SIP Authentication (network bridge) setup and configuration
SIP Authentication, often referred to as network bridge, is a means of authenticating a call within the SIP dialogue. In order to set up and configure SIP Authentication, you need to:
- Allow traffic between the IPs that will communicate over this SIP trunk.
- Create credentials (username and password) and a realm, which will act as both an identifier for the calls and an FQDN.
The realm and credentials will become part of the digest authentication header used to identify and authenticate the call being placed. Not only is this helpful for segregating traffic that comes from a single source network address, but it can also add an additional layer of security to those allowed to place calls from that address.
Creating a realm
The realm serves as both an FQDN with an SRV record and the domain you’ll connect to for the call. To create it, use the following steps:
- Log in to the Bandwidth App.
- In the side navigation bar, click Account and select SIP Credentials.
Note: If you don’t see the SIP Credentials tab, please reach out to your Account Manager to enable this feature for your account. Not sure who your Account Manager is? Please open a ticket with your Bandwidth Support Team or call (855) 864-7776.
- Scroll down to the Manage Realms section and click Add.
- Give your realm a name and an optional description, and then click Add. As you type, you’ll see a preview of what the completed realm domain will look like.
Note: The Realm field supports only lowercase alphanumeric characters [a-z, 0-9]. If this is your first realm, check the Set as Default box (you can set a different realm as default later, if you’d like). Although there can only be one default realm at a time, you may use any of the realms you’ve created to complete calls.
Once created, you can use this realm to see what IPs you’ll interact with for your SIP trunking. In Windows, this can be accomplished with the “nslookup” command in a command prompt by setting your “type” to “SRV” and using the format: _sip._udp.{realm_FQDN}.
Note: If using a different protocol, like TLS, use the prefix “_sips._tcp.” instead.
Example
C:\Users\myuser> nslookup -type=SRV _sip._udp.mytestrealm-fef2f6.auth.bandwidth.com
Result
Non-authoritative answer:
_sip._udp.mytestrealm-fef2f6.auth.bandwidth.com SRV service location:
priority = 5
weight = 50
port = {port_number}
svr hostname = {server_host_name1}
_sip._udp.mytestrealm-fef2f6.auth.bandwidth.com SRV service location:
priority = 5
weight = 50
port = {port_number}
svr hostname = {server_host_name2}
{server_host_name1} internet address = {ipv4_address}
{server_host_name2} internet address = {ipv4_address}
Note: When performing SIP OPTIONS, you should use the server host name or IPv4 address of the server you’re sending the request to.
Creating SIP credentials
Now that you have a realm and the IPs your system will need to interact with, you’re ready to create credentials for the caller to enter into their phone client. To do this, use the following steps:
- Navigate to the SIP Credentials section and click Add.
- Add one set of credentials or import a bunch all at once.
Note: You can also do this programmatically via API using the SIP credentials endpoint.
To add one set of credentials
- Enter a username and password. If you wish to generate the hashes for the username/password combo yourself, leave the Username and Password fields blank and click Supply Your Own Hashes to complete additional fields.
- Select a realm from the Realm drop-down menu.
- If you’re using HTTP or programmable voice, you can also select a voice application you want to associate with this user from the Associate Application drop-down menu.
- Once you’re finished, click Add SIP Credentials.
Note: You cannot change the username once it’s been created; however, you can update the password, realm, and voice application.
To import a bunch all at once
- Click the Import with Passwords or Import with Hashes card to download the appropriate spreadsheet template based on your preference.
- Drag and drop the completed spreadsheet into the field below or click Browse to upload it.
- Once you’re finished, click Upload File.
Testing a live call
Now that everything is configured, you’re ready to test a live call. Here are the basics of what you can expect for a SIP authentication call:
- You’ll send your initial call request or INVITE addressed to the realm you’ve created. You should then be issued an auth challenge or 407 as seen above. This challenge will contain some information about how your server will authenticate the call for this session including the realm.
- In response, your application or server should return an INVITE containing the “Proxy-Authorization” header that will deliver the auth digest. If you’re troubleshooting an issue where your call is unable to authenticate during this step or receives additional auth challenge responses (407), check that the information in your Proxy-Authorization header contains a realm and username that match what’s expected for the call. Your password will be hashed and not visible in this digest response, so please confirm that it matches the one entered when the SIP credentials were created.
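The check described in the last step can be run offline against headers copied from a capture. The following is an added example, not Bandwidth's code: it assumes a standard RFC 2617 MD5 digest and that the challenge carries the realm domain as its realm; the username, passwords, nonce and phone number are constructed sample values.

```python
import hashlib, hmac, re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(value):
    """Parse 'Digest k="v", k2=v2' into a dict with lower-cased keys."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def expected_response(auth, method, password):
    """Recompute the RFC 2617 MD5 digest from the header fields and password."""
    ha1 = md5_hex(f"{auth['username']}:{auth['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{auth['uri']}")
    if auth.get("qop"):
        return md5_hex(f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:{auth['qop']}:{ha2}")
    return md5_hex(f"{ha1}:{auth['nonce']}:{ha2}")

def check_authorization(challenge, authorization, method, username, password):
    """Return the mismatching fields; an empty list means the header is consistent."""
    chal, auth = parse_digest(challenge), parse_digest(authorization)
    problems = [k for k in ("realm", "nonce") if auth.get(k) != chal.get(k)]
    if auth.get("username") != username:
        problems.append("username")
    if not problems and not hmac.compare_digest(
            auth.get("response", ""), expected_response(auth, method, password)):
        problems.append("response")  # identifying fields agree; the password differs
    return problems

# Constructed sample values (not from a real capture).
REALM = "mytestrealm-fef2f6.auth.bandwidth.com"
CHALLENGE = f'Digest realm="{REALM}", nonce="constructed-nonce-001", algorithm=MD5'
URI = f"sip:+15555550100@{REALM}"

def build_authorization(username, password, realm=REALM):
    """What a client would send in Proxy-Authorization for the challenge above."""
    fields = {"username": username, "realm": realm, "uri": URI,
              "nonce": parse_digest(CHALLENGE)["nonce"]}
    resp = expected_response(fields, "INVITE", password)
    return (f'Digest username="{username}", realm="{realm}", nonce="{fields["nonce"]}", '
            f'uri="{URI}", response="{resp}", algorithm=MD5')

if __name__ == "__main__":
    hdr = build_authorization("alice-test", "typo-password")
    print(check_authorization(CHALLENGE, hdr, "INVITE", "alice-test", "correct-password"))
```

A result of `['response']` means the realm, nonce and username line up with the challenge and only the password entered on the client differs from the one stored with the SIP credentials.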
If you have any additional questions or issues, please open a ticket with your Bandwidth Support Team or hit us up at (855) 864-7776!