Call Encryption - TLS/SRTP - VoIP.ms Wiki

Call Encryption - TLS/SRTP

From VoIP.ms Wiki

Jump to: navigation, search

This feature allows you to encrypt the communication between your device and our server, by using the SIP-TLS (Transport Layer Security) and SRTP (Secure Real-Time Transport Protocol) protocol.

This adds a security layer when the packets are being transmitted between you and our server, it encapsulates and encrypt the transmission. In other words, when your device is configured with this encryption method, your device asks to our server a dedicated certificate to establish a trust and fully secure communication from each part.

This is ideal if you are using a softphone on a public network. (We strongly recommend you to use this function in this case.)

Once encrypted calls are enabled for your account or sub account, the SIP-TLS and SRTP must be used. Your account or sub account will no longer be able to use regular SIP communication method.

Call Encryption - TLS/SRTP is currently only available for SIP protocol. IAX is not supported.

Contents


Activate This Option on Your Main Account

1) To active this feature go to your Customer portal home and click on “Main Menu” > “Account Settings


TLS-SRTP-Steps0001.png


2) Once you are in the “Account Settings” section, navigate through the submenu and go to “Advanced” and find the field “Encrypted SIP Traffic”, set to Yes and press Apply


TLS-SRTP-Steps0002.png
Note: If enabled, all the SIP traffic will be encrypted for the main account. 
      Please note that if encrypted calls are enabled then you need to configure your device to make and receive encrypted calls.

Activate This Option on Your Sub Account

1) You may also activate this feature on a sub account. You need to navigate through the navigation bar and select “Sub Accounts” > “Manage Sub accounts”.

If you don't have a sub account yet, you can create one by clicking on the tab “Create Sub Account


TLS-SRTP-Steps0003.png


2) In the column “Actions” click on the edit button Edit icon.png, for the row of the sub account you need to activate this feature.


TLS-SRTP-Steps0004.png


3) Once you are in the Edit screen, find the “Advanced Options” and “Click here to display”. Then set “Encrypted SIP Traffic” to Yes, and press Update Account


TLS-SRTP-Steps0005.png


Note: If enabled, all SIP traffic calls will be encrypted for this sub account.  
      Please note that if encrypted calls are enabled then you need to configure your device to make and receive encrypted calls.

Configuration on SIP Client

Once you have activated the feature on your main account/sub account, you need to configure your SIP client.

On some devices, you will have to configure some settings to enable the SIP-TLS communication method. In your settings you must select TLS as your transport protocol and activate media encryption or SRTP* as Mandatory*. Without mandatory media encryption*, this would result in a call rejection with the SIP error 488.


Some technical considerations that you need to know for using this feature. Please take note, when using encrypted calls with a server, you must always use the server name with a number at the end. For example, you must use chicago1.voip.ms instead of chicago.voip.ms.

This also applies to cities with only one server. For example, you select the POP server london.voip.ms in the portal, but write london1.voip.ms when you configure your Devices, Softphones or PBXs.

When you are using the TLS protocol, it is implied to be using TCP as packet transport. The reason is using TLS over UDP is not supported by the TLS specification. The TLS by TCP will use the port 5061 instead of 5060. We also have an alternative port such as 5081 and 42873

*The configuration and the terminology may vary from each device/PBX.

*Take note; some SIP clients do not support the call encryption, in some cases is a paid feature, or is available only in the paid version.


Some old systems/devices require to configure the certificate manually. In case is needed, please contact technical support via live chat or email to support@voip.ms (from the email address associated to your account), requesting the client certificate and advising the SIP server.

NOTE: The certificate expires every 90 days, so requesting a new one every period will be necessary to keep call encryption working under these circumstances

To know more about that, please refer to the device configuration page or your device manual.

TLS/SRTP Registration Status Validation

When your device is fully registered by using SIP-TLS protocol, you will be able to see the registration status in the portal Home page “Main menu” > "Portal Home" for each account/sub account registered or in “Sub Accounts” > “Manage Sub accounts” tab to see all of your Sub Accounts registration status.

A green padlock Green padlock.png will appears on the right of "Registered" in green. If you don’t see the padlock, you need to revalidate some configuration.


TLS-SRTP-Steps0006.png
TLS-SRTP-Steps0007.png


Notes

Personal tools
Namespaces
Variants
Actions
VoIP.ms Wiki
Configuration
Guides (English)
Guides (Français)
Guías (Español)
Toolbox