When dial plan security is set to Secured, SRTP is enabled and is required by Exchange UM. In this case, the encryption level for Office Communicator 2007 R2 clients must be set to either Optional or Required, because a client that does not support media encryption cannot complete a call to Exchange UM.
Media Gateway Security
Media flowing in both directions between the Mediation Server and the Communications Server network is encrypted using SRTP. Organizations that rely on IPsec for packet security are strongly advised to exempt a small range of media ports from IPsec if they deploy Enterprise Voice. The security negotiations that IPsec requires are acceptable for ordinary UDP or TCP connections, but they can delay call setup to unacceptable levels, and the media on those ports is already protected by SRTP.
Because a media gateway accepts calls from the PSTN, which is an untrusted network, the following mitigations are recommended:
Enable TLS on the link between the gateway and the Mediation Server. This ensures that signaling is encrypted end to end between the gateway and your internal users, rather than only on the Mediation Server's internal side.
Physically isolate the media gateway from the internal network by deploying the Mediation Server on a computer with two network adapters: one that accepts traffic only from the internal network, and one that accepts traffic only from the media gateway. Each adapter is configured with a separate listening address so that trusted traffic originating in the Communications Server network is always kept apart from untrusted traffic arriving from the PSTN.
The internal edge of a Mediation Server should be configured to correspond to a unique static route, described by an IP address and a port number. The default port is 5061 (SIP over TLS).
The external edge of a Mediation Server should be configured as the next-hop proxy for the media gateway and identified by a unique combination of IP address and port number. Its IP address must not be the same as that of the internal edge; the default port is 5060.
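The separation described above is only real if the two SIP listeners are actually bound to their own adapter addresses; a listener bound to the wildcard address 0.0.0.0 makes the gateway edge reachable from the internal network and vice versa. The following check is an added example, not part of the original documentation or of the product: it parses `netstat -ano` output from the Mediation Server (a constructed sample is embedded) and reports any binding that breaks the two-edge model. The subnets, edge addresses and process ID are assumptions chosen for illustration.

```python
"""Verify that a Mediation Server's SIP listeners honour the two-edge separation.

Added example (not from the original page). Parses `netstat -ano` output and
checks that the internal edge (default 5061, TLS) is bound only to an address
on the internal network, the gateway edge (default 5060) only to an address on
the isolated gateway segment, that both listeners exist, that the two edges use
different addresses, and that neither port is bound to the wildcard address.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed topology (hypothetical values, not from the page).
INTERNAL_NET = ip_network("10.0.1.0/24")      # Communications Server network
GATEWAY_NET = ip_network("192.168.50.0/24")   # isolated media gateway segment
INTERNAL_EDGE = ("10.0.1.20", 5061)           # TLS listener for internal traffic
GATEWAY_EDGE = ("192.168.50.20", 5060)        # next-hop proxy for the media gateway

# Constructed `netstat -ano` output for a Windows host (not captured from a real server).
# The 0.0.0.0:5060 line is the misconfiguration the check is meant to catch.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    10.0.1.20:5061         0.0.0.0:0              LISTENING       3344
  TCP    192.168.50.20:5060     0.0.0.0:0              LISTENING       3344
  TCP    0.0.0.0:5060           0.0.0.0:0              LISTENING       3344
  TCP    10.0.1.20:5061         10.0.1.5:49188         ESTABLISHED     3344
  UDP    10.0.1.20:60002        *:*                                    3344
"""

# Matches TCP listeners only; established connections and UDP sockets are ignored.
LISTENER_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)


def parse_listeners(netstat_text):
    """Return a list of (address, port, pid) tuples for every TCP listener."""
    return [(addr, int(port), int(pid)) for addr, port, pid in LISTENER_RE.findall(netstat_text)]


def check_edges(netstat_text, internal_edge=INTERNAL_EDGE, gateway_edge=GATEWAY_EDGE,
                internal_net=INTERNAL_NET, gateway_net=GATEWAY_NET):
    """Return a list of findings; an empty list means the edge separation holds."""
    findings = []
    listeners = parse_listeners(netstat_text)
    sip_ports = {internal_edge[1], gateway_edge[1]}

    for addr, port, pid in listeners:
        if port not in sip_ports:
            continue
        # Wildcard bindings expose the listener on every adapter, defeating the isolation.
        if addr in ("0.0.0.0", "[::]"):
            findings.append(
                f"port {port} bound to wildcard {addr} (pid {pid}): reachable from both networks")
            continue
        ip = ip_address(addr)
        if port == internal_edge[1] and ip not in internal_net:
            findings.append(f"internal edge port {port} bound to {addr}, outside {internal_net}")
        if port == gateway_edge[1] and ip not in gateway_net:
            findings.append(f"gateway edge port {port} bound to {addr}, outside {gateway_net}")

    # The two edges must live on different adapters, hence different addresses.
    if internal_edge[0] == gateway_edge[0]:
        findings.append("internal and gateway edges share one IP address; use separate adapters")

    # Each expected edge listener must actually be present.
    bound = {(addr, port) for addr, port, _ in listeners}
    for name, edge in (("internal", internal_edge), ("gateway", gateway_edge)):
        if edge not in bound:
            findings.append(f"{name} edge listener {edge[0]}:{edge[1]} not found")
    return findings


if __name__ == "__main__":
    for finding in check_edges(SAMPLE_NETSTAT) or ["edge separation OK"]:
        print(finding)
```

Run it against the real output of `netstat -ano` on the Mediation Server after adjusting the assumed subnets and edge addresses; an empty result means each edge listens only on its own adapter and neither port is exposed on the wildcard address.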