To create or modify a TLS Profile:
In the left navigation pane, go to Security > TLS Profiles.
Click the CreateTLS Profile ( ) icon at the top of the TLS Profile page.
Specifies the TLS Protocol. Valid entries: TLS 1.0 Only, TLS 1.2 Only, or TLS 1.0 - 1.2. Once the TLS is option is selected, the Client Cipher List is automatically updated to display only the ciphers supported for the selected TLS version.
The TLS version you choose for SBC TLS Profile must match the TLS version configured in the SBA security for the associated SIP Server.
For TLS Profile in SBC... | Select the TLS below in SBA Security Template |
---|---|
TLS 1.0 Only | TLS 1.0-1.2 |
TLS 1.2 Only | TLS 1.2 only or TLS 1.0-1.2 |
TLS 1.0 - 1.2 | TLS 1.0-1.2 |
Enables the Mutual authentication request and verifications of the SIP peer client certificate.
This setting is part of the standard level of Mutual TLS security. Mutual Authentication includes a check on the certificate dates for certificate validity and whether the certificate is signed by a local trusted root CA.
Specifies the SIP TLS client and server handshake inactivity timeout interval.
The Inactivity Timeout terminates the TLS session if there have been no handshakes in the specified period of time.
The handshake inactivity timeout should be adjusted to 30 seconds if there are network delays and/or timeouts.
Specifies whether or not to verify the identity of a peer server. Available when Mutual Authentication is disabled.
This setting is part of the standard level of Mutual TLS security. Verify Peer Server Certificate implies that Mutual Authentication is enabled first. Verify Peer Server Certificate includes a check on the certificate dates for certificate validity and whether the certificate is signed by a local trusted root CA.
Specifies the cipher suite parameter exchanged and negotiated in the SIP TLS client handshake message. The list is automatically populated with the ciphers supported for the selected TLS Protocol.
The
The TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA is incompatible with Lync servers.
The Validate Server FQDN is an enhanced security feature of the
Validate Server FQDN (enabled) option allows the
Specifies the reverse DNS lookup of a peer's FQDN. Used to verify the identity of the SIP peer client certificate.
This action takes place when both, MTLS and "Validate Client FQDN" are enabled. If MTLS is disabled, the "Validate Client FQDN" is also disabled. "Validate Client FQDN" is an enhanced security feature of