MCU 4215

Configuring encryption settings

You can configure the MCU to encrypt connections to and from H.323 and SIP endpoints.

The encryption technology that the MCU uses for encryption to and from H.323 endpoints is Advanced Encryption Standard (AES).

The encryption technology that the MCU uses for encryption to and from SIP endpoints is Secure Real-time Transport Protocol (SRTP).

To use encryption, you must have the Encryption feature key present on the MCU. For information about installing feature keys, refer to Upgrading the firmware. To access encryption settings, go to Settings > Encryption.

Encryption is used where both devices in a call agree to use encryption. By default, if one of the devices cannot use encryption (for example, if a SIP endpoint does not support SRTP), the MCU will allow the call to be unencrypted, unless the conference configuration dictates that encryption is Required. Where encryption is required, calls that cannot use encryption will not be allowed.

When encryption is in use to and from H.323 endpoints, the MCU will encrypt audio, video, and content media. It does not encrypt control or authentication information.

When encryption is in use to and from SIP endpoints, the MCU will encrypt audio and video media using SRTP. Control or authentication information can also be encrypted using TLS. For more information refer to Using encryption with SIP, below.

You can:

Note that using encryption does not affect the number of ports that are available on the MCU.

Note that the MCU will not show thumbnail previews on the Conference participant page if encryption is required for a conference. If you have the Show thumbnail images option selected on the Settings > User interface page, thumbnail previews will be shown for conferences where encryption is optional and there are encrypted participants.

Refer to this table for assistance configuring the encryption settings. After making any configuration changes, click Apply changes.

Field: Encryption status

Field description: Whether the MCU is able to use encryption or not.

Usage tips: When encryption status is Enabled, the MCU advertises itself as being able to use encryption and will use encryption if required to do so by an endpoint. If this setting is Enabled, you can enable or disable the use of encryption on a per-conference basis.

If this setting is Disabled, no conference will be able to use encryption.

Field: Default setting for new scheduled conferences

Field description: The default encryption setting for new scheduled conferences (on the Conference list > Add conference page).

Usage tips: When you (or another user) create a new conference (by choosing Conferences and clicking Add new conference), you can set the encryption setting for the conference to be either Allowed or Required. This control defines which option is selected by default. However, when creating a conference this can be changed.

Field: Encryption required for new ad hoc conferences

Field description: When enabled, this setting forces encryption to be used for new ad hoc conferences.

Usage tips: Changing this setting will have no effect on currently active ad hoc conferences; however, when an ad hoc conference is running, whether or not encryption is required for that conference can be configured (go to Conferences, select the conference you require and select the Configuration tab).

Field: SRTP encryption

Field description: Select the setting for media encryption for SIP calls:

  • All transports: If encryption is used for a call, the media will be encrypted using SRTP regardless of transport mechanism used for call control messages.
  • Secure transports (TLS) only: If encryption is used for a call, the media will only be encrypted in calls that are set up using TLS.
  • Disabled: SRTP will not be used for any calls. The MCU will not encrypt media for SIP calls.

For more information refer to Using encryption with SIP, below.

Usage tips: When disabled, the MCU will not advertise that it is able to encrypt using SRTP. It is only necessary to disable SRTP if it is causing problems.

Using encryption with SIP

The MCU supports the use of encryption with SIP. When encryption is in use with SIP, the audio and video media are encrypted using Secure Real-time Transport Protocol (SRTP). When using SRTP, the default mechanism for exchanging keys is Session Description Protocol Security Description (SDES). SDES exchanges keys in clear text, so it is a good idea to use SRTP in conjunction with a secure transport for call control messages. You can also configure the MCU to use Transport Layer Security (TLS), a secure transport mechanism that can be used for SIP call control messages.

Using TLS for call setup is not sufficient for the call to be considered encrypted such that it can participate in a conference which requires encryption. Where encryption is required in the conference configuration, a SIP call must use SRTP.

To configure the MCU to use SRTP to encrypt media in calls that are set up using TLS:

  1. You must have the encryption feature key installed on your MCU.
  2. Go to Settings > Encryption and set:
    • Encryption status to Enabled.
    • Default setting for new scheduled conferences to Required.
    • SRTP encryption to Secure transports (TLS) only.
  3. Go to Settings > SIP and set Outgoing transport to TLS.

Note that to allow the MCU to accept incoming calls that use TLS, go to Network > Services and ensure that Incoming Encrypted SIP (TLS) is selected.
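The following added example (not MCU code, and not part of the original help page) models the behaviour described in this section: it reads the SDES `a=crypto` lines from a SIP endpoint's SDP offer, then works out whether the call ends up encrypted, unencrypted or rejected, and whether the SDES key would travel over a non-TLS transport. The setting names `all`, `tls_only` and `disabled`, the function names and the sample SDP are assumptions made for illustration, and Encryption status is assumed to be Enabled.

```python
import base64
import re

# Constructed sample: 30 bytes of placeholder key material, not a real key.
SAMPLE_KEY = base64.b64encode(b"CONSTRUCTED-SAMPLE-KEY-30BYTES").decode()

# Constructed SDP offer from a hypothetical SIP endpoint offering SRTP with SDES.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}",
    "m=video 49172 RTP/SAVP 96",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}",
]) + "\r\n"

CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)")

def sdes_offers(sdp):
    """Return (media, suite) for each a=crypto line, tracking the enclosing m= section."""
    media, found = None, []
    for line in sdp.splitlines():
        if line.startswith("m="):
            media = line[2:].split()[0]
        match = CRYPTO_RE.match(line)
        if match:
            found.append((media, match.group(2)))
    return found

def call_outcome(srtp_setting, transport, sdp, conference_encryption):
    """Model of the documented behaviour (assumes Encryption status is Enabled).

    srtp_setting: 'all', 'tls_only' or 'disabled' (hypothetical names for the options)
    transport: SIP call control transport, e.g. 'tls', 'tcp' or 'udp'
    conference_encryption: 'allowed' or 'required'
    Returns (result, key_exposed).
    """
    srtp_ok = bool(sdes_offers(sdp)) and (
        srtp_setting == "all" or (srtp_setting == "tls_only" and transport == "tls"))
    # SDES carries the key inside the SDP, so a non-TLS transport sends it in clear text.
    key_exposed = srtp_ok and transport != "tls"
    if srtp_ok:
        return "encrypted", key_exposed
    if conference_encryption == "required":
        return "rejected", False  # TLS signalling alone does not satisfy Required
    return "unencrypted", False
```

With the All transports setting and a UDP call, the model reports an encrypted call whose SDES key was exposed in signalling, which is the case the Secure transports (TLS) only setting avoids.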

