On Nov 07, 2003 at 12:46, Tristan Colgate <tristan(a)inuxtech.co.uk> wrote:
> Hi,
> I am currently setting up a SER platform and would like to use Asterisk for
> pstn and voicemail. I have three hosts, one machine has the mysql db and a dns
> with an enum zone. I then have the main sip registrar/proxy and the final box is
> the asterisk server.
> My intention is to have an instance of ser running on the asterisk server to
> verify authentication and check users privileges for access to the
> pstn/voicemail and to enforce the Remote Party ID, this will then nat the connection to
> the asterisk process' sip channel (either running 127.0.0.1.
You want to authenticate twice? Once on the "main" proxy and once on the
asterisk box?
It's easier just to trust your "main" proxy (leave auth. to it) and drop
all connections coming from different IPs on the asterisk box. TLS
would also help a lot, but it's not freely available.
> So is this theoretically sound? And can I have the SER proxy and the SER
> instance on the * both talking to the same mysql DB?
Yes, you could use the same db for the auth. stuff, but in your place I
would run only one ser doing the auth.
If you want to use 2 sers and auth. to both (not recommended since it's
easier to trust the main ser ip), it will work if both of them accept
the same nonce and you don't have any consume_credentials in your
script. To have the same nonce you will have to set the secret parameter
of the auth module to the same thing on both sers (if you don't set it
it would be random and they will expect different nonces). Also the
clocks should be synchronized.
This is if you use same auth. db and auth. realm on both of them. If you
want to use different realms then make sure your UAs support this and
disregard the stuff about nonces.
Andrei
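
Added example, not part of the original message and not SER's code: a simplified model of a stateless digest nonce (expiry time plus a keyed hash of it) showing why two proxies accept each other's nonces only with the same secret and synchronized clocks. The Proxy class, the nonce format, the 300-second lifetime and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

NONCE_LIFETIME = 300  # seconds a challenge stays valid (assumed value)


class Proxy:
    """Hypothetical stand-in for one proxy's nonce handling."""

    def __init__(self, secret=None, clock_offset=0):
        # With no configured secret a random one is picked at startup,
        # so no other instance can reproduce this proxy's nonces.
        self.secret = secret if secret is not None else os.urandom(16)
        self.clock_offset = clock_offset  # seconds this host's clock is off

    def _now(self, true_time):
        return true_time + self.clock_offset

    def _mac(self, expires_hex):
        return hmac.new(self.secret, expires_hex.encode(), hashlib.sha256).hexdigest()

    def make_nonce(self, true_time):
        expires_hex = format(self._now(true_time) + NONCE_LIFETIME, "08x")
        return expires_hex + self._mac(expires_hex)

    def check_nonce(self, nonce, true_time):
        expires_hex, mac = nonce[:8], nonce[8:]
        if not hmac.compare_digest(mac, self._mac(expires_hex)):
            return "bad-secret"  # not generated with our secret
        if int(expires_hex, 16) < self._now(true_time):
            return "stale"       # already expired by our clock
        return "ok"


def demo():
    t = 1_068_209_160                  # constructed timestamp
    shared = b"shared-example-secret"  # constructed secret
    main = Proxy(secret=shared)
    nonce = main.make_nonce(t)         # challenge issued by the main proxy
    return {
        "same secret, synced clock": Proxy(secret=shared).check_nonce(nonce, t + 10),
        "secret left unset": Proxy().check_nonce(nonce, t + 10),
        "same secret, clock 10 min fast":
            Proxy(secret=shared, clock_offset=600).check_nonce(nonce, t + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```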