In this section:
Modified: for 6.1.4
These instructions include how to convert a CCE from using TCP to using TLS communications within the SBC.
The following Prerequisites are required before re-configuring the CCE for TLS:
You must disable AutoUpdate.
If you are in a time window dedicated to the Auto-Update, use the command Set-CsHybridPSTNSite to set EnableAutoUpdate to $False. Replication of the information may take up to 30 minutes.
Failure to update the SBC to the latest firmware (6.1.4 or later) could lead to deployment failure.
Refer to the SBC Edge Release Information for instructions on obtaining the latest firmware.
Configure the CCE for TLS as follows:
Click the link Click to re-configure CCE application.
Re-configure CCE Application
From the Raw (INI) Config drop down box, select Edit.
Edit CCE Screen
View the CCE Configuration INI File window; this window enables editing of the CCE Configuration File.
CCE Configuration INI File
CCE Configuration INI File - Gateway Section
Click OK.
Update Port and Protocol Fields
Click Click to re-prepare the CCE.
Re-Prepare the CCE
Scroll to the bottom of the window and click Prepare CCE.
Prepare CCE
Enter the CCE VM Password and click OK.
Enter VM Password
Click Apply.
Remote Desktop to the ASM
Configure the SBC for TLS as follows:
Access the WebUI.
Click Settings > Media > Media Crypto Profile.
Create a Crytpo Profile with the settings below.
Click OK.
Create Crypto File
From the desired Crypto Profile ID drop down list, select the desired profile (the newly created Crypto Profile).
Media DSCP Option
Media List Configuration
Click Settings > Security > TLS Profiles.
Create a TLS profile with the following settings.
TLS Protocol = TLS 1.2 Only
Mutual Authentication = Enabled
Handshake Inactivity Timeout = 30 secs
Include all Client Ciphers
Validate Server FQDN = Enabled
Validate Client FQDN = Disabled
Click OK.
Validate Client FQDN must be set to DISABLED.
Create TLS Profile
Edit the applicable CCE Signaling Group to add Listen Ports with the following parameters: Protocol: TLS, Port: 5067, and the TLS Profile created in the previous step.
Edit Signaling Group
Edit the applicable SIP Server Table to use the following parameters: Protocol: TLS, Port: 5067 and the applicable CCE TLS Profile.
Edit SIP Server Table
For Mutual TLS Authentication to function between two devices, both devices must share their Trusted Root CA Certificates with each other. Before attempting to perform the Certificate exchange, insure that the SBC contains a Trusted Root CA Certificate. The following link details how to verify the SBC has a Trusted Root CA Certificate and if necessary how to obtain a new one from a Standalone Windows Certificate Authority.
Refer to Importing Trusted Root CA Certificates.
The CCE requires that the Trusted Root CA Certificate be in .p7b format.
Remote desktop to the CCE.
Execute the following Powershell command to Export the Root CA certificate: Export-CcRootCertificate -Path C:\UX\PUBLIC\XFER
Use Powershell
Copy the CCE Root Certificate file to where it will be easily accessible to the SBC WebUI.
Copy CCE Root Certificate
Import the CCE Root CA certificate into the SBC.
Trusted CA Certificate Table
Import Trusted CA Certificate
View the two Trusted CA Certificates (the SBC certificate and the certificate copied from the CCE).
Trusted CA Certificates Listed
Obtain a Trusted Root CA Certificate from the same Issuer that provided the original SBC Certificate. The CCE requires that the Trusted Root CA Certificate be in .p7b format.
Obtain Trusted Root CA Certificate
The Certificate Service downloads a file that contains the Trusted Root CA. Take note of filename and location location of the Certificate. The Certificate must be in p7b format and the filename extension must be ".p7b". The following example is for demonstration purposes only and your Certificate Services system may generate a different filename.
Sample Certificate
Remote Desktop to the CCE and copy the New Trusted Root CA file to the folder C:\UX\PUBLIC\XFER.
Copy New Trusted Root CA File
In CCE, execute the following Powershell command to Import the New Trusted Root CA file:
Set-CcExternalCertificateFilePath - Path C:\UX\PUBLIC\XFER\certnew.p7b -Target MediationServer -Import
Substitute your own file name for the "certnew.p7b" shown in the example.
Execute Powershell Command