Configuring TLS

Secure data transfer using TLS is now supported between SIP Server and Active-Active Resource Managers in IP Address Takeover and Windows NLB Cluster high-availability deployments. TLS is also supported between SIP Server and all SIP devices, including SBCs, Media Gateways, and SIP phones.

The integration solution described in this section makes the following assumptions:

• TLS transport is used for SIP signaling
• SIP Server performs load balancing between an Active-Active Resource Manager pair

Configuration Steps

1. Provision SSL certificates for workstations hosting SIP Servers, RM, and MCP applications. Refer to the ''Genesys 8.1 Security Deployment Guide''.
2. Configure SIP Server to use TLS data transfer. Refer to the Transport Layer Security for SIP Traffic section in the ''Framework 8.1 SIP Server Deployment Guide''.
3. Configure Resource Managers in an Active-Active high-availability cluster. Refer to the Genesys Voice Platform Integration section in the ''Framework 8.1 SIP Server Deployment Guide''.

To configure TLS data transfer between Genesys Media Server components, refer to the ''Genesys Media Server 8.1 Deployment Guide''.

SIP Phones

To use TLS data transfer between SIP Server (IP Address Takeover and Windows NLB HA configurations) and SIP Endpoints, complete these additional steps:

1. Create an additional certificate for a FQDN that corresponds to the IP address specified in the sip-address option (Virtual IP address) of the SIP Server application. Install this certificate on both hosts on which the primary and backup SIP Servers run.
2. Make sure that the following conditions exist, as appropriate:
   • On Windows, the sip-tls-cert option is set to the thumbprint obtained from the certificate generated in Step 1, above.
   • On UNIX, the sip-tls-cert option is set to the path and filename of the .pem encoded file that contains the host certificate created in Step 1, above.