On Thursday, 16 August 2018, 11:57:03 CEST, Kevin Olbrich wrote:
I am working successfully with Kamailio in my lab setup where Kamailio is
the SBC for Asterisk.
The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
<== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall
with IP whitelists.
The internal SIP transactions are UDP-only but for external phones I would
like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we
have to enable mhomed in Kamailio.
We also have some routing issues with packets leaving with the wrong IP via
rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the
external interface of Kamailio (-> Asterisk exposed to the public network).
In our tests, this works much better but I have great security concerns
because this Asterisk instance itself does not need to be reachable from
external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC
to secure internals?
There are a lot of docs for Kamailio's config but IMHO fewer for the setup as
DMZ (SBC) proxy.
Hello Kevin,
this is indeed a common setup to protect Asterisk and also to have much
greater flexibility with regard to balancing and/or SIP message adaptations.
To get some ideas, have a look at the last years' conferences available here:
https://www.kamailio.org/events/
There should be some talks about using Kamailio in front of Asterisk; the
talk name is usually in the file name.
I think even at this year's ClueCon Fred Posner did a talk about Kamailio as
Edge Proxy, and also at AstriCon there were some talks about this scenario if
I remember correctly.
You should also find in the Kamailio World or FOSDEM talks a lot of
information about this scenario. You can find all the talks available from
Kamailio World on our YouTube channel:
https://www.youtube.com/kamailioworld
Best regards,
Henning
--
Henning Westerholt
https://skalatan.de/blog/