[SR-Users] What is the typical network setup for kamailio?
ko at sv01.de
Mon Aug 20 13:22:30 CEST 2018
I browsed the files but was unable to find one using Kamailio as SBC
without exposing the Asterisk core.
Most examples indeed expose the node and let media flow directly (
- interesting solution with e/iBGP which we would also be able to deploy).
There was just a single presentation that I was able to locate that had the
proxy only on the edge:
At least it looks like they are located behind the SBC.
After the research my impression is, that co-locating the B2BUA with the
Edge-Proxy and firewall-ing it, seems best practice.
We will try to add some security by bridge-firewalling and BGP.
If anyone has a hint for a presentation with high-security edge-proxy, I
would appreciate it. Thank you.
Am Do., 16. Aug. 2018 um 19:12 Uhr schrieb Henning Westerholt <
hw at kamailio.org>:
> Am Donnerstag, 16. August 2018, 11:57:03 CEST schrieb Kevin Olbrich:
> > I am working successfully with Kamailio in my lab setup where Kamailio is
> > the SBC for Asterisk.
> > The network layout is looking like this:
> > SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
> > <== PUBLIC NET ==> Carrier
> > Each public network is reachable from the internet and has a local
> > with IP whitelists.
> > The internal SIP transactions are UDP-only but for external phones I
> > like to also listen for TCP/TLS.
> > For this layout to work with rtpproxy (before we move on to RTPengine),
> > have to enable mhomed in Kamailio.
> > We also have some routing issues with packets leaving with the wrong IP
> > rtpproxy (when call between carrier and external phone needs to be
> > Most examples show that Asterisk is deployed on the same network as the
> > external interface of Kamailio (-> Asterisk exposed to the public
> > In our tests, this works much better but I have great security concerns
> > because this Asterisk instance itself does not need to be reachable from
> > external.
> > How do other users deploy Kamailio in front of Asterisk or similar as SBC
> > to secure internals?
> > There is lot of docs for Kamailio's config but IMHO less for the setup as
> > DMZ (SBC) proxy.
> Hello Kevin,
> this is indeed a common setup to protect asterisk and to have also much
> greater flexibility with regards to balancing and/or SIP message adaptions.
> To get some ideas, have a look to the last years conferences available
> There should be some talks about using Kamailio to in front of asterisk,
> talk name is usually in the file name.
> I think even on this year cluecon Fred Posner did a talk about Kamailio as
> Edge Proxy, and also on astricon there were some talks about this
> scenario if
> I remember correctly.
> You should also find in the Kamailio World or FOSDEM talks a lot of
> information about this scenario. You find all the talks available from
> Kamailio World in our youtube channel:
> Best regards,
> Henning Westerholt
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the sr-users