How to configure TLS/SRTP Outbound/Inbound


Product

  • Voice

Resolution

Media encryption

Our RTP engines support SRTP and DTLS-SRTP. As per RFC, we only support encrypted media when the signaling is also encrypted. For inbound calls using SIP over TLS, we offer either DTLS or SDES SRTP.

Outbound

Our outbound platforms support TLS. Connection is done via nl.voip.cm.com, which supports both DNS A- and SRV-records.

Requirements

  • TLSv1.2 or newer is supported

  • The destination port-number is TCP 5061

  • Because TCP is used, the source port is a random port number. For this reason, please configure the PBX endpoint with port 0 (any port) to successfully create the socket connection.

  • Please make sure the media subnets below are whitelisted in your firewall:
    85.119.48.0/21
    31.169.56.0/21
    188.94.184.0/22

  • All certificates should be valid.


Figure 1: Edit the IP endpoint from which you send voice calls.

Inbound

To configure this, visit the Voice Management app and select Distribution Groups. Under Distribution Groups add or edit your IP-address and/or domain on which you would like to receive voice calls:

Figure 2: Edit your IP-address or Domain on which you receive voice calls

When adding or editing your IP address or domain, you should enable the following two options:

  • Transport: To ensure the signaling of inbound calls is encrypted, select TLS.

  • Media Encryption (TLS required): To ensure the media of inbound calls is encrypted, select SRTP under media encryption. This requires TLS to be selected in the first option.

Figure 3: Select TLS (signaling) and SRTP (media) for encryption

Requirements

  • Because TCP is used, the source port from the CM platform is a random port number. It is advised to use the same destination port number as for outbound, being 5061.

  • Please make sure the media subnets below are whitelisted in your firewall:
    85.119.48.0/21
    31.169.56.0/21
    188.94.184.0/22

  • All certificates should be valid.
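
To confirm on the PBX side that an inbound call negotiated one of the media encryption modes described under Media encryption, and that its media address falls inside the listed subnets, the SDP body of the INVITE can be inspected. The following is an added example, not CM.com code: the function name `check_audio_sdp`, the sample SDP and its placeholder key are constructed for illustration, and only IPv4 literal addresses are handled.

```python
import ipaddress

# Media subnets listed in the requirements on this page.
MEDIA_SUBNETS = [ipaddress.ip_network(n) for n in
                 ("85.119.48.0/21", "31.169.56.0/21", "188.94.184.0/22")]

def check_audio_sdp(sdp):
    """Classify the first audio stream of an SDP body and check its media address."""
    section, proto, addr, fp, crypto = "session", None, None, False, False
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            if line.startswith("m=audio ") and proto is None:
                section, proto = "audio", line.split()[2].upper()
            else:
                section = "other"          # ignore video and any later audio streams
        elif section == "other":
            continue
        elif line.startswith("c=IN IP4 "):
            addr = line.split()[2].split("/")[0]   # media-level c= overrides session-level
        elif line.startswith("a=fingerprint:"):
            fp = True                      # DTLS certificate fingerprint
        elif line.startswith("a=crypto:") and section == "audio":
            crypto = True                  # SDES key carried in the SDP itself
    if proto is None:
        raise ValueError("no m=audio section in SDP")
    if proto.startswith("UDP/TLS/RTP/SAVP") and fp:
        enc = "DTLS-SRTP"
    elif proto.startswith("RTP/SAVP") and crypto:
        enc = "SDES-SRTP"
    else:
        enc = "none" if proto.startswith("RTP/AVP") else "unknown"
    listed = addr is not None and any(
        ipaddress.ip_address(addr) in net for net in MEDIA_SUBNETS)
    return {"encryption": enc, "address": addr, "in_listed_subnet": listed}

# Constructed sample: SDES offer with a placeholder key, address in a listed subnet.
SDES_SDP = """v=0
o=- 1 1 IN IP4 85.119.48.10
s=-
c=IN IP4 85.119.48.10
t=0 0
m=audio 30000 RTP/SAVP 8 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

if __name__ == "__main__":
    print(check_audio_sdp(SDES_SDP))
```

A result of `none` or `unknown` for a call on a TLS/SRTP-enabled endpoint, or an address outside the listed subnets, is worth alerting on.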