Trying to find a solution to a sticky problem here.
We have 3 OpenSER systems. Phones register with the OpenSER systems, and after
they authenticate the user, pass the registration info using OpenSER's
send() command to all Asterisk boxes sitting behind them. Each Asterisk system
then knows about every phone.
For this to work, I had to turn off authentication in Asterisk for both
registrations and invites. If it's on, Asterisk sends a 407 Proxy Auth
Required to the phone in addition to OpenSER. This confuses the phone, as
it's now receiving two 407 proxy auth requests, and it basically just drops
the second request on the floor.
This is obviously a big security problem and it can't stay this way. I
thought that if authentication was on in Asterisk, then since by the time
it receives the authenticated REGISTER or INVITE from OpenSER the MD5 password
is already contained in the packet, Asterisk wouldn't ask again. It
does. :(
We could use iptables to only allow connections from the OpenSER systems, but
that doesn't always work. When a caller transfers a call, the phones will
send a REFER message directly to Asterisk, so all the phones would have to also
be in the iptables allow list. Not an elegant solution.
We could run mediaproxy on OpenSER and force all RTP streams back through it.
Might work, but it might also break other stuff. We could then configure
iptables to only allow RTP streams from the OpenSER systems.
It might be possible to configure OpenSER to perform the logic necessary to make
it talk to Asterisk properly, but it's beyond my abilities and time.
Anyone ever done this? Anyone got any ideas?
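The post above assumes that because the REGISTER or INVITE forwarded by OpenSER already carries the phone's Proxy-Authorization header, Asterisk could simply accept it. The example below (added here; it is not code from the poster, OpenSER or Asterisk) walks through RFC 2617 MD5 digest as SIP uses it to show why that cannot work: the header carries a hash bound to the challenger's nonce, realm and request method, not the password, so a second server that did not issue that nonce has no way to check it and must challenge again. The realm, nonces, user and password are constructed sample values, and `verify_digest` is a minimal model of what a SIP UAS does, not Asterisk's actual code.

```python
import hashlib
import hmac
import re

# Constructed sample values (not from the original post).
REALM = "sip.example.com"
PROXY_NONCE = "5c2a1f7e"        # nonce the OpenSER proxy put in its 407
ASTERISK_NONCE = "9d04b3aa"     # nonce Asterisk would issue on its own 407
PASSWORD_DB = {"1001": "s3cretPhonePw"}   # user -> shared secret


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 MD5 digest without qop: response = MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(value: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict; reject other schemes."""
    scheme, _, params = value.strip().partition(" ")
    if scheme != "Digest":
        raise ValueError(f"unsupported auth scheme: {scheme}")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def build_proxy_authorization(username, realm, password, method, uri, nonce):
    """What the phone sends back after the proxy's 407 challenge."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def verify_digest(header_value, method, my_realm, my_nonce, password_db):
    """Model of a UAS checking Proxy-Authorization. Returns (ok, reason).

    ok is True only if the nonce is one this server issued and the response
    matches the shared secret for the claimed user. A real UAS also checks
    that uri matches the Request-URI and that the nonce has not expired.
    """
    try:
        p = parse_digest_header(header_value)
    except ValueError as e:
        return False, str(e)
    for key in ("username", "realm", "nonce", "uri", "response"):
        if key not in p:
            return False, f"missing parameter: {key}"
    if p["realm"] != my_realm:
        return False, "realm mismatch"
    if p["nonce"] != my_nonce:
        # The response is bound to a nonce this server never issued, so there
        # is nothing to compare against; the server answers with its own 407.
        return False, "nonce not issued by this server"
    password = password_db.get(p["username"])
    if password is None:
        return False, "unknown user"
    expected = digest_response(p["username"], my_realm, password,
                               method, p["uri"], my_nonce)
    if not hmac.compare_digest(expected, p["response"]):
        return False, "bad credentials"
    return True, "ok"


def demo():
    """Replay the two-server situation from the post with the sample values."""
    header = build_proxy_authorization("1001", REALM, PASSWORD_DB["1001"],
                                       "REGISTER", "sip:sip.example.com",
                                       PROXY_NONCE)
    by_proxy = verify_digest(header, "REGISTER", REALM, PROXY_NONCE, PASSWORD_DB)
    by_asterisk = verify_digest(header, "REGISTER", REALM, ASTERISK_NONCE, PASSWORD_DB)
    return {
        "password_in_header": PASSWORD_DB["1001"] in header,  # False: only a hash travels
        "openser_result": by_proxy,        # (True, "ok")
        "asterisk_result": by_asterisk,    # (False, "nonce not issued by this server")
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the response is also bound to the method (`HA2 = MD5(method:uri)`), a digest computed for REGISTER does not validate an INVITE either. The practical consequence for the setup described in the post is that the downstream server has no cryptographic way to "inherit" the proxy's authentication decision; it either has to share the challenge state with the proxy or make the trust decision on the source of the request, which is what the iptables idea in the post amounts to.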