Genesys Cloud - Main

 View Only

Sign Up

  • 1.  Genesys Cloud External SIP Trunk Encryption (TLS/SRTP) – Configuration Recommendations

    Posted 20 days ago

    Dear Community,

    We have an External SIP Trunk in Genesys Cloud that is connected to Yellow.ai. Calls are transferred from Yellow.ai to Genesys Cloud whenever a customer requests live agent support.

    The customer now wants to enable encryption for both SIP signaling and media between Yellow.ai and Genesys Cloud.

    Could anyone advise on the following:

    1. What changes are required on the Genesys Cloud External SIP Trunk to enable secure signaling (TLS) and media encryption (SRTP)?

    2. Are there any specific certificate requirements or configurations that need to be completed on the Genesys Cloud side?

    3. What information and configuration changes should be shared with the Yellow.ai team so they can update their side accordingly?

    4. Are there any common issues, prerequisites, or best practices to consider when enabling TLS/SRTP between Genesys Cloud and a third-party SIP platform?

    Any suggestions, recommendations, or implementation experiences would be greatly appreciated.

    Thank you in advance for your support.


    #Outbound

    ------------------------------
    Muhammed Shaibant
    x
    ------------------------------


  • 2.  RE: Genesys Cloud External SIP Trunk Encryption (TLS/SRTP) – Configuration Recommendations

    Posted 20 days ago
    Edited by Breno Canyggia Ferreira Marreco 20 days ago

    Hi Mudammed, you need to change the External SIP Trunk to use TLS, because SIP signaling encryption depends on TLS transport and not UDP/TCP.
    Doc: https://help.genesys.cloud/articles/external-trunk-settings/
    Doc: https://help.genesys.cloud/articles/tls-trunk-transport-protocol-specification/

    You need to enable SRTP / Secure Media, because TLS only protects SIP signaling; RTP media will only be encrypted if SRTP is negotiated between Provider and Genesys Cloud. SDP/SRTP compatibility should be validated on both sides.
    You need to validate the TLS certificates, because Provider must trust the public certificate chain used by the Genesys Cloud BYOC endpoints, and the Provider endpoint must also present a valid public certificate trusted by Genesys Cloud. The Provider certificate should have a SAN/CN matching the FQDN configured on the Genesys trunk.
    You need to share with Provider the Genesys Inbound SIP Termination FQDN, TLS port, SRTP requirement, codecs, DTMF method, and required IP ranges, because they will need to update their SIP destination, trust store, firewall/ACL rules, and media negotiation settings.
    You need to validate TLS versions and cipher suites, because a cipher mismatch or the use of deprecated ciphers can prevent the TLS handshake from completing.
    You should test this in a controlled maintenance window before production, because common issues include incorrect certificate SAN, incomplete certificate chain, untrusted CA, blocked port 5061, missing IPs in SIP Access Control, and RTP/SRTP mismatch in SDP.



    ------------------------------
    Att,
    Breno Canyggia Ferreira Marreco
    ------------------------------



  • 3.  RE: Genesys Cloud External SIP Trunk Encryption (TLS/SRTP) – Configuration Recommendations

    Posted 20 days ago
    Edited by Cameron Tomlin 20 days ago

    Hello Muhammed, 

    If you're looking to secure the SIP connection between Genesys Cloud and Yellow.ai using TLS for signaling and SRTP for media, here's what you'll need to configure.

    You'll need to make a few changes to the trunk configuration:

    - Change the Protocol from UDP/TCP to TLS
    - Change the Listen Port to 5061 (the standard port for SIP over TLS)
    - Configure your preferred SRTP cipher suites under the Media settings. Both sides will need to support at least one common cipher suite for media encryption to work.

    Genesys Cloud uses TLS 1.2 by default, although newer TLS versions can be selected where supported.

    On the Yellow.ai side, they'll need to:

    - Support SIP over TLS (TCP) on port 5061
    - Support SRTP using one or more matching cipher suites
    - Present a valid X.509 certificate signed by a supported public Certificate Authority
    - Ensure their certificate chain is trusted by Genesys Cloud

    One thing important note is that Genesys Cloud does not support Mutual TLS (mTLS), so only server-side certificate validation is used.

    For TLS to establish successfully:

    - Both systems must trust the appropriate public Certificate Authority.
    - Subject name validation is enforced.
    - Certificate revocation checking is performed.
    - The TLS handshake must complete within the supported timeout.

    A few best practices, while you're configuring the trunk, I'd also recommend:

    - Restricting access with SIP Access Control and only allowing traffic from Yellow.ai's public IP addresses.
    - Verifying that both sides are configured with the same SRTP cipher suites.
    - If NAT is involved, review whether Far-End NAT Traversal (FENT) is needed for your deployment.

    Another important requirement, both ends of the connection must use the same transport protocol. For example, if Genesys Cloud is configured for TLS but Yellow.ai is still expecting UDP or TCP, the trunk won't establish successfully.

    Once both sides are set up, test both inbound and outbound calls and verify that:

    - SIP signaling is using TLS
    - Media is encrypted with SRTP
    - There are no certificate validation or TLS handshake errors

    Overall, the configuration is fairly straightforward as long as both platforms agree on the transport protocol, certificate trust, and SRTP cipher suites.

    Hope this helps!



    ------------------------------
    Cameron
    Online Community Manager/Moderator
    ------------------------------