Reference11r1:Concept H.323 over TCP/TLS (H.460.17)

From innovaphone wiki
Revision as of 11:14, 5 April 2016 by Afi (talk | contribs) (→‎See also)
Jump to navigation Jump to search

The standard H.460.17 is an extension to the H.323 standard. It defines a mode of operation to use a single TCP or TLS connection for RAS and call-control within H.323. This is done by tunneling the RAS messages within H.225 signaling messages. This simplifies or even allows different NAT or firewall traversal scenarios. This feature is available starting with version 11. In case of TLS device certificates can be used for authentication of phones at the PBX.

Configuration

Two new protocol selections are available on the phones and in gateway configuration: H.323/TCP and H.323/TLS.

On the PBX incoming H.460.17 registrations are accepted default. There is a new checkmark on devices 'TLS only' which can be used to only allow H.323/TLS registrations.

In case of TLS, the device certificate can be used for authentication, instead of the password. If a registration with Hardware ID is done, the CN of the device certificate is checked against the registration name. This way the phone can be authenticated towards the PBX without the need to configure any credentials on the phone.

Homeoffices without VPN

Together with ICE, this feature allows the use of phones in home offices without the need of a VPN connection. Even the PBX may be located inside a private network, provided there is a single mapping on the NAT router to map incoming TCP connections to port 1300 (the well-known port for H.323 over TLS) to the PBX. If you use H.323/TCP and not H.323/TLS the port to be mapped on the NAT router it's 1720.

Known Issues

  • Certificate based authentication only works if the PBX trusts the certificate presented by the phone. Some very old innovaphone phones use a self-signed certificate instead of one that is derived from the innovaphone Device Certification Authority. Such certificates will usually not be accepted. You can check the device certificate by looking at the Device certificate in General/Certificates. If it shows C=DE, O=innovaphone, OU=innovaphone Device Certification Authority as Issuer, it is a valid certificate. If it shows itself as Issuer (that is, if Subject and Issuer are equal), it is a self-signed certificate.
  • The PBX must have the "innovaphone Device Certification Authority" - certificate in its own Trust-list, otherwise it will reject the phone certificates signed by it. When a device starts up, it will examine its own device certificate and and put all certificates found in the certificate chain in to its own trust list. As explained above, some very old innovaphone device might miss the proper device certificate. As a result, the certificates in the trust list will be missing too. To solve the problem, you can download the certificate from another device and upload it in the trust-list of the device running the PBX.
  • The innovaphone Softwarephone and innovaphone myPBX for Android when installed they generate a self-signed certificate that it's not "issued" by the "innovaphone Device Certification Authority" (for security reasons) because of that the PBX will reject the softwarephone/myPBX Android certificate signed by it. To overcome this it's necessary that the self-signed certificate by the "endpoint" be added to the trust-list of the PBX or we assign a new certificate to the "endpoint" issued by an CA that it's trusted by the PBX. It's recommended that the CN value for the certificate must be always unique to avoid issues of duplicate HW-IDs on the PBX what it's not possible.
  • In the case of the innovaphone myPBX for Android the certificate needs to be copied to the PBX another time if myPBX Android was de-installed and re-installed because then myPBX Android starts with a clean vars directory and the certificate is generated freshly with random numbers. This doesn't apply to the innovaphone Softwarephone since it will keep the same CN value (MAC of the PC).
  • The Gatekeeper Discovery can not be used with TCP/TLS - you must define the Gatekeeper Address in order to get H.323 Registration via TCP/TLS working.

See also

Retrieved from "https://wiki.innovaphone.com/index.php?title=Reference11r1:Concept_H.323_over_TCP/TLS_(H.460.17)&oldid=41040"