This guide shows how to configure TLS on the SBC on the right side of the figure and how to enable TLS on
the phones (endpoints).
To do this we are using the free version of the SimpleAuthority CA management tool, which you can get from here:
http://simpleauthority.com/download.html
Select Default
If you don't have a CA yet, you can create one with the following steps:
Select New CA
If this is the first time you use SimpleAuthority, this will be your first CA. If you already have a CA,
creating a new one means you lose control over all certificates issued by the previous one (the tool can
no longer renew or revoke them), so make sure you know what you are doing at this point.
The CA has now been generated and will be used from this point on to sign newly issued certificates.
In our typical SBC scenarios, TLS (SSL) is used to secure call setup between the SBC and the endpoints
(most likely with the SBC doing upper registration to an IP-PBX/softswitch behind it). TLS protects the SIP
signaling; the media (RTP) is not covered by it.
There is more than one way to establish a TLS session between the SBC and an endpoint. We will start
with the simplest case, in which neither side validates the CA (Certification Authority) that issued the
peer's certificate. Be aware of what this gives you: the signaling is encrypted, but because neither side
checks who issued the certificate, the peer is not authenticated, and anyone who can redirect the
traffic could present their own certificate and sit between the phone and the SBC. Treat it as a lab or
first-step configuration and enable CA validation before production use.
Let's then create a server SSL certificate to be used on the SBC.
First, let's create a user in SimpleAuthority to hold the certificates for this Session Border Controller:
Edit User Information:
Assign a name using the FQDN or IP of your SBC (in this case sip21.sangomamiami.com). Use the same
name the phones will be pointed at: when a phone has common name validation enabled, this is the name
it compares against the certificate.
Adjust the remaining parameters as needed; otherwise they are inherited from the default values you set
in the initial options.
It will look like this:
You will need to export the certificate together with its private key to a local folder for later use on the
SBC. Right-click the certificate you just generated and use the Export Identity option. The exported file
contains the SBC's private key, so keep it protected and delete it once it has been loaded on the SBC:
Now we export the CA certificate, to be loaded on the SBC as a trusted CA, using the Tools menu:
Let's now apply/restart so the new certificate configuration takes effect on the SBC. Select the Restart
button:
Now we need to associate the server certificate to be used when negotiating an SSL/TLS session on the
external SIP profile, the profile where TLS will be used with the endpoints. Edit the SIP profile and make sure:
1) TLS is an enabled transport protocol:
Also disable date verification and policy verification. With those two off, the SBC accepts any
certificate sent by the endpoint as valid, no matter who issued it or whether it has expired. This is what
makes the "no validation" case work; re-enable them once the endpoints carry certificates from a CA the
SBC trusts.
Please notice we are using port 15061 for TLS listening on this SBC.
Make sure you apply and reload the changes:
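As an added example that is not part of the original guide (which does these steps in the SimpleAuthority GUI), here is the same procedure with the openssl command line: create the lab CA, issue the SBC server certificate for sip21.sangomamiami.com, export the identity (certificate plus private key) as a PKCS#12 file for upload to the SBC, keep the CA certificate for upload as a trusted CA, and verify locally that the issued certificate chains to the CA and names the SBC. The FQDN and the TLS port 15061 are the ones used in this guide; the work directory, the CA name "Lab VoIP CA", the PKCS#12 password and the function names are assumptions made for the example. The last function is the check to run against the SBC once it has been reloaded with TLS on port 15061; the script does not execute it, because it needs network access to the SBC.

```shell
#!/bin/sh
# Added example: openssl equivalent of the SimpleAuthority steps in this guide.
set -eu

WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/sbc-lab-pki}"  # assumed location for the lab files
SBC_FQDN="${SBC_FQDN:-sip21.sangomamiami.com}"    # name given to the SBC "user" in the guide
SBC_TLS_PORT="${SBC_TLS_PORT:-15061}"             # TLS listening port used in the guide
P12_PASS="${P12_PASS:-changeit}"                  # assumed export password, not from the guide

# Equivalent of "New CA": a self-signed CA certificate and its private key.
# ca.crt is what you later upload to the SBC as a trusted CA.
make_ca() {
  mkdir -p "$WORKDIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Lab VoIP CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt"
}

# Issue the SBC server certificate, signed by the lab CA. The FQDN goes into the
# subjectAltName, which is what a client checks when common-name validation is on.
make_sbc_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$SBC_FQDN" \
    -keyout "$WORKDIR/sbc.key" -out "$WORKDIR/sbc.csr"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$SBC_FQDN" \
    > "$WORKDIR/sbc.ext"
  openssl x509 -req -days 825 -in "$WORKDIR/sbc.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/sbc.ext" -out "$WORKDIR/sbc.crt"
  # Equivalent of "Export Identity": certificate + private key (+ CA) in one PKCS#12 file.
  # This file holds the SBC's private key; protect it and remove it after upload.
  openssl pkcs12 -export -in "$WORKDIR/sbc.crt" -inkey "$WORKDIR/sbc.key" \
    -certfile "$WORKDIR/ca.crt" -name "$SBC_FQDN" \
    -passout "pass:$P12_PASS" -out "$WORKDIR/sbc.p12"
}

# Local check: does the issued certificate chain to the CA, and does it name the SBC?
# Returns 0 on success, 1 otherwise.
verify_sbc_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/sbc.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORKDIR/sbc.crt" -noout -text | grep -q "DNS:$SBC_FQDN" || return 1
}

# Live check (run manually after the SBC has been reloaded; needs network access to it):
# shows the certificate the SBC presents on its TLS listener and verifies it against the
# exported CA, including the hostname check the phones skip when "Common Name
# Validation" is disabled. "Verify return code: 0 (ok)" means the chain and name are good.
check_sbc_listener() {
  openssl s_client -connect "$SBC_FQDN:$SBC_TLS_PORT" -servername "$SBC_FQDN" \
    -CAfile "$WORKDIR/ca.crt" -verify_hostname "$SBC_FQDN" -verify_return_error \
    </dev/null 2>&1 | grep -E 'subject=|issuer=|Verify return code'
}

# Offline part of the procedure, run when the script is executed.
make_ca
make_sbc_cert
verify_sbc_cert
echo "Upload $WORKDIR/sbc.p12 as the SBC identity and $WORKDIR/ca.crt as a trusted CA."
```

Upload the PKCS#12 file as the SBC's server certificate and ca.crt as a trusted CA, restart, and then run `check_sbc_listener` from a machine that can reach the SBC on port 15061. When the phones are later switched from "accept any certificate" to validating the CA, the same ca.crt is what they need to trust.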
Now we need the endpoints configured to support TLS and to accept the SBC certificate even though it is
not issued by a trusted CA.
I will use examples with four different phone brands.
S700:
The primary SIP server must be the domain name used for upper registration on the SBC (the same
domain name you created on the SBC).
The outbound proxy must be the FQDN or IP and port of the SBC's TLS listening address.
Make sure the selected transport protocol is TLS.
Now select Management and Trusted CA in the S700 configuration GUI:
SNOM 870:
SNOM phones usually don't have a setting to accept any CA. Instead, they handle unknown CAs as
exceptions: when a certificate issued by an unknown authority is received, the phone shows a message
on its screen informing you about it, and you can add the exception in the GUI.
Make sure TLS is configured as follows:
If the exception message does not show up, reboot the phone; sometimes you may need to reboot the
SBC too.
Here is what you will see on the phone screen:
Yealink T28P
Make sure the extension is configured for TLS with the right values for SIP Server Host (this will be your
domain) and Outbound Proxy (this will be your SBC).
Now you need to make sure the phone will accept any certificate:
Go to the Security menu and select Trusted Certificates.
Make sure you have disabled Only Accept Trusted Certificates as well as Common Name Validation. With
Common Name Validation off, the phone no longer checks that the name in the certificate matches the
SBC it connected to.
Set CA Certificates to All Certificates.
Confirm the setting.
It should be working!
BRIA 4:
Here we'll show how to configure TLS with Bria 4:
Make sure Domain points to the domain defined on the SBC, freepbx.sangomamimi.com, and the
outbound proxy to the FQDN and port of the SBC, sip21.sangomamiami.com:15061:
Now let's configure the transport like this. Notice we are selecting TLS transport and disabling
Certificate Validation:
FINAL REMARKS:
Submit any questions, comments and suggestions to ecasas@sangoma.com
We will be updating this document in the coming weeks to include additional steps for adding trusted
CAs, or even for becoming your own trusted CA for your own TLS VoIP infrastructure.