When there are multiple SIP proxies in front of a SIP Proxy/Registrar cluster, TLS cannot be used in a load balancer environment.
There are cases when the WebSphere proxy server cannot reuse the TLS connection that the client initiated. The WebSphere proxy server then attempts to establish a new TLS connection to the Sametime client. However, because Sametime Audio/Video TLS relies on server-provided certificates only, the client cannot accept an inbound TLS handshake; the handshake fails and, as a result, the call fails.
Resolving the problem
There are two options:
- Use a single WebSphere proxy, instead of multiple WebSphere proxy servers, in front of a clustered SIP Proxy/Registrar. In this case, the WebSphere proxy server holds the connection to the client (associated with the registrations that the client initiates). The client receives inbound traffic over that same connection, so the WebSphere proxy server does not try to create a new connection to the client. Disadvantage: High availability is impacted and the WebSphere proxy server becomes a single point of failure.
- Use TCP instead of TLS. Disadvantage: This option requires that security be disabled (including SIP authentication).
Disable SIP security by completing the following steps:
- Log in to the SIP Proxy and Registrar administrative console.
- Click Applications > WebSphere Enterprise Applications.
- Click IBM Lotus SIP Registrar.
- Under Detail Properties, click Security role to user/group mapping.
- Select the secureRole check box, then select Everyone from the Map Special Subjects drop-down list.
- Click OK and save the changes.
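The same role mapping can be applied from wsadmin instead of the console. The following Jython script is an added example, not part of the technote or IBM's own tooling; it assumes the application is installed under the name "IBM Lotus SIP Registrar" (verify with AdminApp.list()) and that the five-column form of -MapRolesToUsers is accepted by your WebSphere version.

```jython
# Added example (not from the IBM technote): wsadmin Jython equivalent of the
# console steps above. Run with: wsadmin.sh -lang jython -f disable_sip_security.py

APP_NAME = 'IBM Lotus SIP Registrar'   # assumption: installed application name; check AdminApp.list()
ROLE = 'secureRole'                    # role named in the technote

def show_role_mapping(app):
    # Print the current security-role-to-subject mapping so the change can be
    # reviewed before it is made and confirmed afterwards.
    print AdminApp.view(app, ['-MapRolesToUsers'])

def map_role_to_everyone(app, role):
    # Columns: role, Everyone (Yes/No), All authenticated (Yes/No),
    # mapped users, mapped groups. Mapping the role to Everyone removes the
    # SIP authentication requirement, which is what the technote describes.
    AdminApp.edit(app, ['-MapRolesToUsers', [[role, 'Yes', 'No', '', '']]])
    AdminConfig.save()
    # In a network deployment, synchronize the nodes afterwards (for example
    # from the console or with the node sync MBean) so the proxy picks up the change.

if APP_NAME not in AdminApp.list().splitlines():
    print 'Application not found; installed applications are:'
    print AdminApp.list()
else:
    show_role_mapping(APP_NAME)
    map_role_to_everyone(APP_NAME, ROLE)
    show_role_mapping(APP_NAME)
```

Because this mapping disables SIP authentication for the role, record the before and after output of show_role_mapping so the change is auditable and can be reverted once a single-proxy or TLS-capable topology is available.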