3Com® VCX V7111 VoIP Gateway User Guide

SIP Over TLS (SIPS)

The V7111 gateway uses TLS over TCP to encrypt SIP transport and (optionally) to authenticate it. To enable TLS on the V7111 gateway, set the selected transport type to TLS (SIPTransportType = 2). In this mode the gateway initiates a TLS connection only for the next network hop. To enable TLS all the way to the destination (over multiple hops) set EnableSIPS to 1. When a TLS connection with the gateway is initiated, the gateway also responds using TLS regardless of the configured SIP transport type (in this case, the parameter EnableSIPS is also ignored).

TLS and SIPS use the Certificate Exchange process described in Server Certificate Replacement and Client Certificates. To change the port number used for SIPS transport (by default 5061), use the TLSLocalSIPPort parameter.

When SIPS is used, it is sometimes required to use two-way authentication. When acting as the TLS server (in a specific connection) it is possible to demand the authentication of the client's certificate. To enable two-way authentication on the V7111 gateway, set the ini file parameter, SIPSRequireClientCertificate = 1. For information on installing a client certificate, see Client Certificates.

Embedded Web Server Configuration

For additional security, you can configure the Embedded Web Server to accept only secured (HTTPS) connections by changing the parameter HTTPSOnly to 1 (described in Table 64). You can also change the port number used for the secured Web server (by default 443) by changing the ini file parameter, HTTPSPort (described in Table 69).

Using the Secured Embedded Web Server

To use the secured Embedded Web Server:

1 Access the V7111 gateway using the following URL:
  https://[host name] or [IP address]

2 Depending on the browser's configuration, a security warning dialog may be displayed. The reason for the warning is that the V7111 gateway initial certificate is not trusted by your PC. The browser may allow you to install the certificate, thus skipping the warning dialog the next time you connect to the V7111 gateway.

3 If you are using Internet Explorer, click View Certificate and then Install Certificate.

4 The browser also warns you if the host name used in the URL is not identical to the one listed in the certificate. To solve this, add the IP address and host name (ACL_nnnnnn where nnnnnn is the serial number of the V7111 gateway) to your hosts file, located at /etc/hosts on UNIX or C:\Windows\System32\Drivers\ETC\hosts on Windows; then use the host name in the URL (for example, https://ACL_280152).

The figure below is an example of a host file:
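
Apart from the hosts file, the ini parameters named under SIP Over TLS (SIPS) and Embedded Web Server Configuration can be checked before a file is loaded onto the gateway. The following Python script is an added example, not part of the 3Com guide; the function names are hypothetical, the sample ini content is constructed, and it assumes the ini file consists of "Name = value" lines with ";" comments, bracketed section headers, and case-insensitive parameter names.

```python
import re

# Constructed sample ini content (not taken from a real gateway); section name is illustrative.
SAMPLE_INI = """\
[SIP Params]
SIPTransportType = 2
EnableSIPS = 0
; TLSLocalSIPPort is left at its default
SIPSRequireClientCertificate = 0
HTTPSOnly = 0
HTTPSPort = 8443
"""

def parse_ini(text):
    """Return {lowercased name: value}; assumes 'Name = value' lines and ';' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1).lower()] = m.group(2).strip().strip("'\"")
    return params

def audit(text):
    """Return (findings, ports) using the parameter meanings given in the guide."""
    p = parse_ini(text)
    findings = []
    if p.get("siptransporttype") != "2":
        findings.append("SIPTransportType is not 2: TLS is not the selected SIP transport")
    elif p.get("enablesips") != "1":
        findings.append("EnableSIPS is not 1: TLS covers only the next network hop")
    if p.get("sipsrequireclientcertificate") != "1":
        findings.append("SIPSRequireClientCertificate is not 1: two-way authentication is off")
    if p.get("httpsonly") != "1":
        findings.append("HTTPSOnly is not 1: HTTPS-only mode is not enabled in this file")
    # Defaults stated in the guide: 5061 for SIPS transport, 443 for the secured Web server.
    ports = {"sips": p.get("tlslocalsipport", "5061"), "https": p.get("httpsport", "443")}
    for name, port in ports.items():
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"{name} port value {port!r} is not a valid TCP port")
    return findings, ports

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI)[0]:
        print("FINDING:", finding)
```

A parameter that is missing from the file is reported the same way as one set to a value other than the one the guide names, because the guide text above does not state the defaults for those parameters.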