This article describes how to change the SIP transport protocol from TCP to TLS in a PBX - SBC Edge Portfolio - MS Exchange 2007/2010 Unified Messaging Server topology.

Overview

Previously, we covered the configuration steps for PBX - SBC - MS Exchange 2007/2010 Unified Messaging Server in Downstream Deployment of SBC Edge Portfolio in a PBX-SBC-eUM Topology. That configuration allows connectivity using TCP as the SIP Transport Protocol in the topology shown below.


In this article, we change the transport protocol from TCP to TLS in order to secure the voice calls. Follow the steps below to make the necessary additional adjustments to your existing configuration.

Configuring the SBC Edge Portfolio (SBC)

Note:

This document assumes that the PBX - SBC - MS Exchange 2007/2010 Unified Messaging Server settings have already been completed as described in Downstream Deployment of SBC Edge Portfolio in a PBX-SBC-eUM Topology.

  1. Create a new TLS profile.
    If you only want TLS as the transport protocol between the SBC and the UMS:
    1. Disable Mutual Authentication from the drop-down menu.
    2. Click Apply.

  2. In the left navigation pane, go to System > Node-Level Settings.
  3. Verify that the SBC host name, domain name, and relevant DNS IP address are correctly configured.

  4. Verify that the SBC gateway FQDN resolves to the correct IP address at the DNS level.

  5. If it does not, ask your domain administrator to allow the relevant name resolution at the DNS level (that is, the FQDN should resolve to the IP address and the IP address should resolve back to the FQDN).

  6. Generate an SBC CSR.
    1. In the left navigation pane, go to Security > Certificates > Generate SBC CSR.
      For more information, see Working with Certificates in the User's Guide.
    2. Verify that the FQDN of the gateway appears in the Common Name field.
    3. After you click the OK button, the SBC certificate request is generated and displayed in the lower pane of the Generate Certificate Signing Request page.
    4. Copy the content of the request and save it as a text file (e.g., certRequest.txt).
    5. Email the text file (the SBC certificate request file) to your Root Certificate Authority and have it signed by the CA.

      After the certificate request is signed, the CA administrator provides you with a signed certificate file (e.g., SBCcert.p7b).

  7. Import this file into the SBC.
    1. In the left navigation pane, go to Security / Certificates / Server Certificates.
    2. Confirm on the screen that the status of the certificate is OK.
      For more information, see Importing an SBC Edge Portfolio Primary Certificate.

  8. Verify that the Trusted CA Certificate is imported.
    1. In the left navigation pane, go to Security / Certificates / Server Certificates.
    2. Verify that today's date falls between the Start Validity and Expiration dates.

  9. In the left navigation pane, go to Signaling Groups > the relevant Signaling Group for the Exchange 2010 Server.

  10. Add port 5061 for TLS in the Listening Ports pane.

  11. Add the FQDN of the Exchange server in the Federated IP/FQDN pane.
    For more information, see Creating and Modifying SIP Signaling Groups.

  12. In the left navigation pane, go to Security > Certificates > Exchange server entry.

  13. Verify that the following are present:
    1. The FQDN of the Exchange server is entered in the HOST field.
    2. The desired port number is set (e.g., 5061).
    3. TLS is selected in the PROTOCOL field.


Configuring the Exchange Server

VoIP Security

  1. Launch Exchange Management Console on Exchange Server and navigate to Organization Configuration > Unified Messaging (in navigation pane).
  2. Open the properties of the relevant UM Dial Plan.
  3. Set VoIP security to SIP Secured in the drop-down menu.
  4. Click OK (this setting is required for TLS).

Port Settings

  1. Launch Exchange Management Shell on Exchange Server.
  2. Run the command Set-UMIPGateway -Identity "<Your UM IP GW ID>" -Port 5061 to set the communication port between the SBC and the Exchange Server to 5061.
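The following Exchange Management Shell script is an added example (not part of the original article) that ties together the checks in steps 4, 5 and the Port Settings above: it confirms the SBC FQDN resolves forward and in reverse consistently, reports whether the UM dial plan is already SIP Secured, and sets the UM IP gateway port to 5061 only if it is not already set. The FQDN, gateway identity and dial plan identity are placeholders you must replace with your own values.

```powershell
# Added verification script; not from the article. All three values below are assumed placeholders.
$SbcFqdn    = "sbc.example.com"        # assumed: your SBC gateway FQDN (step 4)
$GatewayId  = "<Your UM IP GW ID>"     # placeholder from the article
$DialPlanId = "<Your UM Dial Plan>"    # assumed: the dial plan changed under VoIP Security

# Steps 4-5: forward lookup must succeed and each address must resolve back to the same FQDN.
function Test-ForwardReverseDns {
    param([string]$Fqdn)
    $addresses = [System.Net.Dns]::GetHostAddresses($Fqdn)
    if (-not $addresses) { Write-Warning "Forward lookup failed for $Fqdn"; return $false }
    $ok = $true
    foreach ($ip in $addresses) {
        try {
            $reverse = [System.Net.Dns]::GetHostEntry($ip).HostName
        } catch {
            Write-Warning "No reverse (PTR) record for $ip"; $ok = $false; continue
        }
        if ($reverse -ine $Fqdn) {
            Write-Warning "Reverse lookup of $ip returned '$reverse', expected '$Fqdn'"
            $ok = $false
        } else {
            Write-Host "$Fqdn <-> $ip resolves consistently"
        }
    }
    return $ok
}

if (-not (Test-ForwardReverseDns -Fqdn $SbcFqdn)) {
    Write-Warning "Fix DNS before enabling TLS; the TLS handshake relies on the FQDN matching the SBC certificate."
}

# VoIP Security section: the dial plan must be SIP Secured for TLS signaling. Report only; the article
# sets this through the Exchange Management Console.
$dialPlan = Get-UMDialPlan -Identity $DialPlanId
if ($dialPlan.VoIPSecurity -ne "SIPSecured") {
    Write-Warning "Dial plan '$DialPlanId' has VoIPSecurity=$($dialPlan.VoIPSecurity); set it to SIP Secured."
}

# Port Settings section: move the UM IP gateway to 5061 (TLS) if it still uses the TCP port.
$gateway = Get-UMIPGateway -Identity $GatewayId
if ($gateway.Port -ne 5061) {
    Set-UMIPGateway -Identity $GatewayId -Port 5061
    $gateway = Get-UMIPGateway -Identity $GatewayId
}
Write-Host "UM IP gateway '$($gateway.Name)' -> $($gateway.Address):$($gateway.Port)"
```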

Upon successful completion of the steps in this procedure, you should be able to make SBC ↔ Exchange UMS calls over the TLS transport protocol without any issues.