Thank you. Turns out that template was just the answer I was looking <br/>for. I don't know where Kamailio's been all my life...<br/><br/>5060 is only open to the private PBX. And I'm just using one PBX to <br/>register the mobile clients to (from there I just do wizardry to get to <br/>all the others).<br/><br/>I rolled back the hack job I did on the template and just tried your <br/>suggestion. Seems to put it in a loop which craps out after too many hops.<br/><br/>On 7/11/2025 10:43 PM, Fred Posner wrote:<br/>&gt;&gt; On Jul 11, 2025, at 10:23 PM, Jeremy Weibert via sr-users &lt;sr-users@lists.kamailio.org&gt; wrote:<br/>&gt;&gt;<br/>&gt;&gt; I'm new to Kamailio, and looking for some guidance.<br/>&gt;&gt;<br/>&gt;&gt; I have a very large global PBX network (NEC). I have mobile users, that for many years we have had connecting through VPN. This has worked fine for us until recently, various circumstances have made this unreliable. In searching for a better way to handle this, I came across Kamailio. I want the mobile users using TLS/SRTP, the NEC has various limitations on that, but more importantly, I'm not putting my PBXes on the internet. I've been at this for a few days now, learning and trying to see how I can do this with Kamailio, when I eventually came across this: https://www.fredposner.com/2309/kamailio-simple-tls-gateway/#:~:text=One%20feature%20that%20truly%20shines,aka%20to%20the%20PBX.<br/>&gt;&gt;<br/>&gt;&gt; Seems this is exactly what I need. The only difference really is that I have an additional firewall between the internet and the Kamailio server, with the external IP being NATed.<br/>&gt;&gt;<br/>&gt;&gt; In the famous last words of all users &quot;it didn't work&quot;. Specifically, registrations seem to work just fine (the NEC acts as the registrar). However, when making a call:<br/>&gt;&gt;<br/>&gt;&gt; - The original INVITE from the mobile user (port 5061, TLS) reaches Kamailio and is then proxied via UDP to the PBX.<br/>&gt;&gt; - The PBX behaves appears to behave as a B2BUA, creating a completely new INVITE with a different Call-ID and sending it back to Kamailio.<br/>&gt;&gt; - Kamailio, seeing this as a completely new INVITE coming in on UDP (not TLS), rejects it (403 Accepting TLS Only).<br/>&gt;&gt; - Likewise, if a call originates from the PBX side, same thing.<br/>&gt;&gt;<br/>&gt;&gt; I figure, if the INVITE is coming from the PBX, I can just skip the TLS check, as it's coming from a trusted IP. However, the INVITE looks like:<br/>&gt;&gt; INFO: {1 udp 1 INVITE 7776d675@PBXIP} &lt;script&gt;: {R-MAIN] Incoming request from PRIVATEIP using udp<br/>&gt;&gt;<br/>&gt;&gt; In other words, the INVITE is showing as coming from Kamailio.<br/>&gt;&gt;<br/>&gt;&gt; I can't use the alias tag that Kamailio sets initially as the PBX strips it with the new INVITE. I figure to just explicitly send it to registered client over TLS by just rewriting the destination URI, and then it goes into an infinite loop.<br/>&gt;&gt;<br/>&gt;&gt; I got a bit lost at this point and if someone could help point me in the right direction, I would be eternally grateful.<br/>&gt;&gt;<br/>&gt;<br/>&gt; That was a fun template&hellip; put up at the height of covid lock downs&hellip;<br/>&gt;<br/>&gt; It assumes, in that config, that 5060 is ONLY open to your private PBX (hence in not having an advertised address)&hellip; It also assume just one PBX.<br/>&gt;<br/>&gt; There&rsquo;s a check in there about matching the PBX IP to the known IP, in which case it forwards on&hellip;<br/>&gt;<br/>&gt; You could easily change:<br/>&gt;<br/>&gt; if ($si==&quot;PBXIP&quot;) {<br/>&gt;<br/>&gt; To<br/>&gt;<br/>&gt; If ($Rp==5060) {<br/>&gt;<br/>&gt; And have it be the same thing&hellip; assuming of course that UDP 5060 is only internal.<br/>&gt;<br/>&gt;<br/>&gt;<br/>&gt;<br/>&gt; Regards,<br/>&gt;<br/>&gt; Fred Posner<br/>&gt;<br/>&gt;<br/>