Call Encryption - TLS/SRTP - VoIP.ms Wiki

Call Encryption - TLS/SRTP

From VoIP.ms Wiki

(Difference between revisions)
Line 1: Line 1:
This feature allows you to encrypt the communication between your device and our server, by using the SIP-TLS ''(Transport Layer Security)'' and SRTP ''(Secure Real-Time Transport Protocol)'' protocol.
This feature allows you to encrypt the communication between your device and our server, by using the SIP-TLS ''(Transport Layer Security)'' and SRTP ''(Secure Real-Time Transport Protocol)'' protocol.
-
This adds a security layer when the packet being transmitted between you and our server, it encapsulates and crypt the transmission. In other words, when your device is configured with this encryption method, your device asks to our server a dedicated certificate to establish a trust and fully secure communication from each part.
+
This adds a security layer when the packets are being transmitted between you and our server, it encapsulates and encrypt the transmission. In other words, when your device is configured with this encryption method, your device asks to our server a dedicated certificate to establish a trust and fully secure communication from each part.
This is ideal if you are using a softphone on a public network. ''(We strongly recommend you to use this function in this case.)''
This is ideal if you are using a softphone on a public network. ''(We strongly recommend you to use this function in this case.)''
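Review bot: The rewritten second paragraph still has grammar problems in the added line: "it encapsulates and encrypt the transmission" needs "encrypts", and the clause is joined to the previous one with a comma splice. "your device asks to our server a dedicated certificate" should read "your device asks our server for a dedicated certificate", and "from each part" would be clearer as "on both sides".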
Line 14: Line 14:
== Activate This Option on Your Main Account ==
== Activate This Option on Your Main Account ==
-
1) To active this feature go to your main account by navigating through the “'''Main Menu'''” > “'''<font color="#FF7C21">Account Settings</font>'''”
+
1) To active this feature go to your Customer portal home and click on “'''Main Menu'''” > “'''<font color="#FF7C21">Account Settings</font>'''”
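Review bot: Step 1 in the new revision still opens with "To active this feature"; it should be "To activate this feature". The same typo was carried over unchanged from the old line, so this edit is a good place to fix it.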
Line 20: Line 20:
-
2) Once you are in the “'''Account Settings'''” section, navigate through the submenu and go to “'''<font color="#FF7C21">Advanced</font>'''” and find the field “'''<font color="red">Encrypted SIP Traffic</font>'''” to '''Yes''', and press '''Apply'''
+
2) Once you are in the “'''Account Settings'''” section, navigate through the submenu and go to “'''<font color="#FF7C21">Advanced</font>'''” and find the field “'''<font color="red">Encrypted SIP Traffic</font>'''”, set to '''Yes''' and press '''Apply'''
Line 40: Line 40:
-
2) In the column “'''<font color="#FF7C21">Actions</font>'''” click on the edit button [[File:edit_icon.png]], in a row of the sub account you need to activate this feature.  
+
2) In the column “'''<font color="#FF7C21">Actions</font>'''” click on the edit button [[File:edit_icon.png]], for the row of the sub account you need to activate this feature for.  
Line 47: Line 47:
-
3) Once you choose, your sub account or have created a new one. Find the “'''<font color="#FF7C21">Advanced Options</font>'''” and “'''Click here to display'''”. Then “'''<font color="red">Encrypted SIP Traffic</font>'''” to '''Yes''', and press '''Update Account'''
+
3) Once you are in the Edit screen, find the “'''<font color="#FF7C21">Advanced Options</font>'''” and “'''Click here to display'''”. Then set “'''<font color="red">Encrypted SIP Traffic</font>'''” to '''Yes''', and press '''Update Account'''
Line 59: Line 59:
== Configuration on SIP Client ==
== Configuration on SIP Client ==
-
Now you have activated the feature on your main account/sub account you need to configure your SIP client.
+
Once you have activated the feature on your main account/sub account, you need to configure your SIP client.
-
On some device, you will have to configure some settings to '''enable''' the TLS-SIP communication method.  
+
On some devices, you will have to configure some settings to '''enable''' the TLS-SIP communication method.  
In your settings you must select '''TLS''' as your transport protocol and activate ''media encryption or SRTP*'' as '''Mandatory'''. Without mandatory ''media encryption'', this would result in a call rejection with the SIP error 488.
In your settings you must select '''TLS''' as your transport protocol and activate ''media encryption or SRTP*'' as '''Mandatory'''. Without mandatory ''media encryption'', this would result in a call rejection with the SIP error 488.
-
'''''Some technical precisions that you need to know by using this feature.'''''  
+
'''''Some technical considerations that you need to know for using this feature.'''''  
Please take note, when using encrypted calls with a server, you must always use the server name with a '''number''' at the end.   
Please take note, when using encrypted calls with a server, you must always use the server name with a '''number''' at the end.   
For example, you must use chicago'''1'''.voip.ms instead of chicago.voip.ms.   
For example, you must use chicago'''1'''.voip.ms instead of chicago.voip.ms.   
Line 72: Line 72:
For example, you select london.voip.ms in the portal, but write london'''1'''.voip.ms when you configure your device, softphone or PBX.  
For example, you select london.voip.ms in the portal, but write london'''1'''.voip.ms when you configure your device, softphone or PBX.  
-
When you are using the TLS protocol, it is implied to using TCP as packet transport. The reason is using TLS over UDP is not supported by the TLS specification.  
+
When you are using the TLS protocol, it is implied to be using TCP as packet transport. The reason is using TLS over UDP is not supported by the TLS specification.  
-
The TLS by TCP will use the port '''5061''' instead of 5060. We also have an alternative port such as '''5081''' and 42873
+
The TLS by TCP will use the port '''5061''' instead of 5060. We also have an alternative port such as '''5081''' and '''42873'''
''*The configuration and the terminology may vary from each device/PBX.''  
''*The configuration and the terminology may vary from each device/PBX.''  
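Review bot: The new port sentence, "We also have an alternative port such as '''5081''' and '''42873'''", mixes singular and plural and has no closing period; suggest "We also have alternative ports such as 5081 and 42873." It would also help to state explicitly that these alternative ports are for TLS, since the sentence follows the 5061 versus 5060 comparison.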
Line 81: Line 81:
To know more about that, please refer to the device configuration page or your device manual.
To know more about that, please refer to the device configuration page or your device manual.
-
== TLS/SRTP Registration state validation ==
+
== TLS/SRTP Registration Status Validation ==
When your device is fully registered by using SIP-TLS protocol, you will be able to see the registration status in the portal Home page “'''Main menu'''” > "'''Portal Home'''" for each account/sub account registered or in “'''Sub Accounts'''” > “'''Manage Sub accounts'''” tab to see all of your Sub Accounts registration status.  
When your device is fully registered by using SIP-TLS protocol, you will be able to see the registration status in the portal Home page “'''Main menu'''” > "'''Portal Home'''" for each account/sub account registered or in “'''Sub Accounts'''” > “'''Manage Sub accounts'''” tab to see all of your Sub Accounts registration status.  
-
A <font color="green">green padlock</font> [[File:green_padlock.png]] will appears on the right of registered in green. If you don’t see the padlock, you need to revalidate some configuration.
+
A <font color="green">green padlock</font> [[File:green_padlock.png]] will appears on the right of <font color="green">"Registered"</font> in green. If you don’t see the padlock, you need to revalidate some configuration.
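Review bot: The added padlock line keeps "will appears", which should be "will appear", and "on the right of "Registered" in green" now says green twice. "you need to revalidate some configuration" gives the reader nothing to act on; consider pointing back to the settings named in the Configuration on SIP Client section (TLS transport, mandatory SRTP, numbered server name, TLS port).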

Revision as of 18:07, 15 March 2019

This feature allows you to encrypt the communication between your device and our server by using the SIP-TLS (Transport Layer Security) and SRTP (Secure Real-Time Transport Protocol) protocols.

This adds a security layer while packets are being transmitted between you and our server: it encapsulates and encrypts the transmission. In other words, when your device is configured with this encryption method, it asks our server for a dedicated certificate to establish trust and fully secure communication on both sides.

This is ideal if you are using a softphone on a public network. (We strongly recommend that you use this function in this case.)

Once encrypted calls are enabled for your account or sub account, SIP-TLS and SRTP must be used. Your account or sub account will no longer be able to use the regular SIP communication method.


Activate This Option on Your Main Account

1) To activate this feature, go to your Customer portal home and click on “Main Menu” > “Account Settings”.


2) Once you are in the “Account Settings” section, navigate through the submenu, go to “Advanced”, find the field “Encrypted SIP Traffic”, set it to Yes and press Apply.

Note: If enabled, all the SIP traffic will be encrypted for the main account. 
      Please note that if encrypted calls are enabled then you need to configure your device to make and receive encrypted calls.

Activate This Option on Your Sub Account

1) You may also activate this feature on a sub account. In the navigation bar, select “Sub Accounts” > “Manage Sub accounts”.

If you don't have a sub account yet, you can create one by clicking on the tab “Create Sub Account”.


2) In the column “Actions”, click on the edit button in the row of the sub account for which you need to activate this feature.


3) Once you are in the Edit screen, find the “Advanced Options” and “Click here to display”. Then set “Encrypted SIP Traffic” to Yes, and press Update Account.


Note: If enabled, all SIP traffic will be encrypted for this sub account.
      Please note that if encrypted calls are enabled then you need to configure your device to make and receive encrypted calls.

Configuration on SIP Client

Once you have activated the feature on your main account/sub account, you need to configure your SIP client.

On some devices, you will have to configure some settings to enable the TLS-SIP communication method. In your settings you must select TLS as your transport protocol and set media encryption or SRTP* to Mandatory. Without mandatory media encryption, the call will be rejected with SIP error 488.

Some technical considerations that you need to know when using this feature: when using encrypted calls with a server, you must always use the server name with a number at the end. For example, you must use chicago1.voip.ms instead of chicago.voip.ms.

This also applies to cities with only one server. For example, you select london.voip.ms in the portal, but write london1.voip.ms when you configure your device, softphone or PBX.

Using the TLS protocol implies using TCP as the packet transport, because TLS over UDP is not supported by the TLS specification. TLS over TCP uses port 5061 instead of 5060. We also have alternative ports such as 5081 and 42873.

*The configuration and the terminology may vary for each device/PBX.

*Take note: some SIP clients do not support call encryption; in some cases it is a paid feature, or is available only in the paid version.

To know more about that, please refer to the device configuration page or your device manual.
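The client-side requirements above (TLS transport, a TLS port, a numbered server name, mandatory SRTP) can be checked against an INVITE captured from your own device. The following is an added example, not VoIP.ms code: the messages are constructed, the hostname pattern is inferred from the two names on this page, and it assumes SDES-style SRTP signalling, where mandatory SRTP shows up as an `RTP/SAVP` audio profile with an `a=crypto` line.

```python
import re
TLS_PORTS = {5061, 5081, 42873}                   # TLS ports listed on this page
NUMBERED = re.compile(r"^[a-z]+\d+\.voip\.ms$")   # assumed pattern (chicago1, london1)

def audit_invite(raw):
    """Return findings for one outgoing SIP INVITE; an empty list means it passes."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    m = re.match(r"INVITE sips?:(?:[^@\s]+@)?([^:;\s]+)(?::(\d+))?", lines[0])
    if not m:
        return ["not an INVITE"]
    findings, host = [], m.group(1).lower()
    if not NUMBERED.match(host):
        findings.append(f"server name {host} has no number at the end")
    # The topmost Via header names the transport used on the first hop.
    via = next((l for l in lines[1:] if l.lower().startswith("via:")), "")
    tm = re.search(r"SIP/2\.0/(\w+)", via)
    transport = tm.group(1).upper() if tm else "unknown"
    if transport != "TLS":
        findings.append(f"transport is {transport}, not TLS")
    port = int(m.group(2)) if m.group(2) else (5061 if transport == "TLS" else 5060)
    if port not in TLS_PORTS:
        findings.append(f"port {port} is not a TLS port")
    # Collect the audio sections: transport profile plus whether a key is offered.
    audio, cur = [], None
    for l in sdp.split("\n"):
        if l.startswith("m="):
            cur = None
            if l.startswith("m=audio "):
                cur = {"profile": (l.split() + ["?"] * 2)[2], "crypto": False}
                audio.append(cur)
        elif cur is not None and l.startswith("a=crypto:"):
            cur["crypto"] = True
    if not audio:
        findings.append("no audio stream in SDP")
    for s in audio:
        if s["profile"] != "RTP/SAVP":
            findings.append(f"audio profile is {s['profile']}, expected RTP/SAVP")
        elif not s["crypto"]:
            findings.append("RTP/SAVP offered without an a=crypto line")
    return findings

def sample(target, via, profile, crypto=True):  # constructed INVITE, documentation IPs
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 40000 {profile} 0 8"]
    sdp += ["a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER"] if crypto else []
    head = [f"INVITE sip:15555550100@{target} SIP/2.0",
            f"Via: SIP/2.0/{via} 192.0.2.10:5071;branch=z9hG4bK-constructed"]
    return "\r\n".join(head + ["", ""]) + "\r\n".join(sdp) + "\r\n"
```

A client set to optional rather than mandatory SRTP typically offers `RTP/AVP` with an `a=crypto` line, which this check reports as a wrong audio profile.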

TLS/SRTP Registration Status Validation

When your device is fully registered using the SIP-TLS protocol, you will be able to see the registration status in the portal Home page, “Main menu” > "Portal Home", for each account/sub account registered, or in the “Sub Accounts” > “Manage Sub accounts” tab to see the registration status of all of your sub accounts.

A green padlock will appear to the right of "Registered" in green. If you don’t see the padlock, you need to revalidate some configuration.
