<div dir="ltr">Hi Henning,<div><br></div><div>I browsed the files but was unable to find one using Kamailio as SBC without exposing the Asterisk core.</div><div>Most examples indeed expose the node and let media flow directly (<a href="https://www.kamailio.org/events/2017-KamailioWorld/Day1/08-David.Casem-Building-A-Global-VoIP-Network.pdf">https://www.kamailio.org/events/2017-KamailioWorld/Day1/08-David.Casem-Building-A-Global-VoIP-Network.pdf</a> - interesting solution with e/iBGP which we would also be able to deploy).</div><div><br></div><div>There was just a single presentation that I was able to locate that had the proxy only on the edge:</div><div><a href="https://www.kamailio.org/events/2017-KamailioWorld/Day2/15-Sebasitan.Damm-Anti-Fraud-With-HTables.pdf">https://www.kamailio.org/events/2017-KamailioWorld/Day2/15-Sebasitan.Damm-Anti-Fraud-With-HTables.pdf</a><br></div><div>At least it looks like they are located behind the SBC.</div><div><br></div><div>After the research, my impression is that co-locating the B2BUA with the edge proxy and firewalling it seems to be best practice.</div><div>We will try to add some security by bridge-firewalling and BGP.</div><div><br></div><div>If anyone has a hint for a presentation with a high-security edge proxy, I would appreciate it. Thank you.</div><div><br></div><div>Kind regards,</div><div>Kevin</div><div><br><br><div class="gmail_quote"><div dir="ltr">On Thu, 16 Aug 2018 at 19:12, Henning Westerholt &lt;<a href="mailto:hw@kamailio.org">hw@kamailio.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thursday, 16 August 2018, 11:57:03 CEST, Kevin Olbrich wrote:<br>
> I am working successfully with Kamailio in my lab setup where Kamailio is<br>
> the SBC for Asterisk.<br>
> The network layout is looking like this:<br>
> <br>
> SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk<br>
> <== PUBLIC NET ==> Carrier<br>
> <br>
> Each public network is reachable from the internet and has a local firewall<br>
> with IP whitelists.<br>
> The internal SIP transactions are UDP-only but for external phones I would<br>
> like to also listen for TCP/TLS.<br>
> <br>
> For this layout to work with rtpproxy (before we move on to RTPengine), we<br>
> have to enable mhomed in Kamailio.<br>
> We also have some routing issues with packets leaving with the wrong IP via<br>
> rtpproxy (when call between carrier and external phone needs to be bridged).<br>
> <br>
> Most examples show that Asterisk is deployed on the same network as the<br>
> external interface of Kamailio (-> Asterisk exposed to the public network).<br>
> In our tests, this works much better but I have great security concerns<br>
> because this Asterisk instance itself does not need to be reachable from<br>
> external.<br>
> <br>
> How do other users deploy Kamailio in front of Asterisk or similar as SBC<br>
> to secure internals?<br>
> There are a lot of docs for Kamailio's config but IMHO less for the setup as<br>
> DMZ (SBC) proxy.<br>
<br>
Hello Kevin,<br>
<br>
this is indeed a common setup to protect Asterisk and also to have much <br>
greater flexibility with regard to balancing and/or SIP message adaptations.<br>
<br>
To get some ideas, have a look at the last years' conferences available here:<br>
<br>
<a href="https://www.kamailio.org/events/" rel="noreferrer" target="_blank">https://www.kamailio.org/events/</a><br>
<br>
There should be some talks about using Kamailio in front of Asterisk; the <br>
talk name is usually in the file name.<br>
<br>
I think even at this year's ClueCon Fred Posner did a talk about Kamailio as <br>
Edge Proxy, and also at AstriCon there were some talks about this scenario if <br>
I remember correctly.<br>
<br>
You should also find in the Kamailio World or FOSDEM talks a lot of <br>
information about this scenario. You can find all the talks available from <br>
Kamailio World in our YouTube channel: <br>
<br>
<a href="https://www.youtube.com/kamailioworld" rel="noreferrer" target="_blank">https://www.youtube.com/kamailioworld</a><br>
<br>
Best regards,<br>
<br>
Henning<br>
<br>
-- <br>
Henning Westerholt<br>
<a href="https://skalatan.de/blog/" rel="noreferrer" target="_blank">https://skalatan.de/blog/</a><br>
</blockquote></div></div></div>