Reference13r3:Concept Third Party Phones
innovaphone phones use ICE and DTLS-SRTP for direct media compatibility with WebRTC. This way media can be exchanged directly between the phones and a Browser, which offloads the PBX from media forwarding. Many third party phones do not support ICE or DTLS-SRTP, for this reason a configuration which includes media relay in the PBX for these phones is recommended. The configuration for third party phones consists of the following components:
- Media Relay set for the device
- Optionally a TURN Server within the private network
- Port forwarding from the NAT-Router to the internal TURN Server or to the PBX
Phones within the same Network as the PBX
For phones within the same network as the PBX, it is sufficient to configure Media Relay at the device settings for the phones. This way normal media negotiation happens between the Phone and the PBX and the RTP data is exchanged between phone and PBX. The PBX forwards the RTP data to the other endpoint. This elimnates media negotiation compatibilty issues of theses phones with any other endpoint within the system.
On the other hand it create additional CPU load on the PBX for the forwarding. Esspecially decryption and encryption of the forwarded RTP data creates some load. This is needed, because WebRTC endpoints or innovaphone phones use DTLS-SRTP for encryption, which is in this case terminated within the PBX.
Phones from outside the PBX network
For phones from outside the PBX network several issues have to be addressed: Registration to the PBX, RTP NAT traversal and security.
Registration
To forward the registration from the outside network to the PBX is done by the innovaphone reverse proxy. Just port forwarding from the firewall or the NAT router is not good enough, because the information that the registration is forwarded from outside is needed for the media mechanisms. SIP TCP or TLS has to be used for the registration, because UDP is not supported by the innovaphone reverse proxy.
To save public IP addresses, the reverse proxy can be placed within the PBX network. In this case port forwarding to the reverse proxy has to be configured on the firewall or NAT router. The port forwarding is needed for SIP(S), HTTP(S), H323(s) and LDAP(s).
On the PBX the reverse proxy or the reverse proxies must be configured, so that the PBX knows, that the registration is received from the outside and can adjust the media negotiation accordingly. If TLS authentication shall be used, the certificate names of the reverse proxies need to be configured as well. The reverse proxy checks that the certificate matches with the registration name and the PBX checks the certificate of the reverse proxy.
RTP NAT traversal
NAT traversal needs to be solved at two places: The firewall / NAT router of the PBX network and the firewall / NAT router of the phone.
PBX Network
RTP data has to be sent from the phone to the PBX or the internal TURN server. This can be achieved by providing the public IP address of the firewall or NAT router to the phone within the SDP. For this reason this address can be configured at the PBX. On the firewall / NAT router a UDP port forwarding to the PBX or the internal TURN server has to be configured for the RTP port range configured on the PBX or the TURN server.
Phone Network
The phone provides an internal IP address with the SDP to receive RTP. To this IP address no RTP can be sent from the outside. So to be able to send to the phone an algorithm called RTP latching is implemented on the PBX and on the TURN server. This algorithm simply changes the destination address for SDP to the address from which RTP data from the phone is received. This is the public IP address and NAT port of the NAT router of the phone network. The NAT on this router forwards the RTP to the phone.
Security
To avoid that data can be sent directly to the PBX a TURN server can be used internally. The security issue here is a potential denial of service attack by sending a lot of data to the PBX. To use a TURN server the TURN checkmark has to be set on the PBX config page. If the firewall of the PBX network has denial of service protection on these ports which are forwarded to the PBX, the TURN server is not needed for this purpose.