This is a complete guide that will provide detailed information on how to:
- Set up 3CX Phone System with Secure SIP (TLS). SIP signalling between the phones and the PBX is then encrypted and authenticated against a certificate you issue; note that TLS covers only the signalling, the audio (RTP) is handled separately by Secure RTP, which is covered at the end of this guide.
- Create certificates with Simple CA.
- Use Microsoft's inbuilt importer for trusted certificates.
- Configure IP phones to communicate SIP securely. We'll be using 3CXPhone for Windows, Eyebeam, snom phones and Yealink phones.
- Download SimpleCA.
- Extract the contents of the SimpleCA zip file to "C:\SimpleCA\". Note: due to known issues with this software, it is recommended that this program runs from the root directory, in this case the C:\ drive.
- Make sure that the time and date on the server are correct, so check the time and regional settings in your Control Panel before proceeding. Certificates carry a validity period, so a wrong clock produces certificates that are "not yet valid" or already expired when the phones check them.
Configuring 3CX Phone System with TLS
Part 1 – Preparing Certificates and Keys for Security
Step 1: Run SimpleCA. Since you are running this for the first time, you will need to create a Root Certificate Authority, and Simple CA will pop up the "Set Up Root CA" dialog.
The most important field for our configuration is the "Common Name". Set the Common Name to 3CXPHONE and click OK. You will also be asked for a password that protects the CA's private key; remember it, it is needed every time you sign a server certificate.
Step 2: A ca.crt file will be created in "C:\SimpleCA". This is the Root CA certificate. Every TLS client (softphone or hard phone) needs it to validate the certificate the PBX presents, otherwise the client cannot establish a trusted TLS connection to the PBX. Create a copy of this file and rename it to "root_cert_3CXPHONE.pem" (the file is already in PEM format, only the name changes). Keep this file handy for further use; it is the file imported into 3CXPhone for Windows and the hard phones later on. The matching ca.key file, by contrast, must stay on the CA machine: whoever holds it can issue certificates that every phone will trust.
Part 2 – Create the 3CX Phone System Server Certificate:
Step 1: Click on the "Server Certificates" menu and choose "New Server Certificate Request":
You are about to create a certificate which will later be installed on the 3CX Phone System so it can answer TLS connection requests arriving on a specific network interface.
Step 2: Set the field Common Name to the IP address on which 3CX Phone System will listen for incoming TLS connection requests; the phones compare this value with the address they are configured to register to, so it must match exactly. Once done, click OK. You will be prompted to save this (unsigned) certificate request.
Step 3: Signing the Server Certificate. Sign the request you just saved with the Root CA created in Part 1.
Step 4: Security Confirmation. You will be prompted to enter the same password you used when you created the Root CA. Enter that password, then click OK. Simple CA will generate a pair of files: the signed certificate (with .cer extension) and its private key (with .key extension). Protect the .key file in the same way as the CA key; it is what proves to the phones that they are talking to the real PBX.
Step 5: Installing the Certificate on the 3CX IP PBX
Open the 3CX Management Console, go to the Settings/Advanced section and click on the Security tab. Open the signed certificate file from Step 4 with a text editor, select all the content and copy & paste it into the "Certificate" text box. The PBX also needs the matching private key from the .key file to complete TLS handshakes, so paste that into the corresponding private key field as well; a certificate whose key does not match (or is missing) will make every TLS registration fail.
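The following script is an added example and not part of the original guide or of Simple CA: it reproduces Parts 1 and 2 with openssl so that the result can be checked before anything is pasted into the Management Console. The PBX IP address, the working directory, the key sizes and the validity periods are assumed values. It goes one step beyond the guide by also placing the IP address in a subjectAltName, which TLS stacks that follow RFC 6125 require, and by checking that the certificate and key belong together.

```shell
#!/bin/sh
# Added example, not from the guide or from Simple CA. Assumed values:
PBX_IP="${PBX_IP:-192.168.1.20}"      # assumed: address on which 3CX listens on 5061
WORKDIR="${WORKDIR:-$(mktemp -d)}"    # assumed: scratch directory instead of C:\SimpleCA

# Part 1: root CA with Common Name 3CXPHONE. ca.crt is what the phones import;
# ca.key signs every server certificate and must never leave the CA machine.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -subj "/CN=3CXPHONE" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1 || return 1
  # Same certificate under the file name the guide uses for the phones.
  cp "$WORKDIR/ca.crt" "$WORKDIR/root_cert_3CXPHONE.pem"
}

# Part 2: server key and request with CN = PBX IP, then signed by the root CA.
# The IP also goes into subjectAltName: RFC 6125 clients match the SAN and
# ignore the CN, so a CN-only certificate relies on the phone's legacy behaviour.
make_server_cert() {
  ip="$1"
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -subj "/CN=$ip" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" > "$WORKDIR/server.ext"
  openssl x509 -req -sha256 -days 825 \
    -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" >/dev/null 2>&1
}

# What a phone does on connect: chain server.crt to the imported root and check
# that the certificate is for the IP it dialled. Exit 0 means the phone accepts.
verify_for_ip() {
  openssl verify -CAfile "$WORKDIR/root_cert_3CXPHONE.pem" \
    -verify_ip "$1" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Before pasting into the 3CX Security tab: certificate and .key must belong
# together, or the PBX cannot complete the handshake. Compare the public keys.
cert_matches_key() {
  c=$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$WORKDIR/server.key" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Subject CN as issued, to compare with the IP typed into the phones'
# Registrar / Outbound Proxy / Domain fields. Works with old and new subject syntax.
server_cn() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

run_demo() {
  make_root_ca && make_server_cert "$PBX_IP" || { echo "openssl failed" >&2; return 1; }
  cert_matches_key || { echo "certificate and key do not match" >&2; return 1; }
  if verify_for_ip "$PBX_IP"; then
    echo "OK: phones pointed at $PBX_IP:5061 will accept the certificate for CN=$(server_cn)"
  else
    echo "FAIL: certificate does not validate for $PBX_IP" >&2
    return 1
  fi
}

run_demo
```

Once the certificate and key are installed on the PBX, the same check can be run against the live port from any machine that holds only the root file: `openssl s_client -connect 192.168.1.20:5061 -CAfile root_cert_3CXPHONE.pem` should report "Verify return code: 0 (ok)"; anything else is what the phones will also reject.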
Configuring IP Phones with TLS
Configuring 3CXPhone for Windows with Secure SIP
Step 1: Right click on 3CXPhone for Windows, click on Accounts, and double click on the account you want to enable secure SIP on.
In the "My Location" section, enter the IP address of the 3CX Phone System machine followed by the TLS port, for example 10.172.0.15:5061. The address must be the one used as Common Name of the server certificate, otherwise the certificate check fails.
Click on "Advanced Settings".
Change SIP transport to TLS.
Step 2: Click on Certificates and Import. You'll need to import the file "root_cert_3CXPHONE.pem". This is the file you created in Part 1, Step 2.
A message box will appear that the certificate has been imported. Press OK and 3CXPhone for Windows will reconnect this time using TLS.
Configuring CounterPath's Eyebeam to Use TLS
Step 1: On the machine where Eyebeam is installed, open Internet Explorer, click on Tools > Internet Options > the Content tab > Certificates, and the Certificate Manager dialog will be displayed. Click on the Import button and the Certificate Import Wizard will open.
Step 2: Import Certificate
Import the certificate "root_cert_3CXPHONE.pem" and click Next. This is the file generated and renamed in Part 1, Step 2.
Step 3: Select Certificate Store
Select the option "Place all certificates in the following store". Click Browse, select "Trusted Root Certification Authorities" and click OK. Be aware that this store is used by Windows as a whole, not just by Eyebeam: from now on every application on this machine, including the browser, trusts any certificate signed with your ca.key. That is one more reason to keep the CA key off the phones' machines and to remove the root from this store if the PBX is ever decommissioned.
- Start Eyebeam and go to the SIP Account Settings.
- Select the account where you want to configure secure SIP and click Properties.
- Change the Domain field to the IP address of 3CX Phone System followed by :5061, for example 192.168.1.20:5061. 5061 is the default port for SIP over TLS.
- Click on the Security tab and change Signalling Transport to TLS, then choose the Media Encryption setting. The default, "Make unencrypted calls, accept all calls", leaves the audio in the clear even though the signalling is now protected; pick one of the encrypted options if you want SRTP as well. Click OK.
- Eyebeam will start and will register with 3CX Phone System over a TLS secured connection.
Configuring snom Phones to use TLS
Step 1: Open the snom phone’s web interface.
Step 2: Go to Setup > Trusted Certificates. Click the "Browse" button and upload the root CA certificate root_cert_3CXPHONE.pem. This is the CA certificate from Part 1, not a client certificate; the phone uses it only to verify the PBX.
Step 3: Go to Setup > Identity 1 and in the "Account" field enter the Extension Number (e.g. 107). In the Password field, enter the Authentication Password for the Extension, and in the Registrar field enter the IP address of the 3CX Phone System machine, for example 192.168.1.20. (The password "107" used as the example on the original page is the extension number; use the real, non-guessable authentication password of the extension, since TLS protects the password in transit but not against guessing.)
Step 4: In the Outbound Proxy field, enter x.x.x.x:5061;transport=tls, where x.x.x.x is the IP address of the 3CX Phone System machine (e.g. 192.168.1.20:5061;transport=tls).
Step 5: In the Authentication Username field, enter the Authentication ID for the Extension (e.g. 107).
Step 6: Click the Save button at the bottom of the page. Click the Re-Register button at the bottom of the page. The snom phone is now registered to 3CX Phone System and will use TLS transport for SIP communications.
Configuring Yealink Phones to use TLS
Step 1: Open Yealink’s Web interface
Step 2: Go to Security > Trusted Certificates. Click the Browse button and upload the root CA certificate root_cert_3CXPHONE.pem (the CA certificate from Part 1, not a client certificate).
Step 3: Go to the Account link. In the Label, Display Name and User Name fields enter the Extension Number (e.g. 163). In the Register Name field enter the Authentication ID (e.g. id163). In the Password field enter the Authentication Password for the Extension (e.g. pw163), and in the SIP Server field enter the IP address of the 3CX Phone System machine, for example 192.168.1.20. Now set the Port to 5061 and the Transport to TLS. Press Confirm at the bottom of the page.
Step 4: If you are using Firmware x.71.x.x then you also need to go to the “Security” tab, select “Trusted Certificates” from the menu on the left, and at the CA Certificates field select “All Certificates” from the drop down list. Press “Confirm” at the bottom of the page. The Yealink phone will reboot and register to 3CX Phone System and will use TLS transport for SIP communications.
Configuring IP Phones with Secure RTP
Configure TLS first. These phones exchange their SRTP keys in the SDP body of the SIP INVITE (SDES key exchange), so if the signalling still runs over plain UDP the media keys cross the network in clear text and Secure RTP protects nothing.
Configuring Yealink Phones to Use Secure RTP
Step 1: Open Yealink’s Web interface.
Step 2: Go to Account > Advanced: Set the Option Voice Encryption (SRTP) to ON.
Step 3: Press Confirm at the bottom of the Page. The Yealink phone will now use Secure RTP.
Configuring snom Phones to Use Secure RTP
Step 1: Open snom Phone’s web interface.
Step 2: Go to Setup >Identity 1 link and click on RTP: Set the Option RTP Encryption to ON.
Step 3: Press Save. The snom phone will now use Secure RTP.
Configuring 3CXPhone for Windows to Use Secure RTP
Step 1: Go to the 3CXPhone for Windows Accounts page.
Step 2: Select the Account you require and press Edit.
Step 3: Click on Advanced Settings and set RTP Mode to one of the following:
- Allow Secure: accepts both Secure RTP and unencrypted RTP, depending on what the other side offers.
- Only Secure: accepts Secure RTP connections only; calls to endpoints that cannot do SRTP will fail rather than fall back to clear audio.
Step 4: Press OK until you get to the VoIP phone main screen. 3CXPhone for Windows will now use Secure RTP.