calls you plan to send to Teams and between CUCM and CUBE. In my deployment, I used non-secure SIP between CUCM and CUBE  and secure SIP from CUBE to Microsoft Teams.



Response Signature


0 Helpful

jaheshkhan
Level 5
Level 5
In response to Nithin Eluvathingal

‎03-01-2025 11:33 PM - edited ‎03-01-2025 11:38 PM

i too agreed. but in our case there is no plan for call between cucm and MS teams. MS teams will act as individual call controll or pbx. so in that case there is no need for cube setup right. PSTN side its PRI line.

Also SIP trunk between cucm and voice gateway will be removed later stage and only ms teams will be there. 

cucm will be used for other site voice gateways.

regarding the securityk9 license i need to check it.

0 Helpful

Nithin Eluvathingal
VIP
VIP
In response to jaheshkhan

‎03-02-2025 06:26 AM

To enable Direct Routing for Microsoft Teams, you must configure the Cisco Unified Border Element (CUBE) feature.

CUBE Details Required for the Direct routing.


• Cisco ISR 4000 series router [Any certified platform may be used]
• CUBE-Version: 12.8.0 (IOS-XE 17.2.1r) [Later releases may be used]



Response Signature


0 Helpful

jaheshkhan
Level 5
Level 5
In response to Nithin Eluvathingal

‎03-01-2025 11:46 PM

client have install public signed certificate but it doesnt contain any voice gateway hostname (VG1) in it but SAN is there. that SAN FQDN(eg: sbc1.example.com) is available in public dns record.
i think this will work in this way right. but what i have to do in this case?

0 Helpful

Nithin Eluvathingal
VIP
VIP
In response to jaheshkhan

‎03-02-2025 06:13 AM

So, essentially, it will be a star certificate, and that should suffice.

However, there are additional configuration to make this cert used and for your setup to work.

 



Response Signature


0 Helpful
Customers Also Viewed These Support Documents