> -----Original Message-----
> From: Douglas Garstang
> Sent: Friday, March 17, 2006 9:57 AM
> To: [EMAIL PROTECTED]
> Cc: openser
> Subject: RE: [Users] Trying to find a solution to a sticky problem here.
>
> > -----Original Message-----
> > From: Arek Bekiersz [mailto:[EMAIL PROTECTED]
> > Sent: Friday, March 17, 2006 9:21 AM
> > To: Douglas Garstang
> > Cc: openser
> > Subject: Re: [Users] Trying to find a solution to a sticky problem here.
> >
> > Hi,
> >
> > Just a first impression, after quickly reading the mail. May be useful. Or may be noise:
> >
> > I do it IP based. I use a few Asterisk boxes not exactly the way like you, but I also need to talk between SERs and Asterisks without problems. I just put one or more SERs as trusted peers at all Asterisks. Then at SER I disable authentication of requests, coming for specified Asterisk addresses.
> >
> > When it comes to your REFER problem (or similar), I just put record-route to all requests flying thru SER. Then all UAs are obliged to send subsequent requests in a dialog thru proxy. This is what record-route is for.
>
> Whoa! I didn't realise I could do that. Just exactly where would I put the record_route()? I tried putting it after the logic that tests for an INVITE... but it didn't seem to work.

Hmmm. Then I tried putting a record_route() right at the beginning of the route {} block. Actually I watched the packets with ngrep and I can see a Record-Route: header with OpenSER's IP address, but REFERs are still being sent directly from the phone to Asterisk. Any ideas?

> > If this is not enough, because you are outside of a dialog or have particularly stupid UA - my SIP routing is based on domains. So UAs are always configured to use proxy and proxy is in textual format of a realm (FQDN). Thus, they will never send any dialog initiating request omitting proxy. Or they are very stupid UAs :-)
> >
> > Conclusion: trusted peers on (*) and IP-based policy on SER works well for me.
> >
> > --
> > Regards,
> > Arek Bekiersz
> >
> > Douglas Garstang wrote:
> > > Trying to find a solution to a sticky problem here.
> > >
> > > We have 3 OpenSER systems. Phones register with the OpenSER systems, and after they authenticate the user, pass the registration info using OpenSER's send() command to all Asterisk boxes sitting behind them. Each Asterisk system then knows about every phone.
> > >
> > > For this to work, I had to turn off authentication in Asterisk for both registrations and invites. If it's on, Asterisk sends a 407 Proxy Auth required to the phone in addition to OpenSER. This confuses the phone, as it's now receiving two 407 proxy auth requests, and it basically just drops the second request on the floor.
> > >
> > > This is obviously a big security problem and it can't stay this way. I thought maybe if authentication was on in Asterisk, that considering by the time it receives the authenticated register or invite from OpenSER, the MD5 password was already contained in the packet, that Asterisk wouldn't ask again. It does. :(
> > >
> > > We could use IP tables to only allow connections from the OpenSER systems, but that doesn't always work. When a caller transfers a call, the phones will send a REFER message directly to Asterisk, so all the phones would have to also be in the ip tables allow list. Not an elegant solution.
> > >
> > > We could run mediaproxy on OpenSER and force all RTP streams back through it. Might work, but it might also break other stuff. We could then configure ip tables to only allow RTP streams from the OpenSER systems.
> > >
> > > It might be possible to configure OpenSER to perform the logic necessary to make it talk to Asterisk properly, but it's beyond my abilities and time.
> > >
> > > Anyone ever done this? Anyone got any ideas?
> > >
> > > Doug
> >
> _______________________________________________
> Users mailing list
> [email protected]
> http://openser.org/cgi-bin/mailman/listinfo/users
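An added example, not part of the original thread: a check for the symptom described above, run over a captured 200 OK and a later in-dialog REFER, that reports whether the REFER ignored the Record-Route set and so bypassed the proxy. It assumes the phone was the caller and that the proxy's Record-Route URI carries its IP address; all messages, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample (documentation addresses): the 200 OK the phone received
# for an INVITE that went through the proxy at 192.0.2.10 to Asterisk at 192.0.2.20.
OK_200 = ("SIP/2.0 200 OK\r\n"
          "Record-Route: <sip:192.0.2.10;lr>\r\n"
          "Call-ID: constructed-1\r\n"
          "CSeq: 1 INVITE\r\n"
          "Contact: <sip:2002@192.0.2.20:5060>\r\n\r\n")
# Constructed REFER showing the symptom: no Route header, sent straight to Asterisk.
REFER_DIRECT = ("REFER sip:2002@192.0.2.20:5060 SIP/2.0\r\n"
                "Call-ID: constructed-1\r\n"
                "CSeq: 2 REFER\r\n"
                "Refer-To: <sip:3003@example.test>\r\n\r\n")

def header_values(msg, name):
    """All values of a header, in order (comma-separated entries are split)."""
    out = []
    for line in msg.split("\r\n")[1:]:
        if not line:
            break
        key, _, val = line.partition(":")
        if key.strip().lower() == name.lower():
            out += [v.strip() for v in val.split(",")]
    return out

def uri_of(value):
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def host_of(uri):
    # IPv4/hostname only; strips scheme, user part, port and URI parameters.
    return uri.split(":", 1)[1].split(";")[0].split("@")[-1].split(":")[0]

def expected_in_dialog(response):
    """Caller's view per RFC 3261: route set = Record-Route values reversed."""
    routes = [uri_of(v) for v in header_values(response, "Record-Route")][::-1]
    target = uri_of(header_values(response, "Contact")[0])
    if not routes:
        return {"ruri": target, "route": [], "next_hop": host_of(target)}
    if re.search(r";lr(;|=|$)", routes[0]):        # loose router
        return {"ruri": target, "route": routes, "next_hop": host_of(routes[0])}
    return {"ruri": routes[0], "route": routes[1:] + [target],  # strict router
            "next_hop": host_of(routes[0])}

def bypasses_proxy(response, request, sent_to_ip):
    """True if an in-dialog request ignored the route set learned from response."""
    exp = expected_in_dialog(response)
    got = [uri_of(v) for v in header_values(request, "Route")]
    return sent_to_ip != exp["next_hop"] or got != exp["route"]

if __name__ == "__main__":
    print(bypasses_proxy(OK_200, REFER_DIRECT, "192.0.2.20"))
```

A request flagged here means the phone did not apply the route set, so an allow list on Asterisk limited to the proxies would drop it.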
