If you want to wish a colleague a happy New Year without outsiders listening in, take advantage of traffic encryption in 3CX!
Some users have questions about setting up secure voice transmission in the system. Let's see how to protect voice traffic from wiretapping quickly and simply.
General principles
Before describing the system settings, let us decide which type of encryption should be used in each case.
1. Remote connections of individual users (outside the local network). Encryption is provided by the proprietary 3CX Tunnel technology built into all 3CX software clients. Please note that 3CX Tunnel cannot be used together with the TLS and SRTP encryption protocols.
2. Connecting remote offices. Encryption is also provided by 3CX Tunnel technology, integrated into the 3CX Session Border Controller utility. 3CX SBC is installed in the remote office on a computer or server that is always on. In addition to encrypting traffic, it proxies voice traffic inside the office and provides remote auto-configuration of IP phones.
3. Locally connected 3CX software clients. TLS / SRTP encryption is currently supported for 3CX Client for Windows and Mac. Encryption can be enabled centrally in the 3CX interface. However, how this technology works will be discussed in one of the following articles.
4. Locally connected hardware IP phones. As an example, we will look at enabling encryption on popular Yealink phones.
Enabling Encryption in 3CX Phone System
To enable encryption, install a self-signed certificate in the 3CX Phone System. To do this:
1. Go to the certificate generation site, enter in the top field the IP address of the server's network interface that connects to the local network, and click the Generate button. For example, the local IP address of my server is 192.168.0.2.
2. In the 3CX interface, go to Settings → Security → Secure SIP, check the Secure SIP / TLS checkbox and paste the Certificate and Key text copied in step 1 into the corresponding fields.
3. Click OK and restart the 3CX PhoneSystem SIP Server service.
Enabling Encryption in Yealink Phones
After encryption support is enabled on the 3CX side, enable it on users' IP phones. To do this:
1. In Yealink phones officially delivered to the Russian Federation, encryption is disabled in accordance with the law. Therefore, to use this feature, update the firmware from the official Yealink website. For the SIP-T21 E2 model, 3CX recommends firmware T21P_E2-52.80.0.130.zip.
2. Connect your phone to 3CX by following this guide.
3. In the phone interface, in the Account section, select the TLS protocol and set the SIP port to 5061.
4. In the Advanced section, enable SRTP encryption. If you select Required, communication will be possible only with a device on which SRTP encryption is also enabled. Otherwise, the call fails with the error 488 Not Acceptable Here.
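5. In the Security → Trusted Certificates section, set the Accept only trusted certificates option to Disabled. This is needed because the self-signed certificate installed on the server is not in the phone's trusted list; with the check disabled, the phone encrypts the session but does not verify the server's certificate.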
6. The phone will reboot. You can tell that encryption is enabled by the characteristic “lock” icon on the phone screen during a call.
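To confirm from a SIP trace that steps 3 and 4 took effect, the following added example (not part of the original article, and not 3CX or Yealink code) checks an INVITE for TLS in the Via header and for an SRTP audio offer. It assumes SDES key exchange (RTP/SAVP with an a=crypto line); the sample message, the phone address 192.168.0.50 and the function names are constructed for illustration.

```python
# Added example. The INVITE below is constructed: the phone address and the
# key text are placeholders; 192.168.0.2 is the server address from the article.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:101@192.168.0.2:5061;transport=tls SIP/2.0",
    "Via: SIP/2.0/TLS 192.168.0.50:5061;branch=z9hG4bKconstructed",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.0.50",
    "s=-",
    "c=IN IP4 192.168.0.50",
    "t=0 0",
    "m=audio 11780 RTP/SAVP 0 8",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY",
    "",
])

def signalling_transport(message):
    """Transport of the topmost Via header: 'TLS' when step 3 took effect."""
    headers = message.partition("\r\n\r\n")[0]
    for line in headers.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):    # 'v' is the compact form
            return value.split()[0].split("/")[2].upper()
    return None

def audio_streams(message):
    """(profile, has_crypto) for every m=audio section of the SDP body."""
    body = message.partition("\r\n\r\n")[2]
    streams, in_audio = [], False
    for line in body.splitlines():
        if line.startswith("m="):
            in_audio = line.startswith("m=audio ")
            if in_audio:
                streams.append([line.split()[2], False])
        elif in_audio and line.startswith("a=crypto:"):
            streams[-1][1] = True                   # key offered for this stream
    return [tuple(s) for s in streams]

def call_is_encrypted(message):
    """True only if signalling is TLS and every audio stream is SDES-SRTP."""
    streams = audio_streams(message)
    return (signalling_transport(message) == "TLS" and bool(streams)
            and all(p == "RTP/SAVP" and c for p, c in streams))

if __name__ == "__main__":
    print(signalling_transport(SAMPLE_INVITE), audio_streams(SAMPLE_INVITE))
```

An offer that carries an a=crypto line under the plain RTP/AVP profile is reported as not encrypted, because the audio profile itself is still unprotected RTP.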
That's all. On this positive note, we finish 2016!
Happy New Year and all the best to you in 2017!