Microsoft Teams Direct Routing Audiocodes SBC Certificates Explanation

Object

This post is to explain the certificates used in Audiocodes SBC when you are configuring with Microsoft Teams Directing. Certificate configuration is essential for a secure SIP TLS connection between Microsoft Teams and your local SBC in both directions, as the “Phone System Direct Routing” interface allows ONLY TLS connections for SIP traffic from and to Microsoft Server.

Important notes

Microsoft starts to decommission TLS1.0 and TLS1.1 for Office 365 (M365) from 2022, and it is simply NOT secure to implement TLS1.0 and TLS1.1 nowadays. Please see the below 2 useful links for that topic:

https://docs.microsoft.com/en-gb/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365?view=o365-worldwide

Checking some of our Audiocodes SBC deployments, we are already on TLS1.2 but the Cipher setting is in various combinations, it either TLS1.2 with specific Ciphers like RC4:AES128 or default Cipher like below:

To Ensure it has no impact on production next year, we contacted Audiocodes Support, their answer is as below:

Are we OK after Microsoft next year’s change?

Answer: Yes.

Cipher Server: This is the string used when the device is acting as the recipient of a connection request for TLS. A web browser requesting access to the AudioCodes device web GUI will send a Client Hello that contains a list of ciphers that must be in the Cipher Server suite to enable communication with the device web page.

Cipher Client: This is what the device will use when making an outgoing TLS/SSL request such as for secure SIP TLS connections to another device at session initiation.

List of acceptable ciphers

https://www.openssl.org/docs/man1.1.1/man1/ciphers.html

If we need to update the Cipher settings, can you please let us know the procedure?
Answer :

Refer to acceptable ciphers from https://www.openssl.org/docs/man1.1.1/man1/ciphers.html

Cipher Server/Client in SBC = DEFAULT (means all acceptable ciphers from openssl.org)

Cipher Server in SBC = RC4:AES128 (means only RC4 and AES128 cipher strings are accepted)

Certificate Components

Trust Root CA Certificate

By installing the Trust Root CA certificate, you are telling SBC that “I am going to trust the certificate issued by it”. In Audiocodes SBC with Direct Routing configured, you generally require at least 2 Trust Root CA certificates, first is the one you purchased for your own domain, such as a certificate with CN “SBC01.ictfella.com”, let’s “assume” it is from Godaddy here and highlighted in RED, the second is Microsoft Trust Root CA certificate and highlighted in BLUE.

Important note: If you are importing a .PFX format certificate bundle, you will OVERRIDE all Trust Root CA certificates in the SBC stores, so the recommendation is to do your certificate for your own domain first, then import the 2nd Trust Root CA Certificate from Microsoft:

https://www.digicert.com/kb/digicert-root-certificates.htm

Server Certificate

check-installed-certificate-on-audiocodes-sbc
check-installed-certificate-on-audiocodes-sbc

Note: If you want to renew your certificate, download your certificate from your provider such as Godaddy, then click “Change Certificate” then Choose the Certificate and click “Load File”, then Save the configuration.

Private Key

Private key generally is stored in the source machine where you generate the CSR file. If you generate the CSR from Audiocodes SBC, it will be in SBC but you CANNOT export it out (if you find the way, please let me know ), when you have multiple SBCs and you want to use the “multi-SAN” certificate, I would recommend you generate your CSR from a Window Machine so you can export it out easily.

Useful Link

Connecting Audiocodes SBC to Microsoft Teams Direct Routing Enterprise Model

https://www.audiocodes.com/media/13253/connecting-audiocodes-sbc-to-microsoft-teams-direct-routing-enterprise-model-configuration-note.pdf

11 thoughts on “Microsoft Teams Direct Routing Audiocodes SBC Certificates Explanation”

  1. Motorradauswahl

    whoah this blog is magnificent i like studying your articles.
    Keep up the great work! You understand, a lot of
    persons are searching around for this information, you could aid them greatly.

  2. Greetings! Very useful advice in this particular post!
    It’s the little changes that will make the greatest changes.
    Thanks a lot for sharing!

  3. It’s a pity you don’t have a donate button!
    I’d most certainly donate to this fantastic
    blog! I suppose for now i’ll settle for bookmarking
    and adding your RSS feed to my Google account. I look forward to brand new updates
    and will share this site with my Facebook group.
    Talk soon!

  4. I believe this is among the most significant information for me.
    And i am satisfied studying your article. But want to observation on few general things, The site taste is wonderful, the articles is truly excellent : D.
    Excellent job, cheers

Leave a Comment

Your email address will not be published. Required fields are marked *