
TLS Roles for the Sentinel

The Sentinel supports SIP over TLS. Each signaling interface listens on UDP, TCP, and TLS simultaneously. For TLS, a signaling interface can be set up as a SIP TLS client, a TLS server, or both (the default).

The TLS mode of each signaling interface is configured in the Signaling Interface Configuration table, under SBC/Configuration.

The Sentinel can be used as:
  • TLS server:
    • Secure communication with remote users
    • SIP trunk to a remote office (SBC as the hub)
    • SIP trunk between SBCs (one side must be the server)
  • TLS client:
    • SIP trunk to a provider (provider as the TLS server)
    • Registered SIP user clients to a provider
    • SIP trunk between SBCs (one side must be the client)

For more details on Transport Layer Security (TLS), refer to the DGW Configuration Guides - Transport Layer Security document published on the Media5 documentation portal at https://documentation.media5corp.com


Sentinel TLS Support Level

  • SSL v3.0 is no longer supported as of DGW v46.0.2025.
  • The default is TLS v1.2 (as a client, the Sentinel offers TLS v1.2 first), but if the other party does not support TLS v1.2 the negotiation can fall back to TLS v1.1 or TLS v1.0. Both of those versions are formally deprecated (RFC 8996); a peer that can only negotiate them should be treated as a risk rather than accommodated indefinitely.
  • When the Sentinel is used as a TLS server, it:
    • accepts TLS v1.0, TLS v1.1, or TLS v1.2
    • does not request a client certificate; in other words, mutual TLS is not supported in this mode
  • When the Sentinel is used as a TLS client, it:
    • accepts TLS v1.0, TLS v1.1, or TLS v1.2
    • presents its own host certificate if the server requests one for mutual TLS
  • Ciphers:
    • Only SHA-2 cipher suites are supported (equivalent to CS3 in the Dgw2.0 TLS cipher setting).
    • SHA-1 is no longer supported.
  • Certificate chain validation is supported up to 9 levels.
  • During the TLS handshake, the SBC validates the peer's (server's) certificate against its Common Name or Subject Alternative Name. This is the default behaviour. Validation can be disabled with the following setting:
    Sbc.CertificateValidation = "NoValidation"
    Disabling it removes the only check that the far end is the intended server, so an impersonating peer would be accepted; use it for troubleshooting only.
  • Unlike other services such as SipEp, which support an intermediate validation level of "TrustedCertificate", the Sbc service has no such level: when validation is enabled, the certificate name must match.


Certificates Required by the Sentinel SBC Used as the TLS Client

All the certificates needed for TLS when the Sentinel SBC is used as the TLS client are located under Management/Certificates, in the Other Certificates table.

As the client, the Sentinel SBC needs the public CA certificate (the Other type) of the authority that signed the server's certificate. CA certificates placed here are treated as trusted, so load only the CAs you actually intend to trust. For more details on certificates, refer to the Technical Bulletins - Using Trusted CA and Hosted Certificates document published on the Media5 documentation portal at https://documentation.media5corp.com.


Certificates Required by the Sentinel SBC Used as the TLS Server

To be a TLS server, the Sentinel SBC must be loaded with at least one host certificate. Host certificates are found under Management/Certificates, in the Host Certificates table.

The Sentinel does not generate its own private key or CSR (Certificate Signing Request); the certificate is created on another platform. For information on creating host certificates, refer to the Technical Bulletins - Creating a Media5 Device Host Certificate with OpenSSL document.

A Sentinel SBC can have multiple host certificates. Their specific usage (or association) is configurable in this section under the same tab: the Sbc box must be checked for the SBC service to apply the desired host certificate.

If the host certificate is signed by an intermediate CA, place the intermediate CA certificate in the Other Certificates table as well. That way, when a client requests the server certificate, the intermediate CA certificate is embedded in the chain the SBC presents, and a client that trusts only the root can still build the chain. Make sure the host certificate's validity period covers the current date: if it does not, the SBC will not present the host certificate in the TLS handshake and the TLS negotiation will fail.
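The requirements above (chain to a trusted root within 9 levels, SHA-2 signature, name match with no weaker "trusted certificate" level, validity period) can all be checked before a host certificate is uploaded, and the TLS versions a signaling interface actually negotiates can be probed afterwards. The following shell script is an added example and not Media5 code. It builds a constructed root CA / intermediate CA / host chain to stand in for the external platform that issues the Sentinel's certificates, runs the checks on it, and defines a separate probe function for a reachable unit. The file names, the demo_dir paths and the name sbc.example.com are assumptions; it requires the OpenSSL 1.1.1 or later command-line tool.

```shell
#!/bin/sh
# Added example, not Media5 code: pre-upload checks for a Sentinel host certificate chain
# (root CA -> intermediate CA -> host) against the rules this page states, plus a probe of
# which TLS versions a running signaling interface negotiates. Needs the OpenSSL 1.1.1+ CLI.
# File names and sbc.example.com are constructed for the demo.

# make_demo_pki DIR NAME HOST_DAYS: constructed PKI standing in for the "other platform" that
# issues the Sentinel's certificates (the unit generates neither key nor CSR itself).
make_demo_pki() {
  dir=$1; name=$2; host_days=$3
  mkdir -p "$dir"
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Root CA: self-signed, SHA-256 (the unit rejects SHA-1 signatures).
  openssl req -x509 -config "$dir/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # Intermediate CA: the certificate that belongs in the Other Certificates table so the
  # SBC can embed it in the chain it presents to TLS clients.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/inter.ext"
  openssl x509 -req -sha256 -days 1825 -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/inter.ext" -out "$dir/inter.pem" 2>/dev/null
  # Host certificate: CN and SAN both carry the name the peer will match against.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$name" -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$name" > "$dir/host.ext"
  openssl x509 -req -sha256 -days "$host_days" -in "$dir/host.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -extfile "$dir/host.ext" -out "$dir/host.pem" 2>/dev/null
}

# check_host_cert HOST_PEM INTER_PEM ROOT_PEM EXPECTED_NAME MIN_SECONDS
# Returns 0 only when the host certificate satisfies what the page requires of the SBC:
# chains to ROOT_PEM through INTER_PEM within 9 levels, SAN or CN matches EXPECTED_NAME
# (the Sbc service has no weaker "TrustedCertificate" level), SHA-2 signature, and still
# valid for at least MIN_SECONDS (an expired host certificate is simply not presented).
check_host_cert() {
  host=$1; inter=$2; root=$3; name=$4; min=$5
  openssl verify -verify_depth 9 -CAfile "$root" -untrusted "$inter" "$host" >/dev/null 2>&1 \
    || { echo "FAIL: $host does not chain to $root (is the intermediate in Other Certificates?)"; return 1; }
  openssl verify -verify_depth 9 -verify_hostname "$name" -CAfile "$root" -untrusted "$inter" "$host" >/dev/null 2>&1 \
    || { echo "FAIL: neither SAN nor CN of $host matches $name"; return 1; }
  alg=$(openssl x509 -in "$host" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  case "$alg" in
    *sha256*|*sha384*|*sha512*) ;;
    *) echo "FAIL: signature algorithm '$alg' is not SHA-2"; return 1 ;;
  esac
  openssl x509 -in "$host" -noout -checkend "$min" >/dev/null 2>&1 \
    || { echo "FAIL: $host expires within $min seconds or is already expired"; return 1; }
  echo "OK: $host chains to $root, matches $name, $alg, valid for more than $min s"
  return 0
}

# probe_sbc_tls HOST PORT EXPECTED_NAME CAFILE: which TLS versions does a running signaling
# interface negotiate? Needs network reachability, so demo() does not call it.
# DEFAULT:@SECLEVEL=0 is set only so that OpenSSL 3.x will attempt TLS 1.0/1.1 at all (it
# refuses the SHA-1 handshake signatures those versions use at its default level); the
# result reflects what the server accepts, not what a client should use.
probe_sbc_tls() {
  host=$1; port=$2; name=$3; cafile=$4
  for v in tls1 tls1_1 tls1_2; do
    if printf '' | openssl s_client -connect "$host:$port" -servername "$name" \
         -verify_hostname "$name" -CAfile "$cafile" -verify_return_error \
         -cipher 'DEFAULT:@SECLEVEL=0' "-$v" >/dev/null 2>&1; then
      echo "$v: negotiated"
    else
      echo "$v: rejected by the server (or not enabled in this OpenSSL build)"
    fi
  done
}

demo() {
  demo_dir=$(mktemp -d)
  make_demo_pki "$demo_dir" sbc.example.com 365
  check_host_cert "$demo_dir/host.pem" "$demo_dir/inter.pem" "$demo_dir/root.pem" sbc.example.com 86400
  # Same certificate, wrong expected name: exactly the handshake that fails on the unit,
  # because the Sbc service accepts nothing short of a name match.
  check_host_cert "$demo_dir/host.pem" "$demo_dir/inter.pem" "$demo_dir/root.pem" wrong.example.com 86400 || true
  rm -rf "$demo_dir"
  return 0
}
demo
```

Run as-is to see the constructed chain pass and the wrong-name case fail. To probe a real unit, call probe_sbc_tls with the signaling interface address and port, the name you expect its host certificate to carry, and the CA file you loaded (or would load) in Other Certificates; if tls1 or tls1_1 report "negotiated", the fallback described under Sentinel TLS Support Level is live on that interface.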



For more details on Certificates, refer to the Technical Bulletins - Using Trusted CA and Hosted Certificates document published on the Media5 documentation portal at https://documentation.media5corp.com.


Setting the TLS mode used by the Network Interfaces

Steps
  1. Go to SBC/Configuration.
  2. In the Signaling Interface Configuration table, from the TLS Mode selection list, for each signaling interface, choose the TLS mode the signaling interface will use.
    Note: The TLS mode selected for each signaling interface depends on the scenario being implemented.
  3. Click Apply.
Result
The TLS mode determines whether the signaling interface acts as a TLS client or a TLS server, and therefore which certificates are required.
  • In Server mode, the signaling interface acts as a TLS server. This mode requires a valid host certificate on the unit.
  • In Client mode, the signaling interface acts as a TLS client. If no host certificate is enabled on the unit, this is the only mode available.
  • In Both mode, the signaling interface can act as either a TLS server or a TLS client.


Configuring a Call Agent to Only Use TLS Transport

Context

Use this procedure if TLS transport is the only transport type used by the Call Agent. If the Call Agent needs to use multiple transport types, refer to the Configuring a Call Agent to Use TLS and Other Transport Types procedure.

Steps
  1. Go to SBC/Configuration.
  2. In the Call Agent Configuration table, click the icon located on the same line as the Call Agent that must use TLS.
  3. In the Configure Call Agent table, from the Force Transport selection list, choose TLS.
  4. Click Save.
Result
When the Call Agent is used to route a call, TLS transport will be used.


Configuring a Call Agent to Use TLS and Other Transport Types

Context
Use this procedure if the Call Agent must support multiple SIP transports. If the Call Agent must only use TLS transport, refer to the Configuring a Call Agent to Only Use TLS Transport procedure.
Steps
  1. Go to SBC/Rulesets.
  2. In the Routing Rulesets table, click the icon located on the same line as the routing ruleset that uses the Call Agent that must use TLS transport.
  3. Click Edit.
  4. In the Advanced section, check the Force Transport check box.
  5. From the selection list, choose TLS.
Result
This allows different transport types to be used based on specific conditions: when a call matches the conditions of the routing ruleset, TLS is used.


Copyright Notice

Copyright © 2020 Media5 Corporation.

This document contains information that is proprietary to Media5 Corporation.

Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.

This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.

Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.