How to Configure Security on a Unified Messaging Dial Plan
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
This topic explains how to use the Exchange Management Shell to enable Voice over IP (VoIP) security for a Unified Messaging (UM) dial plan. By default, when a Unified Messaging dial plan is created, it will use unsecured mode or no encryption. Therefore, when an incoming call is received from an IP gateway, the Session Initiation Protocol (SIP) traffic will not be encrypted by using Mutual Transport Layer Security (MTLS). You can use the Set-UMDialPlan cmdlet to enable VoIP security on the UM dial plan so that SIP traffic will be encrypted.
Before you enable VoIP security on a dial plan, you must verify that the IP gateways and IP PBXs support VoIP security and that the IP gateways, IP PBXs, and Unified Messaging servers contain the correct certificates to enable MTLS and allow the SIP traffic to be encrypted. After you have used the VoIPSecurity parameter on the Set-UMDialPlan cmdlet to enable VoIP security on the UM dial plan, all Unified Messaging servers that are associated with the UM dial plan will encrypt the VoIP traffic. For more information about how to import and export certificates, see Importing and Exporting Certificates.
A Unified Messaging server can be associated with a single or multiple UM dial plans. However, if you are configuring a dial plan to operate in a secure mode and to have VoIP security enabled, all the Unified Messaging servers that are associated with the dial plan must be configured to operate in secure mode. A single Unified Messaging server can use SIP over MTLS (secured) or TCP (unsecured), but not both.
If you change the VoIP security settings on a dial plan, all Unified Messaging servers in the dial plan must be restarted.
You must follow these steps to enable VoIP security and use MTLS for encrypting SIP traffic:
Install the Unified Messaging server role.
Create a UM dial plan and configure the UM dial plan to use VoIP security.
Associate the Unified Messaging servers with the UM dial plan.
Export and import the required certificates to allow the Unified Messaging servers, IP gateways, IP PBXs, and other servers that are running Microsoft Exchange Server 2007 to use MTLS.
Configure the UM IP gateways that are used with a fully qualified domain name (FQDN).
To enable MTLS between a UM IP gateway and a UM dial plan that is operating in secure mode, you must first configure the UM IP gateway with an FQDN and configure it to listen on port 5061. To configure a UM IP gateway, run the following command: Set-UMIPGateway -identity MyUMIPGateway -Port 5061. You must also verify that any IP gateways or IP PBXs have also been configured to listen on port 5061 for MTLS.
- For more information about VoIP security with Unified Messaging, see Understanding Unified Messaging VoIP Security.
New in Service Pack 1 (SP1)
Unified Messaging servers that have SP1 installed can communicate with IP gateways, IP PBXs, and other Exchange 2007 computers in Unsecured, SIP Secured, or Secured mode depending on how the UM dial plan is configured.
A Unified Messaging server can operate in any mode that is configured on a dial plan because the Unified Messaging server is configured to listen on TCP port 5060 for unsecured requests and TCP port 5061 for secured requests at the same time.
A Unified Messaging server can be associated with a single or multiple UM dial plans and can be associated with dial plans that have different VoIP security settings.
A single Unified Messaging server can be associated with dial plans that are configured to use a combination of Unsecured, SIP Secured, or Secured mode.
You can configure the VoIP security mode when you are creating a new dial plan or after you have created a dial plan by using the Exchange Management Console or the Set-UMDialPlan cmdlet. When you configure the UM dial plan to use SIP Secured or Secured mode, the Unified Messaging servers that are associated with the UM dial plan will encrypt the SIP signaling traffic or the Realtime Transport Protocol (RTP) media channels and the SIP signaling traffic.
Before You Begin
To perform the following procedure, the account you use must be delegated the Exchange Organization Administrator role.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Also, before you perform this procedure, confirm the following:
- A UM dial plan has been created.
Exchange 2007 SP1
To use the Exchange Management Console to configure VoIP security on a Unified Messaging dial plan
In the console tree of the Exchange Management Console, expand Organization Configuration, and then expand Unified Messaging.
On the UM Dial Plans tab, select the UM dial plan that you want to manage, and then click Properties in the action pane.
On the dial plan properties page, click the General tab.
Click the drop-down list next to VoIP security, and then select one of the following options:
Click OK to save your changes.
To use the Exchange Management Shell to configure VoIP security on a Unified Messaging dial plan
Run the following command:
Set-UMDialPlan -identity MySecureDialPlan -VoIPSecurity Secured
For more information about syntax and parameters, see Set-UMDialplan.
Exchange 2007 RTM
To use the Exchange Management Shell to enable VoIP security on a Unified Messaging dial plan
Run the following command:
Set-UMDialPlan -identity MySecureDialPlan -VoIPSecurity SIPSecured
For more information about syntax and parameters, see Set-UMDialplan (RTM).