Certificate Requirements Teams Direct Routing SBC

-
Running Microsoft Teams with Direct Routing for Cloud Voice, you have to deploy a certificate on your SBC. This certificate is used for encryption with TLS. Often there is the question how the certificate must be configured.

SBC Public Certificate Requirements




 All deployed SBCs must have a public certificate from a trusted/supported Public CA, there are 3 options to create a certificate.

 Security Note:
When generating the CSR, the private key size should be at least 2048.

 Support Note:
onmicrosoft.com domain for certificates is not support.

Option 1 - Single SBC

A certificate with a single SBC FQDN.
The SBC FQDN must be in the subject, common name and the Subject Alternate name.


SN/CN
SAN
{Public FQDN of SBC }
 {Public FQDN of SBC }
 


Option 2 - Multiple SBC

A certificate with a multiple SBC FQDN’s.
The SBC FQDN must be in the subject, common name and the Subject Alternate name, which includes the additional SBCs too.


SN/CN
SAN
{Public FQDN of SBC }
{Public FQDN of SBC },
{Public FQDN of Additional SBC },
{Public FQDN of Additional SBC }
 


Option 3 – Single/ Multiple SBCs with wildcard

A Wildcard certificate with a any FQDN in the common name and Subject Alternative Name (SAN), including the wildcard and SBC FQDN


SN/CN
SAN
{Public FQDN of SBC }
{ wildcard },
{Public FQDN of SBC }




Note: If you have an wildcard certificate with wildcard in the CN/SN and or only a wildcard in the SAN it will work, but it is NOT supported.


Supported Public CA


Microsoft currently supports the following Public CA’s only.  Signing a certificate therefore, is only valide by the following external Trusted root CA's
  • AffirmTrust
  • AddTrust External CA Root
  • Baltimore CyberTrust Root
  • Buypass
  • Cybertrust
  • Class 3 Public Primary Certification Authority
  • Deutsche Telekom
  • DigiCert Global Root CA
  • Entrust
  • GlobalSign
  • Go Daddy
  • GeoTrust
  • Verisign, Inc.
  • Starfield
  • Symantec Enterprise Mobile Root for Microsoft
  • SwissSign
  • Thawte Timestamping CA
  • Trustwave
  • TeliaSonera
  • T-Systems International GmbH (Deutsche Telekom)
  • QuoVadis

Comments

  1. JSKYFebruary 17, 2020 at 10:55 PM

    Can you clarify option3? Particularly the NOTE. You said..."If you have an wildcard certificate with wildcard in the CN/SN and or only a wildcard in the SAN it will work, but it is NOT supported."

    I'm confused by this because MS states they support RFC2818 and provide a link to section 3.1 on their documentation. https://tools.ietf.org/html/rfc2818#section-3.1

    The RFC states *.sub1.mydomain.com as a CN/SN would work just fine. Are you suggesting to create a CSR with sbc.sub1.mydomain.com and include a dnsName in the SAN for *.sub1.mydomain.com?

    Can you show me where you got the the information to substantiate your "supportability" comment?

    Thanks!

    ReplyDelete

Post a Comment

Popular posts from this blog

How to hide users from GAL if they are AD Connect synchronized

-
Image
How to hide and un-hide users from Global Address List (GAL) in Exchange Online if they are AD Connect synchronized Hiding User from GAL isn't possible if those are synchronized form On-Premises Active Directory. The local AD is the leading system for all important attributes, like SMTP, UPN and hiding from GAL. Especially during a cross-tenant migration, you do not want to see not migrated user in the GAL. Those User aren't actively working until their cut-over day. Since the Exchange Online attribute  msExchHideFromAddressList s is an AD on-premises parameter, we have two possible ways hiding user in BME from GAL.   Modify the AD Connect for your teant with a custom rule, by using a extensionAttribute to set the HidefromGAL. In this rule, for users which have an entry in the extensionAttribute, hiding / un-hiding will be controlled by AD Connect This is the best option for Cross-Tenant Migration, if you run 2 or more AD Connect system We direct modify the AD hide at
Read more

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

-
Image
Lync Edge Server FQDN and IP PORTS (Version 1.2, Update 26.11.2014) As we all know, we can configure Lync Edge Server in several way. 1) Single Edge Server with a SINGLE IP ADDRESS 2) Single Edge Server with MULTIPLE IP ADDRESSES (3x IPs) 3) Multiple Edge Server in a Pool, with MULTIPLE IP ADDRESSES (Zx 3 IPs) Regardless what we are going to configure, there are common / well-known TCP Port necessary making Lync work, which are: Access: Port: 443 and 5061 Conferencing: Port: 443 and (444) AV: Port: 443 (I have not listed other ports, e.g. STUN or the dynamic port range. This is not required for the topic discussed here) External FQDN with single IP address: What can we see here? If we are going to choose a single IP address, we would have TCP Port overlapping. Therefore the only way avoiding this is assigning other ports. Additionally we will also see and are reminded that Lync highly depends on DNS. If we have single IP, we must have use single, unique FQDN fo
Read more

MFA with Guest Access and different tenants settings

-
Image
There is an update regarding MFA Multi Factor Authentication. If you are guest with a different Tenant, the MFA Settings are now reflecting the settings of all tenants in a different way. Each MFA setting is reflected and you can setup your MFA device as per tenant and the admin settings allow. Login to your Profile in Office 365/ Azure AD: https://account.activedirectory.windowsazure.com/r/#/profile or https://myapps.microsoft.com Go to your PROFILE: Sign in to https://myapps.microsoft.com Select your account name in the top right, then select profile. Select Additional security verification. If might be happen, your admin hast configured MFA, so you wouldn't see this menu. Simply switch the tenant to the guest tenant where you need to configure MFA. Once you go back to your profile and you will find the MFA device and other settings a usual:
Read more