Certificates for mTLS Authentication on Teams Direct Routing AudioCodes Session Border Controllers

Introduction

The most recent What’s new in Direct Routing article from Microsoft includes information on a need for some organizations to check the installed root certificate chains on their Teams Direct Routing Session Border Controllers (SBCs). Some organizations have received direct communication from Microsoft regarding this change.

The direct communication warns that Microsoft will start to implement the mTLS change in March 2026. Microsoft advises that if remediation is required that it be completed by the end of February 2026.

In a nutshell:

1. This note applies to Teams Direct Routing SBCs where Mutual TLS authentication (mTLS) has been enabled.
2. If the firmware on your AudioCodes SBC is at least 7.4.600, you just need to enable a parameter on the SBC.
3. If it isn’t, you will need to either update the firmware or manually install at least two (2) root chains and turn the aforementioned switch on.

The information in this article applies to AudioCodes Teams Direct Routing SBCs. If you are using another manufacturer’s SBC, please check their support pages or contact their service department for guidance.

Does this apply to our SBCs?

• Microsoft’s announcement infers that this applies to all Teams Direct Routing SBCs.
• The AudioCodes technical note MC1213773 ACTION REQUIRED: TEAMS DIRECT ROUTING CHANGE (this can only be accessed if you have an AudioCodes support account) states that the Microsoft note only applies to AudioCodes Teams Direct Routing-enabled SBCs where mutual TLS authentication has been enabled on the SIP interface associated with the Teams Proxy Set.
• To determine if mutual TLS has been enabled for Teams:
  • Sign on to your SBC.
  • Navigate to the SIP Interfaces table at Setup->Signaling & Media ->Core Entities->SIP Interfaces.
  • Click on the “Teams” SIP interface.
    • If the interface is not named “Teams”, go to Setup->Signaling & Media->Core Entities->Proxy Sets and find the “Teams” Proxy Set. The associated “SIP Interface” can be found in the “SBC IPv4 SIP Interface” field.

What is TLS Mutual Authentication?

Under standard transaction layer security (TLS) authentication, only the server is authenticated. In Mutual TLS or mTLS, both the client and server must present and verify their respective certificates.

The previous eGroup blog article, Microsoft Teams Direct Routing and Mutual TLS Authentication, describes how to set this up and includes our recommendation to enable mTLS on Teams Direct Routing SBCs.

We are using mTLS for Teams on an AudioCodes Teams Direct Routing-enabled SBC, now what?

You will first need to verify that a parameter on the Teams TLS context is properly configured and that all seven (7) of the Microsoft-provided certificate root chains are installed on the SBC.

Teams TLS Context Setting

1. Backup the SBC’s configuration.
2. Navigate to Setup->IP Network->Security->TLS Contexts on your SBC.
3. Click on the context you are using for Teams; it will usually be named “Teams”.
   1. If you aren’t sure which one it is, you can look at the “TLS Context Name” field on the Teams Proxy Set.
   1. The context used by Teams should only be used for Teams Direct Routing. It should only be assigned to the Teams Proxy Set. Your SBC should have at least two (2) TLS contexts: “Default” and “Teams”. Please contact us if you do not have both!
4. The value of the “Use default CA Bundle” will probably be blank. Change it to “Enable”.
   1. If you do not see the “Use default CA Bundle” option, you will need to update the firmware on the SBC.
5. Click the “Apply” button, then save the configuration.
6. The SBC will not require a restart after making this change.
7. You should not change this setting on the “default”, or any other TLS contexts that you may have on your SBC.

Verifying that you have all the Certificates based on the SBC’s firmware

After turning on the default CA Bundle on the SBC, you can determine if you have all the certificates based on the currently running firmware:

1. Your SBC has all the certificates if you are running at least either version 7.4.600 or 7.6.
2. If your SBC is running a version between 7.4.300 and 7.4.500 you can use either of these options:
   • a) Add these two (2) certificates to your SBC. Follow the instructions in the next section to add these:

• b. Update the firmware on the SBC.
  • Do not upgrade from a 7.4 version to 7.6 to add the certificates. Upgrading from 7.4 to 7.6 constitutes a major upgrade to the SBC. We recommend against doing this upgrade solely to ensure that all the certificates are installed on your SBC.AudioCodes has a “Long Term Support (LTS)” and “Latest Release (LR)” version of the 7.4 firmware available for download (there is currently only an LR of the 7.6 available)
  • At eGroup, we advise our clients to only upgrade their SBCs with the LTS version. We also tell our clients to only install an LR version if directed to do so by AudioCodes or us. This is one of those rare occasions where we tell our customers to go ahead and install the current LR version of the 7.4 firmware to get the certificates onto their SBCs.
• c. If the SBC is running a version older than 7.4.300, you can use either of these options:
  • Add all seven (7) certificates to your SBC (see below).
    • Update the firmware on the SBC.
    • If you are running a flavor of the 7.2 firmware older than 7.20A.204.549, you must follow the guidance in the AudioCodes SBC Version 7.2 to 7.4 Upgrade Procedure document.

Checking for the Required Root Chains

Here is the list of Root chains that must be installed on the SBCs:

The links in the table will allow you to download the certificate chains. Please note that these are “.CRT” files. They will have to be converted to PEM/ASCII format. You may be able to convert these using the “SSL Converter” tool on the SSL Shopper website; otherwise, use your tool of choice.

To “visually” check to see if you have all these root chains:

1. On the SBC, navigate to Setup->IP Network->Security->Default CA Bundle.
2. Scroll through the list to locate the certificate by its “Subject Name”.
3. Once you’ve found it, verify that the serial number matches the number in the table above.
4. Note all root chains that you are missing.

Importing missing Root Certificates

1. The SBC will not require a restart after importing the certificate.
2. Backup the SBC’s configuration.
3. Navigate to the Teams TLS Context and click on “Trusted Root Certificates” at the bottom of the page.
4. Click the “Import” button.
5. Select the “PEM/ASCII” formatted certificate file.
6. Follow the prompts.
7. The SBC will not require a restart after importing the certificate.
8. Install additional certificates as needed.

Summary

Starting in March 2026, Microsoft is requiring that Teams Direct Routing SBCs have seven (7) root certificate chains installed. AudioCodes has reduced this requirement to SBCs using mTLS to connect to Teams for Direct Routing. eGroup recommends that all Teams Direct Routing SBCs should have mTLS enabled on the Teams SIP interface. Clients with mTLS enabled on their SBCs for Teams should ensure that all the certificates are installed by the end of February 2026. Failure to do so may prevent your Direct Routing SBC from being able to communicate with Teams.

eGroup|Enabling Technologies is available and ready to answer any questions that you might have about Microsoft Teams, Teams Voice, and Teams Devices.

Ensure Your Teams Direct Routing Environment Is Ready

Validate your AudioCodes SBC configuration and certificate chains to avoid service disruption when Microsoft enforces new mTLS requirements.