Trying to find a solution to a sticky problem here.
We have 3 OpenSER systems. Phones register with the OpenSER systems, and after they authenticate the user, pass the registration info using OpenSER's send() command to all Asterisk boxes sitting behind them. Each asterisk system then knows about every phone.
For this to work, I had to turn off authentication in Asterisk for both registrations and invites. If it's on, asterisk sends a 407 Proxy Auth required to the phone in addition to OpenSER. This confuses the phone, as it's now receiving two 407 proxy auth requests, and it basically just drops the second request on the floor.
This is obviously a big security problem and it can't stay this way. I thought maybe if authentication was on in Asterisk, that considering by the time it receives the authenticated register or invite from OpenSER, the MD5 password was already contained in the packet, that Asterisk wouldn't ask again. It does. :(
We could use IP tables to only allow connections from the OpenSER systems, but that doesn't always work. When a caller transfers a call, the phones will send a REFER message directly to Asterisk, so all the phones would have to also be in the ip tables allow list. Not an elegent solution.
We could run mediaproxy on OpenSER and force all RTP streams back through it. Might work, but it might also break other stuff. We could then configure ip tables to only allow RTP streams from the OpenSER systems.
It might be possible to configure OpenSER to perform the logic necessary to make it talk to Asterisk properly, but it's beyond my abilities and time.
Anyone ever done this? Anyone got any ideas?
Doug
Hi,
Just a first impression, after quickly reading the mail. May be useful. Or may be noise:
I do it IP based. I use few Asterisk boxes not exactly the way like you, but I also need to talk betweeen SERs and Asterisks without problems. I just put one or more SERs as a trusted peers at all Asterisks. Then at SER I disable authentication of requests, coming for specified Asterisk addresses.
When it comes to your REFER problem (or similar), I just put record-route to all requests flying thru SER. Then all UAs are obliged to send subsequent requests in a dialog thru proxy. This is what record-route is for.
If this is not enough, because you are outside of a dialog or have particularly stupid UA - my SIP routing is based on domains. So UAs are always configured to use proxy and proxy is in textual format of a realm (FQDN). Thus, they will never send any dialog initiating request ommiting proxy. Or they are very stupid UAs :-)
Conclusion: trusted peers on (*) and IP-based policy on SER works well for me.
Douglas Garstang wrote:
Trying to find a solution to a sticky problem here.
We have 3 OpenSER systems. Phones register with the OpenSER systems, and after they authenticate the user, pass the registration info using OpenSER's send() command to all Asterisk boxes sitting behind them. Each asterisk system then knows about every phone.
For this to work, I had to turn off authentication in Asterisk for both registrations and invites. If it's on, asterisk sends a 407 Proxy Auth required to the phone in addition to OpenSER. This confuses the phone, as it's now receiving two 407 proxy auth requests, and it basically just drops the second request on the floor.
That's about right. I ran into that too. I just chose not to tell asterisk about the phones. Less admin hassle that way, too.
This is obviously a big security problem and it can't stay this way. I thought maybe if authentication was on in Asterisk, that considering by the time it receives the authenticated register or invite from OpenSER, the MD5 password was already contained in the packet, that Asterisk wouldn't ask again. It does. :(
We could use IP tables to only allow connections from the OpenSER systems, but that doesn't always work. When a caller transfers a call, the phones will send a REFER message directly to Asterisk, so all the phones would have to also be in the ip tables allow list. Not an elegent solution.
I run it on localhost, and force everything through OpenSER. I use Polycom phones, so I set OpenSer as my outbound proxy. Works great.
We could run mediaproxy on OpenSER and force all RTP streams back through it. Might work, but it might also break other stuff. We could then configure ip tables to only allow RTP streams from the OpenSER systems.
Why would you want to do that? Where I work, we've been actively trying to avoid getting anything between the phone and the media gateway. Call quality suffers when we do.
It might be possible to configure OpenSER to perform the logic necessary to make it talk to Asterisk properly, but it's beyond my abilities and time.
Anyone ever done this? Anyone got any ideas?
I've been working on something similar, although with only one OpenSER and one Asterisk instance. I'm also writing a subscription server to fill in for some functions that neither do yet. (I need to handle the dialog event package as well as presence.)
---Nathan
-
Arek Bekiersz -
Douglas Garstang -
Nathan Hawkins