PureConnect

  • 1.  TLS Line stops working after switchover

    Posted 02-09-2023 11:25

    Hello Team,

    I have been migrating to an all-SIP line configuration using TLS and am encountering some oddness. I have a cert with the 'correct' chain, and both servers are named in the cert; it is configured as the line cert on both servers. I have everything working on the active server, do the switchover, and the line stops working (90% of the time; in my first test, the switchover worked, but then failed once I switched back to the normal primary). I check the config, the cert shows as valid, and I continue to see Server A respond correctly while Server B does not. I can do the switchover multiple times and it will remain as such. I go into the CIC and reimport the line cert on 'Server B', which is not responding (but was working at the start of the process), and everything switches again, i.e. Server B responds, Server A does not. Does this make sense to anyone? What am I missing? It would seem to me that once I have imported the cert on a server and the line is working on that server, it should remain as such. I am only reimporting the cert via the import process on the TLS Line tab, not physically reinstalling or copying a cert.

    I can repeat the process; however, this will be a maintenance nightmare moving forward. Any thoughts or suggestions?


    #Security
    #SIP/VoIP
    #Unsure/Other

    ------------------------------
    Christopher Becker
    State of Michigan - Oakland County - WRC
    ------------------------------


  • 2.  RE: TLS Line stops working after switchover

    Posted 02-13-2023 08:42

    Do both of your servers have the same DNS name (duplicate A records)? This is the name that should be used for the cert.
    Also, are you using DNS SRV? Is that correctly configured in the line?



    ------------------------------
    Paul Simpson
    Eventus Solutions Group
    ------------------------------



  • 3.  RE: TLS Line stops working after switchover

    Posted 02-14-2023 07:46

    Hello Paul,

    Hope things are well, and thank you for your response. We are not using DNS for these servers, as we do not have a web server on them and they are only accessed via the phone. I forwarded your question to the SIP provider (we have moved from our analog lines to a third-party SIP provider) to see if this is something we can do. I followed the steps in the security PDF provided by Genesys, i.e. we created a cert that has both server names and IPs defined. If you can point to any documentation related to your questions and how to configure this properly, it would be greatly appreciated.



    ------------------------------
    Christopher Becker
    State of Michigan - Oakland County - WRC
    ------------------------------



  • 4.  RE: TLS Line stops working after switchover

    Posted 02-14-2023 08:43

    Hi Christopher,

    I have never set up Switchover or TLS without DNS (it's not just for the Web! ;-) )

    Whenever I have done it (when teaching in class) it has worked if you do the following...

    1. Create 2 DNS "A" Records, same name, one pointing to each server.
    2. Create 2 DNS SRV records for the Domain (SIP / TLS) one pointing to each server
    3. Configure DHCP Option 160 to use the "A" record from Step 1. This allows phones to provision against whichever server is currently Primary.
    4. Use the "A" record from Step 1 when configuring the server name in any client connections. This allows the client to "find" the server, whichever is Primary, even if the other one is down.
    5. In the Registration Groups, configure for DNS SRV / TLS
    6. In the Line configurations, either use the "A" record from Step 1 for the Domain, or the actual Domain and configure for DNS SRV (from Step 2).
    7. Regenerate and reimport certificates as necessary.
    8. Configure all external entities to use either the "A" record from Step 1, or the DNS SRV Record from Step 2.

    Then it works. I haven't ever tried this with IP addresses directly. The benefit of using DNS is that you have one name, but two addresses. Many entities can only take a single entry (which can be DNS or IP)

    HTH



    ------------------------------
    Paul Simpson
    Eventus Solutions Group
    ------------------------------



  • 5.  RE: TLS Line stops working after switchover

    Posted 02-14-2023 10:02

    Hello Paul,

    If you remember from class, we have a very unique setup, i.e. we only use the attendant and custom web services. This means we have no phones to provision. That said, we also do not have any registration groups configured, as I believe these are only used with phones. Do we need to have the registration lines configured? I am working with our Server and Network team on the other configurations you have recommended.

    any and all information is much appreciated.

    Chris B  



    ------------------------------
    Christopher Becker
    State of Michigan - Oakland County - WRC
    ------------------------------



  • 6.  RE: TLS Line stops working after switchover

    Posted 02-14-2023 10:14

    My apologies, Christopher! As I'm sure you can appreciate, I saw a great many students in my nearly 15 years at ININ / Genesys, so I don't remember the details of everyone's setup....

    I only mentioned the Phone provisioning because you said "are only access via the phone." which I took to mean stations - my bad!

    You are correct, Registration lines and groups are not required if you don't have Stations, however for TLS to work, your Trunk lines will need to have TLS configured and my comments (above) apply. The problem is that on the line configuration, you can only specify a single identity, so you can't put the server's IP there as it will change following a Switchover. That's why you use DNS. In this way, the traffic to and from the server will have a destination and source that matches the certificate and all is good.

    HTH - let us know if it works!



    ------------------------------
    Paul Simpson
    Eventus Solutions Group
    ------------------------------
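    The eight steps in reply 4 and the single-identity point in reply 6 reduce to one condition a line must satisfy to survive a switchover: the identity configured on the line has to be in the certificate's SANs, and it has to resolve to every server that can become primary. The script below is an added example written for this thread, not Genesys code or configuration; it checks that condition over a constructed zone. The host names cic1/cic2/sip.example.com, the 10.0.0.x addresses, the SRV name _sips._tcp.example.com and the SAN list are assumptions for illustration. Because which identity a given SIP peer validates (the SIP domain or the SRV target it resolved) depends on that peer, the check conservatively requires both to be covered by the certificate.

```python
"""Consistency check for the DNS / certificate setup of a PureConnect
switchover pair with TLS SIP lines.  Added example, not Genesys code; the
zone records, host names, addresses and certificate SANs are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Zone:
    """Minimal stand-in for the DNS zone: A records and SRV records."""
    a: dict    # name -> set of IPv4 address strings
    srv: dict  # service name -> list of (priority, weight, port, target)


def san_matches(name, san):
    """RFC 6125-style dNSName comparison: case-insensitive; a wildcard is only
    allowed as the whole left-most label and matches exactly one label."""
    name, san = name.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                                   # ".example.com"
        head = name[:-len(suffix)] if name.endswith(suffix) else ""
        return bool(head) and "." not in head
    return name == san


def identity_covered(identity, sans):
    """True if identity (host name or IP literal) appears in the SAN list.
    sans is a list of ("DNS", name) / ("IP", address) tuples."""
    try:
        ip = ipaddress.ip_address(identity)
    except ValueError:
        return any(t == "DNS" and san_matches(identity, v) for t, v in sans)
    return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in sans)


def resolve_line(line_identity, use_srv, zone):
    """Return (identities a peer may validate, addresses the line reaches).
    With DNS SRV the targets come from _sips._tcp.<domain>; otherwise the
    identity is looked up as an A record, and an IP literal is itself."""
    try:
        ipaddress.ip_address(line_identity)
        return {line_identity}, {line_identity}
    except ValueError:
        pass
    if use_srv:
        targets = [rec[3] for rec in zone.srv.get(f"_sips._tcp.{line_identity}", [])]
        addrs = set().union(*(zone.a.get(t, set()) for t in targets))
        return {line_identity, *targets}, addrs
    return {line_identity}, set(zone.a.get(line_identity, set()))


def check_line(line_identity, use_srv, zone, sans, switchover_pair):
    """Return a list of problems; an empty list means the line identity is in
    the certificate and resolves to every server in the switchover pair."""
    problems = []
    identities, addrs = resolve_line(line_identity, use_srv, zone)
    for ident in sorted(identities):
        if not identity_covered(ident, sans):
            problems.append(f"{ident} is not covered by the certificate SANs")
    if not addrs:
        problems.append(f"{line_identity} does not resolve")
    missing = set(switchover_pair) - addrs
    if missing:
        problems.append(
            f"{line_identity} resolves to {sorted(addrs)} only; after a switchover "
            f"to {sorted(missing)} the line identity no longer points at the primary")
    return problems


# Constructed zone following steps 1 and 2 of reply 4 (assumed names/addresses).
ZONE = Zone(
    a={
        "cic1.example.com": {"10.0.0.11"},
        "cic2.example.com": {"10.0.0.12"},
        "sip.example.com": {"10.0.0.11", "10.0.0.12"},   # duplicate A records
    },
    srv={  # one SRV record per server
        "_sips._tcp.example.com": [(10, 50, 5061, "cic1.example.com"),
                                   (10, 50, 5061, "cic2.example.com")],
    },
)
PAIR = {"10.0.0.11", "10.0.0.12"}
# Constructed SAN list: both server names, the shared A name, the SIP domain, both IPs.
SANS = [("DNS", "cic1.example.com"), ("DNS", "cic2.example.com"),
        ("DNS", "sip.example.com"), ("DNS", "example.com"),
        ("IP", "10.0.0.11"), ("IP", "10.0.0.12")]

if __name__ == "__main__":
    for ident, srv in [("sip.example.com", False), ("example.com", True),
                       ("cic1.example.com", False), ("10.0.0.11", False)]:
        print(f"{ident:18} srv={srv!s:5} ->", check_line(ident, srv, ZONE, SANS, PAIR) or "OK")
```

    Run as a script, the two configurations reply 4 recommends (the shared A name, or the domain with DNS SRV) report OK, while a line configured with one server's own host name or IP literal passes the certificate check but fails the resolution check: it only ever points at one member of the pair, which matches the "one server responds, the other does not" symptom described at the top of the thread without proving that is the cause in that environment. To use it against a real deployment, replace the constructed Zone with the output of dig for the A and SRV names and the SANS list with the certificate's subjectAltName extension.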


