ClearIP TLS enablement

Most ClearIP customers connect their telecom network to ClearIP using TCP. Some may want to use TLS for the additional security that encryption provides.

Here are options for TLS (Transport Layer Security) enablement:

  1. Our preferred recommendation is that you use the TLS capabilities available in your telecom network equipment and software.
  2. If your network equipment does not support TLS, we encourage you to consider telecom network solutions from our interop technology partners that do.
  3. If circumstances do not allow you to obtain a TLS-ready solution at this time, you can use the ClearIP TLS Proxy. This software will enable you to connect a UDP (User Datagram Protocol) or TCP network to ClearIP using TLS.

ClearIP TLS Proxy installation

  1. Create Virtual Machines (VMs) inside your private network with 4 GB of RAM and 2 cores running CentOS 7.x or Red Hat 7.x.
    1. The VMs must have access to the internet.
    2. The VMs should not have public IP addresses. We recommend that you set them up with Network Address Translation (NAT) through a firewall.
    3. No ports should be opened for external access.
    4. All connections to ClearIP from your network will be initiated through proxies running in the VMs. They will connect to ClearIP using TLS 1.2, so all traffic will be encrypted.
    5. The proxies will accept SIP messages on all interfaces via UDP (5060), TCP (5060), and TLS 1.2 (5061).
    6. Only trusted devices should be able to send SIP messages to the proxies. If untrusted devices exist on the same network as the proxies, you must use a firewall to limit access.
    7. The proxy starts when installed and whenever its VM is rebooted. There is no starting/stopping or further configuration required.
  2. To install the proxy on each VM, run this command:

       curl | sh -s

  3. When you send call traffic to ClearIP, the software will use the SIP INVITE and perform the services configured.
    1. If the ClearIP services don’t result in a block or diversion and routing was not requested, then ClearIP will return a SIP 404 Not Found message. Your telecom network will then route-advance to the next destination in your routing table and send the call.
    2. If routing is enabled or a service initiates a diversion, ClearIP will return a SIP 302 Moved Temporarily to redirect the call to specific routes or divert it (e.g., to the CAPTCHA gateway, which prompts for human response).
    3. If a ClearIP service initiated a block, ClearIP will return a SIP 603 Decline message. The telecom system will then decline the call.
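
One way to enforce the installation requirement that only trusted devices can send SIP messages to the proxies, using firewalld on the proxy VM itself. This is an added example, not part of the ClearIP documentation or installer; the zone name and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example. Zone name and sample addresses are assumptions, not ClearIP values.
ZONE="sip-trusted"   # hypothetical firewalld zone for trusted SIP senders

# Accept only an IPv4 address with an optional /prefix, so a typo or stray
# shell metacharacter can never reach a firewall-cmd argument.
valid_source() {
    case $1 in ""|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the firewall-cmd commands that bind the trusted sources to a dedicated
# zone and open the proxy's listeners (UDP 5060, TCP 5060, TLS 5061) only there.
# Packets from any other address fall through to the interface's own zone,
# which must not list these ports (check with: firewall-cmd --list-all).
sip_firewall_rules() {
    [ "$#" -gt 0 ] || { echo "no trusted sources given" >&2; return 1; }
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    echo "firewall-cmd --permanent --new-zone=$ZONE"
    for src in "$@"; do
        echo "firewall-cmd --permanent --zone=$ZONE --add-source=$src"
    done
    for port in 5060/udp 5060/tcp 5061/tcp; do
        echo "firewall-cmd --permanent --zone=$ZONE --add-port=$port"
    done
    echo "firewall-cmd --reload"
}

# Constructed sample: one SBC host and one softswitch subnet.
sip_firewall_rules 10.0.5.10 10.0.6.0/24
```

Review the printed commands, then run them as root on each proxy VM. Outbound connections from the proxy to ClearIP are not affected, since these rules only govern inbound traffic.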