TLS can't be used in a load balancer environment when there are multiple SIP proxies in front of a SIP Proxy/Registrar cluster.
There are cases when the WebSphere proxy server cannot reuse the TLS connection that the client initiated. The WebSphere proxy server then tries to establish a new TLS connection to the Sametime client. However, because Sametime Audio/Video uses TLS with server-provided certificates only, the client has no certificate to present when it is the accepting side of a proxy-initiated connection, so the TLS handshake fails and, as a result, the call fails.
Resolving the problem
There are two options:
- Use a single WebSphere proxy (instead of multiple) in front of a clustered SIP Proxy/Registrar. In this case the WebSphere proxy holds a connection to the client (associated with the registrations that the client initiates). The client receives inbound traffic over that same connection, so the WebSphere proxy does not try to create a new connection to the client. Disadvantage: this affects high availability, because the WebSphere proxy becomes a single point of failure.
- Use TCP instead of TLS. Disadvantage: this option requires disabling security (including SIP authentication). Follow the steps below to disable SIP security:
  - Log in to the SIP Proxy and Registrar administrative console.
  - Click Applications > WebSphere Enterprise Applications.
  - Click IBM Lotus SIP Registrar.
  - Under Detail Properties, click Security role to user/group mapping.
  - Select the secureRole check box. Select Everyone from the Map Special Subjects drop-down list.
  - Click OK and save the changes.
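The same role mapping can be applied from wsadmin instead of the console. This is an added Jython example, not part of the IBM technote; it assumes the deployed application name is "IBM Lotus SIP Registrar" (as displayed in the console) and that the role is named secureRole, and it records the existing mapping before changing it so the change can be reversed.

```jython
# Added example (not from the technote): wsadmin Jython equivalent of the
# console steps that map secureRole to Everyone. Assumptions: the application
# is deployed as 'IBM Lotus SIP Registrar' and the role is 'secureRole'.
appName = 'IBM Lotus SIP Registrar'
roleName = 'secureRole'

# Confirm the application is deployed under the assumed name.
if appName not in AdminApp.list().splitlines():
    raise Exception('application not found: ' + appName)

# Record the current mapping first; keep this output for rollback.
print 'Role mapping before the change:'
print AdminApp.view(appName, ['-MapRolesToUsers'])

# MapRolesToUsers row: [role, Everyone, AllAuthenticated, users, groups].
# Everyone = 'Yes' is what "Map Special Subjects > Everyone" sets in the
# console; it removes the SIP authentication requirement for this role.
# (Newer releases also accept 'AppDeploymentOption.Yes' / '...No'.)
AdminApp.edit(appName, ['-MapRolesToUsers', [[roleName, 'Yes', 'No', '', '']]])

# Persist to the master configuration (same as "save the changes").
AdminConfig.save()

# Verify that the mapping now shows Everyone for secureRole.
print 'Role mapping after the change:'
print AdminApp.view(appName, ['-MapRolesToUsers'])
```

Run it with `wsadmin -lang jython -f <script>` against the SIP Proxy and Registrar profile; to restore authentication later, re-run AdminApp.edit with the row recorded in the "before" output.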