<!DOCTYPE html
SYSTEM "about:legacy-compat">
<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="copyright" content="(C) Copyright 2023"><meta name="DC.rights.owner" content="(C) Copyright 2023"><meta name="DC.type" content="concept"><meta name="description" content="The Sentinel supports SIP over TLS. Each signaling interface listens to UDP, TCP, and TLS simultaneously. For TLS mode, it can be set up as a SIP TLS client, a TLS server or both (default)."><meta name="prodname" content="Sentinel 100 and Sentinel 400"><meta name="version" content="DGW 49.12.28842941"><meta name="platform" content="All"><meta name="DC.date.modified" content="2023-0308-2809"><meta name="DC.date.issued" content="2023-0308-2809"><meta name="DC.date.available" content="2023-0308-2809"><meta name="ChapterNumbering" content="no"><meta name="DC.format" content="HTML5"><meta name="DC.identifier" content="concept_ush_2dj_llb"><link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/45482024/commonltr.css"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/45482024/custom.css"><title>Using TLS with the Sentinel</title></head><body><header role="banner"><div class="topicmeta title">Using TLS with the Sentinel</div><div class="topicmeta date">2023-0308-2809</div><div class="topicmeta product">Sentinel 100 and Sentinel 400</div><div class="topicmeta version">DGW 49.12.28842941</div><div class="topicmeta pdf"><a href="https://documentation.media5corp.com/download/attachments/45482024/Using%20TLS%20with%20the%20Sentinel.pdf" rel="nofollow">Download PDF Document</a></div><hr><span style="float: inline-end;"></span></header><nav role="toc"><ul><li><a href="#concept_ush_2dj_llb">TLS Roles for the Sentinel</a><ul><li><a href="#reference_lp2_q2j_llb">Sentinel TLS Support Level</a></li><li><a 
href="#reference_a3h_dqc_vlb">Certificates Required by the Sentinel SBC Used as the TLS Client</a></li><li><a href="#unique_13414300681975189829">Certificates Required by the Sentinel SBC Used as the TLS Server</a></li></ul></li><li><a href="#task_pzq_clj_llb">Setting the TLS mode used by the Network Interfaces</a></li><li><a href="#task_xyj_tjj_llb">Configuring a Call Agent to Only Use TLS Transport </a></li><li><a href="#task_a1w_xyc_vlb">Configuring a Call Agent to Use TLS and Other Transport Types</a></li><li><a href="#reference_ur5_yx3_ps">Available Documentation</a></li><li><a href="#concept_fqm_rv4_k4">Copyright Notice</a></li></ul></nav><main role="main"><article role="article" aria-labelledby="ariaid-title1"><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="nested0" aria-labelledby="ariaid-title1" id="concept_ush_2dj_llb">
<h1 class="title topictitle1" id="ariaid-title1">TLS Roles for the Sentinel</h1>
<div class="body conbody"><p class="shortdesc">The Sentinel supports SIP over TLS. Each signaling interface listens to UDP, TCP, and
TLS simultaneously. For TLS mode, it can be set up as a SIP TLS client, a TLS server or both
(default).</p>
<p class="p">The TLS mode used by the Sentinel is configured per signaling interface in the <span class="keyword wintitle">Signaling Interface Configuration</span> table, under
<span class="keyword wintitle">SBC</span>/<span class="keyword wintitle">Configuration</span>.
</p>
<div class="p">The Sentinel can be used as a: <ul class="ul" id="concept_ush_2dj_llb__ul_y4w_k2j_llb">
<li class="li">TLS server, for example for: <ul class="ul">
<li class="li">secure communication with remote users</li>
<li class="li">a SIP trunk to a remote office (the SBC is the hub)</li>
<li class="li">a SIP trunk between two SBCs (this side is the server)</li>
</ul></li>
<li class="li">TLS client, for example for:<ul class="ul" id="concept_ush_2dj_llb__ul_ad3_42j_llb">
<li class="li">a SIP trunk to a provider (the provider is the TLS server)</li>
<li class="li">registration of SIP user clients to a provider</li>
<li class="li">a SIP trunk between two SBCs (this side is the client)</li>
</ul></li>
</ul></div>
<p class="p">For more details on Transport Layer Security (TLS), refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Transport+Layer+Security" target="_blank">DGW Configuration Guides - Transport Layer Security</a>
document published on the Media5 documentation portal at <a class="xref" href="https://documentation.media5corp.com" target="_blank">https://documentation.media5corp.com</a></p>
</div>
<hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic reference nested1" aria-labelledby="ariaid-title2" id="reference_lp2_q2j_llb">
<h2 class="title topictitle2" id="ariaid-title2">Sentinel TLS Support Level</h2>
<div class="body refbody">
<section class="section">
<ul class="ul" id="reference_lp2_q2j_llb__ul_t2r_t2j_llb">
<li class="li">SSL v3.0 is no longer supported as of DGW v46.0.2025.</li>
<li class="li">The default is TLS v1.2 (as a client, the Sentinel offers TLS v1.2 first). If the other
party does not support TLS v1.2, the negotiation can fall back to TLS v1.1 or TLS v1.0. Both of
these versions are deprecated (RFC 8996); where the peer can be configured, pin it to TLS v1.2 so
that the fallback never occurs.</li>
<li class="li">When the Sentinel is used as a TLS server, the Sentinel:<ul class="ul" id="reference_lp2_q2j_llb__ul_srs_3fj_llb">
<li class="li">accepts TLS v1.0, TLS v1.1, or TLS v1.2</li>
<li class="li">does not ask clients for their certificate; in other words, mutual TLS is not
supported in this mode. The TLS layer therefore does not authenticate the connecting client;
any authentication of remote users must happen at the SIP level.</li>
</ul></li>
<li class="li">When the Sentinel is used as a TLS client, the Sentinel:<ul class="ul" id="reference_lp2_q2j_llb__ul_fk5_ld5_ylb">
<li class="li">negotiates TLS v1.0, TLS v1.1, or TLS v1.2 (offering TLS v1.2 first)</li>
<li class="li">does not initiate mutual TLS itself; however, if the server asks for a client
certificate for mutual TLS, the SBC complies and presents its own host certificate. For this
to work a host certificate must be loaded on the unit and associated with the Sbc service (see
the TLS server certificate section below).</li>
</ul></li>
<li class="li">Ciphers: <ul class="ul" id="reference_lp2_q2j_llb__ul_byx_5fj_llb">
<li class="li">Only cipher suites based on SHA-2 hashes are supported (equivalent to the CS3 level of the Dgw 2.0 TLS cipher setting).</li>
<li class="li">SHA-1 is no longer supported; cipher suites that rely on it are neither offered nor accepted.</li>
</ul></li>
<li class="li">Certificate chain validation is performed up to 9 levels deep.</li>
<li class="li">During the TLS handshake, the SBC validates the peer's (server's) certificate
against its Common Name or Subject Alternative Name. This is the default behaviour. The
validation can be disabled with the following
command:<pre class="pre codeblock"><code>Sbc.CertificateValidation = "NoValidation"</code></pre>With
validation disabled, the SBC accepts any certificate the peer presents, including one served by
a man-in-the-middle, so the TLS connection is encrypted but the peer is not authenticated. Use
this setting for troubleshooting only and restore the default afterwards.</li>
<li class="li">Unlike other services such as SipEp, which support an intermediate validation
level, TrustedCertificate (the certificate must chain to a trusted CA, without a name
match), the Sbc service has no such level. When validation is enabled, the
certificate name must match.</li>
</ul>
</section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic reference nested1" aria-labelledby="ariaid-title3" id="reference_a3h_dqc_vlb">
<h2 class="title topictitle2" id="ariaid-title3">Certificates Required by the Sentinel SBC Used as the TLS Client</h2>
<div class="body refbody"><p class="shortdesc">All the certificates the Sentinel SBC needs when it acts as the TLS
client are located under <span class="keyword wintitle">Management</span>/<span class="keyword wintitle">Certificates</span> in the <span class="keyword wintitle">Other Certificates</span> table. </p>
<section class="section">As the client, the Sentinel SBC needs the public CA certificate (loaded as the <span class="keyword wintitle">Other</span> type) of the authority that signed the
server's certificate and, if the server does not send them during the handshake, the intermediate CA certificates of that chain. CA certificates placed here are considered
<span class="keyword wintitle">trustworthy</span>: any server certificate that chains to one of them passes the trust check, so load only the CAs you actually expect to issue your peers' certificates rather than a general-purpose bundle. For more details on certificates, refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Using+Trusted+CA+and+Host+Certificates" target="_blank">Technical Bulletins - Using Trusted CA and Host
Certificates</a> document published on the Media5 documentation portal at <a class="xref" href="https://documentation.media5corp.com" target="_blank">https://documentation.media5corp.com</a>.</section>
<section class="section">
<br><img class="image" id="reference_a3h_dqc_vlb__image_jdx_jvc_vlb" src="https://documentation.media5corp.com/download/attachments/45482024/OtherCertificates-tls.png" width="800"><br>
</section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic reference nested1" aria-labelledby="ariaid-title4" id="unique_13414300681975189829">
<h2 class="title topictitle2" id="ariaid-title4">Certificates Required by the Sentinel SBC Used as the TLS Server</h2>
<div class="body refbody"><p class="shortdesc">To be a TLS server, the Sentinel SBC must be loaded with at least one host certificate.
The host certificate is found under <span class="keyword wintitle">Management</span>/<span class="keyword wintitle">Certificates</span> in the <span class="keyword wintitle">Host Certificates</span> table. </p>
<section class="section"><p class="p">The Sentinel does not generate its own private key or CSR (Certificate Signing
Request). The key pair and certificate are created on another platform and then imported, so
the private key exists outside the unit: generate it on a trusted workstation, transfer it to
the unit only over a protected channel, and delete the remaining copies once the certificate
is loaded. For information on creating host
certificates refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Creating+a+Media5+Device+Host+Certificate+with+OpenSSL" target="_blank">Technical Bulletins - Creating a Media5 Device Host
Certificate with OpenSSL</a> document.</p><p class="p">A Sentinel SBC can have multiple host
certificates. Which service uses which certificate (the association) is configured in the same
tab: the <span class="keyword wintitle">Sbc</span> box must be checked for the SBC service to use the desired
host certificate.</p><div class="p">
<br><img class="image" id="unique_13414300681975189829__image_kpx_mkl_4mb" src="https://documentation.media5corp.com/download/attachments/45482024/HostCertificateAssociation.png" width="800"><br>
</div><p class="p">If the host certificate is signed by an intermediate CA, load the intermediate CA
certificate in the <span class="keyword wintitle">Other Certificates</span> table as well. The SBC then
embeds it in the certificate chain it sends when a client requests the server certificate, so
the client can build a path to its trusted root without holding the intermediate itself. Make
sure the host certificate validity period is current (its start date has passed and it has not
expired). If not, the SBC will not present the host certificate in the TLS handshake and the
TLS negotiation will fail.</p><br><img class="image" id="unique_13414300681975189829__image_k5d_mvc_vlb" src="https://documentation.media5corp.com/download/attachments/45482024/HostCertificates-TLS.png" width="800"><br>For more details on certificates, refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Using+Trusted+CA+and+Host+Certificates" target="_blank">Technical Bulletins - Using Trusted CA and Host
Certificates</a> document published on the Media5 documentation portal at <a class="xref" href="https://documentation.media5corp.com" target="_blank">https://documentation.media5corp.com</a>.</section>
</div>
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested0" aria-labelledby="ariaid-title5" id="task_pzq_clj_llb">
<h1 class="title topictitle1" id="ariaid-title5">Setting the TLS mode used by the Network Interfaces</h1>
<div class="body taskbody">
<section id="task_pzq_clj_llb__steps_yly_2kj_llb"><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps" id="task_pzq_clj_llb__steps_yly_2kj_llb"><li class="li step stepexpand">
<span class="ph cmd">Go to <span class="keyword wintitle">SBC</span>/<span class="keyword wintitle">Configuration</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">Signaling Interface Configuration</span> table, from the <span class="keyword wintitle">TLS Mode</span> selection list, for
each signaling interface, choose the TLS mode the signaling interface will use.
</span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> The TLS mode selected for each signaling interface depends on the scenario
being implemented.</div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>When the signaling interface is used, the TLS mode determines whether the Sentinel SBC
acts as a TLS client or a TLS server, and therefore which certificates are
required.<ul class="ul" id="task_pzq_clj_llb__ul_ip5_34d_vlb">
<li class="li">In Server mode, the signaling interface acts as a TLS server. This mode
requires a valid host certificate on the unit.</li>
<li class="li">In Client mode, the signaling interface acts as a TLS client. If no host
certificate is enabled on the unit, only this mode is available.</li>
<li class="li">In Both mode, the signaling interface can act as a TLS server or a TLS
client. </li>
</ul></section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested0" aria-labelledby="ariaid-title6" id="task_xyj_tjj_llb">
<h1 class="title topictitle1" id="ariaid-title6">Configuring a Call Agent to Only Use TLS Transport </h1>
<div class="body taskbody">
<section class="section context"><div class="tasklabel"><strong class="sectiontitle tasklabel">Context</strong></div>
<p class="p">Use this procedure if TLS transport is the only transport type used by the Call
Agent. If the Call Agent needs to use multiple transport types, refer to the <a class="xref" href="#task_a1w_xyc_vlb">Configuring a Call Agent to Use TLS and Other Transport Types</a> procedure.</p>
</section>
<section id="task_xyj_tjj_llb__steps_yly_2kj_llb"><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps" id="task_xyj_tjj_llb__steps_yly_2kj_llb"><li class="li step">
<span class="ph cmd">Go to <span class="keyword wintitle">SBC</span>/<span class="keyword wintitle">Configuration</span>.</span>
</li><li class="li step">
<span class="ph cmd">In the <span class="keyword wintitle">Call Agent Configuration</span>
table, click <img class="image" id="task_xyj_tjj_llb__image_n3v_lyc_vlb" src="https://documentation.media5corp.com/download/attachments/45482024/pencilbleu.jpg" width="15"> located on the same line as the Call
Agent that must use TLS. </span>
</li><li class="li step">
<span class="ph cmd">In the <span class="keyword wintitle">Configure Call Agent</span> table,
from <span class="keyword wintitle">Force Transport</span>
selection list, choose <span class="keyword wintitle">TLS</span>.</span>
</li><li class="li step">
<span class="ph cmd">Click <span class="keyword wintitle">Save</span>.</span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>When the Call Agent is used to route a call, TLS transport is used. </section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested0" aria-labelledby="ariaid-title7" id="task_a1w_xyc_vlb">
<h1 class="title topictitle1" id="ariaid-title7">Configuring a Call Agent to Use TLS and Other Transport Types</h1>
<div class="body taskbody">
<section class="section context"><div class="tasklabel"><strong class="sectiontitle tasklabel">Context</strong></div>Use this procedure if the Call Agent must support multiple SIP transports. If the
Call Agent must only use TLS transport, refer to the <a class="xref" href="#task_xyj_tjj_llb">Configuring a Call Agent to Only Use TLS Transport</a> procedure.</section>
<section id="task_a1w_xyc_vlb__steps_npd_2dd_vlb"><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps" id="task_a1w_xyc_vlb__steps_npd_2dd_vlb"><li class="li step">
<span class="ph cmd">Go to <span class="keyword wintitle">SBC</span>/<span class="keyword wintitle">Rulesets</span>.</span>
</li><li class="li step">
<span class="ph cmd">In the <span class="keyword wintitle">Routing Rulesets</span> table, click <br><img class="image" id="task_a1w_xyc_vlb__image_my5_zdd_vlb" src="https://documentation.media5corp.com/download/attachments/45482024/pencilbleu.jpg" width="15"><br> on the same line as the routing ruleset
that uses the Call Agent that must use TLS Transport. </span>
</li><li class="li step">
<span class="ph cmd">Click <span class="keyword wintitle">edit</span>.</span>
</li><li class="li step">
<span class="ph cmd">In the <span class="keyword wintitle">Advanced</span>
section, check the <span class="keyword wintitle">Force Transport</span> check
box.</span>
</li><li class="li step">
<span class="ph cmd">From the selection list, choose <span class="keyword wintitle">TLS</span>.</span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>This allows different types of transport to be used based on specific conditions.
Therefore, when a call is routed for the specified conditions of the Routing Ruleset,
TLS will be used. </section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic reference nested0" aria-labelledby="ariaid-title8" id="reference_ur5_yx3_ps">
<h1 class="title topictitle1" id="ariaid-title8">Available Documentation</h1>
<div class="body refbody">
<section class="section">For more details, refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Latest+DGW" target="_blank">Mediatrix Documentation</a> published on the <a class="xref" href="https://documentation.media5corp.com/" target="_blank">Media5 Documentation Portal</a>.</section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title9" id="concept_fqm_rv4_k4">
<h1 class="title topictitle1" id="ariaid-title9">Copyright Notice</h1>
<div class="body conbody"><p class="shortdesc">Copyright © 2023 Media5 Corporation.</p>
<p class="p">This document contains information that is proprietary to Media5 Corporation.</p>
<p class="p">Media5 Corporation reserves all rights to this document as well as to the Intellectual Property
of the document and the technology and know-how that it includes and represents.</p>
<p class="p">This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever,
without written prior approval by Media5 Corporation.</p>
<p class="p">Media5 Corporation reserves the right to revise this publication and make changes at any time
and without the obligation to notify any person and/or entity of such revisions and/or
changes.</p>
</div>
</article></article></main></body></html>