To create or modify a TLS Profile:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to Security > TLS Profiles.

    TLS Profile


Modifying a TLS Profile

  1. Click the expand ( ) icon next to the entry you wish to modify.
  2. Edit the entry properties as required; see the field definitions below.

Creating a TLS Profile

  1. Click the Create TLS Profile ( ) icon at the top of the TLS Profile page, then fill in the fields described below.

    Create TLS Profile

TLS Profile - Field Definitions

TLS Protocol

Specifies the TLS protocol version(s) the profile allows. Valid entries: TLS 1.0 Only, TLS 1.2 Only, or TLS 1.0 - 1.2. Once a TLS Protocol option is selected, the Client Cipher List is automatically updated to display only the ciphers supported for the selected TLS version. Note that TLS 1.0 is deprecated (RFC 8996); select TLS 1.2 Only unless a peer that cannot negotiate TLS 1.2 forces you to keep 1.0 enabled.

The TLS version you choose for the SBC TLS Profile must be compatible with the TLS version configured in the SBA security template for the associated SIP Server:

  TLS Profile in SBC     | TLS to select in the SBA Security Template
  -----------------------|-------------------------------------------
  TLS 1.0 Only           | TLS 1.0-1.2
  TLS 1.2 Only           | TLS 1.2 Only or TLS 1.0-1.2
  TLS 1.0 - 1.2          | TLS 1.0-1.2


Mutual Authentication

Enables mutual authentication: the SBC requests the SIP peer's client certificate during the handshake and verifies it.

This setting is part of the standard level of Mutual TLS security. Mutual Authentication checks that the certificate is within its validity dates and that it is signed by a locally trusted root CA.

Handshake Inactivity Timeout

Specifies the handshake inactivity timeout interval for SIP TLS client and server handshakes.

The SBC terminates the TLS session if the handshake makes no progress within the specified period. Increase the timeout to 30 seconds if network delays and/or timeouts are observed.

Client Cipher List

Specifies the cipher suite parameter exchanged and negotiated in the SIP TLS client handshake message. The list is automatically populated with the ciphers supported for the selected TLS Protocol.

The SBC Edge supports the following TLS cipher suites (list modified for release 9.0.7):

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA

Only the TLS_ECDHE_RSA_* suites provide forward secrecy; the TLS_RSA_* suites use static RSA key transport, and the DES and 3DES suites use obsolete ciphers. Where every peer supports them, keep the list to the ECDHE AES-GCM suites (and, if needed, the ECDHE AES-CBC SHA-2 suites) and remove the rest.

Lync Cipher Incompatibility

The TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA suite is incompatible with Lync servers.
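To see which of the suites above remain selectable under each TLS Protocol setting, and which of them a practitioner would want to remove, the following Python is an added example and not Ribbon SBC Edge code. It parses the IANA suite names listed on this page and applies two facts from the TLS RFCs: SHA-256/384 suites and AES-GCM exist only from TLS 1.2 (RFC 5246, 5288, 5289), and DES, 3DES and static-RSA key exchange are weak. How the appliance itself filters the list is not visible here, so client_cipher_list is a model of the documented behaviour, and all function and constant names are ours.

```python
"""Classify the SBC Edge cipher suite list by TLS version and strength.

Added example, not vendor code. Names and helpers are assumptions.
"""
import re
from dataclasses import dataclass

# The cipher suites listed on this page, in IANA notation.
SBC_EDGE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
]

# The three values the TLS Protocol field accepts.
PROFILE_OPTIONS = ("TLS 1.0 Only", "TLS 1.2 Only", "TLS 1.0 - 1.2")

# TLS_<key exchange>_WITH_<bulk cipher>_<MAC or PRF hash>
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9]+(?:_[A-Z0-9]+)*?)_WITH_(?P<enc>.+)_(?P<mac>SHA(?:256|384)?)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str  # e.g. "ECDHE_RSA" or "RSA"
    cipher: str        # e.g. "AES_256_GCM", "3DES_EDE_CBC"
    mac: str           # "SHA", "SHA256" or "SHA384"

    @property
    def forward_secrecy(self) -> bool:
        # Ephemeral (EC)DH key exchange; static RSA key transport has none.
        return self.key_exchange.startswith(("ECDHE_", "DHE_"))

    @property
    def aead(self) -> bool:
        return self.cipher.endswith("_GCM")

    @property
    def tls12_only(self) -> bool:
        # SHA-256/384 suites and AES-GCM were introduced with TLS 1.2.
        return self.mac != "SHA" or self.aead

    @property
    def legacy_cipher(self) -> bool:
        # Single DES (56-bit key) and 3DES (64-bit block) are obsolete.
        return self.cipher.startswith(("DES_", "3DES_"))


def parse_suite(name: str) -> Suite:
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return Suite(name, m["kx"], m["enc"], m["mac"])


def client_cipher_list(protocol: str, names=SBC_EDGE_SUITES) -> list:
    """Model of the Client Cipher List being narrowed to the chosen TLS Protocol."""
    if protocol not in PROFILE_OPTIONS:
        raise ValueError(f"unknown TLS Protocol option: {protocol!r}")
    suites = [parse_suite(n) for n in names]
    if protocol == "TLS 1.0 Only":
        suites = [s for s in suites if not s.tls12_only]
    return [s.name for s in suites]


def weak_suites(names=SBC_EDGE_SUITES) -> dict:
    """Suites a practitioner should consider removing, mapped to the reason(s)."""
    findings = {}
    for s in map(parse_suite, names):
        reasons = []
        if s.legacy_cipher:
            reasons.append("legacy DES/3DES cipher")
        if not s.forward_secrecy:
            reasons.append("no forward secrecy (static RSA key exchange)")
        if reasons:
            findings[s.name] = reasons
    return findings


def preferred_suites(names=SBC_EDGE_SUITES) -> list:
    """Forward-secret, modern-cipher suites, AEAD first: a sensible list to keep."""
    keep = [s for s in map(parse_suite, names) if s.forward_secrecy and not s.legacy_cipher]
    return [s.name for s in sorted(keep, key=lambda s: not s.aead)]


if __name__ == "__main__":
    for option in PROFILE_OPTIONS:
        print(option, "->", len(client_cipher_list(option)), "suites")
    for suite, why in weak_suites().items():
        print("weak:", suite, ";", "; ".join(why))
    print("keep:", preferred_suites())
```

Running it shows that TLS 1.0 Only leaves only the five SHA-1 suites, every one of which is either a legacy cipher or lacks forward secrecy, which is the concrete reason to prefer TLS 1.2 Only with the ECDHE suites.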

Verify Peer Server Certificate

Specifies whether or not to verify the identity of a peer server when the SBC acts as the TLS client. Available only when Mutual Authentication is disabled.

This setting is part of the standard level of Mutual TLS security. Enabling Mutual Authentication implies this server-side verification, which is why the field is shown only when Mutual Authentication is disabled. Verify Peer Server Certificate checks that the certificate is within its validity dates and that it is signed by a locally trusted root CA.


Validate Server FQDN

Validate Server FQDN is an enhanced security feature of the SBC Edge. It must be disabled if the common name in the peer certificate is an IP address (a practice observed with some ITSPs). This field is only visible when Mutual Authentication is disabled and Verify Peer Server Certificate is enabled.

When Validate Server FQDN is enabled, the SBC Edge matches the common name (CN) or Subject Alternative Name (SAN) of the incoming peer certificate against the host configured in the SIP Server table of the SBC Edge (the protocol must be TLS and the Host must be an FQDN).

  • The SBC Edge does not validate IP addresses to identify a peer server, only Fully Qualified Domain Names (FQDNs).
  • Make sure this parameter is set to Disabled if the peer server is configured by IP address, otherwise the match can never succeed and the TLS connection fails.

Certificate (Client Attributes)

Specifies the certificate (primary or supplementary) that the SBC sends when it receives a certificate request from the destination endpoint during the Mutual TLS handshake. The client attributes of the TLS profile apply to SIP Server Table entries configured for the TLS protocol. The default is the primary certificate.

Validate Client FQDN

Enables a reverse DNS lookup of the peer's IP address and matches the resulting FQDN against the SIP peer's client certificate to verify its identity.

This check runs only when both Mutual Authentication and Validate Client FQDN are enabled; if Mutual Authentication is disabled, Validate Client FQDN is disabled as well. Validate Client FQDN is an enhanced security feature of the SBC Edge that must be disabled if the common name in the peer certificate is an IP address (some ITSPs do this). When enabled, the SBC Edge performs an FQDN match of the incoming peer certificate's common name (CN) or Subject Alternative Name (SAN) against the FQDN returned by a reverse DNS (PTR) lookup of the peer's IP address.

The SBC Edge does not validate IP addresses to identify a peer, only Fully Qualified Domain Names (FQDNs). Note that the PTR record is controlled by whoever administers the reverse zone for the peer's address range, so this check is only as trustworthy as that zone and the resolver path to it; it complements, and does not replace, the CA signature check performed by Mutual Authentication.
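The following Python models the Validate Server FQDN and Validate Client FQDN decisions described above. It is an added example, not Ribbon SBC Edge code: the certificate identity is passed in as a small constructed record instead of a parsed X.509 certificate, the reverse DNS lookup is injected as a function so the example runs offline against a constructed PTR table, and all names (PeerCertIdentity, CheckResult, validate_server_fqdn, validate_client_fqdn, the .example hosts and the documentation-range IP addresses) are ours. It demonstrates the exact CN/SAN match, the normalisation needed for PTR answers, and the two failure modes the page warns about (an IP-address host, and a peer with no usable PTR record).

```python
"""Model the SBC Edge Validate Server FQDN / Validate Client FQDN checks.

Added example, not vendor code. Inputs and helper names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class PeerCertIdentity:
    """Identity fields of a peer certificate (stand-in for parsing X.509)."""
    common_name: Optional[str]
    san_dns_names: tuple = ()


@dataclass(frozen=True)
class CheckResult:
    ok: bool        # True if the handshake may proceed as far as this check is concerned
    checked: bool   # False when the check was not applied (disabled or implied off)
    reason: str


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals; "[2001:db8::1]" bracket form is accepted too."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _norm(name: str) -> str:
    # DNS names are case-insensitive; the trailing dot of a PTR answer is not significant.
    return name.rstrip(".").lower()


def cert_names(cert: PeerCertIdentity) -> list:
    names = list(cert.san_dns_names)
    if cert.common_name:
        names.append(cert.common_name)
    return names


def fqdn_matches(cert: PeerCertIdentity, expected_fqdn: str) -> bool:
    """Exact (not wildcard) match of the expected FQDN against CN or any SAN dNSName."""
    want = _norm(expected_fqdn)
    return any(_norm(n) == want for n in cert_names(cert))


def validate_server_fqdn(cert: PeerCertIdentity, sip_server_host: str,
                         enabled: bool = True) -> CheckResult:
    """SBC as TLS client: match the server certificate against the SIP Server table host."""
    if not enabled:
        return CheckResult(True, False, "Validate Server FQDN is disabled")
    if is_ip_literal(sip_server_host):
        # Only FQDNs are validated: an IP host can never match, so the option must be disabled.
        return CheckResult(False, True, f"SIP Server host {sip_server_host} is an IP address; "
                                        "disable Validate Server FQDN or configure an FQDN")
    if fqdn_matches(cert, sip_server_host):
        return CheckResult(True, True, f"certificate CN/SAN matches SIP Server host {sip_server_host}")
    return CheckResult(False, True, f"certificate names {cert_names(cert)} do not include {sip_server_host}")


def validate_client_fqdn(cert: PeerCertIdentity, peer_ip: str,
                         reverse_lookup: Callable[[str], Optional[str]],
                         mutual_auth: bool = True, enabled: bool = True) -> CheckResult:
    """SBC as TLS server: match the client certificate against the PTR name of the peer IP."""
    if not mutual_auth:
        return CheckResult(True, False, "Mutual Authentication is disabled, so Validate Client FQDN is disabled too")
    if not enabled:
        return CheckResult(True, False, "Validate Client FQDN is disabled")
    # The PTR answer is only as trustworthy as the reverse zone and the resolver path to it.
    ptr_name = reverse_lookup(peer_ip)
    if ptr_name is None:
        return CheckResult(False, True, f"no PTR record for {peer_ip}; no FQDN to match against")
    if fqdn_matches(cert, ptr_name):
        return CheckResult(True, True, f"certificate CN/SAN matches PTR name {ptr_name} of {peer_ip}")
    return CheckResult(False, True, f"PTR name {ptr_name} of {peer_ip} not in certificate names {cert_names(cert)}")


# Constructed PTR table standing in for live reverse DNS (documentation address ranges).
CONSTRUCTED_PTR = {
    "198.51.100.10": "sip1.carrier.example.",
    "198.51.100.11": "pbx.other.example.",
}


def constructed_reverse_lookup(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


# Constructed peer certificate identity: CN plus two SAN dNSName entries.
CARRIER_CERT = PeerCertIdentity(
    common_name="sip1.carrier.example",
    san_dns_names=("sip1.carrier.example", "sip2.carrier.example"),
)

if __name__ == "__main__":
    print(validate_server_fqdn(CARRIER_CERT, "SIP2.carrier.example."))
    print(validate_server_fqdn(CARRIER_CERT, "198.51.100.10"))
    print(validate_client_fqdn(CARRIER_CERT, "198.51.100.10", constructed_reverse_lookup))
    print(validate_client_fqdn(CARRIER_CERT, "198.51.100.11", constructed_reverse_lookup))
```

The server check fails closed when the SIP Server host is an IP literal, which is the observable effect behind the instruction to disable Validate Server FQDN in that case; the client check fails closed when the peer's address has no PTR record, so a peer behind an address range with no reverse zone cannot pass it however good its certificate is.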

Certificate (Server Attributes)

Specifies the certificate (primary or supplementary) that the SBC sends to the endpoint that initiates the TLS handshake. The server attributes of the TLS profile apply to SIP Signaling Group Listener Port entries configured for the TLS protocol. The default is the primary certificate.