This article describes how to change the SIP transport protocol from TCP to TLS in a PBX - Sonus SBC 1000/2000 - MS Exchange 2007/2010 Unified Messaging Server topology.

Overview

Previously, we covered the configuration steps for PBX - Sonus SBC 1000/2000 - MS Exchange 2007/2010 Unified Messaging Server in Downstream Deployment of a Sonus SBC 1000-2000 in a PBX-SBC-eUM Topology. That configuration allows connectivity using TCP as the SIP Transport Protocol in the topology shown below.

Topology

In this article, we change the transport protocol from TCP to TLS in order to secure the voice calls. Follow the steps below to make the necessary additional adjustments to your existing configuration.

Configuring the Sonus SBC 1000/2000

Note:

This document assumes that the PBX - Sonus SBC 1000/2000 - MS Exchange 2007/2010 Unified Messaging Server settings have already been completed as described in Downstream Deployment of a Sonus SBC 1000-2000 in a PBX-SBC-eUM Topology.

  1. Create a new TLS profile.
    If you only want to have TLS transport protocol between Sonus SBC 1000/2000 and UMS:
    1. Disable Mutual Authentication from the drop-down menu.
    2. Click Apply.

  2. In the left navigation pane, go to System > Node-Level Settings.
  3. Verify that Sonus SBC 1000/2000 host name, domain name, and relevant DNS IP address are correctly configured.

  4. Verify that the Sonus SBC 1000/2000 gateway FQDN resolves to the correct IP address at the DNS level.
    If not, ask your domain administrator to allow the relevant name resolution at the DNS level (e.g., the FQDN should resolve to the IP address and the IP address should resolve to the FQDN correctly).

  5. Generate a Sonus SBC 1000/2000 CSR.
    1. In the left navigation pane, go to Security > Certificates > Generate Sonus SBC 1000/2000 CSR.
      For more information, see Working with Certificates in the User's Guide.
    2. Verify that the FQDN of the gateway appears in the Common Name field.
    3. After you click the OK button, the Sonus SBC 1000/2000 certificate request is generated and displayed in the lower pane of the Generate Certificate Signing Request page.
    4. Copy the content of the request and save it as a text file (e.g., certRequest.txt).
    5. Email the text file (Sonus SBC 1000/2000 certificate request file) to your Root Certificate Authority and have it signed by the CA.

      After the certificate request is signed, the CA administrator will provide you with a signed certificate (e.g., Sonus SBC 1000/2000cert.p7b) file.

  6. Import this file to the Sonus SBC 1000/2000.
    1. In the left navigation pane, go to Security / Certificates / Server Certificates.
    2. Confirm on the screen that the status of the certificate is OK.
      For more information, see Importing a Sonus SBC 1000-2000 Server Certificate in the User's Guide.

  7. Verify that Trusted CA Certificate is imported.
    1. In the left navigation pane, go to Security / Certificates / Server Certificates.
    2. Verify that today's date is in the date range between the Start Validity and Expiration dates.

  8. In the left navigation pane, go to Signaling Groups > Relevant Signaling Group for the Exchange 2010 Server.
  9. Add port 5061 for TLS in the Listening Ports pane.
  10. Add the FQDN of the Exchange server in the *Federated IP/FQDN pane.
    For more information, see Creating and Modifying SIP Signaling Groups in the User's guide.
  11. In the left navigation pane, go to Security > Certificates > Exchange server entry.
  12. Verify that the following are present:
    1. FQDN of the Exchange server is entered in HOST field.
    2. Desired port number is set (e.g., 5061).
    3. TLS is selected in the PROTOCOL field.

  13. In the left navigation pane, go to Signaling Groups > Relevant Signaling Group for the Exchange 2010 Server.
  14. Add port 5061 for TLS in the Listening Ports pane.
  15. Add the FQDN of the Exchange 2010 server in the *Federated IP/FQDN pane.
  16. In the left navigation pane, go to Security > Certificates > Exchange 2010 server entry.
    For more information, see Creating and Modifying SIP Signaling Groups in the User's guide.
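
The DNS and certificate checks in steps 4, 5 and 7 can also be run from an administrator workstation. The script below is an added example, not part of the Sonus or Microsoft documentation; sbc1.example.test, 192.0.2.10 and rootca.pem are placeholder values, and fetch_cert assumes the listener on port 5061 does not request a client certificate (Mutual Authentication disabled as in step 1).

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# sbc1.example.test and 192.0.2.10 are placeholder values.
SAMPLE_CERT = {
    "subject": ((("commonName", "sbc1.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


def dns_round_trip(fqdn, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Step 4: the FQDN resolves to an IP and that IP resolves back to the FQDN."""
    host, aliases, _ = reverse(forward(fqdn))
    names = {n.lower().rstrip(".") for n in [host, *aliases]}
    return fqdn.lower().rstrip(".") in names


def check_cert(cert, fqdn, now=None):
    """Steps 5.2 and 7.2: Common Name is the FQDN and today is in the validity range."""
    now = time.time() if now is None else now
    problems = []
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if fqdn.lower() not in [cn.lower() for cn in cns]:
        problems.append(f"Common Name {cns} does not match {fqdn}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems


def fetch_cert(host, ca_file, port=5061, timeout=5):
    """Handshake with a TLS listener, trusting only the root CA in ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration with constructed data; on a live system call
    # dns_round_trip(fqdn) and check_cert(fetch_cert(fqdn, "rootca.pem"), fqdn).
    table = {"sbc1.example.test": "192.0.2.10"}
    print(dns_round_trip("sbc1.example.test", table.__getitem__,
                         lambda ip: ("sbc1.example.test", [], [ip])))
    print(check_cert(SAMPLE_CERT, "sbc1.example.test", now=1735689600))
```

An empty list from check_cert means the Common Name and validity dates passed; a failed handshake in fetch_cert means the presented certificate does not chain to the supplied root CA or does not match the host name.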

Configuring the Exchange Server

VoIP Security

  1. Launch Exchange Management Console on Exchange Server and navigate to Organization Configuration > Unified Messaging (in navigation pane).
  2. Open the properties of the relevant UM Dial Plan.
  3. Configure the VoIP security settings as SIP Secured in the drop-down menu.
  4. Click OK (this is necessary for TLS).

Port Settings

  1. Launch Exchange Management Shell on Exchange Server.
  2. Execute the set-UMIPgateway -identity "<Your UM IP GW ID>" -Port 5061 command to set the communication port between Sonus SBC 1000/2000 and the Exchange Server to 5061.

Upon successful completion of the steps in this procedure, you should be able to make Sonus SBC 1000/2000 <--> Exchange UMS calls over the TLS transport protocol without any issues.