How to Configure TLS with SIP Proxy

Similar documents
How to Configure TLS with SIP Proxy

Configuration of Microsoft Live Communications Server for Partitioned Intradomain Federation

Wavecrest Certificate SHA-512

How to Create a TINA VPN Tunnel between F- Series Firewalls

Using SSL to Secure Client/Server Connections

Genesys Security Deployment Guide. What You Need

Authentication, Encryption, Transport, IP Version and VPN Routing

Twilio Elastic SIP Trunk Provisioning

If you prefer to use your own SSH client, configure NG Admin with the path to the executable:

How to Set Up External CA VPN Certificates

How to Configure SSL Interception in the Firewall

Exinda How To Guide: SSL Acceleration. Exinda ExOS Version Exinda Networks, Inc.

Configure and enable syslog streaming for every Barracuda NextGen Firewall F-Series you want to include in the Splunk App.

Authentication, Encryption, Transport, and VPN Routing

Configuring Windows 7 VPN (Agile) Client for authentication to McAfee Firewall Enterprise v8. David LePage - Enterprise Solutions Architect, Firewalls

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N Rev 01 July, 2012

BROWSER-BASED SUPPORT CONSOLE USER S GUIDE. 31 January 2017

How to Configure SSL Interception in the Firewall

Install the ExtraHop session key forwarder on a Windows server

VMware Horizon View Deployment

Module 9. Configuring IPsec. Contents:

Step-by-step installation guide for monitoring untrusted servers using Operations Manager

MyPBX Security Configuration Guide

Configuring Cisco Unified MeetingPlace Web Conferencing Security Features

VMware Horizon JMP Server Installation and Setup Guide. Modified on 19 JUN 2018 VMware Horizon 7 7.5

Using SSL/TLS with Active Directory / LDAP

How to Set Up VPN Certificates

Using the Terminal Services Gateway Lesson 10

VMware Horizon JMP Server Installation and Setup Guide. 13 DEC 2018 VMware Horizon 7 7.7

Sophos UTM Web Application Firewall For: Microsoft Exchange Services

Copyright

Registration and Renewal procedure for Belfius Certificate

Enabling Secure Sockets Layer for a Microsoft SQL Server JDBC Connection

MyPBX Security Configuration Guide

Bitnami ProcessMaker Community Edition for Huawei Enterprise Cloud

Installing and Configuring vcenter Multi-Hypervisor Manager

Managing External Identity Sources

estos XMPP Proxy

INUVIKA TECHNICAL GUIDE

Registration and Renewal procedure for Belfius Certificate

Content and Purpose of This Guide... 1 User Management... 2

LAB 5 ANSWER KEY WORKING WITH FIREWALLS, ENCRYPTED FILE SYSTEMS (EFS) AND USER ACCOUNT CONTROL (UAC)

This PDF Document was generated for free by the Aloaha PDF Suite If you want to learn how to make your own PDF Documents visit:

BlackBerry UEM Configuration Guide

About the Citrix Usage Collector (versions 1.0 and 1.0.1)

VMware AirWatch Integration with SecureAuth PKI Guide

Cisco CTL Client Setup

Numerics. Index 1. SSH See SSH. connection inactivity time 2-3 console, for configuring authorized IP managers 11-5 DES 6-3, 7-3

Mobile-911 Server - Mandatory Upgrade. For Enterprise Edition Users. September 3 rd, 2014 ***** ACTION REQUIRED *****

Install the ExtraHop session key forwarder on a Windows server

Secure Web Appliance. SSL Intercept

Creating and Installing SSL Certificates (for Stealthwatch System v6.10)

Configuration Guide. BlackBerry UEM. Version 12.9

Install the ExtraHop session key forwarder on a Windows server

Mitel MiVoice Connect Security Certificates

Bitnami Dolibarr for Huawei Enterprise Cloud

VMware Horizon Client for Chrome Installation and Setup Guide. 15 JUNE 2018 VMware Horizon Client for Chrome 4.8

Install the ExtraHop session key forwarder on a Windows server

Cisco CTL Client setup

How to Configure Office 365 for Inbound and Outbound Mail

Self-Service Password Reset

Installation Guide. Mobile Print for Business version 1.0. July 2014 Issue 1.0

VMware AirWatch Integration with RSA PKI Guide

Rocket U2 Clients and APIs

Barracuda Networks NG Firewall 7.0.0

SIP Proxy Deployment Guide. SIP Server 8.1.1

Load Balancing FreePBX / Asterisk in AWS

ms-help://ms.technet.2004apr.1033/ad/tnoffline/prodtechnol/ad/windows2000/howto/mapcerts.htm

Upgrade Instructions. NetBrain Integrated Edition 7.1. Two-Server Deployment

VII. Corente Services SSL Client

IP Office Platform R11.0

Cisco Expressway Authenticating Accounts Using LDAP

Workspace ONE UEM Certificate Authority Integration with JCCH. VMware Workspace ONE UEM 1810

Ubiquity Server Manual

Aspera Connect Windows XP, 2003, Vista, 2008, 7. Document Version: 1

Configuration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2

Administrator's Guide

How to Configure a Remote Management Tunnel for an F-Series Firewall

How to configure the UTM Web Application Firewall for Microsoft Lync Web Services connectivity

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

DINOMI Call Center Module. Quick start guide v 1.1

SCCM Plug-in User Guide. Version 3.0

Algo Lync Interface for 8180 SIP Audio Alerter User Guide

How to Configure S/MIME for WorxMail

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

GTA SSO Auth. Single Sign-On Service. Tel: Fax Web:

VMware AirWatch Certificate Authentication for EAS with ADCS

Configuring OpenVPN on pfsense

Remote Desktop Services. Deployment Guide

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Integrating Asterisk FreePBX with Lync Server 2010

SECURE Gateway v4.7. TLS configuration guide

Secure ACS for Windows v3.2 With EAP TLS Machine Authentication

FreeSWITCH IP PBX with Secure Twilio Elastic SIP Trunking

Best Practices for Security Certificates w/ Connect

Integrate Aventail SSL VPN

Sentry Power Manager (SPM) Software Security

Advanced Web Scanner Service

IoT Gateway PTC Inc. All Rights Reserved.

Transcription:

This article provides steps to configure SIP with TLS encryption in an example scenario where the telephone is located in a different network from that of the PBX. The Barracuda NextGen Firewall F-Series performs NAT between both networks. The SIP Proxy in the Barracuda NextGen Firewall F-Series translates the network addresses in SIP messages to allow communication between the telephone and the PBX. The example scenario is illustrated in the following diagram: For more security, configure all peers to verify the validity of the certificates and provide their own custom certificates. You can configure the peers not to verify the certificates, but this is a less secure setup. If you are testing TLS, it is recommended that you test the scenario with the highest security, because it is less faulttolerant and more likely to produce problems in case of misconfiguration. Before You Begin You must install OpenSSL to create a self-signed CA and the certificates. OpenSSL is already installed in most Linux distributions. In Windows, you must install it separately. This article provides steps for creating a self-signed root CA. If you disable the use of an external CA in the SIP Proxy, an internal root CA is generated automatically. You can use this root CA to sign the certificates for the client and the PBX instead of creating another one. The root CA environment is located in /var/phion/preserve/sipsprx/server_service/opensips/rootca/. This article provides steps for use with PhonerLite and Asterisk, but you can use any softphone or PBX that supports TLS encryption. The configuration of Asterisk, except for the TLS settings, as well as the standard configuration of the SIP Proxy are out of the scope of this article. An already working setup with SIP over UDP or TCP is assumed. Step 1. Create a Firewall Rule to Redirect the SIP/TLS Port to the SIP Proxy Create an App Redirect firewall rule to redirect the SIP port to the SIP Proxy. If you have specified SIPcf as the Service, edit the SIPcf Service Object to add TCP port 5061. If you explicitly specified the ports in your redirect rule, add TCP port 5061 so that it is also redirected. 1 / 9

Step 2. Create Private Keys and Certificates Create the private keys and certificates for the softphone, SIP Proxy, and PBX. For more information on how to create self-signed X.509 certificates, see How to Create Certificates with XCA and How to Create Certificates for the SIP Proxy. Asterisk: The certificate installed on the SIP Proxy must contain the IP address of the SIP Proxy in the common name field. Otherwise, Asterisk will refuse to authenticate. Step 3. Configure the SIP Proxy to Support TLS To configure the TLS settings for the SIP Proxy: 1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Settings. 2. In the left menu, select VoIP/SIP. 3. Expand the Configuration Mode menu and click Switch to Advanced. 4. Click Lock. 5. In the SIP Proxy TLS Settings section, select the Enable TLS Support check box. 2 / 9

6. 7. 8. 9. 10. Next to Private Key, click Ex/Import, select Import from File, and then select the sipproxyprivate.pem file that you generated. Select the Use an External CA check box. Next to External Root CA Certificate, click Ex/Import and select Import from PEM File. Browse to the rootca folder and select the cacert.pem file. In SIP Proxy Certificate, import the sipproxy-cert.pem file in the tls folder. It is recommended that you change the Certificate Security Level to High. This setting provides protection from man-in-the-middle attacks by requiring the SIP Proxy to check the validity of the certificates from the client and the server. If the certificates are invalid, they are rejected. 11. 12. Click Send Changes and Activate. To verify that the certificate file was accepted, view the log file of the SIP Proxy (Server \ FirewallService \sipproxy). The file should look similar to the following: INFO:core:check_for_krb: KRB5 cipher KRB5-DES-CBC3-MD5 found INFO:core:init_tls_domains: Processing TLS domain [0.0.0.0:0] WARNING:core:init_ssl_ctx_behavior: client verification NOT activated. Weaker security. INFO:core:init_tls_domains: Processing TLS domain [0.0.0.0:0] WARNING:core:init_ssl_ctx_behavior: server verification NOT activated. Weaker security. NOTICE:core:main: version: opensips 1.8.2-tls (x86_64/linux) Step 4. Configure Asterisk to Support TLS The following instructions are for Linux. In Windows, change the forward slash (/) path separators to backslashes 3 / 9

(\). To configure TLS settings for the Asterisk server: 1. Connect to the Asterisk server through SSH. 2. Change to the /etc/asterisk directory and create a subdirectory named tls. 3. Copy the following files into the /etc/asterisk/tls directory: The cacert.pem file from your rootca folder. The asterisk-keycert.pem file from your tls folder. 4. Change the user and group of /etc/asterisk/tls and all of its contents to the same user Asterisk uses. Then change the permissions of both files to 0400. $ cd /etc/asterisk $ chown -R asterisk:asterisk tls/ $ chmod 0400 /etc/asterisk/tls/* 5. If you are using FreePBX, open the /etc/asterisk/sip_general_custom.conf file with a text editor such as vi. 6. If you are not using FreePBX, open the /etc/asterisk/sip.conf file with a text editor such as vi and search for the [general] section. 7. Add the following lines: tlsenable=yes tlsbindaddr=0.0.0.0 tlscertfile=/etc/asterisk/tls/asteriskkeycert.pem tlsdontverifyserver=no ;tlscipher=des-cbc3-sha tlsclientmethod=sslv23 tlscafile=/etc/asterisk/tls/cacert.pem If you do not want Asterisk to verify the validity of the certificates, set tlsdontverifyserver to yes. 8. Change the transport protocol of your SIP peers to TLS: 1. Open FreePBX and select Applications > Extensions. 2. Edit each of your extensions. If you only want to allow your SIP peers to use TLS (which is more secure but breaks the standard), set the transport parameter to TLS Only. If you want to allow (but not force) TLS, set it to All TLS Primary. 4 / 9

9. 10. Apply the changes in FreePBX to reload the configuration. To verify that the certificate was correctly configured: 1. Connect to the Asterisk CLI. $ asterisk -r 2. Reload the configuration. $ sip reload If the certificate was correctly configured, Asterisk displays the following message: SSL certificate ok. Step 5. Import the Root CA into the Client (Windows) You must import the root CA certificate that you have created in the previous configuration. Otherwise, the client will reject the certificate of the server. To import the root CA into the client: 1. In Windows, click the Start menu and type mmc in the search field. 2. When the mmc program appears, click it. 3. Go to File > Add/Remove Snap-in. 4. In the Add/Remove Snap-in window, click Certificates from the list of available snap-ins and then click Add. 5. In the Certificates Snap-in window, select Computer account, click Next, and then click Finish. 6. Click OK. 7. In the Console window, expand Certificates (Local Computer) in the left pane. 8. Right-click Trusted Root Certification Authorities and select All Tasks > Import. 9. In the Certificate Import Wizard, click Next, click Browse, and then select the cacert.pem file from the rootca folder. If you do not see the cacert.pem file, change the file filter to All Files (*.*). 5 / 9

10. Click Next and then click Finish. Step 6. Configure PhonerLite To configure PhonerLite: 1. 2. 3. Configure the SIP account you previously created in PhonerLite as usual. Click the Configuration tab. Click the Network tab and then specify the following settings: Local port: 5061 Preferred connection type: TLS 4. Click the Certificate tab and then specify the following settings: Client certificate Click the ellipsis button ( ). Then browse to and select the clientkeycert.pem file that you previously created. check certificate from the remote site If you want PhonerLite to verify the validity of the certificates, select this check box. Load Windows CA Select this check box. 6 / 9

5. Click Save. PhonerLite should now be able to register successfully. Troubleshooting The most common issue that you might encounter is the client not being able to register into the PBX. As a workaround, you can remove the requirement for certificate verification but this does not solve the issue because your certificates might be misconfigured. Instead, it is strongly recommended you check the log file of the SIP Proxy to find the cause. The log file is located in //sipproxy. The following table describes commonly encountered issues and their solutions. Issue and Symptom Cause Solution Client Does Not Register The client does not register. The log displays one of the following error messages: ERROR:core:tls_accept: some error in SSL (ret=0, err=5, errno=0/success): ERROR:core:tls_accept: New TLS connection from : failed to accept: rejected by client Client Fails to Register The client fails to register and then quickly tries again. The log displays the following message: ERROR:core:tls_accept: New TLS connection to <ip of the PBX>:5061 failed The client does not accept the certificate of the server. There can be several causes: The PBX is not correctly configured. The PBX is switched off or not running. TLS support is not configured in the PBX. A firewall is blocking the connection. The PBX is rejecting the certificate of the SIP Proxy. Ensure that you properly configured the certificates in the client and that you imported the root CA certificate. Try the following solutions: Ensure that you have properly configured the PBX and enabled TLS support in it. The root CA certificate must be imported into the PBX. Verify that the cacert.pem file is located in /etc/asterisk/tls, and that the file is readable by Asterisk. Verify that the PBX is up and running, and that you correctly configured TLS. To verify that TLS support is enabled, run netstat -an grep 5061 in the PBX and verify that port 5061 is open. If there is another firewall between the SIP Proxy and the PBX (for example, in the operating system of the PBX host), verify that the SIP ports are open. Ensure that the root CA certificate is imported into the PBX. Verify that the cacert.pem file is located in /etc/asterisk/tls, and that the file is readable by Asterisk. 7 / 9

Client Works Properly but Error Messages are Still Displayed The client can register and works properly, but the following error messages are displayed in the log: ERROR:core:tls_connect: SSL_ERROR_SYSCALL err=success(0) ERROR:core:tls_connect: New TLS connection to :5061 failed ERROR:core:tls_connect: TLS error: 5 (ret=0) err=success(0) ERROR:core:tcp_send: failed to send Asterisk Reports Client as UNREACHABLE Asterisk reports the client as UNREACHABLE, although it should be registered. The Asterisk log file (/var/log/asterisk/full) repeatedly displays the following message: ERROR[xxxxx] tcptls.c: Certificate common name did not match () When a softphone is closed, it sends a request to unregister. However, some softphones do not wait for a response and quit immediately. The error messages indicate that the SIP Proxy is unable to contact the client because it has quit. Asterisk requires the Common Name field of the certificate for the SIP Proxy to match the host name of the SIP Proxy. Asterisk takes the IP address of the SIP Proxy that is seen as the hostname, but you have entered something else into that field. For this reason, Asterisk closes the connection with the SIP Proxy, causing the TCP send errors. You do not need to worry about these error messages unless something stops working. As of version 11.2.1, there is no way to disable this check. You must create the certificate for the SIP Proxy again. When asked to enter the Common Name, enter the IP address of the SIP Proxy that is displayed in the error message of Asterisk. After the certificate is generated, import it into the configuration of the SIP Proxy as usual. 8 / 9

Figures 9 / 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback