The big picture

Figure 2.1. Overview

Figure 2.1, “Overview” demonstrates each of the components and how they are interconnected. The diagram includes an example of an external softphone user calling an internal softphone user, the call is setup with SIP and the RTP media streams (dotted lines) pass through the TURN server.

TLS is essential

SIP, XMPP and WebSockets can be easily configured to run without TLS encryption. Unfortunately, doing so would lead to many of the same problems as email, including spam and impersonation.

Impersonation is even more troublesome in RTC than in an email exchange. If a user replies to an email with a forged From header, the reply will go to the person who was impersonated. The imposter is unable to receive replies to the emails they send. If a user answers a phone call from a forged SIP address, however, they are immediately engaged in two-way communication with the imposter.

Therefore, when RTC protocols are used on the public Internet, TLS should always be used. Additional reasons for using TLS are discussed in the section called “Use the TLS transport for SIP signalling”.

SMTP is a much older protocol than SIP and XMPP and while it does now boast support for STARTTLS, it doesn't clearly specify a mechanism for validation of message headers against the certificates.

All SIP connectivity through a SIP proxy

The SIP proxy acts as a router between the external peers, internal peers and the soft PBX. The soft PBX is typically a server running Asterisk or FreeSWITCH. It is important to note that the soft PBX does not connect directly to the public Internet and none of the internal users connect directly to the soft PBX.

SIP proxy servers are generally more stable and more secure than soft PBXes. SIP proxy servers typically have more connectivity options, including best-of-breed support for IPv6, TLS and WebRTC. In particular, the Asterisk PBX advertises support for TLS but it doesn't support mutual TLS certificate verification, something that works seamlessly in the SIP proxy repro. This means that Asterisk accepts TLS connections from users and other servers but is unable to verify local devices with built-in certificates such as Polycom phones. If Asterisk is configured to accept TLS connections from the public Internet, Asterisk accepts any call from the peer without validating the domain in the From header.

Soft PBXes tend to have many more features and vastly more configuration options, this also means upgrades to the SIP proxy are relatively easy compared to upgrades of the soft PBX. Finally, some people like to be able to make configuration changes to their PBX during business hours. If users are maintaining connections and SIP registrations through the SIP proxy, they are much less likely to notice if the soft PBX is restarted or crashes.

One consequence of this design strategy is that it is usually best to install, test and configure the SIP proxy before starting a soft PBX installation. In this guide, SIP proxy installation is covered in Chapter 11, SIP proxy server installation and soft PBXes are discussed in Chapter 17, PBX Setup.