Figure 2.1, “Overview” shows each of the components and how they are interconnected. The diagram includes an example of an external softphone user calling an internal softphone user: the call is set up with SIP and the RTP media streams (dotted lines) pass through the TURN server.
SIP, XMPP and WebSockets can be easily configured to run without TLS encryption. Unfortunately, doing so would lead to many of the same problems as email, including spam and impersonation.
Impersonation is even more troublesome in RTC than in an email exchange. If a user replies to an email with a forged From header, the reply will go to the person who was impersonated. The imposter is unable to receive replies to the emails they send. If a user answers a phone call from a forged SIP address, however, they are immediately engaged in two-way communication with the imposter.
Therefore, when RTC protocols are used on the public Internet, TLS should always be used. Additional reasons for using TLS are discussed in the section called “Use the TLS transport for SIP signalling”.
SMTP is a much older protocol than SIP and XMPP, and while it now supports STARTTLS, it doesn't clearly specify a mechanism for validating message headers against the certificates.
The SIP proxy acts as a router between the external peers, internal peers and the soft PBX. The soft PBX is typically a server running Asterisk or FreeSWITCH. It is important to note that the soft PBX does not connect directly to the public Internet and none of the internal users connect directly to the soft PBX.
SIP proxy servers are generally more stable and more secure than soft PBXes. SIP proxy servers typically have more connectivity options, including best-of-breed support for IPv6, TLS and WebRTC. In particular, the Asterisk PBX advertises support for TLS but it doesn't support mutual TLS certificate verification, something that works seamlessly in the SIP proxy repro. This means that Asterisk accepts TLS connections from users and other servers but is unable to verify local devices with built-in certificates such as Polycom phones. If Asterisk is configured to accept TLS connections from the public Internet, Asterisk accepts any call from the peer without validating the domain in the From header.
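The check that the paragraph above says is missing, sketched as an added example (not code from repro, Asterisk or this guide): once the TLS stack has verified the peer certificate, a request is accepted only if the domain in its From header is one of the certificate's subjectAltName entries. The function names and the sample INVITE are constructed for illustration; the SAN pairs use the shape Python's `getpeercert()` returns, and matching is exact with no wildcard handling, which is a simplification.

```python
import re

# Constructed sample INVITE headers (not captured traffic).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/TLS proxy.example.com:5061;branch=z9hG4bKconstructed\r\n"
    'From: "Alice" <sip:alice@example.com>;tag=1234\r\n'
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: constructed-1@proxy.example.com\r\n"
    "CSeq: 1 INVITE\r\n"
    "\r\n"
)


def from_domain(sip_message):
    """Return the lower-cased host part of the From header URI, or None."""
    headers = sip_message.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("from", "f"):  # "f" is the compact form
            m = re.search(r"sips?:(?:[^@>;\s]*@)?([^:;>\s]+)", value, re.I)
            return m.group(1).lower().rstrip(".") if m else None
    return None


def peer_domains(san_entries):
    """Domains a verified peer certificate vouches for, from (type, value) pairs."""
    domains = set()
    for kind, value in san_entries:
        if kind == "DNS":
            domains.add(value.lower().rstrip("."))
        elif kind == "URI" and value.lower().startswith(("sip:", "sips:")):
            domains.add(value.split(":", 1)[1].lower())
    return domains


def accept_call(sip_message, san_entries):
    """Fail closed: accept only if the From domain appears in the peer's SANs."""
    domain = from_domain(sip_message)
    return domain is not None and domain in peer_domains(san_entries)
```

A request whose From header is missing or unparseable is rejected, as is one whose From domain differs from every SAN entry, which is the forged-caller case described above.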
Soft PBXes tend to have many more features and vastly more configuration options. This also means upgrades to the SIP proxy are relatively easy compared to upgrades of the soft PBX. Finally, some people like to be able to make configuration changes to their PBX during business hours. If users are maintaining connections and SIP registrations through the SIP proxy, they are much less likely to notice if the soft PBX is restarted or crashes.
One consequence of this design strategy is that it is usually best to install, test and configure the SIP proxy before starting a soft PBX installation. In this guide, SIP proxy installation is covered in Chapter 11, SIP proxy server installation and soft PBXes are discussed in Chapter 17, PBX Setup.