IBM Support

Using the Transport Layer Security (TLS) protocol with Sametime Audio/Video in a load balancing environment

Technote (troubleshooting)


When there are multiple SIP proxies in front of a SIP Proxy/Registrar cluster, TLS cannot be used in a load balancer environment.


There are cases when the WebSphere proxy server cannot use the same TLS connection initiated by the client. The WebSphere proxy server then attempts to establish a new TLS connection to the Sametime client. However, because Sametime Audio/Video TLS is used with server-provided certificates, the TLS handshake fails and, as a result, the call fails.
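The failure mode described above can be reproduced on loopback with the following simulation, which is an added illustration and not part of the IBM technote or of Sametime or WebSphere code. It assumes the endpoint that receives the new connection (the Sametime client's role) holds no certificate of its own; the function names, the loopback address and the `localhost` host name are constructed for the example.

```python
import socket
import ssl
import threading


def accept_without_certificate(listener, result):
    """Role of the Sametime client: it must answer the handshake as the TLS
    server side, but has no certificate loaded (assumption of this example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # note: no load_cert_chain()
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True):
            result["acceptor"] = "handshake completed"
    except (ssl.SSLError, OSError) as exc:
        result["acceptor"] = f"handshake failed: {exc.__class__.__name__}"
    finally:
        conn.close()


def proxy_opens_new_tls_connection(port):
    """Role of the WebSphere proxy: open a new TLS connection toward the client."""
    ctx = ssl.create_default_context()  # normal verification stays enabled
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost"):
                return "handshake completed"
    except (ssl.SSLError, OSError) as exc:
        return f"handshake failed: {exc.__class__.__name__}"


def simulate_new_connection_to_client():
    """Run both roles on loopback and report how each side's handshake ended."""
    result = {}
    with socket.socket() as listener:
        listener.settimeout(5)
        listener.bind(("127.0.0.1", 0))  # ephemeral port, local only
        listener.listen(1)
        port = listener.getsockname()[1]
        acceptor = threading.Thread(
            target=accept_without_certificate, args=(listener, result))
        acceptor.start()
        result["proxy"] = proxy_opens_new_tls_connection(port)
        acceptor.join(timeout=5)
    return result


if __name__ == "__main__":
    # Both sides report a failed handshake: no certificate can be presented.
    print(simulate_new_connection_to_client())
```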

Resolving the problem

There are two options:

  1. Use a single WebSphere proxy, instead of multiple WebSphere proxy servers, in front of a clustered SIP Proxy/Registrar. In this case, the WebSphere proxy server has a connection to the client (associated with registrations that the client initiates). The client receives inbound traffic over the same connection; therefore, the WebSphere proxy server does not try to create a new connection to the client. Disadvantage: High availability is impacted and the WebSphere proxy server becomes a single point of failure.
  2. Use TCP instead of TLS. Disadvantage: This option requires that security be disabled (including SIP authentication).
    Disable SIP security by completing the following steps:
    1. Log in to the SIP Proxy and Registrar administrative console.
    2. Click Applications > WebSphere Enterprise Applications.
    3. Click IBM Lotus SIP Registrar.
    4. Under Detail Properties, click Security role to user/group mapping.
    5. Select the secureRole check box. Select Everyone from the Map Special Subjects drop-down list.
    6. Click OK and save the changes.

Document information

More support for: IBM Sametime
Media Manager

Software version: 8.5.1,

Operating system(s): AIX, Linux, Windows

Reference #: 1458164

Modified date: 08 December 2015
