Vodia PBX forum
chrispopp

How to enable TLS on 5.2


Sure. Actually it should be the default e.g. for snom phones (not sure about Polycom at that time). Make sure that the transport layer on the phone SIP registration is TLS. You might have to put the PBX certificate into the phone, so that it will trust the PBX.

It's not... that's the whole problem I'm trying to solve.

outbound proxy: sip:office.pbx.com:5060;transport=tcp

Problem is that my phones are usually off-site and I don't have direct access to them. Is there a way to force or push the certificate to them? Or have them push the protocol to TLS mode? Replacing the transport to TLS works fine, but I want to do it automatically. In version 4.x it was easy.

I used MAC-based provisioning over WAN, if it matters. In 4.5 I know I have an option to push TLS instead of TCP/UDP. Is there any other way to ensure that all phones are working over TLS?

In 5.2 you can control the outbound proxy based on the location where the phone is being provisioned. The classical use case for this is that a corporate office is using a local SIP-aware firewall that should act as proxy (so that the bandwidth can be properly allocated). More information on http://www.vodia.com/documentation/domain_settings and http://blog.vodia.com/2014/04/hosted-pbx-and-sip-alg.html

In 5.2 you can control the outbound proxy based on the location where the phone is being provisioned. The classical use case for this is that a corporate office is using a local SIP-aware firewall that should act as proxy (so that the bandwidth can be properly allocated). More information on http://www.vodia.com/documentation/domain_settings and http://blog.vodia.com/2014/04/hosted-pbx-and-sip-alg.html

 

I don't see how that would change anything over WAN. The PBX is sitting on a public IP, and we use Snom Active to provision these phones over WAN using the MAC address... There aren't any SIP-aware routers, that's for sure.

Sorry forgot to point out that you can use that trick to set the outbound proxy for all devices. Just use 0.0.0.0/0 as the net mask and it will apply to everything.

Sorry forgot to point out that you can use that trick to set the outbound proxy for all devices. Just use 0.0.0.0/0 as the net mask and it will apply to everything.

Set this where?

I think I might not have explained my issue correctly. The problem I'm currently facing is that all the phones automatically provision over WAN on TCP. I want to change this to work over TLS. I know that we can log in to every phone and modify the transport to TLS, but what I'm looking for is something similar to this feature in version 4.5. Changing the Transport Layer in the field changes all the provisioned phones directly to TLS.

image.png

It seems this is the variable that would like to be modified to TLS:

image.png

Yes, that is what I was talking about. The "outbound-proxy" will query the domain setting I was talking about in this thread. The snom_transport can also be used, but is kind of legacy (there is no web interface to edit that parameter AFAIK). Just put "0.0.0.0/0/your-pbx-adr:5060/tcp" (replace the address with the IP address or DNS address of your PBX) into the domain's "Outbound proxy pattern" and you are all done.

Simply erasing the snom_transport, the configuration pushes the correct parameters (TLS :443). Therefore somewhere snom_transport is hard-coded to TCP. Removing it works correctly, but I'm having a hard time deciding if this is the best course of action, in case this will change in future versions...

Yes, that is what I was talking about. The "outbound-proxy" will query the domain setting I was talking about in this thread. The snom_transport can also be used, but is kind of legacy (there is no web interface to edit that parameter AFAIK). Just put "0.0.0.0/0/your-pbx-adr:5060/tcp" (replace the address with the IP address or DNS address of your PBX) into the domain's "Outbound proxy pattern" and you are all done.

Can you please show me a screenshot or an idiot-proof step-by-step instruction for this?

I tried it and it still doesn't work... keeps the phone on TCP anyway.

I tried with

192.168.1.1/24/8.8.8.8:443/tls

where 8.8.8.8 is the hosted PBX IP, and 192.168.1.1 is the internal network

Edit: it worked with this: 0.0.0.0.0/0/8.8.8.8:443/tls

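Added example (not part of the thread and not Vodia code): a small Python audit of an "Outbound proxy pattern" entry, assuming the four-field network/prefix/proxy:port/transport layout shown in the posts and that the network field is matched against the address a phone provisions from. It flags entries that do not select TLS or that do not cover a given phone; the phone addresses are constructed.

```python
import ipaddress

def parse_pattern(entry):
    """Split 'network/prefix/proxy:port/transport' (layout assumed from the thread)."""
    net, prefix, proxy, transport = entry.strip().split("/")
    # strict=False accepts a host address such as 192.168.1.1/24 as its network.
    network = ipaddress.ip_network(f"{net}/{prefix}", strict=False)
    host, _, port = proxy.rpartition(":")
    if not host:
        raise ValueError(f"proxy '{proxy}' has no host:port")
    return network, host, int(port), transport.lower()

def audit_pattern(entry, phone_addrs):
    """Return (findings, coverage) for one pattern entry.

    coverage maps each provisioning source address to True/False depending on
    whether the entry's network contains it.
    """
    try:
        network, _host, _port, transport = parse_pattern(entry)
    except ValueError as exc:
        return [f"unparseable pattern: {exc}"], {}
    findings = []
    if transport != "tls":
        findings.append(f"transport '{transport}' is not tls")
    coverage = {a: ipaddress.ip_address(a) in network for a in phone_addrs}
    findings += [f"{a} is outside {network}" for a, hit in coverage.items() if not hit]
    return findings, coverage

# Constructed sample: one off-site phone (documentation range) and one LAN phone.
PHONES = ["203.0.113.25", "192.168.1.50"]

if __name__ == "__main__":
    for entry in ("0.0.0.0/0/your-pbx-adr:5060/tcp",
                  "192.168.1.1/24/8.8.8.8:443/tls",
                  "0.0.0.0/0/8.8.8.8:443/tls"):
        print(entry, "->", audit_pattern(entry, PHONES)[0] or "ok")
```

Running the same check against the addresses seen in the PBX provisioning log shows which phones would still be handed a non-TLS proxy.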