This is a complete guide that provides detailed information on how to:
1. Set up 3CX Phone System with Secure SIP (SIP over TLS), so that the SIP signalling between phones and the PBX is encrypted instead of being sent in clear text.
2. Create certificates with Simple CA.
3. Use Microsoft's built-in certificate importer to add the Root CA to the Windows trusted certificate store, and
4. Configure IP phones to communicate over Secure SIP. The phones covered in this article are 3CXPhone, Eyebeam, Snom and Yealink.
- Download SimpleCA from here.
- Extract the contents of the SimpleCA ZIP file to "C:\SimpleCA\". Note: due to known issues with this software, it is recommended that the program runs from the root of a drive, in this case C:\.
- Make sure that the time and date on the server are correct: check the time and regional settings in Control Panel before you proceed. Certificates carry a "not before" and "not after" date, so the certificate you create here will not validate, and TLS connections will fail, if the clock on the server or on the phones is wrong.
Configuring 3CX Phone System with TLS
PART1 – Preparing Certificates and Keys for security
Step1: Run SimpleCA. Since you are running it for the first time, you will need to create a Root Certificate Authority, and Simple CA will pop up the "Set Up Root CA" dialog.
The most important field for our configuration is the "Common Name". Set the Common Name to 3CXPHONE. Choose a strong password for the Root CA: whoever has this password (and the CA's private key) can issue certificates that every phone in this guide will trust. Press OK.
Step2: A ca.crt file will be created in "C:\SimpleCA". This is the Root CA certificate, and every TLS client (soft phone or hard phone) needs it in order to verify the PBX's certificate and establish a TLS connection. Create a copy of this file and rename it to "root_cert_3CXPHONE.pem". Keep this file handy; it is imported into each phone as described later on. Only this certificate is distributed to the phones; the Root CA's private key must stay on the CA machine.
PART2 – Create the 3CX Phone System Server Certificate:
Step1: Click on “Server Certificates” menu and choose “New Server Certificate Request”:
This creates the certificate that the 3CX Phone System will present to phones connecting over TLS on a specific network interface.
Step2: Set the Common Name field to the IP address on which 3CX Phone System will listen for incoming TLS connections. This must match exactly the address the phones will be configured to connect to (the phones later in this guide use the IP address, e.g. 192.168.1.20), because TLS clients compare the server's name against the certificate. Once done, click OK.
You will be prompted to save this certificate request (it is not signed yet).
Step3: Signing a Server Certificate
Click on “Server Certificates” menu and choose “Sign Server Certificate Request”.
This will prompt you to select the desired certificate to be signed – select the one you just created. After that, SimpleCA will display as “read-only” the certificate information, asking you to confirm signing.
Step4: Security confirmation
Click OK. You will be prompted for the password you chose when you created the Root CA. Enter it and click OK. Simple CA will generate a pair of files: the signed certificate (.crt) and its private key (.key). Treat the .key file as a secret; anyone who obtains it can impersonate the PBX to every phone that trusts the Root CA.
Step5: Locating security files
Open "C:\SimpleCA\certificates". The files we are interested in are the .crt and .key files created in the previous step. These are the files we need in the next step.
Step6: Installing the certificate on the 3CX Phone System
Open the Management Console, go to Settings / Advanced and click the Security tab.
Open the .crt file in a text editor. Select the whole content and copy and paste it into the "Certificate" text box.
Open the .key file in a text editor, select the whole content and copy and paste it into the "Key" field. Click the Enable Secure SIP button, followed by Apply and OK.
Note: if your 3CX Phone System server has more than one network card, the interface IP address used to generate the certificate must match the interface selected in the Security tab "Select Interface" field, so that traffic is secured on the proper interface and the certificate's Common Name matches the address the phones connect to.
Step7: Restart the 3CX Phone System service from the "Services Status" section. At this point the 3CX Phone System is configured and ready to accept incoming TLS connections.
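The same two parts (Root CA, then a server certificate with the PBX IP as Common Name, signed by that CA) done with OpenSSL instead of SimpleCA, plus the checks worth running before pasting anything into the console. This is an added example, not part of the original article and not SimpleCA's own code; it assumes OpenSSL 1.1.1 or newer on the PATH, that the PBX listens on 192.168.1.20 (override with PBX_IP), an output directory OUT, and a Root CA passphrase in CA_PASS. The server key is deliberately written unencrypted because the 3CX console expects the raw PEM key in the "Key" field, so protect the output directory accordingly.

```shell
#!/bin/sh
# Added example: OpenSSL equivalent of the SimpleCA steps in Part 1 and Part 2.
# Assumptions (not from the article): OpenSSL >= 1.1.1, PBX_IP = TLS interface
# of the PBX, OUT = writable directory, CA_PASS = Root CA passphrase.
set -eu

PBX_IP="${PBX_IP:-192.168.1.20}"
OUT="${OUT:-./simpleca-equiv}"

# Minimal OpenSSL config so the commands do not depend on the system openssl.cnf.
# v3_ca marks the root as a CA; v3_server adds the IP as a SAN, which newer
# validators require in addition to the Common Name.
write_conf() {
  mkdir -p "$OUT"
  cat > "$OUT/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:${PBX_IP}
EOF
}

# Part 1: Root CA with Common Name 3CXPHONE; private key encrypted with CA_PASS.
make_root_ca() {
  write_conf
  openssl genrsa -aes256 -passout pass:"${CA_PASS:?set CA_PASS to the Root CA passphrase}" \
    -out "$OUT/ca.key" 2048
  openssl req -new -config "$OUT/req.cnf" -subj "/CN=3CXPHONE" \
    -key "$OUT/ca.key" -passin pass:"$CA_PASS" -out "$OUT/ca.csr"
  openssl x509 -req -in "$OUT/ca.csr" -signkey "$OUT/ca.key" -passin pass:"$CA_PASS" \
    -days 3650 -sha256 -extfile "$OUT/req.cnf" -extensions v3_ca -out "$OUT/ca.crt"
  # The file the phones import, under the name the article uses (same content as ca.crt).
  cp "$OUT/ca.crt" "$OUT/root_cert_3CXPHONE.pem"
}

# Part 2: server request with Common Name = PBX IP, signed by the Root CA.
# The key is unencrypted because the 3CX console takes the raw PEM key.
make_server_cert() {
  openssl genrsa -out "$OUT/server.key" 2048
  openssl req -new -config "$OUT/req.cnf" -subj "/CN=$PBX_IP" \
    -key "$OUT/server.key" -out "$OUT/server.csr"
  openssl x509 -req -in "$OUT/server.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -passin pass:"${CA_PASS:?set CA_PASS to the Root CA passphrase}" -CAcreateserial \
    -days 825 -sha256 -extfile "$OUT/req.cnf" -extensions v3_server -out "$OUT/server.crt"
}

# Check 1: the server certificate chains to the Root CA the phones will trust.
verify_chain() {
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/server.crt" >/dev/null
}

# Check 2: the subject is exactly CN=<PBX IP>; a mismatch here is the usual
# reason a phone refuses the TLS connection after importing the root file.
server_cn() {
  openssl x509 -in "$OUT/server.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}
check_cn_matches_ip() {
  [ "$(server_cn)" = "CN=$PBX_IP" ]
}

# Check 3 (run from a phone's network after Step 7): the PBX must present a
# certificate that verifies against the root file; expect "Verify return code: 0 (ok)".
probe_pbx() {
  echo | openssl s_client -connect "$PBX_IP:5061" -CAfile "$OUT/root_cert_3CXPHONE.pem" \
    2>/dev/null | grep 'Verify return code'
}

case "${1:-}" in
  run)   make_root_ca && make_server_cert && verify_chain && check_cn_matches_ip \
           && echo "OK: paste $OUT/server.crt and $OUT/server.key into the Security tab" ;;
  probe) probe_pbx ;;
esac
```

Run it as `CA_PASS='...' PBX_IP=192.168.1.20 sh make-3cx-certs.sh run` to produce the files, and `sh make-3cx-certs.sh probe` from a phone's subnet once the service has restarted; the probe is the quickest way to tell a wrong Common Name or a phone that never imported the root file from a PBX that is not listening on 5061 at all.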
Configuring IP Phones with TLS
Configuring the 3CXPhone with Secure SIP
Step1: In the 3CXPhone, create and register a normal (unencrypted) connection to the PBX.
Step2: Right-click on the 3CXPhone, click on Accounts, and double-click on the account you want to enable Secure SIP on.
In the "My Location" section, enter the IP address of the 3CX Phone System server followed by the TLS port, for example 10.172.0.15:5061. The address must be the one used as the Common Name of the server certificate.
Click on “Advanced Settings”
Change SIP transport to TLS.
Step3: Click on Certificates and Import, and import the file "root_cert_3CXPHONE.pem". This is the Root CA certificate you created in Part 1, Step 2; without it the phone cannot verify the PBX's certificate.
A message box will appear that the certificate has been imported. Press OK and 3CXPhone will reconnect this time using TLS.
Configuring Counter Path’s Eyebeam to use TLS
Eyebeam uses the Windows certificate store, so the Root CA certificate has to be imported there.
Step1: On the machine where Eyebeam is installed, open Internet Explorer and go to Tools / Internet Options / Content tab / Certificates; the Certificate Manager dialog is displayed. Click the Import button and the Certificate Import Wizard opens.
Step2: Import certificate
Import the certificate "root_cert_3CXPHONE.pem" and click Next. This is the file generated and renamed in Part 1, Step 2.
Step3: Select Certificate Store
Select the option "Place all certificates in the following store". Click Browse and select "Trusted Root Certification Authorities". Click OK.
Click Finish to complete the wizard. The certificate is now in the Windows certificate store, ready for use by Eyebeam. Note that this makes the 3CXPHONE Root CA trusted by every application on that machine that uses the Windows store, not only by Eyebeam, which is one more reason to keep the Root CA password and private key secure.
Step4:
- Start Eyebeam and go to SiP Account Settings
- Select the account you want to configure secure SiP on and click properties
- Change the Domain field to the IP address of the 3CX Phone System followed by :5061, for example 192.168.1.20:5061. Port 5061 is the default port for SIP over TLS.
- Click on the Security tab, change Signalling Transport to TLS and choose the Media Encryption option. The default, "Make unencrypted calls, accept all calls", leaves the audio in clear text even though the signalling is now encrypted; see the Secure RTP section below. Click OK.
- Eyebeam will register to the 3CX Phone System over a TLS connection.
Configuring Snom Phones to use TLS
Step1: Open Snom Phone’s web interface.
Step2: Go to Setup > Trusted Certificates. Click the "Browse" button and upload "root_cert_3CXPHONE.pem". This is the Root CA certificate (not a client certificate); the phone uses it to verify the PBX.
Step3: Go to the "Setup->Identity 1" link and in the "Account" field enter the Extension Number (Eg: "107"). In the "Password" field enter the Authentication Password for the Extension (Eg: "107"; the example only repeats the extension number for readability, in practice use a strong, unique password) and in the "Registrar" field enter the IP address of the 3CX Phone System machine, for example 192.168.1.20.
Step4: In the "Outbound Proxy" field, enter "x.x.x.x:5061;transport=tls", where x.x.x.x is the IP address of the 3CX Phone System machine (Eg: "192.168.1.20:5061;transport=tls"). The ";transport=tls" parameter is what forces the phone to use TLS rather than UDP or TCP for this proxy.
Step5: In the “Authentication Username” field, enter the Authentication ID for the Extension (Eg: “107”)
Step6: Click the “Save” button at the bottom of the page. Click the “Re-Register” button at the bottom of the page. The Snom phone is now registered to the 3CX Phone System and will use TLS transport for SiP communications.
Configuring Yealink Phones to use TLS
Step1: Open Yealink’s Web interface
Step2: Go to Security > Trusted Certificates. Click the "Browse" button and upload "root_cert_3CXPHONE.pem". This is the Root CA certificate (not a client certificate); the phone uses it to verify the PBX.
Step3: Go to the "Account" link and in the "Label", "Display Name" and "User Name" fields enter the Extension Number (Eg: "163"). In the "Register Name" field enter the Authentication ID (Eg: "id163"). In the "Password" field enter the Authentication Password for the Extension (Eg: "pw163") and in the "SIP Server" field enter the IP address of the 3CX Phone System machine, for example 192.168.1.20. Set the "Port" to 5061.
Step4: Set the Transport to TLS. Press Confirm at the bottom of the page. The Yealink phone is now registered to the 3CX Phone System and will use TLS transport for SIP communications.
Configuring IP Phones with Secure RTP
TLS protects only the SIP signalling. The audio (RTP) stays in clear text unless Secure RTP (SRTP) is enabled on the phone as well. Because these phones exchange the SRTP keys inside the SIP/SDP messages, SRTP should always be combined with TLS signalling: SRTP over unencrypted SIP exposes the media keys to anyone who can read the signalling.
Configuring Yealink Phones to use Secure RTP
Step1: Open Yealink’s Web interface
Step2: Go to Account > Advanced: Set the Option “Voice Encryption (SRTP)” to ON.
Step3: Press Confirm at the bottom of the page. The Yealink phone will now use Secure RTP.
Configuring Snom Phones to use Secure RTP
Step1: Open Snom Phone’s web interface.
Step2: Go to the "Setup->Identity 1" link, click on "RTP" and set the option "RTP Encryption" to ON.
Step3: Press Save. The Snom phone will now use Secure RTP
Configuring 3CX Phone to use Secure RTP
Step1: Go to the 3CX Phone’s Account Page
Step2: Select the Account you require and press Edit
Step3: Click on Advanced Settings and set "RTP Mode" to either "Allow Secure" (the phone accepts both Secure RTP and plain RTP) or "Only Secure" (the phone accepts only Secure RTP connections). "Only Secure" is the safer choice when every endpoint supports SRTP; "Allow Secure" lets a call silently fall back to unencrypted audio.
Step4: Press OK Until you get to the VoIP phone Main Screen. The 3CX VoIP phone will now use Secure RTP.