Using the Transport Layer Security (TLS) protocol with Sametime Audio/Video in a load balancing environment

Technote (troubleshooting)


Problem

When there are multiple SIP proxies in front of a SIP Proxy/Registrar cluster, TLS cannot be used in a load balancer environment.

Cause

In some cases, the WebSphere proxy server cannot reuse the TLS connection that the client initiated. The WebSphere proxy server then attempts to establish a new TLS connection to the Sametime client. However, because Sametime Audio/Video TLS is used with server-provided certificates, the TLS handshake fails and, as a result, the call fails.

Resolving the problem

There are two options:

  1. Use a single WebSphere proxy server, instead of multiple WebSphere proxy servers, in front of a clustered SIP Proxy/Registrar. In this case, the WebSphere proxy server has a connection to the client (associated with the registrations that the client initiates). The client receives inbound traffic over that same connection, so the WebSphere proxy server does not try to create a new connection to the client. Disadvantage: High availability is impacted, and the WebSphere proxy server becomes a single point of failure.
  2. Use TCP instead of TLS. Disadvantage: This option requires that security be disabled (including SIP authentication).
    Disable SIP security by completing the following steps:
    1. Log in to the SIP Proxy and Registrar administrative console.
    2. Click Applications > WebSphere Enterprise Applications.
    3. Click IBM Lotus SIP Registrar.
    4. Under Detail Properties, click Security role to user/group mapping.
    5. Select the secureRole check box. Select Everyone from the Map Special Subjects drop-down list.
    6. Click OK and save the changes.

Document information


More support for:

IBM Sametime
Media Manager

Software version:

8.5.1, 8.5.1.1

Operating system(s):

AIX, Linux, Windows

Reference #:

1458164

Modified date:

2015-12-08
