MyPBX Security Configuration Guide(Part 5)--How to Use TLS in MyPBX

1. How to register IP phones to MyPBX via TLS
MyPBX works as a SIP server; IP phones register to MyPBX as extensions via TLS.

1.1 Enable TLS in MyPBX’s Web interface

Click “PBX--SIP settings--General” to find the TLS settings, which are disabled by default.

·TLS Port
The port used for SIP registrations over TLS. The default is 5061.
·TLS Verify Server
When MyPBX acts as a TLS client, whether or not to verify the server’s certificate. It is “No” by default.
·TLS Verify Client
When MyPBX acts as a TLS server, whether or not to verify the client’s certificate. It is “No” by default.
·TLS Ignore Common Name
Set this parameter to “No” and the common name in the peer’s certificate must match its IP address or domain name.
·TLS Client Method
When MyPBX acts as a TLS client, the protocol used for outbound TLS connections. You can select tlsv1, sslv2 or sslv3.

Note:

      1. For security reasons, we recommend enabling “TLS Verify Client” and disabling “TLS Ignore Common Name”. MyPBX will then verify the IP phone’s certificate, and the common name inside the certificate must match the phone’s IP address or domain name.
      2. TLS Client Method: this is the TLS method of the IP phone; contact the manufacturer of the IP phone to find out which one it supports.
      3. You need to reboot MyPBX for the change to take effect after enabling TLS.

1.2. Prepare all the certificates for TLS

Here are the certificates MyPBX and the IP phone use for TLS registration, as in the screenshot above:
MyPBX’s CA: CA.crt.
MyPBX’s server certificate: asterisk.pem.
IP phone’s CA: CA.crt or CA.csr.
IP phone’s server certificate: client.pem.

The certificates are generated with the OpenSSL toolkit. You can compile the source package from http://www.openssl.org/, or download the tool used here from www.yeastar.com/download/tools/TLS_CA_Tool.rar
The package contains the following files:

Ca.bat: makes the CA.crt for the IP phone and for MyPBX.
Client.bat: makes “client.pem”, the “IP phone’s server certificate”.
Server.bat: makes “asterisk.pem”, the “MyPBX’s server certificate”.
Below are the steps to make all the certificates.

Step1. Prepare MyPBX’s CA: CA.crt         

Double click ca.bat

Just follow the guide to input the information of MyPBX step by step.
In this example, MyPBX’s IP address is 192.168.4.142.

This ca.crt is the same as the one in folder /TLS_CA_Tool/ca/trusted/.

MyPBX’s CA: CA.crt is generated successfully.

Step2. Prepare “asterisk.pem”, the “MyPBX’s server certificate”

We need the CA.crt and CA.key to make the server certificate.
Double click ‍“server.bat”.

Follow the guide to input the information step by step, and make sure the information you enter matches what you entered in Step1.

Check all the information, then input “y” to continue. When done, you can find asterisk.pem as the following picture shows.

asterisk.pem, the ‍“MyPBX’s server certificate” is generated successfully.

Note: We can copy the asterisk.pem, ca.crt to another folder before making the IP phone’s certificate.

Step3. Prepare the IP phone’s certificate, ca.crt

Double click ‍“ca.bat”, input the information of IP phone step by step.

In this example, the IP phone’s IP address is 192.168.4.71.

When done, we can find the ca.crt in this folder.

The ca.crt in folder /TLS_CA_Tool/ca/trusted is the same as the above one.

The IP phone’s certificate is finished.

Note: If you have got your own CA for IP phone, you can rename it to CA.crt and copy it to folder ‍“/TLS_CA_Tool/ca/trusted” before making the ‍“client.pem”.

Step4. Prepare ‍“client.pem”, the ‍“IP phone’s server certificate”.

Double click “client.bat”.

Input the IP phone’s information step by step in this script; make sure the content is the same as in Step3.

Confirm all the information entered before inputting “y” to finish this guide.

The ‍“IP phone’s server certificate” is ready.

Note: We can copy the client.pem, ca.crt to another folder before uploading.

All the certificates are prepared.

1.3. Upload certificates

1.3.1 Upload IP phone’s certificates
In this example, IP phone’s model is Yealink T28.

Step1. Upload ‍“IP phone’s server certificate” (client.pem).

Click “Security--Server Certificates” to upload client.pem.

Click “Choose File” and upload the IP phone’s server certificate. The IP phone reboots by itself when the upload finishes.

When the IP phone boots up again, we can check the certificate status.


Step2. Upload the trusted certificate.

The trusted certificate is the ca.crt of MyPBX. It will be sent to MyPBX during the registration process for authorization.
Click “Security--Trusted Certificates” and upload MyPBX’s ca.crt.

When done, we can check the content of CA.crt like the picture shown below.

The certificates on the IP phone side are uploaded.

1.3.2 Upload MyPBX’s certificates
In this example, the model of MyPBX is MyPBX U200 (firmware version: 15.18.0.22).

Step1. Upload MyPBX’s server certificate (asterisk.pem)

Click “PBX->Advanced Settings->Certificates”, then click “Upload Certificates”, choose “PBX Certificates” in the Type window, then upload asterisk.pem.

Click Save to upload; you will need to reboot MyPBX for the change to take effect.

Click “Reboot Now” to reboot MyPBX. When done, we can move to Step 2.

Step2. Upload the trusted certificate.

The trusted certificate in MyPBX should be the ca.crt of the IP phone.
Click “Upload Certificates” and choose “Trusted Certificates” in the Type window, then upload the IP phone’s ca.crt.

Click “Save” to upload, then click “Apply Changes”.

The certificates on the MyPBX side are uploaded.

1.4. Register IP phone to MyPBX via TLS

Before registering the IP phone to MyPBX, we need to create a SIP extension on the MyPBX side in advance, or edit an existing one. In this example, the extension number is 303.
We need to set the protocol to TLS on this page, then click Save and “Apply Changes”.

Open the IP phone’s configuration page and input the registration information of extension 303.

Click “Confirm” to apply the changes; extension 303 is then registered via TLS.
We can also check the status in the “Extension Status” page of MyPBX.

If you have any problems with the extension’s registration, run a packet trace in “Reports--System Logs--Packet Capture Tool”: input the IP phone’s IP address, choose the eth port, then click “Start”. Register the IP phone again, then click “Stop” and download the capture to analyze in Wireshark. You can also send it to us for analysis.


2. How to register SIP trunk to VoIP provider via TLS

If your provider’s SIP trunk uses TLS, you can configure the trunk in MyPBX and choose TLS as its transport. Here are two examples.
VoIP trunk:

Service provider trunk (P-P).

If you have problems registering to the provider via TLS, you can also run a packet trace in the “System Log” page using the “Packet Capture Tool”, then send it to the provider or to us for analysis.
