CHAPTER14 Security
Mediant 1000 Gateway & E-SBC | User's Manual
■ Online Certificate Status Protocol (OCSP). Some Public-Key Infrastructures (PKI) can revoke
a certificate after it has been issued. You can configure the device to check whether a peer's
certificate has been revoked, using the OCSP. When OCSP is enabled, the device queries the
OCSP server for revocation information whenever a peer certificate is received (TLS client
mode, or TLS server mode with mutual authentication).
● The device does not query OCSP for its own certificate.
● Some PKIs do not support OCSP, but generate Certificate Revocation Lists
(CRLs). For such scenarios, set up an OCSP server such as OCSPD.
■ Private key - externally created and then uploaded to device.
■ Different levels of security strength (key size) per TLS certificate.
■ X.509 certificates - self-signed certificates or signed as a result of a certificate signing request
(CSR).
■ Trusted root certificate authority (CA) store (for validating certificates).
To use a TLS Context for SIPS, assign it to a Proxy Set and/or SIP Interface associated with the IP
Group for which you want to employ TLS certificates. When the device establishes a TLS
connection (handshake) with a SIP user agent (UA), the TLS Context is determined as follows:
■ Incoming calls:
a. Proxy Set: If the incoming call is successfully classified to an IP Group based on Proxy
Set (i.e., IP address of calling party) and the Proxy Set is configured for TLS ('Transport
Type' parameter is set to TLS), the TLS Context assigned to the Proxy Set is used. To
configure Proxy Sets, see Configuring Proxy Sets.
b. SIP Interface: If the Proxy Set is either not configured for TLS (i.e., the 'Transport Type'
parameter is set to UDP) or not assigned a TLS Context, and/or classification to a Proxy
Set fails, the device uses the TLS Context assigned to the SIP Interface used for the call.
To configure SIP Interfaces, see Configuring SIP Interfaces.
c. Default TLS Context (ID 0): If the SIP Interface is not assigned a TLS Context or no SIP
Interface is used for the call, the device uses the default TLS Context.
■ Outgoing calls:
a. Proxy Set: If the outgoing call is sent to an IP Group associated with a Proxy Set that is
assigned a TLS Context and the Proxy Set is configured for TLS (i.e., 'Transport Type'
parameter is set to TLS), the TLS Context is used. If the 'Transport Type' parameter is set
to UDP, the device uses UDP to communicate with the proxy and no TLS Context is
used.
b. SIP Interface: If the Proxy Set is not assigned a TLS Context, the device uses the TLS
Context assigned to the SIP Interface used for the call.
c. Default TLS Context (ID 0): If the SIP Interface is not assigned a TLS Context or no SIP
Interface is used for the call, the device uses the default TLS Context.
The following procedure describes how to configure a TLS Context through the Web interface. You
can also configure it through ini file [TLSContexts] or CLI (configure system > tls).
➢ To configure a TLS Context:
1. Open the TLS Contexts table (Setup menu > IP Network tab > Security folder > TLS
Contexts).
2. Click New to add a new TLS Context or Edit to modify the default TLS Context at Index 0; the
following dialog box appears:
- 124 -
To Next Page
Loading...
Need help?
General
