How to Configure Secure SIP – TLS
Ozeki Phone System XE supports TLS to secure SIP communication. This guide explains in detail how to set up Ozeki Phone System XE with Secure SIP (TLS) so that the SIP messaging is encrypted. You will see how to create certificates with SimpleCA and how to use Microsoft's built-in importer for trusted certificates. Finally, you will see how to configure IP phones to communicate over SIP securely.
First of all, download and install Ozeki Phone System XE, then download and extract SimpleCA to C:\SimpleCA\. Certificates are only valid within a set time period, so make sure the date and time are set correctly in the Control Panel.
Step 1) Creating certificates and keys
Run SimpleCA by starting the SimpleCA.exe file. You need to set up the root CA. Select your country and organization, enter the new username and password, then click OK.
Figure 1 - Set up root CA
In the Server Certificates menu choose New Server Certificate Request.
Figure 2 - New server certificate request
Enter your country, state or province name, locality name, organization, organization unit and e-mail address, and set the common name field to the IP address on which Ozeki Phone System XE will listen for incoming TLS connection requests. Once done, click OK. If you provide a domain name instead of the IP address, you need to give this domain name (not the IP address) when you register your softphone to the PBX. You will be prompted to save this (unsigned) certificate.
Figure 3 - Create new server certificate request
Then give a name for the Certificate Signing Request.
Figure 4 - Save the .csr file (Certificate Signing Request)
In the Server Certificates menu choose Sign Server Certificate Request and select the previously created .csr file.
Figure 5 - Sign server certificate request
Check the given data and click OK to proceed to the next step.
Figure 6 - Sign server certificate request
Enter the same password you used when you created the Root CA.
Figure 7 - Enter CA key password
SimpleCA will generate a pair of files: the security certificate (with .crt extension) and its private key (with .key extension).
Figure 8 - Created files
Step 2) Configuring Ozeki Phone System XE with TLS
After you have created the certificates, you need to allow TLS in your PBX settings and add the created certificates, as well.
First open your PBX, then select the PBX Features menu at the top of the web page, and select Preferences.
Figure 9 - Open Preferences
Now, tick the Use TLS transport type checkbox, enter the port number on which the PBX will receive secure connections in the Secure SIP Service port textbox, and click the OK button.
Figure 10 - Enable TLS
Now, select the TLS certificates menu on the left side of the web page, then click the Add button.
Figure 11 - Select TLS certificates
Here, you need to specify the IP address on which the certificate will be used. If the ANY ADDRESS option is selected, the certificate will be used on every network interface where no other certificate is in use. In the .crt textbox you need to specify the path of the previously created .crt file (e.g. 192.168.115.174.crt), and in the Private key textbox the path of the .key file (e.g. 192.168.115.174.key).
Figure 12 - Select TLS certificates
Step 3) Configuring the client PC (on which the softphone is installed)
Now, you need to install the root CA certificate on the machine where your softphone is installed, so that the softphone trusts the certificate presented by the PBX. Open the main directory of your SimpleCA software, find the ca.crt file (not the 192.168.115.174.crt file) and double-click on it.
Figure 13 - Open ca.crt file
Click the Install Certificate... button to install this certificate.
Figure 14 - Click on Install Certificate...
Click the Next button.
Figure 15 - Certificate import wizard
Then, select Place all certificates in the following store and click the Browse button.
Figure 16 - Certificate store
In the next window, select Trusted Root Certification Authorities as the store to be used. Then click the OK and Next buttons.
Figure 17 - Select the certificate you want to use
The certificate will be imported after you click the Finish button.
Figure 18 - Completing the Certificate Import Wizard
In the next window, click the Yes button to confirm the installation of this certificate.
Figure 19 - Security warning
Step 4) Configuring Bria and 00_OzekiDemoSoftphoneWPF to use TLS
In your Bria client go to File -> Account Settings, then select an account and click Edit. On the Account tab, modify the Proxy Address. The port number should be 5061 by default.
Figure 20 - Modify proxy address
Go to the Security tab and select TLS as the signaling transport. Finally, click OK.
Figure 21 - Select signaling transport
The following figure shows how to set up 00_OzekiDemoSoftphoneWPF (http://www.voip-sip-sdk.com/) to use TLS. You need to provide the SIP account data and the IP address or domain name that you provided when you created the certificate. You also need to select the Tls transport type.
Figure 22 - Select signaling transport
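A check you can run from the client PC once the steps above are done, as an added example that is not part of the original guide or of Ozeki's software: it connects to the PBX's secure SIP port trusting only ca.crt, then reports the problems this guide warns about (a common name that differs from the address the phone registers to, or a clock outside the certificate's validity period). The C:\SimpleCA\ca.crt path, the function names and the sample certificate are assumptions made for the example.

```python
import socket
import ssl
import time

# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "192.168.115.174"),)),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2025 GMT",
}


def names_in_cert(cert):
    """Common Name plus any subjectAltName entries of a getpeercert() dict."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn
             if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ())
              if kind in ("DNS", "IP Address")]
    return names


def review_cert(cert, registrar, now=None):
    """List the problems that would break a softphone's TLS registration."""
    now = time.time() if now is None else now
    names = names_in_cert(cert)
    problems = []
    # Exact comparison only; wildcard names are not handled here.
    if registrar.lower() not in [n.lower() for n in names]:
        problems.append(f"name mismatch: certificate is for {names}, "
                        f"phone registers to {registrar}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not valid yet: check the date and time settings")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired: issue a new server certificate")
    return problems


def check_pbx(registrar, port=5061, ca_file=r"C:\SimpleCA\ca.crt"):
    """Handshake with the PBX while trusting only the root CA from Step 1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # certificate required
    ctx.check_hostname = False  # the name is compared in review_cert instead
    ctx.load_verify_locations(cafile=ca_file)
    with socket.create_connection((registrar, port), timeout=5) as raw:
        # Raises ssl.SSLCertVerificationError if ca.crt did not sign the chain.
        with ctx.wrap_socket(raw) as tls:
            return tls.version(), review_cert(tls.getpeercert(), registrar)


if __name__ == "__main__":
    print(review_cert(SAMPLE_CERT, "pbx.example.test", now=1710000000))
```

Call check_pbx with the same IP address or domain name you enter in the softphone; an empty problem list together with a TLS version string means the phone should be able to register over TLS.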
This guide showed how to set up TLS in your Ozeki Phone System XE: how to create certificates and keys, how to apply them in the Ozeki PBX, and how to configure your softphone to use TLS for communication.