Premium SIPStation SIP Trunking encrypts SIP and RTP with TLS and SRTP between your PBX site and Sangoma's Data Centers. This feature is presently under BETA testing. If you would like to be part of the testing, please complete this short survey first → https://www.surveymonkey.com/r/Y2JCDS9

Prior to using this page as a guide, our technical staff have to enable the feature in our back office systems.


Overview

This document will guide you through the process of configuring the Session Border Controllers to work with Premium SIPStation.  It describes the configuration required to connect SIPStation SIP Trunking with the SBC.  This document describes the SIPStation Premium Service; the Standard SIPStation Service is covered in another document.

Introduction

For Trunking solutions, Premium SIPStation can provide SIP Trunks to an SBC over the Internet, and the SBC relays calls to the PBX.  The connection to the Premium SIPStation Service is over TLS and SRTP.  This document provides detailed information about the configuration requirements in the SMB SBC, Vega SBC, Netborder SBC and the Software VM SBC over TLS/SRTP.  A typical deployment connects SIPStation across the Internet into the SBC, where the SBC provides Security, Routing, Interoperability and more, then delivers the SIP Trunk call to the IP-PBX.  The SBC uses SIP over TLS and RTP over SRTP towards SIPStation; the SBC and the IP-PBX also form a Trunk with each other.


SIP Trunking

SIP Trunks are brought from SIPStation into the SBC, which then delivers the SIP Trunk calls to the IP-PBX.


IP-PBX: 192.168.77.112
SBC LAN IP: 192.168.77.124
SBC DMZ IP: 10.10.32.170
SBC Public WAN IP: 104.145.12.182
ITSP FQDN: premiumtrunk1.freepbx.com, premiumtrunk2.freepbx.com


Note:  The following configuration example is a DMZ-LAN setup of the SBC, with the IP-PBX located on a Private LAN.  This is one of many different network topologies that the SBC supports.  Not all network topologies are covered in this document; please consult other Wikis for slight changes in deployment styles of the SBC.  Slight changes in configuration from this example to other network topologies are expected.

SIPStation Configuration

General Configuration

SIPStation is a SIP Trunking Service offered by Sangoma.  A customer purchases the SIP Trunking Service and can then begin to make calls from their SBC/IP-PBX to the SIPStation Service.  SIPStation uses FQDNs as the SIP Server address.  In this configuration we purchase the SIPStation service and find out where the SIPStation Trunk attributes are located for provisioning in the SBC.  Once the SBC is configured, the SBC will REGISTER with SIPStation and be allowed to make Outgoing Calls and receive Incoming Calls.

SIPStation Purchase

There are Wikis to step through purchasing SIPStation DIDs.  This document will simply overview the highlights.

https://wiki.sangoma.com/display/ST/SIPStation+and+FAXStation


NOTE:  Premium SIPStation is still in Beta.  Option to buy is not yet available on the SIPStation Portal.  Once available, this next instruction will indicate how to purchase Premium SIPStation trunks.


Log in to www.sipstation.com and begin to purchase your Inbound Numbers.  Proceed to Checkout and complete the purchase.



Once purchased, go to My Account | Trunk Groups and record the following information:




SBC Configuration

General Configuration

The following configuration focuses on the SIPStation to SBC requirements.  It is only half of the configuration needed for proper operation, as the IP-PBX will also need to be configured with a SIP Trunk to the SBC and related configuration.  The document references the IP-PBX but does not show how to configure it.  Generally, the IP-PBX setup is a simple SIP Trunk to the SBC LAN IP Address.  There are other Wikis that document how to configure SIP Trunking between the SBC and a FreePBX/PBXact.




IP-PBX IP: 192.168.77.112
SBC LAN IP: 192.168.77.124
SBC DMZ IP: 10.10.32.170
SBC Public IP: 104.145.12.182
ITSP FQDN: premiumtrunk1.freepbx.com, premiumtrunk2.freepbx.com





IP Settings | Network

The default IP Address of the SBC is 192.168.168.2 and the default login is root/sangoma.  The IP Address needs to be changed and a new admin user created.


Go to Configuration | IP Settings | Network

Press "Add" to add a DMZ IP Address

Press Save


Press "Add" to add a LAN IP Address

Press Save


Once completed you will now have an IP address on eth0 for LAN and eth1 for DMZ.

Press "Edit" to configure the Default Gateway and Hostname


Configure the Network



Apply Network

Restart Network

At this point you can access the SBC from the New LAN IP Address.


IP Settings | Media Interfaces

Go to Configuration | IP Settings | Media Interfaces

Click Edit.


Ensure the Transcoding Mode is set to Hardware Hidden mode for all Vega SBC and Netborder SBC.  Then click Save.

Note:  For SMB SBC and Software VM SBC, set the Transcoding Mode to Software.  Then click Save.



Next click Detect Modules.  Once your modules are detected, click OK to continue.



IP Settings | Access Control Lists

Go to Configuration | IP Settings | Access Control Lists

Access Control Lists are a list of IP Address(es) that can have an Allow or Deny policy.  Typical practice is to have a Default Policy to Deny all traffic, then Allow specific Hosts and Subnets.  Both local trusted LAN traffic and Internet WAN traffic need to be defined separately.

Default



Local LAN Internal Network ACL

Within the ACL box, click Add.

Give the ACL a name.


Set the Default Policy to Deny.  Press Save


Within the ACL Box, press Add


Add the local Subnet, where the IP-PBX resides.  Add any additional networks within the LAN environment.



Internet WAN External Network ACL

Within the ACL box, click Add.

Give the ACL a name.


Set the Default Policy to Deny.  Press Save



Within the ACL Box, press Add


Add the local Subnet, where the SIPStation resides.  Add any additional networks within the LAN environment.






Creating a Server Cert for TLS

There are two methods for creating a CA and Server Cert for the SBC:

  1. Using a Certificate Authority (Verisign, GoDaddy, and others)
    https://wiki.sangoma.com/display/SBC/How+to+create+SSL+Certificates+for+your+TLS+support+on+Sangoma+SBC
  2. Using Simple Authority
    https://wiki.sangoma.com/display/SBC/SBC+TLS+Certificates+using+Simple+Authority


Pick one of the two methods; the end result of either method will be a CA Root Cert and a Server Cert in PEM format.

For Example: 

CA Root Cert - Sangoma 20181029_cert.pem

Server Cert - sbc1.domain.net 20181029_key.pem


Security | Certificates

Now load the CA Root Cert and Server Cert onto the SBC.

Under CA menu, Press Add


Browse to the CA Cert created earlier.


Select and install the CA Cert.


Under the Server menu, press Add, Browse to the Server Cert and install.


Download and install the SIPStation GoDaddy CA Root Cert

We need to install the SIPStation CA Root Cert.

Go to the following website.

https://certs.godaddy.com/repository


Download the GoDaddy Secure Server Certificate (Intermediate Certificate) - G2  - gdig2.crt.pem (pem) file.


Security | Certificates

Now load the CA Root Cert and Server Cert onto the SBC.


Go to  Configuration | Security | Certificates

Under CA menu, Press Add


Browse to the GoDaddy Secure Server Certificate (Intermediate Certificate) - G2  - gdig2.crt.pem (pem) file and install it.


Note:  Pay attention to the Expires dates.  TLS stops working once those dates have passed.
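
The expiry check from the note above, as an added example that is not part of the original page: a shell helper that classifies each PEM file as OK, EXPIRING, EXPIRED or UNREADABLE using `openssl x509 -checkend`. It assumes the `openssl` CLI is installed on the workstation holding the PEM files; the script name `check_certs.sh` and the 30-day window are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the openssl CLI is
# installed on the workstation that holds the PEM files.

# cert_status DAYS FILE
# Prints OK, EXPIRING (notAfter falls within DAYS), EXPIRED or UNREADABLE.
# "openssl x509" reads only the first CERTIFICATE block in FILE.
cert_status() {
    days=$1
    file=$2
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo UNREADABLE          # missing file, or no certificate inside
    elif ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED             # notAfter is already in the past
    elif ! openssl x509 -in "$file" -noout \
            -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo EXPIRING            # still valid, but not for DAYS more days
    else
        echo OK
    fi
}

# check_certs DAYS FILE...
# Prints one line per file (status, name, notAfter) and returns 1 if any
# file is not OK, so it can gate a cron job or a pre-upload step.
check_certs() {
    window=$1
    shift
    rc=0
    for pem in "$@"; do
        st=$(cert_status "$window" "$pem")
        end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || end=""
        printf '%-10s %s  %s\n' "$st" "$pem" "${end#notAfter=}"
        [ "$st" = OK ] || rc=1
    done
    return "$rc"
}

# Example: sh check_certs.sh 30 "Sangoma 20181029_cert.pem" gdig2.crt.pem
if [ "$#" -ge 2 ]; then
    check_certs "$@"
fi
```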



Signaling | SIP Profile

Two SIP Profiles are needed.  One for the LAN side - for 'Internal' communications with the IP-PBX and another for the WAN side - for 'External' communication with SIPStation.


Go to Configuration | Signaling | SIP Profiles

A default "internal" SIP Profile will be present.  You can Delete it - then Add a new Profile  OR  Modify it.


Setup an Internal SIP Profile

Click Modify next to the default internal SIP profile.



This SIP Profile is used for assigning the SBC's LAN IP to a SIP Profile.  This is where the IP-PBX will communicate with the SBC.  The IP Address, Port, Transport and other interop settings are defined here.  Not all SIP Profile settings are required; here are the highlights.


Press Save


Setup an External SIP Profile

Click Add to create a New SIP profile for the External SIP communications.



This SIP Profile is used for assigning the SBC's DMZ IP to a SIP Profile - the WAN IP address of the Firewall will be NAT'd through to the DMZ IP of the SBC.  This is where SIPStation will communicate with the SBC over TLS.  The IP Address, Port, Transport and other interop settings are defined here.  Not all SIP Profile settings are required; here are the highlights.



Press Save


 

Signaling | SIP Trunks

Two SIP Trunk Profiles are needed.  One for the IP-PBX and another for SIPStation.  The SIP Trunk Profile is where the Peer attributes are configured.


Setup the IP-PBX in a SIP Trunk Profile

Go to Configuration -> Signaling -> SIP Trunks

Click Add

The following parameters define the location and behavior specific to the IP-PBX;


 


Press Save

 

Setup the SIPStation in a SIP Trunk Profile

Go to Configuration -> Signaling -> SIP Trunks

Click Add

The following parameters define the location and behavior specific to SIPStation;



Press Save

 

Media | Media Profiles

Premium SIPStation offers a greater variety of Codecs. Premium SIPStation Codecs include;

In the following section, select the Codec you wish to use.


Go to Configuration | Media | Media Profiles

Standard SIPStation supports only G711 and G729.  The SBC appliances by default have many codecs available to transcode.


Edit the 'default' Media Profile.


Press Save


Note:  If you want the SBC to Transcode different Codecs on the LAN side, Add a new Media Profile, with the required Codecs and assign it to the IP-PBX_Internal SIP Profile.  For example if the IP-PBX wants to use G722 and SIPStation wants G711, then the new Media Profile for the IP-PBX_Internal SIP Profile should have G722 as the Codec #1.



Routing | Call Routing

The SBC will require two Call Route Dial Plans.  One Dial Plan to send calls from the IP-PBX to SIPStation, and another Dial Plan to send calls from the SIPStation to the IP-PBX.


Go to  Configuration | Routing | Call Routing


Outbound Calling

Click the Add button in the Basic Call Routing section to add a new routing plan.


Give the Dial Plan a name, Outbound_Calling, then click Add.


Basic Call Routing Setup



Once in the new routing plan click Add to add a new rule. 


This next Dial Plan Rule is redundant when an ACL is in place, but it shows some extra flexibility in the Dial Plan to check various attributes of a call that are not related to the SIP Protocol.  This example is a Check IP Address.  If the IP Address does not match, the SBC will respond with a 403 Forbidden and will not process any remaining rules in the Dial Plan.


Press Save

 


Once "Check IP" is saved, click Add to insert another Dial Plan Rule.




This next Dial Plan Rule is most important, as it 'bridges' the Outbound Call from the IP-PBX to the SIPStation - SIP Trunk Profile that was defined earlier.



Press Save

 

Your Call Routing should now look like this for Outbound Calls to SIPStation.





Inbound Calling

Click the Add button in the Basic Call Routing section to add a new routing plan.


Give the Dial Plan a name, Inbound_Calling, then click Add.


Basic Call Routing Setup



Once in the new routing plan click Add to add a new rule. 




This next Dial Plan Rule is redundant when an ACL is in place, but it shows some extra flexibility in the Dial Plan to check various attributes of a call that are not related to the SIP Protocol.  This example is a Check IP Address.  If the IP Address does not match, the SBC will respond with a 403 Forbidden and will not process any remaining rules in the Dial Plan.




Press Save

 

Once "Check IP" is saved, click Add to insert another Dial Plan Rule.


This next Dial Plan Rule is most important, as it 'bridges' the Inbound Call from SIPStation to the IP-PBX - SIP Trunk Profile that was defined earlier.



Press Save

 

Your Call Routing should now look like this for Inbound Calls to the IP-PBX.




Signaling | SIP Profile

Two SIP Profiles were created earlier.  We need to go back and assign the appropriate Call Routing Dial Plan to the correct SIP Profile.  The Inbound_Calling Dial Plan is assigned to the SIPStation_External SIP Profile, as calls from SIPStation will go through Inbound_Calling to bridge to the IP-PBX.  In the other direction, the IP-PBX will call the IP-PBX_Internal SIP Profile, which will go to the Outbound_Calling Dial Plan, which will bridge the call to SIPStation.


IP-PBX_Internal SIP Profile

Now that both routing plans are made go to Configuration | Signaling | SIP Profiles and modify the IP-PBX_Internal SIP profile. 

Under Session Routing change the Routing Plan to Outbound_Calling. Then click Save to continue. 


SIPStation_External SIP Profile

Modify the SIPStation_External SIP profile. 

Under Session Routing change the Routing Plan to Inbound_Calling. Then click Save to continue.


Apply Configuration

You are Done.  Time to save your efforts.


Or Here



Finalizing the Installation

Starting the SBC application and other useful features on the SBC.


Go to Overview -> Dashboard -> Control Panel and Start the following services.



Enable all IDS rules by going to Configuration -> Security -> Intrusion Detection and ensuring all are checked. Once done click Update to apply the changes.


Next go to System -> Server -> Web and change the Network Interface from All interfaces to only the internal network interface.


In this example eth1 is the internal network interface. Once done click Save.


Next go to System -> Server -> Web and change the Network Interface from All interfaces to only the internal network interface. Now both the web server and SSH will only be available on your internal network.


Since the configuration is now completed get a backup. Go to System -> Management -> Backup-Restore and click Backup.


Name the file accordingly and click backup to download a copy. Ensure you keep this safe somewhere and always take a new backup after each change made to the SBC.