Kaj.Noppen Posted April 20, 2009

Hello everybody,

At the moment we have set up a nice testing environment with OCS R2, integrated with Exchange UM. Everything was working fine with TCP transport. However, we want to step up the security a notch and are trying to get TLS transport working.

I seem to have gotten the settings correct for TLS, but calling to OCS does not work. Calling from OCS is working fine. Calling to OCS (from PSTN for example) however is not. As far as I can see the TLS handshake fails, which is odd, because it does work the other way.

What I am wondering is, has anyone else been able to set up pbxnsip to OCS with TLS? If that's the case, we'll be trying to get some real certs instead of the ones from our own enterprise CA.

Thanks!
Kaj
Vodia PBX Posted April 20, 2009

> If that's the case, we'll be trying to get some real certs instead of the ones from our own enterprise CA.

This should be a certificate problem. If you get one, make sure that you use a 1024-bit certificate. I remember there was an issue using more than 1024 bits.
Kaj.Noppen Posted April 20, 2009

> This should be a certificate problem. If you get one, make sure that you use a 1024-bit certificate. I remember there was an issue using more than 1024 bits.

I did do that. It looks like pbxnsip does not accept the certificate presented by the Mediation Server. So is it possible? Have you had any experience doing this?
Jan Boguslawski Posted April 20, 2009

Hello Kaj, hello pbxnsip,

I guess we can find the solution for this challenge in this AudioCodes document: Configuring AudioCodes Gateways to Operate in TLS Transport Mode with Microsoft™ Mediation Server. In step II it tells about the Mediation Server preparation, and a hotfix for this TLS setup (it is not MTLS like normal between all OCS roles).

My verdict in your case:
1. OCS is doing an outbound call and presenting its certificate. pbxnsip is simply accepting it. Does it make a CRL (Certificate Revocation List) check to the root CA? I guess not.
2. But OCS is not accepting the certificate presented by pbxnsip. Maybe the hotfix will ease this.

Please give the AudioCodes document a try.

BTW: I am sure you don't need to buy a commercial certificate! If it does not work with the Windows CA, it will never work with a paid one! Let's save the money.

Best regards,
Jan
Kaj.Noppen Posted April 21, 2009

> Hello Kaj, hello pbxnsip,
>
> I guess we can find the solution for this challenge in this AudioCodes document: Configuring AudioCodes Gateways to Operate in TLS Transport Mode with Microsoft™ Mediation Server. In step II it tells about the Mediation Server preparation, and a hotfix for this TLS setup (it is not MTLS like normal between all OCS roles).

This is for OCS, non-R2. We're working with R2.

> My verdict in your case:
> 1. OCS is doing an outbound call and presenting its certificate. pbxnsip is simply accepting it. Does it make a CRL (Certificate Revocation List) check to the root CA? I guess not.
> 2. But OCS is not accepting the certificate presented by pbxnsip. Maybe the hotfix will ease this.
>
> Please give the AudioCodes document a try.
>
> BTW: I am sure you don't need to buy a commercial certificate! If it does not work with the Windows CA, it will never work with a paid one! Let's save the money.
>
> Best regards,
> Jan

1. I guess this is a question towards pbxnsip, I have no clue. Sounds plausible. But isn't CRL the base of secure communications?
2. I could give it a try, but it doesn't state R2. I would imagine that MS has included the hotfix in R2.

Anyway, I'll try to do some more magic with the certificates. Perhaps I'm missing a step somewhere. I'll try to get a nice Wireshark trace as well.

Thanks for the help!
Kaj

Edit: Is it possible to somehow alter the port to which pbxnsip sends the TLS traffic? It looks like it is sending it to port 5061, but this is the wrong port, since OCS wants internal TLS traffic on 5061, external (whatever type of transport) on port 5060. The AudioCodes manual Jan referred to also states that they change the TLS port to 5060.

Also: The cert has to be valid, since when I go to https://url-of-pbxnsip/ on the Mediation Server it says the cert is valid.
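The two posts above split the problem into directions (OCS presenting its certificate to the PBX works, the PBX presenting its certificate to OCS does not) and raise the port question (5061 vs 5060) and a browser check of https://url-of-pbxnsip/. A browser check exercises the web listener, not the SIP TLS listener, so what the SIP port actually presents and whether the handshake completes there is still unknown. The probe below is an added example for this thread, not code from the forum, from pbxnsip or from Microsoft: it does what a SIP trunk does on an INVITE (a TLS handshake on the signalling port, optionally offering a client certificate) and then sends a SIP OPTIONS over the established session so you can see whether the far side answers. Run it from the PBX host toward the Mediation Server with the PBX certificate as client cert, and from the Mediation Server host toward the PBX, on whichever port each side listens on. Host names, ports and certificate paths are placeholders to replace; the SIP OPTIONS builder and status parser are minimal, hand-written, and not taken from any product.

```python
"""Probe a SIP-over-TLS listener: handshake, report the peer certificate, send OPTIONS.

Added example for diagnosing a SIP trunk TLS failure; not part of the original
thread or of any product. Requires Python 3.7+ (ssl.SSLCertVerificationError).
"""
import json
import socket
import ssl
import sys
import uuid

SIP_VERSION = "SIP/2.0"


def build_options(target_host, target_port, local_host, local_port=5061):
    """Build a minimal SIP OPTIONS request carrying the RFC 3261 mandatory headers."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]          # magic cookie + unique branch id
    call_id = uuid.uuid4().hex + "@" + local_host
    return (
        f"OPTIONS sip:{target_host}:{target_port};transport=tls {SIP_VERSION}\r\n"
        f"Via: {SIP_VERSION}/TLS {local_host}:{local_port};branch={branch}\r\n"
        "Max-Forwards: 70\r\n"
        f"From: <sip:probe@{local_host}>;tag={uuid.uuid4().hex[:8]}\r\n"
        f"To: <sip:{target_host}>\r\n"
        f"Call-ID: {call_id}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        f"Contact: <sip:probe@{local_host}:{local_port};transport=tls>\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def parse_status_line(response):
    """Return (status_code, reason) from the first line of a SIP response, or None."""
    first = response.split(b"\r\n", 1)[0].decode("utf-8", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or parts[0] != SIP_VERSION or not parts[1].isdigit():
        return None
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def make_context(ca_file, cert_file=None, key_file=None):
    """Client context that verifies the peer against ca_file and optionally offers a client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and hostname check by default
    ctx.load_verify_locations(ca_file)              # the enterprise root CA (or a commercial one)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)    # what the far side will verify in the other direction
    return ctx


def probe(target_host, target_port, ca_file, cert_file=None, key_file=None,
          local_host="probe.example.net", timeout=5.0):
    """Handshake with the SIP TLS listener, then send OPTIONS; return a report dict."""
    report = {"handshake": False, "error": None, "tls_version": None,
              "peer_subject": None, "peer_san": None, "sip_status": None}
    ctx = make_context(ca_file, cert_file, key_file)   # bad paths raise here, on purpose
    try:
        with socket.create_connection((target_host, target_port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
                report["handshake"] = True
                report["tls_version"] = tls.version()
                peer = tls.getpeercert()
                # subject is a tuple of RDNs, each a tuple of (name, value) pairs
                report["peer_subject"] = dict(rdn[0] for rdn in peer.get("subject", ()))
                report["peer_san"] = [v for t, v in peer.get("subjectAltName", ()) if t == "DNS"]
                tls.sendall(build_options(target_host, target_port, local_host).encode())
                report["sip_status"] = parse_status_line(tls.recv(4096))
    except ssl.SSLCertVerificationError as exc:      # chain/hostname problem on OUR side
        report["error"] = "certificate verification failed: " + exc.verify_message
    except ssl.SSLError as exc:                       # alert from the far side, e.g. it rejected our cert
        report["error"] = "TLS handshake failed: " + str(exc)
    except OSError as exc:                            # refused, timeout, wrong port
        report["error"] = "connection failed: " + str(exc)
    return report


if __name__ == "__main__":
    # usage: probe.py <host> <port> <ca.pem> [client-cert.pem] [client-key.pem]
    host, port, ca = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    cert = sys.argv[4] if len(sys.argv) > 4 else None
    key = sys.argv[5] if len(sys.argv) > 5 else None
    print(json.dumps(probe(host, port, ca, cert, key), indent=2))
```

Reading the report: "certificate verification failed" means the probing side could not build a chain to the given CA for what the listener presented (wrong CA file, wrong name, expired cert), while "TLS handshake failed" with an alert usually means the far side closed the session, which is what you would expect when it demands or rejects a client certificate. Pointing the probe at 5060 and 5061 in turn also answers the port question directly, because a plaintext listener on the TLS port shows up as a handshake error rather than a refused connection.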
pbx support Posted April 21, 2009

> Edit: Is it possible to somehow alter the port to which pbxnsip sends the TLS traffic? It looks like it is sending it to port 5061, but this is the wrong port, since OCS wants internal TLS traffic on 5061, external (whatever type of transport) on port 5060. The AudioCodes manual Jan referred to also states that they change the TLS port to 5060.

TLS port setting is in Admin->Settings->Ports page.
Kaj.Noppen Posted April 27, 2009

> TLS port setting is in Admin->Settings->Ports page.

At the moment I have tried editing the settings, renewing the certs and creating the config on a Windows and a Linux machine. However, I am still unable to get it to work. I'm trying to get in touch with an SSL / Windows cert expert, but no luck so far.