Setting up Teams Direct Routing has a couple difficult portions, especially when trying to get the TLS SIP trunk up and responding. After working to get Teams Direct Routing up, here are some of the pitfalls I had to crawl out of.
First, we needed to figure out which Certificate Authorities were allowed and that Microsoft Teams would support. My google-fu must have been failing, because it took me forever to find the list of Microsoft trusted Certificate Authorities. But since I found it, I will link to it here.
Here is the list of root CA Microsoft Allows:
- AddTrust External CA Root
- Baltimore CyberTrust Root
- Class 3 Public Primary Certification Authority
- Comodo Secure Root CA
- Deutsche Telekom
- DigiCert Global Root CA
- DigiCert High Assurance EV Root CA
- Go Daddy
- Verisign, Inc.
- Symantec Enterprise Mobile Root for Microsoft
- Thawte Timestamping CA
- T-Systems International GmbH (Deutsche Telekom)
Which of course was one of my problems. As I was working in a lab and trying to use the free CA: https://letsencrypt.org/. Let’s Encrypt is a great free public certificate authority, but the only issue is their certificates are only for a really short time period. This makes them great for Labs and proof of concepts, but not perfect for a production use–unless you like swapping certificates every couple months or having outages.
The other major ‘gotcha’ I found is you have to import the certificate for the Microsoft root certificate. This was also problematic for me to find, but eventually I found it here.
Once I used a trusted certificate authority and loaded the Omniroot CA certificate, my TLS SIP trunk came up. I could then see the SIP options being passed from one gateway to the other.
Jason Howe, Senior Network Engineer