OCS <TLS> pbxnsip

[Kaj.Noppen]

Hello everybody,

 

At the moment we have setup a nice testing environment with OCS R2, integrated with Exchange UM. Everything was working fine with TCP transport. However we want to step up the security a notch and are trying to get TLS transport working. However, I seem to have gotten the settings correct for TLS, but calling to OCS does not work. Calling from OCS is working fine. Calling to OCS (from PSTN for example) however is not. As far as I can see the TLS handshake fails, which is odd, because it does work the other way.

 

What I am wondering, is there anyone else who has been able to set up pbxnsip to OCS with TLS?

 

If that's the case, we'll be trying to get some real certs instead of the one's from our own enterprise-CA.

 

Thanks!

 

Kaj

[Vodia PBX]

If that's the case, we'll be trying to get some real certs instead of the one's from our own enterprise-CA.

 

This should be a certificate problem. IF you get one, make sure that you use a 1024-bit certificate. I remember there was an issue using more than 1024 bits.

[Kaj.Noppen]

This should be a certificate problem. IF you get one, make sure that you use a 1024-bit certificate. I remember there was an issue using more than 1024 bits.

 

I did do that. It looks like the pbxnsip does not accept the certificate presented by the Mediation server. So it is possible? Have you had any experience doing this?

[Jan Boguslawski]

Hello Kaj, Hello pbxnsip,

 

I guess we can find the solution for this challenge in this AudioCodes Document about:

 

Configuring AudioCodes Gateways to Operate in TLS Transport Mode with Microsoft™ Mediation Server

 

In step II it tells about the Mediations Server Preparation, and a hotfix for this TLS Setup. (it is not MTLS like normal between all OCS Roles)

 

My verdict is, in your case:

 

1. OCS is doing an outbound call and presenting its certificate. Pbxnsip is simply accepting it. Does it make an crl (Certificate Revocation List) check to the rootCA? I guess not.

 

2. But OCS is not accepting the certificate presented by pbxnsip. Maybe the hotfix will ease this.

 

Please give the AudioCodes document a try. btw: I am sure you dont need to buy a commercial certificate! If it does not work with the windows CA, it will never work with a payed one! Lets save the money

 

Best regards,

Jan

[Kaj.Noppen]

Hello Kaj, Hello pbxnsip,

 

I guess we can find the solution for this challenge in this AudioCodes Document about:

 

Configuring AudioCodes Gateways to Operate in TLS Transport Mode with Microsoft™ Mediation Server

 

In step II it tells about the Mediations Server Preparation, and a hotfix for this TLS Setup. (it is not MTLS like normal between all OCS Roles)

 

This is for OCS - non R2 We're working with R2.

 

 

My verdict is, in your case:

 

1. OCS is doing an outbound call and presenting its certificate. Pbxnsip is simply accepting it. Does it make an crl (Certificate Revocation List) check to the rootCA? I guess not.

 

2. But OCS is not accepting the certificate presented by pbxnsip. Maybe the hotfix will ease this.

 

Please give the AudioCodes document a try. btw: I am sure you dont need to buy a commercial certificate! If it does not work with the windows CA, it will never work with a payed one! Lets save the money

 

Best regards,

Jan

 

1. I guess this is a question towards pbxnsip, I have no clue. Sounds plausible. But isn't crl the base of secure communications?

 

2. I could give it a try, but it doesn't state the R2. I would image that MS has included the hotfix in R2.

 

Anyways, I'll try to do some more magic with the certificates. Perhaps I'm missing a step somewhere. I'll try to get a nice wireshark trace as well.

 

Thanks for the help!

 

Kaj

 

Edit: Is it possible to somehow alter the port to which pbxnsip sends the TLS traffic to? It looks like it is sending it to port 5061, but this is the wrong port, since OCS wants internal TLS traffic on 5061, external (whatever type of transport) on port 5060. The audiocodes manual Jan referred to also states that they change the TLS port to 5060.

 

Also: The cert has to be valid, since when I go to https://url-of-pbxnsip/ on the mediation server it says the cert is valid.

[pbx support]

This is for OCS - non R2 We're working with R2.

 

 

 

 

1. I guess this is a question towards pbxnsip, I have no clue. Sounds plausible. But isn't crl the base of secure communications?

 

2. I could give it a try, but it doesn't state the R2. I would image that MS has included the hotfix in R2.

 

Anyways, I'll try to do some more magic with the certificates. Perhaps I'm missing a step somewhere. I'll try to get a nice wireshark trace as well.

 

Thanks for the help!

 

Kaj

 

Edit: Is it possible to somehow alter the port to which pbxnsip sends the TLS traffic to? It looks like it is sending it to port 5061, but this is the wrong port, since OCS wants internal TLS traffic on 5061, external (whatever type of transport) on port 5060. The audiocodes manual Jan referred to also states that they change the TLS port to 5060.

 

Also: The cert has to be valid, since when I go to https://url-of-pbxnsip/ on the mediation server it says the cert is valid.

 

TLS port setting is in Admin->Settings->Ports page

[Kaj.Noppen]

TLS port setting is in Admin->Settings->Ports page

 

At the moment I have tried editing the settings, renewing the certs and creating the config on a windows and linux machine. However I am still unable to get it to work. I'm trying to get in touch with an SSL / windows cert expert, but no luck so far