
TLS for remote phones only with an ASBC

Status
Not open for further replies.

cjjb

Programmer
Oct 31, 2007
15
US
Hello all,

I have a question about TLS encryption on an IPO 500vr R11.1.1.0 build 18 system. We have a customer using an ASBCE for remote phones, desktop and mobile apps only. I was wondering if you can have TLS only on the remote devices connected to the ASBCE and not the local phones? The ASBCE is not running through a firewall. Any assistance is greatly appreciated.

Thanks,
CJJB
 
If I have understood the remote worker section of 70080w correctly then yes.
That is the way they set it up in their example.


Do things on the cheap & it will cost you dear

ACSS
 
If you enable TLS on IPO you will get a 46xxsettings.txt that will force the local phones as well to use TLS. If you have valid certificates that’s not a problem. You can enable TCP only in IPO to have the 46xxsettings.txt reflect the TCP only setting. You can use TLS as well on the ASBCE by using an individual settings file or by setting the NoUser Source Code.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN
 
IPguru and derfloh,

Thanks for the response to my thread. Derfloh, what would I enter in the NoUser Source Code to implement this?

Thanks,
Cjjb
 
Derfloh,

Below are the current NoUser Source Code settings I have now. Can you tell me what I need to add in order to make this work? Again any information is greatly appreciated.

Thanks,
Cjjb

Screenshot_2022-06-07_075142_xrekra.png
 
Derfloh,

I think I know the answer to this question already but I will ask anyway. For the local phones to grab the non TLS settings it will require a reboot?

Thanks,
Cjjb
 
Derfloh,

Do they have to be defaulted too?

Thanks,
Cjjb
 
Derfloh,

We got the local phones working on non-TLS as they wanted. Now my remote devices aren't working. So probably in the ASBCE, can you guide me where to look? I'm a novice in the ASBCE. I appreciate all your help.

Also there are these settings in the IPO. Will they have any effect?

Thanks,
Cjjb

Screenshot_2022-06-08_172248_jxwvio.png
 
As what I posted earlier in the thread. Am I missing something else?

Screenshot_2022-06-07_075142_rbqtti.png
 
Derfloh,

Yeah, we had everything set for TLS on the LAN, but since this was on their internal private network they use it to record calls. They aren't using the IPO for recording. This is a police dept and dispatch center. Even though it's only for their non-emergency lines, it's being recorded by third-party equipment. We found out they couldn't record TLS audio after the install was completed. So that's the reason for changing to non-TLS on the LAN and doing it all through the SBC. Since we have never deployed an SBC before now, I don't know how to provision it. My vendor doesn't know where to go either. So I'm stuck. I really appreciate all the assistance. Would you be able to show me an example settings file to show what I need to create to make this work? Again, thanks for all your help.

Cjjb
 
The phones and apps don't switch between TLS/UDP/TCP. I've tried on this and never got anywhere.

What I would suggest is that the SBC has TLS on B1, but TCP/UDP on A1. Then get the apps to route to B1 from the internal network. Then you'll have TCP/UDP to the IPO for recording purposes, while still maintaining encryption over the internet.

Never done this, but started to look into it recently for the same call recording reason.

Not sure if you have 2 'external' (one public/DMZ, one inside the network) interfaces using the same A1 for the system. I can understand why routing from the LAN to a DMZ network port wouldn't be great, although could be firewalled.

You'll also need to consider how many licenses you have on the SBC.

Jamie Green

Avaya Registered Specialist Engineer
 
Jamie77 thanks,

Just for clarification on my setup. They only want to record the audio from the local phones on the LAN. We don't need to record the apps or remote phones. So all we are looking to do is get TLS on the remote phones and apps to register with TLS while leaving the local phones TCP/UDP. Again I appreciate everyone's help. I just wanted to make sure we are all on the same page.

Thanks,
Cjjb
 
What if you have the local phones connect to one of the IPO's LAN ports, with only UDP checked, and the ASBCE connect with TLS to the other LAN port?
 
The other LAN port is used for a SIP trunk from the local telco.

Thanks again,
Cjjb
 
derfloh:

I have copied the existing 46xxsettings.txt file with TLS enabled on the IPO, renamed it rwsettings.txt and loaded it to the embedded file management.

I have then disabled TLS on the IPO (auto-generated file).

I am not sure of the correct way to forward in the reverse proxy from 46xxsettings.txt to rwsettings.txt.

2022-06-21_10-19-23_anmlub.png


ACSS / ACIS
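
An added example, not posted by anyone in this thread: a small Python check for the split described above, confirming that the file served to remote workers lists only TLS controllers and that the auto-generated local file lists none. It assumes the files use `SET SIP_CONTROLLER_LIST "host:port;transport=..."` lines; the file contents and addresses below are constructed samples.

```python
import re

# Constructed samples; addresses, ports and contents are made up for illustration.
LOCAL_FILE = '''\
## auto-generated 46xxsettings.txt after TLS was disabled on the IPO
SET SIP_CONTROLLER_LIST "192.0.2.10:5060;transport=tcp"
'''
REMOTE_FILE = '''\
## rwsettings.txt, the copy intended for remote workers behind the SBC
SET SIP_CONTROLLER_LIST "203.0.113.5:5061;transport=tls,203.0.113.5:5060;transport=tcp"
'''

SET_RE = re.compile(r'^\s*SET\s+(\w+)\s+(.*?)\s*$')

def parse_settings(text):
    """Return {parameter: value} from SET lines; a later line overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith('#'):      # comment line
            continue
        m = SET_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip('"')
    return params

def controller_transports(text):
    """List (host:port, transport) for every entry in SIP_CONTROLLER_LIST."""
    value = parse_settings(text).get('SIP_CONTROLLER_LIST', '')
    result = []
    for entry in filter(None, (e.strip() for e in value.split(','))):
        addr, _, opts = entry.partition(';')
        m = re.search(r'transport=(\w+)', opts, re.I)
        result.append((addr, m.group(1).lower() if m else 'unspecified'))
    return result

def audit(text, want_tls):
    """Return the entries that contradict the transport intended for this file.

    Entries with no explicit transport are reported too, since the phone's
    default would then decide. A missing list is reported as a finding.
    """
    entries = controller_transports(text)
    if not entries:
        return [('SIP_CONTROLLER_LIST', 'missing')]
    return [(a, t) for a, t in entries
            if t == 'unspecified' or (t == 'tls') != want_tls]

if __name__ == '__main__':
    print('local :', audit(LOCAL_FILE, want_tls=False))
    print('remote:', audit(REMOTE_FILE, want_tls=True))
```

An empty list means the file matches the intent; here the constructed remote file is flagged because it still offers a TCP controller alongside the TLS one.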
 