Please note that you need to use the premium version of Zoiper as it supports Encrypted SIP.
You will need to allow port 5061 (TCP, encrypted SIP) to the unit, along with SRTP ports 10000-20000 (UDP). The unit will also need the “External IP address for SIP-over-NAT” option configured if the unit doesn’t live on a public IP address.
Encrypted SIP on our system accepts a much narrower range of clients: pre-configured handsets with randomised passwords that also have the explicit “Softphone - TLS” or “Zoiper TLS” type. Normal SIP handset credentials won’t work on 5061, and SIP trunk credentials work only if specifically enabled (the default is off).
Because it’s encrypted, there is much more overhead in terms of effort and bandwidth for the attacker. The SRTP ports are the same as the RTP ports, but the ‘S’ stands for secure; again, it’s encrypted so there is more overhead.
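To confirm that port 5061 is reachable through the firewall, the following added example (not IPCortex or Zoiper code) opens a certificate-verified TLS connection to the PBX and sends a SIP OPTIONS request. The hostname is one you supply and `probe.invalid` is a placeholder; whether the PBX answers an unauthenticated OPTIONS is an assumption, so a completed handshake with no reply still shows the port is open.

```python
import socket
import ssl
import uuid

def build_options(host, port=5061, local="probe.invalid"):
    """Minimal SIP OPTIONS request for TLS transport (RFC 3261)."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]
    lines = [
        f"OPTIONS sip:{host}:{port};transport=tls SIP/2.0",
        f"Via: SIP/2.0/TLS {local};branch={branch}",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{host}>",
        f"Call-ID: {uuid.uuid4().hex}@{local}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
        "", "",
    ]
    return "\r\n".join(lines).encode()

def parse_status(data):
    """Return (code, reason) from a SIP response, or None if it is not one."""
    first = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    return int(parts[1]), parts[2] if len(parts) > 2 else ""

def probe(host, port=5061, timeout=5.0):
    """TLS-connect to the PBX, verify its certificate, then send OPTIONS."""
    ctx = ssl.create_default_context()  # chain + hostname verification on
    result = {"tls": None, "status": None}
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["tls"] = tls.version()
            tls.sendall(build_options(host, port))
            try:
                result["status"] = parse_status(tls.recv(4096))
            except socket.timeout:
                pass  # handshake completed but the PBX did not reply
    return result

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

A certificate verification error from `probe` means the PBX certificate is not trusted by the machine running the check or does not match the hostname used. The check covers the TCP signalling port only, not the UDP SRTP range.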
Auto provisioning for Zoiper’s Android and iOS apps was introduced in IPCortex software version 6.2. This is done via a QR code on the user’s page.
- Buy a copy of Zoiper premium from the app store and install it on the phone.
- Assign a softphone of the type “Zoiper TLS” to the user.
- Have the user log in to the PBX, go to “Settings”, select “Zoiper QR code”, and follow the instructions in the Zoiper app to provision using the QR code.
From time to time, we have seen Zoiper introduce bugs that affect our auto provisioning mechanism. In these cases, you can provision the app manually:
- Host: <pabx hostname>
- Username: <sip username>
- Password: <sip password>
- Encryption settings: Enable SRTP, Disable ZRTP