Trusted devices / lobby bypass for Microsoft Teams and Google Meet

Trusted devices is an add-on for service gateway customers (Microsoft Teams or Google Meet) to allow lobby-bypass for SIP video endpoints that are not registered on the Pexip Service.

Without trusted devices, only video endpoints registered on the service under the same company as the CVI Service for MS Teams can bypass the Microsoft Teams lobby, and only video endpoints registered on the service can bypass the Google Meet lobby.

How it works

Pexip offers two ways to trust non-registered SIP endpoints: SIP authentication (recommended) and by IP address.

You can use a combination of both methods.

SIP authentication

When using SIP authentication:

  • The video endpoint calls from a domain that the Pexip Service is configured to challenge. After providing authentication, the call bypasses the lobby. If it does not provide authentication, the call disconnects.
  • If the call is from a domain that is not set up to be challenged, the user is placed in the lobby.

This is the most secure trust option. It requires that customer’s SBC can authenticate on behalf of its clients. (Pexip can provide the customer with a username/password to be used.)

Pexip supports multiple domains to be challenged per customer.

IP address

When using IP address authentication:

  • The endpoint is trusted if the call comes from a pre-configured list of IP addresses. This assumes that the customer's call control system is correctly configured to validate the endpoint, and that it only relays their own traffic to the Pexip Service.
  • Any calls not coming from an approved IP address are placed in the lobby.
  • You can further restrict this rule to only include endpoints coming from a specific domain. This is useful when multiple companies share one call control infrastructure.

Pexip supports multiple IP addresses / network masks.

Configuring trusted devices

Configuration and setup of trusted devices is only available via your Pexip partner.

Ensuring that your trusted devices are shown in the global directory

You can use static addresses to add unregistered endpoints to the global directory. Ask your Pexip partner for support on this feature.

Supported devices and call control systems

Any SIP (2.0) compatible system is supported.

Non-SIP calls, e.g. H.323, are not supported. Any such calls bypass any policy rules and are handled as if no rules have been set.

We have tested against self-hosted Pexip Infinity and we also expect other session border controller (SBC) systems to work successfully. Note that the Cisco Expressway is not a suitable system for use with the SIP authentication method (however, IP address trust works correctly with Expressway).