For network connections, the TLS (Transport Layer Security) support feature provides for secure signaling based on TCP and the TLS protocols.
Lotus Sametime Unified Telephony optionally supports TLS with mutual authentication to protect the SIP signaling stream between the Telephony Control Server and other SIP servers. TLS with mutual authentication should be used if the enterprise security policy requires strong authentication and/or encryption of the SIP signaling stream between SIP servers.
TLS with mutual authentication is used to protect a SIP signaling interface between the following:
Two Lotus Sametime Unified Telephony systems to protect the SIP or SIP-Q interface.
Lotus Sametime Unified Telephony and the to protect the SIP-Q interface.
Lotus Sametime Unified Telephony and a third-party trusted host or peer server that is not bound to a known Lotus Sametime Unified Telephony element type.
Optionally instead of IPsec: External Telephony Control Server Assistant and MetaManagement application to secure OAM&P (Operation, Administration, Maintenance and Provisioning) functions that are performed using SOAP (Simple Object Access Protocol).
Optionally: Subscriber EP (Endpoint) devices and soft clients (such as OpenStage 15/20/20E/40/60/80, optiPoint 410 S, optiPoint 420 S, optiClient 130 S, AP1120 IAD (Integrated Access Device)) to secure the SIP signaling stream.
RG 2700 survivable media gateway
RG 8700 survivable media gateway
Survivable branch offices using Branch
Session border controllers (such as Acme Packet Net-Net 2600 series, Acme Packet Net-Net OS-E)
Other Lotus Sametime Unified Telephony clusters (networked)
Lotus Sametime Xpressions server for unified messaging
If TLS transport is in use to any SIP phones or endpoints, all endpoints (telephones and soft clients) must be configured to register to node 1 of the cluster. This means that the system is operated in an active-standby configuration, with node 1 as the active node and node 2 as the standby node. This operation is distinct from that of an active-active configuration, in which gateways can be configured to register at either node 1 or node 2 during normal operation.
Server authentication takes place when the TLS connection is established. Lotus Sametime Unified Telephony and the interface partner authenticate each other using certificates, which are verified as being valid against a set of pre-stored root certificates.
After authentication succeeds, subsequent communication may be carried over an encrypted connection if confidentiality of the SIP signaling is required. If only strong authentication is required, null encryption is also an alternative.
With mutually authenticated TLS protection of SIP signaling, both interface partners support the role of a TLS client and TLS server. If the TLS connection fails, whichever side detects the failure can re-establish the connection.
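As an added illustration of the mutual authentication described above (example code written for this page, not part of this documentation or of the Lotus Sametime Unified Telephony product), the Go program below constructs a root certificate that plays the part of the pre-stored root, issues leaf certificates for two interface partners, and performs a TLS handshake over loopback in which the server requires and verifies the client certificate while the client verifies the server against the same root. The names, the certificates and the `Issue` and `MutualHandshake` functions are all constructed for the example; passing a nil client slice models a peer that presents no certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue builds an in-memory certificate for cn signed by parent (nil parent: a self-signed root). Example data only.
func Issue(cn string, parent *tls.Certificate) tls.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}} // either TLS role
	if parent == nil { // root: mark it as a CA and let it sign itself
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: t, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent.Leaf, key.Public(), parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// MutualHandshake: one loopback handshake, each side verifying its peer against root alone; returns the server's verdict.
func MutualHandshake(root, server tls.Certificate, client []tls.Certificate) error {
	pool := x509.NewCertPool() // the "pre-stored root certificates": only this root is trusted, on both sides
	pool.AddCert(root.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // peer side: verify the server's chain and name, then present its own certificate
		cfg := &tls.Config{Certificates: client, RootCAs: pool, ServerName: server.Leaf.Subject.CommonName}
		if c, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
			c.Close()
		}
	}()
	c, err := ln.Accept()
	if err != nil {
		return err
	}
	defer c.Close()
	return c.(*tls.Conn).Handshake() // under TLS 1.3 the client may already have finished when this rejects it
}
```

The server-side verdict is the one to check: a peer with no certificate, or with a certificate chaining to a root outside the pool, is rejected there even though a TLS 1.3 client may have completed its own half of the handshake first.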