What prompts this article is the recent feature enhancement from VOIP.MS namely the opportunity to provide encryption on the signaling and voice traffic for SIP trunks through VOIP.MS (VOIP.MS wiki article). To do this, you configure both ends of a SIP trunk for encryption. At the server end, this requires just one mouse click. But at the client end, you have to figure out how to configure the client device accordingly so that both the signaling traffic and the voice traffic will get encrypted in cooperation with the VOIP.MS server. The steps to do this would, of course, be different depending upon the particular client device being used.
This article focuses on the Grandstream UCM series of IP PBXs. The UCM PBX is a widely used and extremely reliable PBX. We use this at OPLF. Until now you might used one or more SIP trunks with VOIP.MS to support incoming or outgoing calls to or from the PBX. Such a connection would have used UDP (not TCP and not TLS) for the SIP signaling, and thus would have been at risk of eavesdropping. Likewise such a connection would not have used SRTP for the voice traffic, and thus would have been at risk of eavesdropping for that traffic as well.
Now comes the opportunity to encrypt both the signaling traffic and the voice traffic with your VOIP.MS service. This article assumes several things:
- You are familiar with the VOIP.MS wiki article about the new encrypted SIP traffic feature (in beta test).
- You already know how to configure the SIP trunk at the server end for TLS/SRTP (click on advanced options, select “yes” for “encrypted SIP traffic”).
- You already know that if the POP you were using did not contain a numerical digit, you are going to have to insert a numerical digit or switch to a POP in that city that has a numerical digit.
- You already know how to log into the administrative interface of your Grandstream UCM PBX.
- You have already configured one or more SIP trunks at the PBX that connect to VOIP.MS POPs.
- You have already tested the connections through the SIP trunks for incoming and/or outgoing calls as appropriate and you already know that they work just fine.
- Each SIP trunk PBX that is connected to a VOIP.MS trunk shows a status of “registered” in the PBX dashboard.
- Each SIP trunk from the PB shows a status of “registered” in the registration status screens of VOIP.MS.
With all of these assumptions in place, it will be appreciated that all that you really need to accomplish is turning on TLS for the SIP connection, and turning on SRTP. In the Grandstream PBX this is actually quite easy. Here are the steps, which you would repeat one by one for each of the SIP trunks in the PBX that are connected to VOIP.MS.
In the PBX, go to Extensions/Trunk and go to VoIP Trunks. Look down the list of your active trunks and find the one that connects to VOIP.MS and that you will want to migrate to this encrypted status. You will readily recognize the VOIP.MS trunks because in the “hostname/IP” column it will list a POP such as “denver.voip.ms”. Click the “edit” icon for that trunk.
You will now see an “edit SIP trunk” screen with two tabs — “basic settings” and “advanced settings”. You will be making changes in both tabs.
- In the “basic settings” tab, change the “transport” from UDP to TLS.
- In the “host name” field, change the host name to say “:5061” after the domain name.
- In the “advanced settings” tab, change the SRTP setting from “disabled” to “enabled and forced”.
Now click “SAVE” to save the new settings for the SIP trunk. Once the settings have been saved, then click “Apply Changes”.
Now at the VOIP.MS account or subaccount, configure for “encrypted SIP traffic”. This only requires one mouse click!
Now check the registration status at VOIP.MS which should be green with a padlock icon indicating a secure connection. And check the registration status in the PBX desktop which should say “registered”.