Am Donnerstag, 16. August 2018, 11:57:03 CEST schrieb Kevin Olbrich:
I am working successfully with Kamailio in my lab setup where Kamailio is the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall with IP whitelists. The internal SIP transactions are UDP-only but for external phones I would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP via rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public network). In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup as DMZ (SBC) proxy.
Hello Kevin,
this is indeed a common setup to protect asterisk and to have also much greater flexibility with regards to balancing and/or SIP message adaptions.
To get some ideas, have a look to the last years conferences available here:
https://www.kamailio.org/events/
There should be some talks about using Kamailio to in front of asterisk, the talk name is usually in the file name.
I think even on this year cluecon Fred Posner did a talk about Kamailio as Edge Proxy, and also on astricon there were some talks about this scenario if I remember correctly.
You should also find in the Kamailio World or FOSDEM talks a lot of information about this scenario. You find all the talks available from Kamailio World in our youtube channel:
https://www.youtube.com/kamailioworld
Best regards,
Henning