...
The following diagram shows the scenario:
As we can see:
...
All external Voice traffic is secure and encrypted (TLS/SRTP)
All Internal Voice traffic is standard (SIP/UDP)
We will show transcoding between GSM and G711 for Smartphone users
Users in Branch office / Customer office will have local survivability, using the local SMB-SBC as a secondary registrar.
...
First we will create 2 Sip Profiles in our Access SBC, one internal, in the Private Subnet, facing the IPPBX/Softswitch located at 10.0.1.252.
...
The External Sip (10.0.0.30) profile will be used to receive upstream registrations for end points coming from branch offices, via the local SMB-SBC.
Note the following attributes:
We are going to use a non-standard listening port for UDP and TCP (15060).
We will also use 15061 for TLS.
The only reason we are enabling TCP and UDP in addition to TLS is for testing purposes.
We recommend changing to TLS only once everything has been tested and you are going to production.
The Internal Sip (10.0.1.30) profile, listening on the standard port, will face the Softswitch/IPPBX.
...
At this point it is important to note that the domain is a full FQDN, which also resolves to the public IP of the SBC on the internet. We will autodiscover that IP by using the prefix "host:" in the Sip Profile. Please note:
...
Note we are using host:mydemopbx.ddns.net as the external IP address for signaling and RTP
The Interop section will have default values, as will the Timing section
For TLS we will use the previously loaded self-signed certificates
We will also enable SRTP encryption and enforce it for any inbound INVITE on this profile.
...
Now, we need to configure the Internal Profile, which will deliver calls coming from extensions at the customer's premises to the PBX, and receive calls from the IPPBX going out to those extensions.
...
This profile is located on the eth1 interface, IP 10.0.1.30
No need to reference any external IP address for translation
Transport is UDP
Standard port is used
Now the profile settings with non-default values:
...
It will accept blind authentication, as this interface is never exposed and sits in a secure data center private network
It will be associated with a routing plan that we describe later (Outbound_All_Extensions)
It will perform header manipulation prior to routing on calls landing on this profile (Domain_Routing_Header)
...
Now let's see the Routing Plan "Outbound_All_Extensions":
Notice:
...
We are assigning kdomain to the channel variable domain_name
We are enforcing SRTP on the B leg when the call is bridged
We are enforcing TLS in the bridge application
If you are testing with UDP or TCP, you can comment out the current bridge statement and uncomment the one that does not enforce TLS
...
It will look like this:
Notice:
...
We are enforcing SRTP via the "sip_secure_media=true"
We are checking that the call comes from an extension via caller_id_number="^5.." <-- this could simply be deleted to make it more generic
We are enforcing the SIP domain name in the bridge, as well as TLS on leg B via the Externa_to_Carrier profile
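The Outbound_All_Extensions routing plan described above, rendered as a FreeSWITCH-style XML dialplan extension; this is an added example, not configuration taken from the original page or its SBC product. The profile name Externa_to_Carrier, the sip_secure_media variable and the caller-ID pattern come from the text; using the page's FQDN mydemopbx.ddns.net in place of kdomain and the exact sofia dial-string syntax are assumptions.

```xml
<!-- Added example: Outbound_All_Extensions as a FreeSWITCH-style dialplan extension.
     Assumptions: kdomain is represented by the page's FQDN mydemopbx.ddns.net, and
     the sofia dial-string syntax follows standard FreeSWITCH conventions. -->
<extension name="Outbound_All_Extensions">
  <!-- Only calls whose caller ID starts with 5 (an extension) are routed here;
       remove this condition to make the plan generic, as the text suggests. -->
  <condition field="caller_id_number" expression="^5..">
    <!-- Assign the SIP domain to the channel variable domain_name -->
    <action application="set" data="domain_name=mydemopbx.ddns.net"/>
    <!-- Enforce SRTP on the B leg when the call is bridged -->
    <action application="set" data="sip_secure_media=true"/>
    <!-- Production bridge: TLS signaling on leg B via the Externa_to_Carrier profile -->
    <action application="bridge"
            data="sofia/Externa_to_Carrier/${destination_number}@${domain_name};transport=tls"/>
    <!-- Test-only bridge without TLS; keep it commented out in production:
    <action application="bridge"
            data="sofia/Externa_to_Carrier/${destination_number}@${domain_name}"/>
    -->
  </condition>
</extension>
```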
...
Now, let's present what to do with the external profile:
...
Transport protocol will be TLS
Associated with the external interface 192.168.200.250
External public IP address will be announced for signaling and RTP
...
TLS will use a self-signed certificate
SRTP is enabled and enforced for all inbound traffic on this profile
...
NAT is not enabled, except for RTP Adjust, to avoid certain cases where audio on one side does not wait for the other side.
A dial plan has been associated for incoming calls to the profile (Inbound_Dialplan)
...
This new profile will have the following configuration:
...
...
The routing rule associated with this profile is the one named Local_Calls, which will look like this:
...