Using TLS with an Audiocodes SBC and Skype for Business

This post will be a quick guide on how to setup a TLS trunk between an Audiocodes SBC and Skype for Business.

Since it is a quick guide it will not cover in detail all of the different available settings within an Audiocodes SBC or really explain what the settings I am changing actually do (I have a post on this coming soon).

The setup is fairly straight-forward and the steps are as follows:

  1. Generate a CSR from the SBC
  2. Download the root certificate (I’m using an internal CA, but public is fine)
  3. Request the certificate for the device and download it
  4. Import both certificates to the SBC
  5. Build out the trunk to the Skype Front End/Servers servers using TLS
  6. Add the new trunk in the Skype for Business topology and publish it

On a side note: people might think it’s weird that I don’t block out FQDNs, I show CSRs, I show ports, IPs, etc.. I do this because this is essentially a disposable lab environment which is entirely self-contained. There is no public DNS pointing to this lab, I destroy the VMs all the time, and really just don’t have to worry about putting this information out there. I’m also too lazy to edit all of these pictures.

Installing the Certificate on the Audiocodes SBC

The first thing we need to do is get the certificate installed. In order to do this, we’ll need to generate a CSR from the SBC to get the device certificate and we’ll need to grab the root certificate as well (I’ll be using an internal CA for this).

Generating the CSR

Now we’ll generate the CSR which will be used for requesting the device certificate.

Underneath Setup, go to IP Network=>Security=>TLS Contexts

Near the bottom, click Change Certificate

maintlsviewedit

Now you need to fill out the CSR (only the Subject Name and algorithm name are required). I did SHA-2 for the algorithm and gave it a name which is configured in DNS (this is the name you will need to use in the topology later).

filloutcsr

Then click Create CSR. This will generate the text used for making the device certificate request. Copy everything in blue and save it for later.

actualCSR

Getting the Root and Device Certificates from an Internal CA

*If you already know how to do this, then you can skip to the next section. It just involves a certificate request and downloading the root, both as base 64 encoded*

Now we need to obtain the root and device certificates. If you are using an internal CA, you need to make sure that it has been deployed properly and that you can use the web interface to download certificates.

Open a browser and go to https://<your_CA_FQDN>/certsrv

ca

To download the root certificate, click on Download a CA certificate, certificate chain, or CRL

Next you want to choose a valid CA from the list and click Download CA certificate

root

This will result in a .cer file which you will need in later steps.

And since we are already here, let’s grab the device certificate too. Go back to the main page, https://<your_CA_FQDN>/certsrv, and choose Request a certificate. Click on advanced certificate request

adv

At the next screen you need to paste in the CSR text you obtained earlier. Make sure to set the certificate template to Web Server

requestOnce you submit it choose base 64 encoded and then Download certificate

download

This will result in another .cer file. At this point we have both the root and device certificates which we can then import.

Importing the Certificates

Now we can go back to the SBC and import the root certificate. Go back to IP Network=>Security=>TLS Contexts

Near the bottom of the page, click Trusted Root Certificates. At the Trusted Certificates table, click Import and choose the root certificate that was just downloaded.

After this you will see an entry in the table which contains the information for your root CA

root_info

Now we need to import the device certificate. Go back to the TLS Contexts menu and choose Change Certificates. Near the bottom of this page click Choose File under “Send Device Certificate from your computer…” Once you choose it, click load file

device_cert

A message right below will show up in blue if there were no issues with the import. Logout of the SBC and log back in. You should now see that the HTTPS session is secure and the certificate chain should show the device and root certificates.

Setting up the Trunk to Skype for Business

In this section I will be going through the configuration of the Skype for Business facing trunk. My networking is already setup and I have my SIP trunk configured with my SIP trunk provider (Flowroute). All that I need to do at this point is setup the logical trunk and configure it to talk to Skype for Business.

If I look at the Topology View (the home button right above Core Entities), this is what it currently looks like

initial_topology

Upstream is all good but I don’t have anything setup downstream (the LAN side), which in this case will be a Skype for Business Front End pool. To setup the TLS trunk I’ll need to do the following (in order):

  1. Add a new SIP interface
  2. Add a new Media Realm (technically this is optional)
  3. Add a new Proxy Set
  4. Add a new IP group

Since the networking is already done on this SBC (my IP Group, Ethernet Device, and IP interfaces are setup) I can just skip right to the Signaling & Media section te begin configuring each of these items. Essentially you just work your way down the left navigation bar under Core Entities.

Go to SIP Interfaces. Click +New and change the settings to the following (any fields with the yellow shading means the fields were changed from the defaults):

SIP_IF

Notice that I did not change the TLS Context for the SIP Interface. This is because I added the certificates to the existing default TLS Context. If I would have made a new TLS Context and placed the certs there instead, I would need to change this to point to the new Context.

Now I will add the Media Realm which will determine the port range used for media. It’s important to make sure that the range is big enough so that you do not run out of available ports.

MR

And we will now define the endpoints which we are building the trunk with (the Skype servers) by adding a new Proxy Set

proxy

Once the settings for the Proxy Set are defined, we’ll need to actually add the proxy addresses by clicking on the Proxy Address table

pa_table-edited.png

I’ll add each of my 3 Front End/Mediation servers as separate proxy entries in this table

pa_entry1

Quick note: Since I don’t differentiate between listening and destination port for this trunk, I don’t need to specify the port at the end of the proxy as I do here (I do it out of habit).

After I add the other 2 servers I will have these entries in the table

all_proxies

My last step on the SBC is to build out the IP Group

IPG

There is one more option that needs to be set for the IP Group, but I couldn’t fit it in this screenshot. Further down in the IP Group options, under SBC General, set Classify By Proxy Set to Enable. While technically not best practice, it will be fine for now (you should really have more strict rules for defining/classifying traffic).

And that’s it!

Save the configuration and then click on Topology View to see what you built out. You will notice that while the topology looks good, you still see a red ‘x’ downstream

downsteambad.png

This is because we enabled keep alive to the servers in that IP group (the Skype for Business servers) and they are not responding. They are not responding simply because this SBC and trunk have not yet been added to the topology so they are not accepting connections from this SBC (or at least from this SBC on port 5067).

Enabling SRTP

If you are using TLS for signaling, there is a good chance that you also want to enable SRTP for media as well. If that’s the case, you just need to change a couple of settings.

Under Signaling & Media, go to Media=>Media Security. Modify each of the fields which have been modified (fields with yellow background) to be exactly what is shown here

srtp

Keep in mind that any field with the lightning bolt on it requires a reboot of the SBC to take effect. So after changing the settings make sure to reset the device (and save to flash!).

In Skype for Business, the default global trunk configuration is SRTP is required (though in the background I believe this setting is ignored if the trunk is configured as a TCP trunk in topology). If you have changed this then you may need to go to the Skype for Business Control Panel and make a new trunk configuration change for this new trunk, setting the Encryption support level to Required. 

You can also make it so that the SBC will require SRTP by going to Media=>Media Security and setting Media Security Behavior to Mandatory.

Adding the Gateway and Trunk to the Topology

Open up topology builder and go to Shared Components. If the SBC has not yet been added as a PSTN gateway then you need to add it by right-clicking PSTN gateways and choosing to add a new one.

From here, enter the DNS name of the SBC (this must match the subject name on the certificate) and choose next.

add_gw

On the next screen, even though it depends on you particular network setup, you will likely want to just leave the default option and Enable IPv4 and using all configured IP addresses.

And finally you will be at the trunk configuration window. Remember how the SIP Interface on the SBC was configured for TLS 5067 and the proxies were all explicitly sending to TLS 5067 — this is the point where those settings are used.

The Listening port for IP/PSTN gateway is the port which the SBC is listening on (the destination port to from SfB to the SBC) and the Associated Mediation Server port is the port which the Front End/Mediation servers are listening on (the destination port from the SBC to SfB servers).

Since we did 5070 both ways on the SBC I’ll do the same in Skype for Business

trunk_set

Click finish and then publish the topology.

After waiting a couple of minutes for replication, go back to the SBC and check the topology view again and you should see a green check mark downstream

yay.png

And that completes the trunk setup.

Fin

As mentioned at the beginning of the post, I neglected to add a lot of important information. I didn’t explain the WAN configuration, the networking side, the required IP routes, or really explain what most of these settings do.

I have a lot more posts coming on Audiocodes SBCs and will be covering each of these items.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s