
To create or modify a TLS Profile:

  1. Click the Create TLS Profile icon at the top of the TLS Profile page.

     [Figure: Create TLS Profile]

TLS Protocol

Specifies the TLS version. Valid entries: TLS 1.0 Only, TLS 1.2 Only, or TLS 1.0 - 1.2. Once the TLS version is selected, the Client Cipher List is automatically updated to display only the ciphers supported for the selected TLS version.

Note

The TLS version you choose for the SBC TLS Profile must match the TLS version configured in the SBA security for the associated SIP Server.

For TLS Profile in SBC...    Select the TLS below in SBA Security Template
TLS 1.0 Only                 TLS 1.0-1.2
TLS 1.2 Only                 TLS 1.2 only or TLS 1.0-1.2
TLS 1.0 - 1.2                TLS 1.0-1.2

Mutual Authentication

Enables the mutual authentication request and verification of the SIP peer client certificate.

Note

This setting is part of the standard level of Mutual TLS security. Mutual Authentication includes a check on the certificate dates for certificate validity and whether the certificate is signed by a local trusted root CA.

When enabled, this option allows the use of a weak (older) cipher, and an additional (weak) cipher is added to the end of the client cipher list.

  • SBC as the TLS server: When the SBC acts as the server, it allows older clients to authenticate using older TLS ciphers.
  • SBC as the TLS client: When the SBC acts as a client in the call, the additional cipher added to the end of the list is offered to the server when negotiating the cipher. The ordered list of ciphers is presented to the server end with the cipher preferred by the SBC at the top.

Handshake Inactivity Timeout

Specifies the SIP TLS client and server handshake inactivity timeout interval.

The Inactivity Timeout terminates the TLS session if there have been no handshakes in the specified period of time. The handshake inactivity timeout should be adjusted to 30 seconds if there are network delays and/or timeouts.


Client Cipher List

Specifies the cipher suite parameter exchanged and negotiated in the SIP TLS client handshake message. The list is automatically populated with the ciphers supported for the selected TLS Protocol.

The Sonus SBC 1000/2000 supports the following TLS cipher suites:

  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA

Note: Lync Cipher Incompatibility

The TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher suite is incompatible with Lync servers.
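The following is an added example, not code from the Sonus documentation or from the SBC itself. It shows how the TLS Protocol selection described above narrows the Client Cipher List, applies the Lync caveat, and what the "ordered list with the preferred cipher at the top" means when the SBC is the TLS client. Two assumptions are labelled in the code: that suites ending in SHA256/SHA384 can only be carried by TLS 1.2 (the page does not state the SBC's filtering rule), and that negotiate() models a server which honours the client's preference order.

```python
"""Added example (not Sonus SBC code): TLS Profile version -> Client Cipher List,
plus a model of what the ordered list means in negotiation.

Assumptions, labelled here because the page does not state them:
  * Suites whose names end in SHA256/SHA384 use the TLS 1.2 PRF/MAC and so
    cannot be offered under TLS 1.0; the SHA-1 suites are valid for both.
  * negotiate() models a server that honours the client's preference order;
    a real server may apply its own order instead.
"""

# The nine suites listed on the page, in the page's order (IANA spelling).
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
]

# The page's own caveat: this suite does not work with Lync servers.
LYNC_INCOMPATIBLE = {"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"}

# The page's three TLS Protocol entries -> protocol versions the profile may use.
PROFILE_VERSIONS = {
    "TLS 1.0 Only": {"1.0"},
    "TLS 1.2 Only": {"1.2"},
    "TLS 1.0 - 1.2": {"1.0", "1.2"},
}


def min_tls_version(suite: str) -> str:
    """Lowest protocol version that can carry the suite (assumption above)."""
    return "1.2" if suite.endswith(("_SHA256", "_SHA384")) else "1.0"


def client_cipher_list(profile_version: str, lync_peer: bool = False) -> list:
    """Ordered Client Cipher List for a TLS Profile version, SBC order preserved."""
    versions = PROFILE_VERSIONS.get(profile_version)
    if versions is None:
        raise ValueError(f"unknown TLS Profile version: {profile_version!r}")
    highest = max(versions)  # "1.2" > "1.0" holds for these two strings
    suites = [s for s in SUPPORTED_SUITES if min_tls_version(s) <= highest]
    if lync_peer:
        suites = [s for s in suites if s not in LYNC_INCOMPATIBLE]
    return suites


def weak_suites(suites) -> list:
    """Suites built on single DES or 3DES. Assumption: these are the
    'weak (older)' ciphers the page mentions without naming them."""
    return [s for s in suites if "_DES_" in s or "_3DES_" in s]


def negotiate(client_ordered, server_supported):
    """SBC as TLS client: the first suite in the SBC's ordered list that the
    server also supports, or None if there is no overlap (assumption: the
    server honours the client's order)."""
    for suite in client_ordered:
        if suite in server_supported:
            return suite
    return None


if __name__ == "__main__":
    for version in PROFILE_VERSIONS:
        suites = client_cipher_list(version)
        print(f"{version}: {len(suites)} suites, weak: {weak_suites(suites)}")
```

Running the block shows that "TLS 1.0 Only" keeps only the five SHA-1 suites, while "TLS 1.2 Only" and "TLS 1.0 - 1.2" keep all nine; weak_suites() lists the three DES/3DES suites a profile review would want removed where the peer does not need them.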

Verify Peer Server Certificate

Specifies whether or not to verify the identity of a peer server. Available when Mutual Authentication is disabled.

Note

This setting is part of the standard level of Mutual TLS security. Verify Peer Server Certificate implies that Mutual Authentication is enabled first. Verify Peer Server Certificate includes a check on the certificate dates for certificate validity and whether the certificate is signed by a local trusted root CA.

[Figure: Verify Peer Server Certificate]

Validate Server FQDN

Validate Server FQDN is an enhanced security feature of the Sonus SBC 1000/2000, which is disabled if the common name in the certificate is an IP address (a practice observed by some ITSPs). This field is only visible when Validate Peer Server Certificate is enabled and Mutual Authentication is disabled.

When Validate Server FQDN is enabled, the Sonus SBC 1000/2000 performs an FQDN match of an incoming peer certificate common name (CN) or Subject Alternate Name (SAN) against the host configured in the SIP Server table of the Sonus SBC 1000/2000 (the protocol must be TLS and the Host must be in the form of an FQDN).

Note

  • The Sonus SBC 1000/2000 does not validate IP addresses to identify a peer server, but only Fully Qualified Domain Names (FQDN).
  • Make sure this parameter is set to Disabled if the peer server is using an IP address.

Validate Client FQDN

Specifies the reverse DNS lookup of a peer's FQDN. Used to verify the identity of the SIP peer client certificate.

This action takes place when both MTLS Mutual Authentication and Validate Client FQDN are enabled. If MTLS Mutual Authentication is disabled, Validate Client FQDN is also disabled. Validate Client FQDN is an enhanced security feature of the Sonus SBC 1000/2000, which could be disabled if the common name in the certificate is an IP address (some ITSPs do that). When Validate Client FQDN is enabled, the Sonus SBC 1000/2000 performs an FQDN match of an incoming peer certificate common name (CN) or Subject Alternate Name (SAN) against a reverse DNS lookup of the IP address to an FQDN.

Note

The Sonus SBC 1000/2000 does not validate IP addresses to identify a peer server, but only Fully Qualified Domain Names (FQDN).
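The following is an added example, not code from the Sonus documentation or from the SBC, modelling the two FQDN checks described in the Validate Server FQDN and Validate Client FQDN sections above. validate_server_fqdn() matches the peer certificate's CN or SAN against the Host configured in the SIP Server table and refuses IP addresses as identities, which is why the page says to disable the option when the peer uses an IP. validate_client_fqdn() resolves the peer's IP with a reverse DNS lookup and matches the resulting FQDN against CN or SAN. Assumptions not stated on the page and labelled in the code: matching is case-insensitive, a trailing dot is ignored, wildcards are not handled, and the reverse lookup is an injected callable so the example runs offline; every host name and address used is a constructed sample.

```python
"""Added example (not Sonus SBC code): models of Validate Server FQDN and
Validate Client FQDN as the page describes them.

Assumptions (not stated on the page): case-insensitive matching, trailing dot
ignored, no wildcard handling, reverse DNS injected as a callable so the
example runs offline. All names and addresses below are constructed samples.
"""

import ipaddress


def is_ip_address(value: str) -> bool:
    """True for an IPv4/IPv6 literal; the SBC never validates these as identities."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def normalise(name: str) -> str:
    """Assumption: compare names case-insensitively and without a trailing dot."""
    return name.strip().rstrip(".").lower()


def certificate_names(cn, sans) -> list:
    """Identities the certificate presents (CN first, then SANs), with any
    IP-address entries dropped because only FQDNs are validated."""
    return [normalise(n) for n in [cn, *sans] if n and not is_ip_address(n)]


def validate_server_fqdn(configured_host: str, cert_cn: str, cert_sans) -> tuple:
    """Validate Server FQDN: CN or SAN must equal the Host in the SIP Server
    table. Returns (ok, reason)."""
    if is_ip_address(configured_host):
        return False, "SIP Server host is an IP address; set Validate Server FQDN to Disabled"
    names = certificate_names(cert_cn, cert_sans)
    if not names:
        return False, "certificate carries only IP-address identities"
    if normalise(configured_host) in names:
        return True, "CN/SAN matches configured host"
    return False, f"no CN/SAN matches {configured_host}"


def validate_client_fqdn(peer_ip: str, cert_cn: str, cert_sans, reverse_lookup) -> tuple:
    """Validate Client FQDN: reverse-resolve the peer IP, then CN or SAN must
    equal one of the returned FQDNs. reverse_lookup(ip) -> list of names
    (stands in for a PTR query). Returns (ok, reason)."""
    fqdns = [normalise(f) for f in reverse_lookup(peer_ip)]
    if not fqdns:
        return False, f"no reverse DNS entry for {peer_ip}"
    names = certificate_names(cert_cn, cert_sans)
    matched = [f for f in fqdns if f in names]
    if matched:
        return True, f"CN/SAN matches reverse DNS name {matched[0]}"
    return False, "no CN/SAN matches the reverse DNS names"


# Constructed sample reverse-DNS table standing in for real PTR answers.
SAMPLE_PTR = {
    "198.51.100.7": ["trunk.example.com."],
    "198.51.100.9": [],
}


def sample_reverse_lookup(ip: str) -> list:
    return SAMPLE_PTR.get(ip, [])


if __name__ == "__main__":
    print(validate_server_fqdn("sip.example.com", "sip.example.com", []))
    print(validate_server_fqdn("203.0.113.5", "203.0.113.5", []))
    print(validate_client_fqdn("198.51.100.7", "trunk.example.com", [], sample_reverse_lookup))
    print(validate_client_fqdn("198.51.100.9", "trunk.example.com", [], sample_reverse_lookup))
```

The server check fails closed in both directions the page warns about: when the configured Host is an IP literal and when the certificate's only identity is an IP literal. The client check fails closed when the peer address has no reverse DNS entry, which is the operational reason the feature is optional for ITSPs that present IP-address certificates.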