Reference11r1:Concept H.323 over TCP/TLS (H.460.17)

From innovaphone wiki
Revision as of 16:29, 18 February 2015 by Sga (talk | contribs) (→‎Known Issues)

The standard H.460.17 is an extension to the H.323 standard. It defines a mode of operation that uses a single TCP or TLS connection for both RAS and call control within H.323, by tunneling the RAS messages inside H.225 signaling messages. This simplifies NAT and firewall traversal, and in some scenarios first makes it possible. This feature is available starting with version 11. In the TLS case, device certificates can be used to authenticate phones at the PBX.

Configuration

Two new protocol selections are available on the phones and in gateway configuration: H.323/TCP and H.323/TLS.

On the PBX, incoming H.460.17 registrations are accepted by default. There is a new checkmark on devices, 'TLS only', which can be used to allow only H.323/TLS registrations.

In the TLS case, the device certificate is used. If a registration with hardware id is done, the name in the device certificate is checked against the registration name. This way the phone can be authenticated towards the PBX without configuring any credentials on the phone.

Homeoffices without VPN

Together with ICE, this feature allows the use of phones in home offices without a VPN connection. The PBX may even be located inside a private network, provided there is a single mapping on the NAT router that forwards incoming TCP connections on port 1300 (the well-known port for H.323 over TCP) to the PBX.

Known Issues

  • Certificate-based authentication only works if the PBX trusts the certificate presented by the phone. Some very old innovaphone phones use a self-signed certificate instead of one issued by the innovaphone Device Certification Authority; such certificates will usually not be accepted. You can check the device certificate under General/Certificates (Device certificate). If it shows C=DE, O=innovaphone, OU=innovaphone Device Certification Authority as Issuer, it is a valid certificate. If it shows itself as Issuer (that is, if Subject and Issuer are equal), it is a self-signed certificate.
  • The PBX must have the "innovaphone Device Certification Authority" certificate in its Trust-list, otherwise it will reject the phone certificates signed by it. As explained above, some very old innovaphone devices might be missing this certificate. To solve the problem, you can download the certificate from another device and upload it into the Trust-list of the device running the PBX.
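The two checks described on this page, the name comparison for hardware-id registrations (Configuration) and the Issuer/Subject inspection for detecting self-signed or untrusted device certificates (Known Issues), are illustrated below in one added Python example. It is not innovaphone code and does not show how the PBX implements these checks; it works on DN strings in the form displayed under General/Certificates. The assumptions are: the certificate name compared against the registration name is the subject CN, the sample DNs and hardware ids are constructed, and the Trust-list is modelled as a set of issuer DN strings.

```python
"""Classify a phone's device certificate and decide whether a hardware-id
registration over H.323/TLS should be accepted.

Added illustration, not innovaphone code. The DN strings are constructed
samples in the form shown under General/Certificates on the phone."""

# Issuer DN that a valid innovaphone device certificate shows (from the page).
DEVICE_CA_DN = "C=DE, O=innovaphone, OU=innovaphone Device Certification Authority"


def parse_dn(dn: str) -> dict:
    """Parse a comma-separated 'KEY=value' DN string into a dict.

    Keys are upper-cased and surrounding whitespace is dropped so that
    'c=de' and ' C=DE ' compare equal; values are kept as written.
    """
    parts = {}
    for item in dn.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        parts[key.strip().upper()] = value.strip()
    return parts


def classify_certificate(subject: str, issuer: str) -> str:
    """Return 'self-signed', 'device-ca' or 'other' for a device certificate.

    Mirrors the manual check on the page: Subject == Issuer means self-signed,
    the innovaphone Device CA as Issuer means a valid device certificate.
    """
    if parse_dn(subject) == parse_dn(issuer):
        return "self-signed"
    if parse_dn(issuer) == parse_dn(DEVICE_CA_DN):
        return "device-ca"
    return "other"


def accept_registration(subject: str, issuer: str, registration_name: str, trust_list: set):
    """Decide whether a hardware-id registration over TLS is accepted.

    trust_list models the PBX Trust-list as a set of issuer DN strings (assumption).
    Returns (accepted, reason).
    """
    kind = classify_certificate(subject, issuer)
    if kind != "device-ca":
        return False, f"certificate is {kind}, not issued by the Device CA"
    # The PBX must hold the Device CA certificate in its Trust-list (Known Issues).
    if parse_dn(issuer) not in [parse_dn(t) for t in trust_list]:
        return False, "issuer certificate missing from PBX Trust-list"
    # Assumption: the certificate name compared to the registration is the subject CN.
    cert_name = parse_dn(subject).get("CN", "")
    if cert_name != registration_name:
        return False, f"certificate name {cert_name!r} does not match registration {registration_name!r}"
    return True, "accepted"


# Constructed sample data (hardware ids and DNs are made up for this example).
PHONE_OK_SUBJECT = "C=DE, O=innovaphone, CN=IP222-00-90-33-AA-BB-CC"
OLD_PHONE_SUBJECT = "C=DE, O=innovaphone, CN=IP200-00-90-33-11-22-33"
PBX_TRUST_LIST = {DEVICE_CA_DN}


if __name__ == "__main__":
    # Valid device certificate, matching name: accepted.
    print(accept_registration(PHONE_OK_SUBJECT, DEVICE_CA_DN, "IP222-00-90-33-AA-BB-CC", PBX_TRUST_LIST))
    # Very old phone with a self-signed certificate: rejected.
    print(accept_registration(OLD_PHONE_SUBJECT, OLD_PHONE_SUBJECT, "IP200-00-90-33-11-22-33", PBX_TRUST_LIST))
    # Valid certificate but registration under a different name: rejected.
    print(accept_registration(PHONE_OK_SUBJECT, DEVICE_CA_DN, "IP222-00-90-33-00-00-00", PBX_TRUST_LIST))
    # PBX whose Trust-list lacks the Device CA: rejected even for a valid certificate.
    print(accept_registration(PHONE_OK_SUBJECT, DEVICE_CA_DN, "IP222-00-90-33-AA-BB-CC", set()))
```

The four cases in the usage section correspond to the situations the page describes: a current phone registering under its hardware id, a very old phone with a self-signed certificate, a name mismatch, and a PBX whose Trust-list is missing the Device CA certificate.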

See also

Reference11r1:Concept Using PBX services from public internet