
IMPLEMENTING TLS WITH SANGOMA SBC

USING SIMPLE AUTHORITY CA TOOLS


(A STEP BY STEP USEFUL GUIDE FOR TESTING ENVIRONMENTS)

Draft version 0.2


March 2016

INTRODUCTION AND PURPOSE:


The purpose of this guide is to provide a quick, easy, step-by-step way to deploy TLS. You will learn
how to issue and install certificates for a scenario like this one:

We will show how to configure TLS on the SBC on the right side of the figure and enable TLS on the
phones (endpoints).
To do this we are using the free version of the SimpleAuthority CA management tool, which you can get from here:

http://simpleauthority.com/download.html

CONFIGURING YOUR CA & ISSUING CERTIFICATES


Before issuing any certificate, and ideally before creating the CA for the first time, define your
default options:

Select Default

Default Certificate type will be SSL

Complete the remaining data at your own convenience:

Make sure you enable All Options for File identities:

If you don't have a CA created yet, you can do so with the following steps:
Select New CA

If this is the first time you use SimpleAuthority, this will be your first CA. If you already have a CA
created, creating a new one means you will lose control over all certificates issued before (they will no
longer be managed or renewable from the new CA). So make sure you know what you are doing at this point.

Complete the information for your CA organization similar to this:

You will be asked to move the cursor randomly to gather entropy for the CA key:

A Password will be requested to secure CA access:

The CA has been generated and will be used from this point on to sign newly issued certificates.

In our typical SBC scenarios, TLS (SSL) is used to secure call setup between the SBC and the
endpoints (most likely with the SBC doing upper registration to an IP-PBX/softswitch behind it).

There is more than one way to establish a TLS session between the SBC and an endpoint. We will start from
the simplest case, where neither side validates the other's CA (Certification Authority). Keep in mind that
in this mode TLS gives you encryption but not authentication: any listener placed in the path can present
any certificate and the endpoint will accept it, so this setup belongs in testing environments only.
Let's then create a Server SSL certificate to be used in the SBC.
First, let's create a user in SimpleAuthority to associate certificates with this Session Border Controller:
Edit User Information:

Assign a name using the FQDN or IP of your SBC (in this case it will be sip21.sangomamiami.com). Use the
same name the endpoints will dial as their outbound proxy; that is the name a validating client checks
the certificate against.
Adjust the remaining parameters; in any case they will be inherited from the default option values you
created earlier.
It will look like this:

Now we will proceed to generate the Server Certificate to be used on the SBC:

The CA password needs to be provided:

The new certificate is generated and stored in the SimpleAuthority default folder:

Notice the certificate here in the GUI:

You will need to export the certificate with its key to a personal folder for further use with the SBC. Use
the Export identity option by right-clicking on the recently generated certificate:

Select the PEM (no password) format. Note that this file contains the SBC's private key in the clear, so
restrict access to it and delete the copy once it has been uploaded to the SBC:

Now we will export the CA certificate to be loaded in the SBC as a trusted CA, using the Tools menu:

Select PEM format

Select and save in your personal folder:

Now we need to load the CA and Server certificates into our SBC:


Select the Certificates option in the SBC Configuration Menu:

Let's add a CA:

It should look like this:

Let's now load the Server Certificate with Key:

Now it should look like this:

Let's now apply and restart so the new certificate configuration takes effect in the SBC. Select the Restart
button:

Now we need to associate the Server Certificate to be used when negotiating an SSL/TLS session on the
external SIP profile where TLS will be used with endpoints. Edit the SIP profile and make sure:
1) TLS is a valid transport protocol:

2) The recently loaded Server Certificate is selected:

Also make sure Date verification and Policy verification are disabled. With those two disabled, the SBC
will accept any certificate sent by the endpoint as valid, no matter who issued it or what its expiration
date is. This is acceptable only in a testing environment; in production, leave both enabled so that the
SBC rejects expired certificates and certificates not chaining to a CA you loaded.
Please notice we are using port 15061 for TLS listening on this SBC.
Make sure you apply and reload the changes:

Now we need endpoints properly configured to support TLS and to accept the SBC certificate even though
it is not issued by a trusted CA.
We will show examples for four different phone brands.

Sangoma IP Phone model S700:

Primary SIP Server must be the domain name used for upper registration in the SBC (the same domain
name you created in the SBC).
Outbound proxy must be the FQDN or IP and port pointing to the SBC TLS listening address.
Make sure the transport protocol selected is TLS.
Now select Management and Trusted CA in the S700 configuration GUI:

Make sure you have selected to trust any CA:


(Select All Certificates)

Reboot the phone after saving configuration.

SNOM 870:
SNOM phones usually don't have a way to allow any CA. They handle an unknown CA as an exception: when a
certificate issued by an unknown authority is received, the phone shows a message on the screen informing
you about it, and you can add the exception in the GUI.
Make sure TLS is properly configured like this:

Notice the outbound proxy parameter shows sip21.sangomamiami.com:15061;transport=tls and the
registrar points to the domain name.

If the exception message does not show up, reboot the phone; sometimes you might need to reboot the
SBC too.
Here is what you will see on the phone screen:

Go to the Certificates menu and see the exception:

Press Add exception and reboot the phone.

It will then be working correctly.

Yealink T28P
Make sure you have the extension properly configured for TLS, with the right values for SIP Server
Host (this will be your domain) and Outbound Proxy (this will be your SBC).

Now you need to make sure the phone will accept any certificate:
Go to the Security menu and select Trusted Certificates.

Make sure Only Accept Trusted Certificates is disabled, as well as Common Name Validation.
Set CA Certificates to All Certificates.
Confirm the setting.
It should be working!!

BRIA 4:
Here we'll show how to configure TLS with Bria 4:

First, let's configure the account:

Make sure Domain points to the domain defined in the SBC: freepbx.sangomamimi.com, and the
outbound proxy to the FQDN and port of the SBC: sip21.sangomamiami.com:15061:

Now let's configure the transport like this. Notice we are selecting the TLS transport and disabling
Certificate Validation:

This will be enough to make registration work on TLS.
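The following script is an added example, not part of this guide or of SimpleAuthority and not Sangoma code. It reproduces the CA section with the openssl command line (New CA, a server identity for sip21.sangomamiami.com, the PEM exports the SBC takes), then stands up two loopback TLS listeners, one with the lab identity and one with an identity for the same name issued by a second, constructed "Rogue CA", and connects to both the way a validating phone would and the way the "All Certificates" / "Disable Certificate Validation" settings above make the phones behave. Assumptions: openssl 1.1 or newer on PATH, loopback networking, free local ports 45061 and 45062 (standing in for the SBC's 15061), and the organisation name "Sangoma Lab" in the subjects.

```shell
#!/bin/sh
# Added example (not from the guide or SimpleAuthority): same test PKI with the
# openssl CLI, then a demonstration of what certificate validation catches.
# Assumptions (constructed for this demo): openssl 1.1+, loopback networking,
# free ports 45061/45062, and a "Rogue CA" acting as an impostor's CA.
set -eu

SBC_FQDN="sip21.sangomamiami.com"   # the SBC name used in the guide
WORK="${WORK:-$(mktemp -d)}"        # where the PEM files are written
LAB_PORT=45061                       # stands in for the SBC's TLS port 15061
ROGUE_PORT=45062                     # an impostor presenting a different CA's cert

# "New CA", "Edit User", "generate server certificate", "export identity (PEM,
# no password)" and "export CA certificate (PEM)", done with openssl:
#   $dir/ca.pem      CA certificate            -> SBC "Add CA"
#   $dir/server.pem  server cert + plain key   -> SBC "Server certificate with key"
make_test_pki() {   # $1 = CA common name, $2 = output directory
    dir="$2"; mkdir -p "$dir"
    # CA key and self-signed CA certificate, with explicit CA extensions so
    # that openssl verify treats it as a CA regardless of the local openssl.cnf.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Sangoma Lab/CN=$1" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca_ext.cnf"
    openssl x509 -req -sha256 -days 3650 -signkey "$dir/ca.key" -extfile "$dir/ca_ext.cnf" \
        -in "$dir/ca.csr" -out "$dir/ca.pem" 2>/dev/null
    # Server key and CSR for the SBC, signed by the CA. The SAN is what TLS
    # clients match against the name they dialed; the CN alone is not enough.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Sangoma Lab/CN=$SBC_FQDN" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$SBC_FQDN" > "$dir/server_ext.cnf"
    openssl x509 -req -sha256 -days 825 -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server_ext.cnf" -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
    # "PEM (no password)": certificate followed by the unencrypted private key.
    cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
    chmod 600 "$dir/server.key" "$dir/server.pem"   # key is in the clear; protect it
}

# Offline check: does this certificate chain to the CA loaded into the SBC?
chains_to_ca() {   # $1 = CA PEM, $2 = certificate PEM
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Loopback TLS listener using an exported identity, in the role the SBC plays
# on port 15061 for the phones. Prints the listener's PID.
start_tls_listener() {   # $1 = identity directory, $2 = port
    openssl s_server -accept "$2" -cert "$1/server.pem" -key "$1/server.pem" -www >/dev/null 2>&1 &
    echo $!
}
wait_for_listener() {   # $1 = port; succeeds once a handshake completes
    i=0
    while [ "$i" -lt 20 ]; do
        openssl s_client -connect "127.0.0.1:$1" </dev/null >/dev/null 2>&1 && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# A phone with the CA loaded and validation ON: the handshake is aborted unless
# the chain and the hostname check out (the behaviour the guide turns off).
strict_client() {   # $1 = CA PEM, $2 = port, $3 = expected server name
    openssl s_client -connect "127.0.0.1:$2" -CAfile "$1" -verify_hostname "$3" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# A phone set to "All Certificates": the handshake succeeds against anyone.
# Prints the verify result code that was ignored (0 would mean a good chain).
lenient_client_verify_code() {   # $1 = port
    openssl s_client -connect "127.0.0.1:$1" </dev/null 2>/dev/null \
        | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

make_test_pki "Sangoma Lab CA" "$WORK/lab"
make_test_pki "Rogue CA" "$WORK/rogue"          # constructed impostor, same SBC name
LAB_PID=$(start_tls_listener "$WORK/lab" "$LAB_PORT")
ROGUE_PID=$(start_tls_listener "$WORK/rogue" "$ROGUE_PORT")
trap 'kill $LAB_PID $ROGUE_PID 2>/dev/null' EXIT
wait_for_listener "$LAB_PORT"; wait_for_listener "$ROGUE_PORT"

echo "PEM files for the SBC are in $WORK/lab (ca.pem, server.pem)"
strict_client "$WORK/lab/ca.pem" "$LAB_PORT" "$SBC_FQDN" \
    && echo "validating phone -> real SBC: accepted"
strict_client "$WORK/lab/ca.pem" "$ROGUE_PORT" "$SBC_FQDN" \
    || echo "validating phone -> impostor: handshake rejected"
echo "non-validating phone -> impostor: connected, ignored verify code $(lenient_client_verify_code "$ROGUE_PORT")"
```

Load $WORK/lab/ca.pem and $WORK/lab/server.pem into the SBC exactly as the SimpleAuthority exports above. The last three lines are the point of the exercise: with the CA trusted and validation on, the impostor's certificate for the same name is rejected at the handshake; with the "All Certificates" style settings, the same connection completes and the only trace is a verify code that nobody reads. The hostname check is what the Yealink "Common Name Validation" switch controls; the chain check is what the S700 "All Certificates" and Bria "Certificate Validation" switches control.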

FINAL REMARKS:
Submit any questions, comments and suggestions to ecasas@sangoma.com

We hope this is a helpful piece of information for you.

We will be updating this document in the coming weeks to include additional steps to add trusted CAs,
or even to become your own trusted CA for your own TLS VoIP infrastructure.
