Please note that the WebRTC server is experimental for now. WebRTC is a rapidly changing area, so interoperability with WebRTC clients is uncertain and may be short-lived as those clients are updated.

Installation

Enswitch can optionally have TLS/SRTP enabled for use by WebRTC clients and plain TLS/SRTP telephones. Note that SRTP must be used if WebRTC or TLS is used.

  1. Purchase a TLS certificate for the hostname that users will connect to. Put the private key in /etc/kamailio/<hostname>.key and the certificate in /etc/kamailio/<hostname>.pem. The private key must not have a password. Alternatively, if using Let's Encrypt, find the certificate and private key files in /etc/letsencrypt/live/.
  2. Ensure that /etc/hosts on the Kamailio machine(s) has entries for the domain(s) that will be used by TLS. Kamailio will log "Bad host" and refuse the connection if an entry is missing.
  3. If running Kamailio 4.2 or earlier, upgrade to Kamailio 5.0 or later.
  4. If not running the latest supported version of Kamailio 5.x, upgrade it now.
  5. Install the rtpengine machine(s) using the rtpengine component.
  6. Edit /etc/kamailio/tls.cfg, and change the private_key and certificate lines to match the files mentioned above.
  7. If using WebRTC:
    1. Edit /etc/kamailio/kamailio.cfg, and add or uncomment the following lines just above the include_file line. Set the IP addresses in them to the Kamailio IP address set in /etc/rtpengine/defaults:
      #!define WEBSOCKET_ADDR tcp:<IP address>
      #!define WEBSOCKET_TLS_ADDR tls:<IP address>
      #!define RTPENGINE_DB 1
    2. Edit /etc/kamailio/kamailio.cfg and add explicit listen directives for Kamailio to listen on specific IP addresses and ports, if these were not specified previously:
      listen = udp:<IP address 1>:5060
      listen = tcp:<IP address 1>:5060
      listen = udp:<IP address 2>:5060
      etc.
    3. Ensure that TCP port 8443, optionally TCP port 8080, and UDP port range 45000 to 50000 are open in the firewall.
    4. Add any RTPengine server(s) under Global -> Machines with "RTPengine runs on this machine" enabled.
    5. Restart Kamailio using "service kamailio restart" or "pcs resource restart kamailio".
    6. Test that the TLS certificate is working correctly by going to https://<hostname>:8443/ in a web browser. You should see a blank web page, and no warnings about an insecure connection.
    7. Test WebRTC calls to port 8443 (with TLS). The web browser used for testing must be running on a different machine to the Enswitch server. If you need a test WebRTC client, try JsSIP.
  8. If using plain TLS/SRTP telephones:
    1. Edit /etc/kamailio/kamailio.cfg, and add a listen line like this:
      listen = tls:<IP address>:5061
    2. Ensure that TCP port 5061 is open in the firewall.
    3. Restart Kamailio using "service kamailio restart" or "pcs resource restart kamailio".
    4. Register a telephone using TLS (on some telephones add ";transport=tls" to the registrar) and test inbound and outbound calls.
  9. Configure Enswitch and Kamailio appropriately for the number of TLS/WebRTC phones in use. Some example settings for 2,000 phones are:
    1. In Enswitch set "SIP proxy private memory" to 24.
    2. In Enswitch set "SIP proxy shared memory" to 8192.
    3. In Kamailio set tcp_max_connections to 32768.
    4. In Kamailio set tls_max_connections to 32000.
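
The requirements in steps 1, 2 and 6 can be checked by script before Kamailio is restarted. The following is an added example, not part of the Enswitch documentation or tooling: it reads private_key and certificate from a tls.cfg, confirms the key has no password and is not accessible to group or other, and confirms the hosts file names the TLS hostname. The function names, the hostname sip.example.com and the demo files are assumptions constructed for illustration.

```shell
#!/bin/sh

# Print the first value of KEY (private_key or certificate) in a tls.cfg file.
cfg_value() {  # cfg_value KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Succeed if the PEM key has no encryption marker (PKCS#8 or legacy PEM form).
key_is_passwordless() {
    ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed if group/other have no access (added precaution: a passwordless key
# relies on file permissions). -L follows Let's Encrypt's live/ symlinks.
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Succeed if HOSTNAME is a name on a non-comment line of HOSTS_FILE.
hosts_has() {  # hosts_has HOSTNAME HOSTS_FILE
    awk -v h="$1" '{ sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == h) f = 1 }
                   END { exit !f }' "$2"
}

# Print one line per problem and return the number of problems found.
preflight() {  # preflight TLS_CFG HOSTS_FILE HOSTNAME
    n=0
    key=$(cfg_value private_key "$1"); crt=$(cfg_value certificate "$1")
    [ -r "$crt" ] || { echo "certificate not readable: $crt"; n=$((n+1)); }
    if [ ! -r "$key" ]; then echo "private_key not readable: $key"; n=$((n+1))
    else
        key_is_passwordless "$key" || { echo "key has a password: $key"; n=$((n+1)); }
        key_is_private "$key" || { echo "key open to group/other: $key"; n=$((n+1)); }
    fi
    hosts_has "$3" "$2" || { echo "no hosts entry for $3"; n=$((n+1)); }
    return "$n"
}

# Constructed sample: an encrypted key, and a hosts file lacking the hostname.
demo() {
    d=$(mktemp -d) || return 99
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$d/sip.key"
    chmod 600 "$d/sip.key"; : > "$d/sip.pem"
    printf 'private_key = %s\ncertificate = %s\n' "$d/sip.key" "$d/sip.pem" > "$d/tls.cfg"
    echo '127.0.0.1 localhost' > "$d/hosts"
    preflight "$d/tls.cfg" "$d/hosts" sip.example.com; rc=$?
    rm -rf "$d"; return "$rc"
}
if [ "$#" -eq 3 ]; then preflight "$@"; else demo || echo "problems: $?"; fi
```

Run with three arguments, for example /etc/kamailio/tls.cfg /etc/hosts <hostname>, to check a real installation; with no arguments it runs the constructed demo.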