Reconfiguring the CCE for TLS

These instructions include how to convert a CCE from using TCP to using TLS communications within the SBC.

Prerequisites

The following Prerequisites are required before re-configuring the CCE for TLS:

• CCE has been previously deployed and is operating with the SBC using TCP (for details about initial deployment with TCP, refer to Configuring the SBC Edge for a Single CCE).
• For Mutual TLS authentication to function between two devices, both devices must share their Trust Root CA Certificates with each other. By default, the SBC Edge is pre-configured with a Self-signed Server Certificate. The following procedure must be followed to obtain a Trusted Root CA Certificate: Managing Server Certificates.

Configure the CCE

Configure the CCE for TLS as follows:

1. Access the WebUI.
2. Click Tasks > Setup Cloud Connector Edition > Configure CCE.

3. Click the link Click to re-configure CCE application.
   
   

   Re-configure CCE Application

    
   
   
   

4. From the Raw (INI) Config drop down box, select Edit.
   
   
   

   Edit CCE Screen

    
   
   
   

5. View the CCE Configuration INI File window; this window enables editing of the CCE Configuration File.

   CCE Configuration INI File

    

6. In the INI file, scroll down to the section marked Gateway.

    

   CCE Configuration INI File - Gateway Section

   

7. Change the Port to 5067 and Protocol to TLS.

8. Click OK.

   Update Port and Protocol Fields

   

9. Click Tasks > Setup Cloud Connector Edition > Prepare CCE.

10. Click Click to re-prepare the CCE.

    Re-Prepare the CCE

    

11. Scroll to the bottom of the window and click Prepare CCE.

    Prepare CCE

     

12. Enter the CCE VM Password and click OK.

    Enter VM Password

    

13. Remote desktop to the ASM (refer to Enabling and Disabling Remote Desktop on the ASM).
14. Run the Sonus CloudLink Deployer application from the icon on the desktop.
15. Click on the first three check boxes:
    
    • Transfer Credentials from SBC: Imports the password that has been set during Preparing the CCE.
    • Register Appliance: Registers this new appliance on your Office365 tenant.
    • Install Appliance: Deploys the CCE.

16. Click Apply.

    Remote Desktop to the ASM

    

Configure the SBC

Configure the SBC for TLS as follows:

1. Access the WebUI.

2. Click Settings > Media > Media Crypto Profile.

3. Create a Crytpo Profile with the settings below.

4. Click OK.

    

   Create Crypto File

   

5. Click Media > Media List.
6. Select the desired Media List used by the CCE Signaling Group.

7. From the desired Crypto Profile ID drop down list, select the desired profile (the newly created Crypto Profile).
   
   

   Media DSCP Option

   

   Media List Configuration

   

8. Click Settings > Security > TLS Profiles.

9. Create a TLS profile with the following settings.
   

   TLS Protocol = TLS 1.2 Only

    Mutual Authentication = Enabled

    Handshake Inactivity Timeout = 30 secs

    Include all Client Ciphers

    Validate Server FQDN =  Enabled

    Validate Client FQDN = Disabled

   
   

10. Click OK.

    Validate Client FQDN must be set to DISABLED.

     

    Create TLS Profile

    

11. Access Settings > Signaling Groups.

12. Edit the applicable CCE Signaling Group to add Listen Ports with the following parameters: Protocol: TLS, Port: 5067, and the TLS Profile created in the previous step.

    Edit Signaling Group

     

13. Access Settings > SIP Server Tables.

14. Edit the applicable SIP Server Table to use the following parameters: Protocol: TLS, Port: 5067 and the applicable CCE TLS Profile.

    Edit SIP Server Table

    

Exchange Certificates Between CCE and SBC

For Mutual TLS Authentication to function between two devices, both devices must share their Trusted Root CA Certificates with each other.  Before attempting to perform the Certificate exchange, insure that the SBC contains a Trusted Root CA Certificate.  The following link details how to verify the SBC has a Trusted Root CA Certificate and if necessary how to obtain a new one from a Standalone Windows Certificate Authority.

Refer to Importing Trusted Root CA Certificates.

1. Remote desktop to the CCE.

2. Execute the following Powershell command to Export the Root CA certificate: Export-CcRootCertificate -Path C:\UX\PUBLIC\XFER

   Use Powershell

   

3. Copy the CCE Root Certificate file to where it will be easily accessible to the SBC WebUI.

   Copy CCE Root Certificate

   

4. Import the CCE Root CA certificate into the SBC.

   Trusted CA Certificate Table

   

   Import Trusted CA Certificate

    
   
   
   

5. View the two Trusted CA Certificates (the SBC certificate and the certificate copied from the CCE).

   Trusted CA Certificates Listed

    

6. Obtain a Trusted Root CA Certificate from the same Issuer that provided the original SBC Certificate. The CCE requires that the Trusted Root CA Certificate be in .p7b format.

   Obtain Trusted Root CA Certificate

    
   
   
   

7. The Certificate Service downloads a file that contains the Trusted Root CA. Take note of filename and location location of the Certificate. The Certificate must be in p7b format and the filename extension must be ".p7b". The following example is for demonstration purposes only and your Certificate Services system may generate a different filename.

   Sample Certificate

    

8. Remote Desktop to the CCE and copy the New Trusted Root CA file to the folder C:\UX\PUBLIC\XFER.

   Copy New Trusted Root CA File

   

9. In CCE, execute the following Powershell command to Import the New Trusted Root CA file:
   
   Set-CcExternalCertificateFilePath - Path C:\UX\PUBLIC\XFER\certnew.p7b -Target MediationServer -Import

   Substitute your own file name for the "certnew.p7b" shown in the example.

   Execute Powershell Command