1. Choose VoIP.
  2. Scroll to SIP Port Settings.

  3. In the UDP System Port field, enter the port(s) on which the system listens for SIP over UDP messages from SIP clients. To specify multiple UDP ports, separate each port with a comma. The default value is “5060,5070,5075”.

  4. In the REGISTER restricted to the port field, enter 0 to accept REGISTER on any configured SIP port, or enter any UDP port number to restrict REGISTER requests to the specified port.

  5. In the UDP System Source Port field, enter a source port to use when sending SIP over UDP messages to the SIP Server. The system also listens for SIP messages on this port, similar to the Client Listening Port(s).
  6. Check the Block UDP support on WAN box so that all incoming SIP UDP messages from WAN to the UDP port of EdgeMarc are dropped.
  7. In the TCP System Port field, enter the port on which this device will listen for SIP over TCP connection requests. Enter any valid TCP port.
  8. In the TCP Connection Timeout (m) field, enter a time in minutes for this device to monitor all TCP connections. If there is no activity on any specific port for a specified amount of time, that connection is closed. The minimum value is 4 minutes.
  9. Check the Block TCP support on WAN box so that all incoming SIP TCP messages from WAN to the TCP port of EdgeMarc are dropped.
  10. In the TLS System Port field, enter the port on which this device will listen for SIP over TLS connection requests. Enter any valid TCP port. The TLS port cannot be the same as the TCP port.

  11. Select a protocol from the TLS Protocol drop-down list:

    • TLSv1: Allows only TLS protocol version 1.0 (RFC 2246)

    • TLSv1.2: Allows only TLS protocol version 1.2 (RFC 5246)
    • TLSv1.3: Allows only TLS protocol version 1.3 (RFC 8446)
  12. Check the Use only selected version box to use the selected TLS Protocol for negotiations. Note that higher versions will not be added as supported versions.
  13. In the Ciphers String field, enter a string to add or restrict the cipher suites this device offers during a TLS handshake.
  14. For certificate mutual authentication, select LAN and WAN interface policies from the following drop-down lists:
    • Certificate—The X.509 certificate for the interface in PEM format. The certificates are loaded using the Security > Certificate Store page. Make sure that the common name (CN) in the certificate matches the domain name or IP of the interface.
      The certificate can be a user-configured certificate, a hardware platform unique certificate installed at manufacturing time, or a standard certificate bundled in the VOS firmware. 

      For the hardware platform unique certificate installed at manufacturing time, the common name will be the LAN MAC of the system. 

      If the user has explicitly configured a certificate to use, this is used first. If there is no user-configured certificate, but the hardware system has a platform-unique certificate, this will be used. If there is no user-configured certificate or a unique hardware platform certificate, then the firmware common certificate is used.

    • Policy—Peer certificate verification policy:

      • No check—The peer certificate is not verified.

      • Verify if provided—Send a client certificate request to clients but continue handshake if the client does not return a certificate. Fail if the certificate is returned and the verification fails.

      • Require and Verify—Send a client certificate request to clients and continue only if the client sends a certificate and the certificate verification succeeds.

      • Require and Verify Once—Same as “Require and Verify” except that client certificate requests are not sent during renegotiation.

  15. Check the Block TLS support on WAN box so that all incoming SIP TLS messages from WAN to the TLS port of EdgeMarc are dropped.
  16. Enable the Exclude sips headers for TLS Transport option to use the 'sip' URI scheme in translated SIP messages. This option is available only for TLS transport.
  17. Check the Set TLS source port box to initiate the TLS connection from EdgeMarc with the TLS system port as the source port. The default value is 5061.
  18. Configure LAN certificates and WAN certificates separately to efficiently manage SSL certificates for multiple WAN interfaces.
    LAN and WAN Certificates Details (option: description)

    • Interface: Displays the interface name (Primary or Secondary).
    • VLAN ID: Displays the VLAN ID of the VLAN. If the VLAN is not configured, this field is blank.
    • Certificate: Displays the certificate type selected.
    • Policy: Displays the selected peer certificate verification policy.
  19. Click Submit. For more information on submitting your changes, refer to Submit Configuration Changes.
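
The TLS choices in steps 11 to 14, shown as an added example with Python's ssl module; this is not EdgeMarc code and does not describe how the device implements these settings. It builds a server-side context from the protocol, "Use only selected version", cipher string and policy values, and lists weak choices. The function name, the mapping of policy names to verify modes, and the reading that an unchecked "Use only selected version" leaves higher versions enabled are assumptions.

```python
import ssl

# The page's TLS Protocol choices mapped to Python's TLSVersion enum.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# The page's peer verification policies mapped to the closest ssl verify mode.
# "Require and Verify Once" differs only during renegotiation, which the ssl
# module does not expose, so it maps to CERT_REQUIRED here (assumption).
POLICIES = {
    "No check": ssl.CERT_NONE,
    "Verify if provided": ssl.CERT_OPTIONAL,
    "Require and Verify": ssl.CERT_REQUIRED,
    "Require and Verify Once": ssl.CERT_REQUIRED,
}


def build_server_context(protocol, only_selected, ciphers, policy):
    """Return (SSLContext, findings) for a listener set up like steps 11-14."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = VERSIONS[protocol]
    if only_selected:
        # Pin the ceiling too, so no higher version is offered.
        ctx.maximum_version = VERSIONS[protocol]
    try:
        # Applies to TLS 1.2 and below; TLS 1.3 suites are not set this way.
        ctx.set_ciphers(ciphers)
    except ssl.SSLError as exc:
        raise ValueError(f"cipher string selects no suites: {ciphers!r}") from exc
    ctx.verify_mode = POLICIES[policy]

    findings = []
    if protocol == "TLSv1":
        findings.append("TLS 1.0 enabled (deprecated by RFC 8996)")
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate is not verified")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("peers without a certificate are still accepted")
    return ctx, findings
```

A listener built this way still needs its certificate and trust anchors loaded (`load_cert_chain`, `load_verify_locations`) before it can complete a handshake.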