Using a free Lets Encrypt SSL for your 3CX Teams Direct Routing deployment
By Christopher Talke Buscaino at
Prerequisites
If you're reading this, you may have already spent some time reviewing Microsoft's documentation on setting up Teams Direct Routing. If not, it would be a good idea to read through it before continuing. Below is a link to the SSL/TLS documentation, which is relevant to the information in this post.
Before continuing, it's important to note that the SSL/TLS documentation provided by Microsoft is essential reading for anyone setting up Teams Direct Routing. By familiarizing yourself with this information, you'll be better prepared to configure and manage your Teams Direct Routing setup. So, if you haven't done so already, take the time to review the documentation before proceeding.
Microsoft Teams - Planning Direct RoutingLearn how Microsoft Direct Routing lets you connect a supported customer-provided Session Border Controller (SBC) to Phone System.
... In addition to this, you will also have a deployed 3CX Instance with your Office 365 Integration connected already. If you have not done this, well... please go follow those steps first (see below).
3CX - Microsoft 365 IntegrationSetup Microsoft integration to sync users, enable SSO and contact/calendar sync depending on Microsoft subscription and 3CX Edition.
... and lastly you should be following the steps provided by the folks over at 3CX for setting up Teams Direct Routing, and using this post on the side to accompany you as you walk through the steps (see below).
3CX - Configuring Microsoft Teams Business VoiceConfigure your MS teams business voice with 3CX. Call via 3CX SIP Trunks and benefit from a full-featured PBX with contact center features.
Generating the SSL Certificate
To make the process of setting up Teams Direct Routing as easy as possible, we will be using a tool created by Robert at punchsalad.com (see link below). While it may be tempting to use the command line interface (CLI) or a tool like Certify The Web, this tool simplifies the process and is recommended for those who are not familiar with the CLI or advanced certificate management tools. If you are comfortable with those tools, feel free to use them instead. However, for the purpose of this tutorial, we will be using Robo's tool.
PunchSalad - Free SSL Certificate GeneratorCreate a Free Let's Encrypt SSL Certificate in a few minutes (including Wildcard SSL).
Now that we have the necessary certificates, let's move on to the next step in the process of setting up Teams Direct Routing.
Navigate to the SSL Certificate Generator (linked above)
- Enter the domain: teams.xyz.com.au
- Enter the email address: example@xyz.com
- Select the DNS Verification option
- Check the Lets Encrypt Agreement checkbox
Click Submit
- At this point, you will be given a DNS TXT record to add to your DNS provider. Go to the provider who manages your DNS and add the DNS TXT record, then wait approximately 5-10 minutes before proceeding.
Once ready, click Verify and wait.
You will now be shown two text boxes, the first box is the Certificate + CA Bundle and the other is the Private Key.
- Save the first box as a text file somewhere secure and name it cert.pem, ensuring that you are using the .pem file extension.
- Save the second box as private.pem, again ensuring that you are using the .pem file extension.
You have successfully generated the required certificates!
Uploading the SSL Certificate
Now you should be all good to go with uploading the SSL Certificate to your 3CX Instance.
- Navigate to your
3CX Administration
portal - Click on
Settings
- Click on
Microsoft 365
- Click on
Teams Direct Routing (Alpha)
- Go to
Step 1
and enter the domain we used to generate the certificate earlierteams.xyz.com.au
. - Go to
Step 2
and upload the two files we created earlier. - Go to
Step 3
&Step 4
, and generate the two Powershell Scripts you'll need to run. - Click
Save
once you've uploaded the new files.
Once these have been uploaded, make sure to keep note of the Expiration Date
which is shown directly underneath the Certificate
input field.
At this point, if you're going to keep this instance running for a long period of time, set a reminder in whatever tool you prefer (i.e. Outlook/Google Calendar). This way you won't find yourself troubleshooting and wasting time in a few months when your generated certificate expires!
Running the Powershell Scripts
Please refer to the 3CX Guide linked earlier for setting up Microsoft Teams Business Voice with 3CX (Direct Routing), otherwise, please see below extract from the relevent section:
- Review the script for any invalid users that might be commented out. Adjust accordingly and repeat the above steps.
- Start Windows Powershell as Administrator and ensure that execution policy is set to Bypass by entering this command:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
- Go to the folder where the script “map_users.ps1” is saved and run.
At this point you should be all good to move onto testing, and making sure the SSL Certificate worked.
Testing Teams Direct Routing
Before you start testing if the SSL Certificate has worked, you should probably wait a moment to ensure the two systems. As stated by 3CX "... the integration might take up to 24 hours to be fully functional.", however, if you don't see any explicit SSL/TLS Errors on either end (i.e. in 3CX or in Microsoft Teams) then you should be all good.
Once you've waited sufficent time, try make some outbound calls and also try make some calls inbound to your phone system.
Hopefully everything worked as expected!
Resource Recap
Microsoft Teams - Planning Direct RoutingLearn how Microsoft Direct Routing lets you connect a supported customer-provided Session Border Controller (SBC) to Phone System.
3CX - Microsoft 365 IntegrationSetup Microsoft integration to sync users, enable SSO and contact/calendar sync depending on Microsoft subscription and 3CX Edition.
3CX - Configuring Microsoft Teams Business VoiceConfigure your MS teams business voice with 3CX. Call via 3CX SIP Trunks and benefit from a full-featured PBX with contact center features.
PunchSalad - Free SSL Certificate GeneratorCreate a Free Let's Encrypt SSL Certificate in a few minutes (including Wildcard SSL).