We're trying to expose the CIC 4.0 SIP softphones for our employees through company VPN network. Though we already have the softphones configured and running for internal users within the company network, are there any security issues with exposing them through VPN ? We'd be using TLS as well as SRTP with the softphones. Also, please suggest if there's anything that should be considered here.

With the VPN and TLS/SRTP, you have the audio security pretty well covered. There are a few other things you'll probably run into, though. The first is provisioning - if the DHCP scope used by the remote workstation over the VPN provides option 160, provisioning may be fairly automated. Otherwise, the provisioning DNS name may need to be entered by the user in the wizard. Next is network routing to allow the SIP Soft Phone to communicate with the servers and other audio endpoints in the organization. Also, these remote users need to be aware that their audio is traveling across the public internet. Anything that compromises that audio path will result in decreased audio quality... it is just to be expected. Don't try to stream videos while on a call or download large files, etc.

Hi, We've already considered the DHCP scope 160 for the softphone provisioning and the DNS resolution therafter. Thanks again and I might need more inputs during the implementation phase.

​Hello,
we experienced a similar issue recently and determined that AV ( specifically McAfee policy) was too strict and needed to be lightened a bit to allow the SIP traffic across the VPN tunnel.

Once the policy was lightened, the traffic had no restrictions.

We also are set up with TLS/SRTP

------------------------------
Tammy Fiedler
Aurora Health Care Inc
------------------------------

Original Message:
Sent: 03-22-2018 10:44
From: Saurabh Verma
Subject: SIP Softphone Inputs

Hi,

We've already considered the DHCP scope 160 for the softphone provisioning and the DNS resolution therafter.

Thanks again and I might need more inputs during the implementation phase.

If you don't have full mesh VPN between all of the people who will use SIP Soft Phone and any other sites you have CIC phones deployed then they won't be able to talk to each other with the default setting of Dynamic audio.  Changing audio to Always In for these users is quickest way to solve that problem without modifying how your VPNs work in general.

------------------------------
Evan
------------------------------

Original Message:
Sent: 03-15-2018 16:18
From: Saurabh Verma
Subject: SIP Softphone Inputs

We're trying to expose the CIC 4.0 SIP softphones for our employees through company VPN network. Though we already have the softphones configured and running for internal users within the company network, are there any security issues with exposing them through VPN ? We'd be using TLS as well as SRTP with the softphones.

Also, please suggest if there's anything that should be considered here.