Hello Muhammed,
If you're looking to secure the SIP connection between Genesys Cloud and Yellow.ai using TLS for signaling and SRTP for media, here's what you'll need to configure.
You'll need to make a few changes to the trunk configuration:
- Change the Protocol from UDP/TCP to TLS
- Change the Listen Port to 5061 (the standard port for SIP over TLS)
- Configure your preferred SRTP cipher suites under the Media settings. Both sides will need to support at least one common cipher suite for media encryption to work.
Genesys Cloud uses TLS 1.2 by default, although newer TLS versions can be selected where supported.
On the Yellow.ai side, they'll need to:
- Support SIP over TLS (TCP) on port 5061
- Support SRTP using one or more matching cipher suites
- Present a valid X.509 certificate signed by a supported public Certificate Authority
- Ensure their certificate chain is trusted by Genesys Cloud
One thing important note is that Genesys Cloud does not support Mutual TLS (mTLS), so only server-side certificate validation is used.
For TLS to establish successfully:
- Both systems must trust the appropriate public Certificate Authority.
- Subject name validation is enforced.
- Certificate revocation checking is performed.
- The TLS handshake must complete within the supported timeout.
A few best practices, while you're configuring the trunk, I'd also recommend:
- Restricting access with SIP Access Control and only allowing traffic from Yellow.ai's public IP addresses.
- Verifying that both sides are configured with the same SRTP cipher suites.
- If NAT is involved, review whether Far-End NAT Traversal (FENT) is needed for your deployment.
Another important requirement, both ends of the connection must use the same transport protocol. For example, if Genesys Cloud is configured for TLS but Yellow.ai is still expecting UDP or TCP, the trunk won't establish successfully.
Once both sides are set up, test both inbound and outbound calls and verify that:
- SIP signaling is using TLS
- Media is encrypted with SRTP
- There are no certificate validation or TLS handshake errors
Overall, the configuration is fairly straightforward as long as both platforms agree on the transport protocol, certificate trust, and SRTP cipher suites.
Hope this helps!
------------------------------
Cameron
Online Community Manager/Moderator
------------------------------