26/1531-ANF 901 14 Uen S 2019-10-18 70
SECURITY
The administrator can choose among the following options:
• SRTP Disabled (default): The IP phone generates and receives non-secured RTP
calls. If the IP phone gets a call from an SRTP-enabled phone, it ignores SRTP
and tries to answer the call using RTP. If the receiving phone has SRTP Only
enabled, the call fails; however, if it has SRTP Preferred enabled, it will accept
RTP calls.
• SRTP Preferred: The IP phone generates secured RTP calls, and accepts both
secured and non-secured RTP calls. If the receiving phone is not SRTP enabled,
it sends non-secured RTP calls instead.
• SRTP Only: The IP phone generates and accepts SRTP secured calls only; all other
calls are rejected (fail).
19.4 HOW TO ENABLE SECURITY ON MITEL 6900, 6970, 6800
AND 6700 TERMINALS AND ON MIVOICE MX-ONE
A number of measures have to be taken in MX-ONE and in the configuration file in the
phone.
There is support in MX-ONE Service Node Manager for enabling security in MX-ONE
and in the 6900/6800/6700 phones.
The steps to enable security are:
1. MX-ONE: For setup of security and security policy, see operational directions
VoIP Security (82/15431-ANF90114) in the CPI library.
2. MX-ONE: For certificate handling, see operational directions Certificate
Management (132/15431-ANF90114) in the CPI library.
3. 6900/6800/6700 phones: The only certificate that is necessary is the root
certificate. The key storage for MX-ONE certificates is /etc/opt/eri_sn/certs/. The root
CA file is called ca.pem. Copy ca.pem to the software server, i.e. to the same directory
as aastra.cfg/startup.cfg. You may set the file name of the root certificate
via MX-ONE Service Node Manager or directly in the aastra.cfg/startup.cfg.
4. Phone aastra.cfg/startup.cfg file: below is an example of the parameters:
sips persistent tls:1
sip outbound support:1
sip transport protocol:4 # 0=UDP&TCP,1=UDP,2=TCP,4=TLS
sips trusted certificates:ca.pem
sip outbound proxy:lim1.mx.example.net
sip outbound proxy port:5061
sip proxy ip:lim1.mx.example.net
sip proxy port:5061
sip registrar ip:0.0.0.0
sip registrar port:5061
sip backup outbound proxy:lim2.mx.example.net
sip backup outbound proxy port:5061
sip srtp mode: 1 #0-RTP,1-SRTP preferred,2-SRTP only
With the backup outbound proxy parameters, security is enabled towards the backup
server.
For XML keys on MX-ONE, the same CA file, ca.pem, is used as for SIP TLS. However,
another CA may have been used for accessing the software server over HTTPS.
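The following check is an added example, not part of the Mitel documentation: it parses aastra.cfg/startup.cfg text and reports where it deviates from the TLS and SRTP parameters shown in step 4, and whether the named root certificate sits beside the cfg file as step 3 requires. The function names, the WEAK_CFG sample and the case-sensitive file-name comparison are assumptions made for this illustration.

```python
# Added example: audit an aastra.cfg/startup.cfg text against the page's settings.
TLS = "4"                      # sip transport protocol: 4=TLS (page, step 4)
SRTP_MODES = {"0": "RTP", "1": "SRTP preferred", "2": "SRTP only"}
PORT_KEYS = ("sip outbound proxy port", "sip proxy port",
             "sip registrar port", "sip backup outbound proxy port")

def parse_cfg(text):
    """Parse 'name:value # comment' lines into a dict; the last value wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[" ".join(key.lower().split())] = value.strip()
    return cfg

def audit(text, server_files):
    """Return findings for cfg text; server_files = names in the cfg directory."""
    cfg, out = parse_cfg(text), []
    if cfg.get("sip transport protocol") != TLS:
        out.append("sip transport protocol is not 4 (TLS)")
    if cfg.get("sips persistent tls") != "1":
        out.append("sips persistent tls is not 1")
    ca = cfg.get("sips trusted certificates")
    if not ca:
        out.append("sips trusted certificates is not set")
    elif ca not in server_files:   # assumption: case-sensitive file names
        out.append(f"root certificate {ca} is not beside the cfg file")
    for key in PORT_KEYS:
        if key in cfg and cfg[key] != "5061":
            out.append(f"{key} is {cfg[key]}, the page's example uses 5061")
    mode = cfg.get("sip srtp mode", "0")   # page: SRTP Disabled is the default
    if mode not in SRTP_MODES:
        out.append(f"sip srtp mode {mode} is not one of 0, 1, 2")
    elif mode == "0":
        out.append("sip srtp mode is 0: calls use non-secured RTP")
    return out

# Constructed sample: a cfg that still uses UDP, port 5060 and no SRTP setting.
WEAK_CFG = """sip transport protocol:1 # UDP
sips trusted certificates:CA.pem
sip proxy ip:lim1.mx.example.net
sip proxy port:5060
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CFG, {"aastra.cfg", "ca.pem"}):
        print("FINDING:", finding)
```

An empty result means the file matches the page's example parameters; it does not confirm that MX-ONE itself has been set up as described in steps 1 and 2.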