Configuring TLS for Secured SIP

The device uses TLS over TCP to encrypt and, optionally, authenticate SIP messages. This is referred to as SIP Secure (SIPS). SIPS uses the X.509 certificate exchange process. For configuring TLS (TLS Context), see Configuring TLS Certificates.

To use a TLS Context for SIPS, you need to assign it to a Proxy Set or SIP Interface (or both) that is associated with the IP Group for which you want to employ TLS. When the device establishes a TLS connection (handshake) with a SIP user agent (UA), the TLS Context is determined as follows:

Incoming calls:
a. Proxy Set: If the incoming call is successfully classified to an IP Group based on Proxy Set (i.e., IP address of calling party) and the Proxy Set is configured for TLS ('Transport Type' parameter is set to TLS), the TLS Context assigned to the Proxy Set is used. To configure Proxy Sets, see Configuring Proxy Sets.
b. SIP Interface: If the Proxy Set is either not configured for TLS (i.e., the 'Transport Type' parameter is set to UDP) or not assigned a TLS Context, and/or classification to a Proxy Set fails, the device uses the TLS Context assigned to the SIP Interface used for the call. To configure SIP Interfaces, see Configuring SIP Interfaces.
c. Default TLS Context (Index #0): If the SIP Interface is not assigned a TLS Context or no SIP Interface is used for the call, the device uses the default TLS Context.
Outgoing calls:
a. Proxy Set: If the outgoing call is sent to an IP Group associated with a Proxy Set that is assigned a TLS Context and the Proxy Set is configured for TLS (i.e., 'Transport Type' parameter is set to TLS), the TLS Context is used. If the 'Transport Type' parameter is set to UDP, the device uses UDP to communicate with the proxy and no TLS Context is used.
b. SIP Interface: If the Proxy Set is not assigned a TLS Context, the device uses the TLS Context assigned to the SIP Interface used for the call.
c. Default TLS Context (Index #0): If the SIP Interface is not assigned a TLS Context or no SIP Interface is used for the call, the device uses the default TLS Context.
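
The selection order above, modeled as an added example (not the device's own code and not part of the original page) that reports which call legs fall back to the default TLS Context or leave without TLS. The ProxySet and SipInterface classes, the audit helper and the sample legs are hypothetical; treating an outgoing call with no Proxy Set as falling through to the SIP Interface is an assumption.

```python
from dataclasses import dataclass
from typing import Optional
DEFAULT_TLS_CONTEXT = 0  # the default TLS Context (Index #0)

@dataclass
class ProxySet:  # hypothetical model of one Proxy Set row
    transport: str                     # 'Transport Type': "TLS" or "UDP"
    tls_context: Optional[int] = None  # assigned TLS Context index, if any

@dataclass
class SipInterface:  # hypothetical model of one SIP Interface row
    tls_context: Optional[int] = None

def _interface_or_default(sip_if):
    # Steps b and c: the SIP Interface's TLS Context, else Index #0.
    if sip_if is not None and sip_if.tls_context is not None:
        return sip_if.tls_context, "SIP Interface"
    return DEFAULT_TLS_CONTEXT, "Default"

def resolve_incoming(proxy_set, sip_if):
    # proxy_set is None when classification by Proxy Set failed.
    if (proxy_set is not None and proxy_set.transport == "TLS"
            and proxy_set.tls_context is not None):
        return proxy_set.tls_context, "Proxy Set"
    return _interface_or_default(sip_if)

def resolve_outgoing(proxy_set, sip_if):
    if proxy_set is not None:
        if proxy_set.transport == "UDP":
            return None, "UDP, no TLS Context"  # signaling is not encrypted
        if proxy_set.tls_context is not None:
            return proxy_set.tls_context, "Proxy Set"
    return _interface_or_default(sip_if)

def audit(legs):
    # Flag legs that fall back to Index #0 or leave without TLS.
    resolve = {"in": resolve_incoming, "out": resolve_outgoing}
    results = [(n, *resolve[d](ps, si)) for n, d, ps, si in legs]
    return [r for r in results if r[2] not in ("Proxy Set", "SIP Interface")]

# Constructed sample configuration (names and indices are made up).
SAMPLE_LEGS = [
    ("carrier-in", "in", ProxySet("TLS", 2), SipInterface(1)),
    ("unclassified-in", "in", None, SipInterface()),
    ("carrier-out", "out", ProxySet("TLS"), SipInterface(1)),
    ("legacy-out", "out", ProxySet("UDP", 2), SipInterface(1)),
]

if __name__ == "__main__":
    print(audit(SAMPLE_LEGS))
```
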
When a TLS connection with the device is initiated by a SIP client, the device also responds using TLS, regardless of whether or not TLS was configured.
The device regulates the number of new concurrent TLS connections that can be established per second. This protects the device from flooding (avalanches) of new TLS connections, which may be caused by TLS-based malicious attacks or distributed denial-of-service (DDoS) attacks.
To configure two-way (mutual) TLS authentication, see TLS for SIP Clients.
To configure SIPS:
1. Configure a TLS Context (see Configuring TLS Certificate Contexts).
2. Assign the TLS Context to a Proxy Set or SIP Interface (see Configuring Proxy Sets and Configuring SIP Interfaces, respectively).
3. Configure the SIP Interface with a TLS port number.
4. Configure various SIPS parameters in the Security Settings page (Setup menu > IP Network tab > Security folder > Security Settings). For a description of the below TLS parameters, see TLS Parameters.

5. By default, the device initiates a TLS connection only for the next network hop. To enable TLS all the way to the destination (over multiple hops), open the Transport Settings page (Setup menu > Signaling & Media tab > SIP Definitions folder > Transport Settings), and then configure the 'SIPS' [EnableSIPS] parameter to Enable: