3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION
Page 2 of 78
Table of Contents

Revision History ........................................ 4
References .............................................. 4
Objective ............................................... 5
Ingate Systems .......................................... 6
    Ingate Product Overview ............................. 7
        Ingate SIParators ............................... 7
        Ingate add-on software modules and licenses ..... 7
        Background ...................................... 7
    Technical Specifications ............................ 8
        Ingate SIParator Models 19, 50, 55, 65 and 90 ... 8
        Ingate SIParator Technical Details .............. 10
        Ingate SIParator Pictures ....................... 11
        Ingate SIParator Product Features ............... 12
Configuration Technical Details ......................... 14
    How it Works ........................................ 14
Installation Overview ................................... 17
Network Topology ........................................ 19
Testing Observations .................................... 20
Configuration Details ................................... 22
    VCX Configuration ................................... 22
    Ingate Configuration Details ........................ 45
        Ingate Startup Tool ............................. 45
        Connecting the Ingate Firewall/SIParator ........ 46
        Using the Startup Tool .......................... 48
        Configure the Unit for the First Time ........... 48
        Change or Update Configuration .................. 51
        Network Topology ................................ 55
        Product Type: Firewall .......................... 56
        Product Type: Standalone ........................ 58
        Product Type: DMZ SIParator ..................... 60
        Product Type: DMZ-LAN SIParator ................. 63
        Product Type: LAN SIParator ..................... 66
        IP-PBX .......................................... 68
        Upload Configuration ............................ 70
        Manual Configuration Steps ...................... 72
Verification Tests ...................................... 76
Product Support ......................................... 77
    Ingate Product Support .............................. 77
    3COM product support ................................ 77
Conclusion .............................................. 78
Revision History

Revision   Date         Author       Reason for change
1.0        11/02/2009   Scott Beer   Doc Creation

References

Date   Document Name   Revision   Company
Objective
The 3Com VCX Connect solution offers organizations with up to 250 phone users an economical IP telephony and messaging platform that delivers powerful phone features and supports multimedia communications based on the Session Initiation Protocol (SIP). The platform's practical design and affordability help businesses replace antiquated PBXs with VoIP solutions that handle unified voicemail/email messaging (a standard feature).

The 3Com VCX Connect solution allows the connection and use of a wide variety of SIP phones, both desk phones and soft-phones, from 3Com and from a number of other vendors. These SIP phones can be located on the enterprise LAN, in remote/home offices, or anywhere on the Internet. This application note focuses on support for remote/home office SIP phones.

The Ingate SIParator is an enterprise-level SIP Session Border Controller (E-SBC) and SIP security device. It offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications based on SIP. With the SIParator, even the largest businesses, with branch offices around the world and remote workers, can harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology.

In this application, beyond the E-SBC capabilities that the Ingate products provide, the SIParator supplies a number of additional features that enable remote SIP phones to connect to the 3Com VCX Connect solution. The Ingate Remote SIP Connectivity Module provides features such as Far End NAT Traversal and a STUN server, which allow the Ingate to overcome NAT on the far (phone) end of the call.
Ingate Systems
Ingate Systems AB is a Stockholm, Sweden based high-tech company that designs, develops, manufactures and markets data communications products for trusted Unified Communications. Ingate designed the world's first Session Initiation Protocol (SIP)-capable firewalls and SIParators, products that enable Unified Communications over the Internet.

Unified Communications applications such as Internet telephony, presence indication, instant messaging, and audio/video conferencing are modern and powerful business tools that let enterprises maintain reliable IP communications internally and externally. As more businesses use these applications, service providers offer SIP trunks to connect local area networks to the outside world via the Internet and/or dedicated, managed IP lines. The enterprise Session Border Controller (firewall) must manage all incoming and outgoing traffic securely: authorized SIP traffic must pass through the Session Border Controller in a controlled manner to reach SIP units inside and outside the LAN. Ingate's Session Border Controllers are compatible with existing networks and allow businesses to gain the cost and time savings of IP-based real-time communications with minimal investment.

Ingate's products are marketed through world-leading distributors, value-added resellers and OEMs on all continents. Ingate has development facilities in Linköping, Sweden and a wholly owned subsidiary in the United States. Ingate works long-term on its development projects and customer relations, as well as on the development and training of its employees.
Ingate Product Overview

Ingate SIParators

The Ingate SIParator is a device that connects to an existing firewall to seamlessly allow the traversal of SIP-based communications. Ingate SIParators are compatible with all existing firewalls and operating systems.
Background
Ingate's security technology dates back to 1996, and since 2001 SIP has been the focus when designing its award-winning firewall products, making Ingate a natural choice for enterprises planning a secure, flexible and interoperable communication solution. Ingate products fit any SIP-based VoIP/UC installation.
Technical Specifications
Ingate SIParator Models 19, 50, 55, 65 and 90
The Ingate SIParator 19 has three ports; larger models scale up to six ports, with two fiber ports on the SIParator 90, providing a scalable solution for enterprise environments of any size. All models share the same web-based graphical user interface (GUI), which Ingate customers and the trade press have cited for ease of use. All Ingate SIParators are fully featured, supporting stateful inspection and packet filtering with rules defined and maintained by the network security administrator through the GUI. A SIParator can be deployed as part of the DMZ or in standalone mode; in either case, SIP-based communications can be added to the network quickly and easily.

Trusted Network Security for VoIP

The SIParator's SIP proxy architecture gives controlled traversal of SIP traffic: the proxy inspects each SIP message before forwarding it, and the ports for the media streams are opened only between the specific parties of a call and only for the duration of that call, then closed again. TLS protects the SIP signaling and SRTP protects the media, which makes call eavesdropping, call hijacking and call spoofing harder. Ingate also supports authentication of users and servers.

Support for SIP Trunking

More and more Internet service providers offer a SIP trunk, a combined Internet and voice connection. For enterprises using an IP-PBX, SIP trunks are a cost-saving option: the enterprise no longer needs local PSTN gateways or costly PRIs/BRIs, because the service provider supplies the PSTN connection. For SIP trunking to work, however, SIP traffic (as well as all other data traffic) must be able to traverse the enterprise firewall. Ingate's SIP Trunking software module, available for Ingate SIParators, enables firewall and NAT traversal using the built-in SIP proxy, allowing the enterprise to connect to the SIP trunk.

In addition, Ingate SIParators and the Ingate SIP proxy deliver advanced security for all SIP communications, including those via a SIP trunk. Ingate products also help ease compatibility issues between the IP-PBX and the Internet telephony service provider (ITSP).
Choose the Right Features for Your Network

Ingate offers several other add-on software modules that let you tailor the SIParator to the specific demands of your business.

Ingate Quality of Service (QoS) assigns priorities to different kinds of data and allocates bandwidth for different purposes, for instance giving priority to VoIP.

Ingate Remote SIP Connectivity extends the SIP capabilities of the enterprise to employees working remotely (home office workers, road warriors, etc.). Remote SIP Connectivity handles traversal of the remote NAT from the central Ingate SIParator and also includes a STUN server.

The Ingate Enhanced Security Module provides intrusion detection and intrusion prevention for SIP as well as encryption of the communication.

The SIP Registrar Module allows the Ingate registrar to be made the primary registration server.

Add Global VoIP Connectivity to your IP-PBX

The SIParator opens up a world of possibilities and cost savings when used with a SIP-based IP-PBX. Businesses can route telephone calls via IP, not only between branch offices and home workers, but also to other offices and users using SIP-based Internet telephony. No longer limited to voice, communication can also include video, instant messaging, presence and more. In addition, the SIParator makes it possible for home workers, road warriors and even branch offices to belong to the same central IP-PBX with a high level of security. The SIParator also allows a private VoIP network to be set up, if preferred. Advanced IP-PBX functions such as call transfer, call hold and voicemail are supported. Global connectivity is provided by the Remote SIP Connectivity Module, which supplies Far End NAT Traversal.
Ingate SIParator Pictures
Ingate SIParator 19
Ingate SIParator 90
Ingate SIParator Product Features

(First page of the feature table: only the result cells survived extraction, without their row labels.)

Security
    Firewall
        Stateful Inspection Firewall
        DoS Protection
        SIP Traffic IDS/IPS
        Access Control Lists
        ALGs
    Network Address Translation
        Basic NAT (1:1), NAPT (Many:1), and Port Translation
        NAT-compatible SIP ALG
    Secure Management
        Multi-level access control
        RADIUS AAA
        Port Authentication (802.1x)
        SSH CLI
VPN
    IPSec Tunnel
    Encryption: 3DES, AES, NULL, MD5, SHA1
    Authentication Mechanisms: XAUTH, Digital certificates, Pre-Shared Keys, Secure ID
    PPTP Server
    Number of VPN Tunnels
Troubleshooting
    PING
    Traceroute
    TCPdump utilities
    Packet Capture
    System Logging

Result column as extracted, in row order (Yes = supported in test; N/T = not tested): Yes, Yes, N/T, Yes, Yes (SIP), Yes, Yes, Yes, N/T, Yes, N/T, N/T, N/T, N/T, N/T, N/T, N/T, N/T, N/T, N/T, N/T, N/T, N/T, N/T, N/T, Yes, Yes, Yes, Yes, Yes
Configuration Technical Details

How it Works

Example Network Configuration

3Com VCX Connect Primary Controller
    Domain: vcx.sipdomain.com
    IP Address: 10.51.77.11

3Com VCX Connect Secondary Controller
    Domain: vcx.sipdomain.com
    IP Address: 10.51.77.22

Ingate SIParator
    Domain: vcx.sipdomain.com
        WAN IP Address: 66.253.67.112 (for remote 3Com Business Phones)
        LAN IP Address: 10.51.77.100
    Domain: vcx2.sipdomain.com
        WAN IP Address: 66.253.67.113
        LAN IP Address: 10.51.77.101

3Com Business Phones
    Primary Server: 66.253.67.112
    Secondary Server: 66.253.67.113

Other SIP Phones
    SIP Server: vcx.sipdomain.com
Software Revisions

Vendor           Product Model          Version
Ingate Systems   SIParator 19           4.7.1
3Com             VCX
3Com             3102 Business Phone

Software Requirements

Vendor   Product Model   Version

Tool Requirements

Vendor                 Product Model   Version
Wireshark Foundation   Wireshark       1.0.6
Installation Overview
The 3Com VCX Connect solution offers organizations with up to 250 phone users an economical IP telephony and messaging platform that delivers powerful phone features and supports multimedia communications based on the Session Initiation Protocol (SIP). The platform's practical design and affordability help businesses replace antiquated PBXs with VoIP solutions that handle unified voicemail/email messaging (a standard feature), support a full range of IP phones and interoperate with the PSTN.

In this application the 3Com VCX is located on the private LAN of the enterprise, where it services user extensions, call center applications, PSTN access, user voicemail, auto-attendant/IVR applications and more. Local users are serviced by the 3Com VCX on the private LAN, and the 3Com VCX is the SIP domain server for all of the SIP phones.

The 3Com VCX Connect solution allows the connection and use of a wide variety of SIP phones, both desk phones and soft-phones, from vendors such as 3Com, Polycom, Aastra, Counterpath and Grandstream. These SIP phones can be located on the enterprise LAN, in remote/home offices, or anywhere on the Internet. In this application the SIP phones are located outside the private LAN of the enterprise but continue to be serviced by the 3Com VCX, which extends the VCX's user extensions to anywhere on the Internet. Although these SIP phones are not co-located with the 3Com VCX, they behave and appear as if they were, essentially extending the features of the 3Com VCX to remote offices, home offices and road warriors.

The Ingate SIParator is an enterprise-level SIP Session Border Controller (E-SBC) and SIP security device. It offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications based on SIP. With the SIParator, even the largest businesses, with branch offices around the world and remote workers, can harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology.

In this application, the Ingate SIParator uses its E-SBC capabilities to secure SIP communications with the remote SIP phones and give them access to the 3Com VCX. The Ingate provides E-SBC functions such as SIP routing rules, SIP security policies, SIP protocol compliance checking, Far End and Near End NAT Traversal and more, to deliver reliable SIP communications with the remote SIP phones.
Network Topology
Ingate SIParator Topology
Testing Observations
1. SIP Trunking and Remote 3Com SIP Phone Deployment Overlap

For SIP trunking, the Ingate is configured on the VCX Connect IP-PBX as a Trusted End Point. This ensures that incoming SIP trunk traffic from the various ITSPs, relayed by the Ingate, is not authenticated by the VCX Connect IP-PBX. Remote SIP phones, on the other hand, must be authenticated by the VCX Connect IP-PBX for security reasons, which means the address the Ingate uses for them must not be a Trusted End Point. When SIP trunking and remote SIP phone support are deployed on the same Ingate, special configuration is therefore required so that SIP trunking traffic reaches the VCX from a trusted address and remote phone traffic from a non-trusted one. An additional WAN IP address on the Ingate is needed to separate the two: SIP trunking is directed to one WAN IP address and remote SIP phone traffic to the other. The Ingate can then apply routing policies, keyed on the WAN IP address the traffic arrived on, that select the source IP address it uses toward the VCX Connect.

2. No FQDN Support on 3Com Business Phones

The 3Com Business Phones cannot be given an FQDN as the SIP server address, only an IP address, so the public IP address of the Ingate SIParator is entered. A Dial Plan or a DNS Override for SIP Requests must then be created on the Ingate to forward traffic that arrived at its WAN IP address to the VCX Connect IP-PBX. Note: Dial Plan and DNS Override are mutually exclusive; you program one or the other. Where both would match, DNS Override takes precedence over the Dial Plan. Other SIP phones can typically be programmed with a complete FQDN as the SIP domain or server; in that case the Ingate can use DNS Override for SIP Requests to map the VCX Connect's SIP domain to the VCX Connect IP-PBX IP address.

3. Secondary VCX on 3Com Business Phones

As above, the 3Com Business Phones cannot be given an FQDN as the SIP server address, only an IP address, so the public IP address of the Ingate SIParator is entered for the primary VCX Connect controller. For the secondary VCX controller, a second (different) public IP address is required. The Ingate then has one WAN IP address that directs traffic to the primary VCX Connect controller and a second WAN IP address that directs traffic to the secondary VCX Connect controller. Note: be sure these IP addresses do not conflict with the Ingate WAN IP address used for SIP trunking. Other SIP phones can typically be programmed with a complete FQDN as the SIP domain or server; in that case the Ingate can use DNS Override for SIP Requests to map the SIP domain to the VCX Connect primary controller IP address, with a second entry for the same SIP domain that forwards to the secondary VCX controller.
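The routing rules in observations 1 to 3 can be modelled as one relay decision per request. The Python below is an added example written for this note, not Ingate code and not a description of the SIParator's internals: the WAN addresses 66.253.67.112/113, the LAN addresses 10.51.77.100/101 and the VCX controller addresses come from the Example Network Configuration above, while the SIP-trunk WAN/LAN pair 66.253.67.114 and 10.51.77.102 and the exact lookup order are assumptions made for the example.

```python
"""Relay decision made by the SIParator for one SIP request, modelling the
behaviour described under Testing Observations. Added example, not Ingate
code. Addresses 66.253.67.112/113, 10.51.77.100/101 and the VCX controllers
come from the note; the SIP-trunk pair 66.253.67.114 / 10.51.77.102 and the
lookup order are assumptions."""
from dataclasses import dataclass

VCX_PRIMARY, VCX_SECONDARY = "10.51.77.11", "10.51.77.22"
VCX_DOMAIN = "vcx.sipdomain.com"

# Dial Plan: WAN IP the request arrived on -> (LAN IP it is relayed from,
# VCX controllers in failover order). Business Phones can only be given an
# IP address, so each phone-facing WAN IP stands for exactly one controller.
DIAL_PLAN = {
    "66.253.67.112": ("10.51.77.100", [VCX_PRIMARY]),
    "66.253.67.113": ("10.51.77.101", [VCX_SECONDARY]),
    "66.253.67.114": ("10.51.77.102", [VCX_PRIMARY, VCX_SECONDARY]),  # assumed SIP trunk
}
# DNS Override for SIP Requests: Request-URI host -> controllers in failover
# order. Phones that accept an FQDN use this path; it wins over the Dial Plan.
DNS_OVERRIDE = {VCX_DOMAIN: [VCX_PRIMARY, VCX_SECONDARY]}
# The only LAN source the VCX lists as a Trusted End Point: trunk traffic.
TRUSTED_LAN_SOURCE = "10.51.77.102"


@dataclass(frozen=True)
class Relay:
    targets: tuple    # VCX addresses to try, in order
    source_ip: str    # SIParator LAN IP the relayed request leaves from
    rule: str         # "dns-override" or "dial-plan"

    @property
    def vcx_trusts_source(self) -> bool:
        """True only for trunk traffic: the VCX will skip authentication."""
        return self.source_ip == TRUSTED_LAN_SOURCE


def relay_for(request_uri_host: str, arrived_on: str, primary_up: bool = True) -> Relay:
    """Pick the VCX target(s) and relay source for a request that reached the
    SIParator on WAN IP `arrived_on` with Request-URI host `request_uri_host`."""
    if arrived_on not in DIAL_PLAN:
        raise ValueError(f"no SIP listener on {arrived_on}")
    source_ip, plan_targets = DIAL_PLAN[arrived_on]
    if request_uri_host in DNS_OVERRIDE:          # DNS Override takes precedence
        targets, rule = DNS_OVERRIDE[request_uri_host], "dns-override"
    else:
        targets, rule = plan_targets, "dial-plan"
    if not primary_up:                            # simple failover to the secondary
        targets = [t for t in targets if t != VCX_PRIMARY]
    if not targets:
        raise RuntimeError(f"no reachable VCX controller for traffic on {arrived_on}")
    return Relay(tuple(targets), source_ip, rule)
```

A Business Phone that can only be told 66.253.67.112 is relayed to the primary controller only; if the primary is down the relay has nowhere to go, and it is the phone that must fail over to its configured secondary server 66.253.67.113. A phone that registers to vcx.sipdomain.com gets both controllers through the DNS Override entry. Only requests relayed from the trunk-side LAN address are seen by the VCX as coming from a Trusted End Point, which is the separation observation 1 calls for.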
Configuration Details
The following configuration details represent the configuration under test. The Ingate SIParator carries all outbound and inbound PSTN (telco) calls. In addition, the SIParator provides NAT traversal for remote phones and teleworkers who register a phone to their work extension. The VCX is configured with the SIParator IP address as a Trusted End Point, so no authentication or registration is needed between these two devices; as Testing Observation 1 explains, that trusted entry must cover only the address the SIParator uses for trunk traffic, because registrations relayed from a trusted address would bypass the VCX's authentication. The SIParator is configured with both the VCX primary and secondary IP addresses as its SIP proxy. All inbound telco calls (DIDs) are redirected by the SIParator to the VCX. Remote phones are configured to use the SIParator's public IP address as their SIP proxy address. Every phone SIP registration received by the SIParator is forwarded to the VCX for authentication; once authenticated, these remote phones can make outbound calls using their office extension and receive inbound calls to their office extension at home, all carried over the office telco connection.
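What the VCX does with a relayed REGISTER depends on whether the source is a Trusted End Point. The Python below is an added example, not 3Com's or Ingate's code: it implements the standard SIP Digest challenge (RFC 3261, MD5 without qop) that an untrusted registration must pass, and accepts a trusted source without any challenge. The trusted address 10.51.77.102, the realm, the extension 1001 and its password are constructed for the example; nothing about the VCX's internal behaviour beyond what this note states is documented here.

```python
"""VCX-side handling of a relayed REGISTER: Trusted End Point check, then SIP
Digest (RFC 3261 / RFC 2617, MD5, no qop) for everyone else. Added example,
not 3Com or Ingate code; addresses, realm and user database are constructed."""
import hashlib
import hmac
import re
import secrets
from ipaddress import ip_address, ip_network

# Trusted End Points as entered on the VCX (IP + netmask). The note uses a host
# mask, so only the SIParator's trunk-side LAN address (10.51.77.102 is assumed
# here) is exempt from authentication. TOO_BROAD is what a 255.255.255.0 entry
# would trust instead: every host on the LAN. It is shown, not used.
TRUSTED_ENDPOINTS = [ip_network("10.51.77.102/255.255.255.255")]
TOO_BROAD = ip_network("10.51.77.0/255.255.255.0")

REALM = "vcx.sipdomain.com"
USERS = {"1001": "constructed-phone-secret"}   # extension -> password (constructed)
LIVE_NONCES: set = set()                       # nonces issued and not yet consumed


def is_trusted(src_ip: str) -> bool:
    return any(ip_address(src_ip) in net for net in TRUSTED_ENDPOINTS)


def covered_by(src_ip: str, network) -> bool:
    """Would this mask have exempted src_ip? Used to show the host-mask point."""
    return ip_address(src_ip) in network


def parse_sip(msg: str):
    """Split request line and headers; header names are case-insensitive."""
    lines = msg.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_digest(value: str) -> dict:
    """Parse 'Digest k="v", k2=v2' into a dict; empty dict if not a Digest."""
    if not value.startswith("Digest "):
        return {}
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value[len("Digest "):])
    return {k: quoted or bare for k, quoted, bare in pairs}


def digest_response(user: str, pw: str, method: str, uri: str, nonce: str) -> str:
    def h(s: str) -> str:
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = h(f"{user}:{REALM}:{pw}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")


def challenge():
    nonce = secrets.token_hex(16)
    LIVE_NONCES.add(nonce)
    return 401, f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5'


def handle_register(msg: str, src_ip: str):
    """Return (status code, WWW-Authenticate value or '')."""
    method, uri, h = parse_sip(msg)
    if is_trusted(src_ip):
        return 200, ""                       # Trusted End Point: no challenge at all
    p = parse_digest(h.get("authorization", ""))
    if not p or p.get("realm") != REALM or p.get("nonce") not in LIVE_NONCES:
        return challenge()
    pw = USERS.get(p.get("username", ""))
    if pw is None:
        return 403, ""
    expected = digest_response(p["username"], pw, method, p.get("uri", uri), p["nonce"])
    if hmac.compare_digest(expected, p.get("response", "")):
        LIVE_NONCES.discard(p["nonce"])      # nonce is single-use: replay gets a new 401
        return 200, ""
    return 403, ""


def phone_authorization(www_auth: str, user: str, pw: str, method: str, uri: str) -> str:
    """Phone side: build the Authorization header answering a 401."""
    p = parse_digest(www_auth)
    resp = digest_response(user, pw, method, uri, p["nonce"])
    return (f'Digest username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def register_flow(src_ip: str, user: str, pw: str) -> list:
    """Send REGISTER, answer one 401 if challenged; return the status codes seen."""
    uri = f"sip:{REALM}"
    base = f"REGISTER {uri} SIP/2.0\r\nFrom: <sip:{user}@{REALM}>\r\nTo: <sip:{user}@{REALM}>\r\n"
    code, www_auth = handle_register(base + "\r\n", src_ip)
    codes = [code]
    if code == 401:
        auth = phone_authorization(www_auth, user, pw, "REGISTER", uri)
        code, _ = handle_register(base + f"Authorization: {auth}\r\n\r\n", src_ip)
        codes.append(code)
    return codes
```

A registration relayed from 10.51.77.100 (the phone-facing LAN address) goes 401 then 200 only with the right password; the same REGISTER from the trusted trunk address is accepted outright, which is exactly why remote phone traffic must never be relayed from that address. Note also what a too-broad mask would do: TOO_BROAD contains every 10.51.77.x host, so entering 255.255.255.0 as the Trusted End Point mask would let any machine on the LAN skip the Digest exchange; the host mask 255.255.255.255 used in the VCX configuration below limits the exemption to the single SIParator address. Digest with MD5 keeps the password itself off the wire but protects nothing else in the message; confidentiality and integrity of the signaling come from TLS, listed among the SIParator's security features.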
VCX Configuration
Defining a device on the VCX 8.0.7e as a Trusted End Point can now be done using the web interface. Note: in versions prior to 8.x, creating a trusted endpoint was a two-step process; refer to the documentation for those versions for details.
Using the VCX Web Configuration GUI

1. Point a browser at the VCX server IP address (e.g. http://158.101.74.100). The VCX login screen appears. Select the Central Management Console option.

2. Enter a VCX username and password with administrative access. (New VCX installations have the default username admin and password besgroup; change this default before the system is reachable by anyone other than the installer.) Click Submit.

5. Click the Trusted End Points tab on the right of the screen to add a device IP address.
   b. Enter the endpoint configuration as follows:
      IP Address: IP address of the SIParator
      Netmask: use a host mask of 255.255.255.255
   The host mask limits the trust exemption to that single address. A wider mask would let every host in the range send the VCX unauthenticated SIP, so keep it at 255.255.255.255, and make sure the address entered is the one the SIParator uses for SIP trunk traffic, not the one that relays remote phone registrations (see Testing Observations, item 1).

6. Click the End Points tab on the right of the screen to add a device name for the SIParator to the list of endpoints.
   a. Select the Add End Point button.
   c. Enter the endpoint configuration as follows:
      Type: Gateway
      Active: Yes
      Name: the name of the device, i.e. SIParator B2BUA
      Description: a description of the device, i.e. Ingate
      Site Id: your VCX site ID
      IP Address: the SIParator IP address
      Port Number: port number (usually 5060)
      Click the Save button.
   d. The List of End Points table appears, listing the new endpoint.

7. Click the Routes tab to create a route with one or more endpoints.
   a. Select the Add Route button, give the route a name, i.e. SIParator B2BUA, and select Save.
   d. From the list of available endpoints, put a check mark next to SIParator B2BUA and select the Assign Selected button.

8. Click the Patterns tab and, if needed, create a pattern that a call must match for the VCX to send the call to the SIParator. Note: this step was skipped because the most common patterns are already defined by default on the VCX; the existing pattern 81* was used in testing.

9. Click the Routes tab and create a route plan that lets the VCX send calls to the SIParator. Click the Add Route Plan button.
   g. In the Name field, enter a name for the route plan, i.e. Outbound SIP Trunk.
   h. Under Pattern, select the pattern 81*.
   i. Under Route, select the route SIParator B2BUA just created.
   j. Under Active, select the button to enable it with a check mark.

10. Click Save, which returns to the Routes screen, where the route plan Outbound SIP Trunk should now be displayed.
3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION
Page 45 of 78
3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION
Page 46 of 78
3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION
Page 47 of 78 3) The PC/Server with the Startup Tool should be located on the same LAN segment/subnet. It is required that the Ingate unit and the Startup Tool are on the same LAN Subnet to which you are going to assign an IP Address to the Ingate Unit. Note: When configuring the unit for the first time, avoid having the Startup Tool on a PC/Server on a different Subnet, or across a Router, or NAT device, Tagged VLAN, or VPN Tunnel. Keep the network Simple.
4)
Proceed to Section: Using the Startup Tool for instructions on using the Startup Tool.
3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION
Page 48 of 78
3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION
3)
Page 49 of 78 In the Select first what you would like to do, select Configure the unit for the first time.
4)
Other Options in the Select first what you would like to do,
3Com Open Network Solutions Lab Application Notes Authors: Scott Beer 3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION
a.
b.
c.
d.
e. f.
Page 50 of 78 Select Configure Remote SIP Connectivity if you want the tool to configure Remote Phone access to the 3Com VCX server. Select Register this unit with Ingate if you want the tool to connect with www.ingate.com to register the unit. If selected, consult the Startup Tool Getting Started Guide. Select Upgrade this unit if you want the tool to connect with www.ingate.com to download the latest software release and upgrade the unit. If selected, consult the Startup Tool Getting Started Guide. Select Backup the created configuration if you want the tool to apply the settings to an Ingate unit and save the config file. Select Creating a config without connecting to a unit if you want the tool to just create a config file. Select The tool remembers passwords if you want the tool to remember the passwords for the Ingate unit.
5) In the Inside (Interface Eth0) section:
a. Enter the IP Address to be assigned to the Ingate unit.
b. Enter the MAC Address of the Ingate unit; this MAC Address is used to find the unit on the network. The MAC Address can be found on a sticker attached to the unit.
6) In Select a Password, enter the Password to be assigned to the Ingate unit.
Once all required values are entered, the Contact button becomes active. Press the Contact button to have the Startup Tool find the Ingate unit on the network and assign the IP Address and Password.
Configuration Steps: 1) Launch the Startup Tool. 2) Select the Model type of the Ingate unit, and then click Next.
3) In Select first what you would like to do, select Change or update configuration of the unit.
4) Other options in Select first what you would like to do:
a. Select Configure Remote SIP Connectivity if you want the tool to configure Remote Phone access to the 3Com VCX server.
b. Select Register this unit with Ingate if you want the tool to connect with www.ingate.com to register the unit. If selected, consult the Startup Tool Getting Started Guide.
c. Select Upgrade this unit if you want the tool to connect with www.ingate.com to download the latest software release and upgrade the unit. If selected, consult the Startup Tool Getting Started Guide.
d. Select Backup the created configuration if you want the tool to apply the settings to an Ingate unit and also save the config file.
e. Select Creating a config without connecting to a unit if you want the tool to only create a config file.
f. Select The tool remembers passwords if you want the tool to remember the passwords for the Ingate unit.
5) In the Inside (Interface Eth0) section:
a. Enter the IP Address of the Ingate unit.
Once all required values are entered, the Contact button becomes active. Press the Contact button to have the Startup Tool contact the Ingate unit on the network.
Network Topology
The Network Topology page is where the IP Addresses, Netmasks, Default Gateway, Public IP Address of the NATed Firewall, and DNS Servers are assigned to the Ingate unit. The configuration of the Network Topology depends on the deployment (Product) type: each type has its own set of programming and deployment requirements, so be sure to pick the Product Type that matches the network setup.
Configuration Steps: 1) In the Product Type drop down list, select the deployment type of the Ingate Firewall or SIParator. Hint: match the picture to the network deployment. 2) When a Product Type is selected, the rest of the page changes based on the type selected. Go to the section below that matches your choice: Firewall, DMZ SIParator, DMZ-LAN SIParator, LAN SIParator, or Standalone SIParator.
2) Define the Inside (Interface Eth0) IP Address and Netmask. This is the IP Address used on the LAN side of the Ingate unit.
3) Define the Outside (Interface Eth1) IP Address and Netmask. This is the IP Address used on the Internet (WAN) side of the Ingate unit. a. A static IP Address and Netmask can be entered. b. Or select Use DHCP to obtain IP if you want the Ingate unit to acquire an IP address dynamically using DHCP.
4) Enter the Default Gateway for the Ingate Firewall. The Default Gateway for the Ingate Firewall is always a gateway IP Address within the network of the outside interface (Eth1).
5) Enter the DNS Servers for the Ingate Firewall. These DNS Servers are used to resolve FQDNs in SIP Requests and by other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.
2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the LAN network.
3) Define the Outside (Interface Eth1) IP Address and Netmask. This is the IP Address used on the Internet (WAN) side of the Ingate unit. a. A static IP Address and Netmask can be entered. b. Or select Use DHCP to obtain IP if you want the Ingate unit to acquire an IP address dynamically using DHCP.
4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator is the existing Firewall's IP Address on the DMZ network.
5) Enter the DNS Servers for the Ingate unit. These DNS Servers are used to resolve FQDNs in SIP Requests and by other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.
2) Define the IP Address and Netmask of the DMZ (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the DMZ network side on the existing Firewall.
3) Define the LAN IP Address Range, the lower and upper limit of the network addresses located on the LAN. This is the scope of IP Addresses contained on the LAN side of the existing Firewall.
4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator is the existing Firewall's IP Address on the DMZ network.
5) Enter the existing Firewall's external WAN/Internet IP Address. The SIParator needs it to produce correct SIP Signaling and Media for NAT traversal; it is required when the existing Firewall is providing NAT.
6) Enter the DNS Servers for the Ingate unit. These DNS Servers are used to resolve FQDNs in SIP Requests and by other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.
7) On the existing Firewall, the SIP Signaling port and the RTP Media ports need to be forwarded to the Ingate SIParator. The SIParator is an ICSA certified network edge security device built to receive this traffic directly, so forwarding it to the SIParator is the intended deployment. Even so, forward only the ports listed below, forward them only to the SIParator's DMZ address, and keep the DMZ-to-LAN rules limited to SIP and RTP between the SIParator and the LAN range. On the existing Firewall:
a. Port forward the SIP Signaling port 5060 (UDP and TCP) on the WAN/Internet interface to the Ingate SIParator.
b. Port forward the RTP Media port range 58024 to 60999 (UDP) to the Ingate SIParator.
c. If necessary, add a rule that allows SIP Signaling on port 5060 (UDP and TCP) from the DMZ network to the LAN network.
d. If necessary, add a rule that allows the RTP Media port range 58024 to 60999 (UDP) from the DMZ network to the LAN network.
2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address used on the Ingate unit to connect to the LAN network.
3) Define the IP Address and Netmask of the DMZ (Interface Eth1). This is the IP Address used on the Ingate unit to connect to the DMZ network side of the existing Firewall. a. A static IP Address and Netmask can be entered. b. Or select Use DHCP to obtain IP if you want the Ingate unit to acquire an IP address dynamically using DHCP.
4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator is the existing Firewall's IP Address on the DMZ network.
5) Enter the existing Firewall's external WAN/Internet IP Address. The SIParator needs it to produce correct SIP Signaling and Media for NAT traversal; it is required when the existing Firewall is providing NAT.
6) Enter the DNS Servers for the Ingate unit. These DNS Servers are used to resolve FQDNs in SIP Requests and by other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.
7) On the existing Firewall, the SIP Signaling port and the RTP Media ports need to be forwarded to the Ingate SIParator. The SIParator is an ICSA certified network edge security device built to receive this traffic directly, so forwarding it to the SIParator is the intended deployment; still, forward only the ports listed below and only to the SIParator's DMZ address. On the existing Firewall:
a. Port forward the SIP Signaling port 5060 (UDP and TCP) on the WAN/Internet interface to the Ingate SIParator.
b. Port forward the RTP Media port range 58024 to 60999 (UDP) to the Ingate SIParator.
2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address used on the Ingate unit to connect to the LAN network.
3) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator is the existing Firewall's IP Address on the DMZ network.
4) Enter the existing Firewall's external WAN/Internet IP Address. The SIParator needs it to produce correct SIP Signaling and Media for NAT traversal; it is required when the existing Firewall is providing NAT.
5) Enter the DNS Servers for the Ingate unit. These DNS Servers are used to resolve FQDNs in SIP Requests and by other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.
6) On the existing Firewall, the SIP Signaling port and the RTP Media ports need to be forwarded to the Ingate SIParator. The SIParator is an ICSA certified network edge security device built to receive this traffic directly, so forwarding it to the SIParator is the intended deployment; still, forward only the ports listed below and only to the SIParator's address. On the existing Firewall:
a. Port forward the SIP Signaling port 5060 (UDP and TCP) on the WAN/Internet interface to the Ingate SIParator.
b. Port forward the RTP Media port range 58024 to 60999 (UDP) to the Ingate SIParator.
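The SIParator topologies above all rely on two things the Startup Tool cannot verify for you: that the existing Firewall really forwards UDP/TCP 5060 and UDP 58024 to 60999 to the SIParator, and that the SIParator advertises the Firewall's external WAN address (the value entered in the step above) rather than its private DMZ address. The script below is an added example written for this note; it is not code from the 3Com application note, from Ingate, or from the Startup Tool. It builds a SIP OPTIONS probe (RFC 3261, with the rport parameter of RFC 3581) to send from a host outside the Firewall, and checks a response's Contact header and any SDP body against the public IP and the forwarded RTP range. The addresses 203.0.113.10, 198.51.100.7 and 172.16.1.20 and the two sample responses are constructed for illustration and are not captures from a real unit.

```python
"""Post-deployment checks for a SIParator behind an existing NAT firewall.
Added example, not code from the 3Com note or from Ingate.  Assumptions:
FIREWALL_WAN_IP is the Firewall's external address entered in the Startup
Tool; SIP is forwarded on UDP/TCP 5060 and RTP on UDP 58024-60999."""
import re
import socket
import uuid

SIP_PORT = 5060
RTP_RANGE = range(58024, 61000)       # 58024..60999 inclusive, the forwarded range
FIREWALL_WAN_IP = "203.0.113.10"      # assumption (RFC 5737 documentation address)


def build_options(target_ip, local_ip, local_port, target_port=SIP_PORT):
    """SIP OPTIONS request (RFC 3261).  The bare ';rport' Via parameter
    (RFC 3581) asks the far end to echo the source address/port it saw,
    which tells you whether the probing host is itself behind NAT."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]
    return "\r\n".join([
        f"OPTIONS sip:{target_ip}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport",
        f"From: <sip:probe@{local_ip}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{target_ip}:{target_port}>",
        f"Call-ID: {uuid.uuid4().hex}@{local_ip}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{local_ip}:{local_port}>",
        "Max-Forwards: 70",
        "Content-Length: 0",
    ]) + "\r\n\r\n"


def parse_sip(raw):
    """Split a SIP message into (start line, {header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def status_code(start_line):
    """'SIP/2.0 200 OK' -> 200.  Any response at all proves the 5060 forward
    works; which code comes back depends on the SIParator's SIP policy."""
    return int(start_line.split()[1])


def contact_host(headers):
    """Host part of the first Contact URI, or None if there is no Contact."""
    contact = headers.get("contact")
    if not contact:
        return None
    m = re.search(r"sip:(?:[^@>]*@)?([^:;>]+)", contact[0])
    return m.group(1) if m else None


def check_sdp(body, public_ip):
    """Problems in an SDP body: a c= address other than the public IP (the
    far end would send media to an unreachable DMZ address) or an m= port
    outside the forwarded RTP range (the Firewall would drop the media)."""
    problems = []
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[-1]
            if addr != public_ip:
                problems.append(f"SDP c= address {addr} is not {public_ip}")
        elif line.startswith("m="):
            port = int(line.split()[1])
            if port not in RTP_RANGE:
                problems.append(f"SDP m= port {port} is outside 58024-60999")
    return problems


def check_response(raw, public_ip):
    """List of NAT-traversal problems in a SIP response; empty means OK."""
    _start, headers, body = parse_sip(raw)
    problems = []
    host = contact_host(headers)
    if host is not None and host != public_ip:
        problems.append(f"Contact host {host} is not {public_ip}")
    if "application/sdp" in headers.get("content-type", [""])[0].lower():
        problems.extend(check_sdp(body, public_ip))
    return problems


def probe(target_ip=FIREWALL_WAN_IP, timeout=2.0):
    """Send the OPTIONS probe over UDP from outside the Firewall and return
    the parsed response.  Needs network access; not used by the offline checks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((target_ip, SIP_PORT))
        local_ip, local_port = s.getsockname()
        s.send(build_options(target_ip, local_ip, local_port).encode())
        data = s.recv(4096)
    return parse_sip(data.decode(errors="replace"))


def _sample_response(contact_ip, media_ip, media_port):
    """Constructed 200 OK with SDP for offline checks; not a real capture."""
    body = "\r\n".join(["v=0", "s=-", f"c=IN IP4 {media_ip}", "t=0 0",
                        f"m=audio {media_port} RTP/AVP 0 8"]) + "\r\n"
    return "\r\n".join([
        "SIP/2.0 200 OK",
        "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKabc;received=198.51.100.7;rport=5060",
        "From: <sip:probe@198.51.100.7>;tag=1", "To: <sip:203.0.113.10:5060>;tag=2",
        "Call-ID: abc@198.51.100.7", "CSeq: 1 OPTIONS",
        f"Contact: <sip:{contact_ip}:5060>", "Content-Type: application/sdp",
        f"Content-Length: {len(body)}",
    ]) + "\r\n\r\n" + body


GOOD_RESPONSE = _sample_response("203.0.113.10", "203.0.113.10", 58024)
BAD_RESPONSE = _sample_response("172.16.1.20", "172.16.1.20", 10000)  # DMZ address leaked
```

Run probe() from a host on the Internet side once the forwards are in place: no response within the timeout means the 5060 forward (or the SIParator's SIP policy) is blocking the probe; a response whose check_response() list is non-empty means the external WAN/Internet IP Address step was skipped or mistyped, or media ports fall outside the range the Firewall forwards.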
IP-PBX
The IP-PBX section is where the IP Address and SIP Domain of the IP-PBX are provided to the Ingate unit. This configuration tells the Ingate unit where the 3Com VCX server is, so that it can direct SIP traffic from the Remote Phones to it. The IP Address of the 3Com VCX server must be on the same network subnet as the IP Address of the inside interface of the Ingate unit. Ingate has confirmed interoperability with the 3Com VCX.
Configuration Steps: 1) In the IP-PBX Type drop down list, select the 3Com vendor. The unique requirements established during Ingate's interoperability testing with the 3Com VCX are built into the Startup Tool.
2) Enter the IP Address of the 3Com VCX. The IP Address should be on the same LAN subnet as the Ingate unit.
3) This solution requires a FQDN for the SIP Domain of the 3Com VCX. This domain name is used to route SIP Requests to the 3Com VCX associated with that domain. Select Use domain name and enter the FQDN.
Upload Configuration
At this point the Startup Tool has all the information required to push a database into the Ingate unit. The Startup Tool can also create a backup file for later use.
Configuration Steps: 1) Press the Upload button. If you would like the Startup Tool to create a Backup file also select Backup the configuration. Upon pressing the Upload button the Startup Tool will push a database into the Ingate unit.
2) When the Startup Tool has finished uploading the database a window appears; after you press OK the Startup Tool launches the default browser and directs you to the Ingate Web GUI.
3) Although the Startup Tool has pushed a database into the Ingate unit, the changes have not yet been applied. Press Apply Configuration to apply the changes to the Ingate unit.
4) A new page then appears requesting to save the configuration. Press Save Configuration to complete the saving process.
LAN Interface: here the Trusted LAN IP Address, used exclusively for SIP Trunking, is separated from the Untrusted LAN IP Address used for Remote SIP Phones.
Remote SIP Connectivity: here is the actual association between the Remote SIP Phone WAN IP Address and the Untrusted LAN IP Address of the Ingate.
Routing Remote SIP Phones to the VCX Connect IP-PBX: here are the two forms of routing for the Remote SIP Phones. 1) 3Com Business Phones, with the WAN IP Address of the Ingate relaying to the LAN IP Address of the VCX Connect. 2) Other SIP Phones, with SIP Domain routing of the FQDN to the Primary and Secondary VCX Connect controller.
Verification Tests
1. Remote SIP Phone Registration
2. Basic Call: Local Extension calls Remote SIP Phone
3. Basic Call: PSTN Trunk calls Remote SIP Phone
4. Basic Call: Remote SIP Phone calls Local Extension
5. Basic Call: Remote SIP Phone calls PSTN Trunk
6. Attended Transfer: Local Extension calls Remote SIP Phone, Remote SIP Phone transfers Local Extension to PSTN Trunk
7. Attended Transfer: Local Extension calls Remote SIP Phone, Remote SIP Phone transfers Local Extension to another Local Extension
8. Attended Transfer: Local Extension calls Remote SIP Phone, Remote SIP Phone transfers Local Extension to another Remote SIP Phone
9. Attended Transfer: Remote SIP Phone calls Local Extension, Local Extension transfers Remote SIP Phone to PSTN Trunk
10. Attended Transfer: Remote SIP Phone calls Local Extension, Local Extension transfers Remote SIP Phone to another Local Extension
11. Attended Transfer: Remote SIP Phone calls Local Extension, Local Extension transfers Remote SIP Phone to another Remote SIP Phone
12. Unattended Transfer: Local Extension calls Remote SIP Phone, Remote SIP Phone transfers Local Extension to PSTN Trunk
13. Unattended Transfer: Local Extension calls Remote SIP Phone, Remote SIP Phone transfers Local Extension to another Local Extension
14. Unattended Transfer: Local Extension calls Remote SIP Phone, Remote SIP Phone transfers Local Extension to another Remote SIP Phone
15. Unattended Transfer: Remote SIP Phone calls Local Extension, Local Extension transfers Remote SIP Phone to PSTN Trunk
16. Unattended Transfer: Remote SIP Phone calls Local Extension, Local Extension transfers Remote SIP Phone to another Local Extension
17. Unattended Transfer: Remote SIP Phone calls Local Extension, Local Extension transfers Remote SIP Phone to another Remote SIP Phone
18. Conference: Local Extension calls Remote SIP Phone, Remote SIP Phone conferences Local Extension with PSTN Trunk
19. Conference: Local Extension calls Remote SIP Phone, Remote SIP Phone conferences Local Extension with another Local Extension
20. Conference: Local Extension calls Remote SIP Phone, Remote SIP Phone conferences Local Extension with another Remote SIP Phone
21. Conference: Remote SIP Phone calls Local Extension, Local Extension conferences Remote SIP Phone with PSTN Trunk
22. Conference: Remote SIP Phone calls Local Extension, Local Extension conferences Remote SIP Phone with another Local Extension
23. Conference: Remote SIP Phone calls Local Extension, Local Extension conferences Remote SIP Phone with another Remote SIP Phone
24. Message Waiting
25. DTMF - PSTN
26. DTMF - Voicemail
Product Support
Product support can be obtained from the respective product suppliers.
Conclusion
In this application, the 3Com VCX solution is the IP-PBX and SIP Domain Server. It is the call control server providing the phone features and PBX functionality required by an enterprise. It resides on the private LAN segment of the enterprise, away from the Internet, with the Ingate in front of it as protection against attacks from outside. The Ingate SIParator or Firewall sits at the enterprise network edge, providing a security solution for data and SIP communications with E-SBC functionality. It is responsible for SIP communications security, applying Policy and Routing Rules so that only the SIP traffic intended for the enterprise is admitted. The SIP Phones can be of any vendor type, located anywhere across the Internet or on any remote network.