Interoperability between two domains

Last modified by François Grisez on 2022/09/14 15:19

Requirement: Flexisip 2.1 or later.

Overview

This guide explains how to configure Flexisip instances serving distinct domains so that they interoperate with each other. Once done, any user registered on the mydomain1.com SIP service is able to call, chat and take part in group chats with users of mydomain2.com.

It assumes you already have a working deployment for each domain, with TLS transport enabled on each side. See this guide to perform such an installation.

Throughout this guide, mydomain1.com designates the domain of the instance you are setting up, whereas mydomain2.com and mydomain3.com are the domains with which you will interoperate. The latter are also referred to as tier domains or foreign domains.

Flexisip configuration

1. Enable TLS authentication so that any request coming from a proxy that has presented a valid client certificate is authorized.

[global]

# Make Flexisip require a client certificate, but fall back
# on digest authentication if the client does not provide any
# certificate.
# When a Flexisip instance is itself asked for a client certificate,
# it presents the one in agent.pem
transports=sips:mydomain1.com:5061;tls-verify-incoming=1;tls-allow-missing-client-certificate=1 sip:127.0.0.1:5060;transport=tcp


# Set the Authentication module to accept communications
# from tier domain proxies by checking the subject of the
# client certificate.
[module::Authentication]

# All tier domains must be listed here or their requests
# will be rejected automatically.
auth-domains=mydomain1.com mydomain2.com mydomain3.com

# The subject CN of tier servers must match the following
# regular expression or they will not be able to interoperate.
tls-client-certificate-required-subject=mydomain1\.com|mydomain2\.com|mydomain3\.com

2. Optionally, if some client certificates are signed by a private CA, add the CA certificate to /etc/flexisip/tls/cafile.pem so that the chain of trust is valid.

3. Set up the RegEvent server so that the conference servers of tier domains are notified of user registration updates.

[regevent-server]
transport=sip:127.0.0.1:6065;transport=tcp

[module::RegEvent]
enabled=true

# Only subscriptions for our domain must enter
# the RegEvent module. Requests for other domains
# will be forwarded to the proxy in charge of the
# destination domain.
filter=to.uri.domain == 'mydomain1.com'

regevent-server=sip:127.0.0.1:6065;transport=tcp
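The three settings above have to agree with each other: every tier domain in auth-domains must be matched by tls-client-certificate-required-subject, the RegEvent filter must name your own domain, and the two regevent-server URIs must be the same transport. The following Python script, added here as an example and not part of Flexisip, parses a fragment like the one above and reports any mismatch. The sample config embedded in it is constructed from steps 1 and 3; the subject check uses re.fullmatch, which is the stricter reading of how the pattern is applied, so a domain that passes it is accepted whichever way Flexisip applies the option.

```python
import configparser
import re
import sys

# Constructed sample: the fragments from steps 1 and 3 of this guide,
# with the comments removed.
SAMPLE_CONFIG = r"""
[global]
transports=sips:mydomain1.com:5061;tls-verify-incoming=1;tls-allow-missing-client-certificate=1 sip:127.0.0.1:5060;transport=tcp

[module::Authentication]
auth-domains=mydomain1.com mydomain2.com mydomain3.com
tls-client-certificate-required-subject=mydomain1\.com|mydomain2\.com|mydomain3\.com

[regevent-server]
transport=sip:127.0.0.1:6065;transport=tcp

[module::RegEvent]
enabled=true
filter=to.uri.domain == 'mydomain1.com'
regevent-server=sip:127.0.0.1:6065;transport=tcp
"""


def parse_flexisip_config(text):
    # Flexisip uses an INI-like syntax: [section] headers, key=value pairs
    # and '#' comments. Interpolation is disabled so '%' in values is literal.
    parser = configparser.ConfigParser(interpolation=None, comment_prefixes=("#",))
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    return parser


def check_interop_config(text, local_domain):
    """Return the list of problems found; an empty list means the fragment is consistent."""
    cfg = parse_flexisip_config(text)
    problems = []

    transports = cfg["global"].get("transports", "")
    if "tls-verify-incoming=1" not in transports:
        problems.append("no transport asks tier proxies for a client certificate (tls-verify-incoming=1)")

    auth = cfg["module::Authentication"]
    domains = auth.get("auth-domains", "").split()
    subject_re = re.compile(auth.get("tls-client-certificate-required-subject", ""))
    if local_domain not in domains:
        problems.append(f"local domain {local_domain!r} is missing from auth-domains")
    for d in domains:
        # Stricter reading: the CN must match the whole pattern. A CN that
        # passes fullmatch also passes a regex search, so a failure here is a
        # real misconfiguration whichever way the option is applied.
        if not subject_re.fullmatch(d):
            problems.append(f"auth-domains entry {d!r} is not matched by tls-client-certificate-required-subject")

    regevent = cfg["module::RegEvent"]
    if regevent.get("enabled", "").lower() != "true":
        problems.append("module::RegEvent is not enabled")
    m = re.fullmatch(r"to\.uri\.domain == '([^']+)'", regevent.get("filter", "").strip())
    if m is None or m.group(1) != local_domain:
        problems.append(f"RegEvent filter must be: to.uri.domain == '{local_domain}'")
    if regevent.get("regevent-server") != cfg["regevent-server"].get("transport"):
        problems.append("module::RegEvent regevent-server differs from the [regevent-server] transport")
    return problems


if __name__ == "__main__":
    # Usage: python check_interop.py [config-file] [local-domain]
    # Without arguments, the constructed sample above is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    local = sys.argv[2] if len(sys.argv) > 2 else "mydomain1.com"
    found = check_interop_config(text, local)
    for p in found:
        print("PROBLEM:", p)
    print("OK" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

The script is written for a fragment containing only the sections shown in this guide; a complete flexisip.conf carries many more sections, and any key that configparser refuses to parse will need to be trimmed out before running the check.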

LIME server configuration (optional)

1. Configure Apache/httpd to request a client certificate. The client certificate is left optional so that SIP user agents can still authenticate by digest.

SSLCACertificateFile /etc/flexisip/tls/cafile.pem
SSLVerifyClient optional
SSLVerifyDepth 10

2. Enable TLS authentication in the LIME server configuration.

/* ### Foreign domain ### */
// Define everything needed to communicate with foreign domains:
// the domain name, the URL to connect to and the path to the associated client certificate used to log in.
// Here, we use the certificate of Flexisip as client certificate.
define("FOREIGN_DOMAINS", array(
   "mydomain2.com" => array("https://mydomain2.com/lime-server/lime-server.php", "/etc/flexisip/agent.pem"),
   "mydomain3.com" => array("https://mydomain3.com/lime-server/lime-server.php", "/etc/flexisip/agent.pem"),
));

// Define the CA file used to authenticate the certificates of foreign domain servers.
define("FOREIGN_DOMAINS_CAFILE", "/etc/flexisip/tls/cafile.pem");

// The list of foreign domains whose key bundle requests we accept to answer.
define("FOREIGN_DOMAINS_USERNAME", array("mydomain2.com", "mydomain3.com"));

3. Restart Apache/httpd

systemctl restart httpd24-httpd
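With SSLVerifyClient optional, a request that carries no certificate at all still reaches the application, so the LIME server side has to decide for each request whether it is talking to a verified tier-domain proxy or to a SIP user agent that must authenticate by digest. The following Python function, added here as an illustration and not taken from the LIME server's PHP code, shows that decision using the variables mod_ssl exports to the application (SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN, available with SSLOptions +StdEnvVars). The accepted-domain list mirrors FOREIGN_DOMAINS_USERNAME above and the request environments in the demo are constructed samples.

```python
# Illustration of the authorization decision behind "SSLVerifyClient optional".
# This is not the LIME server's own code; it only shows the check such a
# server has to perform. Variable names are those mod_ssl exports with
# SSLOptions +StdEnvVars.

# Mirrors FOREIGN_DOMAINS_USERNAME from the PHP configuration above.
FOREIGN_DOMAINS_USERNAME = ["mydomain2.com", "mydomain3.com"]


def classify_peer(env, foreign_domains=FOREIGN_DOMAINS_USERNAME):
    """Classify one request from its mod_ssl environment.

    Returns:
      ("foreign", domain)  a verified proxy of an accepted tier domain
      ("digest", None)     no certificate: the caller must pass digest auth
      ("reject", reason)   a certificate was presented but is not usable
    """
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    cn = env.get("SSL_CLIENT_S_DN_CN", "")

    if verify == "NONE":
        # No certificate at all. "optional" lets the handshake through, so
        # this must NOT be treated as trusted: it is an ordinary SIP user
        # agent that still has to authenticate by digest.
        return ("digest", None)

    if verify != "SUCCESS":
        # Anything other than SUCCESS (e.g. GENEROUS or FAILED:<reason> under
        # the looser verify modes) means the chain to cafile.pem was not
        # verified: never treat the peer as a proxy.
        return ("reject", f"client certificate not verified: {verify}")

    if cn not in foreign_domains:
        # Valid certificate from a trusted CA, but its CN is not one of the
        # tier domains we agreed to answer key bundle requests for.
        return ("reject", f"CN {cn!r} is not an accepted foreign domain")

    return ("foreign", cn)


if __name__ == "__main__":
    # Constructed sample environments, one per outcome.
    samples = {
        "tier proxy": {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "mydomain2.com"},
        "plain user agent": {},
        "unknown CN": {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "other.example"},
        "unverified cert": {"SSL_CLIENT_VERIFY": "FAILED:self signed certificate",
                            "SSL_CLIENT_S_DN_CN": "mydomain2.com"},
    }
    for label, env in samples.items():
        print(f"{label:17s} -> {classify_peer(env)}")
```

The point of the three-way result is that "no certificate" and "bad certificate" lead to different handling (digest challenge versus refusal), and that a certificate which chains correctly is still not enough on its own: the CN must also be one of the configured foreign domains.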

Start the service

The RegEvent server must be started in addition to the services you were running before:

systemctl start flexisip-{proxy,presence,conference,regevent}