vHFA
The SPE certificate configured on the vHFA WBM is used for TLS connections
to its IP address.
- TLS ports on vHFA are opened only if SPE is enabled and certificates
are loaded (everything on vHFA works as it did before WAN was introduced).
- The SPE certificate on vHFA is used only for "local" connections.
- An SPE certificate on vHFA is not necessary if SPE is disabled or TLS
is not required for local connections.
WAN Interface
The SPE certificate configured on the OpenScape 4000 SoftGate WBM is used
for TLS connections to the WAN IP address.
- SRTP is always used on WAN regardless of security settings.
- TLS ports on WAN are opened if a certificate is configured, regardless
of whether SPE is enabled or disabled.
- The WAN interface requires an SPE certificate because only TLS is allowed
on WAN.
- The WAN interface always uses TLS and SRTP regardless of SPE settings.
- If SPE is enabled, the phone on WAN is reported to the system as secure,
using TLS.
- If SPE is disabled, the phone on WAN is reported to the system as insecure,
using TCP (even though it uses TLS).
- If SPE is disabled, mobile HFA between the WAN and local interfaces
works with TCP on local connections and TLS on WAN connections.
- If SPE is enabled and mobile HFA is required for a subscriber,
then this subscriber has to use TLS on the local connection as well (otherwise
mobile HFA from WAN cannot be canceled on the local phone, because TCP
cannot override TLS).
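
The rules above can be checked against a planned configuration before rollout. The following Python sketch is an added example, not part of the product or its documentation; the function, field names and finding codes are hypothetical, and the sample subscribers are constructed.

```python
from dataclasses import dataclass

@dataclass
class Subscriber:
    name: str
    mobile_hfa: bool       # uses mobile HFA between WAN and local interfaces
    local_transport: str   # "TLS" or "TCP" on the local (vHFA) connection

def audit(spe_enabled, vhfa_cert_loaded, wan_cert_configured, wan_in_use, subscribers):
    """Return (code, subject) findings for a planned configuration."""
    findings = []
    # vHFA: TLS ports open only if SPE is enabled AND certificates are loaded.
    vhfa_tls_open = spe_enabled and vhfa_cert_loaded
    # WAN: TLS ports open whenever a certificate is configured, SPE on or off.
    wan_tls_open = wan_cert_configured

    if wan_in_use and not wan_tls_open:
        # Only TLS is allowed on WAN, and no TLS port opens without a certificate.
        findings.append(("WAN_NO_CERT", "WAN"))
    if wan_in_use and wan_tls_open and not spe_enabled:
        # Phones still use TLS/SRTP but are reported to the system as insecure (TCP).
        findings.append(("WAN_REPORTED_INSECURE", "WAN"))
    for s in subscribers:
        if s.local_transport == "TLS" and not vhfa_tls_open:
            # Local TLS is expected, but the vHFA TLS ports are not opened.
            findings.append(("LOCAL_TLS_PORTS_CLOSED", s.name))
        if spe_enabled and s.mobile_hfa and s.local_transport != "TLS":
            # TCP cannot override TLS: mobile HFA from WAN cannot be canceled locally.
            findings.append(("MOBILE_HFA_NEEDS_LOCAL_TLS", s.name))
    return findings

# Constructed sample deployment (not taken from a real system).
SAMPLE = [
    Subscriber("alice", mobile_hfa=True, local_transport="TCP"),
    Subscriber("bob", mobile_hfa=False, local_transport="TLS"),
]

if __name__ == "__main__":
    for code, subject in audit(True, True, True, True, SAMPLE):
        print(f"{subject}: {code}")
```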