Hello,
not to comment on the specific error, but the correct way to support multiple MS Teams endpoints is to use the carrier model of the MS Teams SBC architecture with sub-domains.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
From: Nick Digalakis via sr-users <sr-users@lists.kamailio.org>
Sent: Sunday, 4 August 2024 09:56
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Cc: Nick Digalakis <ntg_13@hotmail.com>
Subject: [SR-Users] Multiple TLS connections to the same IP:Port
Hello everyone,
I am trying to use a single Kamailio server to register to multiple MS Teams Direct Routing endpoints.
The config snippet I am using is this:
# walk the htable "teams-endpoints"; each key is one Teams trunk FQDN
sht_iterator_start("i1", "teams-endpoints");
while(sht_iterator_next("i1")) {
    $var(teams_endpoint) = $shtitkey(i1);
    # select SNI and the tls.cfg client profile named after this endpoint
    $xavp(tls=>server_name) = $var(teams_endpoint);
    $xavp(tls[0]=>server_id) = $var(teams_endpoint);
    $uac_req(method)="OPTIONS";
    $uac_req(ruri)="sip:sip.pstnhub.microsoft.com:5061;transport=tls";
    $uac_req(furi)="sip:" + $var(teams_endpoint);
    $uac_req(turi)="sip:sip.pstnhub.microsoft.com:5061;transport=tls";
    $uac_req(hdrs)="Contact: <sip:" + $var(teams_endpoint) + ":" + "5061" + ";transport=tls>\r\n";
    ### Create a unique Call-ID based on the Timestamp and the Message Body in MD5
    $var(unhashed_cid) = $TV(Sn) + $mb + "";
    $uac_req(callid)=$(var(unhashed_cid){s.md5});
    uac_req_send();
}
sht_iterator_end("i1");
When the HTable has only one endpoint, everything works fine.
When I add a second endpoint, the first one continues to work but the second one fails with the error from Microsoft:
Q.850;cause=63;text="85babcde-e0b5-4a85-8f4a-12345678c9ae;SBC certificate is not issued correctly. Provided trunk FQDN 'endpoint-02.domain.com' is not included in certificate's CN or SAN list. Certificate allows following FQDNs only: endpoint-01.domain.com."
After some digging around, I realized that all endpoints after the first fail because Kamailio is re-using the same TLS connection for all subsequent OPTIONS as well, but of course the connection has been established with the certificate of the first endpoint.
I have tested the certificates by switching around the first endpoint, so that shouldn't be a problem.
Is there any way I can force it to establish a new TCP/TLS connection for each subsequent request?
Any help would be much appreciated, I have been pulling my hair out with this one!
Best regards,
Nick
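Added illustration, not part of either message above: a Kamailio configuration for the carrier model Henning refers to, where every Teams trunk is a sub-domain of one base domain and a single client certificate whose SAN list covers all of those sub-domains is presented, so reusing one TLS connection to sip.pstnhub.microsoft.com no longer sends the wrong certificate. The file paths, the example-carrier.com domain names, the route and timer names and the htable contents are assumptions.

```cfg
# --- /etc/kamailio/tls.cfg (assumed path) ---
# One TLS client profile shared by all Teams trunks. The certificate's SAN
# list must name every trunk FQDN, e.g. trunk-a.sbc.example-carrier.com and
# trunk-b.sbc.example-carrier.com (or a *.sbc.example-carrier.com wildcard).
[server:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/tls/sbc.key
certificate = /etc/kamailio/tls/sbc-fullchain.pem

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
ca_list = /etc/kamailio/tls/ca-bundle.pem
private_key = /etc/kamailio/tls/sbc.key
certificate = /etc/kamailio/tls/sbc-fullchain.pem

# --- kamailio.cfg (only the parts relevant to the OPTIONS keepalives) ---
loadmodule "tls.so"
loadmodule "htable.so"
loadmodule "uac.so"
loadmodule "rtimer.so"

modparam("tls", "config", "/etc/kamailio/tls.cfg")
modparam("tls", "xavp_cfg", "tls")
# keys of this htable are the trunk FQDNs (sub-domains of the base domain)
modparam("htable", "htable", "teams-endpoints=>size=4;")
modparam("rtimer", "timer", "name=teams;interval=60;mode=1;")
modparam("rtimer", "exec", "timer=teams;route=TEAMS_OPTIONS")

# constructed sample trunks; in production these would come from a DB table
event_route[htable:mod-init] {
    $sht(teams-endpoints=>trunk-a.sbc.example-carrier.com) = 1;
    $sht(teams-endpoints=>trunk-b.sbc.example-carrier.com) = 1;
}

route[TEAMS_OPTIONS] {
    sht_iterator_start("i1", "teams-endpoints");
    while(sht_iterator_next("i1")) {
        $var(trunk) = $shtitkey(i1);
        # SNI carries the trunk FQDN; the client certificate is the same for
        # every trunk, so the already established TLS connection may be reused
        $xavp(tls=>server_name) = $var(trunk);
        $uac_req(method) = "OPTIONS";
        $uac_req(ruri) = "sip:sip.pstnhub.microsoft.com:5061;transport=tls";
        $uac_req(turi) = "sip:sip.pstnhub.microsoft.com:5061;transport=tls";
        $uac_req(furi) = "sip:" + $var(trunk);
        $uac_req(hdrs) = "Contact: <sip:" + $var(trunk) + ":5061;transport=tls>\r\n";
        # Call-ID unique per trunk and per send: hashed FQDN plus sec.nsec timestamp
        $uac_req(callid) = $(var(trunk){s.md5}) + "-" + $TV(Sn);
        uac_req_send();
    }
    sht_iterator_end("i1");
}
```

With one certificate for all trunks there is no per-trunk server_id profile to select, and Microsoft's check that the trunk FQDN appears in the CN or SAN list passes for every sub-domain regardless of which trunk first opened the connection.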