AudioCodes Mediant 500 E-SBC User Manual page 90

When the device establishes a TLS connection (handshake) with a SIP user agent (UA),
the TLS Context is determined as follows:

Incoming calls:
1. Proxy Set: If the incoming call is successfully classified to an IP Group based on
Proxy Set (i.e., IP address of calling party) and the Proxy Set is configured for
TLS ('Transport Type' parameter is set to TLS), the TLS Context assigned to the
Proxy Set is used. For configuring Proxy Sets, see Configuring Proxy Sets on
page 270.
2. SIP Interface: If the Proxy Set is either not configured for TLS (i.e., the 'Transport
Type' parameter is set to UDP) or not assigned a TLS Context, and/or
classification to a Proxy Set fails, the device uses the TLS Context assigned to
the SIP Interface used for the call. For configuring SIP Interfaces, see Configuring
SIP Interfaces on page 256.
3. Default TLS Context (ID 0): If the SIP Interface is not assigned a TLS Context or
no SIP Interface is used for the call, the device uses the default TLS Context.

Outgoing calls:
1. Proxy Set: If the outgoing call is sent to an IP Group associated with a Proxy Set
that is assigned a TLS Context and the Proxy Set is configured for TLS (i.e.,
'Transport Type' parameter is set to TLS), the TLS Context is used. If the
'Transport Type' parameter is set to UDP, the device uses UDP to communicate
with the proxy and no TLS Context is used.
2. SIP Interface: If the Proxy Set is not assigned a TLS Context, the device uses the
TLS Context assigned to the SIP Interface used for the call.
3. Default TLS Context (ID 0): If the SIP Interface is not assigned a TLS Context or
no SIP Interface is used for the call, the device uses the default TLS Context.
Notes:
•
If the TLS Context used for an existing TLS connection is changed during the call
by the user agent, the device ends the connection.
•
The device does not query OCSP for its own certificate.
•
Some PKIs do not support OCSP, but generate Certificate Revocation Lists
(CRLs). For such scenarios, set up an OCSP server such as OCSPD.
TLS Context certification also enables employing different levels of security strength (key
size) per certificate. This feature also enables the display of the list of all trusted certificates
currently installed on the device. For each certificate, detailed information such as issuer
and expiration date is shown. Certificates can be deleted or added from/to the Trusted
Root Certificate Store.
You can also configure TLS certificate expiry check, whereby the device periodically
checks the validation date of the installed TLS server certificates and sends an SNMP trap
event if a certificate is nearing expiry. This feature is configured globally for all TLS
Contexts. For configuring TLS certificate expiry check, see 'Configuring TLS Server
Certificate Expiry Check' on page 100.
The following procedure describes how to configure a TLS Context in the Web interface.
You can also configure this using the table ini file parameter, TLSContexts or CLI
command, configure system > tls <ID>.
User's Manual 90
Mediant 500 E-SBC
Document #: LTRT-10427