VoIP Signaling Security

Last Updated: Apr 27, 2022

Securing the signaling of VoIP links is necessary when SRTP is enabled, and it is also a security measure in itself. It should be enabled when the SIP registrar or H.323 Gatekeeper is exposed on a public interface, with the other unsecure options disabled.

The security mechanism is dependent upon the type of link:

| Link Type | Key Security Mechanism | Notes |
|---|---|---|
| IP Office Line | WebSocket HTTPS | Only the IP Office Line with WebSocket transport and Security setting of Medium or High should be used. |
| SIP Line | SIP-TLS | Additional line configuration is required to enable SIP-TLS. Also supports the SIPS URI scheme. |
| SM Line | SIP-TLS | Additional line configuration is required to enable SIP-TLS. Also supports the SIPS URI scheme. |
| Avaya H.323 extensions | H.323-TLS | Additional configuration is required to enable H.323-TLS. |
| Avaya H.323 extensions | H.323-Annex H | No additional configuration required. This does not secure the complete H.323 signaling channel, just the registration, key exchange and dialed digits. |
| Avaya SIP extensions | SIP-TLS | Additional SIP registrar configuration is required to enable SIP-TLS. |

For SIP extensions, the relevant LAN's SIP registrar layer 4 protocol setting should be configured to enable the TLS protocol. SIP-TLS requires the administration of certificates; see Certificates and Trust.

For SIP or SM lines, the line's transport setting should be configured to use the TLS protocol, with certificate checks enabled. A further consideration is the use of the SIPS URI scheme as defined by RFC 3261 and RFC 5630. Enabling the SIPS URI Type setting causes all sessions originated from the trunk to use SIPS, indicating that secure SIP links are required for the call. The system setting System > VoIP > VoIP Security > Strict SIPS, when active, causes IP Office to reject any call to a SIP or SM Line that is not configured for SIP-TLS and the SIPS URI scheme. When it is not set, IP Office permits the 'downgrading' of a SIP-TLS call to an unsecure SIP call.

Care should be taken when using the SIPS URI scheme and Strict SIPS: support by both Avaya clients and ITSPs varies, which could result in failed calls. This is of high importance for emergency call planning.
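The following added example (not Avaya code and not part of the IP Office product) audits SIP requests for the properties discussed above: a sips: Request-URI, TLS on the topmost Via, and a sips: Contact. The sample messages are constructed, and the verdict names and the strict_sips parameter are assumptions that only model the Strict SIPS behaviour described here.

```python
import re

COMPACT = {"v": "via", "m": "contact"}  # RFC 3261 compact header forms
VIA_RE = re.compile(r"\s*SIP\s*/\s*2\.0\s*/\s*([\w-]+)", re.I)

# Constructed sample requests (not captured traffic); all names are placeholders.
SECURE_INVITE = (
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pbx.example.com:5061;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sips:alice@pbx.example.com:5061>\r\n\r\n")
DOWNGRADED_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "v: SIP/2.0/UDP pbx.example.com:5060;branch=z9hG4bK74bf9\r\n"
    "m: <sip:alice@pbx.example.com:5060>\r\n\r\n")
MIXED_INVITE = SECURE_INVITE.replace("<sips:alice", "<sip:alice")

def parse_request(raw):
    """Return (request_uri, headers); header folding is not handled."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return uri, headers

def uri_scheme(value):
    """Scheme of a bare URI or of a name-addr such as '<sips:a@b>;tag=1'."""
    uri = value.split("<", 1)[1] if "<" in value else value
    return uri.split(":", 1)[0].strip().lower()

def audit(raw, strict_sips=False):
    """Return (verdict, findings) for one SIP request."""
    uri, headers = parse_request(raw)
    findings = []
    if uri_scheme(uri) != "sips":
        findings.append("request-uri-not-sips")
    via = VIA_RE.match(headers.get("via", [""])[0])  # topmost Via = most recent hop
    if not (via and via.group(1).upper().startswith("TLS")):
        findings.append("via-not-tls")
    # RFC 3261 8.1.1.8: a SIPS Request-URI requires a SIPS Contact.
    if uri_scheme(uri) == "sips" and any(
            uri_scheme(c) != "sips" for c in headers.get("contact", [])):
        findings.append("contact-not-sips")
    if not findings:
        return "allow-secure", findings
    # Assumption: simplified model of the Strict SIPS behaviour described above.
    return ("reject" if strict_sips else "allow-downgraded"), findings
```

Run over signaling captured at the network edge, a non-empty findings list with Strict SIPS disabled marks calls that were accepted without end-to-end SIPS guarantees.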

Current SIPS support of Avaya clients is covered in IP Office VoIP Endpoint Security.

For information on 9608, 9611, 9621 and 9641 H.323 secure phone provisioning, see Secure Provisioning of 9600 Series H.323 Phones.

For further details, see the relevant client documentation.