Teams Direct Routing Session Border Controller Certificate Support Change

Introduction

On Tuesday, October 3, 2023, at 10:00 AM (UTC – 5:00 AM EST), all Microsoft SIP endpoints will be gradually switched over to use certificates based on the “DigiCert Global Root G2” Certificate Authority (CA).

Your Teams Direct Routing Session Border Controllers (SBCs) may stop sending and
receiving phone calls if they do not have this root chain installed!

Organizations that are using Teams Direct Routing should check their Session Border Controllers (SBCs) and remediate as needed. The instructions for checking and fixing AudioCodes SBCs are detailed below.

Background

  • The root chain, Baltimore CyberTrust Root Thumbprint (SHA1), Microsoft has been supporting on its SIP endpoints will expire in May 2025.
  • In March 2022 Microsoft first announced (TM674073) that the “DigiCert Global Root G2” root chain be replacing the Baltimore chain.
  • They had sent additional notifications through the Message Center and Service Health incidents in the Microsoft 365 Admin Portals to all Direct Routing customers (MC540239, TM614271, MC663640, MC674729).
  • Microsoft conducted two (2) 24-hour tests on Tuesdays, September 5, and September 19th where they temporarily switched from the Baltimore to the DigiCert chain on all their SIP endpoints. During the tests, thousands of Teams Direct Routing SBCs “broke” because they did not have the DigiCert chain.
  • Following the second test, Microsoft install the new chain an all their SIP endpoints on Tuesday, October 3, 2023 at (UTC – 5:00 AM EST).

What Do You Need To Know NOW?

  • Check that your Teams Direct Routing SBCs have the DigiCert root chain.
  • If they don’t, refer to your SBC vendors documentation and install it NOW!
How Do You Install the New Root Chain?
  • The instructions for AudioCodes SBCs are provided below.
  • Consult your SBC’s manufacturer’s documentation for non-AudioCodes SBCs.
Where Can I Download the Root Chain From?
  • Before you can download the chain, you need to know what format, Privacy Enhanced Mail (PEM) or Distinguished Encoding Rules (DER/CRT) your SBC requires and supports.
  • AudioCodes SBCs support/require PEM.
  • Check the SBCs documentation to determine the appropriate format.
  • If your SBC requires a format other than PEM or DER/CRT, you will have to perform a conversion.

1. Browse to “DigiCert Trusted Root Authority Certificates”.

2. Click on “Other root certificates”.

3. Locate the “DigiCert Assured ID Root G2” certificate.

4. If you have AudioCodes SBCs, click the “Download PEM” button and save the file in a location where you can access it and the SBC from your browser. For other SBCs, refer to the documentation to determine the correct format to download.

How Do You Install the Root Chain on an AudioCodes SBC?
  • These instructions can also be found in our previously posted blog article, Microsoft Teams Direct Routing and Mutual TLS Authentication.
  • We encourage you to review this article and recommend that at some point you enable Mutual TLS Authentication on your AudioCodes SBCs. For now, just install the DigiCert chain to avert the immediate risk to your SBCs.

1. Login to the SBC

2. Click the drop-down arrow next to “Actions”.

3. Click on “Configuration File”.

4. In the “INI File” section, click the “Save INI File” button to save the SBCs running configuration.

5. Click on “IP Network”.

6. Click on “Security”.

7. Click on “TLS Contexts”.

8. Click on the “TEAMS” TLS Context. Your “Teams” TLS context may have a different name.

9. Click the “Trusted Root Certificates” button. You may have to scroll your screen down to see the button.

10. If the “DigiCert Global Root G2” certificate is not listed, click the “Import” button.

a. If you have the “Baltimore CyberTrust Root” certificate, do not remove it!

b. If you do not have the “Baltimore CyberTrust Root”, you don’t need it at this point!

11. Click the “DigiCertGlobalRootG2.crt.pem” file.

12. Click the “Open” button.

13. Once the file has been successfully loaded, click the “Close” button.

14. Click the “Save” button.

15. Click the “Yes” button.

16. Make some inbound test calls to Teams users from the Public Switched Telephony Network (PSTN).

17. Make some outbound test calls from Teams users to the PSTN.

18. Make test calls to verify that all other call flows traversing the SBC are working correctly.

Summary

  • Microsoft is changing the Certificate root chain on their SIP endpoints on Tuesday, October 3, 2023.
  • If your Session Border Controllers (SBCs) do not have the “DigiCert Global Root G2” installed, they may stop working.

If you have any questions about this process or need help in its implementation, no matter what manufacturers SBC you own, please contact our team of Cloud Computing Consultants or email us at info@eGroup-us.com!

John Miller

John Miller

Cloud Solutions Architect - eGroup | Enabling Technologies

Learn more about AudioCodes SBCs

Interested in learning more about AudioCodes Session Border Controllers and how to implement them?

Contact our team of experts to get started today!