[Users] Trying to find a solution to a sticky problem here.

Nathan Hawkins utsl at quic.net
Fri Mar 17 17:28:58 CET 2006


Douglas Garstang wrote:
> Trying to find a solution to a sticky problem here.
> 
> We have 3 OpenSER systems. Phones register with the OpenSER systems,
> and after they authenticate the user, pass the registration info
> using OpenSER's send() command to all Asterisk boxes sitting behind
> them. Each Asterisk system then knows about every phone.
>
> For this to work, I had to turn off authentication in Asterisk for
> both registrations and invites. If it's on, Asterisk sends a 407
> Proxy Auth required to the phone in addition to OpenSER. This
> confuses the phone, as it's now receiving two 407 proxy auth
> requests, and it basically just drops the second request on the
> floor.

That's about right. I ran into that too. I just chose not to tell
Asterisk about the phones. Less admin hassle that way, too.

> This is obviously a big security problem and it can't stay this way.
> I thought maybe if authentication was on in Asterisk, that
> considering by the time it receives the authenticated register or
> invite from OpenSER, the MD5 password was already contained in the
> packet, that Asterisk wouldn't ask again. It does. :(
> 
> We could use IP tables to only allow connections from the OpenSER
> systems, but that doesn't always work. When a caller transfers a
> call, the phones will send a REFER message directly to Asterisk, so
> all the phones would have to also be in the ip tables allow list. Not
> an elegant solution.

I run it on localhost, and force everything through OpenSER. I use
Polycom phones, so I set OpenSER as my outbound proxy. Works great.

> We could run mediaproxy on OpenSER and force all RTP streams back
> through it. Might work, but it might also break other stuff. We could
> then configure ip tables to only allow RTP streams from the OpenSER
> systems.

Why would you want to do that? Where I work, we've been actively trying
to avoid getting anything between the phone and the media gateway. Call
quality suffers when we do.

> It might be possible to configure OpenSER to perform the logic
> necessary to make it talk to Asterisk properly, but it's beyond my
> abilities and time.
> 
> Anyone ever done this? Anyone got any ideas?

I've been working on something similar, although with only one OpenSER
and one Asterisk instance. I'm also writing a subscription server to
fill in for some functions that neither do yet. (I need to handle the
dialog event package as well as presence.)

	---Nathan
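
Added example, not part of the original message or of either project's code: a minimal model of RFC 2617 digest checking that shows why credentials computed for the proxy's challenge draw a fresh 407 from a second server. The `DigestServer` class, realms, user and password are constructed for illustration, and it assumes a server accepts only nonces it issued itself.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1 ":" nonce ":" HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    """Hypothetical stand-in for one SIP server doing digest auth."""
    def __init__(self, realm, users):
        self.realm, self.users, self.issued = realm, users, set()

    def challenge(self):
        nonce = secrets.token_hex(8)
        self.issued.add(nonce)
        return {"realm": self.realm, "nonce": nonce}

    def check(self, method, uri, creds):
        # The response hash is bound to realm and nonce, so credentials built
        # for another server's challenge cannot be validated here.
        if creds["realm"] != self.realm or creds["nonce"] not in self.issued:
            return 407
        password = self.users.get(creds["username"])
        if password is None:
            return 407
        expected = digest_response(creds["username"], self.realm, password,
                                   method, uri, creds["nonce"])
        return 200 if hmac.compare_digest(expected, creds["response"]) else 407

def phone_answer(challenge, user, password, method, uri):
    response = digest_response(user, challenge["realm"], password,
                               method, uri, challenge["nonce"])
    return {"username": user, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "response": response}

def demo():
    users = {"1001": "s3cret"}                     # constructed account
    proxy = DigestServer("openser.example", users)  # front proxy
    pbx = DigestServer("asterisk.example", users)   # server behind it
    uri = "sip:openser.example"
    creds = phone_answer(proxy.challenge(), "1001", "s3cret", "REGISTER", uri)
    # The same header is valid at the proxy and re-challenged behind it.
    return proxy.check("REGISTER", uri, creds), pbx.check("REGISTER", uri, creds)
```

The packet carries a hash over the proxy's realm and nonce, not the password, so the second server has nothing it can verify without issuing its own challenge.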



