SIP TLS (Transport Layer Security)

SIP signaling can be encrypted between the endpoint and the PBX node it registers to by using TLS (Transport Layer Security). Note that TLS protects only the SIP signaling; the RTP media stream is unaffected unless SRTP is enabled as well.

SIP over TLS also lets registrations pass through ALGs (Application Layer Gateways) and ISP blocking untouched. An ALG works by inspecting SIP messages and rewriting the private IP addresses in them to the network's public IP; once the signaling is encrypted, the local network equipment can no longer read the packets and therefore cannot inspect, rewrite, or selectively block them. Most industry standards do not require SIP over TLS at this point in time, although that may change in the future.

Enabling SIP TLS support

If you're using our domains for registration (portal.luminatewholesale.com), then TLS is already enabled.

However, if you wish to use your own domains for registration and provisioning, you first need to make sure the appropriate DNS SRV records are configured for those domains.
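The following pre-flight script is an added example and is not part of the original article or of the PBX vendor's tooling. It checks the two things that bite when moving a customer domain to TLS: that the SRV records phones will query actually exist, and that the registrar's certificate covers the FQDN the phones register to, which is the check the Polycom and Snom overrides later in this article switch off. It assumes (the article does not say) that the TLS SRV record is published under the RFC 3263 name _sips._tcp.<domain>, that the registrar listens on 5061, and that dig and openssl 1.1.0 or later (for -verify_hostname) are installed.

```shell
#!/bin/sh
# Added example, not from the original article or the PBX vendor.
# Pre-flight checks before pointing phones at your own registration domain over TLS.
# Assumptions (not stated in the article): the TLS SRV record uses the RFC 3263 owner
# name _sips._tcp.<domain>, the registrar listens on 5061, and dig/openssl are installed.

# Owner name of the SRV record a phone queries for a given transport (RFC 3263).
srv_name() {
    domain=$1
    transport=$2
    case "$transport" in
        tls) printf '_sips._tcp.%s\n' "$domain" ;;
        tcp) printf '_sip._tcp.%s\n'  "$domain" ;;
        udp) printf '_sip._udp.%s\n'  "$domain" ;;
        *)   echo "unknown transport: $transport" >&2; return 1 ;;
    esac
}

# Resolve the SRV record; dig +short prints "priority weight port target." per answer.
srv_lookup() {
    dig +short SRV "$(srv_name "$1" "$2")"
}

# Handshake with one registrar and report the certificate verification result.
# -verify_hostname applies the same FQDN-vs-certificate check that
# sec.TLS.SIP.strictCertCommonNameValidation="0" (Polycom) and
# check_fqdn_against_server_cert="off" (Snom) disable on the phone, so a failure
# here means a phone carrying those overrides would connect without noticing.
tls_check() {
    target=$1
    port=$2
    fqdn=$3   # the name the phone is configured to register to
    printf 'Q\n' | openssl s_client -connect "$target:$port" -servername "$fqdn" \
        -verify_hostname "$fqdn" -verify_return_error 2>&1 \
        | grep -E 'subject=|issuer=|Verify return code|verify error'
}

main() {
    domain=$1
    for t in tls tcp udp; do
        echo "== $(srv_name "$domain" "$t")"
        out=$(srv_lookup "$domain" "$t")
        [ -n "$out" ] && echo "$out" || echo "(no SRV record)"
    done
    # Handshake with every target the TLS record points at.
    srv_lookup "$domain" tls | while read -r prio weight port target; do
        echo "== ${target%.}:$port (priority $prio, weight $weight)"
        tls_check "${target%.}" "$port" "$domain"
    done
}

# Only run the network checks when a domain is given on the command line.
if [ $# -eq 1 ]; then
    main "$1"
fi
```

Run it as `sh sip_tls_check.sh voice.example.com` (hypothetical domain) from a network that can reach the registrar. A "Verify return code: 0 (ok)" line means the certificate chains to a trusted CA and names the registration FQDN; a hostname mismatch is the situation the Polycom and Snom name-check overrides paper over, and it is better fixed by having the registrar present a certificate that covers the customer domain than by disabling the check on every phone.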

Phone Overrides

SIP over TLS is supported only on the phone models that have overrides listed below.

Yealink

Phones running firmware version 66.83.0.65 and above (substitute 'X' with the SIP line number):

account.X.sip_server.1.transport_type="2"
static.security.default_ssl_method="5"

Polycom

VVX series phones running firmware version 5.8.0.12848 and above (substitute 'X' with the SIP line number):

reg.X.server.1.port="0"
reg.X.server.1.transport="TLS"
voIpProt.SIP.outboundProxy.transport="TLS"
voIpProt.server.1.transport="TLS"
sec.TLS.SIP.strictCertCommonNameValidation="0"

Note that the last line turns off validation of the server certificate's name against the FQDN the phone registers to; the phone will then accept any certificate that chains to a CA it trusts, whichever host it was issued for, which weakens its protection against a man-in-the-middle. Only use this override where the registrar's certificate genuinely does not cover your registration FQDN.

Grandstream

There are three known methods for enabling TLS on Grandstream phones:

  • NDP Enablement
  • Phone Inventory Enablement
  • P-Code Enablement

Grandstream NDP Enablement

Locate the device in NDP and then change the device's Transport value to TLS, as seen below.

Grandstream Phone Inventory Enablement

To begin this method, two UI Configs need to be enabled, which can be requested through a Support Request:

PORTAL_INVENTORY_PHONES_TRANSPORT_TYPE = yes

PORTAL_INVENTORY_PHONES_TRANSPORT_TYPE_TLS = yes

Once these UI Configs have been enabled, navigate in your Portal to Phone Inventory > Edit/Bulk Edit > Advanced, where the Transport Method can be changed for either a single device or multiple devices, as seen below.

Grandstream P-Code Enablement

Warning: The P-Code method detailed below does not work on some firmware versions.

Newer Grandstream phones that use configuration aliases, such as the GRP and WP8XX series (substitute 'X' with the SIP line number):

account.X.sip.transport="TlsOrTcp"

Older Grandstream phones such as the GXP series (newer Grandstream phones also accept P-Codes):

Account (line):1
P130="2"
Account (line):2
P448="2"
Account (line):3
P548="2"

The number in quotes is the SIP transport method:
0 - UDP, 1 - TCP, 2 - TLS/TCP. The default is 0.

If P-Code overrides are needed for further accounts (lines), download the config templates from: http://www.grandstream.com/support/tools

Snom

For Snom devices, you must add an override as well as set TLS as the transport type in the PBX Portal.

Add an override so the phone does not verify the server's FQDN against the certificate. As with the Polycom setting above, this makes the phone accept any certificate that chains to a trusted CA regardless of the name in it, so only use it where the registrar's certificate does not cover your registration FQDN.

check_fqdn_against_server_cert="off"

Further information here:

http://www.traud.de/voip/snom.htm


Important Notes:

  • Some devices prefer TLS over TCP or UDP when both SRV records are published and will switch on their own once they detect the new TLS SRV record. If this behaviour is not desired, those devices must be reconfigured manually. Currently known devices that prefer TLS transport are listed below.
    • ALGO 8301 Paging Adapter. 
  • While the NDP device overrides are domain/device specific, the TLS SRV record that will be created applies to the entire reseller account. This means that devices in all of the reseller's domains that prefer the TLS SRV record may be affected.
  • TLS should NOT be turned on behind EdgeMarcs, which rely on inspecting and rewriting the SIP signaling and cannot do so once it is encrypted.