Trusted devices / lobby bypass for Microsoft Teams and Google Meet

Trusted devices is an add-on for service gateway customers (with Microsoft Teams CVI or Google Meet interoperability). It allows SIP video endpoints to bypass the lobby, so that they join the interop meeting directly instead of waiting to be admitted by the meeting host.

Without trusted devices, only video endpoints that are registered on the service under the same company that has the Teams CVI / Google Meet interop service can bypass the Teams / Google Meet lobby.

With trusted devices, lobby-bypass can be enabled for:

  • Endpoints that are not registered on the Pexip Service.
  • Endpoints that are registered on the Pexip Service, but are part of a different company (for example where a large organization is managed as different companies within the Pexip Service).

How it works

Each trust method works differently.

Non-registered SIP endpoints

Pexip offers two ways to trust non-registered SIP endpoints: SIP authentication (recommended) and by IP address.

You can use a combination of both methods.

SIP authentication

When using SIP authentication:

  • The video endpoint calls from a domain that the Pexip Service is configured to challenge. After providing authentication, the call bypasses the lobby. If it does not provide authentication, the call disconnects.
  • If the call is from a domain that is not set up to be challenged, the user is placed in the lobby.

This is the most secure trust option. It requires that the customer's SBC can authenticate on behalf of its clients. (Pexip can provide the customer with a username/password to be used.)

Pexip supports challenging multiple domains per customer.

IP address

When using IP address authentication:

  • The endpoint is trusted if the call comes from a pre-configured list of IP addresses. This assumes that the customer's call control system is correctly configured to validate the endpoint, and that it only relays their own traffic to the Pexip Service.
  • Any calls not coming from an approved IP address are placed in the lobby.
  • You can further restrict this rule to only include endpoints coming from a specific domain. This is useful when multiple companies share one call control infrastructure.

Pexip supports multiple IP addresses / network masks.
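
The two trust methods above can be modelled as a small decision function, which is useful for checking a planned rule set before sending it to your partner. This is an added example, not Pexip code or Pexip's API: the names (IpRule, TrustPolicy, decide, audit), the sample policy and the sample calls are constructed, and evaluating challenged domains before IP rules is an assumption, since the order in which the methods combine is not stated here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class IpRule:
    network: str                  # single address or address/network mask
    domain: Optional[str] = None  # optional "only this domain" restriction

@dataclass
class TrustPolicy:
    challenged_domains: frozenset  # domains that must pass SIP authentication
    ip_rules: tuple                # IpRule entries

def uri_domain(from_uri: str) -> str:
    """Host part of a SIP URI such as 'sip:room@example.com;transport=tls'."""
    return from_uri.rsplit("@", 1)[-1].split(";", 1)[0].strip("<>").lower()

def decide(policy, from_uri, source_ip, authenticated=False):
    """Return 'bypass', 'lobby' or 'disconnect' for one incoming SIP call."""
    domain = uri_domain(from_uri)
    # Assumption: challenged domains are evaluated before IP rules.
    if domain in policy.challenged_domains:
        return "bypass" if authenticated else "disconnect"
    addr = ipaddress.ip_address(source_ip)
    for rule in policy.ip_rules:
        in_range = addr in ipaddress.ip_network(rule.network, strict=False)
        if in_range and rule.domain in (None, domain):
            return "bypass"
    return "lobby"

# Constructed policy and calls (documentation address ranges, example domains).
POLICY = TrustPolicy(
    challenged_domains=frozenset({"auth.example.com"}),
    ip_rules=(IpRule("192.0.2.10", domain="rooms.example.org"),
              IpRule("198.51.100.0/24")),
)
CALLS = [
    ("sip:a@auth.example.com", "203.0.113.5", True),
    ("sip:b@auth.example.com", "203.0.113.5", False),
    ("sip:c@rooms.example.org", "192.0.2.10", False),
    ("sip:d@tenant2.example.net", "192.0.2.10", False),  # shared SBC, other domain
    ("sip:e@guest.example.net", "198.51.100.77", False),
    ("sip:f@guest.example.net", "203.0.113.9", False),
]

def audit(policy=POLICY, calls=CALLS):
    """Outcome for each sample call, in order."""
    return [decide(policy, uri, ip, auth) for uri, ip, auth in calls]
```

The fourth call shows why the domain restriction matters on shared call control: the same source address is trusted for rooms.example.org but another company's domain relayed through it still lands in the lobby.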

Registered endpoints with a different company

To trust endpoints that are registered on the Pexip Service but belong to a different company, Pexip simply needs to know which (one or more) companies should be trusted when the company with the Teams / Google Meet interop license has a Teams / Google Meet meeting. All of the registered endpoints with those associated companies will then bypass the Teams / Google Meet lobby.

Configuring trusted devices

Configuration and setup of trusted devices is only available via your Pexip partner. When you contact your partner please inform them of the trust methods you want to use.

Ensuring that your trusted devices are shown in the global directory

You can use static addresses to add unregistered endpoints to the global directory. Ask your Pexip partner for support on this feature.

Supported devices and call control systems

Any SIP (2.0) compatible system is supported.

Non-SIP calls, e.g. H.323, are not supported. Any such calls bypass any policy rules and are handled as if no rules have been set.

We have tested against self-hosted Pexip Infinity and we also expect other session border controller (SBC) systems to work successfully. Note that the Cisco Expressway is not a suitable system for use with the SIP authentication method (however, IP address trust works correctly with Expressway).