Trusted devices / lobby bypass for Microsoft Teams and Google Meet

The Trusted devices and Teams Meetings lobby bypass licenses are optional add-ons for customers with Microsoft Teams CVI or Google Meet interoperability that allows lobby-bypass for SIP video endpoints that are not registered to the service — this enables them to join the interop meeting directly and not have to wait to be admitted by the meeting host.

Video endpoints that are registered on the Pexip Service under the same company that has the Teams CVI / Google Meet interop service do not need a trusted device license — they are automatically treated as trusted and can bypass the Teams / Google Meet lobby.

Trusted device add-on license

With the Trusted device add-on, lobby-bypass can be enabled for:

  • Endpoints that are not registered on the Pexip Service.
  • Endpoints that are registered on the Pexip Service, but are part of a different company (for example where a large organization is managed as different companies within the Pexip Service).

Teams Meetings lobby bypass add-on license

The Teams Meetings lobby bypass license is an add-on to the Connect for Zoom Rooms license that specifically enables lobby bypass for your Zoom Rooms into your Teams meetings.

Join workflow

The following images show a comparison of a trusted v non-trusted join workflow.

Trusted devices join workflow:

Non-trusted devices join workflow:

How it works

Each type of trust method works in different ways.

Non-registered SIP endpoints

Pexip offers two ways to trust non-registered SIP endpoints: SIP authentication (recommended) and by IP address.

You can use a combination of both methods.

SIP authentication

When using SIP authentication:

  • The video endpoint calls from a domain that the Pexip Service is configured to challenge. After providing authentication, the call bypasses the lobby. If it does not provide authentication, the call disconnects.
  • If the call is from a domain that is not set up to be challenged, the user is placed in the lobby.

This is the most secure trust option. It requires that customer’s SBC can authenticate on behalf of its clients. (Pexip can provide the customer with a username/password to be used.)

Pexip supports multiple domains to be challenged per customer.

IP address

When using IP address authentication:

  • The endpoint is trusted if the call comes from a pre-configured list of IP addresses. This assumes that the customer's call control system is correctly configured to validate the endpoint, and that it only relays their own traffic to the Pexip Service.
  • Any calls not coming from an approved IP address are placed in the lobby.
  • You can further restrict this rule to only include endpoints coming from a specific domain. This is useful when multiple companies share one call control infrastructure.

Pexip supports multiple IP addresses / network masks.

Registered SIP endpoints with a different company

To trust endpoints that are registered on the Pexip Service but belong to a different company, Pexip simply needs to know which (one or more) companies should be trusted when the company with the Teams / Google Meet interop license has a Teams / Google Meet meeting. All of the registered endpoints with those associated companies will then bypass the Teams / Google Meet lobby.

Zoom Rooms

To trust Zoom Rooms, Pexip needs to know your Zoom Account Number, so that it can identify your Zoom Rooms and provide trusted lobby bypass (a signed hash of the associated Zoom account number is included in the request to Pexip when a Zoom Room attempts to join a Teams meeting).

Note that lobby bypass only works for Zoom Rooms that are integrated with the Calendar Service.

Configuring trusted devices / lobby bypass

Configuration and setup of trusted devices / lobby bypass is only available via your Pexip partner. When you contact your partner please inform them of the trust methods you want to use.

Ensuring that your trusted devices are shown in the global directory

You can use static addresses to add unregistered endpoints to the global directory. Ask your Pexip partner for support on this feature.

Supported devices and call control systems

Any SIP (2.0) compatible system is supported.

Non-SIP calls, e.g. H.323, are not supported. Any such calls bypass any policy rules and are handled as if no rules have been set.

We have tested against self-hosted Pexip Infinity and we also expect other session border controller (SBC) systems to work successfully. Note that the Cisco Expressway is not a suitable system for use with the SIP authentication method (however, IP address trust works correctly with Expressway).