Comment: updated @ 2023-08-09T11:53:09.683431
<!DOCTYPE html
  SYSTEM "about:legacy-compat">
<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="copyright" content="(C) Copyright 2023"><meta name="DC.rights.owner" content="(C) Copyright 2023"><meta name="DC.type" content="concept"><meta name="description" content="The Transport Layer Security protocol provides data privacy and integrity for computer network communications."><meta name="prodname" content="For all Mediatrix units"><meta name="version" content="DGW 49.2.2941"><meta name="platform" content=""><meta name="DC.date.modified" content="2023-08-09"><meta name="DC.date.issued" content="2023-08-09"><meta name="DC.date.available" content="2023-08-09"><meta name="ChapterNumbering" content="no"><meta name="DC.format" content="HTML5"><meta name="DC.identifier" content="concept_dwd_mz5_1x"><link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/62825785/commonltr.css"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/62825785/custom.css"><title>Transport Layer Security</title></head><body><header role="banner"><div class="topicmeta title">Transport Layer Security</div><div class="topicmeta date">2023-08-09</div><div class="topicmeta product">For all Mediatrix units</div><div class="topicmeta version">DGW 49.2.2941</div><div class="topicmeta pdf"><a href="https://documentation.media5corp.com/download/attachments/62825785/Transport%20Layer%20Security.pdf" rel="nofollow">Download PDF Document</a></div><hr><span style="float: inline-end;"></span></header><nav role="toc"><ul><li><a href="#concept_dwd_mz5_1x">Transport Layer Security (TLS) </a><ul><li><a href="#concept_q2d_fcj_dx">X-509 Certificates </a></li><li><a href="#concept_rrf_jjd_dx">Hypertext Transfer Protocol Secure (HTTPS) </a></li><li><a href="#concept_sfd_ljg_1r">TR-069 or 
CPE WAN Management Protocol (CWMP)</a></li><li><a href="#concept_tpv_m4d_dx">Authentication</a></li><li><a href="#topic_title_SIP_over_TLS_d1e19">SIP over TLS</a><ul><li><a href="#concept_ct2_ns1_bq">SIP Transport Types</a></li><li><a href="#concept_kfd_rbn_qcb">TLS Persistent Connections</a></li><li><a href="#concept_xqq_svc_dx">Unit Signaling Security </a></li><li><a href="#concept_vq5_r4w_1x">Communications Security</a></li></ul></li></ul></li><li><a href="#topic_title_Basic_Tasks_d1e24">Basic Tasks</a><ul><li><a href="#task_wwz_ckm_scb">Preparing the Unit to Use TLS for SIP </a><ul><li><a href="#task_fth_kjs_ls">Enabling Secure Signaling (TLS)</a></li><li><a href="#task_m13_gvb_bq">Selecting the Unit's Time Zone</a></li></ul></li><li><a href="#task_mfv_4qf_ms">Enabling TLS Debugging on Wireshark</a></li><li><a href="#task_v2y_34q_4cb">Selecting the SIP TLS Server Certificate Security Level</a></li></ul></li><li><a href="#topic_title_Advanced_Parameters_d1e30">Advanced Parameters</a><ul><li><a href="#reference_wp5_5dq_4cb">Transport Layer Security (TLS) Parameters</a></li></ul></li><li><a href="#reference_j4g_nbv_gfb">Online Help</a></li><li><a href="#concept_v4k_q3h_1r">DGW Documentation</a></li><li><a href="#concept_fqm_rv4_k4">Copyright Notice</a></li></ul></nav><main role="main"><article role="article" aria-labelledby="ariaid-title1"><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="nested0" aria-labelledby="ariaid-title1" id="concept_dwd_mz5_1x">
 <h1 class="title topictitle1" id="ariaid-title1">Transport  Layer Security (TLS) </h1>
 
 <div class="body conbody"><p class="shortdesc">The Transport Layer Security protocol provides data privacy and integrity for computer
  network communications.</p>
  <div class="p">In other words, it provides <a class="xref" href="#concept_xqq_svc_dx" title="Signaling is the protocol that activates a device located in the network and establishes calls between peers.">signaling
    security</a> and <a class="xref" href="#concept_vq5_r4w_1x" title="An important aspect of communications security, is that data sent and received from one endpoint to another remains secured, reliable, and private at all times.">communication
    security</a>. TLS is a widely used security protocol that allows for: <ul class="ul" id="concept_dwd_mz5_1x__ul_khp_j1v_1x">
    <li class="li">Server and Client authentication </li>
    <li class="li">Data confidentiality </li>
    <li class="li">Data integrity</li>
   </ul></div>
  <div class="p">TLS is used for: <ul class="ul" id="concept_dwd_mz5_1x__ul_nnq_nmn_qcb">
    <li class="li">DGW Web Access</li>
    <li class="li">HTTP-based Configuration/Firmware File Transfer</li>
    <li class="li">802.1X</li>
    <li class="li">SIP communications</li>
    <li class="li">TR-069 (CWMP)</li>
   </ul></div>
  <div class="p">When a <a class="xref" href="#concept_q2d_fcj_dx" title="The Mediatrix unit uses digital X-509 certificates which are based on the international X.509 public key infrastructure (PKI) standard. The certificates are a collection of data used to verify the identity of individuals, computers, and other entities on a network.">certificate</a> is <a class="xref" href="#concept_tpv_m4d_dx" title="As defined in the Oxford Dictionary, authentication is the process or action of verifying the identity of a user or process.">authenticated</a>, a secure TLS
      connection is established with a peer. Then <a class="xref" href="#concept_ct2_ns1_bq">SIP</a>, <a class="xref" href="#concept_rrf_jjd_dx" title="HTTPS is a transfer protocol widely used to secure communications over Internet telephony networks.">HTTPS</a>, and <a class="xref" href="#concept_sfd_ljg_1r" title="The Technical Report 069 (TR-069), also known as CWMP, is a Broadband Forum technical specification. This protocol can be used to monitor and update the Mediatrix unit configurations and firmware. In other words, when using TR-069, the Mediatrix unit can get in contact with an Auto Configuration Server (ACS) to initiate a configuration script transfer/execution and a firmware upgrade.">TR-069</a> can be used over the TLS connection.
      TLS connections also prevent man-in-the-middle attacks.<div class="note important note_important"><span class="note__title">IMPORTANT:</span>  The Mediatrix
        unit does not support a mix of both TLS and non-TLS links. Once TLS is enabled, it is
        enabled for all configured SIP gateways.</div></div>
  <div class="p">Although some parameters are available through the Web GUI, many
      are not:<ul class="ul" id="concept_dwd_mz5_1x__ul_lgy_b1l_rdb">
        <li class="li">
          <ul class="ul" id="concept_dwd_mz5_1x__ul_dzb_k1l_rdb">
            <li class="li">Cipher Suite</li>
            <li class="li">TLS version</li>
            <li class="li">Certificate validation and trust level</li>
          </ul>
        </li>
      </ul></div>
    <p class="p">For more details on advanced parameters, refer to <a class="xref" href="#reference_wp5_5dq_4cb">Transport Layer Security (TLS) Parameters</a>.</p>
 </div>
<hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title2" id="concept_q2d_fcj_dx">
 <h2 class="title topictitle2" id="ariaid-title2">X-509 Certificates </h2>
 
 <div class="body conbody"><p class="shortdesc">The Mediatrix unit uses digital X-509 certificates which are based on the international
  X.509 public key infrastructure (PKI) standard. The certificates are a collection of data used to
  verify the identity of individuals, computers, and other entities on a network.</p>
  <p class="p">X.509 certificates provide guarantees of confidentiality, authentication, integrity, and
   non-repudiation. It is the Public Key Infrastructure (PKI), which includes hardware, procedures,
   and software, that manages the certificates. The PKI also provides public-key encryption.
   Therefore, the Public Key Infrastructure provides information that can guarantee that the signed
   certificates can be trusted. </p>
  <div class="p">To enable a TLS connection on Mediatrix units, at least one CA certificate is needed to
   validate that the certificate presented by the server is valid. This certificate must be uploaded
   to the Mediatrix units. The Mediatrix unit then checks the server's identity by validating the
   host name used to contact it against the information found in the server's certificate. If the
   validation fails, the Mediatrix unit refuses the secure connection. Certificates are used to
   secure the following connections:<ul class="ul" id="concept_q2d_fcj_dx__ul_i4n_mbb_br">
    <li class="li">SIP</li>
    <li class="li">Configuration web pages</li>
    <li class="li">File transfers (scripts, firmwares, etc.) with HTTPS</li>
    <li class="li">Configuration using TR-069</li>
    <li class="li">Wired Ethernet Authentication with EAP (802.1x)</li>
   </ul>Certificates contain:<ul class="ul" id="concept_q2d_fcj_dx__ul_wjn_v33_ns">
    <li class="li">the certificate's name</li>
    <li class="li">the issuer and issued to names </li>
    <li class="li">the validity period (the certificate is not valid before or after this period) </li>
    <li class="li">the use of certificates (TlsClient or TlsServer)</li>
    <li class="li">whether or not the certificate is owned by a Certification Authority (CA)</li>
   </ul>
  </div>
  <p class="p"> </p>
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title3" id="concept_rrf_jjd_dx">
 <h2 class="title topictitle2" id="ariaid-title3">Hypertext Transfer Protocol Secure (HTTPS) </h2>
 
 <div class="body conbody"><p class="shortdesc">HTTPS is a transfer protocol widely used to secure communications over Internet
  telephony networks.</p>
  <p class="p">HTTPS allows for communications over Hypertext Transfer Protocol (HTTP) within a connection
   encrypted by <a class="xref" href="#concept_dwd_mz5_1x" title="The Transport Layer Security protocol provides data privacy and integrity for computer network communications.">Transport Layer
    Security</a> (TLS). HTTPS is mainly used to secure the content of a Web site and securely
   transfer files.</p>
  <p class="p">A communication using HTTPS reasonably guarantees that the targeted peer is the proper one, not
   an impostor, and that media cannot be read or tampered with by any third party.</p>
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title4" id="concept_sfd_ljg_1r">
 <h2 class="title topictitle2" id="ariaid-title4">TR-069  or CPE WAN Management Protocol (CWMP)</h2>
 
 <div class="body conbody"><p class="shortdesc">The Technical Report 069 (TR-069), also known as CWMP, is a Broadband Forum technical
  specification. This protocol can be used to monitor and update the Mediatrix unit configurations
  and firmware. In other words, when using TR-069, the Mediatrix unit can get in contact with an
  Auto Configuration Server (ACS) to initiate a configuration script transfer/execution and a
  firmware upgrade.  </p>
  <p class="p">The first time the Mediatrix unit is connected to the network, it will attempt to contact the
   Auto Configuration Server (ACS), which is the entry point for the administrator. The Mediatrix
   unit will obtain the URL of the ACS using either the DHCP server with option 43 or by retrieving
   the information directly from the Customer's Profile. Therefore, upon start-up, the Mediatrix
   unit will contact the ACS, which in return will send the required configuration files and
   initiate, if necessary, a firmware update. This automated sequence is what is referred to as
   zero-touch, as the Mediatrix unit is automatically configured by the ACS according to the
   instructions given by the administrator without manual intervention on the unit.</p>
  <div class="p">The administrator can determine a schedule for the Mediatrix unit to periodically contact the
   ACS. These contacts will allow the Mediatrix unit to:<ul class="ul" id="concept_sfd_ljg_1r__ul_efh_f5m_1r">
    <li class="li">verify if new configurations are available,</li>
    <li class="li">verify if a new firmware update is available and</li>
    <li class="li">send notifications for monitoring purposes.</li>
   </ul></div>
  <div class="p">Monitoring is achieved by regularly sending notifications to the ACS, by means of
   "Inform" requests, which can be: <ul class="ul" id="concept_sfd_ljg_1r__ul_x24_k5m_1r">
    <li class="li">Passive: the information is sent according to the schedule.</li>
    <li class="li">Active: the information is sent immediately when a parameter status changes, regardless of
     the periodic schedule.</li>
   </ul>Because the Periodic Informs are initiated by the Mediatrix unit, they have no problem
   passing through residential or enterprise NAT and firewalls. </div>
  <p class="p">Furthermore, the administrator can initiate a connection to the Mediatrix unit to perform
   immediate maintenance or monitoring. This will only be possible if the NAT firewall has been
   configured to allow communications initiated by the ACS.</p>
  <p class="p">The TR-069 protocol can be activated on units that are already deployed with a licence key (for
   more details on licences, refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/How+to+Activate+a+Licence+on+a+Mediatrix+Device" target="_blank">Technical Bulletin - How to activate a licence on a Mediatrix
    unit</a> published on the <a class="xref" href="https://documentation.media5corp.com/" target="_blank">Media5 Documentation Portal</a>). However, it can
   be enabled/disabled for a specific configuration via the Management interface.</p>
  <div class="p">TR-069 methods supported by the Mediatrix unit include:<ul class="ul" id="concept_sfd_ljg_1r__ul_b5p_hdm_1r">
    <li class="li">SetParameterValues</li>
    <li class="li">GetParameterValues </li>
    <li class="li">AddObject </li>
    <li class="li">DeleteObject</li>
    <li class="li">Download </li>
    <li class="li">Reboot</li>
    <li class="li">Upload</li>
    <li class="li">FactoryReset</li>
   </ul></div>
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title5" id="concept_tpv_m4d_dx">
 <h2 class="title topictitle2" id="ariaid-title5">Authentication</h2>
 
 <div class="body conbody"><p class="shortdesc">As defined in the Oxford Dictionary, authentication is the process or action of
  verifying the identity of a user or process.</p>
  <p class="p">In an Internet telephony network environment, authentication will allow the Mediatrix unit to
   make sure the peer it is communicating with is the proper network or endpoint (unit or end-user
   device). This provides a level of security for communications as no communication will be allowed
   if the authentication is not confirmed. </p>
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic nested1 nobody" aria-labelledby="ariaid-title6" id="topic_title_SIP_over_TLS_d1e19">
   <h2 class="title topictitle2" id="ariaid-title6">SIP over TLS</h2>
<article class="topic concept nested2" aria-labelledby="ariaid-title7" id="concept_ct2_ns1_bq">
  <h3 class="title topictitle3" id="ariaid-title7">SIP Transport Types</h3>
  <div class="body conbody">
    <p class="p">You can globally set the SIP transport type for all the endpoints of the Mediatrix unit to
      either UDP (User Datagram Protocol), TCP (Transmission Control Protocol), or TLS (Transport
      Layer Security). </p>
    <p class="p">Please note that RFC 3261 states that implementations must be able to handle messages up to
      the maximum datagram packet size. For UDP, this size is 65,535 bytes, including IP and UDP
      headers. However, the maximum datagram packet size the Mediatrix unit supports for a SIP
      request or response is 5120 bytes excluding the IP and UDP headers. This should be enough, as
      a packet is rarely bigger than 2500 bytes.</p>
  </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested2" aria-labelledby="ariaid-title8" id="concept_kfd_rbn_qcb">
 <h3 class="title topictitle3" id="ariaid-title8">TLS Persistent Connections</h3>
 
 <div class="body conbody"><p class="shortdesc">Transport Layer Security (TLS) Persistent Connections are associated with the SIP
  servers (outbound proxy, registrar, and home domain proxy).</p>
  <div class="p">TLS connections are currently only supported with SIP Trunk gateways. The TLS Persistent
   Connections statuses are available under <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Servers</span> of the DGW Web interface. <div class="note note note_note"><span class="note__title">Note:</span> The
     <span class="keyword wintitle">Status</span> table is not displayed if the
    persistent connections are not activated.</div></div>
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested2" aria-labelledby="ariaid-title9" id="concept_xqq_svc_dx">
 <h3 class="title topictitle3" id="ariaid-title9">Unit Signaling Security </h3>
 
 <div class="body conbody"><p class="shortdesc">Signaling is the protocol that activates a device located in the network and establishes
  calls between peers. </p>
  <p class="p">To provide security to signaling, the Mediatrix unit will connect to the network via SIP over
   TLS. The network is then authenticated by a certificate that guarantees that the Mediatrix unit
   is connected to a "safe" network.</p>
  <p class="p">The network will then authenticate the device with the username and password to make sure the
   device is part of the network's subscriber list. This is done with digest
   authentication. The result of these authentications and verifications provides private and
   reliable communications between the network and the device. Calls will be established without
   leaving any possibility for a third party to identify the caller or callee number, or to
   interfere with the communication in any way. </p>
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested2" aria-labelledby="ariaid-title10" id="concept_vq5_r4w_1x">
 <h3 class="title topictitle3" id="ariaid-title10">Communications Security</h3>
 
  <div class="body conbody"><p class="shortdesc">An important aspect of communications security is that data sent and received from one
  endpoint to another remains secured, reliable, and private at all times.</p>
  <div class="p">When configured for complete security, signaling is performed with TLS with the use of a
   certificate and the unit transports the audio and video through Secure RTP (SRTP). The Mediatrix
   unit will make sure that the certificate specifically encrypted for the session and issued by the
   end user is valid, e.g.:<ul class="ul" id="concept_vq5_r4w_1x__ul_uvg_t5w_1x">
    <li class="li">the date and hour are not expired</li>
    <li class="li">the certificate was issued by a recognised authority and configured within the unit</li>
    <li class="li">the certificate was issued for the proper IP address or specific FQDN</li>
   </ul>The following diagram combines several use cases of communications security.<br><img class="image" id="concept_vq5_r4w_1x__image_mmn_lf1_cx" src="https://documentation.media5corp.com/download/attachments/62825785/CommunicationSecurity.png" width="800"><br></div>
 </div>
</article></article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic nested0 nobody" aria-labelledby="ariaid-title11" id="topic_title_Basic_Tasks_d1e24">
   <h1 class="title topictitle1" id="ariaid-title11">Basic Tasks</h1>
<article class="topic task nested1" aria-labelledby="ariaid-title12" id="task_wwz_ckm_scb">
    <h2 class="title topictitle2" id="ariaid-title12">Preparing the Unit to Use TLS for SIP </h2>
    <div class="body taskbody">
        <section class="section context"><div class="tasklabel"><strong class="sectiontitle tasklabel">Context</strong></div>These steps should be performed first when using Transport Layer Security (TLS) as
            they are mandatory for all TLS based applications (TR-069, SIP over TLS, 802.1X, HTTPS
            file transfer, etc.)</section>
        <section id="task_wwz_ckm_scb__steps_btv_2km_scb"><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps" id="task_wwz_ckm_scb__steps_btv_2km_scb"><li class="li step stepexpand">
                <span class="ph cmd">Make sure the unit is able to retrieve current Time/Date information from an NTP
                    server, either an NTP server learnt from DHCP or static NTP servers.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Make sure the time zone of your unit is adjusted properly. Refer to <a class="xref" href="#task_m13_gvb_bq">Selecting the Unit's Time Zone</a>.
                </span>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> This step is mandatory for the unit to have the proper date/time,
                        otherwise the TLS communication cannot be validated.</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Upload all the trusted CA certificates required for server validation. Refer to
                        <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Using+Trusted+CA+and+Host+Certificates" target="_blank">Technical Bulletin - Using Trusted CA and Host Certificates</a> published on the <a class="xref" href="https://documentation.media5corp.com/" target="_blank">Media5 Documentation Portal</a>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">If the respective pop-up message appears, click <span class="ph uicontrol">restart required services</span>.</span>
            </li></ol></section>
    </div>
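<p class="p">The checks the unit applies to a server certificate (issued by an uploaded CA, matching host name, inside its validity period) can be rehearsed with the openssl command line before the CA file is uploaded, which also shows why the clock steps above are mandatory. This is an added example, not Media5 code: sip.example.test, pbx.example.test, the file names and both helper functions are constructed, and OpenSSL 1.1.0 or later is assumed.</p>

```shell
#!/bin/sh
# Added example. sip.example.test and every file name below are constructed;
# substitute the CA file you plan to upload and the server's real certificate.

# make_test_pki DIR HOST: create a throw-away CA (ca.pem) and a server
# certificate for HOST (server.pem) so the checks can be run offline.
make_test_pki() {
    dir=$1 host=$2
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$dir/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
EOF
    printf 'subjectAltName = DNS:%s\n' "$host" > "$dir/san.ext"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.pem" >/dev/null 2>&1
}

# check_server_cert CAFILE CERT HOST [EPOCH]
# Succeeds only if CERT chains to CAFILE (-no-CApath keeps the system
# certificate directory out, so only the given CA is trusted), names HOST,
# and is inside its validity period at EPOCH (default: the current time).
# Prints "accepted" or the reason openssl gives for the refusal.
check_server_cert() {
    cafile=$1 cert=$2 host=$3 when=${4:-}
    set -- -no-CApath -CAfile "$cafile" -verify_hostname "$host"
    if [ -n "$when" ]; then set -- "$@" -attime "$when"; fi
    if out=$(openssl verify "$@" "$cert" 2>&1); then
        echo "accepted"
    else
        printf '%s\n' "$out" |
            sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
        return 1
    fi
}

WORK=$(mktemp -d) && mkdir "$WORK/good" "$WORK/other"
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK/good" sip.example.test
make_test_pki "$WORK/other" sip.example.test   # same subject, unrelated CA key
CA=$WORK/good/ca.pem
CERT=$WORK/good/server.pem
NOW=$(date +%s)

echo "right CA, right name: $(check_server_cert "$CA" "$CERT" sip.example.test)"
echo "right CA, wrong name: $(check_server_cert "$CA" "$CERT" pbx.example.test)"
echo "unrelated CA        : $(check_server_cert "$WORK/other/ca.pem" "$CERT" sip.example.test)"
# A unit whose clock was never set (here 2000-01-01) sees a certificate that
# is not yet valid; a clock 60 days ahead sees the 30-day certificate expired.
echo "clock at 2000-01-01 : $(check_server_cert "$CA" "$CERT" sip.example.test 946684800)"
echo "clock 60 days ahead : $(check_server_cert "$CA" "$CERT" sip.example.test $((NOW + 60 * 86400)))"
```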
<hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested2" aria-labelledby="ariaid-title13" id="task_fth_kjs_ls">
    <h3 class="title topictitle3" id="ariaid-title13">Enabling Secure Signaling (TLS)</h3>
    <div class="body taskbody">
        <section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
                <span class="ph cmd">Go to <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Transport</span> tab.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">In the <span class="keyword wintitle">Protocol Configuration</span> table,
                    from the <span class="keyword wintitle">TLS</span> drop-down list,
                    select <span class="keyword wintitle">Enable</span>.</span>
                <div class="itemgroup info">
                    <div class="note important note_important"><span class="note__title">IMPORTANT:</span> The Mediatrix unit does not support a mix of both TLS and
                        non-TLS links. Once TLS is enabled, it is enabled for all configured SIP
                        gateways.</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Follow the link located at the top of the Web page to start the appropriate
                    service. </span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <br><img class="image" id="task_fth_kjs_ls__image_kfd_d1t_ls" src="https://documentation.media5corp.com/download/attachments/62825785/ProtocolConfiguration.png" width="800"><br>
            <p class="p">The Ready LED will turn to a steady green. The SipEp Notification messages #303 and
                #310 are sent once the TLS connection is established. For example:
                <p class="lines"><code class="ph codeph">Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.14:5063 is now ready to be used for SIP gateway default.</code></p><p class="lines"><code class="ph codeph">Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 310-Server 10.5.128.14:5063 is now reachable for SIP gateway default.</code></p></p>
        </section>
    </div>
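<p class="p">Once the unit's syslog is collected, the two notifications above can be checked for automatically. The following added example (not Media5 code) reads syslog lines and reports, per SIP gateway, whether messages #303 and #310 were both logged; only the two message formats come from this page, while the gateway name trunk_b, the address 192.0.2.10:5061 and the function names are constructed.</p>

```shell
#!/bin/sh
# Added example. Only the 303 and 310 message formats come from the page;
# trunk_b, 192.0.2.10 and the function names are constructed.

# sample_log: the two syslog lines quoted on this page plus one constructed
# line for a second gateway that logged 303 but never 310.
sample_log() {
    cat <<'EOF'
Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.14:5063 is now ready to be used for SIP gateway default.
Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 310-Server 10.5.128.14:5063 is now reachable for SIP gateway default.
Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 192.0.2.10:5061 is now ready to be used for SIP gateway trunk_b.
EOF
}

# tls_ready_check GATEWAY...
# Reads syslog lines on stdin. For every named SIP gateway prints
#   <gateway> 303=<host:port|missing> 310=<host:port|missing>
# and returns 1 if any gateway lacks one of the two notifications.
tls_ready_check() {
    awk -v want="$*" '
    # Word that follows marker in line, without a sentence-final period.
    function after(line, marker,    i, rest) {
        i = index(line, marker)
        if (i == 0) return ""
        rest = substr(line, i + length(marker))
        sub(/ .*$/, "", rest)
        sub(/\.$/, "", rest)
        return rest
    }
    /SipEp: .*303-TLS connection with remote host / {
        ready[after($0, "for SIP gateway ")] = after($0, "remote host ")
    }
    /SipEp: .*310-Server / {
        reach[after($0, "for SIP gateway ")] = after($0, "310-Server ")
    }
    END {
        n = split(want, gw, " ")
        bad = 0
        for (k = 1; k <= n; k++) {
            r = (gw[k] in ready) ? ready[gw[k]] : "missing"
            s = (gw[k] in reach) ? reach[gw[k]] : "missing"
            printf "%s 303=%s 310=%s\n", gw[k], r, s
            if (r == "missing" || s == "missing") bad = 1
        }
        exit bad
    }'
}

sample_log | tls_ready_check default trunk_b ||
    echo "at least one gateway did not log both notifications"
```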
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested2" aria-labelledby="ariaid-title14" id="task_m13_gvb_bq">
    <h3 class="title topictitle3" id="ariaid-title14">Selecting the Unit's Time Zone</h3>
    <div class="body taskbody">
        <section class="section context"><div class="tasklabel"><strong class="sectiontitle tasklabel">Context</strong></div>Time Servers should be configured under Network/Host/SNTP Configuration. For more
            details refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Configuration+Notes+-+Attachements?preview=%2F45481987%2F75009713%2FVLan+Configuration.pdf" target="_blank">DGW Configuration Guide - VLan Configuration </a>
            published on the <a class="xref" href="https://documentation.media5corp.com/" target="_blank">Media5 Documentation Portal</a>.</section>
        
        <section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
                <span class="ph cmd">Go to <span class="keyword wintitle">Network</span>/<span class="keyword wintitle">Host</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">In the <span class="keyword wintitle">Time Configuration</span> table, in
                    the <span class="keyword wintitle">Static Time Zone</span>
                    field, specify the time zone in which the Mediatrix unit is located.</span>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> If preceded by a minus sign (-), the time zone is east of the prime
                        meridian, otherwise it is west, which can be indicated by the preceding plus
                        sign (+). For example, New York time is GMT 5.</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <p class="p">Any DGW parameter referring to a time value will use the local time described by this
                time zone reference. The <strong class="ph b">Hoc.SystemTime</strong> will return the unit local time in
                accordance with the configured time zone.</p>
        </section>
    </div>
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title15" id="task_mfv_4qf_ms">
    <h2 class="title topictitle2" id="ariaid-title15">Enabling TLS Debugging on Wireshark</h2>
    <div class="body taskbody">
        <section class="section prereq"><div class="tasklabel"><strong class="sectiontitle tasklabel">Before you begin</strong></div>To configure Wireshark for TLS packet capture, the private key associated with the
            server certificate is needed to decrypt TLS packets.</section>
        <section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
                <span class="ph cmd">Go to <span class="keyword wintitle">Edit</span>/<span class="keyword wintitle">Preferences</span>. </span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click + next to <span class="keyword wintitle">Protocols</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Select SSL.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Fill the <span class="keyword wintitle">RSA keys list</span>
                    field. </span>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> The field specifies the binding between an IP address, a port, a protocol,
                        and a RSA decryption key. Enter the IP address of the server, the SIP port,
                        and the path to the file containing the server private key. Several such
                        bindings may be specified by separating them with a semi-colon
                        ";".</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Start the Wireshark capture.</span>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> TLS sessions using Diffie-Hellman based ciphers (DHE, ECDH, ECDHE) cannot
                        be decrypted by Wireshark using the RSA keys list.</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Restart the SipEp service on the Mediatrix unit or restart the unit.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Once the unit is restarted and the "Ready" LED is lit on the
                    Mediatrix unit, stop the packet capture.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Using the "ssl" filter in the capture should show the SIP packets
                    between the two endpoints. </span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <br><img class="image" id="task_mfv_4qf_ms__image_evl_mhg_ms" src="https://documentation.media5corp.com/download/attachments/62825785/PacketCapture.png" width="800"><br>
        </section>
    </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title16" id="task_v2y_34q_4cb">
    <h2 class="title topictitle2" id="ariaid-title16">Selecting the SIP TLS Server Certificate Security Level</h2>
    <div class="body taskbody">
        <section class="section context"><div class="tasklabel"><strong class="sectiontitle tasklabel">Context</strong></div>The security level used to validate the TLS server certificate has no effect on the
            TLS client authentication when the unit is acting as a TLS server. Refer to the <a class="xref" href="#reference_wp5_5dq_4cb__250120218">SipEp.InteropTlsClientAuthenticationEnable</a> parameter.<p class="p">Only the setting for
                SIP over TLS transport is available over the Web GUI. For other services, such as file
                transfer or TR-069, the settings are available by script, and the supported levels
                differ: the SIP over TLS security level has one more level (Trusted Certificate
                level) which other services do not have.</p></section>
        <section id="task_v2y_34q_4cb__steps_mhz_s4q_4cb"><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps" id="task_v2y_34q_4cb__steps_mhz_s4q_4cb"><li class="li step">
                <span class="ph cmd">Go to <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Interop</span>.</span>
            </li><li class="li step">
                <span class="ph cmd">In the <span class="keyword wintitle">TLS Interop</span>
                    table, select the security level used to validate certificates. </span>
            </li></ol></section>
    </div>
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic nested0 nobody" aria-labelledby="ariaid-title17" id="topic_title_Advanced_Parameters_d1e30">
   <h1 class="title topictitle1" id="ariaid-title17">Advanced Parameters</h1>
<article class="topic reference nested1" aria-labelledby="ariaid-title18" id="reference_wp5_5dq_4cb">
  <h2 class="title topictitle2" id="ariaid-title18">Transport Layer Security (TLS) Parameters</h2>
  <div class="body refbody">
    <section class="section">
      <div class="p">Although the services can be configured in great part in the Web browser, some aspects of
        the configuration can only be completed with the MIB parameters by:<ul class="ul" id="reference_wp5_5dq_4cb__ul_gfn_14v_wr">
          <li class="li">using a MIB browser</li>
          <li class="li">using the CLI</li>
          <li class="li">creating a configuration script containing the configuration parameters</li>
        </ul></div>
    </section>
                <section class="section">For more details on the following parameters, refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Reference+Guide" target="_blank">DGW Configuration Guide - Reference
                                Guide</a> published on the <a class="xref" href="https://documentation.media5corp.com/" target="_blank">Media5 Documentation Portal</a>. The Reference Guide contains all the parameters
                        used in the DGW software with their description, default values, and
                        interactions. </section>
        <section class="section"><h3 class="title sectiontitle">For certificate transfer</h3>
            
            <ul class="ul" id="reference_wp5_5dq_4cb__ul_np5_blq_4cb">
                <li class="li">To set the HTTPS transfer cipher suite for certificate transfer: <span class="keyword parmname">Cert.TransferHttpsCipherSuite</span></li>
                <li class="li">To set the HTTPS transfer TLS version for certificate transfer:
                                                <span class="keyword parmname">Cert.TransferHttpsTlsVersion</span>
                                </li>
                                <li class="li">To set the level of security to use when validating the server's
                                        certificate when connecting to the ACS using HTTPS:
                                                <span class="keyword parmname">Cwmp.TransportCertificateValidation
                                        </span>
                                </li>
            </ul>
        </section>
                <section class="section"><h3 class="title sectiontitle">For file transfer </h3>
                        
                        <ul class="ul" id="reference_wp5_5dq_4cb__ul_qpp_cnn_qcb">
                                <li class="li">To set the HTTPS transfer cipher suite for file transfer:
                                                <span class="keyword parmname">File.TransferHttpsCipherSuite</span></li>
                                <li class="li">To set the HTTPS transfer TLS version configuration for file
                                        transfer:
                                        <span class="keyword wintitle">File.TransferHttpsTlsVersion</span></li>
                        </ul>
                </section>
        <section class="section"><h3 class="title sectiontitle">For DGW Web access </h3>
            
            <ul class="ul" id="reference_wp5_5dq_4cb__ul_a2p_mkq_4cb">
                <li class="li">To set the HTTPS cipher suite for secure DGW Web access:
                                                <span class="keyword parmname">Web.HttpsCipherSuite</span></li>
                <li class="li">To set the HTTP mode used for DGW Web access:
                                        <span class="keyword parmname">Web.HttpMode</span></li>
                <li class="li">To select the Secure Server Port used to access the DGW Web interface:
                                                <span class="keyword parmname">Web.SecureServerPort</span></li>
                <li class="li">To set the TLS version used for secure DGW Web access:
                                                <span class="keyword parmname">Web.TlsVersion</span></li>
            </ul>
        </section>
        <section class="section"><h3 class="title sectiontitle">For SIP TLS transport</h3>
                        
                        <ul class="ul" id="reference_wp5_5dq_4cb__ul_gqg_wmq_4cb">
                                <li class="li">To set the TLS transport cipher suite used for secure SIP
                                        transport:
                                                <span class="keyword parmname">SipEp.TransportTlsCipherSuite</span></li>
                                <li class="li">To set the TLS version used for secure SIP transport:
                                                <span class="keyword parmname">SipEp.TransportTlsVersion</span></li>
                                <li class="li">To set TLS client authentication: <span class="keyword parmname" id="reference_wp5_5dq_4cb__250120218">SipEp.InteropTlsClientAuthenticationEnable</span></li>
                        </ul>
                </section>
                <section class="section"><h3 class="title sectiontitle">For TR-069 (CWMP) establishment</h3>
                        
                        <ul class="ul" id="reference_wp5_5dq_4cb__ul_ptl_33n_qcb">
                                <li class="li">To set the HTTPS transport cipher suite configuration for TR-069
                                        (CWMP): <span class="keyword parmname">Cwmp.TransportHttpsCipherSuite
                                        </span></li>
                                <li class="li">To set the HTTPS transport TLS version configuration for TR-069
                                        (CWMP): <span class="keyword parmname">Cwmp.TransportHTTPSTlsVersion</span>
                                </li>
                                <li class="li">To set the level of security to use when validating the server's
                                        certificate when connecting to the ACS using HTTPS:
                                                <span class="keyword parmname">Cwmp.TransportCertificateValidation
                                        </span>
                                </li>
                        </ul>
                </section>
  </div>
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic reference nested0" aria-labelledby="ariaid-title19" id="reference_j4g_nbv_gfb">
  <h1 class="title topictitle1" id="ariaid-title19">Online Help</h1>
  <p class="shortdesc"><span class="ph">If you are not familiar with the meaning of the fields and
                buttons, click <span class="keyword wintitle">Show Help</span>, located at the upper right corner of
                the Web page. When activated, the fields and buttons that offer online help will
                change to green and if you hover over them, the description will be displayed.</span></p>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title20" id="concept_v4k_q3h_1r">
 <h1 class="title topictitle1" id="ariaid-title20">DGW Documentation</h1>
 
 <div class="body conbody"><p class="shortdesc">Mediatrix devices are supplied with an exhaustive set of documentation. </p>
  <p class="p">Mediatrix user documentation is available on the <a class="xref" href="http://documentation.media5corp.com" target="_blank">Media5 Documentation
    Portal</a>.</p>
  <div class="p">Several types of documents were created to clearly present the information you are looking for.
   Our documentation includes:<ul class="ul" id="concept_v4k_q3h_1r__ul_bqy_cjh_1r">
    <li class="li"><strong class="ph b">Release notes</strong>: Generated at each GA release, this document includes the known and
     solved issues of the software. It also outlines the changes and the new features the release
     includes.</li>
    <li class="li"><strong class="ph b">Configuration notes</strong>: These documents are created to facilitate the configuration of a
     specific use case. They address a configuration aspect that we consider most users will need to
     perform. However, in some cases, a configuration note is created after receiving a question
     from a customer. They provide standard step-by-step procedures detailing the values of the
     parameters to use. They provide a means of validation and present some conceptual information.
     The configuration notes are specifically created to guide the user through an aspect of the
     configuration. </li>
    <li class="li"><strong class="ph b">Technical bulletins</strong>: These documents are created to facilitate the configuration of a
     specific technical action, such as performing a firmware upgrade.</li>
    <li class="li"><strong class="ph b">Hardware installation guide</strong>: This guide provides the detailed procedure on how to safely and
     adequately install the unit. It provides information on card installation, cable connections,
     and how to access the Management interface for the first time.</li>
    <li class="li"><strong class="ph b">User guide</strong>: The user guide explains how to customise the configuration
     of the unit to your needs. Although this document is task oriented, it provides conceptual information to
     help the user understand the purpose and impact of each task. The User Guide will provide
     information such as where and how TR-069 can be configured in the Management Interface, how to
     set firewalls, or how to use the CLI to configure parameters that are not available in the
     Management Interface.</li>
    <li class="li"><strong class="ph b">Reference guide</strong>: This exhaustive document has been created for advanced users. It
     includes a description of all the parameters used by all the services of the Mediatrix units.
     You will find, for example, scripts to configure a specific parameter, notification messages
     sent by a service, or an action description used to create Rulesets. This document includes
     reference information such as a dictionary, and it does not include any step-by-step
     procedures. </li>
   </ul></div>
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title21" id="concept_fqm_rv4_k4">
 <h1 class="title topictitle1" id="ariaid-title21">Copyright Notice</h1>
 

 <div class="body conbody"><p class="shortdesc">Copyright © 2023 Media5 Corporation.</p>
  <p class="p">This document contains information that is proprietary to Media5 Corporation.</p>
  <p class="p">Media5 Corporation reserves all rights to this document as well as to the Intellectual Property
   of the document and the technology and know-how that it includes and represents.</p>
  <p class="p">This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever,
   without written prior approval by Media5 Corporation.</p>
  <p class="p">Media5 Corporation reserves the right to revise this publication and make changes at any time
   and without the obligation to notify any person and/or entity of such revisions and/or
   changes.</p>
 </div>
</article></article></main></body></html>