dacheung
3 Posts

JSR289 and secure transport chain

2011-05-06T14:50:13Z
Hi,

In our WebSphere deployment, we have defined a loopback alias to allow our application to bind to a virtual IP address, port 5060 for UDP/TCP and 5061 for TLS. When we initiate a request to our call server using TLS, the SIP headers use the virtual IP, but at the IP layer, the source address is the physical IP address of the machine.

However, if the request is initiated with UDP transport, the virtual IP is used at the IP layer. I have verified this using Wireshark. Any ideas why the behavior is different?
  • jlawwill
    1 Post

    Re: JSR289 and secure transport chain

    ‏2011-05-06T17:31:26Z  
    Hi,

    I have a few questions.
    1. Is your AppServer fronted by a SIP Proxy?
    2. Your client is making a TLS connection to the virtual IP address, right? It isn't using the machine IP address.
    3. If you are using a Load Balancer, do you see the initial TCP request (SYN) sent to the virtual IP address? If so, is the LB forwarding it to the SIP machine using the virtual IP address?

    Thanks,
    Jim Lawwill
    WebSphere SIP Proxy Development
  • cheungda
    20 Posts

    Re: JSR289 and secure transport chain

    ‏2011-05-06T17:37:47Z  
    Hi,

    1. We don't have a SIP proxy.

    2. When the call server wants to initiate a request back to our servlet, it will use the virtual IP address, as referenced in the Contact header of a previous outgoing request from our servlet. The TLS connection is set up properly, certificates exchanged, etc., and then all requests from our servlet start using that connection on the virtual IP.

    3. We don't have a load balancer. Our setup is not using the recommended IBM deployment because of the extra box needed for the LB.

    Darryl