Learn how to easily connect remote KX-UT Series SIP phones to NS1000 using a Mediatrix 501 Series SBC. Establish secure connections between offices without VPN. Detailed specifications, features, and network diagrams provided.
NS1000 ICMPR V2.01 Features
Session Border Controller
3.0 Session Border Controller (SBC) – Overview
• Remote KX-UT Series SIP phones can be connected easily to the NS1000 by using a Mediatrix 501 Series Session Border Controller (Firmware V5.35-M4).
• Once the KX-UT phone is suitably programmed, it can be connected to the LAN at the remote office, and a connection will be established with the NS1000 at the main office.
[Diagram labels: Remote Office; Main Office; Internet; NS1000; Perimeter Router; Mediatrix 501 SBC]
The SBC device assists in the NAT-Traversal process and can allow the connection of remote KX-UT terminals to the NS1000 without the need for a VPN.
NB: The supported SBC/NS1000v2 configuration is for the SBC to sit BEHIND the Perimeter Router/Firewall (i.e. LAN Interface Only).
3.1 Session Border Controller (SBC) – Specification
• KX-UT Series SIP Phones and 3rd Party SIP Phones which support Early Media functionality can be connected via the SBC.
• One NS1000 can be connected to one SBC device only.
• One SBC device can support up to 20 remote connections (simultaneous RTP streams).
• The NS1000 can support a maximum of 20 HTTP/HTTPS sessions (required to manage the Remote Extension).
• The eSBC501 is available in 5/10/20 session versions. (It is possible to register 20 Remote extensions on the NS1000 and use a 5 Session SBC; however, only 5 simultaneous call paths will be supported through the SBC.)
[Diagram labels: Remote Office; SIP/TR069(CWMP)/NTP; NS1000; KX-UT supported s/w: V1.160; KX-UTxxx (Max 20 simultaneous connections); Mediatrix eSBC 501]
NB: If CA or other applications are required at the Remote Office, a VPN will be required. The SBC supports KX-UT / SIP Phones only. IP-PTs (KX-NT3xx etc.) and SIP-based DECT are NOT supported by the SBC.
3.1.1 Session Border Controller (SBC) – Specification
Supported Features (Using V-UTEXT32 Card)
• Making and receiving a call
• Extension numbers are displayed
• External Caller ID is displayed (depending on system settings)
• Conversation with G.729, G.711 and G.722 (depending on Codec Priority settings)
• Placing and retrieving a call on HOLD
• Call TRANSFER
• Call FORWARD (V-UTEXT32 Only)
3.2 Session Border Controller (SBC) – Router Programming
• No special programming is required for the Remote Office Router.
• The Main Office Router needs Port Forwarding set for SIP(UDP), RTP(UDP), TR069(CWMP) and NTP.
[Diagram labels: Main Office; Remote Office; Internet; NS1000; SBC; "No additional programming required."; "Port Forwarding required."]
NB: No additional A/K is required in the NS1000 for the SBC.
3.3 Session Border Controller (SBC) – Network Diagram Example
• The example below shows a typical deployment.
[Diagram labels, in slide order: Head Office; Remote Office; MPR:192.168.1.101; DSP:192.168.1.102 (RTP); Netmask:255.255.255.0; DGW:192.168.1.1; SIP Extension Server:192.168.1.101:15060; LAN1:192.168.1.1; *WAN1: 61.xxx.xxx.xxx (Provided by ISP); Internet; *WAN2:210.xxx.xxx.xxx (Provided by ISP); LAN1:192.168.1.254; LAN2:192.168.0.254; Mediatrix SBC; PBX Extension; SIP Extension]
The Router requires Port Forward settings to allow incoming traffic to the SBC, e.g.
SIP(UDP) 15060 ---> 192.168.1.254
RTP(UDP) 12000 – 12031 ---> 192.168.1.254
Settings from Remote Office router (DHCP): IP:192.168.0.1, Netmask:255.255.255.0, DGW:192.168.0.254
Manual settings: *SIP Server 61.xxx.xxxx.xxx : 15060
*NB: IP addresses shown here are an example. In deployment, these addresses must be changed to the Global IP addresses provided by the ISP.
3.4 Session Border Controller (SBC) – What it does (1)
• The example below shows what the SBC device does to allow NAT Traversal.
[Diagram labels, in slide order: MPR:192.168.1.101; DSP:192.168.1.102 (RTP); Netmask:255.255.255.0; DGW:192.168.1.1; SIP Extension Server:192.168.1.101:15060; *WAN1: 61.xxx.xxx.xxx (Provided by ISP); LAN; LAN1:192.168.1.1; WAN; Internet; LAN1:192.168.1.254; *WAN2:210.xxx.xxx.xxxx (Provided by ISP); EXT201; LAN2:192.168.0.254; Mediatrix SBC; EXT301]
The typical problem in this scenario is that the necessary LAN IP addresses are embedded into the VoIP packet. The Routers add their own Global (WAN) IP addresses, with the result that the audio is not delivered correctly between the extensions (1-way voice etc.). The SBC and PBX record the communication path, and the SBC adds information to the packet so that the audio can be routed correctly. In this way, the problem scenario can be overcome.
Settings from Remote Office router (DHCP): IP:192.168.0.1, Netmask:255.255.255.0, DGW:192.168.0.254
Manual settings: *SIP Server 61.xxx.xxx.xxx : 15060
3.4 Session Border Controller (SBC) – What it does (2)
• The packet capture below illustrates how the SIP Message Header is used to route the call.
[Packet capture labels: Remote Router; HO EXT201; HO SBC; NS1000]
1. Call arrives from the Remote side, but has both a Global and a local IP Address.
2. SBC adds ‘VIA’ information and starts ‘managing’ the call.
3. NS1000 can route the call correctly based on the local IP Address.
NB: This is an EXAMPLE – the actual process is more complex!
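The address mismatch described in slides 3.4 (1) and (2) can be seen directly in a captured SIP message. The following is an added example, not part of the original slides: the INVITE is constructed, 192.168.0.1 is the remote phone's LAN address from the slide example, and 203.0.113.10 / 198.51.100.20 are documentation placeholders standing in for the 210.xxx and 61.xxx WAN addresses.

```python
import ipaddress
import re

# Constructed INVITE from remote extension 301 (LAN IP 192.168.0.1 on the
# slides). 203.0.113.10 and 198.51.100.20 are placeholder WAN addresses for
# the remote and head-office routers; they are not values from the page.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:201@198.51.100.20:15060 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.0.1:5060;branch=z9hG4bK-constructed;rport",
    "From: <sip:301@198.51.100.20>;tag=a1",
    "To: <sip:201@198.51.100.20>",
    "Call-ID: constructed-1@192.168.0.1",
    "CSeq: 1 INVITE",
    "Contact: <sip:301@192.168.0.1:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.0.1",
    "s=-",
    "c=IN IP4 192.168.0.1",
    "t=0 0",
    "m=audio 16000 RTP/AVP 18 0",
    "",
])

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FIELDS = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/UDP\s+" + IPV4, re.I | re.M),
    "Contact": re.compile(r"^Contact:.*?@" + IPV4, re.I | re.M),
    "SDP c=": re.compile(r"^c=IN IP4 " + IPV4, re.M),
}

def nat_mismatches(message: str, packet_source_ip: str):
    """Return (field, embedded_ip) pairs where the SIP/SDP text advertises a
    private address that differs from the IP the packet actually came from."""
    source = ipaddress.ip_address(packet_source_ip)
    findings = []
    for field, pattern in FIELDS.items():
        for match in pattern.finditer(message):
            embedded = ipaddress.ip_address(match.group(1))
            if embedded.is_private and embedded != source:
                findings.append((field, str(embedded)))
    return findings

if __name__ == "__main__":
    for field, ip in nat_mismatches(SAMPLE_INVITE, "203.0.113.10"):
        print(f"{field}: advertises {ip}, not reachable from the head office")
```

The `SDP c=` finding is the one behind one-way audio: it tells the far end where to send RTP, and a private address there cannot be reached across the Internet.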
3.5 Session Border Controller (SBC) – NS1000 Programming(1) – Port Numbers.
• Port Number parameters (UDP/HTTP/HTTPS etc.) are set as a Site Property.
Configuration -> Slot -> Virtual -> Site Property -> Main -> Port Number.
NB: The values shown here are the ‘default’ values programmed in the NS1000 Unit.
3.5 Session Border Controller (SBC) – NS1000 Programming (2) – SIP Extension Ports / Server IP Address.
• ‘Remote’ extension parameters (Head Office Router IP Address etc.) are set as a Site Property.
Configuration -> Slot -> Virtual -> Site Property -> Main -> SIP Extension.
[Screenshot callouts: Set WAN side IP address of HQ’s Router (In this example; 66.199.255.186); field values shown as 61.xxx.xxx.xxx; Set port forward to NS1000 (Default); Set port forward to SBC (Default)]
3.5 Session Border Controller (SBC) – NS1000 Programming(3) – Remote Extension Setting.
• Up to 20 KX-UT Extensions can be designated as ‘Remote’.
• These Extensions will be controlled via the SBC.
• ALL RTP traffic for the Remote Extension will pass through the SBC (No P2P).
Configuration -> Slot -> Virtual -> VUTEXT32 -> Port Property -> Remote Place.
[Screenshot callouts: HTTPS; MAX 20 EXT can be assigned as remote terminal; Enable Remote]
3.5 Session Border Controller (SBC) – NS1000 Programming(4) – Remote Extension Setting.
• Please consider the bandwidth requirements / availability of the Remote Location. It may be better to use a Codec which requires less bandwidth, such as G.729.
Configuration -> Slot -> Virtual -> VUTEXT32 -> Port Property -> Option.
3.5 Session Border Controller (SBC) – NS1000 Programming(5) – Remote Extension Setting.
• Enable ‘Bandwidth Control’ for the P2P Group that the Remote Extension belongs to.
3. Group -> 10. P2P Group -> Bandwidth Control
Click ‘OK’.
3.5 Session Border Controller (SBC) – NS1000 Programming(6) – Remote Extension Setting.
• Configure the Codec priority to be used by the Remote Extension.
• Please consider the available bandwidth at the remote site (G.729 uses less bandwidth than G.711)!
Configuration -> 2. System -> 9. System Options -> Option 7.
Click ‘Apply’.
3.6 Session Border Controller (SBC) – UT Programming(1) – Remote Extension Deployment.
There are TWO methods available for UT Deployment:
1. Register the Remote UT Extension locally at the NS1000 site and then move the extension to the remote location. When the UT phone is registered at the NS1000 site, its configuration (including SBC and WAN settings etc.) will be downloaded directly from the NS1000.
2. Transfer the Configuration file stored on the NS1000 to the UT Phone which is ALREADY located at the remote site.
The two methods are described in the following slides.
3.6 Session Border Controller (SBC) – UT Programming(2) – Remote Extension Deployment.
Method 1 – Local Registration to NS1000
1. Register the desired UT Extension to the NS1000, using a V-UTEXT32 card.
2. After configuring the UT Settings described in the previous slides, ‘APPLY’ the settings and then RESET the UT Phone (either by IP RESET on the Phone display or by Power OFF/ON). The UT will then restart and download the updated configuration from the NS1000.
3. The UT Phone will display;
4. The UT Phone can now be transferred to the Remote Site and connected to the Local Router. When connected, the UT Phone will display (Example)
[Phone display text shown on the slide: "Connection Error (90002) Check Server and Set it."; "29 OCT 12:00 SUN 351"]
3.6 Session Border Controller (SBC) – UT Programming(3) – Remote Extension Registration.
• ‘Remote’ extensions will have the same IP Address as the SBC device.
Configuration -> Slot -> Virtual -> VUTEXT32 -> Port Property -> Main.
[Screenshot value: 192.168.1.254]
3.6 Session Border Controller (SBC) – UT Programming(4) – Remote Extension Deployment.
Method 2 – Remote Registration using NS1000 Configuration File (1)
1. After configuring the UT Settings described in the previous slides, “Save” the settings to the NS1000. (NB: The UT does not need to be registered to the NS1000 at this time.)
2. The “UT_ACS_HTTPS_01NS1000.cfg” file must now be generated by the NS1000. This is only done at system startup, so you must now Restart (Reset) the NS1000.
Maintenance -> System Control -> 4. System Reset -> Backup -> “OK”
3.6 Session Border Controller (SBC) – UT Programming(5) – Remote Extension Deployment.
Method 2 – Remote Registration using NS1000 Configuration File (2)
3. After the NS1000 has restarted, the “UT_ACS_HTTPS_01NS1000.cfg” file will have been created. This file can now be transferred PBX -> PC.
4. Maintenance -> Utility -> 2. File Transfer PBX to PC -> “Transfer”
3.6 Session Border Controller (SBC) – UT Programming(6) – Remote Extension Deployment.
Method 2 – Remote Registration using NS1000 Configuration File (3)
5. Connect the UT phone at the remote site and turn on the built-in Web-Portal using the keys [#, 5, 3, 4] and select ‘ON’.
6. Using the Browser of your PC, access the UT Web-Portal (Example http://192.168.10.1). The Default Installer Logon Details are Username: instoperatoruserid, Password: instpass
7. Using the ‘Maintenance’ Tab, browse to the Config file and click ‘Import’.
3.6 Session Border Controller (SBC) – UT Programming(7) – Remote Extension Deployment.
Method 2 – Remote Registration using NS1000 Configuration File (4)
• The UT phone can now be registered to the NS1000 system using the standard ‘Manual’ or ‘Automatic’ Registration methods (NB: UT Phones do not support Extension Number Registration).
Example;
3.7 Session Border Controller (SBC) – NS1000 Programming(Reference).
• The following parameters will be set to the KX-UT when it has been registered to the NS1000.
a. Setting parameters of Remote SIP-MLT
3.7 Session Border Controller (SBC) – NS1000 Programming(Reference).
• The following parameters will be set to the KX-UT when it has been registered to the NS1000 (Cont.).
b. Networking Survivability, assigned to Remote SIP-MLT (for Secondary NS)
c. Control Condition of Remote SIP-MLT
3.7 Session Border Controller (SBC) – NS1000 Programming(Reference).
• Port Setting for the NS1000 PBX
Configuration -> Slot -> Virtual -> Site Property -> Main -> Port Number.
3.8 Session Border Controller (SBC) – Head Office Router Programming(1).
• The following port forwarding needs to be set in the Head Office Router.
NB: If the Port Forward settings are not made correctly, calling problems and/or audio problems will occur!
3.9 Session Border Controller (SBC) – Head Office Router Programming(2).
• Troubleshooting (1):
• There are two common problems associated with Perimeter Router configuration.
1. Denial Of Service (DOS) Attacks (also known as FLOOD attacks)
What happens is that the attacker sends many REGISTER requests, and the PBX gets tied up responding with “404 – Not Found” messages.
Countermeasure: Do not use 5060 as the standard SIP receiving port (use a less well known number).
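The flood symptom described above (many REGISTER requests answered with 404) can be confirmed from SIP logs before and after moving the port. This is an added example, not part of the original slides; the log line format and all addresses are constructed for illustration and are not the NS1000 or Mediatrix log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <source IP> REGISTER sip:<user>@pbx -> <status>"
LINE = re.compile(r"^(\S+) (\S+) REGISTER sip:(\S+) -> (\d{3})$")

def build_sample():
    """Constructed sample: one source probing 8 extensions in 8 seconds,
    plus a legitimate remote extension with a single failed attempt."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.50 "
        f"REGISTER sip:{100 + i}@pbx -> 404"
        for i in range(8)
    ]
    lines.append(f"{base.isoformat()} 203.0.113.10 REGISTER sip:310@pbx -> 404")
    lines.append(f"{(base + timedelta(seconds=2)).isoformat()} 203.0.113.10 "
                 "REGISTER sip:301@pbx -> 200")
    return sorted(lines)

def flood_sources(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {source_ip: peak_count} for sources whose REGISTER requests
    answered with 404 reached `threshold` within a sliding `window`."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peaks = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(4) != "404":
            continue
        ts, src = datetime.fromisoformat(m.group(1)), m.group(2)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

if __name__ == "__main__":
    for src, peak in flood_sources(build_sample()).items():
        print(f"{src}: {peak} REGISTER/404 within 10 s")
```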
3.9 Session Border Controller (SBC) – Head Office Router Programming(2).
• Troubleshooting (2):
2. One-Way or No Audio Problems
Symptom: One-way voice or no voice can occur after several calls.
Reason: The RTP ports are not set correctly in the Port forwarding settings in the Router.
Countermeasure: This setting should be applied on the SBC port settings (use 35000 to 35999). It is also required that these ports are port-forwarded to the SBC by the main Router.
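One way to check the countermeasure above is to compare the SBC's RTP range against the router's forwarding rules and list any ports left uncovered. This is an added example, not part of the original slides; the rule tuples are a constructed representation of a router's port-forward table, using the SBC address 192.168.1.254 and NS1000 address 192.168.1.101 from the slide example.

```python
def uncovered_rtp_ports(sbc_range, sbc_ip, forwards):
    """Return inclusive (first, last) sub-ranges of `sbc_range` that no UDP
    forwarding rule delivers to `sbc_ip`.

    forwards: iterable of (protocol, first_port, last_port, target_ip).
    """
    lo, hi = sbc_range
    covered = sorted(
        (max(first, lo), min(last, hi))
        for proto, first, last, target in forwards
        if proto.lower() == "udp" and target == sbc_ip
        and first <= hi and last >= lo
    )
    gaps, cursor = [], lo
    for first, last in covered:
        if first > cursor:
            gaps.append((cursor, first - 1))
        cursor = max(cursor, last + 1)
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps

# Constructed rule set: the upper half of the RTP range points at the PBX
# instead of the SBC, so calls allocated ports there lose inbound audio.
SAMPLE_FORWARDS = [
    ("udp", 15060, 15060, "192.168.1.254"),   # SIP to the SBC
    ("udp", 35000, 35499, "192.168.1.254"),   # RTP, lower half, to the SBC
    ("udp", 35500, 35999, "192.168.1.101"),   # RTP, upper half, wrong target
]

if __name__ == "__main__":
    for first, last in uncovered_rtp_ports((35000, 35999), "192.168.1.254",
                                           SAMPLE_FORWARDS):
        print(f"UDP {first}-{last} is not forwarded to the SBC")
```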
3.10 Session Border Controller (SBC) – SBC Programming(1).
The following items need to be set in the Mediatrix SBC:
• PBX IP address, SIP EXT Port No.
• SBC LAN IP Address/Subnet mask
• Main Router LAN IP Address/WAN IP Address
• Port Setting SIP/RTP
• Firewall: allow SIP/RTP packets
NB: All documents are available online on the Mediatrix Download Portal at https://support.mediatrix.com/DownloadPlus/Download.asp, or on the web site at http://www.mediatrix.com/en/sessionbordercontroller under the Documentation tab.
3.10 Session Border Controller (SBC) – SBC Programming(2).
The SBC (LAN Only Mode) is used as a ‘device on a stick’. Only one port (ET1 ~ ET4) needs to be connected to the LAN. The ET0/WAN Port is NOT used and should not be connected to the Network. (The ET0/WAN port is ‘virtualised’ and used internally by the SBC when configured in LAN SIParator mode.)
NB: Do not connect the ET0/WAN port at any time!
3.10 Session Border Controller (SBC) – SBC Programming(3).
The SBC configuration needs to be changed from its default mode to LAN SIParator mode. Due to the programming limitations of the device, the following sequence must be used:
1. Login to the SBC using the default IP Address (192.168.0.1).
2. Change the LAN Port IP-Address from 192.168.0.1 to 192.168.20.1 (Example). The reason for this is that the SBC will not allow its ET0/WAN port to share the same IP Address range as its LAN ports (ET1~4), so we must change the LAN port setting before proceeding with the configuration.
3. Set the SBC to LAN SIParator Mode (Ports ET1~ET4 will now share the same IP-Address as set for ET0/WAN – example 192.168.0.1).
4. The necessary SIP configuration can now be set.
3.10 Session Border Controller (SBC) – SBC Programming(4).
1. Login to the SBC using the default IP Address (192.168.0.1).
User Name: admin
Password: admin
3.10 Session Border Controller (SBC) – SBC Programming(5).
2. Select ‘Network’ and change the LAN IP Address from default to 192.168.20.1 (Example).
   1. Change LAN IP Address from default value.
   2. Click ‘Apply’.
3.10 Session Border Controller (SBC) – SBC Programming(6).
3. Re-configure your PC so that it lies within the same network as the SBC (192.168.20.10 Example) and re-connect to the SBC (192.168.20.1) using your Web Browser. Then change the Active Profile.
   1. Click to permanently save changes.
   2. Select ‘Overview’.
   3. Change profile to ‘Low’.
   4. Click ‘Change’.
   5. Click to permanently save changes.
3.10 Session Border Controller (SBC) – SBC Programming(7).
4. Change the SBC Operating mode to LAN SIParator.
   1. Select ‘Network’.
   2. Select ‘LAN SIParator’ Mode.
   3. Set the IP Address and Subnet Mask of the SBC.
   4. Set the DNS and Default Gateway Address (Outside Router).
   5. Set SIP RTP Ports (35000~35999) and the External (WAN) IP Address of the Outside Router.
3.10 Session Border Controller (SBC) – SBC Programming(8).
5. The SBC will now reconfigure itself to LAN SIParator mode.
   1. Select ‘Save & Reboot’.
The SBC will now reconfigure itself (approx. 3 min).
3.10 Session Border Controller (SBC) – SBC Programming(8).
6. Now that the SBC Mode and Network settings have been configured, the SIP Server settings can be made. Login to the SBC using the newly configured IP Address (192.168.0.1 Example).
   1. Select ‘Applications’ and SIP Server.
   2. Select ‘All’ and check the box.
   3. Click Apply.
   4. Save ‘Permanently’.
3.10 Session Border Controller (SBC) – SBC Programming(9).
7. Configure the ‘Authorised User’ credentials.
   1. Select ‘Applications’ and SIP Switch Advance.
   2. Set the SIP Address, User ID and Password for each Remote User. Example: EXT: 301 / SIP Address: 301@192.168.0.101 / User ID: 301 / Password: pass301, where 192.168.0.101 is the IP-Address of the NS1000.
   3. Click Apply.
   4. Save ‘Permanently’.
3.10 Session Border Controller (SBC) – SBC Programming(10).
8. Configure the ‘Far End NAT Traversal’ options.
   1. Select ‘Applications’ and SIP Advanced.
   2. Configure as shown.
3.10 Session Border Controller (SBC) – SBC Programming(11).
9. Configure the SIP Server UDP Port Number and advanced settings.
   1. Change the SIP UDP Port to ‘15050’.
   2. Configure as shown.
NB: 5060 is not chosen as the SIP UDP port in order to reduce the risk of DOS/FLOOD attacks.
3.10 Session Border Controller (SBC) – SBC Programming(11).
10. Disable the ‘Trusted Networks’ parameter.
   1. Uncheck the box.
   2. Click Apply.
   3. Save ‘Permanently’.
The SBC Configuration is now complete!