IMG 1010 - TLS - Configuration

Overview:

License Installation.

To configure TLS, a new license file must be copied into the license directory. This license file must include a Secure Communications license. Copy and paste the new license file into the /opt/dialogic/common/license directory.

Create Logical and Physical IMG.

  • Right Click on IMG EMS and select New Logical IMG. Click on IMG 1010 - Logical IMG link for more information.

  • Right Click on Logical IMG and select New Physical IMG. Click on IMG 1010 - Physical IMG link for more information. 

Create VoIP Interfaces and Facilities:

  • Right Click on the Physical IMG created (IMG Name:) and select New Network. See link for more information.

  • Right Click on IP Network and select New IP Address. This will be the VoIP interface for the VoIP modules. See IMG 1010 - Configuring VoIP link for more information.

  • Right Click on the Physical IMG again and select New Facility. See IMG 1010 - Facility link for more information.

  • Right Click on the Facility object and select New Bearer - IP. This will create the VoIP ports connected to the VoIP module created above. See IMG 1010 - Configuring VoIP link again for bearer-ip information.

Create a Certificate Database which will contain the TLS Certificate Entries:

  • Right Click on the IMG EMS object and select New Certificate Database. This will be the Database that will contain the individual Certificate Entries or Trust IDs. See Certificate Database link for more information.

  • Right Click on Certificate Database object and select New Certificate Entry. There should be a separate Certificate Entry for each entity using different TLS credentials. For example, two external gateways belonging to the same carrier could share the same TLS credentials. See IMG 1010 - Certificate Entry link for more information.

The Certificate Entry is also referred to as the Trust ID.

Create the Secure Profiles, IP Profiles, and SIP SGP Profile:

Creating the Secure Profile will allow you to assign a Trust ID to a remote IP element such as a Gateway.

  • Right Click on IMG EMS and select New Profiles. This will create a database that will contain the different secure profiles that will get created.

  • Right Click on Profiles object and select New Secure Profile. 


    In the pane that appears you will be able to select which Certificate Entry will be assigned to this Secure Profile. Select the number of the Trust ID from the Trust ID field drop down menu. Click on (Secure Profile Pane). For more information on Secure Profiles click on the following link IMG 1010 - Secure Profile

  • Create the IP Bearer profiles that the channel groups will use. Right Click on Profiles Object and select New IP Bearer Profile. See the Link for more information on configuring this pane.

  • Create the SIP SGP Profile by right clicking on the Profiles object and selecting New SIP SGP. If you are configuring TLS and want to either enable or disable SIPS, select True or False from the drop down menu in the SIPS field.

Create the SIP Signaling Object and assign Secure Profiles etc:

  • Right click on the Physical IMG object in the object tree and select New Signaling. A signaling pane will appear. See IMG 1010 - Signaling Object for more information.

  • Right Click on the Signaling object and select New SIP. A SIP Signaling Pane will appear. Optionally in the Default Transport Type field, select TLS from the drop down menu. This transport type is used when the current IMG is used as an external gateway by another IMG. Once TLS is selected, this will highlight the Secure Profile field. Select from the drop down menu the Secure Profile that will be used.

  • The Default port that the IMG will use to communicate with the external gateways when TLS is enabled will be 5061 as shown in the 'Local TLS Port' field of the SIP signaling object. The port number can be changed by clicking in the Local TLS Port field and entering a different port number.

  • The Default Secure Profile field is used when a SIP call comes in over the Secure Profile Port but the external gateway sending the call is not using TLS security. If the field is set to 'Not Used' the call will be rejected. There is a drop down menu of all the secure profiles created in this field as well. Select a profile so the calls will not get rejected. See the IMG 1010 - SIP Signaling Object Link for more information on the SIP Signaling Pane.

Create SIP Channel Group and assign.

  • Right Click on IMG EMS and select New Routing Configuration. The Channel Groups can be created under this object. See IMG 1010 - Routing Configuration Object link for more information.

  • Right Click on Routing Configuration and select New Channel Groups. This creates a database which will hold all channel groups created. See IMG 1010 - Channel Groups link for more information.

  • Right Click on the Channel Group object just created and select New Channel Group. Enter a unique name to identify this Channel Group. Select SIP from the Signaling Type Field drop down menu. See the IMG 1010 - Channel Group Link for more information on Channel Group Pane.

Create External Gateways:

Create external gateways that will communicate with the IMG using TLS security.

  • Right Click on IMG EMS and select New External Network Elements. Under this object the external Gateways can get created. See IMG 1010 - External Network Elements link for more information on this object.

  • Right Click on External Gateways object and select New External Gateways. This object will create a database of all the gateways configured. See IMG 1010 - External Gateways link for more information.

  • Right Click on External Gateways link and select New External Gateway. In the Name field give this gateway a unique name that identifies it. See IMG 1010 - External Gateway link for more information.

  • In the Gateway Signaling Field select SIP from the Drop Down Menu.

  • If the IMG will be communicating using TLS, select TLS from the drop down menu in the Gateway Transport Type field. At this point a new Secure Profile field will appear. Select the Secure Profile that will be used to communicate with this specific gateway.

  • You can create multiple gateways communicating with IMG using TLS and each gateway can have a different Secure Profile.

Configuring SIPS (Optional):

SIPS is configured using the SIP SGP Profile. Once SIPS is configured in the SIP SGP Profile, the profile can then be assigned to a specific gateway.

  • To configure SIPS you must first have a SIP SGP profile configured. The SIP SGP profile was already configured above under the heading "Create the Secure Profiles, IP Profiles, and SIP SGP Profile:".

  • To enable SIPS on this individual profile, scroll down to the Enable SIPS field. Click in the field and a drop down menu will offer the selections True and False. The Default is True. See IMG 1010 - SIP Profile - 10.5.3 link for more information. 

Configure Routing:

Configure Routing and Translations as needed to route gateways to IMG.

Troubleshooting Section:

The simple troubleshooting tips below solve some problems that could arise during the configuration of TLS over SIP. Read through the list below and verify each bulleted item has been executed and is configured correctly. If the list below doesn't solve your issue, Sangoma Support Personnel can assist you to get your configuration working.

  • TLS is supported in Software 10.5.1+.

  • The use of certificates requires that the clock on the IMG be synchronized with the network time to ensure proper validation of certificates. To configure the clock, see IMG 1010 - Configure SNTP on GCEMS Server.

  • If a self-signed certificate is created, all clients that connect over an SSL connection to the server on which the certificate is loaded must be configured to trust the signer of this certificate. Because the certificate is self-signed, the signer is not likely to be in the client's trust file, so it must be added.

  • If a certificate expires while a call is in progress, this will have no impact on the call's answered state. When the call is released, a BYE will be rejected and the call will remain in the answered state. The SIP session timers would need to be configured to release the call.

  • When an outbound call fails to establish a TLS session, a cause code of 41 will be returned to the outbound leg.

  • Verify the port configured in the SIP Signaling pane is correct. Default = Port 5061

  • When creating an external gateway, the Remote Port in the Remote Port Field defaults to Port 5060. This can be modified as needed.
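
The clock and self-signed items above can be checked off-box before a certificate is loaded. The script below is an added example, not part of the IMG or GCEMS software: it uses the OpenSSL command line and GNU date, and every function name, host name and certificate in it is constructed for illustration.

```shell
#!/bin/sh
# Added example: OpenSSL CLI + GNU date, not an IMG or GCEMS tool.
# Function names, CNs and certificates are constructed for illustration.

# make_cert PREFIX CN: constructed self-signed certificate, valid for 1 day.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# is_self_signed PEM: exit 0 when subject and issuer are identical.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# trusted_by PEM TRUSTFILE: exit 0 when PEM verifies against TRUSTFILE.
trusted_by() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# cert_state PEM EPOCH: what a validator whose clock reads EPOCH concludes.
cert_state() {
    nb=$(date -u -d "$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)" +%s)
    na=$(date -u -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s)
    if [ "$2" -lt "$nb" ]; then echo not-yet-valid
    elif [ "$2" -gt "$na" ]; then echo expired
    else echo valid; fi
}

demo() {
    d=$(mktemp -d)
    make_cert "$d/gw" gw.example.invalid
    make_cert "$d/other" other.example.invalid
    now=$(date -u +%s)   # taken after creation so notBefore <= now
    is_self_signed "$d/gw.pem" && echo "gw.pem is self-signed"
    trusted_by "$d/gw.pem" "$d/other.pem" || echo "signer absent from trust file: rejected"
    trusted_by "$d/gw.pem" "$d/gw.pem" && echo "signer added to trust file: accepted"
    echo "clock in sync:       $(cert_state "$d/gw.pem" "$now")"
    echo "clock 2 days behind: $(cert_state "$d/gw.pem" $((now - 172800)))"
    echo "clock 2 days ahead:  $(cert_state "$d/gw.pem" $((now + 172800)))"
    rm -rf "$d"
}
demo
```

The same functions can be run against a real certificate file by passing its path in place of the constructed one.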
