Objective
This post explains the certificates used in an AudioCodes SBC when you configure it for Microsoft Teams Direct Routing. Certificate configuration is essential for a secure SIP TLS connection between Microsoft Teams and your local SBC in both directions, because the “Phone System Direct Routing” interface allows ONLY TLS connections for SIP traffic to and from Microsoft's servers.
Important notes
Microsoft starts to decommission TLS1.0 and TLS1.1 for Office 365 (M365) from 2022, and it is simply NOT secure to use TLS1.0 and TLS1.1 nowadays. Please see the two useful links below on that topic:
Checking some of our AudioCodes SBC deployments, we are already on TLS1.2, but the Cipher setting comes in various combinations: either TLS1.2 with specific Ciphers such as RC4:AES128, or the default Cipher as shown below:
To ensure there is no impact on production next year, we contacted AudioCodes Support; their answer is as below:
Are we OK after Microsoft's change next year?
Answer: Yes.
Cipher Server: This is the string used when the device is acting as the recipient of a connection request for TLS. A web browser requesting access to the AudioCodes device web GUI will send a Client Hello that contains a list of ciphers that must be in the Cipher Server suite to enable communication with the device web page.
Cipher Client: This is what the device will use when making an outgoing TLS/SSL request such as for secure SIP TLS connections to another device at session initiation.
List of acceptable ciphers
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
If we need to update the Cipher settings, can you please let us know the procedure?
Answer:
Refer to acceptable ciphers from https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
Cipher Server/Client in SBC = DEFAULT (means all acceptable ciphers from openssl.org)
Cipher Server in SBC = RC4:AES128 (means only RC4 and AES128 cipher strings are accepted)
Certificate Components
Trust Root CA Certificate
By installing a Trust Root CA certificate, you are telling the SBC “I am going to trust the certificates issued by this CA”. In an AudioCodes SBC with Direct Routing configured, you generally require at least 2 Trust Root CA certificates: the first is the root of the CA you purchased your own domain's certificate from, such as a certificate with CN “SBC01.ictfella.com” (let's “assume” it is from GoDaddy here; highlighted in RED), and the second is the Microsoft Trust Root CA certificate (highlighted in BLUE).
Important note: if you import a .PFX format certificate bundle, you will OVERWRITE all Trust Root CA certificates in the SBC store, so the recommendation is to install the certificate for your own domain first, then import the second Trust Root CA certificate from Microsoft:
https://www.digicert.com/kb/digicert-root-certificates.htm
Server Certificate
Note: to renew your certificate, download the new certificate from your provider such as GoDaddy, click “Change Certificate”, choose the certificate and click “Load File”, then save the configuration.
Private Key
The private key is generally stored on the machine where you generated the CSR. If you generate the CSR from the AudioCodes SBC, the key stays in the SBC and you CANNOT export it (if you find a way, please let me know). When you have multiple SBCs and want to use a “multi-SAN” certificate, I recommend generating the CSR from a Windows machine so you can export the key easily.
Useful Link
Connecting Audiocodes SBC to Microsoft Teams Direct Routing Enterprise Model
Whoa, this blog is magnificent; I like studying your articles.
Keep up the great work! You understand, a lot of persons are searching around for this information; you could aid them greatly.
Thanks for the comment, I am glad you like the articles.
Greetings! Very useful advice in this particular post!
It’s the little changes that will make the greatest changes.
Thanks a lot for sharing!
I am glad it helped.
I was just trying to renew my existing GoDaddy cert, you provided the “how to” in simple form! Thanks!
Good to know it helped.
Muchas gracias for your blog article. Much obliged.
It’s a pity you don’t have a donate button! I’d most certainly donate to this fantastic blog! I suppose for now I’ll settle for bookmarking and adding your RSS feed to my Google account. I look forward to brand new updates and will share this site with my Facebook group.
Talk soon!
Thanks Shayne, donate button added 🙂
I believe this is among the most significant information for me.
And I am satisfied studying your article. But I want to comment on a few general things: the site taste is wonderful, the articles are truly excellent :D.
Excellent job, cheers
Thanks for the kind words!