In Part 4, we discussed and walked through how to connect the SBC up between the PSTN and Skype for Business using simple unencrypted signalling and media. In this article we will discuss how to create a secure connection to Skype for Business and encrypt the media traffic between them.
The first thing we must do is request and install an SSL certificate on the SBC. This can be from either a trusted SSL provider (if you are connecting to external services over TLS too) or from your internal PKI system, if you are encrypting internal traffic only.
- In the settings tab > security > SBC certificate > generate Sonus CSR, fill out the request form, providing the correct information
- Copy the CSR output to Notepad and save the file as SBC.req
- Process the CSR against your internal / external CA and obtain a valid certificate. The certificate must be in either X.509 or PKCS file format
- To install the certificate, you must first import the root certificate of the CA that issued you the cert. Click on trusted CA certificates and upload the root certificate to the SBC
- Next install the certificate supplied to the SBC from the CA, by clicking on the Sonus Certificates menu item and uploading your certificate
- Now reboot the Sonus SBC for the certificate to come into effect.
- After the reboot, the first configuration item we need to create is a Media Crypto Profile. This profile dictates which algorithms are supported for encrypting the media. From the media > media crypto profiles menu, create a new profile called Skype Crypto Profile. Change the operation from supported to required, and change the Key identifier length from 1 to 0
- Edit your Skype Media list and change the Crypto Profile ID to Skype Crypto Profile and apply the change
- Next we need to create a TLS profile. From the security > tls profiles menu create a new TLS profile called Skype TLS Profile. Change the TLS protocol to TLS 1.0 only and disable client validation
- Now you will have to mark the Skype Signalling group as inactive and remove the federated IP/FQDN of the Skype Mediation Server from the Signalling group.
- Once you have done this, go to SIP > SIP Server Tables > Skype Mediation Servers
- Change the listening port of the Mediation servers to 5067 and the protocol to TLS and choose the Skype TLS Profile
- Now go back to the Signalling group for Skype and change the listen port from TCP 5068 to TLS 5067 and choose the Skype TLS Profile
- Bring your signalling group back online and you now have a secure connection to Skype for Business using TLS.
- Edit the Skype for Business trunk configuration to require encryption and restart the mediation service
- To test if media is being encrypted between endpoints, you can run Wireshark or view the logs from the SBC / Skype for Business to prove TLS (I just haven’t had the time yet to put it here).
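The certificate steps above (CSR, CA-issued certificate in X.509 or PKCS form, root CA import) are where most TLS trunk builds go wrong: a CSR without the SBC's FQDN, a certificate that does not chain to the root you uploaded, or a certificate that was issued for a different key. The script below is an added example, not part of the original post or Sonus/Ribbon tooling. It stands up a throwaway CA in place of your PKI, issues an SBC certificate from a CSR, and then runs the checks you would apply to the real CSR and certificate before uploading them. The CA names, the FQDN sbc.example.com and the export password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: stand up a throwaway CA, issue an
# SBC certificate from a CSR, and run the checks worth applying to the real
# CSR and certificate before uploading them to the SBC. The CA, the FQDN
# sbc.example.com and the export password are constructed placeholders.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SBC_FQDN="sbc.example.com"   # placeholder: use the FQDN the Mediation Server dials

# One openssl config serves the CSR (section ext) and the test CA (ca_ext).
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $SBC_FQDN
O = Example Org
[ext]
subjectAltName = DNS:$SBC_FQDN
extendedKeyUsage = serverAuth, clientAuth
[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF

# Throwaway root CA standing in for your internal PKI. $1 names the files.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -subj "/CN=Example $1 Root CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Key and CSR for the SBC. The GUI's "generate Sonus CSR" produces the same
# kind of request; it is built with openssl here so the example runs offline.
make_sbc_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -keyout "$WORK/sbc.key" -out "$WORK/sbc.req" 2>/dev/null
}

# CA signs the CSR and returns an X.509 certificate in PEM form.
issue_sbc_cert() {
  openssl x509 -req -days 30 -sha256 -in "$WORK/sbc.req" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions ext -out "$WORK/sbc.pem" 2>/dev/null
}

# Check 1: the CSR names the SBC's FQDN in the SAN, which is what the
# Mediation Server validates when it connects over TLS.
csr_has_fqdn() {
  openssl req -in "$WORK/sbc.req" -noout -text | grep -q "DNS:$SBC_FQDN"
}

# Check 2: the certificate chains to the root ($1) you will upload under
# "trusted CA certificates". A certificate that does not chain is rejected.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$WORK/sbc.pem" >/dev/null 2>&1
}

# Check 3: the issued certificate belongs to the SBC's private key
# (compare the public keys rather than trusting file names).
cert_matches_key() {
  [ "$(openssl x509 -in "$WORK/sbc.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/sbc.key" -pubout)" ]
}

# Check 4: bundle key, certificate and root as PKCS#12 (the other format the
# post mentions) and confirm the bundle unpacks to a certificate again.
make_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/sbc.key" -in "$WORK/sbc.pem" \
    -certfile "$WORK/ca.pem" -passout pass:changeit -out "$WORK/sbc.p12" 2>/dev/null
  openssl pkcs12 -in "$WORK/sbc.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

make_test_ca ca
make_test_ca other      # a second, unrelated CA for the negative check
make_sbc_csr
issue_sbc_cert
csr_has_fqdn                        && echo "CSR carries SAN DNS:$SBC_FQDN"
cert_chains_to_ca "$WORK/ca.pem"    && echo "certificate chains to ca.pem"
cert_matches_key                    && echo "certificate matches sbc.key"
make_pkcs12                         && echo "PKCS#12 bundle written and re-read"
cert_chains_to_ca "$WORK/other.pem" || echo "as expected, does not chain to other.pem"
```

Against a real SBC.req and the certificate your CA returned, only the four check functions matter: point them at those files instead of the throwaway ones. The negative check at the end is the case the SBC's "trusted CA certificates" step guards against: a certificate signed by any root other than the one you uploaded fails verification in exactly this way.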
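For the last step, the two things worth proving from the SBC / Mediation Server logs are that the signalling really runs over the TLS listener on 5067 and that the SDP in the INVITE carries SRTP (RTP/SAVP with a=crypto lines, no MKI, which is what the Skype Crypto Profile with operation required and key identifier length 0 corresponds to). The script below is an added example, not from the original post: sdp_media_is_encrypted reads an SDP body from stdin, as you would paste it out of a SIP log, and sdp_uses_mki flags the MKI case; check_tls_listener is the openssl probe for the TLS port. The SDP bodies, host names and keys are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: two checks for the "prove it is
# encrypted" step. sdp_media_is_encrypted reads an SDP body (as captured in
# SBC or Mediation Server SIP logs) from stdin and confirms SRTP was offered
# the way the Skype Crypto Profile expects; check_tls_listener probes a
# Mediation Server's TLS port. Host names and SDP bodies are constructed.

# SDES crypto suites (RFC 4568) that count as acceptable here.
ALLOWED_SUITES="AES_CM_128_HMAC_SHA1_80 AES_CM_128_HMAC_SHA1_32"

# Returns 0 when every m= line uses RTP/SAVP and is followed by at least one
# a=crypto line naming an allowed suite, 1 otherwise (including an SDP with
# no media at all). Plain RTP/AVP media is what "operation: required" rejects.
sdp_media_is_encrypted() {
  awk -v suites="$ALLOWED_SUITES" '
    BEGIN { n = split(suites, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
    { sub(/\r$/, "") }                        # tolerate CRLF line endings
    /^m=/ { if (streams && !good) bad = 1     # previous stream had no crypto
            streams++; good = 0; savp = ($0 ~ / RTP\/SAVP /) }
    /^a=crypto:/ { split($0, f, " "); if (savp && (f[2] in ok)) good = 1 }
    END { if (streams && !good) bad = 1; exit (!streams || bad) ? 1 : 0 }'
}

# Returns 0 when any a=crypto line carries an MKI (the "|index:length" tail on
# the inline key). The post sets the key identifier length to 0, i.e. no MKI,
# so an offer like this would not match the Skype Crypto Profile.
sdp_uses_mki() {
  grep -Eq '^a=crypto:.*inline:[^ ]*\|[0-9]+:[0-9]+'
}

# Probes $1:$2 (default 5067) the way the signalling group will, pinning the
# issuing root in $3 so the verify result is meaningful. Uses TLS 1.0 to match
# the post's TLS profile. Needs network access, so it is defined but not run.
check_tls_listener() {
  host="$1"; port="${2:-5067}"; cafile="$3"
  echo | openssl s_client -connect "$host:$port" -servername "$host" \
      -tls1 -CAfile "$cafile" 2>/dev/null \
    | grep -E '^(subject|issuer)=|Protocol *:|Verify return code'
}

# Constructed SDP bodies: an SRTP offer, the same offer with an MKI, and a
# plain RTP offer (the key is placeholder base64, not real keying material).
SDP_SRTP='v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:UExBQ0VIT0xERVJLRVlNQVRFUklBTDAwMDAwMA==|2^31
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000'
SDP_SRTP_MKI="$(printf '%s\n' "$SDP_SRTP" | sed 's/|2^31$/|2^31|1:4/')"
SDP_RTP="$(printf '%s\n' "$SDP_SRTP" | grep -v '^a=crypto' | sed 's#RTP/SAVP#RTP/AVP#')"

# $1 label, $2 SDP body: one line of verdict per offer.
report() {
  if printf '%s\n' "$2" | sdp_media_is_encrypted; then enc="SRTP"; else enc="NOT encrypted"; fi
  if printf '%s\n' "$2" | sdp_uses_mki; then mki=", MKI present (profile expects none)"; else mki=""; fi
  echo "$1: $enc$mki"
}
report "srtp offer"      "$SDP_SRTP"
report "srtp+mki offer"  "$SDP_SRTP_MKI"
report "plain rtp offer" "$SDP_RTP"
# Real-world use: check_tls_listener mediation01.example.local 5067 root-ca.pem
```

Two practical notes on check_tls_listener. OpenSSL 3 builds refuse TLS 1.0 at their default security level, so on a modern workstation the probe needs the level lowered (for example `-cipher 'DEFAULT:@SECLEVEL=0'`) to reproduce what the post's TLS profile negotiates; and since TLS 1.0 is deprecated (RFC 8996), it is worth re-running the same probe with `-tls1_2` once you have confirmed the trunk works, to see whether the Mediation Server will accept the stronger profile.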
Part 6 >> Getting Around NAT
Mark is an Independent Microsoft Teams Consultant with over 15 years' experience in Microsoft Technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference, and a former MVP. You can follow him on Twitter @UnifiedVale