How to enable TLS on 5.2

[chrispopp]

How do I enable TLS and secure RTP on 5.2?

[Vodia PBX]

Sure. Actually it should be the default e.g. for snom phones (not sure about Polycom at that time). Make sure that the transport layer on the phone SIP registration is TLS. You might have to put the PBX certificate into the phone, so that it will trust the PBX.

[chrispopp]

It's not... that's the whole problem i'm trying to solve.

 

outbound proxy: sip:office.pbx.com:5060;transport=tcp

 

Problem is that my phones are usually off-site and don't have direct access to them. Is there a way to force or push the certificate to them? or have them push the protocol to TLS mode? Replacing the transport to TLS works fine, but I want to do it automatically. In version 4.x it was easy.

[Vodia PBX]

Well what phones are you using? Did you change the templates?

[chrispopp]

Well what phones are you using? Did you change the templates?

We're testing with 300 series and 700 series.

[Vodia PBX]

Well that should really, really work unless you have a firewall that blocks TLS.

[chrispopp]

I used mac based provisioning over WAN. If it matters. In 4.5 i know i have an option to push TLS instead of TCP/UDP. Is there any other way to ensure that all phones are working ove TLS?

[Vodia PBX]

In 5.2 you can control the outbound proxy based on the location where the phone is being provisioned. The classical use case for this is that a corporate office is using a local SIP-aware firewall that should act as proxy (so that the bandwidth can be properly allocated). More information on http://www.vodia.com/documentation/domain_settings and http://blog.vodia.com/2014/04/hosted-pbx-and-sip-alg.html

[chrispopp]

In 5.2 you can control the outbound proxy based on the location where the phone is being provisioned. The classical use case for this is that a corporate office is using a local SIP-aware firewall that should act as proxy (so that the bandwidth can be properly allocated). More information on http://www.vodia.com/documentation/domain_settings and http://blog.vodia.com/2014/04/hosted-pbx-and-sip-alg.html

 

I don't see how that would change anything over WAN. The PBX is sitting on a public IP, and we use Snom Active to provision these phones ove WAN using the Mac address... There aren't any sip aware routers, that's for sure.

[Vodia PBX]

Sorry forgot to point out that you can use that trick to set the outbound proxy for all devices. Just use 0.0.0.0/0 as the net mask and it will apply to everything.

[chrispopp]

Sorry forgot to point out that you can use that trick to set the outbound proxy for all devices. Just use 0.0.0.0/0 as the net mask and it will apply to everything.

Set this where?

[Vodia PBX]

In the outbound proxy for the domain (see above for the links).

[chrispopp]

I think i might have not explained my issue correctly. The problem I'm currently facing is that all the phones automatically provision over WAN on TCP. I want to change this to work over TLS. I know that we can log-in into every phone and modify the transport to TLS, but what I'm looking is for something similar to this feature in version 4.5. Changing the Transport Layer in the field, changes all the provisioned phones directly to TLS.

 

 

It seems this is the variable that would like to be modified to TLS:

 

[Vodia PBX]

Yes, that is what I was talking about. The "outbound-proxy" will query the domain setting I was talking about in this thread. The snom_transport can also be used, but is kind of legacy (there is no web interface to edit that parameter AFAIK). Just put "0.0.0.0/0/your-pbx-adr:5060/tcp" (replace the address with the IP address or DNS address of your PBX) into the domain's "Outbound proxy pattern" and you are all done.

[chrispopp]

Simply erasing the snom_transport, the configuration pushes the correct parameters (TLS :443). Therefore somewhere snom_transport is hard-coded to TCP. Removing it, works correctly, but I'm having a hard time deciding if this is the best course of action, in case in future versions, this will change...

[chrispopp]

Yes, that is what I was talking about. The "outbound-proxy" will query the domain setting I was talking about in this thread. The snom_transport can also be used, but is kind of legacy (there is no web interface to edit that parameter AFAIK). Just put "0.0.0.0/0/your-pbx-adr:5060/tcp" (replace the address with the IP address or DNS address of your PBX) into the domain's "Outbound proxy pattern" and you are all done.

Can you please show me a screenshot or a idiot-proof step by step instruction for this?

[Vodia PBX]

Ok here is a screen capture.

 

[chrispopp]

I tried it and still doesn't work... keeps the phone on TCP anyway.

 

I tried with

 

192.168.1.1/24/8.8.8.8:443/tls

 

where 8.8.8.8 is the hosted PBX ip, and 192.168.1.1 is the internal network

 

Edit: it worked with this: 0.0.0.0.0/0/8.8.8.8:443/tls

[Vodia PBX]

Really port 443 or did you want to use 5061?