
Application Notes for Ingate SIParator using Remote SIP Phones


Issue: 1.0
Date: February 11, 2009
Abstract: In this application, the 3Com VCX solution is the IP-PBX and SIP Domain Server. It is the call control server processing the phone features and PBX functionality required for an enterprise. It resides on the private LAN segment of the enterprise, away from the Internet and protected by the Ingate from any malicious attacks. The Ingate SIParator sits on the Enterprise network edge, providing a security solution for data and SIP communications with E-SBC functionality. It is responsible for all SIP communications security by providing Policy and Routing Rules to allow specific SIP traffic intended for the Enterprise. The SIP Phones can be of any vendor type, located anywhere across the Internet or any remote networks.

3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION


Table of Contents
Revision History
References
Objective
Ingate Systems
  Ingate Product Overview
    Ingate SIParators
    Ingate add-on software modules and licenses
    Background
  Technical Specifications
    Ingate SIParator Models 19, 50, 55, 65 and 90
    Ingate SIParator Technical Details
    Ingate SIParator Pictures
    Ingate SIParator Product Features:
Configuration Technical Details
  How it Works
Software Revisions
  Software Requirements
  Tool Requirements
Installation Overview
Network Topology
Testing Observations
Configuration Details
  VCX Configuration
  Ingate Configuration Details
    Ingate Startup Tool
    Connecting the Ingate Firewall/SIParator
    Using the Startup Tool
    Configure the Unit for the First Time
    Change or Update Configuration
    Network Topology
    Product Type: Firewall
    Product Type: Standalone
    Product Type: DMZ SIParator
    Product Type: DMZ-LAN SIParator
    Product Type: LAN SIParator
    IP-PBX
    Upload Configuration
    Manual Configuration Steps
Verification Tests
Product Support
  Ingate Product Support:
  3COM product support:
Conclusion


Revision History
Revision: 1.0
Date: 11/02/2009
Author: Scott Beer
Reason for change: Doc Creation

References
Date Document Name Revision Company


Objective
The 3Com VCX Connect solution offers organizations with up to 250 phone users an economical IP telephony and messaging platform that delivers powerful phone features and supports multimedia communications based on Session Initiation Protocol (SIP). The platform's practical design and affordability help businesses replace antiquated PBXs with VoIP solutions that handle unified voicemail/email messaging (a standard feature).

The 3Com VCX Connect solution allows for the connectivity and use of a wide variety of SIP Phones, both desk phones and soft-phones. These SIP Phones can be 3Com Business Phones or phones from a number of different vendors. They can be located on the Enterprise LAN, abroad over the Internet, or in Remote/Home Offices. In this application, the focus is on support for Remote/Home Office SIP Phones.

Ingate SIParators are Enterprise level SIP Session Border Controllers (E-SBC) and SIP Security devices: a powerful tool that offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications based on Session Initiation Protocol (SIP). With the SIParator, even the largest of businesses, with branch offices around the world and remote workers, can easily harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology.

In this application, above and beyond the E-SBC capabilities that the Ingate products provide, the SIParator provides a number of additional features to enable remote SIP Phone connectivity to the 3Com VCX Connect solution. The Ingate products offer the Remote SIP Connectivity Module, which includes features such as Far End NAT Traversal and a STUN Server. These features allow the Ingate to overcome NAT issues on the far end of the call.


Ingate Systems
Ingate Systems AB is a Stockholm, Sweden based high-tech company that designs, develops, manufactures and markets leading data communications products for trusted Unified Communications. Ingate designed the world's first Session Initiation Protocol (SIP)-capable firewalls and SIParators, products that enable Unified Communications over the Internet.

Unified Communications, with applications such as Internet telephony, presence indication, instant messaging, and audio/video conferencing, are modern and powerful business tools that enable enterprises to maintain reliable IP communications internally and externally. As more businesses utilize these applications, service providers are offering SIP trunks to connect Local Area Networks to the outer world via Internet and/or dedicated, managed IP-lines.

The enterprise Session Border Controller (Firewall) needs to manage all incoming and outgoing traffic securely. Authorized traffic based on SIP needs to pass through the Session Border Controller in a controlled manner, reaching SIP units inside and outside the LAN. Ingate's Session Border Controllers are compatible with existing networks, and allow businesses to utilize the cost and time saving benefits of IP-based real-time communications with minimum investment.

Ingate's leading products are marketed through world leading distributors, Value Added resellers and OEMs on all continents. Ingate has development facilities in Linköping, Sweden and a wholly owned subsidiary in the United States. We work long-term on our development projects and customer relations, as well as in the development and training of our employees.


Ingate Product Overview


Ingate SIParators are compatible with all existing networks and come standard with a SIP proxy and a SIP registrar. They have support for NAT and PAT as well as for TLS and SRTP to encrypt both SIP signaling and media, eliminating the security issue most commonly associated with using enterprise VoIP. Ingate SIParators come in a range of sizes to meet enterprise needs from home office to large enterprise, and have been cited by users and media for ease of use. The flexible system of add-on software modules allows any enterprise to create the SIParator solution that exactly fits the need of the company for the moment.

Ingate SIParators
The Ingate SIParator is a device that connects to an existing firewall to seamlessly allow the traversal of SIP-based communications. Ingate SIParators are compatible with all existing firewalls and operating systems.

Ingate add-on software modules and licenses


Ingate's suite of software modules and the flexible licensing system give any enterprise the flexibility to create the firewall/SIParator that solves their specific need for the moment. All modules and licenses can be added at any time.

Background
Ingate's security technology dates back to 1996, and since 2001 SIP has been in focus when designing our award winning firewall products, making Ingate the only choice for enterprises planning for a secure, flexible and interoperable communication solution. Ingate products are a perfect fit for any SIP based VoIP/UC installation.


Technical Specifications
Ingate SIParator Models 19, 50, 55, 65 and 90
The Ingate SIParator 19 has three ports, and with different units this can be scaled up to 6 ports with two Fiber ports on the SIParator 90, providing a scalable solution to meet the needs of enterprise environments of any size. The management interface for the products is the same Web-based Graphical User Interface (GUI) that has been cited by Ingate customers and the media for ease-of-use. All Ingate SIParators are fully featured, supporting stateful inspection and packet filtering with rules defined and maintained by the network security administrator utilizing the GUI. The SIParators can be configured as a part of the DMZ or in a standalone mode. In both cases, the benefits of SIP-based communications can be added to the network quickly and easily.

Trusted Network Security for VoIP
The Ingate SIParator SIP Proxy architecture grants fully secure traversal of the SIP traffic. The ports for the media streams are only opened between the specific parties of a call and only for the duration of the call. The SIP proxy inspects the SIP packets before sending them on. TLS and SRTP encryption ensures privacy when communicating, making call eavesdropping, call hijacking and call spoofing harder to do. Ingate also supports authentication of users and servers.

Support for SIP Trunking
More and more Internet Service Providers offer a SIP trunk, a combined Internet and voice connection. For enterprises using an IP-PBX, SIP trunks are an ideal cost-saving solution as they no longer need local PSTN gateways or costly PRIs/BRIs. The service provider provides the PSTN connection. However, in order for SIP trunks to be successful, SIP traffic (as well as all other data traffic) must be able to traverse the enterprise firewall. Ingate's SIP Trunking software module, available for Ingate SIParators, enables firewall and NAT traversal using the built-in SIP proxy, allowing the enterprise to connect to the SIP trunk. In addition, Ingate SIParators and the Ingate SIP proxy deliver advanced security for all SIP communications, including those via a SIP trunk. Ingate products also help ease compatibility issues between the IP-PBX and Internet telephony service provider.


Choose the Right Features for Your Network
Ingate offers several other add-on software modules that allow you to tailor the SIParator to meet the specific demands of your business. Ingate Quality of Service (QoS) sets priorities for different kinds of data and allocates bandwidth for varied purposes, for instance giving priority to VoIP. Ingate Remote SIP Connectivity extends the SIP capabilities of the enterprise to employees working remotely (home office workers, road warriors, etc.). Remote SIP Connectivity manages the traversal of the remote NAT from the central Ingate SIParators and also includes a STUN server. Ingate Enhanced Security Module provides Intrusion Detection and Intrusion Prevention for SIP as well as encryption of the communication. The SIP Registrar Module allows for making the Ingate Registrar the primary registration server.

Add Global VoIP Connectivity to your IP-PBX
The SIParator opens up a world of possibilities and cost savings when used with a SIP based IP-PBX. Businesses can route telephone calls via IP, not only between branch offices and home workers, but also to offices and other users using SIP-based Internet telephony. No longer limited to telephony voice, communication can also include video, instant messaging, presence and more. In addition, the SIParator makes it possible for home workers, road warriors and even branch offices to belong to the same central IP-PBX with the highest level of security. The SIParator also affords the possibility to set up a private VoIP network, if preferred. Advanced IP-PBX functions are supported, such as call transfer, call hold, and voicemail. Global connectivity is assured with the Remote SIP Connectivity Module, which provides Far End NAT Traversal solutions.


Ingate SIParator Technical Details


Ingate SIParator Pictures

Ingate SIParator 19

Ingate SIParator 50, 55 and 65

Ingate SIParator 90


Ingate SIParator Product Features:


Product Specifications / Tested Features

Physical Interface
  WAN 10/100Base-T ports (RJ-45): Yes
  LAN 10/100Base-T ports (RJ-45): Yes
VoIP Protocol
  SIP Protocol: Yes
  SIP Proxy: Yes
  SIP B2BUA: Yes
  SIP Registrar: Yes
  SIP NAT/PAT Traffic: Yes
  TLS Transport: N/T
  SRTP Encryption: N/T
  Far End NAT Traversal: Yes
  Advanced SIP Routing: Yes
  VoIP Survival: N/T
  Number of Concurrent RTP Sessions: 40 (Model 19)
  Number of Concurrent Encrypted RTP Sessions: N/T
Quality of Service
  DiffServ Packet Marking and Recognition: N/T
  Call Admission Control: N/T
  Traffic Monitoring: N/T
  VLAN (802.1 p/q): N/T
Administration
  CLI: Yes
  Web-based GUI: Yes
  Email Alerts (SMTP): N/T
  SNMP v3: N/T
  SYSLOG Logging: N/T
DHCP
  Client: N/T
  Server: N/T
  Relay: N/T

Security Firewall
  Stateful Inspection Firewall
  DoS Protection
  SIP Traffic IDS/IPS
  Access Control Lists
  ALGs
Network Address Translation
  Basic NAT (1:1), NAPT (Many:1), and Port Translation
  NAT-compatible SIP ALG
Secure Management
  Multi-level access control
  RADIUS AAA
  Port Authentication (802.1x)
  SSH CLI
VPN
  IPSec Tunnel
  Encryption 3DES AES NULL MD5 SHA1
  Authentication Mechanisms XAUTH Digital certificates Pre-Shared Keys Secure ID
  PPTP Server
  Number of VPN Tunnels
Troubleshooting
  PING
  Traceroute
  TCPdump utilities
  Packet Capture
  System Logging
Tested Features: Yes Yes N/T Yes Yes (SIP) Yes Yes Yes N/T Yes N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T Yes Yes Yes Yes Yes


Configuration Technical Details


How it Works
The 3Com 3102 Business Phones are SIP Phones and can be deployed anywhere over the Internet: in Branch Offices, in Home Offices and by Road Warriors. Other vendors' SIP Phones can also be used, as SIP is an open standard.

The VCX Connect IP-PBX is the SIP Domain Server, meaning that all SIP Phones communicate with the VCX Connect IP-PBX for communication services. The VCX Connect IP-PBX has a SIP Domain that should be a Fully Qualified Domain Name (FQDN), for example vcx.sipdomain.com. This allows SIP Phones and devices to resolve the FQDN to an IP address, which directs them to the VCX Connect for communication services. However, the VCX Connect's IP Address is a Private IP Address on the Enterprise LAN.

The Ingate is the enterprise Session Border Controller (Firewall) that manages all incoming and outgoing SIP traffic from the Internet. It authorizes traffic based on SIP policies to pass through the Session Border Controller in a controlled manner, reaching SIP Phones and IP-PBXs inside and outside the LAN. Over the Public Internet, the VCX Connect IP-PBX SIP Domain FQDN resolves to the Ingate public interface, as the VCX Connect IP-PBX is located on the private LAN of the Enterprise. The Ingate then controls the VCX Connect's SIP Domain and forwards SIP traffic for this domain to the VCX Connect IP-PBX and out to the various remote phones.

The Ingate SIParator performs one additional function to assist remote Branch Offices, Home Offices and Road Warriors: the Remote SIP Connectivity Module offers a Far End NAT Traversal feature that allows SIP Phones and devices to connect through remote NAT Firewalls.


Example Network Configuration

3Com VCX Connect Primary Controller
  Domain: vcx.sipdomain.com
  IP Address: 10.51.77.11
3Com VCX Connect Secondary Controller
  Domain: vcx.sipdomain.com
  IP Address: 10.51.77.22
Ingate SIParator
  Domain: vcx.sipdomain.com
  WAN IP Address: 66.253.67.112
  (For Remote 3Com Business Phones)
  Domain: vcx2.sipdomain.com
  WAN IP Address: 66.253.67.113
  -------
  LAN IP Address: 10.51.77.100
  LAN IP Address: 10.51.77.101
3Com Business Phones
  Primary Server: 66.253.67.112
  Secondary Server: 66.253.67.113
Other SIP Phones
  SIP Server: vcx.sipdomain.com


Software Revisions
Vendor: Ingate Systems; 3Com; 3Com
Product Model: SIParator 19; VCX; 3102 Business Phone
Version: 4.7.1

Software Requirements
Vendor Product Model Version

Tool Requirements
Vendor: Wireshark Foundation
Product Model: Wireshark
Version: 1.0.6


Installation Overview
The 3Com VCX Connect solution offers organizations with up to 250 phone users an economical IP telephony and messaging platform that delivers powerful phone features and supports multimedia communications based on Session Initiation Protocol (SIP). The platform's practical design and affordability help businesses replace antiquated PBXs with VoIP solutions that handle unified voicemail/email messaging (a standard feature), support a full range of IP phones and interoperate with the PSTN.

In this application the 3Com VCX is located on the private LAN network of the enterprise. Within this enterprise the 3Com VCX is servicing applications such as User Extensions, Call Center applications, PSTN access, User Voicemail, Auto-Attendant/IVR applications and more. Local Users are serviced by the 3Com VCX on the private LAN network. The 3Com VCX becomes the SIP Domain Server for all of the SIP Phones.

The 3Com VCX Connect solution allows for the connectivity and use of a wide variety of SIP Phones, both desk phones and soft-phones. These SIP Phones can be from a number of different vendors, such as 3Com, Polycom, Aastra, Counterpath and GrandStream. They can be located on the Enterprise LAN, abroad over the Internet, or in Remote/Home Offices.

In this application, these SIP Phones are located outside of the private LAN of the enterprise but continue to be serviced by the 3Com VCX. This extends the ability of the 3Com VCX to provide user extensions remotely anywhere over the Internet. Although these SIP Phones are not co-located with the 3Com VCX, they behave and appear as if they were, essentially extending the features of the 3Com VCX to Remote Offices, Home Offices, and Road Warriors.

Ingate SIParators are Enterprise level SIP Session Border Controllers (E-SBC) and SIP Security devices: a powerful tool that offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications based on Session Initiation Protocol (SIP). With the SIParator, even the largest of businesses, with branch offices around the world and remote workers, can easily harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology.

In this application, the Ingate SIParators are utilizing E-SBC capabilities to ensure SIP VoIP communications with the remote SIP phones to provide access to the 3Com VCX. The Ingate products are providing E-SBC functionality such as SIP Routing Rules, SIP Security Policies, SIP Protocol compliance, Far End & Near End NAT Traversal and more to provide reliable SIP communications with the remote SIP phones.


Network Topology
Ingate SIParator Topology

Ingate SIParator Topology with 3Com Business Phones


Testing Observations
1. SIP Trunking and Remote 3Com SIP Phone Deployment Overlap Issues

For SIP Trunking applications the Ingate is a Trusted Endpoint on the VCX Connect IP-PBX. This ensures that incoming SIP Trunking traffic from the various ITSPs via the Ingate is not authenticated by the 3Com VCX Connect IP-PBX. The overlap is that Remote SIP Phones should be authenticated by the VCX Connect IP-PBX for security purposes, which means that the Ingate's IP Address should not be a Trusted Endpoint.

As a result of deploying SIP Trunking and Remote SIP Phones on the same Ingate, special configuration is required to have SIP Trunking as a Trusted Endpoint and Remote SIP Phone support as a Non-Trusted Endpoint. An additional WAN IP Address on the Ingate is needed to separate the handling of the SIP Trunking traffic from the handling of the Remote 3Com SIP Phone traffic. With two WAN IP Addresses, the SIP Trunking is directed to one IP address and the Remote SIP Phone traffic is directed to the other. The Ingate can then apply other Routing policies to change the source IP address from the Ingate to the VCX Connect based on the WAN IP addresses.

2. No FQDN Support on 3Com Business Phones

The 3Com Business Phones cannot accept an FQDN as a SIP Server address; only an IP Address is allowed, so the Public IP Address of the Ingate SIParator is entered. A Dial Plan or DNS Override for SIP Requests must be created to direct traffic from the WAN IP Address of the Ingate to the VCX Connect IP-PBX.

Note: Dial Plan and DNS Override are mutually exclusive; you program one or the other. DNS Override will take precedence over the Dial Plan.

Other SIP Phones: typically, SIP Phones can be programmed with a complete FQDN as the SIP Domain or Server. In this case the Ingate can use DNS Override for SIP Requests to relay the VCX Connect's SIP Domain to the VCX Connect IP-PBX IP address.

3. Secondary VCX on 3Com Business Phones

As noted above, the 3Com Business Phones cannot accept an FQDN as a SIP Server address; only an IP Address is allowed, so the Public IP Address of the Ingate SIParator is entered for the Primary VCX Connect controller. For the Secondary VCX Controller, a second (different) Public IP Address is required. The Ingate will then have one WAN IP Address to direct traffic to the Primary VCX Connect controller, and a second WAN IP Address to direct traffic to the Secondary VCX Connect controller.

Note: Be sure these IP Addresses do not conflict with the Ingate WAN IP Address used for SIP Trunking.

Other SIP Phones: typically, SIP Phones can be programmed with a complete FQDN as the SIP Domain or Server. In this case the Ingate can use DNS Override for SIP Requests to relay the SIP Domain to the VCX Connect Primary controller IP address, and also have a second entry for the same SIP Domain to forward to the secondary VCX controller.
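The trust split described in observations 1 and 3 can be checked mechanically. The following Python audit is an added example, not part of the original application notes: it verifies that remote-phone traffic never reaches the VCX from a Trusted Endpoint address, that trusted entries use a host mask, and that trunk and phone traffic do not share a WAN address. The trunk WAN address 203.0.113.10, the assignment of the two LAN addresses to trunk and phone traffic, and all names in the code are assumptions for illustration; the remaining addresses are those of the Example Network Configuration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One SIParator WAN address and how its SIP traffic is presented to the VCX."""
    name: str
    role: str         # "trunk" (ITSP traffic) or "remote-phone"
    wan_ip: str       # public address the far end sends SIP to
    lan_source: str   # source address the VCX sees once the Ingate forwards it
    vcx_target: str   # VCX controller that receives the traffic


def audit(flows, trusted_entries):
    """Return (code, detail) findings; an empty list means the split is sound.

    trusted_entries are (ip, netmask) pairs as typed into the VCX
    Trusted End Point form.
    """
    findings = []
    nets = []
    for ip, mask in trusted_entries:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        nets.append(net)
        # The notes call for a host mask; anything wider trusts neighbours too.
        if net.prefixlen != net.max_prefixlen:
            findings.append(("WIDE_MASK",
                             f"{ip}/{mask} trusts {net.num_addresses} addresses"))

    by_wan = {}
    for flow in flows:
        trusted = any(ipaddress.ip_address(flow.lan_source) in n for n in nets)
        if flow.role == "remote-phone" and trusted:
            # Registrations arriving from the Internet would skip VCX authentication.
            findings.append(("PHONE_TRUSTED",
                             f"{flow.name} arrives from trusted {flow.lan_source}"))
        if flow.role == "trunk" and not trusted:
            findings.append(("TRUNK_UNTRUSTED",
                             f"{flow.name} source {flow.lan_source} is not trusted"))
        first = by_wan.setdefault(flow.wan_ip, flow)
        if first.role != flow.role:
            # Trunk and phone traffic on one WAN address cannot be separated.
            findings.append(("WAN_SHARED",
                             f"{flow.name} shares {flow.wan_ip} with {first.name}"))
    return findings


def codes(findings):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in findings]


# Constructed sample configuration. 203.0.113.10 is a documentation-range
# placeholder for the trunk WAN address; which LAN address carries which
# traffic is an assumption made for this example.
FLOWS = [
    Flow("sip-trunk", "trunk", "203.0.113.10", "10.51.77.100", "10.51.77.11"),
    Flow("phones-primary", "remote-phone", "66.253.67.112", "10.51.77.101", "10.51.77.11"),
    Flow("phones-secondary", "remote-phone", "66.253.67.113", "10.51.77.101", "10.51.77.22"),
]
TRUSTED = [("10.51.77.100", "255.255.255.255")]

# The overlap case from observation 1: one WAN and one LAN address for everything.
SINGLE_ADDRESS_FLOWS = [
    Flow("sip-trunk", "trunk", "66.253.67.112", "10.51.77.100", "10.51.77.11"),
    Flow("phones-primary", "remote-phone", "66.253.67.112", "10.51.77.100", "10.51.77.11"),
]

if __name__ == "__main__":
    cases = [
        ("split addresses, host mask", FLOWS, TRUSTED),
        ("split addresses, /24 mask", FLOWS, [("10.51.77.100", "255.255.255.0")]),
        ("single shared address", SINGLE_ADDRESS_FLOWS, TRUSTED),
    ]
    for label, flows, trusted in cases:
        print(label)
        for code, detail in audit(flows, trusted) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
```

The /24 case shows why the Trusted End Point netmask matters: a wider mask silently extends trust to the address the remote-phone traffic is sourced from.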


Configuration Details
The following configuration details represent the configuration under test. The Ingate SIParator provides Telco communications for all outbound and inbound PSTN calls. In addition, the SIParator provides NAT translation services for any remote phones or Teleworkers wanting to register a phone to their work extension.

The VCX is configured with the SIParator IP address as a trusted endpoint. Therefore no authentication or registration is needed between these 2 devices. The SIParator is configured with both the VCX Primary and Secondary IP addresses as the SIP Proxy. All inbound Telco calls, i.e. DIDs, are redirected by the SIParator to the VCX.

Remote phones are configured to use the SIParator public IP address as their SIP Proxy address. All phone SIP registrations received by the SIParator are forwarded to the VCX for authentication. Once authenticated, these remote phones can make outbound calls using their office extension and receive inbound calls to their office extension at home; all of these calls are carried over their office Telco connection.

VCX Configuration
Defining a device on the VCX 8.0.7e as a Trusted Endpoint can now be done using the Web interface.

Note: In versions prior to 8.x, creating a trusted endpoint was a 2 step process. Please refer to the documentation for these versions for details.

Using VCX Web Configuration GUI

1. Point a browser to the VCX Server IP address (e.g. http://158.101.74.100). The VCX login screen appears. Select the Central Management Console option.

2. Enter a VCX username and password with administrative access. (New VCX installations have a default username admin and password besgroup.) Click Submit.

3. Select the site name you wish to work on.

4. Select Directory from the top menu.

5. Click the Trusted End Points tab on the right of the screen to add a device IP address.

a. Click the Add Trusted End Point button.

b. Enter the endpoint configuration as follows:
IP Address: IP address of SIParator
Netmask: Use Host mask of 255.255.255.255

6. Click the End Points tab on the right of the screen to add a device name for each (i.e. Aspect) to the list as an endpoint.
a. Select the Add End Point button.

b. The endpoint configuration window is displayed.

c. Enter the endpoint configuration as follows:
Type: Set to Gateway
Active: Set to Yes.
Name: Enter the name of the device i.e. SIParator B2BUA
Description: Enter a description of the device i.e. Ingate
Site Id: Enter your VCX site ID.
IP Address: Enter the SIParator IP address
Port Number: port number (usually 5060)
Click the Save button.
d. The List of End Points table appears, listing the new endpoint.

7. Click the Routes tab to create a Route with one or more endpoints.

a. Select the Add Route button, give the route a name (i.e. SIParator B2BUA) and select Save.

b. Select the End Points button on the right.

3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION

Page 36 of 78 c. Select the Assign End Points button

3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION

Page 37 of 78 d. From the list of available endpoints put a check mark next to SIParator B2BUA and select the Assign Selected button

3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION

Page 38 of 78

3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION

Page 39 of 78 e. Confirm the OK

3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION

Page 40 of 78

3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION

Page 41 of 78 f. The Endpoint Aspect should be listed as shown

8. Click Patterns Tab and create a pattern if needed that a call must match in order for VCX to send the call to the SIParator server. Note: This step was skipped because the most common patterns are already defined by default on the VCX. Therefore an existing pattern of 81* was used in testing 9. Click Routes Tab, and create a route that lets VCX send calls to Aspect Unified IP. Click the Add Route Plan button.

3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION

Page 42 of 78

3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION

Page 43 of 78

g. In the Name field, enter a name for the routes i.e. Outbound SIP Trunk h. Under Pattern field select the pattern 81* i. Under Route field select the route SIParator B2BUA just created j. Under Active select the button to enable with a check mark.

3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION

Page 44 of 78 10. Click save which will return back to the Routes screen where the route Aspect should now be displayed

3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION

Page 45 of 78

Ingate Configuration Details


Ingate Startup Tool
The Ingate Startup Tool is an installation tool for Ingate Firewall and Ingate SIParator products using the Ingate SIP Trunking module or the Remote SIP Connectivity module, which facilitates the setup of complete SIP Trunking solutions or remote user solutions. The Startup Tool is designed to simplify the initial out-of-the-box commissioning and programming of the Network Topology, SIP Trunk deployments and Remote User deployments.

The tool will automatically configure a user's Ingate Firewall or SIParator to work with the 3Com VCX solution; this will set up all the routing needed to enable remote users to access and use the enterprise 3Com VCX. Thanks to detailed interop testing, Ingate has been able to create this tool with pre-configured setups for the 3Com VCX solutions for use with remote phones.

Download Free of Charge: The Startup Tool is free of charge for all Ingate Firewalls and SIParators. Get the latest version of the Startup Tool at http://www.ingate.com/Startup_Tool.php

For more detailed programming instructions consult the Startup Tool Getting Started Guide, available here: http://www.ingate.com/appnotes/Ingate_Startup_Tool_Getting_Started_Guide.pdf

Make sure that you always have the latest version of the configuration tool, as Ingate continuously adds new vendors once interoperability testing is complete. The Startup Tool will install and run on any Windows 2000, Windows XP, Windows Vista, and Wine on Linux operating systems.

Keep in mind that the Ingate Startup Tool is a commissioning tool, not an alternate administration tool. This tool is meant to get an out-of-the-box Ingate started with a pre-configured setup, enough to make your first call from 3Com VCX to any Remote SIP Phone. Additional programming and administration of this Ingate unit should be done through the Web Administration.

Connecting the Ingate Firewall/SIParator


From the factory, the Ingate Firewall and SIParator do not come preconfigured with an IP address or Password to administer the unit. Web administration is not possible unless an IP Address and Password are assigned to the unit via the Startup Tool or Console port. The following describes a process to connect the Ingate unit to the network and then have the Ingate Startup Tool assign an IP Address and Password to the Unit.

Configuration Steps:

1) Connect Power to the Unit.

2) Connect an Ethernet cable to Eth0. This Ethernet cable should connect to a LAN network. Below are some illustrations of where Eth0 is located on each of the Ingate Model types.

[Illustration: Ingate 1190 Firewall and SIParator 19 (Back)]
[Illustration: Ingate 1500/1550/1650 Firewall and SIParator 50/55/65]
[Illustration: Ingate 1900 Firewall and SIParator 90]

3) The PC/Server with the Startup Tool should be located on the same LAN segment/subnet. It is required that the Ingate unit and the Startup Tool are on the same LAN Subnet to which you are going to assign an IP Address to the Ingate Unit.
Note: When configuring the unit for the first time, avoid having the Startup Tool on a PC/Server on a different Subnet, or across a Router, NAT device, Tagged VLAN, or VPN Tunnel. Keep the network simple.

4) Proceed to Section: Using the Startup Tool for instructions on using the Startup Tool.

Using the Startup Tool


There are three main reasons for using the Ingate Startup Tool. The first is the out-of-the-box configuration of the Ingate Unit for the first time. The second is to change or update an existing configuration. The third is to register the unit, install a License Key, and upgrade the unit to the latest software.

Configure the Unit for the First Time

From the factory, the Ingate Firewall and SIParator do not come preconfigured with an IP address or Password to administer the unit. Web administration is not possible unless an IP Address and Password are assigned to the unit via the Startup Tool or Console port.

In the Startup Tool, when selecting "Configure the unit for the first time", the Startup Tool will find the Ingate Unit on the network and assign an IP Address and Password to the Ingate unit. This procedure only needs to be done ONCE. When completed, the Ingate unit will have an IP Address and Password assigned.

Note: If the Ingate Unit already has an IP Address and Password assigned to it (by the Startup Tool or Console), proceed directly to Section: Change or Update Configuration.

Configuration Steps:

1) Launch the Startup Tool.

2) Select the Model type of the Ingate Unit, and then click Next.

3) In "Select first what you would like to do", select "Configure the unit for the first time".

4) Other options in "Select first what you would like to do":
a. Select "Configure Remote SIP Connectivity" if you want the tool to configure Remote Phone access to the 3Com VCX server.
b. Select "Register this unit with Ingate" if you want the tool to connect with www.ingate.com to register the unit. If selected, consult the Startup Tool Getting Started Guide.
c. Select "Upgrade this unit" if you want the tool to connect with www.ingate.com to download the latest software release and upgrade the unit. If selected, consult the Startup Tool Getting Started Guide.
d. Select "Backup the created configuration" if you want the tool to apply the settings to an Ingate unit and save the config file.
e. Select "Creating a config without connecting to a unit" if you want the tool to just create a config file.
f. Select "The tool remembers passwords" if you want the tool to remember the passwords for the Ingate unit.

5) In "Inside (Interface Eth0)":
a. Enter the IP Address to be assigned to the Ingate Unit.
b. Enter the MAC Address of the Ingate Unit. This MAC Address will be used to find the unit on the network. The MAC Address can be found on a sticker attached to the unit.

6) In "Select a Password", enter the Password to be assigned to the Ingate unit.

7) Once all required values are entered, the Contact button will become active. Press the Contact button to have the Startup Tool find the Ingate unit on the network and assign the IP Address and Password.

8) Proceed to Section: Network Topology.

Change or Update Configuration


When selecting the "Change or update configuration of the unit" setting in the Startup Tool, the Ingate Unit must have already been assigned an IP Address and Password, either by the Startup Tool's "Configure the unit for the first time" or via the Console port.

In the Startup Tool, when selecting "Change or update configuration of the unit", the Startup Tool will connect directly with the Ingate Unit on the network with the provided IP Address and Password. When completed, the Startup Tool will completely overwrite the existing configuration in the Ingate unit with the new settings.

Note: If the Ingate Unit does not have an IP Address and Password assigned to it, proceed directly to Section: Configure the Unit for the First Time.

Configuration Steps:

1) Launch the Startup Tool.

2) Select the Model type of the Ingate Unit, and then click Next.

3) In "Select first what you would like to do", select "Change or update configuration of the unit".

4) Other options in "Select first what you would like to do":
a. Select "Configure Remote SIP Connectivity" if you want the tool to configure Remote Phone access to the 3Com VCX server.
b. Select "Register this unit with Ingate" if you want the tool to connect with www.ingate.com to register the unit. If selected, consult the Startup Tool Getting Started Guide.
c. Select "Upgrade this unit" if you want the tool to connect with www.ingate.com to download the latest software release and upgrade the unit. If selected, consult the Startup Tool Getting Started Guide.
d. Select "Backup the created configuration" if you want the tool to apply the settings to an Ingate unit and save the config file.
e. Select "Creating a config without connecting to a unit" if you want the tool to just create a config file.
f. Select "The tool remembers passwords" if you want the tool to remember the passwords for the Ingate unit.

5) In "Inside (Interface Eth0)":
a. Enter the IP Address of the Ingate Unit.

6) In "Enter a Password", enter the Password of the Ingate unit.

7) Once all required values are entered, the Contact button will become active. Press the Contact button to have the Startup Tool contact the Ingate unit on the network.

8) Proceed to Section: Network Topology.

Network Topology
The Network Topology is where the IP Addresses, Netmask, Default Gateways, Public IP Address of NATed Firewall, and DNS Servers are assigned to the Ingate unit. The configuration of the Network Topology is dependent on the deployment (Product) type. When selected, each type has a unique set of programming and deployment requirements. Be sure to pick the Product Type that matches the network setup requirements.

Configuration Steps:

1) In the Product Type drop down list, select the deployment type of the Ingate Firewall or SIParator.
Hint: Match the picture to the network deployment.

2) When selecting the Product Type, the rest of the page will change based on the type selected. Go to the Sections below to configure the options based on your choice. Select one of: Firewall, DMZ SIParator, DMZ-LAN SIParator, LAN SIParator, or Standalone SIParator.

Product Type: Firewall


When deploying an Ingate Firewall, there is only one way the Firewall can be installed. The Firewall must be the Default Gateway for the LAN; it is the primary edge device for all data and voice traffic out of the LAN to the Internet.

Configuration Steps:

1) In Product Type, select Firewall.

2) Define the Inside (Interface Eth0) IP Address and Netmask. This is the IP Address that will be used on the LAN side on the Ingate unit.

3) Define the Outside (Interface Eth1) IP Address and Netmask. This is the IP Address that will be used on the Internet (WAN) side on the Ingate unit.
a. A Static IP Address and Netmask can be entered.
b. Or select "Use DHCP to obtain IP" if you want the Ingate Unit to acquire an IP address dynamically using DHCP.

4) Enter the Default Gateway for the Ingate Firewall. The Default Gateway for the Ingate Firewall will always be an IP Address of the Gateway within the network of the outside interface (Eth1).

5) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.

Product Type: Standalone


When deploying an Ingate SIParator in a Standalone configuration, the SIParator resides on a LAN network and on the WAN/Internet network. The Default Gateway for the SIParator resides on the WAN/Internet network. The existing Firewall is in parallel with and independent of the SIParator. The Firewall is the primary edge device for all data traffic out of the LAN to the Internet. The SIParator is the primary edge device for all voice traffic out of the LAN to the Internet.

Configuration Steps:

1) In Product Type, select Standalone SIParator.

2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the LAN network.

3) Define the Outside (Interface Eth1) IP Address and Netmask. This is the IP Address that will be used on the Internet (WAN) side on the Ingate unit.
a. A Static IP Address and Netmask can be entered.
b. Or select "Use DHCP to obtain IP" if you want the Ingate Unit to acquire an IP address dynamically using DHCP.

4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.

5) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.

Product Type: DMZ SIParator


When deploying an Ingate SIParator in a DMZ configuration, the Ingate resides on a DMZ network connected to an existing Firewall. The Ingate needs to know the Public IP Address of the Firewall. This existing Firewall must be the Default Gateway for the DMZ network; the existing Firewall is the primary edge device for all data and voice traffic out of the LAN and DMZ to the Internet. SIP Signaling and Media must be forwarded to the Ingate SIParator, both from the Internet to the SIParator and from the DMZ to the LAN.

Configuration Steps:

1) In Product Type, select DMZ SIParator.

2) Define the IP Address and Netmask of the DMZ (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the DMZ network side on the existing Firewall.

3) Define the LAN IP Address Range, the lower and upper limit of the network addresses located on the LAN. This is the scope of IP Addresses contained on the LAN side of the existing Firewall.

4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.

5) Enter the existing Firewall's external WAN/Internet IP Address. This is used to ensure correct SIP Signaling and Media traversal functionality. This is required when the existing Firewall is providing NAT.

6) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.

7) On the existing Firewall, the SIP Signaling Port and RTP Media Ports need to be forwarded to the Ingate SIParator. The Ingate SIParator is an ICSA Certified network edge security device, so there are no security concerns forwarding network traffic to the SIParator. On the existing Firewall:
a. Port Forward the WAN/Internet interface SIP Signaling port of 5060 with a UDP/TCP Forward to the Ingate SIParator.
b. Port Forward a range of RTP Media ports of 58024 to 60999 with a UDP Forward to the Ingate SIParator.
c. If necessary, provide a Rule that allows the SIP Signaling on port 5060 using UDP/TCP transport on the DMZ network to the LAN network.
d. If necessary, provide a Rule that allows a range of RTP Media ports of 58024 to 60999 using UDP transport on the DMZ network to the LAN network.

Product Type: DMZ-LAN SIParator


When deploying an Ingate SIParator in a DMZ-LAN configuration, the Ingate resides on a DMZ network connected to an existing Firewall and also on the LAN network. The Ingate needs to know the Public IP Address of the Firewall. This existing Firewall must be the Default Gateway for the DMZ network; the existing Firewall is the primary edge device for all data and voice traffic out of the LAN and DMZ to the Internet. SIP Signaling and Media must be forwarded to the Ingate SIParator, from the Internet to the SIParator. The voice traffic from the LAN is directed to the SIParator and then to the existing Firewall.

Configuration Steps:

1) In Product Type, select DMZ-LAN SIParator.

2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the LAN network.

3) Define the IP Address and Netmask of the DMZ (Interface Eth1). This is the IP Address that will be used on the Ingate unit to connect to the DMZ network side on the existing Firewall.
a. A Static IP Address and Netmask can be entered.
b. Or select "Use DHCP to obtain IP" if you want the Ingate Unit to acquire an IP address dynamically using DHCP.

4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.

5) Enter the existing Firewall's external WAN/Internet IP Address. This is used to ensure correct SIP Signaling and Media traversal functionality. This is required when the existing Firewall is providing NAT.

6) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.

7) On the existing Firewall, the SIP Signaling Port and RTP Media Ports need to be forwarded to the Ingate SIParator. The Ingate SIParator is an ICSA Certified network edge security device, so there are no security concerns forwarding network traffic to the SIParator. On the existing Firewall:
a. Port Forward the WAN/Internet interface SIP Signaling port of 5060 with a UDP/TCP Forward to the Ingate SIParator.
b. Port Forward a range of RTP Media ports of 58024 to 60999 with a UDP Forward to the Ingate SIParator.

Product Type: LAN SIParator


When deploying an Ingate SIParator in a LAN configuration, the Ingate resides on a LAN network with all of the other network devices. The existing Firewall must be the Default Gateway for the LAN network; the existing Firewall is the primary edge device for all data and voice traffic out of the LAN to the WAN/Internet. SIP Signaling and Media must be forwarded to the Ingate SIParator, from the Internet to the SIParator. The voice traffic from the LAN is directed to the SIParator and then to the existing Firewall.

Configuration Steps:

1) In Product Type, select LAN SIParator.

2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the LAN network.

3) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.

4) Enter the existing Firewall's external WAN/Internet IP Address. This is used to ensure correct SIP Signaling and Media traversal functionality. This is required when the existing Firewall is providing NAT.

5) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.

6) On the existing Firewall, the SIP Signaling Port and RTP Media Ports need to be forwarded to the Ingate SIParator. The Ingate SIParator is an ICSA Certified network edge security device, so there are no security concerns forwarding network traffic to the SIParator. On the existing Firewall:
a. Port Forward the WAN/Internet interface SIP Signaling port of 5060 with a UDP/TCP Forward to the Ingate SIParator.
b. Port Forward a range of RTP Media ports of 58024 to 60999 with a UDP Forward to the Ingate SIParator.
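The DMZ, DMZ-LAN and LAN SIParator sections all ask for the same forwards on the existing Firewall (5060 over UDP/TCP and 58024 to 60999 over UDP, all to the SIParator). The following is an added example, not part of the original notes or of any Ingate or 3Com tool, that audits an exported forward list against exactly that set. The one-line rule format, the function names and all addresses are constructed assumptions; a real firewall export would need converting to this format first.

```python
import ipaddress

# Forwards the notes require on the existing firewall: (protocol, first port, last port).
REQUIRED = [
    ("udp", 5060, 5060),    # SIP signaling
    ("tcp", 5060, 5060),    # SIP signaling
    ("udp", 58024, 60999),  # RTP media
]

def parse_rule(line):
    """Parse 'proto first[-last] -> dest_ip' (constructed, vendor-neutral format)."""
    left, dest = (part.strip() for part in line.split("->"))
    proto, ports = left.split()
    first_s, _, last_s = ports.partition("-")
    first, last = int(first_s), int(last_s or first_s)
    if not 0 < first <= last <= 65535:
        raise ValueError(f"bad port range in rule: {line!r}")
    return proto.lower(), first, last, ipaddress.ip_address(dest)

def audit_forwards(lines, siparator_ip):
    """Compare firewall forwards with the set the notes call for.

    missing     - required ports that are not forwarded to the SIParator
    excess      - forwards to the SIParator wider than the required set
    misdirected - SIP/RTP ports forwarded to a host other than the SIParator
    """
    sip = ipaddress.ip_address(siparator_ip)
    rules = [parse_rule(l) for l in lines
             if l.strip() and not l.lstrip().startswith("#")]
    findings = {"missing": [], "excess": [], "misdirected": []}

    for proto, lo, hi in REQUIRED:
        covered = set()
        for rp, rlo, rhi, dest in rules:
            if rp == proto and dest == sip:
                covered.update(range(max(lo, rlo), min(hi, rhi) + 1))
        gap = (hi - lo + 1) - len(covered)
        if gap:
            findings["missing"].append(
                f"{proto} {lo}-{hi}: {gap} port(s) not forwarded to {sip}")

    for rp, rlo, rhi, dest in rules:
        allowed = [(lo, hi) for p, lo, hi in REQUIRED if p == rp]
        inside = any(lo <= rlo and rhi <= hi for lo, hi in allowed)
        overlaps = any(rlo <= hi and lo <= rhi for lo, hi in allowed)
        label = f"{rp} {rlo}-{rhi} -> {dest}"
        if dest == sip and not inside:
            findings["excess"].append(f"{label}: wider than the required forwards")
        elif dest != sip and overlaps:
            findings["misdirected"].append(f"{label}: SIP/RTP port bypasses the SIParator")
    return findings

# Constructed sample data (private address space, not from the notes).
SIPARATOR_IP = "172.16.0.2"
GOOD_RULES = [
    "udp 5060 -> 172.16.0.2",
    "tcp 5060 -> 172.16.0.2",
    "udp 58024-60999 -> 172.16.0.2",
]
BAD_RULES = [
    "udp 5060 -> 172.16.0.2",
    "udp 58024-59999 -> 172.16.0.2",   # RTP range cut short
    "tcp 1-65535 -> 172.16.0.2",       # every TCP port forwarded
    "udp 5060 -> 192.168.10.20",       # SIP sent straight to a LAN host
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit_forwards(rules, SIPARATOR_IP))
```

A rule set that passes with all three lists empty forwards only what the notes ask for; anything in "misdirected" exposes a host that the design places behind the SIParator.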

IP-PBX
The IP-PBX section is where the IP Addresses and Domain location are provided to the Ingate unit. The configuration of the IP-PBX allows the Ingate unit to know the location of the 3Com VCX server so as to direct SIP traffic for use with the Remote Phones. The IP Address of the 3Com VCX server must be on the same network subnet as the IP Address of the inside interface of the Ingate unit. Ingate has confirmed interoperability with the 3Com VCX.

Configuration Steps:

1) In the IP-PBX Type drop down list, select the 3Com vendor. Ingate has confirmed interoperability with the 3Com VCX; the unique requirements of the vendor testing are contained in the Startup Tool.

2) Enter the IP Address of the 3Com VCX. The IP Address should be on the same LAN subnet as the Ingate unit.

3) This solution requires the use of a FQDN for the SIP Domain of the 3Com VCX. This domain name is used to route SIP Requests to the 3Com VCX associated with that domain. Select "Use domain name" and enter the FQDN.
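The addressing rules stated in the Startup Tool, Network Topology and IP-PBX sections (Startup Tool PC on the Eth0 subnet, default gateway on the correct interface network for the Product Type, VCX on the inside subnet, VCX trusted end point entered with a host mask) can be checked before anything is uploaded. The following is an added example, not part of the original notes or of the Startup Tool; the dictionary keys, the function name and all addresses are constructed assumptions. For the DMZ SIParator type it assumes the VCX must fall inside the LAN IP Address Range, and for the LAN SIParator type it follows the section overview, which makes the existing Firewall the LAN default gateway.

```python
import ipaddress

# Interface whose network must contain the default gateway, per Product Type.
GATEWAY_SIDE = {
    "Firewall": "eth1",              # gateway within the outside (Eth1) network
    "Standalone SIParator": "eth1",  # gateway resides on the WAN/Internet network
    "DMZ SIParator": "eth0",         # Eth0 is the DMZ; gateway is the firewall's DMZ address
    "DMZ-LAN SIParator": "eth1",     # Eth1 is the DMZ
    "LAN SIParator": "eth0",         # existing firewall is the LAN default gateway
}
NEEDS_ETH1 = {"Firewall", "Standalone SIParator", "DMZ-LAN SIParator"}

def check_plan(plan):
    """Return a list of problems in a planned configuration (static addresses only)."""
    ptype = plan["product_type"]
    if ptype not in GATEWAY_SIDE:
        return [f"unknown product type: {ptype}"]
    eth0 = ipaddress.ip_interface(plan["eth0"])
    eth1 = ipaddress.ip_interface(plan["eth1"]) if plan.get("eth1") else None
    if ptype in NEEDS_ETH1 and eth1 is None:
        return [f"{ptype} needs a static Eth1 address for this check"]

    problems = []
    if eth1 is not None and eth0.network.overlaps(eth1.network):
        problems.append("Eth0 and Eth1 networks overlap")

    # Default gateway must sit in the network named for this Product Type.
    side = GATEWAY_SIDE[ptype]
    gw_if = eth0 if side == "eth0" else eth1
    gw = ipaddress.ip_address(plan["default_gateway"])
    if gw not in gw_if.network:
        problems.append(f"default gateway {gw} is not in the {side} network {gw_if.network}")
    elif gw == gw_if.ip:
        problems.append("default gateway is the unit's own address")

    # First-time setup: the Startup Tool PC must share the Eth0 subnet.
    pc = ipaddress.ip_address(plan["startup_tool_pc"])
    if pc not in eth0.network:
        problems.append(f"Startup Tool PC {pc} is not on the Eth0 subnet {eth0.network}")

    # VCX location: inside subnet, or (assumption) the LAN range for DMZ SIParator.
    vcx = ipaddress.ip_address(plan["vcx_ip"])
    if ptype == "DMZ SIParator":
        low, high = (ipaddress.ip_address(a) for a in plan["lan_range"])
        if low > high:
            problems.append("LAN range lower limit is above the upper limit")
        elif not low <= vcx <= high:
            problems.append(f"VCX {vcx} is outside the LAN range {low}-{high}")
    elif vcx not in eth0.network:
        problems.append(f"VCX {vcx} is not on the inside subnet {eth0.network}")

    # VCX trusted end point: the SIParator address with a host mask.
    te_ip, te_mask = plan["vcx_trusted_endpoint"]
    if te_mask != "255.255.255.255":
        problems.append(f"trusted end point mask {te_mask} is not a host mask")
    if ipaddress.ip_address(te_ip) != eth0.ip:
        problems.append(f"trusted end point {te_ip} is not the unit's Eth0 address {eth0.ip}")
    return problems

# Constructed sample plans (private and documentation address space).
GOOD_PLAN = {
    "product_type": "DMZ-LAN SIParator",
    "eth0": "192.168.10.2/24", "eth1": "172.16.0.2/24",
    "default_gateway": "172.16.0.1",
    "startup_tool_pc": "192.168.10.50",
    "vcx_ip": "192.168.10.20",
    "vcx_trusted_endpoint": ("192.168.10.2", "255.255.255.255"),
}
BAD_PLAN = {
    "product_type": "Firewall",
    "eth0": "192.168.10.1/24", "eth1": "203.0.113.10/29",
    "default_gateway": "192.168.10.254",   # on the LAN side, not Eth1
    "startup_tool_pc": "192.168.10.50",
    "vcx_ip": "192.168.20.20",             # different subnet from Eth0
    "vcx_trusted_endpoint": ("192.168.10.0", "255.255.255.0"),  # subnet, not host
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan))
```

The trusted end point check matters most for security: a network mask instead of 255.255.255.255 would make every host in that range trusted by the VCX rather than the SIParator alone.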

Upload Configuration
At this point the Startup Tool has all the information required to push a database into the Ingate unit. The Startup Tool can also create a backup file for later use.

Configuration Steps:

1) Press the Upload button. If you would like the Startup Tool to create a Backup file, also select "Backup the configuration". Upon pressing the Upload button, the Startup Tool will push a database into the Ingate unit.

2) When the Startup Tool has finished uploading the database, a window will appear. Once you press OK, the Startup Tool will launch a default browser and direct you to the Ingate Web GUI.

3) Although the Startup Tool has pushed a database into the Ingate unit, the changes have not been applied to the unit. Press Apply Configuration to apply the changes to the Ingate unit.

4) A new page will appear after the previous step, requesting to save the configuration. Press Save Configuration to complete the saving process.

Manual Configuration Steps


SIP Trunking and Remote 3Com SIP Phone Deployment Overlap Programming

Multiple IP Addresses

WAN Interface
Due to the requirement to separate Trusted SIP Trunking communication with the VCX Connect from Untrusted Remote SIP Phone communication with the VCX Connect, two separate WAN IP addresses are required: one for express use in SIP Trunking and another for Remote SIP Phones. Due to a 3Com Business Phone requirement, a third WAN IP Address is required if a Failover VCX Connect is deployed.

LAN Interface
Here we create the separation of the Trusted LAN IP Address for the express use of SIP Trunking and the Untrusted LAN IP Address used for Remote SIP Phones.

Remote SIP Connectivity
Here is the actual association between the Remote SIP Phone WAN IP Address and the Untrusted LAN IP Address of the Ingate.

Routing Remote SIP Phones to VCX Connect IP-PBX
Here are the two forms of Routing for the Remote SIP Phones.

1) 3Com Business Phones with the WAN IP Address of the Ingate relaying to the LAN IP Address of the VCX Connect.

2) Other SIP Phone with SIP Domain routing of the FQDN to the Primary and Secondary VCX Connect controller.

Verification Tests
1. Remote SIP Phone Registration
2. Basic Call - Local Extension calls Remote SIP Phone
3. Basic Call - PSTN Trunk calls Remote SIP Phone
4. Basic Call - Remote SIP Phone calls Local Extension
5. Basic Call - Remote SIP Phone calls PSTN Trunk
6. Attended Transfer - Local Extension calls Remote SIP Phone, Remote Phone Transfers Local Extension to PSTN Trunk
7. Attended Transfer - Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Local Extension
8. Attended Transfer - Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Remote SIP Phone
9. Attended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to PSTN Trunk
10. Attended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Local Extension
11. Attended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Remote SIP Phone
12. Unattended Transfer - Local Extension calls Remote SIP Phone, Remote Phone Transfers Local Extension to PSTN Trunk
13. Unattended Transfer - Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Local Extension
14. Unattended Transfer - Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Remote SIP Phone
15. Unattended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to PSTN Trunk
16. Unattended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Local Extension
17. Unattended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Remote SIP Phone
18. Conference - Local Extension calls Remote SIP Phone, Remote Phone Conferences Local Extension to PSTN Trunk
19. Conference - Local Extension calls Remote SIP Phone, Remote SIP Phone Conferences Local Extension to another Local Extension
20. Conference - Local Extension calls Remote SIP Phone, Remote SIP Phone Conferences Local Extension to another Remote SIP Phone
21. Conference - Remote SIP Phone calls Local Extension, Local Extension Conferences Remote SIP Phone to PSTN Trunk
22. Conference - Remote SIP Phone calls Local Extension, Local Extension Conferences Remote SIP Phone to another Local Extension
23. Conference - Remote SIP Phone calls Local Extension, Local Extension Conferences Remote SIP Phone to another Remote SIP Phone
24. Message Waiting
25. DTMF - PSTN
26. DTMF - Voicemail

Product Support
Product support can be obtained from the respective product suppliers.

Ingate Product Support:


Main Ingate Support link: http://www.ingate.com/Helpdesk.php
Europe, Middle East, Asia Pacific and Africa
Monday - Friday, 8:00am - 5:00pm (GMT+1)
Telephone: +46-13-21 08 52
Fax: +46-13-21 08 51
E-mail: support@ingate.com

North America, Latin America and South America
Monday - Friday, 8:00am - 6:00pm (EST) (GMT-5)
Telephone: +1-866-809-0002
E-mail: support@ingate.com

3COM product support:


Main 3COM Support link: http://www.3com.com/products/en_US/support/index.html

Asia Pacific
Telephone: +65 6543 6645
Fax: +65 6543 6518
E-mail: ap_service@3com.com

Europe, Middle East and Africa
Telephone: +44 (0)1442 435529 (Option 4)
Fax: +44 (0)1442 435811
E-mail: focalpoint_services@3com.com

North America and Latin America
Telephone: 866-326-6222 (Option 3)
Fax: 408-326-7140
E-mail: ecso_contracts@3com.com

Conclusion
In this application, the 3Com VCX solution is the IP-PBX and SIP Domain Server. It is the call control server processing the phone features and PBX functionality required for an enterprise. It resides on the private LAN segment of the enterprise, away from the Internet and protected by the Ingate from any malicious attacks. The Ingate SIParator or Firewall sits on the Enterprise network edge, providing a security solution for data and SIP communications with E-SBC functionality. It is responsible for all SIP communications security by providing Policy and Routing Rules to allow specific SIP traffic intended for the Enterprise. The SIP Phones can be of any vendor type, located anywhere across the Internet or any remote networks.