Microsoft Teams Direct Routing and Mutual TLS Authentication

Introduction

Microsoft Teams Direct Routing AudioCodes Session Border Controllers (SBCs) have usually been set up using one-way TLS (Transport Layer Security) authentication, although mutual TLS authentication has always been an option. Enabling Technologies (a division of eGroup) has two (2) primary mantras when it comes to application and device security:

  1. Trust no one!
  2. Harden everything!

In that spirit, Enabling Technologies is recommending that mutual authentication be enabled on all Teams Direct Routing Session Border Controllers.

The instructions for enabling mutual authentication on AudioCodes SBCs have been available in the AudioCodes Teams Direct Routing deployment guides for several years. To enable mutual TLS, you had to download the “Baltimore CyberTrust Root” certificate into the “Trusted Root Certificate” store of the “TEAMS” TLS Context before you could “flip the switch” to turn it on. This certificate will expire in May of 2025.

Microsoft recently announced the availability of new Trusted Root certificate chains that will ultimately replace the expiring certificate. There are three (3) new chains; the “DigiCert Global Root G2” chain is the one that will replace the “Baltimore CyberTrust Root” on SBCs when it expires. Microsoft started configuring its cloud-based services to support both chains this past January, and by October all services should support both chains.

  • If your Teams Direct Routing SBC is not set up to support TLS Mutual Authentication, we recommend that you set it up to support TLS Mutual Authentication!
    • Please follow the instructions in the “Setting up TLS Mutual Authentication on AudioCodes SBCs” section below. If you are not using AudioCodes SBCs, follow your manufacturer’s guidance.
  • If TLS Mutual Authentication is already configured on your SBC, you will need to verify that you have the new chain installed on the SBC.
    • Instructions for this can be found in the “What do you need to do if you already have Mutual Authentication Setup” section towards the end of this document.

What is TLS Mutual Authentication?

  1. Servers and devices use Transport Layer Security (TLS) to encrypt their communications over the TCP protocol. Before starting inter-device communication, the two (2) parties perform a TLS handshake to agree on how they are going to encrypt the traffic between each other.

  2. Authentication between the devices is optional during the TLS handshake but is almost always used. The authentication can be one-way or mutual.

  3. In one-way authentication, the client device will usually have “presented” its fully qualified domain name (FQDN) to the server device. The client device then presents a public certificate with that FQDN in the Subject Name field, or a wildcard certificate, to the server device.

  4. If the server device trusts the Certificate Authority that issued the client device’s certificate, it will authenticate the client device and let the rest of the TLS handshake complete.

  5. In Teams Direct Routing the default is to use one-way authentication between the SBC and Teams during the TLS handshake. The SBC authenticates itself to Teams using one-way TLS authentication.

  6. The SBC must present a certificate that was signed by (acquired from) a Certificate Authority that is part of the Microsoft Trusted Root Certificate Program.

  7. Organizations can optionally enable two-way TLS authentication between a Direct Routing SBC and Microsoft Teams.

  8. Enabling Technologies recommends that all Direct Routing Session Border Controllers be configured to support Mutual TLS Authentication.

Setting up TLS Mutual Authentication on AudioCodes SBCs

Here are the high-level steps for setting up TLS mutual authentication on an AudioCodes Direct Routing SBC. The entire process should take about fifteen (15) minutes to complete. These instructions are the same for firmware versions 7.2.X and 7.4.X for all models of AudioCodes SBCs:

  1. Download the “Baltimore CyberTrust Root” certificate that is valid until 5/12/2025 and has a serial number of 33554617. The certificate needs to be downloaded in PEM format.
  2. Download the “DigiCert Global Root G2” certificate that is valid until 1/15/2038 with a serial number of 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5. This certificate also needs to be in PEM format.
  3. Backup the SBC’s configuration.
  4. Import both certificates as Trusted Root Certificates into the “TEAMS” TLS Context on the SBC.
  5. Enable “TLS Mutual Authentication” on the “TEAMS” SIP interface.
  6. Execute your SBC test plan to verify that all call flows across the SBC are working properly.
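As an added sanity check before step 4 (example code written for this post, not AudioCodes' or Enabling Technologies' tooling): confirm that each downloaded PEM really carries the serial number and expiry date listed above, so the wrong root does not end up in the “TEAMS” TLS Context. The parser is standard-library only and reads just the serial and notAfter fields; `constructed_pem` builds a labelled stand-in (not a real certificate) so the check can be exercised offline, and the expected values are the ones given in the steps.

```python
import base64
import re
from datetime import datetime

# Expected (serial, notAfter date) per root, copied from the steps above.
EXPECTED_ROOTS = {
    "Baltimore CyberTrust Root": (33554617, "2025-05-12"),
    "DigiCert Global Root G2": (0x033AF1E6A711A9A0BB2864B11D09FAE5, "2038-01-15"),
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def serial_and_expiry(pem):
    """(serial int, notAfter date) for the first certificate in a PEM string; stdlib only."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    der = base64.b64decode("".join(m.group(1).split()))
    _, cert, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                 # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                # optional [0] EXPLICIT version
    pos = pos if tag == 0xA0 else 0           # v1 certificates have no version field
    _, serial, pos = _tlv(tbs, pos)           # serialNumber INTEGER (two's complement)
    _, _, pos = _tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                # issuer Name
    _, validity, _ = _tlv(tbs, pos)           # validity SEQUENCE { notBefore, notAfter }
    _, _, p = _tlv(validity, 0)               # skip notBefore
    tag, not_after, _ = _tlv(validity, p)     # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return int.from_bytes(serial, "big", signed=True), datetime.strptime(not_after.decode(), fmt).date()

def check_root(name, pem):
    """Compare a downloaded root against the expected serial and expiry before importing it."""
    exp_serial, exp_expiry = EXPECTED_ROOTS[name]
    serial, not_after = serial_and_expiry(pem)
    return {"serial_ok": serial == exp_serial, "expiry_ok": not_after.isoformat() == exp_expiry,
            "serial_hex": f"{serial:X}", "not_after": not_after.isoformat()}

def _der(tag, body):
    return bytes([tag, len(body)]) + body     # short-form length (<128 bytes) is enough for the sample

def constructed_pem(serial, not_after):
    """CONSTRUCTED stand-in carrying only the fields the parser reads; not a real certificate."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")   # leading 0x00 keeps INTEGER positive
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x18, not_after.encode()))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, ser) + _der(0x30, b"") + _der(0x30, b"") + validity
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

On a real download, call `check_root("DigiCert Global Root G2", open("DigiCertGlobalRootG2.crt.pem").read())` and import only if both flags are true.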

What do you need to do if you already have Mutual Authentication Setup

If you already have TLS Mutual Authentication setup on your SBC:

  1. Backup the SBC’s configuration.
  2. If you are missing either of the root chains, install them.
  3. Execute your SBC test plan to verify that all call flows across the SBC are working properly.

Summary

  • Enabling Technologies (a division of eGroup) recommends enabling TLS Mutual Authentication on Teams Direct Routing SBCs.
  • If it is already enabled, you will need to make sure that both required root chains have been installed on the SBC.

John Miller

Cloud Solutions Architect - Enabling Technologies, an eGroup Company

Last updated on July 31st, 2023 at 01:02 pm