Hooking up Twilio SIP to Skype for Business

If you’ve never heard of Twilio before, you’d be surprised to learn that they are the largest backend for automated calling and text messaging (and verification) services, and are pioneering Software Defined Telephony by using APIs to route and handle texts/calls/faxes. Is your Uber driver calling you now? That’s Twilio… Got a text from Netflix for a password reset? Yup, that’s Twilio… PagerDuty sending you an SMS alert? You guessed it!

There are MANY things you can build with Twilio, but you can also use its simple services to set up PSTN origination/termination with your Skype for Business infrastructure. Why?

  • Fast and easy provisioning of trunks and numbers. No contracts, and you pay for what you use. Buy a number and it’s ready to use in less than a minute!
  • Crazy scalable. If large companies rely on Twilio for their backend integrations, why wouldn’t you?
  • Support for SIPS and SRTP, which means encrypted, secure calls over that internet trunk
  • Record calls and pull them from the Twilio portal or over API. Need recording for certain Response Groups? Done.
  • Failover mechanisms that can use preference/weight to balance call targets, or set up a script that can at least give callers a notice that your phones are down, or route them somewhere else, automatically
  • Use add-ons to do fancy things like transcribe calls with speaker recognition, translate calls then play them using text-to-speech, or even cleanse call recordings of sensitive PCI data. Yes. I know. It’s crazy.
  • Entire platform is built on top of AWS and globally scaled, so you know it’s good…

In this post I’ll guide you through setting up a trunk over the internet between an SfB infrastructure and Twilio’s Elastic SIP Trunking service, so you can start using it as a failover, aggregate, or maybe a conferencing bridge number so you’re not limited by your PRIs.

First, Sign up for Twilio

Obvious step here, you have to go here and sign up for an account.

Load it with some of your cash, which you can source from a Credit Card or over PayPal. You could use Twilio’s free test features, but if you want to call real numbers you need to have some money loaded there.

Create and configure a Twilio Elastic SIP Trunk

Now that you have an account with some moolah, it’s time to make that SIP trunk. Go to Elastic SIP Trunking (if you don’t see it, hit the “…” button), then Create new SIP Trunk.

Give it a friendly name.

Then go to Termination and enter a Termination SIP URI. You’ll use this when creating the PSTN Gateway in Skype or Lync (or your favorite SBC). Don’t worry about call recording or encryption yet, you can play with that stuff later.

Then under Authentication, create an ACL and add the IP addresses of your mediation boxes. If you’re NATted outbound then use that, but in order to receive calls you’ll need to have inbound NAT or a public IP assigned.

Now save your Trunk by hitting Save at the bottom.

Next we will configure origination, so we can receive PSTN calls over the SIP trunk.

Configure an Origination URI, and set it in the format shown. ;transport=tcp will force Twilio’s edge to use TCP instead of the default UDP transport, still over 5060. If you want a different port, just use sip:IPADDR:PORT;transport=tcp. This is very similar, if not identical, to how Flowroute’s inbound routes work. If you’ve got multiple servers, you can play with priorities and weights… but that’s out-of-scope for now.

Next, you can assign numbers for your DIDs. If you don’t, you can still make outbound calls and mask caller ID as anything you want, but for receiving calls you need a PSTN number…

You can probably figure out the rest, but the basics are done. Let’s move to SfB now.

Configure Lync / Skype for Business Trunk

Remember that Termination SIP URI? We need it now. So we start by creating a new PSTN Gateway in the topology and using it as the FQDN.

Then we use 5060 as the port and TCP as the protocol. If we were using TLS, we would change that to 5061.

Publish the topology and then start using your new root trunk in your voice routes for outbound calls. That’s pretty much it! (assuming you’ve got the networking done right, either NAT or Public with dual-home).

To secure your edge you can use Twilio’s public IP list to make sure you’re not getting unauthorized SIP requests. You can get that here:

Test and smile

Since we’re not encrypting SIP traffic, and it’s flowing over 5060, we can fire up Wireshark and start looking at dialogs. Even with no calls flowing, we should be seeing OPTIONS requests roughly every 60 seconds sourcing from the Skype servers that have the trunk attached.

Making an inbound call we see the INVITE sourcing from Twilio.

And making an outbound call we see the call outgoing:

Also, Twilio has built-in pcaps that you can use to troubleshoot the remote-end of the trunk. Think of this as having Wireshark running on Twilio’s edge. VERY COOL!

Important note for NAT and non-SIP-aware edge

If you’re using a Mediation server, either dedicated or collocated, and use RFC1918 private IPs on your inside network, you have to do NAT to translate a public address to the inside IP and get calls flowing.

The issue this introduces is it’s not a supported configuration with Skype because the Contact header (and many others) will have the server’s internal IP, when it really should have the external, public IP. That’s why when doing Direct SIP with certified providers, you need to use the Edge server with a Public IP.

Some providers like IntelePeer will happily mangle SIP headers to make sure they have your external IP in there, and everything is well. In my case, using a NAT address kills some functionality, specifically:

  • Some calls tend to hang up after 30 seconds
  • Calls can’t be put on hold for longer than 30 seconds
  • When hanging up the call on the far end, the out-of-dialog BYE message coming from Twilio goes to the contact IP, so you never get it… and the call hangs up after 30 seconds anyway
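A quick way to confirm this condition from a capture is to scan the routing headers of an outbound request for RFC1918 literals. The following is an added example, not part of the original post; the sample INVITE, host names, numbers and addresses are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly so documentation ranges are not flagged.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Headers the far end uses to route responses and later in-dialog requests.
ROUTING_HEADERS = ("via", "contact", "record-route")
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed outbound INVITE from a Mediation Server behind 1:1 NAT.
# Host names, numbers and addresses are made up for illustration.
SAMPLE_INVITE = (
    "INVITE sip:+15555550100@trunk.provider.example;user=phone SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 10.1.20.15:5060;branch=z9hG4bK1a2b3c\r\n"
    "From: <sip:+15555550199@med01.corp.example;user=phone>;tag=8f3e\r\n"
    "To: <sip:+15555550100@trunk.provider.example;user=phone>\r\n"
    "Call-ID: 7c1d9e42\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:med01.corp.example:5060;transport=tcp;maddr=10.1.20.15>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def private_routing_addresses(raw_message):
    """Return {header: [RFC 1918 literals]} found in routing headers."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    findings = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        name = name.strip()
        if not sep or name.lower() not in ROUTING_HEADERS:
            continue
        for literal in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:                   # e.g. 999.1.1.1
                continue
            if any(addr in net for net in RFC1918):
                findings.setdefault(name, []).append(literal)
    return findings


if __name__ == "__main__":
    for header, addrs in private_routing_addresses(SAMPLE_INVITE).items():
        print(f"{header}: private address {', '.join(addrs)} visible to the far end")
```

Any hit in Contact means in-dialog requests from the provider (such as the BYE described above) will be addressed to an IP it cannot reach.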

Using a Session Border Controller to trunk to Twilio is one answer. Using a SIP-aware firewall or edge device is another, but most can’t do SIP over TCP, and definitely not SIP over TLS… so what then?

There’s a bit of a hack, and it involves setting the EnableSessionTimer to $True, RTCPActiveCalls to $False and RTCPCallsOnHold to $False, like so:

Not ideal, but gets the job done. The SessionTimer will check every 30 seconds for an active RTP session, regardless of whether RTCP “control” packets were received or not. This is why calls hang up after 30 seconds, because of no RTCP from Twilio since it goes to the Contact IP.

This hack is best reserved for cases where it’s a MUST and no other solution is viable. My recommendation would be to use a Public IP with proper edge security (limiting to Twilio’s service addresses) or to use an SBC or B2BUA.
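To check that edge filtering is actually limiting SIP to the provider's addresses, compare the sources seen at the edge against the allowlist. This is an added example, not part of the original post; the allowlist uses documentation ranges as placeholders for Twilio's published addresses (not reproduced here), and the log format and entries are constructed.

```python
import ipaddress
from collections import defaultdict

# Placeholder allowlist: documentation ranges standing in for the provider's
# published signalling addresses. Replace with the real list before use.
ALLOWED = [ipaddress.ip_network(n)
           for n in ("192.0.2.0/24", "198.51.100.16/28")]

# Constructed edge log, one SIP request per line: "<time> <source ip> <method>".
SAMPLE_LOG = """\
2016-07-01T10:00:01Z 192.0.2.10 INVITE
2016-07-01T10:00:07Z 203.0.113.77 REGISTER
2016-07-01T10:00:09Z 203.0.113.77 OPTIONS
2016-07-01T10:01:30Z 198.51.100.20 BYE
2016-07-01T10:02:00Z 198.51.100.40 INVITE
not-a-log-line
"""


def unauthorized_sources(log_text, allowed=ALLOWED):
    """Map each source IP outside the allowlist to the SIP methods it sent."""
    offenders = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _, src, method = parts
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue                      # source field is not an IP address
        if not any(addr in net for net in allowed):
            offenders[src].append(method)
    return dict(offenders)


if __name__ == "__main__":
    for src, methods in unauthorized_sources(SAMPLE_LOG).items():
        print(f"{src} is outside the allowlist, sent: {', '.join(methods)}")
```

With the filter working, this should return nothing; any entry is a request that reached the SIP listener from an address the firewall should have dropped.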

Hope you enjoyed this post!!! Please leave a comment!!!

Is your Lync/SfB starved for memory?

Let’s say it was totally underprovisioned at some point. Just bumping up the RAM won’t give you the performance you expect. Here’s why:

You deploy a Server 2012 R2 template with 2GB RAM using your favorite hypervisor and just roll with the Skype for Business or Lync deployment without even thinking about it. Or… let’s say you ask for a VM to be provisioned so you can roll out SfB, and it’s underprovisioned from the start, but changing the resources would take too long so you go ahead with the deployment anyway and just wait for resources to be added later on. No time wasted. How many times has that happened? Plenty to me…

Down the road, whether it’s a reactive need for more memory, or you just realized the VMs were completely underprovisioned and not up to the 32GB RAM Microsoft really asks for… What then? Just bump up the RAM, right?

Not quite…

Do that, and your SQL instances RTCLOCAL and LYNCLOCAL will just daydream about those sweet 32GB you allocated… Let’s take a look at a VM with only 4GB on it:

Pretty sad, right? At no point in time can both SQL instances consume more than 941MB. What if you add RAM, you say? The Minimum and Maximum Server Memory stay exactly the same!!!

If you want to go ahead and change these values, you’re free to do so, but it’s not technically supported. Don’t care? Then pick values of 6%-8% of your total RAM for LYNCLOCAL, and 12%-15% for RTCLOCAL. Care? Then:

  1. Open the Deployment Wizard, Install or Update, and run Step 1 again. Go grab a coffee while RTCLOCAL gets pimped out with more RAM.
  2. Then run Step 2 again. If done with coffee, get a new one while LYNCLOCAL gets a memory makeover.

You can verify the added memory now. Big difference. But, because these instances actually run on SQL Express, they won’t be able to address more than 1GB each (or 1400MB depending on who you ask). The difference between a max 327MB and 1GB is quite substantial, so this change will still make a difference.

7/28/2016 Edit: Looks like Tom Pacyk wrote a better post over two years ago, and also points out the SQL Express limit of 1GB per instance.

Skype for Business preview for Android

A few hours ago I received an e-mail from Microsoft inviting me and some of my coworkers to the Skype for Business Mobile Preview program, with instructions on how to get the Android app installed.

So far the app is very well made, with a less “beta” sense than many other products. I dare to say this preview app feels more reliable than the Lync 2013 app. Some screenshots that give you an idea of what it’s like:

Some nice changes/additions:

  • Ability to manage your contact list from the app. Add, remove and move contacts within groups
  • Shake your phone for feedback to the developers (can see this getting removed in GA, but it’s pretty nice)
  • Improved integration into the Android OS (missed calls, missed IM’s and active calls, but Lync 2013 had similar integration)
  • Call Forwarding settings now let you apply settings outside business hours (like the Desktop client)

Tomorrow when the greater part of my colleagues are actually awake, it will be time to run conferences and view content. So far so good. Great job Microsoft!

Skype for Business Prerequisites one-liner

Technet has a PowerShell one-liner but it’s missing .NET 3.5 and the Windows Identity Foundation, which you need anyway. Here’s the one-liner that includes them (and assumes your media is on D:)

Install-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client, Net-Framework-Core, Net-HTTP-Activation, Windows-Identity-Foundation -Source D:\Sources\SxS

Music on Hold issue with AudioCodes and VVX

After a few hours of headscratching and a support ticket with AudioCodes I’ve resolved an issue that VVX phones have with Music on Hold through an AudioCodes gateway. All VVX phones are running UC firmware, and someone else out there is having the exact same issue, but turns out the suggested fix of using voIpProt.SIP.useSendonlyHold="0" does not actually work in the 5.2 firmware.

For a bit of background, what’s happening is the VVX sends a=sendonly in the SDP when a call gets put on hold, but Lync clients send a=inactive. The AudioCodes will play MOH when a=inactive is in the SDP, but not with sendonly, and there is only one behavior that can be configured.

Setting the SendonlyHold flag in the config files did not make a difference, and the VVX’s were still sending the undesired SDP parameter, so the fix was to use a message manipulation rule on the AudioCodes to change it.

Going to VoIP > SIP Definitions > Msg Policy & Manipulation > Message Manipulations then creating the following is the first step:

  • Manipulation Name: VVX Hold
  • Manipulation Set ID: 1
  • Message Type: reinvite.request
  • Condition: param.message.sdp.rtpmode=='sendonly'
  • Action Subject: param.message.sdp.rtpmode
  • Action Type: Modify
  • Action Value: 'inactive'

Then if you’re using SBC, you’ll need to apply the Manipulation Rule to the IP Group and call it a day… But in my case I’m using GW as the setup is from Lync to a PRI, and I could not associate the rule to the IP group for Lync. This was the difficult part because nothing I did applied that manipulation rule to Lync… then Janiel from AudioCodes came to the rescue with instructions:

Open the INI parameters from the Admin Page (http://x.x.x.x/AdminPage), then enter GWINBOUNDMANIPULATIONSET with a value of 1 (or whichever Set ID you used for your Manipulation rule)

Once this was done, all reinvites back from Mediation with a=sendonly (call on hold) get translated to a=inactive and the gateway queues Kenny G or AC/DC. We can confirm the rule is applied and the RTP mode gets changed.
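The effect of that manipulation rule on the wire can be reproduced offline to verify a capture. This is an added example, not AudioCodes code and not part of the original post; the re-INVITE, host names and addresses are constructed, and the function only mirrors the rule's condition (re-INVITE with rtpmode sendonly) and action (set it to inactive).

```python
import re

# Constructed SDP body and in-dialog INVITE (hold request); all values made up.
_SDP = (
    "v=0\r\n"
    "o=- 1 2 IN IP4 192.0.2.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.50\r\n"
    "t=0 0\r\n"
    "m=audio 20000 RTP/AVP 0\r\n"
    "a=sendonly\r\n"
)
SAMPLE_REINVITE = (
    "INVITE sip:gw.corp.example SIP/2.0\r\n"
    "From: <sip:med01.corp.example>;tag=11aa\r\n"
    "To: <sip:gw.corp.example>;tag=22bb\r\n"
    "CSeq: 2 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SDP)}\r\n"
    "\r\n" + _SDP
)


def apply_hold_rule(raw):
    """Rewrite a=sendonly to a=inactive in a re-INVITE; return (message, changed)."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    to_hdr = next((ln for ln in lines[1:] if ln.lower().startswith("to:")), "")
    # A re-INVITE is an INVITE inside an existing dialog: the To header has a tag.
    if not lines[0].startswith("INVITE ") or ";tag=" not in to_hdr.lower():
        return raw, False
    new_body, count = re.subn(r"(?m)^a=sendonly(?=\r?$)", "a=inactive", body)
    if count == 0:
        return raw, False
    # Both tokens are 8 bytes, so the length is unchanged here; recomputing it
    # keeps the function correct if the rule is adapted to other values.
    length = len(new_body.encode("utf-8"))
    lines = [f"Content-Length: {length}"
             if ln.lower().startswith("content-length:") else ln
             for ln in lines]
    return "\r\n".join(lines) + sep + new_body, True


if __name__ == "__main__":
    rewritten, changed = apply_hold_rule(SAMPLE_REINVITE)
    print("rule applied" if changed else "rule not applied")
    print(rewritten)
```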

Lync Quality of Service (QoS) with Sophos UTM

Since version 8.2, when Sophos UTM was called Astaro Security Gateway, the firewall distribution has the ability to filter by application instead of just ports, making it what marketing loves to call a “next-generation firewall”. Sophos calls this Application Control, Palo Alto Networks calls this App-ID, and other vendors have different names for it, but the underlying technology is similar to how an IDS would detect attacks by using signatures. In simple terms, the firewall identifies traffic based on application signatures and takes actions based on that.

The neat thing with Sophos UTM is that you can leverage this Application Control to select traffic and give it priority or throttle down the speed. When using Lync, it’s important to prioritize your media traffic at the edge so calls and sharing for external users or federated users gets the bandwidth it needs. Or perhaps you use Sophos UTM at home (because why not? it’s free), and want to make sure your calls get the right amount of bandwidth. Here’s how to do it:

  1. Set your interface bandwidths properly and turn on QoS on each. You can leave Automatic QoS checked (it’ll use WRED to balance your traffic nicely).
  2. Create a Traffic Selector by going to Interfaces & Routing > Quality of Service (QoS) > Traffic Selectors > New Traffic Selector.
  3. Pick the selector type as Application Selector, with source Any, destination Any, and browse for the Lync application objects. Note there are many, and we’re interested in the real time audio/video ones. Pick them, then hit Apply, then save the Traffic Selector.
  4. Next move to Bandwidth Pools, pick your external interface, and then New Bandwidth Pool.
  5. Pick a name for it, a “reserve” bandwidth, and then select your Traffic Selector created earlier. The bandwidth setting should be the maximum Lync will get if your upload is completely saturated. For example, if you’ve got a 10 megabit line, and reserve 2048 kilobits, then Lync will be guaranteed 2 megabits even when the connection is being used 100%.
  6. Save the rule and then turn it on.

You can also create the same rule on the inside interfaces to make sure your traffic gets priority on the way back as well. Note that you can really only control how you send packets, not how you receive them.

Hope this is helpful! Feel free to drop a comment!

This Just In: Lync 2013 CU5 Has Been Released!

LyncFix: This Just In: Lync 2013 CU5 Has Been Released!.

Lync 2013 Contact Backup and Restore Tool (GUI)

My good colleague Anthony Caragol wrote a nice Lync tool to back up and restore contacts in Lync 2013. Check it out!

Lync 2013 Contact Backup and Restore Tool (GUI).

Non-E.164 voice gateway trunk into Lync 2013

While doing an integration with a Cisco CallManager cluster that was on version 6.1, I realized why Microsoft only supports CUCM 7.0 and above. Earlier versions do not handle E.164 and so calls through the SIP trunk into the Lync mediation pool would not have the nice “+” on the SIP Invites. Fortunately, Lync 2013 lets you do inbound and outbound translations to overcome these situations, although you’d still be running on an unsupported Voice gateway.

To handle Inbound SIP without E.164 prefix, you can create a Pool Dial Plan for the SIP trunks (PstnGateway) you’ll need to handle, and then create normalization rules to prefix a + and remove any other numbers. You can also do it at a Global level, but I like to keep things separate, and in my case CUCM integration is only temporary until all sites are on Lync.


To handle Outbound SIP, you can use Calling and Called Number Rules under Trunk Configuration, and add/remove prefixes to be passed over to the voice gateway. In my case, I’m removing the + and prefixing a 7 to test outbound PSTN calling.


Lync Comfort Noise with Cisco router or AudioCodes

Lync uses a feature called Comfort Noise that reduces network traffic in moments of silence, but still allows the voice gateways to generate some white noise to avoid the “hello? are you still there?” conversations. If your gateway is not configured to support Comfort Noise, then Lync will throw Event ID 25073 on your calls, saying The Mediation Server service has received a call that does not support comfort noise […] The Trunk does not support comfort noise.

If you’re using a Cisco router as your voice gateway, you can enable Comfort Noise support by using the following command under your voip dial-peer connecting into Lync:

rtp payload-type comfort-noise 13

Or if you’re using an AudioCodes gateway, you can find the options under VoIP > Media > RTP/RTCP Settings, but make sure you’re using the Full menu set.

After enabling Comfort Noise support, you can run a packet capture and notice the RTP packets showing support
