Thank you Henning! 

Actually the endpoints might not be in the same sub-domains, my example might have been misleading in that sense, but thanks for the tip! 

If you have any other ideas or a different approach I could try, I'd be grateful. 

On Aug 5, 2024 12:50, Henning Westerholt <hw@gilawa.com> wrote:

Hello,

not to comment on the specific error, but the correct way to support multiple MS Teams endpoints is to use the carrier model of the MS Teams SBC architecture with sub-domains.

Cheers,

Henning

--

Henning Westerholt – https://skalatan.de/blog/

Kamailio services – https://gilawa.com

From: Nick Digalakis via sr-users <sr-users@lists.kamailio.org>
Sent: Sunday, 4 August 2024 09:56
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Cc: Nick Digalakis <ntg_13@hotmail.com>
Subject: [SR-Users] Multiple TLS connections to the same IP:Port

Hello everyone,

I am trying to use a single Kamailio server to register to multiple MS Teams Direct Routing endpoints.

The config snippet I am using is this:

# Walk the htable "teams-endpoints"; each key is the trunk FQDN of one
# MS Teams Direct Routing endpoint
sht_iterator_start("i1", "teams-endpoints");
while(sht_iterator_next("i1")) {
    $var(teams_endpoint) = $shtitkey(i1);

    # Per-endpoint TLS client settings through the tls module xavp
    # (server_name for SNI, server_id to pick the matching client profile)
    $xavp(tls=>server_name) = $var(teams_endpoint);
    $xavp(tls[0]=>server_id) = $var(teams_endpoint);

    # OPTIONS ping towards the Teams SIP proxy, identifying this endpoint
    # in the From URI and the Contact header
    $uac_req(method)="OPTIONS";
    $uac_req(ruri)="sip:sip.pstnhub.microsoft.com:5061;transport=tls";
    $uac_req(furi)="sip:" + $var(teams_endpoint);
    $uac_req(turi)="sip:sip.pstnhub.microsoft.com:5061;transport=tls";
    $uac_req(hdrs)="Contact: <sip:" + $var(teams_endpoint) + ":" + "5061" + ";transport=tls>\r\n";

    ### Create a unique Call-ID based on the Timestamp and the Message Body in MD5
    $var(unhashed_cid) = $TV(Sn) + $mb + "";
    $uac_req(callid)=$(var(unhashed_cid){s.md5});

    uac_req_send();
}
sht_iterator_end("i1");


When the HTable has only one endpoint, everything works fine.

When I add a second endpoint, the first one continues to work but the second one fails with the error from Microsoft:

Q.850;cause=63;text="85babcde-e0b5-4a85-8f4a-12345678c9ae;SBC certificate is not issued correctly. Provided trunk FQDN 'endpoint-02.domain.com' is not included in certificate's CN or SAN list. Certificate allows following FQDNs only: endpoint-01.domain.com.

After some digging around, I realized that all endpoints after the first fail because Kamailio is re-using the same TLS connection for all subsequent OPTIONS as well, but of course the connection has been established with the certificate of the first endpoint.

I have tested the certificates by switching around the first endpoint, so that shouldn't be a problem.

Is there any way I can force it to establish a new TCP/TLS connection for each subsequent request?

Any help would be much appreciated, I have been pulling my hair out with this one!

Best regards,

Nick
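The following is an added illustration, not part of the thread and not Kamailio code: a small Python model of the failure Nick describes. An outbound connection cache keyed only on the remote IP:port hands every later endpoint the connection (and therefore the client certificate) that the first endpoint negotiated, so the far side sees a certificate whose CN/SAN does not cover the trunk FQDN. Keying the cache on the requested identity as well gives each endpoint its own handshake, and Henning's carrier model (one certificate whose SAN covers all sub-domains) makes reuse harmless even with the original key. The endpoint names, the proxy address and the certificate contents are constructed sample data; the model does not reproduce how Kamailio's TCP layer actually matches connections, only the keying idea.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ClientCert:
    """Stand-in for an X.509 client certificate: CN plus SAN list (constructed)."""
    cn: str
    sans: tuple

    def covers(self, fqdn: str) -> bool:
        # Same check as in the Microsoft error text: the trunk FQDN must equal
        # the CN or one SAN entry; a "*.x" entry matches one left-most label.
        for name in (self.cn, *self.sans):
            if name == fqdn:
                return True
            if (name.startswith("*.") and fqdn.endswith(name[1:])
                    and fqdn.count(".") == name.count(".")):
                return True
        return False


@dataclass
class TlsConnection:
    remote: tuple
    sni: str
    client_cert: ClientCert   # fixed at handshake time for the connection's life
    requests_sent: int = 0


@dataclass
class ConnectionPool:
    """Outbound connection cache.  key_mode 'ip_port' reuses any connection to
    the same remote address (the behaviour seen in the thread);
    'ip_port_identity' also includes the SNI and the client profile asked for."""
    key_mode: str
    conns: dict = field(default_factory=dict)
    handshakes: int = 0

    def _key(self, remote, sni, cert):
        if self.key_mode == "ip_port":
            return remote
        return (remote, sni, cert.cn)

    def get(self, remote, sni, cert) -> TlsConnection:
        key = self._key(remote, sni, cert)
        conn = self.conns.get(key)
        if conn is None:
            # New TCP + TLS handshake: whatever certificate is chosen now
            # stays bound to this connection.
            self.handshakes += 1
            conn = TlsConnection(remote, sni, cert)
            self.conns[key] = conn
        return conn


TEAMS_PROXY = ("192.0.2.10", 5061)        # constructed placeholder address
TEAMS_SNI = "sip.pstnhub.microsoft.com"


def send_options(pool: ConnectionPool, trunk_fqdn: str, cert: ClientCert) -> str:
    """Send one OPTIONS ping on behalf of trunk_fqdn and return the verdict the
    far side would give for the certificate actually on the wire."""
    conn = pool.get(TEAMS_PROXY, TEAMS_SNI, cert)
    conn.requests_sent += 1
    if conn.client_cert.covers(trunk_fqdn):
        return "200 OK"
    return (f"403 SBC certificate is not issued correctly: '{trunk_fqdn}' "
            f"not in CN/SAN of {conn.client_cert.cn}")


def run_pings(key_mode: str, certs_by_endpoint: dict) -> tuple:
    """Ping every endpoint once; return (verdict per endpoint, handshakes done)."""
    pool = ConnectionPool(key_mode)
    results = {fqdn: send_options(pool, fqdn, cert)
               for fqdn, cert in certs_by_endpoint.items()}
    return results, pool.handshakes


# One certificate per endpoint, as in the thread (constructed)
PER_ENDPOINT = {
    "endpoint-01.domain.com": ClientCert("endpoint-01.domain.com", ("endpoint-01.domain.com",)),
    "endpoint-02.domain.com": ClientCert("endpoint-02.domain.com", ("endpoint-02.domain.com",)),
}

# Carrier model: a single certificate whose SAN covers every sub-domain (constructed)
CARRIER = ClientCert("sbc.domain.com", ("sbc.domain.com", "*.domain.com"))
CARRIER_MODEL = {fqdn: CARRIER for fqdn in PER_ENDPOINT}

if __name__ == "__main__":
    for mode, certs in (("ip_port", PER_ENDPOINT),
                        ("ip_port_identity", PER_ENDPOINT),
                        ("ip_port", CARRIER_MODEL)):
        verdicts, n = run_pings(mode, certs)
        print(f"{mode:17s} handshakes={n} {verdicts}")
```

With per-endpoint certificates and the IP:port key, the second endpoint rides on the first handshake and gets the 403-style rejection; with the identity in the key, each endpoint does its own handshake and both succeed; with the carrier certificate, a single reused connection satisfies both trunk FQDNs, which is why the sub-domain approach avoids the problem without touching connection handling.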