The Enabling Technologies Blog

Our team of Cloud Strategy Advisors, Solution Architects, Engineers and former C-Suite Executives works diligently to provide our visitors with the most pressing information.

John Miller /

Microsoft Changes to Teams Direct Routing Sessions Border Controller Configurations - Changes needed by Jan. 3rd

 

Microsoft to stop processing SIP requests with “Replaces” Headers coming from Teams Direct Routing Session Border Controllers


Introduction 

  • Microsoft issued a message to all Office 365 tenants, MC299922, that they will no longer process SIP requests with “Replaces” headers coming from Teams Direct Routing Session Border Controllers (SBCs) as of January 3, 2022.  
  • Customers need to verify that their Direct Routing SBCs are properly configured for this before January 3rd.  
  • Most currently installed SBCs are probably not correctly configured for this change. This change can be made at any time before January 3rd.

Checking and Updating the Setting 

 

  1. Once signed on to the SBC, click on “Actions”
  2. Then click on “Configuration File”. Follow the prompts to save the file


  3. Click on “Setup”
  4. Then “Signaling & Media”
  5. Then “Coders & Profiles”
  6. Click on “IP Profiles”
  7. Click on the “Teams” IP Profile (Your profile may not be named Teams. Click on the Profile associated with the Teams “IP Group”)
  8. Click the “Edit” button
  9. Scroll down in the settings and look for the “SBC Forward and Transfer” section in the right column
  10. Change the setting for “Remote Replaces Mode” to “Handle Locally”. If it is already set that way, no change is required, and you can click the “Cancel” button below
  11. If you made the change, click the “Apply” button
  12. The “Save” button should now have a red box around it. Click the button then click “Yes” when prompted


  • The SBC does not need to be rebooted or restarted 
  • It is a good practice to back up the configuration again as described in the steps above 

Summary 

  • Microsoft will no longer support SIP requests with “Replaces” headers coming from customer owned Teams Direct Routing SBCs as of January 3, 2022 
  • Customers must verify that their SBCs are properly configured to support this change before January 3, 2022 
  • Enabling Technologies is available and ready to answer any questions that you might have. If you need help making this change, please contact us at <<please fill this in>> 

 

Microsoft Changes Certificate requirements for Teams Direct Routing Session Border Controllers 

Introduction 

  • Microsoft issued a message to all Office 365 tenants, MC299923, that as of February 1, 2022, they will: 
      • Only trust certificates coming from Teams Direct Routing Session Border Controllers (SBCs) that were signed by Certificate Authorities (CAs) that are part of the Microsoft Trusted Root Certificate Program
      • Require that the Extended Key Usage (EKU) on these certificates includes “Server Authentication”
  • Customers need to verify that their Direct Routing SBCs are using a certificate issued by an issuer on the aforementioned list and that it includes the “Server Authentication” EKU before February 1, 2022.  
  • Most Teams Direct Routing SBCs should already be using a certificate that was issued by a CA that is part of the Microsoft Trusted Root Certificate Program and have the “Server Authentication” EKU 

Background 

  • To date, when requesting a certificate for a Teams Direct Routing SBC, Microsoft has required that the certificate be issued by a CA found on the “Plan Direct Routing” Microsoft web page 
  • There are twenty-eight (28) CAs listed on the page which was last updated on October 7, 2021 
  • The Microsoft Trusted Root Certificate Program list includes 514 CAs as of December 1, 2021 
  • All twenty-eight (28) of the CAs on the web page are included in the Microsoft Trusted Root Certificate Program list 
  • For most SBCs, the Certificate Signing Request is created directly from the AudioCodes SBC. These requests always include the “Server Authentication” EKU 

Checking the SBC Certificate 

  1. Sign on to the SBC, then click on “Setup” 
  2. Click on “IP Network” 
  3. Then click on “Security” 
  4. Then click on “TLS Contexts” 
  5. Click on the “Teams” context. If your context is not named “Teams”, check the “Teams” SIP Interface or Proxy Set; these should be configured with the context for “Teams”
  6. Click on “Certificate Information” 


  7. Find the Certificate Issuer. Verify that the issuing CA is listed in the Microsoft Trusted Root Certificate Program
  8. Find the Extended Key Usages and verify that the “Server Authentication” usage is included


  • If the issuer is not on the list or the “Server Authentication” EKU is missing, you will need to replace the certificate on the SBC. Otherwise, the SBC is good to go! 

Summary 

  • Microsoft will only support Teams Direct Routing SBCs with a certificate issued by one of the CAs on the Microsoft Trusted Root Certificate Program list after February 1, 2022 
  • They will also no longer support certificates without “Server Authentication” in the Enhanced Key Usages on the certificate as of February 1, 2022
  • Customers must verify that their SBCs are properly configured to support this change before February 1, 2022 
  • Most Teams Direct Routing SBCs will already have compliant certificates 

Microsoft Changing TLS requirements for Teams Direct Routing Session Border Controllers 

Introduction 

  • Microsoft issued a message to all Office 365 tenants, MC297438, that as of January 3, 2022, they will: 
      • Begin retiring Transport Layer Security (TLS) version 1.0 and 1.1
      • Begin to require the use of TLS version 1.2 for the Teams SIP interface on Direct Routing Session Border Controllers
  • This is to ensure that “Microsoft’s service is secure by default and in alignment with the rest of Microsoft 365 services as previously communicated (MC126199 in Dec 2017, MC128929 in Feb 2018, MC186827 in July 2019, MC218794 in July 2020, MC240160 in February 2021, and MC292797 in October 2021).” 
  • Microsoft has added the requirement that the SBCs be able to connect to Teams by using one of these cipher suites: 
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 i.e. ECDHE-RSA-AES256-GCM-SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 i.e. ECDHE-RSA-AES128-GCM-SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 i.e. ECDHE-RSA-AES256-SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 i.e. ECDHE-RSA-AES128-SHA256
  • AudioCodes recommends that strict cipher suites be used. The Cipher Suite configured on the “Cipher Server” parameter of the Teams TLS context on the SBC should be set to “ECDHE:ISA”  
  • Customers need to verify that their Direct Routing SBCs are using TLS 1.2 on their Teams TLS Context on the SBC before January 3, 2022 
  • AudioCodes and Enabling Technologies recommend that the “Cipher Server” suite on the context be updated to “ECDHE:ISA” before January 3, 2022.
  • Very few, if any, Teams Direct Routing SBCs should not already be using TLS 1.2 
  • Most SBCs will not have the recommended setting for the “Cipher Server” setting on the Teams context 
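
Added example, not from the original post or from AudioCodes or Microsoft: before a value goes into “Cipher Server”, this expands a cipher string with the local OpenSSL (through Python's `ssl` module) and reports which of the four listed suites it enables and which unlisted suites come along with it. It assumes the SBC field accepts OpenSSL-style cipher strings; the SBC's own OpenSSL build may expand a string differently, and the sample strings are constructed.

```python
import ssl

# The four suites listed in the post, in the OpenSSL spelling given after "i.e.".
TEAMS_SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
}


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites that a cipher string enables locally."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # invalid syntax, or nothing in this OpenSSL build matches
    # OpenSSL configures TLS 1.3 suites separately and always lists them; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Compare what a cipher string enables against the four listed suites."""
    enabled = expand(cipher_string)
    listed = [name for name in enabled if name in TEAMS_SUITES]
    unlisted = [name for name in enabled if name not in TEAMS_SUITES]
    return {
        "listed": listed,        # suites the post says Teams accepts
        "unlisted": unlisted,    # extra suites the string also turns on
        "can_connect": bool(listed),
        "strict": bool(listed) and not unlisted,
    }


if __name__ == "__main__":
    # Constructed sample strings, not values taken from an SBC.
    for sample in (
        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE+AESGCM",
        "NOT-A-CIPHER",
    ):
        print(sample, audit(sample))
```

A string is worth a second look when `unlisted` is non-empty (it enables more than the four suites) or when `can_connect` is false (it enables none of them).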

Checking the TLS version and Cipher Suite Configuration 

  1. Once signed on to the SBC, click on “Actions” 
  2. Then click on “Configuration File”. Follow the prompts to save the file
  3. Click on “Setup” 
  4. Click on “IP Network” 
  5. Then click on “Security” 
  6. Then click on “TLS Contexts” 


  7. Click on the “Teams” context. If your context is not named “Teams”, check the “Teams” SIP Interface or Proxy Set; these should be configured with the context for “Teams”
  8. Click the “Edit” button


  9. Verify that the “TLS Version” is set to “TLS v 1.2”. If it isn’t, click the drop down and change it
  10. Change the value of “Cipher Server” to “ECDHE:ISHA”
  11. Click the “Apply” button
  12. The “Save” button should now have a red box around it. Click the button then click “Yes” when prompted


  • The SBC does not need to be rebooted or restarted 
  • It is a good practice to back up the configuration again as described in the steps above 

 

Summary 

  • Microsoft will begin to deprecate the use of TLS 1.0 and 1.1 on the Teams SIP Interfaces of Direct Routing SBCs on January 3, 2022, and require the use of TLS 1.2
  • They will also require that a supported Cipher Suite be used 
  • Microsoft’s wording does not clearly state that an SBC that is not set up for TLS 1.2 by January 3, 2022, will stop working. Enabling Technologies recommends that customers not take chances and make sure that the context is set to TLS 1.2 before the 3rd
  • AudioCodes and Enabling Technologies recommend using a strict cipher suite, “ECDHE:ISHA” 
  • The cipher suite should also be updated before January 3, 2022 
  • Most installed Teams Direct Routing SBCs will be configured for TLS 1.2 but will not be configured for the Cipher Suite 
  • Enabling Technologies is available and ready to answer any questions that you might have. If you need help in making these changes, please contact us at contact@enablingtechcorp.com 

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.
