What prompts this article is the recent feature enhancement from VOIP.MS namely the opportunity to provide encryption on the signaling and voice traffic for VOIP calls through VOIP.MS (VOIP.MS wiki article). To do this, you configure both ends of a SIP trunk for encryption. At the server end, this requires just one mouse click. But at the client end, you have to figure out how to configure the client device accordingly so that both the signaling traffic and the voice traffic will get encrypted in cooperation with the VOIP.MS server. The steps to do this would, of course, be different depending upon the particular client device being used.
This article focuses on the Grandstream HT503 Analog Telephone Adapter. (The instructions provided here would apply mutatis mutandis to Grandstream’s other ATAs.)
The HT503 is a widely used and extremely reliable single-line VOIP telephone adapter. Until now you might have been using an HT503 to provide one analog telephone line from VOIP.MS service. Such a connection would have used UDP (not TCP and not TLS) for the SIP signaling, and thus would have been at risk of eavesdropping. Likewise such a connection would not have used SRTP for the voice traffic, and thus would have been at risk of eavesdropping for that traffic as well.
Now comes the opportunity to encrypt both the signaling traffic and the voice traffic with your VOIP.MS service. This article assumes several things:
- You are familiar with the VOIP.MS wiki article about the new encrypted SIP traffic feature (in beta test).
- You already know how to configure the SIP trunk at the server end for TLS/SRTP (click on advanced options, select “yes” for “encrypted SIP traffic”).
- You already know that if the POP you were using did not contain a numerical digit, you are going to have to insert a numerical digit or switch to a POP in that city that has a numerical digit.
- You already know how to log into the administrative interface of your Grandstream HT503 ATA.
- You have already configured the ATA to connect via a SIP trunk to a VOIP.MS POP
- You have already tested the connection through the SIP trunk for incoming and/or outgoing calls as appropriate and you already know that it works just fine.
- The telephone line in the ATA that is connected to a VOIP.MS trunk shows a status of “registered” in the ATA.
- The SIP trunk shows a status of registered in the registration status screens of VOIP.MS.
With all of these assumptions in place, it will be appreciated that all that you really need to accomplish is turning on TLS for the SIP connection, and turning on SRTP. This article explains how to do this with the HT503.
In the ATA, log in at the administrative interface, and go to FXS port:
- Change the SIP Transport from UDP to TLS
- Change the SRTP Mode and set it to “Enabled and forced”
- Go to Primary SIP Server. If it contains a numerical digit, no action required. If it does not, change it to a POP that contains a numerical digit (see the VOIP.MS wiki article). If you make a change, you will also need to update the “outbound proxy” setting in the ATA. If you make a change, you may need to make a corresponding change at VOIP.MS in the relevant DID function such as a DID or ring group.
Scroll to the bottom and click “Apply”. You will have to wait a minute or two for the ATA to reboot.
Now at the VOIP.MS account or subaccount, configure for “encrypted SIP traffic”. This only requires one mouse click!
Now check the registration status at VOIP.MS which should be green with a padlock icon indicating a secure connection.
In the ATA, click on “Status”. Look at the “Port Status” table in the row labeled “FXS”. The registration status should be “Registered”.
Place incoming and outgoing test calls at the ATA as appropriate.