3355 Views, 10 Helpful, 8 Replies

Secure trunk (TLS) between CUCM and Microsoft Lync

b.paik
Level 1

Hi,

I am trying to get CUCM 11.0 and Microsoft Lync 2013 working with a direct SIP trunk over TLS and SRTP. It's working fine without the TLS configuration, but as soon as I try to secure the signalling and media I get a certificate error in Wireshark from CUCM to Lync, "unsupported certificate", and they are both from the same enterprise CA using a SHA256 hash (not SHA1).

Just wondering if anyone has successfully got this configuration working?

CUCM -------------(SIP TRUNK-TLS)----------LYNC_2013

Thanks in advance :)

8 Replies

Md Hasan
Cisco Employee

Please check in Wireshark the cipher suites from Lync and from CUCM. It might be that something is different between the two servers, which could point to the 'issue'.

Below is the security guide; what was found in Wireshark can be matched against any information in it on support for those cipher suites.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_0_1/secugd/CUCM_BK_C1A78C1D_00_cucm-security-guide-1101.pdf

Thanks Md,

Resolved the issue. I was missing an attribute on the CUCM certificate; once I requested a new cert with the right attribute, everything started working OK :)

Thanks for your reply.

Regards,

B

Hello!

I have a similar problem. When I configure a trunk between CUCM 11.0.1.21900-11 and Skype for Business I get the following error:

Microsoft.Rtc.Signaling.TlsFailureException:An unknown error occurred while processing the certificate ---> Microsoft.Rtc.Internal.Sip.TLSException: outgoing TLS negotiation failed; HRESULT=-2146893017

I'm using a certificate from my corporate CA, RSA with SHA-384.

What are the attributes you added to the certificate?

Hi Alekov,

In my case I was missing the Client / Server Authentication attribute. I have attached the image; hope it will help. If you can send me the certificate attributes I can check to see if they are correct.

Hope this helps,

Regards,

B
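The fix above comes down to the certificate's Extended Key Usage: a SIP trunk acts as TLS client for the connections it opens and as TLS server for the ones it accepts, so the certificate has to carry both serverAuth and clientAuth, and its name has to match the FQDN the peer has the trunk configured with. The following script is an added example, not code from the original posters; it uses the Python `cryptography` library to run those checks on a certificate, and generates self-signed test certificates (with a constructed FQDN, `cucm-test.example.local`) so it runs offline. The `load_pem` helper is the entry point for a real certificate exported from CUCM or the Lync/SfB computer store.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Assumed trunk FQDN; stands in for the real CUCM node name in the thread.
TRUNK_FQDN = "cucm-test.example.local"


def make_test_cert(cn, sans=(), server_auth=True, client_auth=True,
                   hash_alg=hashes.SHA256()):
    """Self-signed test certificate standing in for the enterprise-CA one.
    The two EKU switches reproduce the 'missing attribute' case."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
    )
    if sans:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]),
            critical=False)
    ekus = []
    if server_auth:
        ekus.append(ExtendedKeyUsageOID.SERVER_AUTH)
    if client_auth:
        ekus.append(ExtendedKeyUsageOID.CLIENT_AUTH)
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus),
                                        critical=False)
    return builder.sign(key, hash_alg)


def load_pem(path):
    """Load a Base64/PEM certificate exported from CUCM or the SfB store."""
    with open(path, "rb") as f:
        return x509.load_pem_x509_certificate(f.read())


def check_trunk_cert(cert, fqdn=TRUNK_FQDN):
    """Return a list of problems; an empty list means the certificate is
    usable on a mutually authenticated SIP-over-TLS trunk."""
    problems = []

    # 1. EKU: outbound OPTIONS/INVITE make the trunk a TLS client, inbound
    #    ones make it a TLS server, so both purposes are required.
    try:
        ekus = set(cert.extensions.get_extension_for_class(
            x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        ekus = set()
    for oid, label in ((ExtendedKeyUsageOID.SERVER_AUTH, "serverAuth"),
                       (ExtendedKeyUsageOID.CLIENT_AUTH, "clientAuth")):
        if oid not in ekus:
            problems.append(f"EKU missing {label}")

    # 2. Name: the peer matches the presented certificate against the trunk
    #    FQDN it is configured with; SAN dNSName first, CN as fallback.
    names = {a.value for a in
             cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)}
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value
        names.update(san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass
    if fqdn.lower() not in {n.lower() for n in names}:
        problems.append(f"neither CN nor SAN matches trunk FQDN {fqdn}")

    # 3. Signature hash and key size: flag SHA-1 and short RSA keys.
    if cert.signature_hash_algorithm.name == "sha1":
        problems.append("signed with SHA-1")
    if cert.public_key().key_size < 2048:
        problems.append(f"RSA key only {cert.public_key().key_size} bits")
    return problems


def demo():
    """Reproduce the thread: the cert without Client/Server Authentication
    fails the check, the re-issued one passes."""
    broken = make_test_cert(TRUNK_FQDN, [TRUNK_FQDN],
                            server_auth=False, client_auth=False)
    fixed = make_test_cert(TRUNK_FQDN, [TRUNK_FQDN])
    return check_trunk_cert(broken), check_trunk_cert(fixed)


if __name__ == "__main__":
    before, after = demo()
    print("original cert:", before or "ok")
    print("re-issued cert:", after or "ok")
```

On a real deployment run `check_trunk_cert(load_pem("cucm.pem"), "<trunk FQDN>")` against the certificate uploaded to CUCM and again against the SfB Mediation Server certificate with the FQDN CUCM has in its trunk destination; the same root must also be in CallManager-trust and in the Windows machine store, which this script does not verify.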

Thank you for your reply.

I added an Application Certificate Policy: Client Authentication in my certificate template and created a CSR from CUCM, but the problem persists. I get this error in Event Viewer:

Log name: Lync Server

Source: LS Mediation Server

Event ID: 25051

The Trunk, cucm-test-city.domain.local;trunk=cucm-test-city.domain.local, is not responding to an OPTIONS request sent by the Mediation Server service.
DNS Resolution Failure: False
Exception: ErrorCode=-2146893017
FailureReason=Other
LocalEndpoint=10.200.2.51:50164
RemoteEndpoint=10.50.251.7:5061
RemoteCertificate=<null>
Microsoft.Rtc.Signaling.TlsFailureException:An unknown error occurred while processing the certificate ---> Microsoft.Rtc.Internal.Sip.TLSException: outgoing TLS negotiation failed; HRESULT=-2146893017

Hi Alekov,

Sounds to me like there is no root certificate on the Lync machine. Have you uploaded the root cert to the Lync computer store as well as CallManager-trust?

Can you upload your root cert, and the certificates you have used on Lync and CUCM?

Hello b.paik, thank you for your reply.

I just added the Application Certificate Policy: Client Authentication in the certificate template for Skype for Business (and for CUCM); not sure it is correct, but it works for me.

BUT I have another problem: the calls go through, but there is no voice. As I understand it, SRTP doesn't work. Errors in the Skype for Business log:

If the call is from CUCM to SfB:

SDP negotiation failed with the Trunk.

Trunk FQDN cucm-test-city.domain.local;trunk=cucm-test-city.domain.local, Reason Gateway did not offer SRTP keys which is required by Mediation Server.
Cause: The Trunk is either not configured correctly, incompatible with Mediation Server, or not certified.
Resolution:
Check that the Mediation server and Trunk are configured correctly.

If the call is from SfB to CUCM:

SDP negotiation failed with the Trunk.

Trunk FQDN cucm-test-city.domain.local;trunk=cucm-test-city.domain.local, Reason RTP/SRTP mismatch between transport profiles
Cause: The Trunk is either not configured correctly, incompatible with Mediation Server, or not certified.
Resolution:
Check that the Mediation server and Trunk are configured correctly.

Which SRTP settings may not be the same?

I have the same issue when I call from CUCM to Skype for Business 2015.

I get the error message:

gateway did not offer srtp keys which is required by mediation server

Any new
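The two Mediation Server errors quoted above (by Alekov and again by the last poster) are both about the SDP, not the TLS trunk: "Gateway did not offer SRTP keys" means the INVITE from CUCM carried an RTP/AVP audio line with no a=crypto attribute, and "RTP/SRTP mismatch between transport profiles" means CUCM answered the Mediation Server's RTP/SAVP offer with RTP/AVP. Both point at the CUCM side still sending plain RTP, which normally means SRTP is not enabled on the trunk (the SRTP Allowed setting and an encrypted SIP trunk security profile). The script below is an added example, not from the original posters, that reads the SDP body out of a SIP trace and reports these conditions the way the SfB log words them; the SDP bodies, addresses and the SDES key are constructed for the example.

```python
import base64
import re

# Master key + master salt length in bytes for the SDES suites of RFC 4568
# (AES_CM_128: 16 + 14) and RFC 6188 (AES_256_CM: 32 + 14).
SUITE_KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "AES_256_CM_HMAC_SHA1_80": 46,
    "AES_256_CM_HMAC_SHA1_32": 46,
}

# Constructed SDP bodies, shaped like what Wireshark "Follow SIP stream"
# shows for an INVITE and its 200 OK. Not captured from the posters' systems;
# the "AQEB"*10 key is a placeholder of the right length (30 bytes).
CUCM_OFFER_PLAIN = """v=0
o=- 2000 1 IN IP4 10.50.251.7
s=SIP Call
c=IN IP4 10.50.251.7
t=0 0
m=audio 24580 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
"""

# Same offer as CUCM would send once SRTP is enabled on the trunk.
CUCM_OFFER_SRTP = CUCM_OFFER_PLAIN.replace("RTP/AVP", "RTP/SAVP") + (
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "AQEB" * 10 + "\n")

SFB_OFFER_SRTP = """v=0
o=- 1 1 IN IP4 10.200.2.51
s=session
c=IN IP4 10.200.2.51
t=0 0
m=audio 50040 RTP/SAVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:""" + "AQEB" * 10 + "\n"


def parse_audio(sdp):
    """Transport profile and a=crypto values of the first m=audio section."""
    profile, cryptos, in_audio = None, [], False
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            if in_audio:
                break                      # next media section, stop
            fields = line[2:].split()
            if len(fields) >= 3 and fields[0] == "audio":
                in_audio, profile = True, fields[2]
        elif in_audio and line.startswith("a=crypto:"):
            cryptos.append(line[len("a=crypto:"):])
    return profile, cryptos


def check_crypto(value):
    """Validate one a=crypto value ('<tag> <suite> inline:<base64>[|...]').
    Returns None if acceptable, otherwise a description of the problem."""
    m = re.match(r"(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/]+)", value)
    if not m:
        return "malformed a=crypto value"
    suite, key_b64 = m.group(2), m.group(3)
    if suite not in SUITE_KEY_LEN:
        return f"unsupported crypto suite {suite}"
    key = base64.b64decode(key_b64 + "=" * (-len(key_b64) % 4))
    if len(key) != SUITE_KEY_LEN[suite]:
        return (f"{suite} key||salt is {len(key)} bytes, "
                f"expected {SUITE_KEY_LEN[suite]}")
    return None


def classify_offer(sdp):
    """Say what the offer carries, in the terms the Mediation Server log uses."""
    profile, cryptos = parse_audio(sdp)
    if profile is None:
        return "no audio m-line"
    if not cryptos:
        if profile == "RTP/AVP":
            return "RTP only: no SRTP keys offered"
        return f"{profile} without a=crypto: peer cannot derive SRTP keys"
    problems = [p for p in map(check_crypto, cryptos) if p]
    if problems:
        return "SRTP keys offered but unusable: " + "; ".join(problems)
    if profile != "RTP/SAVP":
        return f"SRTP keys offered on {profile}: expect a profile mismatch"
    return "SRTP keys offered (RTP/SAVP)"


def compare_profiles(offer, answer):
    """The 'RTP/SRTP mismatch between transport profiles' condition: the
    answer must keep the transport profile the offer used."""
    offered, _ = parse_audio(offer)
    answered, _ = parse_audio(answer)
    if offered != answered:
        return f"mismatch: offered {offered}, answered {answered}"
    return f"profiles agree ({offered})"


if __name__ == "__main__":
    print("CUCM -> SfB, SRTP off:", classify_offer(CUCM_OFFER_PLAIN))
    print("CUCM -> SfB, SRTP on: ", classify_offer(CUCM_OFFER_SRTP))
    print("SfB -> CUCM, CUCM answers RTP/AVP:",
          compare_profiles(SFB_OFFER_SRTP, CUCM_OFFER_PLAIN))
```

Paste the SDP from the CUCM INVITE into `classify_offer` and the SDP from CUCM's 200 OK, together with the Mediation Server's INVITE, into `compare_profiles`; with the encryption support level on the SfB trunk set to Required, anything other than "SRTP keys offered (RTP/SAVP)" and "profiles agree" reproduces one of the two log entries above.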