Securely connecting remote extensions (SIP Clients)

Hello,

I’m looking for a recommended method to facilitate mobile users who have asked for SIP clients on their smartphones. We use iptables for allowing access to our server, so putting an app on the device to register the IP is not a problem. But I’m hesitant because I worry about SIP credentials being sent in the clear. I’m not sure if TLS with Asterisk or using a VPN to the server would be best. Can anyone recommend a good working solution?

Thank you,

We are using Zoiper as a SIP/IAX2 client on our mobile phones. They also have a dynamic DNS client running.
We have IAX2 port 4569 forwarded on our firewall to our internal Asterisk and allow traffic only from known hostnames. The dynamic DNS clients on the mobile phones update the user’s hostname with the user’s current IP address whenever the IP changes.
We are using IAX2, because port forwarding is easier to manage and IAX2 is generally more reliable with firewall traversal. With SIP, we had audio issues.

We are using VPN also, but not on our mobile phones, only remote soft clients or IP phones. This is the better approach from a security point of view, but we found it was just not really practical to have a mobile phone permanently VPNed into our network, unless the mobile phone was only used for business activities.

If you live in the US, you can also look into commercial solutions, such as vmobile from Vitelity. You buy a phone from them and it comes with all the necessary software installed and the user doesn’t have to do anything. It looks pretty nice to me, and we would try it, if they were partnering with other cell carriers, not only Sprint.
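
The hostname-based allowlist described in the reply above can be kept in sync with a small script. This is an added example, not the poster's actual setup: the set name `iax2_allow`, the `*.dyn.example.net` hostnames and the function names are assumptions, and it uses `ipset` with `iptables` so the rules themselves never change when a phone's address does.

```sh
#!/bin/sh
# Added example, not from the thread. SET_NAME and hostnames are placeholders.
SET_NAME="iax2_allow"

# Resolve a hostname to IPv4 addresses, one per line (glibc getent).
resolve_host() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Accept only dotted-quad IPv4 with octets 0-255, so nothing else from a DNS
# answer can reach the restore script.
is_ipv4() {
    local IFS=. o
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $1                      # split on dots into positional parameters
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Print an `ipset restore` script that fills a temporary set and swaps it in
# atomically, so the live set is never empty mid-refresh.
build_restore() {
    local tmp="${SET_NAME}_new" host ip adds=""
    for host in "$@"; do
        for ip in $(resolve_host "$host"); do
            is_ipv4 "$ip" || continue
            adds="${adds}add $tmp $ip
"
        done
    done
    # If nothing resolved, emit nothing and leave the live set untouched.
    [ -n "$adds" ] || return 1
    printf 'create %s hash:ip family inet\n' "$SET_NAME" "$tmp"
    printf 'flush %s\n%s' "$tmp" "$adds"
    printf 'swap %s %s\ndestroy %s\n' "$tmp" "$SET_NAME" "$tmp"
}

# Run as root from cron, e.g.: refresh_allowlist alice.dyn.example.net
refresh_allowlist() {
    build_restore "$@" | ipset -exist restore
}
# One-time rules that consult the set:
#   iptables -A INPUT -p udp --dport 4569 -m set --match-set iax2_allow src -j ACCEPT
#   iptables -A INPUT -p udp --dport 4569 -j DROP
```

The allowlist only limits which source addresses can reach port 4569; it does not encrypt signaling or media, and an address stays allowed until the next refresh after the dynamic DNS record changes.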