Mediant 2000 & TP-1610 & TP-260/UNI SIP User's Manual Version 5.0

Mediant 2000 & TP-1610 & TP-260
SIP User's Manual 290 Document #: LTRT-68805
13.2 SSL/TLS
SSL, also known as TLS, is the method used to secure the gateway's SIP Signaling
connections, Embedded Web Server and Telnet server. The SSL protocol provides
confidentiality, integrity and authenticity between two communicating applications over
TCP/IP.
Specifications for the SSL/TLS implementation:
- Supports transports: SSL 2.0, SSL 3.0, TLS 1.0
- Supports ciphers: DES, RC4 compatible
- Authentication: X.509 certificates; CRLs are not supported
13.2.1 SIP Over TLS (SIPS)
The gateway uses TLS over TCP to encrypt SIP transport and (optionally) to authenticate
it. To enable TLS on the gateway, set the selected transport type to TLS
(SIPTransportType = 2). In this mode the gateway initiates a TLS connection only for the
next network hop. To enable TLS all the way to the destination (over multiple hops) set
EnableSIPS to 1. When a TLS connection with the gateway is initiated, the gateway also
responds using TLS regardless of the configured SIP transport type (in this case, the
parameter EnableSIPS is also ignored).
TLS and SIPS use the Certificate Exchange process described in Sections 13.2.4 and
13.2.5. To change the port number used for SIPS transport (by default 5061), use the
parameter TLSLocalSIPPort.
When SIPS is used, it is sometimes required to use two-way authentication. When acting
as the TLS server (in a specific connection) it is possible to demand the authentication of
the client's certificate. To enable two-way authentication on the gateway, set the ini file
parameter SIPSRequireClientCertificate = 1. For information on installing a client
certificate, refer to Section 13.2.5 on page 293.
13.2.2 Embedded Web Server Configuration
For additional security, you can configure the Embedded Web Server to accept only
secured (HTTPS) connections by changing the parameter HTTPSOnly to 1 (described in
Table 6-3 on page 143).
You can also change the port number used for the secured Web server (by default 443) by
changing the ini file parameter HTTPSPort (described in Table 6-3 on page 143).
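As an added example (not part of the manual), the following Python script audits a gateway ini file against the TLS settings named in Sections 13.2.1 and 13.2.2. The `Name = value` syntax with `;` comments and `[section]` headers, case-insensitive parameter names, and the policy that all four settings must be enabled are assumptions of this example; the sample ini text is constructed.

```python
import re

# Values the section gives for TLS operation; requiring all four is an assumed policy.
REQUIRED = {
    "SIPTransportType": "2",              # SIP transport is TLS
    "EnableSIPS": "1",                    # TLS over every hop
    "SIPSRequireClientCertificate": "1",  # two-way authentication
    "HTTPSOnly": "1",                     # Web server accepts only HTTPS
}
# Ports named in the section, with the defaults it states.
PORT_DEFAULTS = {"TLSLocalSIPPort": 5061, "HTTPSPort": 443}
LINE_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*([^;]*)")

def parse_ini(text):
    """Assumed syntax: 'Name = value', ';' comments, optional [section]
    headers, case-insensitive names; the last assignment wins."""
    params = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # comment, blank and [section] lines do not match
            params[m.group(1).lower()] = m.group(2).strip().strip("'\"")
    return params

def audit(text):
    """Return (findings, ports): deviations from REQUIRED and TLS listening ports."""
    params, findings, ports = parse_ini(text), [], {}
    for name, want in REQUIRED.items():
        got = params.get(name.lower())
        if got is None:
            findings.append(f"{name}: not set (expected {want})")
        elif got != want:
            findings.append(f"{name} = {got} (expected {want})")
    for name, default in PORT_DEFAULTS.items():
        value = params.get(name.lower(), str(default))
        if value.isdecimal() and 1 <= int(value) <= 65535:
            ports[name] = int(value)
        else:
            findings.append(f"{name} = {value} (not a valid TCP port)")
    return findings, ports

# Constructed sample, not a real gateway configuration.
SAMPLE_INI = """[SIP Params]
SIPTransportType = 2
EnableSIPS = 0      ; TLS to the next hop only
HTTPSOnly = 1
HTTPSPort = 8443
"""
if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

The returned port map lists the TLS listeners (SIPS and HTTPS) that firewall rules need to account for when the defaults have been changed.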
13.2.2.1 Using the Secured Embedded Web Server
To use the secured Embedded Web Server, take these 3 steps:
1. Access the gateway using the following URL:
https://[host name] or [IP address]
Depending on the browser's configuration, a security warning dialog may be
displayed. The reason for the warning is that the gateway's initial certificate is not
trusted by your PC. The browser may allow you to install the certificate, thus skipping
the warning dialog the next time you connect to the gateway.
2. If you are using Internet Explorer, click View Certificate and then Install Certificate.
3. The browser also warns you if the host name used in the URL is not identical to the
one listed in the certificate. To solve this, add the IP address and host name
(ACL_nnnnnn where nnnnnn is the serial number of the gateway) to your hosts file,
located at /etc/hosts on UNIX or C:\Windows\System32\Drivers\ETC\hosts on
Windows; then use the host name in the URL (e.g., https://ACL_280152).