Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-07-21
This topic explains how to use the Exchange Management Shell to enable Voice over IP (VoIP) security for a Unified Messaging (UM) dial plan. By default, when a Unified Messaging dial plan is created, it will use unsecured mode or no encryption. Therefore, when an incoming call is received from an IP gateway, the Session Initiation Protocol (SIP) traffic will not be encrypted by using Mutual Transport Layer Security (MTLS). You can use the Set-UMDialPlan cmdlet to enable VoIP security on the UM dial plan so that SIP traffic will be encrypted.
Before you enable VoIP security on a dial plan, you must verify that the IP gateways and IP PBXs support VoIP security and that the IP gateways, IP PBXs, and Unified Messaging servers contain the correct certificates to enable MTLS and allow the SIP traffic to be encrypted. After you have used the VoIPSecurity parameter on the Set-UMDialPlan cmdlet to enable VoIP security on the UM dial plan, all Unified Messaging servers that are associated with the UM dial plan will encrypt the VoIP traffic. For more information about how to import and export certificates, see Importing and Exporting Certificates.
A Unified Messaging server can be associated with a single or multiple UM dial plans. However, if you are configuring a dial plan to operate in a secure mode and to have VoIP security enabled, all the Unified Messaging servers that are associated with the dial plan must be configured to operate in secure mode. A single Unified Messaging server can use SIP over MTLS (secured) or TCP (unsecured), but not both.
Note: If you change the VoIP security settings on a dial plan, all Unified Messaging servers in the dial plan must be restarted.
You must follow these steps to enable VoIP security and use MTLS for encrypting SIP traffic:
- Install the Unified Messaging server role.
- Create a UM dial plan and configure the UM dial plan to use VoIP security.
- Associate the Unified Messaging servers with the UM dial plan.
- Export and import the required certificates to allow the Unified Messaging servers, IP gateways, IP PBXs, and other servers that are running Microsoft Exchange Server 2007 to use MTLS.
- Configure the UM IP gateways that are used with a fully qualified domain name (FQDN).
Important: To enable MTLS between a UM IP gateway and a UM dial plan that is operating in secure mode, you must first configure the UM IP gateway with an FQDN and configure it to listen on port 5061. To configure a UM IP gateway, run the following command: Set-UMIPGateway -identity MyUMIPGateway -Port 5061. You must also verify that any IP gateways or IP PBXs have been configured to listen on port 5061 for MTLS.
New in Service Pack 1 (SP1)
- Unified Messaging servers that have SP1 installed can communicate with IP gateways, IP PBXs, and other Exchange 2007 computers in Unsecured, SIP Secured, or Secured mode depending on how the UM dial plan is configured.
- A Unified Messaging server can operate in any mode that is configured on a dial plan because the Unified Messaging server is configured to listen on TCP port 5060 for unsecured requests and TCP port 5061 for secured requests at the same time.
- A Unified Messaging server can be associated with a single or multiple UM dial plans and can be associated with dial plans that have different VoIP security settings.
- A single Unified Messaging server can be associated with dial plans that are configured to use a combination of Unsecured, SIP Secured, or Secured mode.
- You can configure the VoIP security mode when you are creating a new dial plan or after you have created a dial plan by using the Exchange Management Console or the Set-UMDialPlan cmdlet.
When you configure the UM dial plan to use SIP Secured or Secured mode, the Unified Messaging servers that are associated with the UM dial plan will encrypt, respectively, the SIP signaling traffic only, or both the Realtime Transport Protocol (RTP) media channels and the SIP signaling traffic.
Before You Begin
To perform the following procedure, the account you use must be delegated the Exchange Organization Administrator role.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Also, before you perform this procedure, confirm the following:
- A UM dial plan has been created.
Procedure
Exchange 2007 SP1
To use the Exchange Management Console to configure VoIP security on a Unified Messaging dial plan
- In the console tree of the Exchange Management Console, expand Organization Configuration, and then expand Unified Messaging.
- On the UM Dial Plans tab, select the UM dial plan that you want to manage, and then click Properties in the action pane.
- On the dial plan properties page, click the General tab.
- Click the drop-down list next to VoIP security, and then select one of the following options:
  - SIP secured
  - Unsecured (default)
  - Secured
- Click OK to save your changes.
To use the Exchange Management Shell to configure VoIP security on a Unified Messaging dial plan
- Run the following command:
    Set-UMDialPlan -identity MySecureDialPlan -VoIPSecurity Secured
For more information about syntax and parameters, see Set-UMDialplan.
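The prerequisites and restart requirement described in this topic can be checked before and after the mode change with a read-only audit. The script below is an added example, not part of the original topic; it assumes the Address, Port, DialPlans, Services and NotAfter properties returned by the Exchange 2007 cmdlets, checks every UM IP gateway in the organization rather than only those linked to the dial plan, and uses an arbitrary 30-day certificate expiry window.

```powershell
# Added example: read-only audit, run in the Exchange Management Shell.
# 'MySecureDialPlan' is the dial plan name used in this topic's commands.
$dialPlanName = 'MySecureDialPlan'
$securePort   = 5061     # port this topic requires for MTLS
$expiryWindow = 30       # days; arbitrary threshold chosen for this example

# 1. Report the dial plan's current VoIP security mode.
$plan = Get-UMDialPlan -Identity $dialPlanName
$mode = $plan.VoIPSecurity.ToString()
Write-Host "Dial plan '$($plan.Name)' VoIPSecurity: $mode"
if ($mode -eq 'Unsecured') {
    Write-Warning "SIP traffic for '$($plan.Name)' is not encrypted."
}

# 2. Flag UM IP gateways that cannot take part in MTLS: the address must be
#    an FQDN (not an IP address or single-label name) and the port must be 5061.
Get-UMIPGateway | ForEach-Object {
    $address = $_.Address.ToString()
    $parsed  = $null
    $isIp    = [System.Net.IPAddress]::TryParse($address, [ref]$parsed)
    if ($isIp -or -not $address.Contains('.')) {
        Write-Warning "$($_.Name): address '$address' is not an FQDN."
    }
    if ($_.Port -ne $securePort) {
        Write-Warning "$($_.Name): port is $($_.Port), expected $securePort."
    }
}

# 3. List the UM servers associated with the dial plan. These are the servers
#    that must be restarted after the VoIP security setting changes.
Get-UMServer | Where-Object {
    ($_.DialPlans | ForEach-Object { $_.Name }) -contains $plan.Name
} | ForEach-Object {
    Write-Host "Restart after a mode change: $($_.Name)"
}

# 4. On the local server, confirm that a certificate is enabled for the UM
#    service and is not about to expire. Run this part on each UM server.
$deadline = (Get-Date).AddDays($expiryWindow)
$umCerts  = @(Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'UM' })
if ($umCerts.Count -eq 0) {
    Write-Warning "No certificate is enabled for the UM service on this server."
}
foreach ($cert in $umCerts) {
    if ($cert.NotAfter -lt $deadline) {
        Write-Warning "UM certificate $($cert.Thumbprint) expires $($cert.NotAfter)."
    }
}
```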
Exchange 2007 RTM
To use the Exchange Management Shell to enable VoIP security on a Unified Messaging dial plan
- Run the following command:
    Set-UMDialPlan -identity MySecureDialPlan -VoIPSecurity SIPSecured
For more information about syntax and parameters, see Set-UMDialplan (RTM).
For More Information
- For more information about UM dial plans, see the following topics:
  - Managing Unified Messaging Dial Plans
  - Understanding Unified Messaging Dial Plans