ICMPR V2.01 Features


NS1000
ICMPR V2.01 FEATURES
SESSION BORDER CONTROLLER
(EASY UT INSTALLATION)
Session Border Controller
3.0 Session Border Controller (SBC) – Overview
• Easy connection of remote KX-UT Series SIP phones to the NS1000 can be realized by using a
Mediatrix 501 Series Session Border Controller (Firmware V5.35-M4).
• Once the KX-UT phone is suitably programmed, it can be connected to the LAN at the remote
office and connection will be established with the NS1000 at the main office.
[Diagram: Remote Office, Internet, Perimeter Router, Mediatrix 501 SBC and NS1000 at the Main Office]
The SBC device assists in the NAT-Traversal process and can allow the connection of
remote KX-UT terminals to the NS1000 without the need for a VPN.
NB: The SBC/NS1000v2 supported configuration is for the SBC to sit BEHIND the
Perimeter Router/Firewall (i.e. LAN Interface Only)
3.1 Session Border Controller (SBC) – Specification
• KX-UT Series SIP Phones and 3rd Party SIP Phones which support Early Media functionality can be
connected via the SBC.
• One NS1000 can be connected to one SBC device only
• One SBC Device can support up to 20 remote connections (Simultaneous RTP Streams)
• The NS1000 can support Max 20 HTTP/HTTPS Sessions (required to manage the Remote Extension)
• eSBC501 is available in 5/10/20 session versions;
(It is possible to register 20 Remote extension on the NS1000 and use a 5 Session SBC, however only 5 simultaneous call paths will be
supported through the SBC)
[Diagram: KX-UTxxx at the Remote Office (KX-UT supported s/w: V1.160) connects using SIP/TR069(CWMP)/NTP via the Mediatrix eSBC 501 (Max 20 simultaneous connections) to the NS1000]
NB: If CA or other Applications are required at the Remote Office, a VPN will be required.
The SBC supports KX-UT / SIP Phones only. IP-PTs (KX-NT3xx etc) and SIP Based DECT are NOT Supported by the SBC.
3.1.1 Session Border Controller (SBC) – Specification
Supported Features (Using V-UTEXT32 Card)
• Making and receiving a call
• Extension numbers are displayed
• External Caller ID is displayed (depending on system Settings)
• Conversation with G.729, G.711 and G.722 (depending on Codec Priority settings)
• Placing and retrieving a call on HOLD
• Call TRANSFER
• Call FORWARD (V-UTEXT32 Only)
3.2 Session Border Controller (SBC) – Router Programming
• No special programming is required for the Remote Office Router.
• The Main Office Router needs Port Forwarding set for SIP(UDP), RTP(UDP), TR069(CWMP) and NTP.
[Diagram: Main Office (NS1000 and SBC; Port Forwarding required on the router), Internet, Remote Office (no additional programming required)]
NB: No Additional A/K is required in the NS1000 for SBC.
3.3 Session Border Controller (SBC) – Network Diagram Example
The example below shows a typical deployment
Head Office
  NS1000:
    MPR: 192.168.1.101
    DSP: 192.168.1.102 (RTP)
    Netmask: 255.255.255.0
    DGW: 192.168.1.1
    SIP Extension Server: 192.168.1.101:15060
  Router:
    LAN1: 192.168.1.1
    *WAN1: 61.xxx.xxx.xxx (Provided by ISP)
  Mediatrix SBC:
    LAN1: 192.168.1.254
  PBX Extension
Internet
Remote Office
  Router:
    *WAN2: 210.xxx.xxx.xxx (Provided by ISP)
    LAN2: 192.168.0.254
  SIP Extension:
    Settings from Remote Office router (DHCP):
      IP: 192.168.0.1
      Netmask: 255.255.255.0
      DGW: 192.168.0.254
    Manual settings:
      * SIP Server 61.xxx.xxx.xxx : 15060
Router requires Port forward settings to allow incoming traffic to the SBC, e.g.
  SIP(UDP) 15060 ---> 192.168.1.254
  RTP(UDP) 12000 – 12031 ---> 192.168.1.254
*NB: IP addresses shown here are an example.
In deployment, these addresses must be changed to the Global IP addresses provided by the ISP.
3.4 Session Border Controller (SBC) – What it does (1).
The example below shows what the SBC device does to allow NAT Traversal.
Head Office (LAN)
  NS1000:
    MPR: 192.168.1.101
    DSP: 192.168.1.102 (RTP)
    Netmask: 255.255.255.0
    DGW: 192.168.1.1
    SIP Extension Server: 192.168.1.101:15060
  Router:
    LAN1: 192.168.1.1
    *WAN1: 61.xxx.xxx.xxx (Provided by ISP)
  Mediatrix SBC:
    LAN1: 192.168.1.254
  EXT201
Internet (WAN)
Remote Office
  Router:
    *WAN2: 210.xxx.xxx.xxx (Provided by ISP)
    LAN2: 192.168.0.254
  EXT301:
    Settings from Remote Office router (DHCP):
      IP: 192.168.0.1
      Netmask: 255.255.255.0
      DGW: 192.168.0.254
    Manual settings:
      * SIP Server 61.xxx.xxx.xxx : 15060
The typical problem in this scenario is that the necessary LAN IP addresses are embedded in
the VoIP packet.
The Routers add their own Global (WAN) IP addresses, with the result that the audio is not
delivered correctly between the extensions (1-way voice etc.).
The SBC and PBX record the communication path, and the SBC adds information to the packet so
that the audio can be routed correctly. In this way, the problem scenario can be overcome.
3.4 Session Border Controller (SBC) – What it does (2).
The packet capture below illustrates how the SIP Message Header is used to route the call.
[Packet capture diagram: Remote, Router, HO SBC, NS1000, HO EXT201]
1. Call arrives from Remote side, but has both Global and local IP Address.
2. SBC adds ‘VIA’ information and starts ‘managing’ the call.
NB: This is an EXAMPLE – actual process is more complex!
3. NS1000 can route call correctly based on local IP Address
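The address mismatch described in section 3.4, as an added example that is not part of the original slides: it lists the addresses a remote phone embeds in its SIP headers and SDP and flags the private ones that differ from the source address the head office actually sees. The INVITE, the addresses 203.0.113.10 and 198.51.100.20, and the function names are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed INVITE from remote EXT301 (LAN address 192.168.0.1, as in the
# slides). 198.51.100.20 stands in for the head-office WAN address.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:201@198.51.100.20:15060 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.0.1:5060;branch=z9hG4bK-constructed",
    "From: <sip:301@198.51.100.20>;tag=constructed",
    "To: <sip:201@198.51.100.20>",
    "Call-ID: constructed-call-1",
    "CSeq: 1 INVITE",
    "Contact: <sip:301@192.168.0.1:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.0.1",
    "s=-",
    "c=IN IP4 192.168.0.1",
    "t=0 0",
    "m=audio 16000 RTP/AVP 18 0",
    "",
])

def embedded_addresses(message):
    """Return (field, ip) for addresses carried in Via, Contact and SDP c=."""
    head, _, body = message.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "via":
            m = re.search(r"SIP/2\.0/\w+\s+([\d.]+)", value)
        elif name == "contact":
            m = re.search(r"@([\d.]+)", value)
        else:
            continue
        if m:
            found.append((name, m.group(1)))
    for line in body.split("\r\n"):
        if line.startswith("c="):                # where RTP should be sent
            found.append(("sdp c=", line.split()[-1]))
    return found

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def nat_mismatches(message, observed_src):
    """Private embedded addresses that differ from the packet's real source."""
    return [(field, ip) for field, ip in embedded_addresses(message)
            if ip != observed_src and is_rfc1918(ip)]

if __name__ == "__main__":
    # 203.0.113.10 is a constructed stand-in for the remote router's WAN address.
    for field, ip in nat_mismatches(SAMPLE_INVITE, "203.0.113.10"):
        print(f"{field}: {ip} is not reachable from the head office")
```

Each flagged field is a place where signalling or audio would be sent to an address that only exists on the remote LAN, which is the one-way or no-audio symptom the SBC is there to prevent.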
3.5 Session Border Controller (SBC) – NS1000 Programming(1) – Port Numbers.
Port Number parameters (UDP/HTTP/HTTPS etc) are set as Site Property.
Configuration -> Slot -> Virtual -> Site Property -> Main-> Port Number.
NB: The values shown here are the ‘default’ values programmed in the NS1000 Unit.
3.5 Session Border Controller (SBC) – NS1000 Programming (2) – SIP Extension Ports / Server IP Address.
‘Remote’ extension parameters (Head office Router IP Address etc) are set as Site Property.
Configuration -> Slot -> Virtual -> Site Property -> Main-> SIP Extension.
[Screenshot annotations: Set WAN side IP address of HQ’s Router (61.xxx.xxx.xxx; in this example, 66.199.255.186). Set port forward to NS1000 (Default). Set port forward to SBC (Default).]
3.5 Session Border Controller (SBC) – NS1000 Programming(3) – Remote Extension Setting.
Up to 20 KX-UT Extensions can be designated as ‘Remote’.
These Extensions will be controlled via the SBC.
ALL RTP traffic for the Remote Extension will pass through the SBC (No P2P)
Configuration -> Slot -> Virtual -> VUTEXT32 -> Port Property -> Remote Place.
MAX 20 EXT can be assigned as remote terminal.
[Screenshot labels: Remote, Enable, HTTPS]
3.5 Session Border Controller (SBC) – NS1000 Programming(4) – Remote Extension Setting.
Please consider the Bandwidth requirements / availability of the Remote Location – It may be better
to use a Codec which requires less bandwidth – such as G.729.
Configuration -> Slot -> Virtual -> VUTEXT32 -> Port Property -> Option.
3.5 Session Border Controller (SBC) – NS1000 Programming(5) – Remote Extension Setting.
Enable ‘Bandwidth Control’ for the P2P Group that the Remote Extension belongs to.
3. Group -> 10. P2P Group -> Bandwidth Control
Click ‘OK’
3.5 Session Border Controller (SBC) – NS1000 Programming(6) – Remote Extension Setting.
Configure the Codec priority to be used by the Remote Extension.
-Please consider the available bandwidth at the remote site (G.729 uses less bandwidth than G.711)!
Configuration -> 2. System -> 9. System Options-> Option 7.
Click ‘Apply’
3.6 Session Border Controller (SBC) – UT Programming(1) – Remote Extension Deployment.
There are TWO methods available for UT Deployment;
1. Register the Remote UT Extension locally at the NS1000 site and then move the extension to the
remote location.
When the UT phone is registered at the NS1000 site, its configuration
(including SBC and WAN settings etc) is downloaded directly from the NS1000.
2. Transfer the Configuration file stored on the NS1000 to the UT Phone which is ALREADY located at
the remote site.
The two methods are described in the following slides;
3.6 Session Border Controller (SBC) – UT Programming(2) – Remote Extension Deployment.
Method 1 – Local Registration to NS1000
1. Register the desired UT Extension to the NS1000, using a V-UTEXT32 card.
2. After configuring the UT Settings described in the previous slides, ‘APPLY’ the settings and then
RESET the UT Phone (Either by IP RESET on the Phone display or by Power OFF/ON).
The UT will then restart and download the updated configuration from the NS1000.
3. The UT Phone will display;
Connection Error (90002)
Check Server and Set it.
4. The UT Phone can now be transferred to the Remote Site and connected to the Local Router. When
Connected, the UT Phone will display (Example)
29 OCT 12:00 SUN
351
3.6 Session Border Controller (SBC) – UT Programming(3) – Remote Extension Registration.
‘Remote’ extensions will have the same IP Address as the SBC device.
Configuration -> Slot -> Virtual -> VUTEXT32 -> Port Property -> Main.
192.168.1.254
3.6 Session Border Controller (SBC) – UT Programming(4) – Remote Extension Deployment.
Method 2 – Remote Registration using NS1000 Configuration File (1)
1. After configuring the UT Settings described in the previous slides, “Save” the settings to the
NS1000. (NB: The UT does not need to be registered to the NS1000 at this time)
2. The “UT_ACS_HTTPS_01NS1000.cfg” file must now be generated by the NS1000. This is only done at
system Startup, so you must now Restart (Reset) the NS1000.
Maintenance -> System Control-> 4. System Reset -> Backup -> “OK”
3.6 Session Border Controller (SBC) – UT Programming(5) – Remote Extension Deployment.
Method 2 – Remote Registration using NS1000 Configuration File (2)
3. After the NS1000 has restarted, the “UT_ACS_HTTPS_01NS1000.cfg” file will have been created.
This file can now be transferred PBX -> PC
4. Maintenance -> Utility-> 2. File Transfer PBX to PC-> “Transfer”
3.6 Session Border Controller (SBC) – UT Programming(6) – Remote Extension Deployment.
Method 2 – Remote Registration using NS1000 Configuration File (3)
5. Connect the UT phone at the remote site and turn on the in-built
Web-Portal using the keys [#, 5, 3, 4] and select ‘ON’.
6. Using the Browser of your PC, access the UT Web-Portal (Example http://192.168.10.1)
The Default Installer Logon Details are
Username: instoperatoruserid
Password: instpass
7. Using the ‘Maintenance’ Tab, Browse to the Config file and click ‘Import’
3.6 Session Border Controller (SBC) – UT Programming(7) – Remote Extension Deployment.
Method 2 – Remote Registration using NS1000 Configuration File (4)
8. The UT phone can now be registered to the NS1000 system using the standard ‘Manual’ or
‘Automatic’ Registration methods (NB: UT Phones do not support Extension Number Registration).
Example;
3.7 Session Border Controller (SBC) – NS1000 Programming (Reference).
The following parameters will be set to the KX-UT when it has been registered to the NS1000.
a. Setting parameters of Remote SIP-MLT
WAN Side IP address / Name of Router for CWMP | None
NAT - CWMP Server (HTTP) Port No. | WAN Side Port No. for CWMP | 7547 (1-65535)
NAT - CWMP Server (HTTPS) Port No. | WAN Side Port No. for CWMP | 37457 (1-65535)
NAT - SIP-MLT Data Download Server (HTTP) Port No. | WAN Side Port No. for Data Download | 7580 (1-65535)
NAT - SIP-MLT Data Download Server (HTTPS) Port No. | WAN Side Port No. for Data Download | 37580 (1-65535)
WAN Side IP address/Name for SIP | None
WAN Side Port No. for SIP | 5060 (1-65535)
WAN Side IP address for NTP | None
WAN Side Port No. for NTP | 123 (1-65535)
NAT – Keep Alive packet type for SIP | Blank UDP / Register / None
NAT – Keep Alive send interval | 20 (10-86400) Sec
NAT - CWMP Server IP Address
NAT - SIP Proxy Server IP Address
NAT - SIP Proxy Server Port No.
NAT - NTP Server IP Address
NAT - NTP Server Port No.
NAT - Keep Alive Packet Type
NAT - Keep Alive Packet, Sending Interval Time (s)
NAT - SIP Register Expire Time (s)
NAT – Register Expire time
3.7 Session Border Controller (SBC) – NS1000 Programming(Reference).
The following parameters will be set to the KX-UT when it has been registered to the NS1000 (Cont..).
b. Networking Survivability, assigned to Remote SIP-MLT ( for Secondary NS )
NAT - CWMP Server (HTTP) Port No. | WAN Side Port No. for CWMP | 7547 (1-65535)
NAT - CWMP Server (HTTPS) Port No. | WAN Side Port No. for CWMP | 37547 (1-65535)
WAN Side IP Address/Name for SIP | none
WAN Side Port No. for SIP | 5060 (1-65535)
NAT - SIP Proxy Server IP Address
NAT - SIP Proxy Server Port No.
c. Control Condition of Remote SIP-MLT
PERIODIC Ability | PERIODIC Setting For Remote Terminal | Enable/Disable
PERIODIC Packet Sending Interval Time (s) | PERIODIC Setting For Remote Terminal | 30 (30-3600) Sec
3.7 Session Border Controller (SBC) – NS1000 Programming(Reference).
Port Setting for the NS1000 PBX
Configuration -> Slot -> Virtual -> Site Property -> Main-> Port Number.
3.8 Session Border Controller (SBC) – Head Office Router Programming(1).
The following port forwarding needs to be set in the Head Office Router.
Port Forward
Item         Source Port    Destination IP Address
SIP UDP      15060          SBC Private IP Address
RTP UDP      35000-35999    SBC Private IP Address
TR-069 TCP   7547           PBX ICMPR Address
TR-069 TCP   37547          PBX ICMPR Address
http TCP     7580           PBX ICMPR Address
http TCP     37547          PBX ICMPR Address
NTP UDP      123            PBX ICMPR Address
NB: If the Port Forward settings are not made correctly,
Calling problems and/or Audio problems will occur!
3.9 Session Border Controller (SBC) – Head Office Router Programming(2).
Troubleshooting (1):
There are two common problems associated with Perimeter Router configuration;
1. Denial Of Service (DOS) Attacks (Also known as FLOOD attacks)
What happens is that the attacker sends many REGISTER requests, and the PBX gets tied up responding with “404 – Not Found” messages.
Countermeasure: Do not use 5060 as the standard SIP receiving port (use a less well-known number).
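One way to confirm from the defender's side that the REGISTER flood described above is reaching the PBX, as an added example that is not part of the original slides and is not NS1000 or Mediatrix code: it counts REGISTER requests answered with 404 per source address in a sliding window. The log line format, the addresses, the threshold and the window length are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed log lines: '<ISO timestamp> <source IP> <method> <status>'."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(30):                      # 30 failed REGISTERs in 15 seconds
        ts = start + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.50 REGISTER 404")
    for i in range(3):                       # a remote extension re-registering
        ts = start + timedelta(seconds=60 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 REGISTER 200")
    lines.append(f"{start.isoformat()} 198.51.100.7 REGISTER 404")  # one typo
    return lines

def find_register_floods(lines, threshold=20, window_s=10):
    """Return {source: peak count} for sources whose REGISTER/404 count
    reaches `threshold` inside any `window_s`-second window."""
    events = []
    for line in lines:
        ts, src, method, status = line.split()
        if method == "REGISTER" and status == "404":
            events.append((datetime.fromisoformat(ts), src))
    events.sort()                            # do not trust the log order

    recent = defaultdict(deque)              # per-source timestamps in window
    peak = {}
    for ts, src in events:
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        peak[src] = max(peak.get(src, 0), len(window))
    return {src: n for src, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in find_register_floods(build_sample_log()).items():
        print(f"{src}: {n} REGISTER/404 within 10 s")
```

Moving SIP off port 5060 only avoids scanners that probe the default port; a per-source count like this shows whether a flood is still arriving on the new port.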
3.9 Session Border Controller (SBC) – Head Office Router Programming(2).
Troubleshooting (2):
2. One-Way or No Audio Problems
Symptom: One-way voice or no voice can occur after several calls.
Reason: The RTP ports are not set correctly in the Port forwarding settings in the Router.
Countermeasure: This setting should be applied on SBC port settings (Use 35000 to 35999).
It is also required that these ports should be port-forwarded to the SBC by the main Router.
3.10 Session Border Controller (SBC) – SBC Programming(1).
The following items need to be set in the Mediatrix SBC:
• PBX IP address, SIP EXT Port No.
• SBC LAN IP Address/Subnet mask
• Main Router LAN IP Address/WAN IP Address
• Port Setting SIP/RTP
• Firewall allow SIP/RTP packet
NB:
All documents are available online on the Mediatrix Download Portal at
https://support.mediatrix.com/DownloadPlus/Download.asp.
Or on the web site at the following link
http://www.mediatrix.com/en/sessionbordercontroller Under the documentation tab.
3.10 Session Border Controller (SBC) – SBC Programming(2).
The SBC (LAN Only Mode) is used as a ‘device on a stick’.
Only one port (ET1 ~ ET4) needs to be connected to the LAN.
The ET0/WAN Port is NOT used and should not be connected to the Network.
(The ET0/WAN port is ‘virtualised’ and used internally by the SBC when configured in LAN SIParator
mode.)
NB: Do not Connect the
ET0/WAN port at any time!
3.10 Session Border Controller (SBC) – SBC Programming(3).
The SBC configuration needs to be changed from its default mode to LAN SIParator mode.
Due to the programming limitations of the device, the following sequence must be used:
1. Login to the SBC using the default IP Address (192.168.0.1)
2. Change the LAN Port IP-Address from 192.168.0.1 to 192.168.20.1 (Example)
The reason for this is that the SBC will not allow its ET0/WAN port to share the same IP Address
range as its LAN ports (ET1~4), so we must change the LAN port setting before proceeding with the
configuration.
3. Set the SBC to LAN SIParator Mode
(Ports ET1~ET4 will now share the same IP-Address as set for ET0/WAN – example 192.168.0.1)
4. The necessary SIP configuration can now be set
3.10 Session Border Controller (SBC) – SBC Programming(4).
1. Login to the SBC using the default IP Address (192.168.0.1)
User Name: admin
Password: admin
3.10 Session Border Controller (SBC) – SBC Programming(5).
2. Select ‘Network’ and change the LAN IP Address from default to 192.168.20.1 (Example)
1. Change LAN IP Address from default value.
2. Click ‘Apply’
3.10 Session Border Controller (SBC) – SBC Programming(6).
3. Re-configure your PC so that it lies within the same network as the SBC (192.168.20.10 Example) and
re-connect to the SBC (192.168.20.1) using your Web Browser. Then change the Active Profile.
1. Click to permanently save changes
2. Select ‘Overview’
3. Change profile to ‘Low’
4. Click ‘Change’
5. Click to permanently save changes
3.10 Session Border Controller (SBC) – SBC Programming(7).
4. Change the SBC Operating mode to LAN SIParator
1. Select ‘Network’
2. Select ‘LAN SIParator’ Mode
3. Set the IP Address and Subnet Mask of the SBC
4. Set the DNS and Default Gateway Address (Outside Router)
5. Set SIP RTP Ports (35000~35999) and the External (WAN) IP Address of the Outside Router.
3.10 Session Border Controller (SBC) – SBC Programming(8).
5. The SBC will now reconfigure itself to LAN SIParator mode;
1. Select ‘Save & Reboot’
The SBC will now reconfigure itself (approx 3min)
3.10 Session Border Controller (SBC) – SBC Programming(8).
6. Now that the SBC Mode and Network settings have been configured, the SIP Server settings can now
be made.
Login to the SBC using the newly configured IP Address (192.168.0.1 Example)
1. Select ‘Applications’ and SIP Server.
2. Select ‘All’ and check the box.
3. Click Apply.
4. Save ‘Permanently’
3.10 Session Border Controller (SBC) – SBC Programming(9).
7. Configure the ‘Authorised User’ credentials
1. Select ‘Applications’ and SIP Switch Advance.
3. Set the SIP Address, User ID and Password for each Remote User.
Example:
EXT: 301/ SIP Address: [email protected]/ User ID: 301/ Password: pass301
Where 192.169.0.101 is the IP-Address of the NS1000
3. Click Apply.
4. Save ‘Permanently’
3.10 Session Border Controller (SBC) – SBC Programming(10).
8. Configure the ‘Far End NAT Traversal’ options
1. Select ‘Applications’ and SIP Advanced.
2. Configure as shown..
3.10 Session Border Controller (SBC) – SBC Programming(11).
9. Configure the SIP Server UDP Port Number and advanced settings.
1. Change the SIP UDP Port to ‘15050’
NB: 5060 is not chosen as the SIP UDP port in order to reduce the risk of DOS/FLOOD attacks.
2. Configure as shown..
3.10 Session Border Controller (SBC) – SBC Programming(11).
10. Disable the ‘Trusted Networks’ parameter
1. Uncheck the box.
2. Click Apply.
The SBC Configuration is now complete!
4. Save ‘Permanently’
THE END.