Using the Transport Layer Security (TLS) protocol with Sametime Audio/Video in a load balancing environment

Technote (troubleshooting)


TLS cannot be used in a load-balanced environment when there are multiple SIP proxies in front of a SIP Proxy/Registrar cluster.


There are cases when the WebSphere proxy server cannot use the same TLS connection that the client initiated. The WebSphere proxy server then tries to establish a new TLS connection to the Sametime client. However, because Sametime Audio/Video uses TLS with server-provided certificates, the TLS handshake fails and, as a result, the call fails.

Resolving the problem

There are two options:

  1. Use a single WebSphere proxy (instead of multiple) in front of a clustered SIP Proxy/Registrar. In this case the WebSphere proxy has a connection to the client (associated with the registrations that the client initiates). The client receives inbound traffic over the same connection, so the WebSphere proxy does not try to create a new connection to the client. Disadvantage: this affects high availability, because the WebSphere proxy becomes a single point of failure.
  2. Use TCP instead of TLS. Disadvantage: this option requires disabling security (including SIP authentication). Follow the instructions below to disable SIP security:
    1. Log in to the SIP Proxy and Registrar administrative console.
    2. Click Applications > WebSphere Enterprise Applications.
    3. Click IBM Lotus SIP Registrar.
    4. Under Detail Properties, click Security role to user/group mapping.
    5. Select the secureRole check box. Select Everyone from the Map Special Subjects drop-down list.
    6. Click OK and save the changes.
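
An added example (not IBM's code and not part of the original technote): a Python check that reports which security roles an application binding maps to the Everyone special subject, which is the state option 2 leaves secureRole in. The file layout (role ids in application.xml, the authorization table in ibm-application-bnd.xmi), the adminRole entry and the sample contents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

XMI_TYPE = "{http://www.omg.org/XMI}type"

# Constructed samples (assumed layout; not taken from a real Sametime deployment).
SAMPLE_APP_XML = """<application xmlns="http://java.sun.com/xml/ns/javaee">
  <security-role id="SecurityRole_1"><role-name>secureRole</role-name></security-role>
  <security-role id="SecurityRole_2"><role-name>adminRole</role-name></security-role>
</application>"""

SAMPLE_BND_XMI = """<applicationbnd:ApplicationBinding xmlns:xmi="http://www.omg.org/XMI"
    xmlns:applicationbnd="applicationbnd.xmi">
  <authorizationTable>
    <authorizations>
      <specialSubjects xmi:type="applicationbnd:Everyone" name="Everyone"/>
      <role href="META-INF/application.xml#SecurityRole_1"/>
    </authorizations>
    <authorizations>
      <specialSubjects xmi:type="applicationbnd:AllAuthenticatedUsers"/>
      <role href="META-INF/application.xml#SecurityRole_2"/>
    </authorizations>
  </authorizationTable>
</applicationbnd:ApplicationBinding>"""

def local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]

def role_names(app_xml):
    """Map security-role ids declared in application.xml to role names."""
    names = {}
    for el in ET.fromstring(app_xml).iter():
        if local(el.tag) == "security-role":
            texts = [c.text.strip() for c in el if local(c.tag) == "role-name" and c.text]
            names[el.get("id")] = texts[0] if texts else el.get("id")
    return names

def roles_open_to_everyone(bnd_xmi, app_xml):
    """Return sorted role names whose binding includes the Everyone subject."""
    names, found = role_names(app_xml), set()
    for auth in ET.fromstring(bnd_xmi).iter("authorizations"):
        types = [s.get(XMI_TYPE, "") for s in auth.findall("specialSubjects")]
        if any(t.endswith(":Everyone") for t in types):
            for role in auth.findall("role"):
                role_id = role.get("href", "").rpartition("#")[2]
                found.add(names.get(role_id, role_id))
    return sorted(found)
```

Calling `roles_open_to_everyone(SAMPLE_BND_XMI, SAMPLE_APP_XML)` on the constructed samples returns `["secureRole"]`; a role listed here is reachable without authentication.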

Document information

More support for:

IBM Sametime
Media Manager

Software version:


Operating system(s):

AIX, Linux, Windows

Reference #:


Modified date:

