> -----Original Message-----
> From: Arek Bekiersz [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 17, 2006 9:21 AM
> To: Douglas Garstang
> Cc: openser
> Subject: Re: [Users] Trying to find a solution to a sticky problem here.
>
> Hi,
>
> Just a first impression, after quickly reading the mail. May be useful. Or may be noise:
>
> I do it IP based. I use few Asterisk boxes not exactly the way like you, but I also need to talk between SERs and Asterisks without problems. I just put one or more SERs as a trusted peers at all Asterisks. Then at SER I disable authentication of requests, coming for specified Asterisk addresses.
>
> When it comes to your REFER problem (or similar), I just put record-route to all requests flying thru SER. Then all UAs are obliged to send subsequent requests in a dialog thru proxy. This is what record-route is for.

Whoa! I didn't realise I could do that. Just exactly where would I put the record_route()? I tried putting it after the logic that tests for an INVITE... but it didn't seem to work.

> If this is not enough, because you are outside of a dialog or have particularly stupid UA - my SIP routing is based on domains. So UAs are always configured to use proxy and proxy is in textual format of a realm (FQDN). Thus, they will never send any dialog initiating request omitting proxy. Or they are very stupid UAs :-)
>
> Conclusion: trusted peers on (*) and IP-based policy on SER works well for me.
>
> --
> Regards,
> Arek Bekiersz
>
> Douglas Garstang wrote:
> > Trying to find a solution to a sticky problem here.
> >
> > We have 3 OpenSER systems. Phones register with the OpenSER systems, and after they authenticate the user, pass the registration info using OpenSER's send() command to all Asterisk boxes sitting behind them. Each asterisk system then knows about every phone.
> >
> > For this to work, I had to turn off authentication in Asterisk for both registrations and invites. If it's on, asterisk sends a 407 Proxy Auth required to the phone in addition to OpenSER. This confuses the phone, as it's now receiving two 407 proxy auth requests, and it basically just drops the second request on the floor.
> >
> > This is obviously a big security problem and it can't stay this way. I thought maybe if authentication was on in Asterisk, that considering by the time it receives the authenticated register or invite from OpenSER, the MD5 password was already contained in the packet, that Asterisk wouldn't ask again. It does. :(
> >
> > We could use IP tables to only allow connections from the OpenSER systems, but that doesn't always work. When a caller transfers a call, the phones will send a REFER message directly to Asterisk, so all the phones would have to also be in the ip tables allow list. Not an elegant solution.
> >
> > We could run mediaproxy on OpenSER and force all RTP streams back through it. Might work, but it might also break other stuff. We could then configure ip tables to only allow RTP streams from the OpenSER systems.
> >
> > It might be possible to configure OpenSER to perform the logic necessary to make it talk to Asterisk properly, but it's beyond my abilities and time.
> >
> > Anyone ever done this? Anyone got any ideas?
> >
> > Doug

_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users
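
An added example, not part of the thread and not the OpenSER project's own configuration: one way to place record_route() and an IP-based authentication skip in an OpenSER 1.x routing script, following the layout of the stock openser.cfg. The 192.0.2.x addresses are constructed placeholders for the Asterisk boxes, and the sl, tm, rr, maxfwd, registrar, usrloc, auth and auth_db modules are assumed to be loaded and configured already.

```cfg
# Added example; 192.0.2.11 / 192.0.2.12 are constructed placeholder
# addresses standing in for the trusted Asterisk boxes.
route {
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        exit;
    };

    # Record-route every request except REGISTER, before anything is
    # relayed and not only inside an INVITE test. UAs then build a route
    # set through the proxy, so later in-dialog requests (BYE, re-INVITE,
    # REFER) come back through it instead of going straight to Asterisk.
    if (!method=="REGISTER")
        record_route();

    # In-dialog requests carry a Route header: follow it and relay.
    if (loose_route()) {
        route(1);
    };

    # IP-based policy: challenge everything that does not come from a
    # trusted Asterisk address. The check is on the packet source address,
    # so it is only as strong as the network path to those boxes.
    if (!(src_ip==192.0.2.11 || src_ip==192.0.2.12)) {
        if (method=="REGISTER") {
            if (!www_authorize("", "subscriber")) {
                www_challenge("", "0");
                exit;
            };
            save("location");
            exit;
        };
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            exit;
        };
        # Strip the credentials so they are not forwarded downstream.
        consume_credentials();
    };

    route(1);
}

route[1] {
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}
```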
