logo.gif MCU 4210
host: pont

Configuring encryption settings

You can configure the MCU to encrypt connections to and from H.323 and SIP endpoints.

The encryption technology that the MCU uses for encryption to and from H.323 endpoints is Advanced Encryption Standard (AES).

The encryption technology that the MCU uses for encryption to and from SIP endpoints is Secure Real-time Transport Protocol (SRTP).

To use encryption, you must have the Encryption feature key present on the MCU. For information about installing feature keys, refer to Upgrading the firmware. To access encryption settings, go to Settings > Encryption.

Encryption is used where both devices in a call agree to use encryption; by default if one of the devices cannot use encryption (for example if a SIP endpoint does not support SRTP), the MCU will allow the call to be unencrypted, unless the conference configuration dictates that encryption is Required. Where encryption is required, calls that cannot used encryption will not be allowed.

When encryption is in use to and from H.323 endpoints, the MCU will encrypt audio, video, and content media. It does not encrypt control or authentication information.

When encryption is in use to and from SIP endpoints, the MCU will encrypt audio and video media using SRTP. Control or authentication information can also be encrypted using TLS. For more information refer to Using encryption with SIP, below.

You can:

Note that using encryption does not affect the number of ports that are available on the MCU.

Note that the MCU will not show thumbnail previews on the Conference participant page if encryption is required for a conference. If you have the Show thumbnail images option selected on the Settings > User interface page, thumbnail previews will be shown for conferences where encryption is optional and there are encrypted participants.

Refer to this table for assistance configuring the encryption settings. After making any configuration changes, click Apply changes.

Field Field description Usage tips
Encryption status

Whether the MCU is able to use encryption or not.

When encryption status is Enabled, the MCU advertises itself as being able to use encryption and will use encryption if required to do so by an endpoint. If this setting is Enabled, you can enable or disable the use of encryption on a per-conference basis.

If this setting is Disabled, no conference will be able to use encryption.

SRTP encryption

Select the setting for media encryption for SIP calls:

  • All transports: If encryption is used for a call, the media will be encrypted using SRTP regardless of transport mechanism used for call control messages.
  • Secure transports (TLS) only: If encryption is used for a call, the media will only be encrypted in calls that are set up using TLS.
  • Disabled: SRTP will not be used for any calls. The MCU will not encrypt media for SIP calls.

For more information refer to Using encryption with SIP, below.

When disabled, the MCU will not advertise that it is able to encrypt using SRTP. It is only necessary to disable SRTP if it is causing problems.

Using encryption with SIP

The MCU supports the use of encryption with SIP. When encryption is in use with SIP, the audio and video media are encrypted using Secure Real-time Transport Protocol (SRTP). When using SRTP, the default mechanism for exchanging keys is Session Description Protocol Security Description (SDES). SDES exchanges keys in clear text, so it is a good idea to use SRTP in conjunction with a secure transport for call control messages. You can configure the MCU to also use Transport Layer Security (TLS) which is a secure transport mechanism that can be used for SIP call control messages.

Using TLS for call setup is not sufficient for the call to be considered encrypted such that it can participate in a conference which requires encryption. Where encryption is required in the conference configuration, a SIP call must use SRTP.

To configure the MCU to use SRTP to encrypt media in calls that are set up using TLS:

  1. You must have the encryption feature key installed on your MCU.
  2. Go to Settings > Encryption and set:
    • Encryption status to Enabled.
    • SRTP encryption to Secure transports (TLS) only.
  3. Go to Settings > SIP and set Outgoing transport to TLS. To allow the MCU to accept incoming calls that use TLS, go to Network > Services and ensure that Incoming Encrypted SIP (TLS) is selected.

Note: It is possible to make encryption the default on newly created conferences by setting the Encryption field on the conference template settings to Required. Go to Conferences > Templates.

 

Related topics