On Mon, 20 Feb 2023 20:08:50 +1000 Richard Edmands <[email protected]> wrote:

> Yeah, don’t trust that IP range blindly. It’s just Azure space.
> The only logical approach I’ve seen appears to be certificate validation and
> checking.

okok. I can see that the client certificate is being validated. But that means the client certificate is valid. Doesn't mean that the certificate is Microsoft's.

Is there a way to check the certificate owner in the config script? Or to limit the certificate to a certain "Subject Alternative Name"?

Would it be nuts to limit the CA list allowed for that socket by creating a custom CA list? It still would not filter just MS.

In the end I guess I'll get an IP list and filter, because opening two /14 nets seems crazy to me.

> > On 20 Feb 2023, at 7:00 pm, Jon Bonilla (Manwe) <[email protected]> wrote:
> >
> > Hi
> >
> > Sorry for the OT but I think here's the place where I can find a lot of MS
> > teams integrations
> >
> > I've been working on MS teams direct routing integration for PekePBX. It
> > works. I guess I've done it as everybody else, using Henning's guide as
> > base and extending it for multitenant setup (thanks Henning!)
> >
> > What I've realized is that the source IP address of calls coming from MS are
> > not always matching dispatcher hosts. Sometimes they come from another
> > source IP and failover to the dispatcher hosts when they receive no
> > response. That makes some of the calls to have an additional latency
> >
> > Searching in the MS doc I see that they document these nets as source of
> > their signaling:
> >
> > 52.112.0.0/14
> > 52.120.0.0/14
> >
> > But I've seen IP addresses outside of this range as source.
> > In this blog
> > https://erwinbierens.com/microsoft-teams-direct-routing-ip-addresses/
> >
> > The ranges are listed as
> >
> > 52.112.0.0/16
> > 52.113.0.0/16
> > 52.114.0.0/16
> > 52.115.0.0/16
> > 52.120.0.0/16
> > 52.121.0.0/16
> > 52.122.0.0/16
> > 52.123.0.0/16
> >
> > which looks better but scares me out. Having no auth is it secure to bind so
> > many ranges to MS?
> >
> > Do you use anything else than certificate verification for these calls?
> >
> > cheers,
> >
> > Jon
> >
> > --
> > PekePBX, the multitenant PBX solution
> > https://pekepbx.com
> > __________________________________________________________
> > Kamailio - Users Mailing List - Non Commercial Discussions
> > To unsubscribe send an email to [email protected]
> > Important: keep the mailing list in the recipients, do not reply only to
> > the sender! Edit mailing list options or unsubscribe:

--
PekePBX, the multitenant PBX solution
https://pekepbx.com
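An added example, not part of the thread and not Kamailio configuration: it collapses the blog's eight /16 entries to show they cover exactly the two documented /14 nets, then layers the checks the thread discusses (verified certificate, pinned SAN owner, source range). The SAN suffix `peer.example.net` is a placeholder, and the verified flag and SAN list are assumed to be supplied by the TLS layer.

```python
import ipaddress

# Ranges quoted in the thread: the documented signaling nets and the blog's list.
DOCUMENTED = ["52.112.0.0/14", "52.120.0.0/14"]
BLOG_LIST = [f"52.{o}.0.0/16" for o in (112, 113, 114, 115, 120, 121, 122, 123)]
# Placeholder (assumption): the DNS suffix the peer's certificate is expected to carry.
ALLOWED_SAN_SUFFIXES = ["peer.example.net"]


def collapse(cidrs):
    """Merge adjacent networks into the minimal equivalent list of CIDR strings."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def san_allowed(san_dns_names, suffixes=ALLOWED_SAN_SUFFIXES):
    """True if a SAN dNSName equals, or is a subdomain of, an allowed suffix.
    Comparison is on label boundaries, so 'evilpeer.example.net' fails."""
    for name in san_dns_names:
        host = name.lower().rstrip(".")
        if host.startswith("*."):
            host = host[2:]  # treat a wildcard SAN as its parent domain
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return True
    return False


def admit(src_ip, peer_verified, san_dns_names, cidrs=DOCUMENTED):
    """Layered decision: chain-verified cert, pinned SAN owner, then source range."""
    if not peer_verified:
        return (False, "certificate not verified")
    if not san_allowed(san_dns_names):
        return (False, "valid certificate, unexpected owner")
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in ipaddress.ip_network(c) for c in cidrs):
        return (False, "source outside allowed ranges")
    return (True, "ok")


if __name__ == "__main__":
    print(collapse(BLOG_LIST))  # same coverage as DOCUMENTED
    # Constructed sample: a chain-valid certificate for another owner, sent from inside the range.
    print(admit("52.114.7.9", True, ["tenant.example.org"]))
```
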
