...
Similarly, the remote system's CA certificate must be imported into sipXecs. This is done on the Certificate Authorities panel under System -> Certificates. It may be necessary to restart the bridge as indicated on the screen but as this will be done after the next step, the message can be ignored here.
Configure TLS ports
Basic TLS interop (through a bridge) is ready to go now - just Now set the Gateway transport to TLS and change the port to match the remote TLS port (often 5061; for sipXecs to sipXecs, use 5081). . It is necessary to restart the bridge as indicated on the screen.
Note that the remote system may need to be configured to send to port 5081 (the TLS port of a sipXbridge gateway). It is necessary to restart the bridge as indicated on the screen.
Configure TLS Peer permissions (if desired)
An additional advantage of using TLS for remote gateways is that users of the remote system can be mapped to a sipXecs user, and may then use resources which require permissions (e.g. ITSP gateways, etc). To enable this mapping, add a TLS Peer under the Users menu, using as the TLS Peer Name the identity which the remote system presents in the SubjAltName field of its certificate (usually the SIP Domain or FQDN of the remote system). You can then specify permissions to be applied when any users from that system dial.
If no matching TLS Peer is configured, then a warning message will be logged in sipxbridge.log, containing the list of identities which were in the certificate: "No matching TLS Peer found for <list of identities in the certificate>.
...