Académique Documents
Professionnel Documents
Culture Documents
for the
Comdasys Convergence series
&
Comdasys FMC series
Comdasys AG
Rüdesheimer Str. 7
D – 80686 München
Tel.: +49.89.5484333-0
Fax: +49.89.5484333-29
support@comdasys.com
http://www.comdasys.com
Disclaimer
We have taken all possible care to ensure that this manual contains correct, accurate informa-
tion. However, the manufacturer cannot assume liability for any possible errors. In addition,
the manufacturer cannot guarantee that the hardware will meet the purpose you require.
Comdasys reserves the right to make changes according to technical progress at any time.
Brand names may be registered trademarks and must be treated as such.
Copyright
c 2005-2008
Comdasys AG
80686 München, Germany
All rights reserved. No part of this manual may be reproduced, processed or distributed in any
form (print, photocopy, microfilm or any other process) or processed by an electronic system
without prior written permission from the manufacturer.
User Manual edition: May 2008
Contents
2005-2008
c Comdasys AG 3
1 Overview
2005-2008
c Comdasys AG 4
1.3 Scope of delivery (Convergence 30xx / 33xx)
2. Power cord
3. Network cable
4. Crossover network cable
5. Mounting brackets for 19” racks
6. RS232 console cable
7. Quick reference sheet
1. Convergence 30xx or 33xx with built-in power supply (the ports vary on what model you
purchased varying from 4+1 BRI ports to 2 E1/T1 ports)
2. Power cord
3. Network cable
4. Crossover network cable
5. Mounting brackets for 19” racks
6. RS232 console cable
7. Quick reference sheet
i Note that these devices are configured through an HTTP interface. The standard
configuration GUI is running on port 80. From there it is possible to configure everything
including the gateway components. It is possible to access the gateway configuration via a
separate GUI running on port 8080. Note however that any network setting you make there
will have no effect.
2005-2008
c Comdasys AG 5
1.4 Scope of delivery (Convergence 2600 / FMC 2800)
2005-2008
c Comdasys AG 6
1.5 Scope of delivery (Convergence 1600)
2005-2008
c Comdasys AG 7
1.6 Scope of delivery (Convergence 550 and 650)
2005-2008
c Comdasys AG 8
2 Basic configuration
The Convergence is configured by a web interface, that can be opened with the web browser
of your choice. Therefore, the Convergence configuration is independent of the operating
system used and can for example be accessed from Linux, Macintosh or Microsoft Windows
computers. It is also not necessary to install any special tools, except you want to copy files
or have command-line access. Please refer to the Command Line Guide documentation for
more information on that.
For the Web configuration, your web browser must support frames, but nowadays this ap-
plies to almost every modern browser. If you want to use the setup wizard you’ll also need
JavaScript support. Please make sure this is enabled in your web browser.
The LAN1 interface of the Convergence is configured to the following parameters by default.
Therefore, in order to be able to communicate with the Convergence , you need to configure
your PC to an address in the same subnet, as for example 10.0.0.206 .
2005-2008
c Comdasys AG 9
2.2 Establish a connection to the Convergence
! If you are dealing with a device that is equipped with a separate management inter-
face, you need to explicitly enable management access to the device via the LAN interface.
Please refer to section ?? section for more information about this topic.
2. Enter the username and password. The username is admin and the password in the
state of basic configuration is sesam.
For security reasons, you should change the default password as soon as possible.
Information on how this works can be found in section ??.
3. Select your language.
After having logged in successfully you should see the HTML page in figure ??. You
can change the language anytime on the Head.
• Page Header
2005-2008
c Comdasys AG 10
2.2 Establish a connection to the Convergence
The page header gives you information about the Convergence you are dealing with.
The Top Menu Bar is the top level navigation. This navigation gives you the major option to
select, namely Home, Apply Configuration (refer to ?? for more information), and Language.
The top navigation is a two level navigation. This manual is structured according to this
navigation. Select any of the top (main) menu points. When you do that, a submenu will open.
You are now able to make a selection and by selecting any of these points the configuration
will change. The main frame will remain empty until you do that.
The main frame will always contain the currently selected configuration screen. Use the ?? to
select what part of the Convergence you want to configure.
In the bottom line, you can find important product and software information on the bottom
right hand side. The most important thing is the software version which should be a four
digit number. This number can be followed by a dot. The number after this dot indicates the
patchset number the product contains. Note that Updates and Updates with included patches
install and behave exactly the same way. The numbering is just to indicate that this software
version is based on some major revision and just contains additional patches.
2.2.2 Home
When clicking home, you will always get to the status page.
2005-2008
c Comdasys AG 11
2.2 Establish a connection to the Convergence
The Convergence has a transaction based configuration mechanism. This means that any
changes you make, will only become active after applying the configuration changes. Clicking
the Apply Configuration options will finally store all changes made since you last applied and
restart the services as necessary through the configuration changes. If you do not want to
interrupt the operations of the Convergence , there is also a way of applying the configuration
changes for individual services only. Please refer to the ?? for more information on this.
The GUI follows a number of design principles. Understanding these is important for effec-
tively working with it.
There are both explicit as well as implicit default values. The explicit ones are set by default
in the WebGUI. Implicit ones are fields that can simply be left empty. The system will select
an appropriate value for you. You can leave all fields except the mandatory ones empty.
Mandatory values have to be configured. In the GUI, you can identify them by the symbol
behind the title. If left empty, you will receive an error message asking you to set the value.
The WebGUI does check the entered values for consistency and will not accept values failing
this check. This however cannot avoid misconfigurations since only basic sanity checks as
well as a syntax checking of the entered values is performed. These checks include tpye
checks (string or number, etc.), range checks (do entered numbers make sense), and basic
sanity checks (do certain parameters exclude each other, etc.).
2005-2008
c Comdasys AG 12
2.2 Establish a connection to the Convergence
Here you can see an alphabetical list of all services available on the Convergence. It is
possible to start, stop or restart services individually by clicking on Start: , Stop: or
Restart: . The button with the label Reapply configuration: allows you to make sure
that the corresponding parameters set in the Web interface are activated for the service. If
you want to make smaller configuration changes to individual services without affecting the
operation of all other services, you can make the appropriate changes and save them. Then
you come to this status page to apply the changes and restart the respective service.
The Status ”LEDs” show whether the corresponding service is (compare figure ??):
- active ; - inactive ; - disabled
2005-2008
c Comdasys AG 13
2.2 Establish a connection to the Convergence
Note that the product with integrated gateway devices have some special properties. First,
as already mentioned in this manual, you have to enter http://10.0.0.205 to correctly
connect. This means that the product is using the HTTP protocol as its default interface.
In addition to that, there is an additional menu entry in the configuration menu by the name
of Gateway. This menu point will bring you to the VoIP gateway configuration. When clicking
this menu, you will get to the configuration page shown in figure ??.
Here you will need to use the standard gateway credentials supplied with the gateway which
is public as username with an empty password. This will bring you into the gateway config-
uration. In order to get a description of the parameters there, please refer to the Mediatrix
3000 Series Digital Gateway documentation. Note that all menu points not making sense in
the integrated product have been made inaccessible.
The Convergence 4600 and 4800 provide an additional management interface for configu-
ration. The management interface is labeled FE on the front side of the appliance. Due to
2005-2008
c Comdasys AG 14
2.2 Establish a connection to the Convergence
additional available network interfaces the port arrangement differs from the other Comdasys
appliances.
For the Convergence 4xxx series the default IP address is configured on the management
interface instead of the primary lan interface.
2005-2008
c Comdasys AG 15
2.2 Establish a connection to the Convergence
Please refer to the table below for the port mappings on the front side of your 4xxx Conver-
gence series.
Label Usage
CON Connector for serial console
FE Management Interface, Fast Ethernet Connector
Key USB Connector, e.g. for attaching a keyboard
B1 GBIC Interface 1
B2 GBIC Interface 2
A1 LANA Interface
A2 LANB Interface
A3 DMZ Interface
A4 WAN Interface
2005-2008
c Comdasys AG 16
3 Expert mode
The Expert Mode assumes familiarity with the concepts of IP networking and if applicable with
those of VoIP.
In the expert mode you can find all configuration parameters structured in a two level menu.
The configuration can be performed in any order.
System In the section, you can configure all the system basics, update the unit, factory reset the unit, as we
Network The network part lets the user configure all interfaces, virtual interfaces, traffic shaping and other n
VPN
2005-2008
c Comdasys AG 17
3.1 System
Voice-over-IP The VoIP settings contain all the Session Border Controller configurations, Survivability functi
Fixed Mobile Convergence This sections contains all FMC related settings. Note that changes here usually
Diagnostics
Changing menu items marked with ? will be applied immediately, in contrast to the remain-
ing items, which will only be applied after excecuting Apply configuration , or the Reapply
Configuration followed by a restart of the respective service in the Status page. Using Apply
configuration will cause all services to restart.
3.1 System
In this section you can adjust date and time, specify a domain name server (DNS server) and
a host name for the Convergence. Note that the date and time settings will be overridden by
any NTP server settings. If an NTP server is set, the clock is synchronized from there. The
system name should be set for administrative purposes. It is not a crucial setting. The system
name is however shown as the command prompt when you access the system via command
line interface. There it is very helpful to see the system you are on.
2005-2008
c Comdasys AG 18
3.1 System
i The time and date setting will be applied immediately without the need of pressing
Apply Configuration.
Timezone
Usually NTP servers utilize GMT (Greenwich Median Time). Therefore to get the correct
timezone on your device, you need to set the time zone where the device is located. There
are two types of timezones that are supported by the device. The GMT timezones simply
define a fixed offset from GMT / UTC time. This however does not include daylight savings
time. The change between normal and daylight savings time occurs at different times in
different parts of the world. These are coded in the regional time zones (e.g. CET for Central
2005-2008
c Comdasys AG 19
3.1 System
European Time). If you select such a timezone the switch to daylight savings time and back
is done automatically by the device.
System name
The entered name must not contain any whitespace or special characters. Any system name
you set here should correspond with any name you assinged in a DNS server. Non matching
forward and reverse lookups as well as differing host names will cause problems with various
services.
By clicking the button Save , the settings will be applied.
With this menu item, the password for accessing the Convergence can be changed. The
default password is sesam. It is highly recommended to change it before connecting the
appliance to the Internet.
The chosen password should not contain whitespace, since such a password might be man-
gled by the used browser. If you still want to set such a password, please use the CLI interface
to avoid such browser problems. If you want to use passwords with special characters, please
check the Command Line Guide for information on how to safely accomplish this. By clicking
the button Save the new password will be applied.
The new password applies both for access over the web interface and over command line
interface (serial console, SSH).
! The new password will be applied immediately. This means that right after changing
the password with your browser, you will be asked for it to continue with the configuration.
2005-2008
c Comdasys AG 20
3.1 System
! By default the password length is limited to 8 characters for the WebGUI administra-
tion. Excess characters will be ignored silently. There are however ways to increase this
limit (e.g. by using RADIUS) , or to use certificate based authentication. Please refer to the
Command Line Guide for more information.
2005-2008
c Comdasys AG 21
3.1 System
Comdasys will publish regular system updates for their delivered systems. For unregistered
users without special maintenance agreements, these can be downloaded from the web page
http://www.comdasys.com. Users with special maintenance agreements will also get
software upgrades providing additional functionality. If you are interested, please contact us
via email: info@comdasys.com.
With this menu item, a local file on your PC can be selected and the update process can be
started. Depending on the network connection, this upload can take up to several minutes.
The update can even fail if done over a low bandwidth WAN link. It is not recommended to
perform the update with a connection of less than 128 kbit/s. However, aborted updates do
not harm the Convergence or influence it in any way.
After the update process, there will not be an automatic reboot or restart of services. In order
for the Update to take effect, you will need to reboot your Convergence system. You can
however perform this reboot at a later time. Having uploaded the update will have no effect
on the running system, since this will only install the update into the flash.
! You should not import old configurations into a more recent versions of the Conver-
gence system. You should have the configuration on the Convergence prior to the update.
During the update process, this configuration will be converted.
! Please refer to the Release Notes before doing an Upgrade. These might contain
special instructions to consider before upgrading to a certain version.
i Although the approach has been documented for an Update here, the exact same
thing can be done for a downgrade as well. This means that you can select an older
version just as if you were uploading a more recent file. Note that you will have to reapply
the configuration after rebooting the system when having downgraded. Note also that not
all services might come up properly after a reboot. Only after reapplying the configuration
this can be ensured. Note that you should only use compatible configurations with older
versions. This can be accomplished by reverting to a saved configuration or by doing a
factory reset.
i A timeout can occur while uploading an update. The Convergence has a hard set
timeout of 2 hours. This means that any upload will abort after this time if it has not com-
pleted. Note that your browser might interrupt the upload quicker than that.
2005-2008
c Comdasys AG 22
3.1 System
2005-2008
c Comdasys AG 23
3.1 System
Installing an update
1. Download the update and Readme (if applicable) file for the desired version and store
it on your PC. The current version of the Convergence can always be found in the right
bottom corner of the web interface.
2. Select the downloaded update file in the web interface.
3. Click the button Upload for upload.
4. If necessary, do additional configuration steps as recommended in the enclosed
Readme file. If there is none, no special considerations have to be taken.
5. Reboot the system in order for update to take effect.
6. Click Apply Configuration to adapt the configuration
i After rebooting with the new software version, please make sure to click Apply Con-
figuration to adapt the configuration to the new software version
Installing an update for the Convergence 30xx/33xx wit Integrated Voice Gateway
The Voice Gateway Software is separate from the system software, and therefore it must be
updated separately. The Gateway software update is packaged like a hotfix, but it is a full
software update for the gateway component.
1. Download the Gateway update bundle (GW Software Update) and store it on your
PC.
2. Unpack this ZIP archive, it will contain the software file (ending in .sh) and maybe
some documentation and release notes.
3. Select the downloaded update file (muse....sh) in the Upload Update Web Interface.
4. Click the button Upload for upload and wait for the Update to complete.
5. Reboot the system in order for update to take effect.
2005-2008
c Comdasys AG 24
3.1 System
3.1.4 Provisioning
The Convergence features provisioning facilities that can be used for mass deployment.
With that it is possible to create a more or less standard configuration plus a list of vari-
ables that are different for the respective Convergence . Provisioning is always a very project
specific topic where there is no real general answer. Suffice to say that Provisioning facil-
ities are present and can be used. For further information please contact your reseller or
support@comdasys.com .
In this section you can save or restore the configuration of the complete Convergence. By
clicking the button Save , the most important configuration files will be saved into an archive
file
configuration-<date>.cpio.gz
offered for download.
2005-2008
c Comdasys AG 25
3.1 System
Restoring configuration
1. Select the location of the backup file stored on your PC
2. Click the button Send for Upload
3. Apply configuration
i Note that this configuration saving applies to all necessary parameters for the Con-
vergence . This includes all FMC data like users and configured hosts registrations. It will
hence include the complete FMC database snapshot at the time the backup is made. If you
are using a product with integrated voice gateway functionality, this will also include e.g. the
ISDN configuration.
! The language of the GUI is also stored in the configuration archive, since it is part
of the configuration. This means if you restore a configuration later, the language might
change.
2005-2008
c Comdasys AG 26
3.1 System
! This mechanism is intended for backing up and restoring configurations on the same
devices. Please do not use this for provisioning purposes by creating a default configura-
tion and then replicating this to multiple devices. Note that also device specific files will be
included in this archive that you do not want to replicate to arbitrary devices. This however
does enable you to make a one-to-one restoration of a failed device. Saved configurations
do only work on equal restoration devices. Do not use a saved configuration from one de-
vice on a different device type unless this procedure has been okayed by the manufacturer!
The Configuration Rollback enables you to revert the configuration of your box back to an ear-
lier status. It depends on when you last saved you configuration which ones you will be able to
roll back to. After performing a rollback, you will always have to press Apply Configuration
to activate it. This will also provide you a chance to look at the restored configuration first,
before activating it.
i Before doing bigger changes to your configuration, it is always wise to go to this page
and save the current configuration. This will enable you to roll back to this conifguration at
a later point in time.
i Every time you use the Apply Configuration the current configuration will be
stored.
The naming convention of the stored configurations is as follows: DATE-TIME. The date will
be formatted as year month day always with two digits followed by a minus followed by the
time in 24 hours format. The following is an example filename of a backup ( 080311-1423)
done on March 11th 2008 at 14:23.
Number of Configurations
This field defines how many configurations should be stored on the system. You have a
choice between ’5’, ’15’ or ’25’ stored configurations. Saving a configuration will fail if there
is no space available on the system. The system however has been designed to provide
enough space for all of the above mentioned settings. This however does not necessarily
apply if additional data has been manually copied to the system in CLI mode.
Previous Configuration
Select the configuration you want to restore here by using the drop-down box. To activate this
configuration, you will need to select Apply Configuration .
2005-2008
c Comdasys AG 27
3.1 System
2005-2008
c Comdasys AG 28
3.1 System
! A restored configuration will not automatically be active after a reboot. The correct
procedure it to always press Apply Configuration after performing a restore. A reboot is
not necessary.
i The Backup will include all FMC settings, therefore you should be careful because
for example newly created users will get lost.
Active
You need to check this in order to enable the functionality.
Type
You can select between FTP and SCP. Note that you should use secure copy (SCP) whenever
possible because the backed up configuration also includes passwords, but also note that
using SCP needs some manual setup which is described below.
Servername
Specifiy the server to backup to here. You can either specify an IP address or a hostname
here. If you are using hostnames here make sure the DNS server has been set on the Basic
Settings page.
Path
You also need to specify a path on the server here, where the files should be stored. This
path is usually relative to the default login directory of the specified user.
2005-2008
c Comdasys AG 29
3.1 System
2005-2008
c Comdasys AG 30
3.1 System
Username
You have to specify a username here. If the FTP server does not require authentication, you
should still specify some name here e.g. anonymous.
Password
Specify the password of the defined user on the server. If this setting is incorrect, the backup
will fail. In that case you should check your server logs to see if there is an authentication
mismatch. This setting does not apply to SCP !
Interval
You have a choice of different backup intervals here. The following settings are possible:
• Daily: This will back up the configuration any day. Set the time in the Interval field.
• OnChange: This will create a backup after every material change (this does not include
changes to the FMC configuration)
• Hourly: This will create a backup every hour. There is no need for additional settings.
• Weekly: Backup every week. Select the day via the Interval field.
Time/Day of Week
The setting in the field always has to be an integer, and is only relevant if you have set the
Interval field to either Daily or Weekly.
If Daily is configured there, this field represents the time in full hours (24 hour time) when the
backup should be performed.
If Weekly is selected, this is the day of the week where 1 is Monday.
i The backup archive format of the automatic backup is identical with the backup format
for the manual Configuration Backup. In order to restore a backed up configuration, you
should hence use the Confguration Backup page. See ?? for more information.
i To configure SCP, some manual setup is needed. First, you need to log in to your
Convergence via SSH. If not already done, you need to run ssh-keygen -t dsa to generate
an SSH key pair. Then you need to setup up key-based login to your backup account on the
backup host by running ssh-copy-id -i /root/.ssh/id dsa.pub [backupuser]@[backuphost].
You will then be prompted for the password for that account. After entering the password,
you should be able to log in to the backup account via ssh [backupuser]@[backuphost]
without being asked for the password (the key will be used for authentication instead). Once
that works you are ready to use SCP for remote backups.
2005-2008
c Comdasys AG 31
3.1 System
It may take up to two minutes until the Convergence is fully operational and reachable again.
Depending on the configured WAN type and the number of possibly configured VPN tunnels,
it can take even longer until all tunnels are available again.
2005-2008
c Comdasys AG 32
3.1 System
On this page it is possible to define the SSH and the HTTP/HTTPS port used for administra-
tion.
The Default values are 22 for SSH, 443 for HTTPS (or port 80 for HTTP on systems that don’t
use HTTPS), as recommended by the Internet Assigned Numbers Authority
(http://www.iana.org/assignments/port-numbers).
i Note that you do not need to change these values in most cases. Changing them is
mostly done for security purposes if administration through the WAN interface is enabled.
Using non standard ports makes it harder for scan programs to find these open ports.
The ’Restore the basic configurations’ page allows you to restore the basic configuration and
/ or reset the ’Dualmode’ database (only FMC products) on the factory state. Refer to figure
?? on page ?? for more information on this.
! Ater ’Restore the basic configuration’ the default IP address is 10.0.0.205 and subnet
mask is 255.255.255.0
3.1.11 Licenses
This product contains Open Source Software. Most Open Source Software mandates that the
license of the package is included with the product containing the software. Therefore, this
page lists all licenses of Open Source packages contained in this Convergence . A mouse
click on the package name shows the complete license text.
2005-2008
c Comdasys AG 33
3.2 Network
3.2 Network
The internet connection can be configured with the menu item WAN interface. There are the
following parameters that can be set up (compare figure ?? on page ??).
Connection via IP
If the Convergence is connected to the internet via a leased line or an internet router (xDSL
router, ISDN router, etc.), you have to choose IP and enter the information for your network.
For the field Gateway you should enter the address of your router (default gateway) for the
WAN connection.
2005-2008
c Comdasys AG 34
3.2 Network
2005-2008
c Comdasys AG 35
3.2 Network
If the connection uses PPPoE, the username and password is all you have to enter.
If the connection uses PPTP there is additional information needed: The internal IP address
of your DSL modem, the related netmask (both should be known by your provider) and a
matching IP address for your Convergence. The IP of the Convergence has to be in the
same network as the IP address of the modem. Please ask your provider or consult your
DSL modem/router manual about the IP settings of your modem. A common IP address is
10.0.0.138.
This menu item is used for configuring the primary LAN interface. There are the following
parameters that can be set up (compare figure ?? on page ??):
Dynamic IP address
Select this if you have a DHCP server in your LAN network that you want the Convergence
to obtain its IP address from. This only applies to bigger networks where the Convergence
acts for certain dedicated functionality (e.g. VoIP) only. For the NAT parameter see the Static
case.
! Since the Convergence serves as a server for certain protocols such as SIP, the IP
address of the device must be known to the user. Assigning a truly dynamic IP address
hence does not make much sense. DHCP however is frequently used as a tool for the
central administation of IP addresses. You can have DHCP assign a fixed IP address to
a device. This approach is controlled by the MAC address that can be configured in the
DHCP server.
Static IP address
The IP address of the Convergence’s primary LAN interface.
Netmask
The netmask for the IP address of the Convergence’s primary LAN interface.
2005-2008
c Comdasys AG 36
3.2 Network
2005-2008
c Comdasys AG 37
3.2 Network
NAT
This option should be chosen if there is an address translation required for the whole network
traffic from this LAN to the Convergence’s WAN address. This only applies to outgoing traffic
from the LAN to the WAN.
Generally this is needed, if your provider does not provide official IP addresses for your LAN
(the usual case) and your Convergence is used as an internet router.
! You cannot specify a default gateway here directly. The settings you see below are
for the DHCP server and are only assigned to the hosts in the network. They do not apply
for the Convergence itself. In order to specify a default gateway for the product, please
configure it with the WAN interface. If you do not want to configure a WAN interface and
still have a default gateway, please configure a routing entry. Please see ?? for more
information.
2005-2008
c Comdasys AG 38
3.2 Network
DHCP server
The Convergence is able to automatically assign IP addresses to computers connected to the
primary LAN interface.
If this functionality shall be used, this option has to be selected. Note that this option applies
to DHCP server functionality. Do not confuse this with the above described DHCP client
functionality. You should also make sure that you have no other DHCP server running in your
network since this can have very adverse effects.
from IP, to IP
If the Convergence is intended to be used as DHCP server you have to define the address
range the DHCP server will assign to clients requesting an IP address. This address range
must not contain IP addresses of any other configured computer configured with a static IP
address within this LAN.
Both addresses have to be in the same subnet as the Convergence IP address. The beginning
and the end of the range of course also have to be in the same subnet.
Domain
This is the DNS domain that will be assigned to the client. When using a hostname without
domain in the DHCP client, the domain name will be attached as the default domain.
Standard Gateway IP
By default, the Convergence itself acts as a standard gateway. Another standard gateway can
be set by ticking this checkbox and assigning an IP address below.
2005-2008
c Comdasys AG 39
3.2 Network
4. Optionally you can specify DNS and NTP servers that will be transmitted and as-
signed to the computers that are using DHCP.
5. Save changes by clicking on Save . Your changes will be applied after selecting
Apply configuration.
2005-2008
c Comdasys AG 40
3.2 Network
There are several options for configuring the secondary LAN interface (Compare figure ?? on
page ??):
Deactivated
The secondary LAN interface will not be used.
DMZ
i This option is only available on Convergences which don’t feature a dedicated DMZ
interface (see section ??).
The secondary LAN interface serves for a so called demilitarized zone (DMZ); a secure net-
work area, that is separate both from the internet and from the local network. It is mostly used
for servers that shall be reachable from both the internal network and the internet. (e.g. mail
server, web server, etc.)
In this scenario, only the Convergence IP address and netmask in this DMZ has to be speci-
fied. There are no more options left.
2005-2008
c Comdasys AG 41
3.2 Network
Internal net
In this scenario, the secondary interface will be treated exactly the same way as the primary
one.
The possiblities of configuration are therefore the same as in section ??.
2005-2008
c Comdasys AG 42
3.2 Network
i This option is only available on a Convergence 2600, 3600, and 4600 and on FMC
2800, 3800, 4800
The DMZ interface can be used for implementing a so called demilitarized zone (DMZ); a
secure network area, is separate from both the internet and from the local network. It is
usually being used for servers that shall be reachable from both the internal network and the
internet. (e.g. mail server, web server, etc.). A DMZ will usually have official IP addresses. If
you want to provide services to the internet and want the servers to have private IP addresses,
we are not talking about full DMZ functionality, but rather about port forwarding. Please refer
to the Firewall section for more information on that.
The DMZ interface is deactivated by default. If you choose to activate it by selecting the
radio-button DMZ. To configure the DMZ, only the Convergence ’s IP address and netmask
for this DMZ have to be specified. There are no more options left. Typically you will want to
restrict access to the DMZ. For more information on that, refer to the Firewall section for
more information on that.
2005-2008
c Comdasys AG 43
3.2 Network
2005-2008
c Comdasys AG 44
3.2 Network
With the help of this menu item, it is possible to make the Convergence reachable from the
internet even if a dynamic IP address is assigned by your provider. The principle is very
simple. If a DynDNS provider is set up, the Convergence will post its current IP address each
time it is assigned a new one. This is the only possibility for setting up a VPN tunnel between
two VPN routers without static IP addresses.
For being able to use a dynamic DNS service, you have to register a name with such a service
(most DynDNS providers offer this basic service free of charge). This name and the essential
username and password for updating must be specified here together with the provider of the
service.
The Convergence can run a name server in order to forward and resolve DNS queries. On
this page you can manage the list of forwarders to be used. It will act as a caching server not
2005-2008
c Comdasys AG 45
3.2 Network
Provider Register at
DHS http://www.dhs.org
DynDNS http://www.dyndns.org
DyNS http://www.dyns.cx
easyDNS http://www.easydns.com
EZ.net http://www.ez-ip.net
HN.org http://www.hn.org
JustLinux http://www.justlinix.com
ODS http://www.ods.org
TZO.com http://www.tzo.com
ZoneEdit http://www.zoneedit.com
2005-2008
c Comdasys AG 46
3.2 Network
2005-2008
c Comdasys AG 47
3.2 Network
forwarding each individual query but rather only query once for each domain name (requeries
will be done according to the expiry times specified in the DNS names resovled). Therefore,
this functionality can also be used for performance improvement with applications that do a lot
of name server lookups. A simple configuration would be to enter the DNS server assigned
by your Internet provider. The PCs should then no longer contact this server for DNS, but the
Convergence which would then act as a caching forwarder.
Instead of configuring a forwarder for all requests, the DNS server can also be run as a slave
server for certain zones, or as a forwarder for certain zones. As slave server, it would not only
act as a caching proxy for certain zones, but as an authoritative name server.
2005-2008
c Comdasys AG 48
3.2 Network
3.2.7 Routing
With this menu item you can configure additional routing entries. Standard routes like the
default route and routing between the different configured interfaces is generated automati-
cally. Hence, this menu only has to be used for any additional routes desired. Note that you
only set the routes for outgoing IP packets here. In order to make the network behind the
Convergence accessible from your network, you have to make sure that the network towards
the Convergence is handled correctly.
Use to edit, or to delete an existing entry.
New routes are created by entering the matching values in the last row and can be applied by
clicking the button New .
2005-2008
c Comdasys AG 49
3.2 Network
4. Gateway The address of the gateway router that connects the destination network
with the local network. This address must be accessible via a local interface. The
gateway must hence represent the next hop that can be used for routing.
5. Interface The interface to which the gateway is connected (directly or indirectly via
one or more switches).
6. Click Save to save the changes. Your changes will be applied after selecting
Apply Configuration .
i Please beware when setting a default route here. Usually, the default route is aut-
matically set if the WAN interface is configured. In that case, the default route points to
the gateway specified in the WAN interface configuration. If you have established an ADSL
connection, the default gateway is usually assigned via DHCP. If you have no WAN interface
configured, you should specify a default gateway here. Specifying a default gateway works
by using destination 0.0.0.0 with netmask 0.0.0.0
Compare figure ?? on page ??.
3.2.8 Bandwidth
QoS and Bandwidth management makes it possible for you to exactly control your network
traffic. For this purpose, the allocation of bandwidth for different services and computers in the
network can be controlled with the available bandwidth management features. The bandwidth
management functionality is also used in conjunction with other functionalities described later,
as for example Call Admission Control. The following example will illustrate the concept:
You want to give precedence to the traffic of realtime applications like Voice-over-IP or Video
Conferencing, because maintaining a constant and low-jitter bandwidth is very critical for the
quality of these services. At the same time, concurrent internet traffic (e.g. for browsing web
pages) should not be shut down completely by too many concurrent real-time sessions. It
must of course by no means interfere with the performance of the prioritized service. Traf-
fic Shaping and QoS is very advanced functionality. You should know what you are doing
because you can easily prevent applications from functioning properly with misconfigurations
here. On the Internet, there is lots of information available on QoS and Traffic Shaping. An
in-depth explanation of the concepts would however be beyond the scope of this document.
The QoS configuration of the Convergence happens in so called classes, which are ordered
hierarchically. This approach is called hierarchical token bucket packet scheduling (HTB).
The classes’ names are composed as following:
2005-2008
c Comdasys AG 50
3.2 Network
The class id has to be unique for all classes! The configuration sections for the network
interfaces always exist, as long as the interface is configured. In that case, it can only be
changed but never deleted.
The only parameter of a network interface is the default class, the last number of the class’
ID, which will contain all of the data traffic not matched by any other class. Often this class
has only a small amount of bandwidth for itself since everything else is used by its children,
but can make heavy use of excess bandwidth.
Starting from any class in the list, you can arbitrarily create subclasses with the button on
the right hand side of the respective class. Now press the following button on the right hand
side of the respective class to get to the following mask.
The table for entering the configuration data contains the following fields:
Parent class
Shows the name of the parent class for this class. The traffic limit of a child must be less than
that of the parent. If a parent has multiple children, the sum of the bandwidths used by the
children should not exceed that of the parent class.
2005-2008
c Comdasys AG 51
3.2 Network
Description
Here you can enter a free description for making the setup easier to understand and main-
tain.
Rate
The bandwidth that will be provided for this class. All traffic, that passes through this class
will be shaped in a way, to not exceed this configured bandwidth limit. The unit is by default
”kilobit per second” but you can also enter Kbit, Mbit, bps, Kbps, Mbps. Note: bps stands
for ”bytes per second”.
Ceiling
This field defines the maximum amount of bandwidth this class can use at all. The difference
between rate and ceiling is the bandwidth that this class is allowed to “borrow” if there is
unused bandwidth available in the parent class. If this field is left blank, this class will never
borrow any bandwidth. If more than one class is demanding unused bandwidth, every class
gets allotted a contingent proportional to their own rate. In root classes, it makes no sense to
define a ceiling, because a root class cannot borrow bandwith from a parent class.
2005-2008
c Comdasys AG 52
3.2 Network
Priority
This field is used for setting the priority of the traffic for this class relatively to the classes on
the same level (sister classes). The bigger that number the lower the priority. Furthermore,
classes with higher bandwidths are preferred in the assignment of available bandwith.
2005-2008
c Comdasys AG 53
3.2 Network
! Never set a value smaller than MTU, since that will prevent larger packets from being
forwarded in one piece!
The parameter “Perturbation” defines the number of seconds after that SQF renews its hash
function for queuing incoming packets randomly. The default value is 10.
Both FIFO queues have the parameter “Limit”, which indicates the length of the queue. With
Byte FIFO you can specify the value using the unit ”bytes” and with Packet FIFO the
number of packets.
MTU
The maximum size of a packet, used for tranfer rate calculation. By default a value of 1500 is
used, which is appropriate for Ethernet based networks (default MTU value).
Filter
These rules define how packets are classified. If the conditions defined here match, the
packet will be assumed to be in the respective class. The algorithm used here is first match.
A packet will fall in the first class for which the conditions match.
You can for example check the source and destination information of the packets. The format
of such a entry is:
2005-2008
c Comdasys AG 54
3.2 Network
2005-2008
c Comdasys AG 55
3.2 Network
The bandwidth daemon monitors the network traffic in order to determine the amount of free
bandwidth. This allows for dynamic allocation of bandwidth for different services. Please see
section ?? for further information on bandwidth management.
In this section you can specify three parameters that affect the bandwidth daemon. These
are sample rate, number of samples and log-level. However, note that the default values the
bandwidth daemon is originally configured with do not need to be changed in most cases.
Sample rate
Specifies the frequency of the checks for available bandwidth in tenth of second. The default
value for this setting is 1 and this means that the daemon performs the checks every 0.1
seconds.
Number of samples
Specifies number of samples to be taken in order to calculate the current average bandwidth.
30 samples is the default. Number of samples together with the default sample rate value
give a time window of 3 seconds.
Log level
You can view log messages created by the bandwidth daemon in the system logfiles by set-
ting log level to error, warning, info, or debug. Choosing none disables logging bandwidth
daemon’s messages.
Logging configuration for Convergence is desribed in section ??.
Finally, save your changes by clicking Save . Your changes will be applied as soon as you
apply the current configuration.
2005-2008
c Comdasys AG 56
3.2 Network
3.2.10 NTP
The table on this site contains one or more NTP servers Convergence should consult in order
to set the system time.
To add new entry to the list simply fill in name or IP address of an NTP server and click Add
. An NTP server can be also used with a preference by checking preferred. This means
that an answer received from such server won’t be dropped but in case it differs significantly
from other answers. Note that only very reliable and stable NTP servers should be given a
preference.
Setting up NTP
1. Check Active to enable NTP. Click Save to save you changes.
2. Click Add to add an NTP server to be use. You have to provide its IP address.
Optionally you can check Preferred to prefer time information received from this server.
Use to edit, or to delete an existing entry. Your changes will be applied
after selecting Apply Configuration .
2005-2008
c Comdasys AG 57
3.2 Network
2005-2008
c Comdasys AG 58
3.2 Network
! Comdasys uses full NTP4 which can cause trouble when trying to use the NTP
service running on Windows Server 2003 (w32time) as a clock source. The w32time service
has a few known issues which can cause the NTP server on Comdasys products to not
synchronize correctly with it while SNTP clients can often successfully get their time from
the Windows Server 2003. The problem is that SNTP as used in some SIP phones and
Windows clients is a stripped-down version of NTP which is less reliable and less accurate
so it looks like the Windows Server 2003 is running correctly while in fact not being correctly
set up to serve as a reliable NTP clock source. It’s essential that the Windows Server 2003
itself is correctly synchronized against a reliable clock source; the internal system clock is
not sufficient. For more information about configuring w32time see the MicroSoft knowledge
base entry 816042.
2005-2008
c Comdasys AG 59
3.2 Network
3.2.11 VRRP
VRRP is usually used for redundancy purposes in the Convergence. There are different types
of redundancy that depend on the exact scenario. What VRRP offers is the possibility to have
two Convergenceshare a virtual IP address where only one of them will be active at any point
in time.
In the FMC case, setting up VRRP however is not enough. You need to use it in conjunction
with the Database Synchronization feature. Please refer to ?? for more information on this.
Virtual Router Redundancy Protocol (VRRP) is a non-proprietary redundancy protocol de-
scribed in RFC 2338 designed to increase the availability of the default gateway servicing
hosts on the same subnet. This increased reliability is achieved by advertising a ”virtual
router” (an abstract representation of master and backup routers acting as a group) as a de-
fault gateway to the host(s) instead of one physical router. Two or more physical routers are
then configured to stand for the virtual router, with only one doing the actual routing at any
given time. If the current physical router that is routing the data on behalf of the virtual router
fails, an arrangement is made for another physical router to automatically replace it. The phys-
ical router that is currently forwarding data on behalf of the virtual router is called the master
router. Physical routers standing by to take over from the master router in case something
goes wrong are called backup routers.
VRRP is primarily intended to provide redundancy between two Convergence products, but
it can also be used in conjunction with any router providing this functionality such as Cisco,
Huawei, Juniper and others.
VRRP specifies an election protocol to provide the virtual router function described earlier. All
protocol messaging is performed using IP multicast datagrams, thus the protocol can operate
over a variety of multiaccess LAN technologies supporting IP multicast. Each VRRP virtual
router has a single well-known MAC address allocated to it. This document currently only
details the mapping to networks using the IEEE 802 48-bit MAC address. The virtual router
MAC address is used as the source in all periodic VRRP messages sent by the Master router
to enable bridge learning in an extended LAN.
A virtual router is defined by its virtual router identifier (VSID) and a set of IP addresses. A
VRRP router may associate a virtual router with its real addresses on an interface, and may
also be configured with additional virtual router mappings and priority for virtual routers it is
willing to backup. The mapping between VSID and addresses must be coordinated among all
VRRP routers on a LAN.
To minimize network traffic, only the Master for each virtual router sends periodic VRRP Ad-
vertisement messages. A Backup router will not attempt to pre-empt the Master unless it
has higher priority. This eliminates service disruption unless a more preferred path becomes
available. It’s also possible to administratively prohibit all preemption attempts. The only ex-
ception is that a VRRP router will always become Master of any virtual router associated with
addresses it owns. If the Master becomes unavailable then the highest priority Backup will
2005-2008
c Comdasys AG 60
3.2 Network
transition to Master after a short delay, providing a controlled transition of the virtual router
responsibility with minimal service interruption.
The VRRP protocol design provides rapid transition from Backup to Master to minimize ser-
vice interruption, and incorporates optimizations that reduce protocol complexity while guar-
anteeing controlled Master transition for typical operational scenarios. The optimizations re-
sult in an election protocol with minimal runtime state requirements, minimal active protocol
states, and a single message type and sender.The expected duration of Master election (from
the pool of backup routers) in case of a failure is quite small ( ¡¡ 1 second ).
Configuration of VRRP
1. In order to add a virtual server you need to use the Add button. Use to
edit, or to delete an existing entry.
2. Specify the Interface that this VRRP virtual address should be assigned on.
3. Set the VSID for the virtual service identifcation. VRRP allows you to define groups
of virtual servers / routers that can provide redundancy for each other. This must be a
number, and this number must be unique for the group of routers you want to provide
redundancy for.
2005-2008
c Comdasys AG 61
3.3 VPN
4. The Priority field specifies the sending VRRP router’s priority for the virtual router.
Higher values equal higher priority. The priority must be between 0 and 255 where
these extrema have special meaning as described below.
The priority value for the VRRP router that owns the IP address(es) associated with the
virtual router MUST be 255 (decimal).
VRRP routers backing up a virtual router MUST use priority values between 1-254
(decimal). The default priority value for VRRP routers backing up a virtual router is 100
(decimal).
The priority value zero (0) has special meaning indicating that the current Master has
stopped participating in VRRP. This is used to trigger Backup routers to quickly transi-
tion to Master without having to wait for the current Master to timeout.
5. Provide the IP address. This is the virtual IP address that should be used for this
Virtual Server. Note that you have to set this exact IP address on all devices with the
same VSID in the same network segement.
6. Click Save to save your changes. Your changes will be applied after selecting
Apply Configuration .
! Note that whenever the Master in a VRRP group comes back up, it will immediately
assume the virtual IP address configured here. This can have undesired effects because
any open session (e.g. SSH) to the currently active node will immediately break as soon as
the master comes back up. This behavior however can differ when using VRRP to provide
redundancy e.g. for the FMC services on the Convergenceİn those cases the VRRP master
will only brought back up, once it is save to do so. This means as soon as there are no more
voice calls active on the slave, but after 4 hours at the very latest. Also see ??
3.3 VPN
3.3.1 Certificates
This menu item is used for the administration of X.509 certificates which can be used for
both IPsec connections and OpenVPN connections. Note that it is necessary to have such a
certificate in place before creating a VPN connection using certificates.
You have to differentiate between plain certificates, containing a public key (signed by a Cer-
tification authority or self-signed), and complete certificate-key pairs, containing a public key
and the matching private key.
Before using certificates for VPN tunnels, there are several steps to be taken:
2005-2008
c Comdasys AG 62
3.3 VPN
1. Login to one of the two Convergences (call it Box A) (see Command Line Guide).
2. Execute the script /etc/ssl/mkCAcert.sh to create a self-signed CA cerificate-key
pair. The certificate and the key are automatically saved in the appropriate location.
Example:
/etc/ssl/mkCAcert.sh "RootCA company" "/CN=Root-CA/O=company/C=DE"
3. Download the CA certificate onto the local PC.
4. Login to the web interface of Box A and select the menu item Certificates. The CA
certificate that has just been created is shown in the list of installed CA certificates.
Furthermore, a form is shown below in which a new X.509 certificate can be created.
2005-2008
c Comdasys AG 63
3.3 VPN
5. In this form, a certificate-key pair for each Convergence (Box A and Box B) has to be
created. Thereby at least Common name, Company/Organisation and Country must
be entered. Click on Create certificate .
6. Download the certificate-key pair for Box B onto the local PC.
7. Login to the web interface of Box B and select the menu item Certificates.
8. Upload the CA certificate previously saved on your local PC (see step 3).
9. Upload the X.509 certificate-key pair saved on your local PC (see step 6).
After you have finished all these tasks, the certificates needed for the connection setup are
available on both Convergences.
On the menu page Certificates you will find the following forms:
• Installed CA certificates
• Installed X.509 certificates (i.e. certificate-key pairs)
• Create X.509 certificate (only if a private CA key is present on the Convergence, see
step 2 above)
2005-2008
c Comdasys AG 64
3.3 VPN
Managing CA certificates
CA certificates (i.e. root certificates) are needed to create and to verify X.509 certificates.
To ensure proper authentication, the CA certificates stored on all VPN partner hosts must be
the same.
In this form, CA certificates can be imported, exported or deleted. For the creation of a CA
certificate the script mkCAcert.sh is provided on the Convergence. It is executed in the
command line mode. This script creates two files - a private CA key and a public certificate.
You can of course also use third party tools for creating these certificates, or use existing
ones.
If the certificate was directly created on the Convergence, it can be exported by clicking on
on the right side of the listed certificate. After that, it can be distributed to all other VPN
partners.
All these partners can - if they are also Convergence appliances - import the CA certificate
here.
2005-2008
c Comdasys AG 65
3.3 VPN
OpenVPN shared secrets are simple shared secrets protecting an OpenVPN connection
without the need of using certificates. This is a very simple, secure, and effective way if you
are with a small organization that only has to setup a few VPN tunnels. It is necessary to
create a shared secret before setting up the first VPN connection.
An OpenVPN shared secret file is created on the first Convergence involved. Thereafter it is
beeing copied to the local PC via the web browser from where it is being uploaded to a second
Convergence involved. You should use separate shared keys for each VPN connection to
improve security.
All these steps are taken in this menu:
The list Current shared secret files contains all local OpenVPN shared secret files present.
They can be exported by clicking on or can be deleted by clicking on .
2005-2008
c Comdasys AG 66
3.3 VPN
2. Alternatively, click on Browse and select an existing OpenVPN shared secret file
on the local PC (previously created by a different Convergence ). Click Load file to
upload the file.
3.3.3 Connections
In this menu the connection information of all configured VPN tunnels to remote hosts (other
Convergences or third party products) is managed.
The list shown on this page contains all VPN tunnels configured so far.
The active status ”LED” indicates whether the connection is active or inactive. Connections
can be deactivated and activated by clicking on the status ”LED”.
If the connection is inactive the ”LED” will appear so, too . Use to edit, or to
delete an existing entry.
2005-2008
c Comdasys AG 67
3.3 VPN
! Unlike OpenVPN that supports both certificates and shared secrets in any combina-
tion with static and dynamic IP addresses, IPsec has two limitations pertaining to the use
of shared secrets:
1. One of the two terminal stations needs to have a static IP address.
2. The terminal station using a dynamic IP address cannot be accessed via a dynamic
DNS name.
2005-2008
c Comdasys AG 68
3.3 VPN
•X.509 certificate
When choosing the authentication via X.509 certificates, both partners must have
X.509 certificates signed with the same CA key. Furthermore, the corresponding
CA certificate must be available on both partner stations.
The procedure to ensure this, is described in section ??. You should however have
a basic understanding of X.509 certificates when trying to set up such a connection
in order to avoid potential security pitfalls.
For the configuration of an IPsec connection, the corresponding certificate is se-
lected and the label of the certificate stored on the remote station is typed in. This
label can be looked up in the web interface of the remote station in the menu
Certificates if it’s a Convergence (see section ??). If you are using third party
equipment, you have to refer to that documentation for how to handle certificates.
•Shared secret
When choosing the authentication via a Shared secret, simply use the same pass-
word and type it in on both partner stations.
i When using Shared secrets for authentication, both partners have to use either static
IP addresses or names. The option Partner unknown is not applicable in this case!
2005-2008
c Comdasys AG 69
3.3 VPN
2005-2008
c Comdasys AG 70
3.3 VPN
5. Transfer net
Enter two IP addresses that are to be used internally for transferring the VPN packets.
This transfer network can be used for traffic shaping or firewalling. It is important that
both addresses entered here lie within a single network. It is also important to have
matching entries on both sides of the VPN tunnel. The addresses of the Transfer Net-
work have to be reciprocally identical for two VPN hosts - i.e. the local IP address of
one partner has to be the remote IP address of the other.
6. OpenVPN port
OpenVPN works port-based. That means every OpenVPN connection must have a
unique port number. All packets for this connection will then be exchanged via this port.
This port number must be the same on both connection partners.
7. Authentication
OpenVPN can use two methods of authentication for VPN connections: certificates, or
a common password file.
(OpenVPN Shared secret).
•X.509 certificate
When choosing the authentication via X.509 certificates, both partners must have
X.509 certificates signed with the same CA key. Furthermore, the corresponding
CA certificate must be available on both partner stations.
The procedure to ensure this situation is described in the IPSEC section.
For the setup of an OpenVPN connection using certificate authentication, one of
the connection partners has to be configured as TLS server and the other one as
TLS client.
•Shared secret
When choosing the authentication via a Shared secret, the same OpenVPN Shared
secret file simply has to be selected on both partners (see section ??).
L2TP allows you to easily connect client hosts via VPN. It is hence mostly used for Roadwar-
rior scenarios. Using L2TP for such configurations is especially comfortable for clients running
MS Windows 2000 or Windows XP as this type of connection is already part of the standard
network connection schema of those operating systems. In this menu the server-side config-
uration is set. Besides this the login-data for each user and PC is entered.
2005-2008
c Comdasys AG 71
3.3 VPN
2005-2008
c Comdasys AG 72
3.3 VPN
7. Click Save to save the parameters. Your changes will be applied after selecting
Apply configuration.
2005-2008
c Comdasys AG 73
3.3 VPN
2005-2008
c Comdasys AG 74
3.4 Security
Windows XP supports both possibilities whereas Windows 2000 only supports X.509
certificates.
4. X.509 certificate
If you select X.509 Certificate in the menu IPsec authentication the X.509 cer-
tificates on both sides have to be signed by the same CA key. Furthermore, the cor-
responding CA certificate must be available on the client computer. Please refer to
your Windows documentation on how to handle certificates on Windows systems. Un-
less you habe special tools simplifying the process, you will have to use the Microsoft
Management Console.
5. Preshared secret
If you select Shared secret in the menu IPsec authentication, a password has to
be entered that must be the same on all clients running Windows XP connecting to
this Convergence. The problem is that authentication in IPSEC is done via the remote
IP address. Since this address is arbitrary in our case, we cannot identify the remote
computer at the IPSEC level. Therefore, all computers have to authenticate with the
same shared secret.
6. Click Save to save account data. Your changes will be applied after selecting Apply
configuration.
3.4 Security
On this page, the fundamental level of security that shall be used by the Convergence is
defined. Security as defined here only applies to the accessibility of the Convergence and the
firewall settings.
By selecting Highest security, access to the Convergence is limited to the permitted
administration ports and the defined VPN tunnels. Particularly it is not possible to access
the Internet via the Convergence, to set up own firewall rules or Port-Forwardings using this
setting.
We recommend using this setting if the location secured by the Convergence shall have ac-
cess to the Internet only via a VPN tunnel connected to the remote partner-network. This can
be used for very restrictive branch connectivity solutions.
The option User defined allows you to make significantly more advanced and flexible con-
figurations. In particular, access to the internet can be granted, ports can be forwarded to
certain computers connected to the LAN and your own custom firewall rules can be estab-
lished.
2005-2008
c Comdasys AG 75
3.4 Security
The configuration matrix ”Open administration ports via” enables the exact definition of
the allowed locations from which configuration access shall be enabled. The opening of the
administrative ports can be done on a per interface basis.
2005-2008
c Comdasys AG 76
3.4 Security
3.4.2 Firewall
The firewall of the Convergence can be configured in two ways (also combined):
It is possible to select the most important services needed - all necessary firewall rules are
created automatically. Note that the first section deals with outbound connections. You can
also choose to permit all outbound connections.
The more security relevant part however are the inbound connections. By default, these are
disabled on the WAN interface. You can selectively enable the protocols. Note that you need
at least one signalling protocol (either TLS or SIP) plus the media stream protocol (RTP) for a
working setup.
Besides this, it is possible to configure your own, very detailed rules. This way of configuration
is recommended to be used only by experienced users and administrators. Wrong firewall
rules can cause network applications to stop working. People changing these settings should
hence know what they are doing.
The basic services are defined for data traffic between two network interfaces. Thereby,
different outgoing services (i.e. from the internal interface to the Internet) can be allowed just
as data transfer between the two local networks. Select the checkboxes of the appropriate
basic services that shall be allowed for incoming and outgoing requests. By selecting the
checkbox allow all outgoing connections, all ports for the basic services listed are opened.
These options are only shown for the secondary LAN interface if this interface is configured
(i.e. is not deactivated).
The custom rules of the firewall are executed top-down. By clicking on the arrow-buttons
( and ) you can newly arrange the firewall rules. Registered rules can be edited by
clicking on or can be deleted by clicking on .
2005-2008
c Comdasys AG 77
3.4 Security
2005-2008
c Comdasys AG 78
3.4 Security
2. Define the rule. Specify Protocol (TCP, UDP, ICMP, other), Interfaces and IP details
that this rule shall match.
3. Choose rule target (Filter policy) in order to specify what should happen to the traffic
this rule applies for.
4. Click Create rule to save your changes. Your changes will be applied after selecting
Apply configuration.
Port forwarding allows you to forward incoming data packets that arrive at the Convergence
to a certain computer within the local network. It is being used in conjunction with NAT and
is the only way to directly access a computer connected to the private LAN from the Internet.
Port forwarding is also often described as virtual server functionality.
To reach several computers within the private LAN via the same protocol it is also possible to
change the ports.
Example:
Three computers within the LAN shall be accessed via SSH. SSH normaly uses port 22. But
it’s impossible to reach all three computers via port 22 of the Convergence.
2005-2008
c Comdasys AG 79
3.5 Voice-over-IP
With Port forwarding you can now define that e.g. port 2022 of the Convergence is forwarded
to port 22 of the first computer, port 2023 is forwarded to port 22 of the second computer
and so on. An SSH client connecting to port 2022 of the Convergence would actually be
connected to port 22 of the first computer in the LAN.
3.5 Voice-over-IP
The SIP Proxy in the Convergence can be used in a variety of scenarios. The most frequent
use is as a SIP Proxy in front of another SIP server. In the WebGUI, this can be found under
the Survivability template. For these applications, the WebGUI has been geared towards
2005-2008
c Comdasys AG 80
3.5 Voice-over-IP
telephony applications. When acting in front of another SIP server, it is also possible to limit
the number of permitted sessions based on bandwidth restrictions (Call Admission Control).
The second class of frequently used scenarios is SBC (Session Border Controller) Scenarios.
In these, the Convergence will not only perform SIP signalling interworking, but it will also
perform media handling for any SIP initiated sessions. This feature can be used to achieve
a connection between two networks that do not have a routing connection (as for example
customer premise network and data center network), handle NAT between networks, or pro-
tect a network from the outside world without destroying the ability to have VoIP connectivity.
This can be used to voice enable existing networks that have firewalls to separate segments,
use devices from behind a NAT, as for example some NAT router on the Internet, or facilitate
deployments in hosted scenarios. The Convergence supports three different types of SBC
scenarios, Branch SBC, Cascaded SBC, and Central SBC. The latter is only supported by the
bigger higher end Convergence .
Some variants of the SBC scenarios are the SIP Trunking as well as ENUM. With its ENUM
functionality the Convergence acts as an ENUM lookup gateway and as a Session Border
Controller controlling calls coming in over the Internet. The SIP Trunking is a derived SBC
scenario where you only have a single logical connection (that could of course consist of
many individual SIP sessions) between an IP PBX and a Trunking Server usually offered by a
carrier. This setup replaces a local PSTN gateway on the customer premise, and is hence a
step towards a full IP-only customer premise connectivity.
Other scenarios include stand-alone functionality where the Convergence Appliance will act
as a small SIP Server forwarding certain sessions to another server or to a SIP gateway.
It is also possible to configure custom scenarios with the SIP Proxy. This however is beyond
the scope of this manual. Check the Command Line Reference for more information on
that.
Before any parameters for the SIP Proxy can be configured, you need to choose among
the Survivability, Branch SBC, Cascaded SBC, SBC, SIP Trunking, Standalone, ENUM, or
Custom template configurations. For all types of branch office scenarios without the need
for media handling, you will most likely want the Survivability Template. The Branch SBC
scenario is suited for branch connectivity scenarios where media handling or NAT traversal is
a requirement. The Cascaded SBC is usually used on the way from a Branch SBC to an IP
PBX to act as a media relay. Both SIP messages as well as media would pass through two
hosts in this scenario. Explaining all usage scenarios would be far beyond the scope of this
manual. You can however find a quick scenario descriptions the each of the sections below.
Select a template and press Select to activate it. You can switch templates without losing
your configured parameters.
2005-2008
c Comdasys AG 81
3.5 Voice-over-IP
The typical survivability scenario is explained rather quickly. Assume having a small/medium
office with some WAN link. The central SIP server usually used for VoIP telephony, and hence
being an IP PBX, is located in the datacenter, at the other side of this WAN link. The WAN
link can either be an Internet line or some leased-line internal to the datacenter network. In
the latter case, using a single interface of the Convergence can be enough. The interface
configuration has a significant impact on the parameters you need to set for the SIP Proxy
here. Both scenarios (single and multiple interface) are mentioned in the appropriate places
in the following.
The Survivability scenario is to provide telephony functionality to the small/medium office even
if the central SIP server is unavailable due to a WAN failure. In such case, the Convergence
will take over the functionality of the SIP server. Once the SIP server is reachable again, the
operation returns to normal.
The current status of the product can be seen in the Status Page described in ??. Beside
the VoIP Router Status display, you will see the text Survivability Mode, if the product has
detected a failure of the central SIP server. Once operation returns to normal, this text display
will disappear again.
The second side to this scenario is Call Admission Control. Since all SIP messages are routed
through the appliance, it can freely decide on how to act upon certain requests. Call Admis-
sion Control is about denying certain requests based on the defined bandwidth constraints.
This mechanism is essential for providing QoS for real-time communications.
2005-2008
c Comdasys AG 82
3.5 Voice-over-IP
of the branch and hence find the phone in the Registration database. This means
that extension dialing still works in survivability mode.
If you do not have such a scenario where you want to call the internal phones with
a shortcut, simply leave this field blank.
– Prefix number (figure ?? on page ??)
The Prefix number describes the prefix the number has if it is an outgoing call.
Usually, this is just a simple digit as for example a ”0” for getting an outgoing line.
Expressions for this can however be more complex than that. You can enter ar-
bitrary regular expressions here. Only numbers having the correct prefix will be
routed to the gateway in the survivability case. This prevents unavailable internal
numbers from ending up in the PSTN and going somewhere unintentionally.
– PBX Address (figure ?? on page ??)
As we have already described above, in Survivability Mode, the Convergence proxy
only acts if the central PBX is not reachable. This parameter is for entering the
address of the central PBX. It can either be entered in the form of an IP address,
a host name or even as a DNS SRV address. Note that entering a DNS or DNS
SRV name can introduce more latency in forwarding messages to the IP PBX since
the hostname has to be looked up first. You also have to note that if you enter a
DNS name, the DNS server has to be available upon a WAN failure or any other
conditions the Survivability mode is intended to work in.
– SIP Transmit Type (figure ?? on page ??)
The SIP Transmit Type parameter is the transmission type the proxy uses to contact
the central SIP server. The Convergence supports 3 different SIP transport modes,
UDP, TCP, and the encrypted TLS variant. The type to use depends first and
foremost on the used SIP server. The TCP and UDP types are straightforward and
just specify the used protocol type.
The only type requiring further explanation is TLS. For TLS additional things like
the encryption keys are required. Since this is a very advanced topic, this cannot
be configured via the WebGUI as of yet. The Convergence will generate TLS
keys automatically that can be downloaded for the use in Servers/Phones via SCP.
Please consult the Command Line Reference for more information on how to do
that.
– Timeout (figure ?? on page ??)
The Timeout value is one of the most central parameters in the Survivability sce-
nario. This timeout value will be used to determine whether the IP PBX is online
or not. It is the maximum time the proxy will wait for a response upon a request
before falling to survivability mode. Note that this mode will not lead to the fact that
all SIP messages will be delayed by 2 seconds. There is a background checking
algorithm running that will decide whether the IP PBX is available or not. Usual
2005-2008
c Comdasys AG 83
3.5 Voice-over-IP
values for this timeout parameter range between 2-4 seconds. It will be used for
both the PBX as well as the 2. Node to determine their availability.
– Ignore Gateway during Register (figure ?? on page ??)
This feature is only required if the Convergence is utilized with topology hiding
which will prompt it to change the contact headers of SIP messages. This will be
the case with the Force Return Route and Multiport Mapping features. In these
cases, it might be desirable to have the product handle the messages from some
local voice gateway, but not to perform contact header manipulation on them. This
should be the case whenever there is a routing connection from the central SIP
server to the branch voice gateway in such a scenario. Such a routing connection
can be implemented in various ways, as for example port forwarding. Some SIP
servers also require this because they treat such gateways unlike regular clients.
– Enable Hunting (figure ?? on page ??)
This feature only applies to scenarios where there are multiple fallback gateways
present. In that case it might be desirable that a gateway hunting is performed
between these multiple gateways. The redirection causes here are the same ones
that are defined between the IP PBX and the first gateway. This can be used for
a variety of scenarios as for example stacking gateways or having gateways in
multiple locations and applying Call Admission Control Parameters to them. The
decision parameters for the gateway hunting are configured with the gateways. If
this parameter is not set, only the first gateway will be considered in survivability
mode or with CAC redirection.
2005-2008
c Comdasys AG 84
3.5 Voice-over-IP
must both be filled in. The Short Prefix is a number that must match an incoming
request. This is probably best explained by an example:
Assume that you have a number range 123456789xx for the phones connected
to the Convergence where xx stands for an arbitrary extension. Since 123456789
is a very long prefix, there might be additional prefixes configured in your central
softswitch, that you also want to be considered correctly concerning survivability
and CAC. So let us assume you have a second prefix configured, say 58000xx
where the xx is the same suffix as above. The Convergence will then map this
short prefix to the long version above, and only then perform all checks concerning
CAC and survivability.
∗ Short Prefix
Prefix that has to match an incoming request. If such a match is found, the
Convergence will map this prefix to the long office prefix as described below.
∗ Map to Office Prefix
Long office prefix that the above described short one will be mapped to. This
Office Prefix including the extension should then match an actually registered
phone to make the survivability function work properly. It could however also
2005-2008
c Comdasys AG 85
3.5 Voice-over-IP
be mapped to a call that should be routed out through a gateway in the surviv-
ability case.
– Class of Service (figure ?? on page ??)
Sometimes it is usefull to set some restrictions to some phone numbers. With the
Class of Service enhancements parameters it is possible to deny or allow some
target numbers for special phones. For example you can allow or deny national or
international calls or even special numbers.
∗ Source
This parameter should contain the phone number of the source phone.
∗ Destination
Put in here the destination number that is denied or allowed. For example, if
destination contains 00, all phone numbers beginning with 00 are allowed or
denied depending on the policy parameter
∗ Policy
The policy parameter can only contain the values allow or deny. If this param-
eter is set to deny, the call from the source number to the destination number
is blocked.
2005-2008
c Comdasys AG 86
3.5 Voice-over-IP
• Sip Settings
2005-2008
c Comdasys AG 87
3.5 Voice-over-IP
value is very long, the danger is that upon return to normal operation, the IP PBX
will have lost the registration of many phones. This parameter forces the phones
to use a shorter registration timeout during survivability and hence to register more
often. Once the connectivity comes back, the IP PBX will get reregisters from the
phones in this branch office very rapidly.
– Disable Loose Routing (figure ?? on page ??)
Loose routing is defined in RFC3261 and will make the Convergence route all in
dialog messages the same way that the dialog setup was routed. This however
assumes properly behaving SIP endpoints and a properly behaving SIP servers.
In simple scenarios, where the endpoints are registered to a server, this works
for most endpoints. With a survivability scenario, where the messages are routed
onwards, and where the proxy is on the return route in addition to that, the correct
behavior of loose routing is not guaranteed with all devices. In order to avoid that,
loose routing can be disabled in normal operation (non survivability). If you see
in dialog messages like ACK and BYEs not flowing as expected. A typical sign is
ACKs or BYEs coming from the softswitch being directly returned to it.
– Fix Broken Loose Routing (figure ?? on page ??)
In contrast to the Disable Loose Routing function, the function here will also disable
the loose routing in survivability mode. This should only be necessary for some
broken endpoints with incomplete support for RFC3261. In all other situations,
loose routing should work fine in survivability mode. Enable this feature only if you
really experience problems. Not
– Force Return Route for NOTIFIES (figure ?? on page ??)
While some SIP servers support an outbound proxy feature for addressing SIP
messages to endpoints, they often do not fully implement the feature for additional
messages beyond RFC3261. With this mode of operation, all messages specified
in RFC3261 would be addressed to the endpoint, but sent to the outbound proxy
that then makes the final delivery. While this works well for INVITE, ACK, BYE and
REFER messages, messages like SUBSCRIBE, NOTIFIES, PUBLISH are often
treated differently. This poses a special problem for NOTIFIES beacause they are
sent depending on header fields in the SUBSCRIBE message. Therefore, similar to
the Force Return Route feature, it is specifically possible to have the Convergence
change the Contact information for SUBSCRIBE and NOTIFY requests. This will
lead to the fact, that notify requests are always addressed to the Convergence
acting as a SIP Proxy. Since there is no such thing as a forking for these requests,
it is easily possible to handle them correctly.
– Mask Proxy Domain on Register (figure ?? on page ??)
If set, the Proxy will replace the domain part of the SIP URI of each message
flowing through it with the SIP Domain (IP address or DNS name) of the SIP server.
Some SIP servers have problems accepting SIP messages for multiple domains or
do not do so due to security reasons. Most systems however work effortlessly
2005-2008
c Comdasys AG 88
3.5 Voice-over-IP
without such modifications. Also check any options that your server might offer to
set domains aliases. This parameter should hence only be used if you encounter
problems pertaining to that.
– Preset Record Route (figure ?? on page ??)
The preset record route parameter allows influencing how the record route Header
in the SIP message will be written. The record route header in SIP is for making
sure that all messages belonging to a session go through all servers that were
on the path of the original message. Explained in more detail, this means that
the messages will go through all SIP entities on the way that marked the original
message with a record route field. If the Convergence is only used with a single
interface and a single IP, you can completely disregard this field. If the Convergence
however is used with a WAN and a LAN address, it can be quite significant what
IP address is set in this record route field. By default, the Convergence always
selects the primary IP address of the interface the packet is going out on. In some
scenarios, especially in those involving VPNs and NAT, this can however be the
wrong one. Therefore, it is possible to explicitly configure this address and port to
be used in the record route field. It can also be interesting for scenarios where the
Convergence is being used behind another firewall that performs port forwarding.
In that case, the external IP address and the forwarded port have to be entered
here.
– No Rerouting on (figure ?? on page ??)
The proxy will perform rerouting on a number of replies from the central softswitch.
This is necessary especially in conjunction with CAC. If the proxy receives a nega-
tive reply for a session initiation request, it will try to perform the specified rerouting.
It will not do any rerouting on the responses specified here. The possible response
codes are listed below. Select all by pressing SHIFT and selecting them with a
Cursor key. Alternatively, you can use CTRL + A to select all.
∗ 400 Bad Request
∗ 401 Unauthorized
∗ 402 PaymentRequired
∗ 403 Forbidden
∗ 404 Not Found
∗ 405 Method Not Allowed
∗ 406 Not Acceptable
∗ 408 Request Timeout
∗ 410 Gone
∗ 480 Temporarily Unavailable
2005-2008
c Comdasys AG 89
3.5 Voice-over-IP
– 2. PBX Node
Some IP PBXs / Softswitches support clustering or redundancy through a second
host. There are two ways of implementing this clustering, either transparent, in
which case we do not have to handle anything exlicitly in the branch office, or with
two IP addresses. This field is meant for the latter concept which is frequently
being used if the 2 nodes of a cluster have been spatially separated. In that case
they are available through different WAN links thus increasing the robustness of the
overall solution. If such redundany precautions have been taken in the data center,
the branch equipment must also support this. If this field is set, the Survivability
function of the Convergence will only take over if both the PBX as well as the 2.
Node have failed. If only the first node has failed, messages will automatically be
forwarded to the second node.
2005-2008
c Comdasys AG 90
3.5 Voice-over-IP
– PBX Alias
The Survivability and Call Admission Control function will only be enabled for SIP
messages that fall into the domain this SIP proxy is responsible for. Please also
refer to the Domains parameter. For correctly determining the direction of the mes-
sages flowing, the proxy must also be aware what messages are coming from the
Server side, and which ones come from the client side. To correctly determine this,
the proxy must be able to know what messages are coming from the PBX. These
can be messages coming from the IP address of the PBX and 2. Node PBX pa-
rameters, but especially clustered or load balanced servers could have messages
coming from other IP addresses also. So it is necessary to configure all source
IP addresses or host names from where SIP messages of the PBX can originate
from.
– Failover Server Replication
This parameter will replicate all Register messages to a second backup server.
This can either be a second Convergence operated in redundancy mode or any
other type of SIP server that can be used as a backup. The usual scenario is that
of a second Convergence being used in this mode.
2005-2008
c Comdasys AG 91
3.5 Voice-over-IP
– Debug
This switch will make the SIP proxy write debug messages to the system log. These
can either be seen in CLI mode on the Convergence, or on the specified logging
server. See the logging parameters in this document or refer to the Command Line
Guide for more documentation on how to have a look at the logging.
2005-2008
c Comdasys AG 92
3.5 Voice-over-IP
an individual port for each device. This mode of operation is usually not required and
is only necessary for special scenarios involving SIP forking (multiple devices with the
same username part of the URI), where the requests already arrive forked from the
server. If in such sceanrios, the Force Return Route feature is used to change the con-
tact parts of the SIP messages, these would be forked again by the Convergence . It
is then necessary to utilize this feature to put the Convergence in a situation where it
can uniquely determine where to send the already forked request. The destination port
information where the SIP server sent the message is then used to correctly direct the
message to the right SIP endpoint. It should again be reiterated that this type of mes-
sage routing somewhat bends the conventions of SIP, but it is required for the described
scenario. There is one notable exception. If the PBX is able to correctly support an
outbound proxy feature, where the forked request is addressed to the endpoint’s URI
but sent to the Convergence neither the Force Return Route nor the multiport feature
are required. This is the most desirable configuration and should be used whenever
possible.
• Enable Dual Registration Support
This will open a second SIP signalling port on port 5080. Some SIP phones have built-
in functions for implementing survivability functionality. It is then possible to provision
a second SIP server the phone should go to in case the first server stops responding.
The Convergence can emulate two different servers, where the first one would stop
responding to Registration requests of such phones in Survivability mode. This is feature
should not be necessary, since the Convergence implements a transparent survivability
function. However, some phones need this dual registration approach to realize when
they entered survivability mode. This is necessary to adapt the feature handling to the
reduced set available in survivability mode.
• Enable Call FW in Surv.
This feature is to enable processing of SIP 302 response messages in survivability
mode. If all your phones and gateways are able to handle such responses themselves,
you can leave this checkbox disabled and still have the functionality. While there are
many phones that support this feature, gateways mostly do not. Therefore, if you want
to have call forwarding functionality in conjunction with incoming calls through a gate-
way, you should activcate this feature. When activated, the Convergence will intercept
any SIP 302 response message and translate it into a new session with the forwarding
target specified in the SIP response. In that case, the Convergence would behave like
a normal SIP server supporting call forwarding features.
The Convergence can use its built-in bandwidth management capabilities to influence the SIP
signalling decisions. These SIP signalling decisions can both be influenced for packets com-
ing from the phone as well as coming from the central SIP server. Real-time traffic can be
2005-2008
c Comdasys AG 93
3.5 Voice-over-IP
classified and measured while it is flowing through the box (refer to the Bandwidth Manage-
ment Section ?? for more details). The limits for the different traffic bandwidth classes will
be used as decision basis for either permitting or denying the establishment of new SIP ses-
sions. Based on the information obtained from measuring the traffic, Call Admission checks
against predefined policies can now be made. These checks are enforced by the SIP Proxy.
In case of a limit violation that would mean that a SIP 606 Not Acceptable message would
be signalled to the central SIP server or the SIP endpoint. There are many variations to the
parameters and also to the enforcement. Instead of signalling the Not Acceptable directly to
the endpoint, the session can also be just marked (by modifiying the request URI) to let the
central SIP server do the enforcement. The central server can then decide to e.g. signal a
Busy, or it can choose an alternative route (e.g. through a locally present PSTN gateway)to
avoid a network congestion.
Figure 3.39: Survivability and Call Admission Control (CAC Parameters continued)
• CAC
The CAC parameter indicates whether Call Admission Control shall be performed or
not. Uncheck this in order to completely disable this feature.
• CAC check if from IP network (strict checking)
This parameter should be checked if there is a local PSTN in the branch office. If this pa-
rameter is not checked, the Convergence will assume that all Calls to and from non-local
2005-2008
c Comdasys AG 94
3.5 Voice-over-IP
destinations will go over the bottleneck link and hence require Call Admission Control
(of course only if all other parameters like Link etc. match). This would however mean,
that for a Call coming in over the local gateway, going to the central PBX then coming
back in to the Convergence, Call Admission Control would be falsely performed although
the Media Stream would stay in the local network. Strict checking will additionally check
the SDP header to determine how the RTP streams would flow to correctly perform the
Call Admission Control.
• T38 Media Stream Measurement
Enabling T38 stream measurement will make sure that enough bandwidth is reserved,
even though the actual bandwidth use can vary greatly. T38 media stream bandwidth
can range anywhere from 10 kbit/s to 100 kbit/s depending on the nature of the page
that is currently being faxed. A white page will be on the low end, a page with complex
shapes on the high side. Therefore, a simple stream measurement as usually done
for CAC is insufficient escpecially if talking about small branch offices where statistical
effects will not mask such a varying bandwidth. The smaller the branch, and the fewer
the number of simultaneously possible connections, the more severe is the impact of
such an inaccuracy in the stream measurement. It could lead to an additional connection
being permitted, that does not have space once the fax traffic picks up again. Therefore,
this option should always be checked in small branch offices. It works in conjunction
with the FAX URI option that is explained below.
• FAX URIs
This function is especially important in conjunction with the Bandwidth Reservation, and
the T38 fax protocol. If you are not using T38, you will not have to specify anything here.
The particular difficulty lies in the nature of how fax handling with T38 is done in SIP
networks. Faxing is done by first setting up a normal media stream with G.711, G.729
or a similar speech codec. Once the gateway or ATA has detected that it is dealing
with fax traffic, it will initiate a codec renegotiation to the T38 codec. This renegotiation
is done via INVITES, and hence sets up an additional media stream for an existing
session. Once the T38 connection is established, the speech connection will not carry
any data until the fax transmission is finished. This very special behavior needs to be
handled specifically in CAC scenarios. If this box is checked, the bandwidth required for
T38 will already be reserved for the initial call setup, even if a compressed codec is used
there. If there is only insufficient bandwidth for the T38 connection, the original call will
already be rejected.
• Bandwidth Reservation
Bandwidth reservation determines the kind of call admission control done by the Con-
vergence . There are two types. If Bandwidth Reservation is disabled, the CAC will
only count actually established calls. That way, the maximum number of possible calls
can be fitted, but there is the danger of overbooking. Overbooking in those cases can
happen if you have a large number of potential sessions. Those are session that are for
example in a ringing state. This sessions have not been established yet, and hence they
are not counted. Moreover, there is the chance that at least some of these sessions are
2005-2008
c Comdasys AG 95
3.5 Voice-over-IP
never completed (nobody picks up the phone). This means that the CAC check is only
done against the actually established connections. Until a limit is reached, additional
sessions will be permitted. In this window you can have some amount of sessions in a
transient state(Session Progress, Ringing, etc.. Once permitted, all these sessions can
be established in overbook the link by the number of sessions in a transient state that
get established minus one. On a large site, with very many calls, this windows will be
very small so that ovebooking should not be an issue.
The other option is that of reserving bandwidth as soon as the call is setup. This means
that a call is counted as established as soon as the number is dialed. This also means
that sessions in a transient state are fully counted, even though they might never lead
to an established session. This very conservative setup will completely prevent over-
booking, but might waste bandwidth and thus prevent calls from being established that
would theoretically have space especially in situation where calls are not picked up. The
Convergence does however detect SIP forking mechanism which are for example used
for keyset operation in VoIP scenarios. A forked request will only be interpreted as a
single session.
• Ignore Prefix
All prefixes specified here will be ignored for any CAC decision. This means that if
you specify a prefix of xx here, the CAC checks will be based on the dialed number
with the specified prefix being removed first. This feature will only be used in telephony
scenarios where special prefixes can be dialed to e.g. enable the transmission of the
Caller ID. Functions like these are often used by prefixing an access code to the actual
number you want to dial. This prefix must of course not change the CAC assessment
of where the call is going. In order to achieve this, simply add all possible prefixes that
should be ignored to this list. Regular Expressions are allowed here for specifying a
number of prefixes at once. Note however that the special telephony prefixes ”*” or ”#”
are interpreted normally when in the beginning of the regular expressions.
• CAC Bandwidth Check
Each SIP session uses a certain average bandwidth depending on the codec being
used. For G.711 for example the bandwidth required for each session is around 80 - 85
kbit/s including the overhead packets. The bandwidth check parameter here, identifies
how much bandwidth must still be available in order to permit another session. Note that
you have to enter the parameter manually, since codices can be renegotiated during a
session. This means that this parameter has to reflect the highest possible bandwidth
that two endpoints can use after completing their codec negitiation. In pure VoIP sce-
narions that would be 11000 bytes/second for G.711 scenarios and 4000 bytes/second
for G.729 scenarions. In the latter case you should make sure that G.729 is used by all
phones. If not, the fallback codec would typically be G.711. Specifying the maximum
used bandwidth here is important since otherwise it would mean that your session is
permitted first, then renegotiated with another codec and denied there. This kind of be-
haviour would be very user unfriendly. For each Call Admission decision, as to whether
a call should be permitted or not, the worse case is hence assumed. This parameter can
2005-2008
c Comdasys AG 96
3.5 Voice-over-IP
also be used for deliberately leaving some room to the bandwidth limit by checking for
a higher bandwidth than required. The difference would then remain unused which can
be desirable under certain conditions. Note that this field is entered in ”bytes/second”,
not ”bits/s”.
• Redirect to PBX
If there is no more bandwidth for permitting an extra session, the Call can be either de-
nied, or it can be redirected to a gateway. These actions will be discussed later in more
detail. The field here specifies another possible action. The SIP Proxy can modify the
dialled number by prefixing something to let the IP PBX know that the usual call routing
path does not apply. In this case, the rerouting to e.g. a local gateway can be performed
by the central IP PBX. This does not require any Call Admission Control awareness of
the central PBX, simple call routing features with multiple alternative routes, as for ex-
ample found in least cost routing features, do suffice. The central IP PBX can then route
the call over the local gateway in the branch office, thus not generating traffic load on
the bottleneck link.
• Prefix
As already just described, this prefix will be added to the dialled number to inform the
central SIP server that an alternative routing needs to be performed. This prefix can be
any combination of alphanumeric characters and special characters like ”*” or ”#”. In
telephony applications, the prefix will most likely be numeric.
• CAC excluded Numbers
All prefixes specified here will not be considered at all for a CAC decision. Regular
expressions can be specified here. This can be used for excluding certain number
ranges because you know that there will always be enough bandwidth, or because you
maybe want to exclude emergency calls. Excluded calls can cause an overload on a
link if you are not careful in configuring your bandwidth rules.
In Voice scenarios with a central IP PBX as a SIP server, there is a commonly offered
feature named Pickup group. This permits using any telephone and dial a certain special
extension like for example ”*9” in order to pick up the call of another ringing telephone
inside this branch office. In such a case, the Convergence must be told that the ”*9” is
not a regular number but rather the special extension for that. No Admission Control will
be performed on the extensions entered here. Note that you can enter a regular expres-
sion here and the above described functionality will apply to all extensions matching this
expression. This also means that characters having a predefined meaning in a regular
expression must be escaped to match the real character. Escaping can be done by
adding a backslash before the character in question. In order to match the ”*9” used in
the example above, you hence have to enter a ”\*9” into the field. Refer to the Command
Line Reference for more information on regular expressions.
2005-2008
c Comdasys AG 97
3.5 Voice-over-IP
! This is a dangerous function since it can break CAC althogether, especially when
using regular expressions. Be very careful that the expression specified here only matches
the actual calls that you want to have filtered and no more.
• CAC
We have already explained the basic approach of how the Call Admission Control is
handled. In order to configure Call Admission control, we first need to define a link for
which we want to do Call Admission Control. The properties of that link, as for example
how much bandwidth is allowed to be used for voice, is defined inside a traffic class.
See the ?? management section for more information on that. The link definition here is
done by entering the source and destination IP ranges. In the bandwidth management,
multiple voice traffic classes can be defined for each link. After defining the link, we now
need to configure a policy, since a reaction in case of an overload must be configured.
These actions can also be configured in the Convergence Series. The enforcement of
the policy can be any action configurable in SIP. Each CAC policy consists of a Limit
Class, an Action, and a Link. Define the three parameters, then press Add to add
them to the list of Call Admission rules. In the following, we will define the different
parameters in more detail:
– Limit Class
The Limit Class definitions make the connection between the SIP and the IP layer.
All traffic class definitions are used for making assessments as to whether addi-
tional calls can be accommodated. For the Limit definitions, the Bandwidth Man-
agement Configuration is used where a traffic class with certain limits is defined.
The limit is enforced by the Call Admission Control functionality. For more informa-
tion on the definition of the traffic rules refer to the section ?? of this handbook.
As for the configuration, simply select the class representing the real-time traffic
you want to limit with this rule definition.
– Action
For each Call Admission rule definition, the Convergence permits the specification
of an action in the case of a limit violation. As we have already mentioned above,
simply denying calls is the simplest of all actions that can be taken. Sometimes
however it is inappropriate. Imagine for example a case where we can route a call
over multiple links. Since the Convergence is operating at the edge of one or more
bottleneck links, there might be an alternative route to the destination via a second
link. The other possibility is to use the TDM network via a gateway realizing a local
breakout. This second possible action is Redirect. Choose one of the two from the
Drop-Down list. Future versions will come with additional actions.
– Link
2005-2008
c Comdasys AG 98
3.5 Voice-over-IP
The notion of a link is fundamental to the way the Convergence does Call Admis-
sion Control. The simplest case of a link is a physical network connection. The
Convergence however does not stop there. A link is closely associated with the
routing functionality offered by the Convergence. Typically source and destination
addresses are used for classifying packets as belonging to a certain link (matches
the standard IP networking principles). The source address could for example be
used to configure groups for the phones. Group 1 could get a range of IP ad-
dresses, Group 2 another.
Simply enter the Source and Destination IP addresses or network addresses that
you want have the limit and action applied to. The mentioned IP addresses pertain
to the SIP signalling traffic. The source would for example be the local branch net-
work; the destination would most likely be the IP PBX. Type a ”0” for any IP out of
this range.
The Domain list parameter is one of the most important parameters in the Convergence . The
Convergence will only apply the Survivability, Call Admission Control, and/or Session Border
Controller logic to SIP messages directed at this domain. Domain as used here refers to the
rear part of a URI parameter. This means that if you have some client send a SIP message
for 500@foo.bar to the Convergence it will only act upon it in the way described if foo.bar
can be found in the domain list. Otherwise it will simply perform a DNS lookup and forward
the message appropriately. In that case it will behave like a standard stateful SIP Proxy.
This means that for Survivability scenarios, the message will be routed correctly only if all
applicable domains are entered here. This must be at least the IP address of the IP PBX
and if used also any DNS names as well as aliases. If you specify DNS names here, you
should also specify the corresponding IP address (if possible) to avoid unnecessary DNS
lookups. If a SIP message arrives with the DNS name replaced by the IP address only a
quick comparison has to be performed instead of a DNS reverse lookup. For domain names
where no reverse lookups are possible, both the IP address as well as the domain name must
be specified here to enable the correct operation.
2005-2008
c Comdasys AG 99
3.5 Voice-over-IP
– IP address
The IP address is that of the PSTN gateway. The Convergence can interact with
any PSTN gateway that supports SIP as specified in RFC3261. Some restrictions
concerning features available in the phones etc. might however apply. Although
the name of the field says otherwise, it is also possible to specify DNS / DNS SRV
names here. In most cases however, Survivability scenarios will be induced by
WAN failures. If your DNS server is unavailable in such cases, as is frequently the
case, putting the DNS name of the gateway here will result in total failure. Therefore
you should only use DNS names if you are sure the DNS server is available in all
scenarios the Survivability function has to work in. A possibility to achieve that is
to use the DNS slave function in the Convergence where it can be a caching DNS
slave for some configurable master and hence answer DNS queries even if the
master is offline.
Directly behind the IP-address, you need to specify the transmit mode. This can
again be either UDP, TCP or TLS. The same restrictions and possibilities as for the
IP PBX apply, so refer to the subsection Survivability Parameters on page ?? for
more information on this.
– Strip digits
This parameter determines how many characters of the phone number must be re-
moved in Survivability mode before passing the message on to the PSTN breakout
gateway. Under normal operation, this will all be done by the PBX. In survivability
mode, the Convergence will perform the necessary number manipulations.
– Prefix numbers
After a certain amount of digits has been removed, it is possible to prefix any
combination of digits before the call is forwarded by the gateway. Note that the
functionality here does of course not only apply to numbers, it could also be any
characters allowed in URIs. The most common case however with a gateway will
be phone numbers where prefixes are commonly used. Prefixing something would
hence be necessary if the gateway expects numbers in a certain format. As already
explained before, this URI manipulation would normally be performed by the SIP
server. This however is impossible in the Survivability case which is why the Con-
vergence will perform this here. The gateway is hence unaware of the fact that it is
operating in Survivability mode. This functionality is hence completely transparent
to the gateway.
– CAC
It is possible to perform Call Admission Control in Survivability mode before the Call
is being forwarded to a gateway. This is necessary since it cannot be assumed that
the gateway is always locally connected to the LAN. It could be located off site.
This could mean that in a backup case, it can only be reached via some backup
link. There are many scenarios that are conceivable. The Call Admission Control
parameters will allow limiting the number of calls going to the gateway. For more
2005-2008
c Comdasys AG 100
3.5 Voice-over-IP
This template is very similar to the Survivability scenario, and in fact it will also act as a
survivability component in the network. Therefore we will provide a general introduction here,
but for the description of the actual features we will often refer to the Survivability section. We
will however point out the differences here.
The main difference between the Branch SBC and the Survivability Template is the fact that
with the former, the Convergence will always do media handling in addition to the SIP sig-
nalling handling. The Branch SBC scenario will usually be used in scenarios where you have
a branch office that you want to equip with real-time communication. That could for exam-
ple be a scenario where the users in this branch offices are to be hooked up to a centralized
softswitch. Especially in bigger network it is however often impossible to provide a flatly routed
network across all locations where users are to be connected to the softswitch. This poses
special challenges then, because the peer-to-peer type communication of SIP endpoints con-
cerning media handling actually requires such a network.
2005-2008
c Comdasys AG 101
3.5 Voice-over-IP
2005-2008
c Comdasys AG 102
3.5 Voice-over-IP
2005-2008
c Comdasys AG 103
3.5 Voice-over-IP
• Own number
See ?? for a more detailed description.
• Prefix Number
See ?? for a more detailed description.
• PBX Address
See ?? for a more detailed description.
• PBX Alias
See ?? for a more detailed description.
• Internal IP
Since the Branch SBC will do media handling if a SIP session leaves the boundaries of
the local branch office, the Convergence needs to know the internal network address
for which it should not be doing media handling. For all session where both the source
and the target are within this network, the media streams will continue to flow directly
between the endpoints.
• Netmask
This parameter describes the netmask for the above configured network IP address.
This netmask enables the Convergence to check whether two endpoints are actually
local or not.
• External IP
All Convergence products support multiple virtual and non virtual interface. When acting
as a branch session border controller, there however must be a unique uplink interface
through which outgoing media streams should be routed. When looking at the SIP
messages that are leaving the branch SBC, all SDP bodies will contain this external
IP address, and hence all endpoint having a connection with some endpoint inside the
Branch SBC will be sending their media streams to this external IP address.
• Timeout
See ?? for a more detailed description.
• Alive check via SIP instead of ICMP
See ?? for a more detailed description.
• Registration Timeout
See ?? for a more detailed description.
2005-2008
c Comdasys AG 104
3.5 Voice-over-IP
• RTP Proxy
See ?? for a more detailed description.
• RTP Bind Address
See ?? for a more detailed description.
• Force Return Route
See ?? for a more detailed description.
• Mask Proxy Domain on Register
See ?? for a more detailed description.
• Local Gateway
This is another Branch SBC specific parameter. You need to configure whether media
handling should be done for calls to and from gateway calls. If checked, the gateway will
be assumed to be local, and media handling will be disabled for all calls between local
endpoints and the local gateway. If not checked, the gateway is assumed to be external,
e.g. located at the central softswitch. This will enable media handling for all external
calls.
• Debug
See ?? for a more detailed description.
• Disable Loose Routing
See ?? for a more detailed description.
• Failover Server Replication and Failover Server IP
See ?? for a more detailed description.
• Gateway DNS Alias
If this checkbox is enabled, the information in the field wiht the same name
• Survivability
In the Branch SBC mode of operation, Survivability functionality must be separately
enabled. Check this box to activate survivability. In this case, the Convergence will
behave exactly the same way as in Survivability mode, but it will do the media handling
in addition to that.
• CFW in Survivability Mode
See ?? for a more detailed description.
2005-2008
c Comdasys AG 105
3.5 Voice-over-IP
• No ReRouting On
See ?? for a more detailed description.
3.5.4.3 CAC
• CAC
The Convergence is able to do Call Admission Control in addition to Branch SBC func-
tions. By default, this functionality is however not enabled in this mode. To enable it,
simply activate this checkbox.
• Bandwidth Reservation
See ?? for a more detailed description.
• CAC Bandwidth Check
See ?? for a more detailed description.
2005-2008
c Comdasys AG 106
3.5 Voice-over-IP
• Redirect to PBX
The fields Prefix and Redirect to PBX are related. Please see ?? for a more detailed
description of these parameters.
• CAC Excluded Numbers
See ?? for a more detailed description.
• CAC
See ?? for a more detailed description.
3.5.4.5 Gateways
The cascaded SBC deployment allows the branch offices to connect to a protected SIP server
while using their own private network. The central SBC may or may not serve as a media
bridge for inter-branch calls. This means that the Convergence is deployed in the branch
office with the Branch SBC Template, and centrally the Convergence is deployed with the
Cascaded SBC template. As such, the Cascaded SBC will act mostly as a media bridge.
Since in this configuration mode, the central SIP server cannot see the topology if the network,
the CAC functionality must be activated on the SBCs in order to ensure proper bandwidth
management.
2005-2008
c Comdasys AG 107
3.5 Voice-over-IP
2005-2008
c Comdasys AG 108
3.5 Voice-over-IP
• Internal IP Since the Branch SBC will do media handling if a SIP session leaves the
boundaries of the local branch office, the Convergence needs to know the internal net-
work address for which it should not be doing media handling. For all session where
both the source and the target are within this network, the media streams will continue
to flow directly between the endpoints.
• Netmask This parameter describes the netmask for the above configured network IP
address. This netmask enables the Convergence to check whether two endpoints are
actually local or not.
• External IP All Convergence products support multiple virtual and non virtual interface.
When acting as a branch session border controller, there however must be a unique
uplink interface through which outgoing media streams should be routed. When looking
at the SIP messages that are leaving the branch SBC, all SDP bodies will contain this
external IP address, and hence all endpoint having a connection with some endpoint
inside the Branch SBC will be sending their media streams to this external IP address.
• RTP Proxy See ?? for a more detailed description.
• RTP Bind Address
See ?? for a more detailed description.
• Force Return Route
See ?? for a more detailed description.
• Mask Proxy Domain on Register
See ?? for a more detailed description.
• Debug
See ?? for a more detailed description.
• Disable Loose Routing
See ?? for a more detailed description.
• Failover Server Replication and Failover Server IP
See ?? for a more detailed description.
• Map Office Prefix to Branch SBC IP
2005-2008
c Comdasys AG 109
3.5 Voice-over-IP
3.5.5.2 CAC
• CAC
The Convergence is able to do Call Admission Control in addition to Branch SBC func-
tions. By default, this functionality is however not enabled in this mode. To enable it,
simply activate this checkbox.
• Bandwidth Reservation
See ?? for a more detailed description.
• CAC Bandwidth Check
See ?? for a more detailed description.
• Redirect to PBX
The fields Prefix and Redirect to PBX are related. Please see ?? for a more detailed
description of these parameters.
• CAC Excluded Numbers
See ?? for a more detailed description.
• CAC
See ?? for a more detailed description.
A Session Border Controller (SBC) is a VoIP session-aware device that controls call admis-
sion to a network at the border of that network. The central SBC function is not available in
all Convergence products. Contrary to the Branch SBC, the SBC function is not only an in-
frastructure function, but a securiy component providing a separation between networks. The
Convergence currently performs, NAT Traversal, SRTP termination as well as other functions
in that mode. The Convergence is still primarily built to fulfill these infrastructure functions. It
is not built to perform some other functions usually attributed to SBCs, such as protocol trans-
lation (e.g. to MGCP). While the functionality will increase in the future, the Convergence is
still positioned to be a pure SIP device. A typical centralized Session Border Controller breaks
down into two logically distinct pieces.
• Signalling The Signaling SBC function controls access of VoIP signaling messages to
the core of the network, and manipulates the contents of these messages.
2005-2008
c Comdasys AG 110
3.5 Voice-over-IP
• Media
The Media SBC function controls access of media packets to the network, provides
differentiated services and QoS for different media streams. It can also be used to pro-
vide security functions like SRTP termination to differentiate between different security
zones, and avoid things like service theft.
This template will act as a centralized session border controller, handling all media streams
emanating from client coming from the WAN network and being behind a firewall. The most
important function of a centralized SBC is hence the ability to enable clients behind a NAT
firewall to do IP communication. The challenge is to make this work behind arbitrary firewall
types including those typically found in public Internet Hotspots. The goal is enable ubiqitous
IP communication while keeping the network inside the SBC to remain secure. In order to
properly understand this setup, we first need to do some explanation of the supported NAT
networks.
NATs are active network devices placed in the data path. NATs are similar to firewalls, and
different from routers, in that they are topologically sensitive. They have an ”inside” and an
”outside,” and undertake different operations on intercepted packets depending on whether
the packet is going from inside to outside, or in opposite direction.
NATs are IP header translators, and, in particular, NATs are IP address translators. The
header of an IP packet contains the source and destination IP addresses. If the packet is being
passed in the direction from the inside to the outside, a NAT rewrites the source address in the
packet header to a different value, and alters the IP and TCP header checksums in the packet
at the same time to reflect the change of the address field. When a packet is received from
the outside destined to the inside, the destination address is rewritten to a different value, and
again the IP and TCP header checksums are recalculated. The ”inside” does not necessarily
use globally unique addresses to number every device within the network served by the NAT.
The inside (or ”local”) network may use addresses from private address blocks, implying that
the uniqueness of the address holds only for the site.
NATs are configured with a pool of public addresses, and when an ”inside” host first sends an
outbound packet, an address is drawn from this pool and mapped as a temporary alias to the
inside host’s local address. This mapped address is used as the new source address for the
outgoing packet, and a local session state is set up in the NAT unit for the mapping between
the private and the public addresses. This type of pure NAT has become very uncommon
nowadays, but it is still mentioned for completeness here.
The variant of the NAT commonly used today is the Port-Translating NAT, or NAPT (today
the term NAT is frequently used to also refer to this type of NAT mapping). This form of
NAT is used in the context of TCP and User Datagram Protocol (UDP) sessions, where the
NAT maps the local source address and source port number to a public source address and
2005-2008
c Comdasys AG 111
3.5 Voice-over-IP
a public-side port number for outgoing packets. Incoming packets addressed to this public
address and port pair are translated to the corresponding local address and port.
Again the NAPT is attempting to be transparent in terms of providing a consistent view of the
session to each end, using a symmetric binding of a local address and port pair to an external
address and port pair. NAPTs allow concurrent outgoing sessions to be distinguished by the
combination of the mapped address and mapped port value. In this way each unique external
pool address may be used for up to 65,535 concurrent mapped sessions.
For a while the terminology distinction between NATs and NAPTs was considered important,
but this has faded over time.
It should be noted that a large number of mapped sessions in a firewall can pose both a
security as well as a performance problem. Each NAT mapping is a pinhole in the firewall
that can be used to sneak information into the protected network. In addition to that with a
large number of sessions, the firewall might have to do a lot of comparisons for each arriving
packet to check for the connection this packet belongs to. These restrictions especially pose
problems in VoIP scenarios, since each active SIP clients in a call state necessitates at least
2 active NAT mappings
! Note that if you want to use SIP endpoints across the WAN port, you will need to
use manually change security settings. If your messages arrive on the WAN interface, the
firewall will block those by default. It is however relatively easy to enable SIP and RTP traffic
on the WAN interface. Please refer to the ?? section for more information about this topic.
Signalling The Convergence will do signalling handling and provide Session Border Con-
troller function between an inside and an outside network, typically the Internet. In addition to
that it will do far end NAT traversal. After the client has registered, the remote NAT mapping
is learned by the Convergence so that it can send subsequent requests to this client. A SIP
OPTIONS message is sent periodically (typically every 30 seconds) to keep the remote NAT
mapping alive and thus keep the remote client operational. The SBC will also perform vali-
dation of received SIP messages before forwarding them to the internal SIP server. With that
approach, malformed SIP messages will be detected and dropped. In addition to that, addi-
tional semantic checks will be made on the SIP mesages based on the available information
before forwarding them to the internal SIP server. The connection to the media handling is
done by modifying the SDP bodies of the SIP messages. With that modification, the SBC will
be in the middle of every media stream from a client to the inside network, as well as in every
media stream between two clients behind two distinct NATs.
The media handler will create its own session for each connection setup done via the sig-
nalling handling. Similarly to the SIP approach to handling remote NATs, the remote NAT
2005-2008
c Comdasys AG 112
3.5 Voice-over-IP
mapping is learned by the SBC, so that packets can be sent to the client behind the remote
NAT. Once the media stream has been initiated in both directions, no redirection of the media
streams are permitted, expept that is negotiated via SIP messages. This protects the users
from session hijacking. In addition to that, the source of the media stream packets is validated
against the stored session parameters to avoid somebody from sending dummy packets to
the respective port of the SBC and thus disrupting the session. It also features a dead peer
detection to clean up invalid sessions. Additionally, the Convergence can perform SRTP termi-
nation. With that function, the Convergence will terminate all sessions emanting from clients
on the outside network and send plain RTP to the SIP server or any connected equipment
like gateways. In the reverse direction, those devices will send plain RTP to the SBC which in
turn will encrypt everything before sending it to the clients on the outside network.
The following will explain the parameters that can be configured for the SBC template.
This field is for entering the IP address or the DNS name of the PBX for which you want to
act as a Session Border Controller. All requests (passing security checks) coming from the
external interface will be forwarded to this PBX.
2005-2008
c Comdasys AG 113
3.5 Voice-over-IP
2005-2008
c Comdasys AG 114
3.5 Voice-over-IP
• Presence Server IP
If you have a separate presence server, you can specify the IP address here. This
would force the SBC to handle presence requests, as for example the SIP PUBLISH
method separately from the standard SIP server. As such, you could have a separate
SIP server and Presence server and let the SBC correctly separate the requests for
these. The advantage of this is that your SIP server does not have to be aware of any
presence functionality, because the SBC is already separating the requests.
• Voicemail Server IP
You can specify the IP address of your voicemail server here. This is for special sce-
narios where the voicemail server is also integrated via SIP and where it should be
prevented that in dialog requests should also correctly flow through the SIP server. This
should only be relevant if you are using a SIP proxy type of server as your central SIP
server. In such cases it can happen that in dialog requests such as ACKs and BYEs
are routed throught the SIP server instead of directly to the SBC. Therefore, the Route
headers of the messages must be modified accordingly.
• PSTN Gateway IP
This field is similar to the one for the Voicemal Server IP. If specified, it is used to aid the
correct SIP message modification. Again, if a back-to-back user agent is used instead
of a SIP Proxy as the central server, this will be impossible. All signalling to the gateway
will then be handled by the B2BUA and the SBC will be completely unaware of this. The
media stream can of course still be directly passed to the voice gateway.
• Secure Media (SRTP)
If this is enabled, the SBC will perform SRTP termination for all incoming sessions, and
will only initiate encrypted sessions to the outside world. Internally, RTP will still be used.
• Mask Proxy Domain on Register / SIP Domain
The SBC can hide the SIP domain towards the SIP server. This means that a different
domain can be used towards the outside world, while a completely different SIP domain
can be used on the SIP server. Enter an IP address or a domain name here, and the
SBC will rewrite this domain for all requests coming in from the outside network. The
most elegant solution however is to use DNS names where both the SIP server as well
as the clients coming from the outside network. The resolutions for this domain name
should be the external IP address of the SBC for the clients, and for the SIP server on
the internal networks. If configured properly this way, this parameter is not necessary.
SIP Trunking is another possibility of using the Convergence . In this scenario, the Conver-
gence acts as a Topology Hiding Session Border Controller. SIP Trunking will mostly be used
for telephony applications, but the Convergence can also support alternative media formats
2005-2008
c Comdasys AG 115
3.5 Voice-over-IP
like video conferencing with the identical configuration. For the explanation of the parameters,
we will however heavily rely on pure VoIP terminology.
In a SIP Trunking scenario, the Convergence will usually be placed at the edge of an office
network.
• Own Number
• PBX
This field is for entering the IP address or the DNS name of the PBX for which you
want to implement SIP Trunking. All requests coming from the Trunking provider will be
forwarded to this PBX. There are two different variants a PBX can behave. One can have
the PBX register with the Trunking provider, or use a static registration with the provider.
On the PBX, simply set the address of the internal interface of the Convergence as
the SIP Trunking address. Hence you do not have your PBX connected to any outside
network. Just the routing / switching between the PBX and the Convergence must be
possible.
2005-2008
c Comdasys AG 116
3.5 Voice-over-IP
2005-2008
c Comdasys AG 117
3.5 Voice-over-IP
• Trunk Address
The trunk address needs to be set to the IP address, DNS name, or DNS SRV name of
the SIP server of the trunking connection provider. If a DNS SRV name is specified, the
?? must be enabled.
! If DNS SRV is enabled, this information will be ignored since the discovered values
from the DNS server are used.
2005-2008
c Comdasys AG 118
3.5 Voice-over-IP
– Trunk Port
This field specifies the port that should be used to contact the trunking provider. As
always, the default SIP ports (5060 for TCP and UDP, 5061 for TLS) will be used if
nothing is specified. If non standard ports are used by your provider, please enter
them here.
! If DNS SRV is enabled, this information will be ignored since the discovered values
from the DNS server are used.
• Retransmisson Timer
The various retransmission timer settings are all tightly related and therefore will be ex-
plained together. Note that all the rentransmission logic only applies to the UDP variant
of SIP. Both the TCP and TLS variant use the connection oriented Transport Control Pro-
tocol for the transmission of the messages. This transport layer protocol ensures that all
messages sent from some source reach the destination. This means that there are error
correction and retransmission mechanisms already built into the transport layer meaning
that the SIP application layer does not have to handle retransmissions any more.
The situation is quite different with UDP, where any message can get lost. The retrans-
mission timers refer to SIP requests. All SIP requests mandate a response from the
endpoint (in our case eihter the PBX or the trunking provider). Since the PBX will usu-
ally be connected through a local ethernet interface, there should be no problem with
lost packets on this side. The trunking provider connection however usually goes over
the Internet where messages can easily be lost or delayed. These timers set the interval
that the Convergence waits for a response to a request before sending it again. Com-
monly the timers are increased with the default being (500 msec, 1000 msec, and 2000
msec).
– Retransmission Timer 1
This is the first retransmission timer and must be set in milliseconds. If no response
(both provisional 1xx responses as well as final ones will be accepted here) to a
request is received within this time, a retransmission is initiated. The accuracy of
the retransmission will be around 50 msec. This means that if this timer is set to 500
msec, which is also the default value, the retransmission will occur in the interval
between 450 msec and 550msec after the first request has been sent without a
reponse arriving.
– Retransmission Timer 2
Also see above for a more detailed explanation. The timer must also be set in
milliseconds with the default being 1000 msec.
2005-2008
c Comdasys AG 119
3.5 Voice-over-IP
– Retransmission Timer 3
Also see above for a more detailed explanation. The timer must also be set in
milliseconds with the default being 2000 msec.
– Final Retransmission Timer
After the final retransmission timer hits, the server will be considered down or un-
reachable, and no further attempts will be made. If DNS SRV is configured, the
failover mode will be entered and a DNS lookup to discover the secondary server
will be initiated. Once that server has been discovered, messages will be sent there
instead of the primary server. The primary server will only be contacted after the
penalty box has expired. Once that has happened, an attempt is made to contact
the primary server. If it still does not respond even to the retransmission sequence,
it will again be put into the penalty box. If it is reachable, all subsequent requests
will go there again.
2005-2008
c Comdasys AG 120
3.5 Voice-over-IP
messages that are leaving the branch SBC, all SDP bodies will contain this external
IP address, and hence all endpoint having a connection with some endpoint inside the
Branch SBC will be sending their media streams to this external IP address.
The standalone template is the simplest template explained here. The Convergence can act
as a mini SIP server, thus providing basic call functionality and other basic functionalities
supported by the SIP devices. PSTN gateways can be used for making external calls. This
template can also be used in conjunction with the B2BUA to use SIP carrier accounts as
gateways.
• Own number
Under normal operations, the phones can be reached via two different numbers, their
complete PSTN number and internally by simply dialing an extension. An example
will illustrate this. Let us assume that the branch office can be reached via the ”+49
89 4711” from the outside. Internally you have the extensions ”100” and ”110”. This
2005-2008
c Comdasys AG 121
3.5 Voice-over-IP
means that from the PSTN you can reach the phones by dialling ”+49 89 4711 100”.
Internally, the phones can be reached via their full number or via their extension only.
The registration with the SIP server and the SIP Proxy in our case here is performed with
the full number. By knowing the Own Number of the branch, the Proxy upon receiving
a call for an extension in Survivability mode can now prepend the number of the branch
and hence find the phone in the Registration database. This means that extension
dialling still works in survivability mode. This can be used to avoid having to do number
manipulation in the gateway for incoming calls. If you do not want to use this feature,
simply leave the field blank.
• Prefix number
The Prefix number describes the prefix the number has if it is an outgoing call. Usually
this is just a simple digit as for example a ”0” for getting an outside line. Expressions for
this can however be more complex than that. You can enter arbitrary regular expressions
here. Only numbers having the correct prefix will be routed to the gateway. This pre-
vents unavailable internal numbers from ending up in the PSTN and going somewhere
unintentionally.
• Timeout
The timeout value is the maximum time the proxy will wait for a response from a gateway
upon a request before falling into hunting mode. If a negative response is received
2005-2008
c Comdasys AG 122
3.5 Voice-over-IP
• Debug
This switch will make the SIP proxy write debug messages to the system log. These
can either be seen in CLI mode on the Convergence, or on the specified logging server.
See the logging parameters in this document or refer to the Command Line Guide for
more documentation on how to have a look at the logging.
2005-2008
c Comdasys AG 123
3.5 Voice-over-IP
See Survivability Configuration on page ?? for more information on the parameters here.
The Enum template is relatively straightforward to explain. The typical usage scenario is
the Convergence connected to the Internet externally and connected to a SIP Server / IP
PBX internally. The Convergence acts as an ENUM lookup server and as a Session Border
Controller for incoming calls.
The IP PBX must be configured to forward all calls to the Convergence appliance. The Con-
vergence will try to convert the dialled phone number into an E.164 number to perform an
ENUM lookup. If it successfully finds a SIP URI registered under this number, it will forward
the call via IP. Otherwise it will signal back a trunk busy to the IP PBX that should in turn try
the next available trunk meaning it will route the call as before via PSTN. In that scenario, the
Convergence can be integrated into the existing Voice infrastructure. The Convergence must
of course also be configured to permit incoming calls, by opening the firewall etc. Also see
the firewall section for more details on this.
There might be other usage scenarios, where the ENUM template can be useful. An extensive
discussion would however be beyond the scope of this book.
• PBX Address
This parameter is for entering the address of the connected IP PBX. It can either be
entered in the form of an IP address, a host name or even as a DNS SRV address.
Note that entering a DNS or DNS SRV name can introduce more latency in forwarding
messages to the IP PBX since the hostname has to be looked up first.
• SIP Transmit Type
The SIP Transmit Type parameter is the transmission type the proxy uses to contact the
IP PBX. The Convergence supports 3 different SIP transport modes, UDP, TCP, and the
encrypted TLS variant. The type to use depends first and foremost on the used IP PBX.
The TCP and UDP types are straightforward and just specify the used protocol type.
The only type requiring further explanation is TLS. For TLS additional things like the
encryption keys are required. Since this is a very advanced topic, this cannot be config-
ured via the WebGUI as of yet. The Convergence will generate TLS keys automatically
that can be downloaded for the use in the IP PBX via SCP. Please consult the Command
Line Reference for more information on how to do that.
• Debug
This switch will make the SIP proxy write debug messages to the system log. These
can either be seen in CLI mode on the Convergence, or on the specified logging server.
2005-2008
c Comdasys AG 124
3.5 Voice-over-IP
2005-2008
c Comdasys AG 125
3.5 Voice-over-IP
2005-2008
c Comdasys AG 126
3.6 SIP Proxy Users
See the logging parameters in this document or refer to the Command Line Guide for
more documentation on how check the logging output.
The following parameters are all used to convert a telephone number into a full E.164 num-
ber.
• City Code
Enter the plain city code 3-digits in the US and other countries. It can also be a number
of variable length in many countries.
• Country Code
Enter the Country Code for your country without any preceding digits. This would be a
”1” for the USA, the ”49” for Germany, etc.
• Long Distance Prefix
Enter the number you have to dial on your phone before making a long distance call. In
the US this is a ”1”, in most European countries a ”0”.
• International Prefix
Enter the number you have to dial on your phone before making an international call. In
the US this is the ”011” in most European countries the ”00”.
The custom template allows you to use your own configuration script for the SIP Proxy. Please
refer to the Command Line Reference on more information on how to create your custom SIP
Proxy configuration script. It is also possible to use one of the above defined scenarios, and
then modify the script appropriately to suit your needs.
This menu item lists any currently registered SIP proxy / Session Border Controller users. A
user is represented by its URI and its name, where the name may be an alphanumeric string
or a telephone number extention.
i Note that the relevance of this information varies quite significantly. In Survivability
and Branch SBC mode, this information is only utilized for Survivability functionality and
plays no role in normal mode. In the Cascaded SBC and SIP Trunking scenarios this infor-
mation is not used at all. In the SBC scenario, this information is quite important however
because it is being used for the NAT detection.
2005-2008
c Comdasys AG 127
3.6 SIP Proxy Users
2005-2008
c Comdasys AG 128
3.7 SIP TLS configuration
More details on registered users are provided by the SER server command serctl ul
show. Please refer to the Command Line Reference Guide for further information on the
usage of serctl.
Settings for SIP proxy are described extensively in section ??.
The SIP TLS configuration page is a simple tool to upload a TLS private key and a TLS
certificate used to communicate with the client in TLS mode. Naturally this is only relevant
if you have a client that is able to support SIP in TLS mode. Otherwise you can ignore this
section.
The Convergencegenerates a new privat key and a certificate automatically while booting if
noprivate key or certificate exists. Therefore, if you do not want to setup authentication based
on certificates, there is no need to do any configuration here.
2005-2008
c Comdasys AG 129
3.7 SIP TLS configuration
To upload a new TLS Private Key press the Browse button and select the new private key
from your file system (Figure: ??).
In the next step press the Upload button and the new TLS private key will be saved onto the
Convergence. The procedure for the TLS certificate is essentially the same (Figure: ??).
! The TLS certificate must fit the TLS private key, otherwise no TLS communication
will be possible
If you do not have any keys to use for TLS communication, you can also use the Conver-
genceto create a key set. Simply press Generate and the Convergencegenerates a new
default TLS private key and TLS certificate. These will be stored on the Convergenceand
activated after pressing Apply Configuration .
3.7.1 B2BUA
Contrary to the SIP Proxy, the B2BUA does not only handle the SIP signalling, it also handles
the media sessions. It is therefore a lot more relevant what types of sessions are being
initiated. The B2BUA must also support the media codecs. Due to these reasons, the B2BUA
at the moment can only be used for Voice scenarios. The biggest use of the B2BUA is for
terminating calls coming from the Internet (e.g. for Security Reasons). In such a setup,
people can be allowed to make calls from the Internet that will be handed to some device
on the LAN without having a direct routing connection. Not even the SIP messages will be
forwarded before being completely parsed and reassembled. The B2BUA will terminate the
call coming from the outside and setup a new internal call. This can be desirable for security
purposes if you are having e.g. mobile users or home workers that you do not want to connect
via e.g. VPN.
In another scenario, the B2BUA routinely gets used in scenarios involving SIP carriers. SIP
carriers usually expect a UA (User Agent like a SIP phone or a Softclient) to be on the other
side. The B2BUA can emulate a phone being permanently connected to the SIP carrier.
Incoming calls for a SIP carrier can then be mapped to arbitrary users or even to the SIP
Proxy and hence an IP PBX. As such, it is possible to have the B2BUA also act like a virtual
gateway. The mapping between users and the SIP carrier accounts is done by a set of simple
Call Routing Rules (see ??) that can be defined.
2005-2008
c Comdasys AG 130
3.7 SIP TLS configuration
2005-2008
c Comdasys AG 131
3.7 SIP TLS configuration
Here, it is possible to define a SIP carrier account. Refer to your SIP carrier for obtaining the
necessary information. Note that some SIP carriers use the same ID for the phone number
and the User Name. It is possible to have a whole list of SIP carrier accounts by filling out
all necessary fields, then pressing Add . In the following, we will explain the meaning of the
different fields that are available.
Username: Enter the Username for your SIP carrier account here. This Username param-
eter is used for authenticating you at your SIP carrier. Every SIP carrier usually requires
authentication which means that you must enter a value here. Not entering a value here will
cause the system to malfunction.
Password: Enter the Password for your SIP carrier account here.
Phone Number: The phone number is the number given to the user by the SIP carrier
usually without any prefixes. This should be the number you are reachable under within the
SIP network of the carrier.
Host: The host is the SIP server provided by the carrier. Usually they will provide a host-
name, but it can of course also be an IP address. The SIP server is also often called Registrar
or Registry Server.
Domain: The domain tag is the domain name that will be used in the ”from” Header of all
requests and that is expected in that header. The B2BUA manages an internal domain. Most
SIP carriers however do require their domain name to appear in the Header field. For most
SIP carriers, this domain is equal to their DNS domain name. This field can also be an IP
address instead of a domain name. In that case, it will most likely equal the host field.
NAT: This setting indicates whether there is a NAT between the Convergence and the SIP
carrier. If the Convergence itself is performing the NAT, there is no NAT in between when
considered from the perspective of this setting. If this option is checked, the Convergence will
send SIP Pings to keep the SIP signalling channel to the SIP carrier open. The SIP Ping is a
simple SIP OPTIONS packet that most SIP carriers will respond to because this mechanism
is routinely used by other SIP phones as well. Checking this option while not behind a NAT
will cause no harm, it will only cause network traffic.
2005-2008
c Comdasys AG 132
3.7 SIP TLS configuration
Attempt direct Media Connection: This parameter controls whether the B2BUA should
allow the endpoints to establish a direct media connection. This can be useful for e.g. fax
transmission. It however also might cause security problems, because it will allow a user
inside your local area network to establish a direct connection to the SIP carrier. Furthermore,
the firewall settings in the Convergence must permit this. With the default settings, the firewall
will allow the outgoing media connection from the phone to the SIP carrier. Since we have an
established session then, the firewall will also admit packets coming from the SIP carrier.
If you leave this button unchecked, the B2BUA will terminate the connection from the SIP
carrier. If you forward this call to another user in the B2BUA, a second call leg will be set up.
This means that the media stream will flow from the SIP carrier to the Convergence and that
the Convergence will set up a second call internally to the user. This elegantly circumvents the
NAT problem. This setup is very secure and means that the B2BUA can perform transcoding.
This means that you can use compressed codecs that some SIP carriers support (e.g. GSM)
with a SIP phone that does not support such a codec. This setup can have problems with very
restrictive firewall settings. Usually the Stateful firewall will detect the media streams with their
associated ports and let them traverse the firewall. Better than relying on the firewall setting
not to change however is to explicitly allow this traffic. The simplest way to accomplish this
is to make sure that you permit incoming UDP Traffic for the Convergence. Please refer to
the ?? section for further documentation on how to accomplish this. You can also make more
restrictive firewall rules for this by e.g. only permitting UDP traffic from your SIP carrier.
3.7.1.2 Users
SIP user accounts are very similar to SIP carrier accounts. The difference is that the Con-
vergence is now a server when considered from the connected phone. This means that you
have to use the information here to configure your SIP UA (User Agent) device or Softclient.
As with SIP carriers, it is possible to manage a practically arbitrary number of SIP UAs here.
Fill in the desired parameters, then click Add . In the following, we will explain the meaning
of the different parameters:
Username: Enter the Username the phone has to use for authentication here. You can
leave this field blank and also leave the field in your UA blank. Your UA will then be able to
connect without authentication.
Password: Enter the Username the phone has to use for authentication here. You can leave
this field blank and also leave the field in your UA blank. Your UA will then be able to connect
without authentication.
2005-2008
c Comdasys AG 133
3.7 SIP TLS configuration
Host: Enter an IP address or hostname if your UA is using a fixed IP address. When entering
this IP address, the B2BUA will always try to contact your UA under the IP address specified.
It will completely ignore the data sent in the Registration request. If your UA is not sending
SIP REGISTER methods, you have to fill in the parameter here.
Dynamic Host: Check this box if you want to use the information obtained via a SIP REGIS-
TER message to contact the UA. If this option is checked, the B2BUA will always try to contact
the UA under the IP address contained within the last REGISTER message of this UA. If this
option is checked, the Host parameter is completely ignored.
NAT: Check this option if your UA can be behind a NAT firewall. This can be the case with
mobile users coming from the Internet side. If this option is checked, the B2BUA will ignore
the IP addresses contained within the SIP REGISTER message if it does not equal the IP
address the IP packet has been received from. This situation forces the B2BUA to conclude
that the UA is behind a NAT firewall. The B2BUA will try to contact the UA not via its private
address, but will send the SIP message to the official IP address the request was received
from. This approach is very efficient since it will in most cases make the use of STUN in
the UA unnecessary. If your UA supports NAT discovery mechanisms, you will probably not
need to check this option. It should be noted that this option however does no harm if the UA
happens not to be behind a firewall.
Attempt direct Media Connection: This parameter controls whether the B2BUA should
allow the endpoints to establish a direct media connection. This can be useful for e.g. fax
transmission. It however also might cause security problems, because it will allow a user
inside your local area network to establish a direct connection to another user on the Internet
or to a SIP carrier.
If you leave this button unchecked, the B2BUA will terminate the connection from the UA. If you
forward this call to another user in the B2BUA, a second call leg will be set up. This means that
the media stream will flow from the first user to the Convergence and that the Convergence
will set up a second call internally to the other user. While this might be undesirable for purely
internal connections, it can elegantly circumvent the NAT problem when having one internal
and one external user. For more information, you can also consult the SIP carrier section ??
on page ??.
Codecs: Check all codecs that should be allowed for the specified user. Any codec not
listed here will lead to a call rejection, or at least a codec negotiation until one of the codecs
mentioned here is used. This can also be used to enforce certain policies. You can for
example allow only compressed codecs for all users coming in from the WAN side in order to
preserve bandwidth. These WAN users will then not be able to set up a call with e.g. G.711.
2005-2008
c Comdasys AG 134
3.8 Diagnostics
After the configuration of the users and the SIP carrier accounts, we now need to define some
call routing rules. These rules will be used for making the appropriate connections. You have
to understand that each rule defined here only applies to a single direction. If for example we
define a rule that all numbers starting with a ”0” should be routed to the SIP carrier account,
this does nothing to the other direction. In order to accept calls from the SIP carrier account,
we need to define a second rule. The structure of the rules is very simple. You simply define
a Source and a Target for each rule.
From: Enter the number where the call is coming from. This can only be one of two things,
either a SIP carrier account, or a regular expression (there is no full regular expression sup-
port) identifying a certain number range. If you have multiple rules, these will be evaluated in
a best fit manner. You can enter simple patterns here to work with any number of prefixes.
Enter ”0*” to denote all calls starting with ”0”. To denote a SIP carrier account use the number
entered in the phone number field.
To: Choose either a user or a SIP carrier account. Another option is to route the call to the
SIP proxy. In that case, you however need to specify a number to which extension connected
to the SIP Proxy you want to route the phone. For that, it is of no interest in what mode the
SIP Proxy is configured. If it is for example configured in survivability mode, the call will be
passed on to the central SIP server that then forwards to the phone with the number entered
in the Number field.
Number: Number to be dialled if a call is forwarded to the SIP Proxy. See the description of
the To field for more information.
3.8 Diagnostics
3.8.1 Syslog-File
This page displays the last lines of the Syslog output the Convergence produces. The output
of this file is explained in more detail in the Command Line Guide. The output also depends on
the Syslog settings and the mode that is configured there (see ?? for more detailed description
of the possible settings here). If Debug is used there, a lot of information will be displayed.
The output can be refreshed by pressing the Reload button. It is also possible to adapt the
number of lines displayed, by entering the desired number into the Number of Lines field.
2005-2008
c Comdasys AG 135
3.8 Diagnostics
! By default, the Syslog file is stored in a RAM disk on the device. This means that the
information is lost after a reboot. In order to implement a persistent storage, an external
Syslog Server is recommended. It is however possible to move the the log file to the flash
from the CLI interface.
i The Convergence performs log rotation on a regular basis to avoid filling up the
storage space. This log rotation will compress the current syslog file. All files are stored in
the /var/log/ directory and can be accessed e.g. via WinSCP.
3.8.2 Logging
Here you can specify an external syslog server, on which all important messages from the
Convergence are logged.
Syslog is a standard for logging system messages under Unix and Linux and meanwhile also
many other platforms including Windows. It supports both local and remote (i.e. over the
network) logging.
If you wish to save system messages from the Convergence, you will have to specify the
computer, where the messages should be sent to and the log level for which messages should
be saved. This is especially recommended if the Convergence is operated as a firewall.
2005-2008
c Comdasys AG 136
3.8 Diagnostics
2005-2008
c Comdasys AG 137
3.8 Diagnostics
The debugging tools allow you to easily track down the reasons for network connectivity prob-
lems over the web interface without knowing any CLI commands.
3.8.4 Ping
Ping sends network packets to a computer and waits for the response while measuring the
elapsed time until a response arrives.
This program is able to examine if a computer is reachable or not. For this reason it is ap-
plicable for instance to check whether the connection to a certain host is working. You can
easily trace down the reason for connectivity problems by first trying to ping the first gateway
on the way, then the second and so forth. Once that fails, you will know exactly what link is
the problem.
3.8.5 Traceroute
This program traces the path packets from the Convergence to a certain host on the take. It
can complement and expedite certain debugging approaches taken with ping. Note that when
trying to trace routes over the internet, that some routers will block this attempt. You will then
be unable to get the desired result for a traceroute although the network connection is working
2005-2008
c Comdasys AG 138
3.8 Diagnostics
properly. Usually, traceroute is used after you have detected a specific network problem with
the ping tool to further narrow down the reason.
i If you assume that an internet connection is inoperable, you have to define the IP
address of your Convergence instead of your system name, because in this case the DNS
service could probably not be able to resolve system names.
The output is shown in realtime line after line. This means: if ping does not respond for several
seconds, the probability that the address is not reachable is very high.
2005-2008
c Comdasys AG 139
3.8 Diagnostics
3.8.6 SNMP
• Readonly password
Specify a SNMPv1 or SNMPv2c community that will be allowed read-only access.
• Read-/Write password
Specify a SNMPv1 or SNMPv2c community that will be allowed read-write access.
• Enable SNMP trap sending
This checkbox enables active monitoring. The SNMP Daemon will send traps in case
of a process not running or low diskspace. Beside this a trap is sent on starting and
stopping of the SNMPD Daemon.
• SNMP trap community name
Specify the community name which will be used in traps.
Trap destination
Here you can specify one or more ip-addresses as a destination for SNMP traps.
Proxy
This option enables the SNMP Daemon to act as a proxy, passing certain requests to a SNMP
service running on another machine. Following configuration settings are available:
• IP address
The IP-address of the machine to which the proxy should forward.
• Port
Optional: The port on which the target machine is listening for snmp. Default is port 161
• Password
The SNMP community string on the target machine.
2005-2008
c Comdasys AG 140
3.8 Diagnostics
• SNMP Version
Choose between SNMP version 1 or 2c
• Object-ID (OID)
Optional: Part of the OID tree which should be passed through to the target machine.
Default is the whole OID tree .1.3
2005-2008
c Comdasys AG 141
3.8 Diagnostics
This section shows how many packets have been dropped and the matched firewall rule.
You can see the over-all number and size of dropped packets and additional information of
the matched rule (protocol, input/output interface, source and destination). Depending on
the direction of packets, rules are joined in three chains INPUT, OUTPUT, and FORWARD.
Information about dropped packets may be helpful for testing connections or improving your
firewall rules.
The information shown on this page is a summary of packets dropped by the firewall and will
be refreshed every time you choose this menu item or click Refresh . You can also reset
firewall packet counters by clicking Reset .
2005-2008
c Comdasys AG 142
3.8 Diagnostics
Network debugging would not be possible without analyzing network traffic. A prerequisite
for performing such analysis, however, is collecting information, e.g. in form of a packet trace
created with a command line tool tcpdump. This page offers a simple interface for tcpdump.
2005-2008
c Comdasys AG 143
3.8 Diagnostics
3. Click on Start to start the trace. In order to stop and download the trace file, simply
click on Stop and corfirm saving the file to your disk. If you just want to check, whether
the trace is already completed (e.g. in case you have specified a maximum size of file
or number of packets to be traced) click on Status . Your trace will not be interrupted,
if it is still running.
2005-2008
c Comdasys AG 144
3.8 Diagnostics
2005-2008
c Comdasys AG 145
4 Enterprise Mobility (Fixed Mobile
Convergence)
The vision of FMC is for people to use a single communication device with a single number,
taking advantage of less expensive, high-speed WLAN connectivity, while enjoying widerang-
ing mobility on existing Public Mobile Networks. FMC should provide the subscriber a con-
sistent user experience regardless of location and time-of-day with no interruption of service
when roaming between fixed-line (through Wifi) and mobile networks. The goal of FMC is
to break the paradox that arises from the fragmentation of communications channels and to
make multiple channels (networks) appear and behave as a single channel thus restoring the
core value of communications; improved productivity and reachability.
The Fixed-Mobile-Convergence functionality of the Convergence makes the use of handset
device flexible and independent of the used network infrastructure. This is achieved by con-
necting the Convergence to the PBX system. The mobile device can then be used as a PBX
extension both over the Wifi network, as well as over cellular. A mid-call handover from cel-
lular to WLAN and back is possible as the handset device supports dynamic detection of the
sufficient WLAN network coverage. The Convergence consists of two components, a Client
and a Server. In order for everything to work correctly, the client needs to be properly in-
stalled on the handset. Refer to the separate client documentation for more information on
that. According to the quality of the link over WLAN the Convergence handles media path for
the ongoing calls and carries out the handover of the media stream. While a handover will be
successful in most scenarios, the seamlessness cannot be guaranteed with an abrupt signal
loss. This situation is no different than commonly observed in contemporary cell networks.
Getting onto an elevator is a frequently cited example for such a sudden loss of connectivity.
The speech quality of WLAN calls does not differ significantly from the quality of calls set up
via cellular. The Convergence in conjunction with the client will select the right codec and also
otherwise do everything to guarantee the best possible voice quality. The Convergence can
also do transcoding to support specially optimized codecs on the WLAN side, while using gen-
eral purpose codecs like G711 on the PBX side. When doing transcoding, the Convergence
will need to have control over the media stream at all times.
2005-2008
c Comdasys AG 146
4.1 Introduction to Fixed-Mobile-Convergence for the Enterprise
Following configuration steps are necessary to configure your dual mode solution. Please
refer to the more detailed descriptions of the menu points above.
1. First you need to Configure a Number Profile. For more information refer to ??.
2. Configure SIP Endpoints. You need to specify a PBX host and if applicable a sep-
arate host for the incoming GSM callthrough calls. This second host will be used for
handling the callthrough calls, that are first connected to the Enterprise and only then
the actual called number is being dialed. You can provide a name for each host which
you will use later to associate e.g. Registrations. Choose a meaningful name that re-
flects the intended usage of this host to simplify the use in the other sections where this
name will be reflected. Click Add to create a new entry, fill the form and click Save to
save your changes. Use to edit, or to delete an existing entry. For detailed
description of the configuration parameters please refer to ??.
3. Configure Global Settings. There are several SIP and RTP related options to con-
figure. You will find detailed description of these in the sections above. ??
4. Callthrough Number You have to specify the dial-in (also called callthrough or tram-
polin number) to be used for handling calls initiated from the GSM network.
5. Configure Registrations. A registration represents the link of a configured user with
a user on the PBX. Click Add to create a new entry, fill the form and click Save to
save your changes. Use to edit, or to delete an existing entry. For detailed
description of the configuration parameters please refer to ??.
6. Create User accounts. Click Add to create new entry, fill the form and click Save
to save your changes. Note that you need to associate the user with a registration for
him to be able to make calls via the PBX. Use to edit, or to delete an
existing entry. For detailed description of the configuration parameters please refer to
??.
7. If not done already install license file for Convergence (refer to ?? for further details
on License Management).
8. Your changes will be applied after selecting Apply configuration.
! Note that the Numbers in the User account configuration must be unequal to the num-
ber used in the Registration. Having both sides equal can lead to weird behavior especially
when using features.
Besides the basic call functionality with a single phone number that is supported both via
WLAN and GSM Convergence provides a wide range of the standard enterprise PBX features.
2005-2008
c Comdasys AG 147
4.1 Introduction to Fixed-Mobile-Convergence for the Enterprise
These features are signalled via SIP in WLAN, and via DTMF in cellular mode. The dual mode
client on the handset will make this fact completely transparent to the user. It will be possible
to access the features completely transparently from the handset. Any features described
here will also work through handoffs in both directions. The features described here equal
the features usually provided in a SIP phone. In order to make them usable through handoffs,
their implementation has been changed and distributed between the Convergence and the
client. It should be noted that also combinations of these features are usable. In addition
to these typical SIP client side features, the server based SIP features are also available as
described below. To avoid possible conflicts with systems provided by many operators such
as VoiceMail systems, accessing some features requires using more complex DTMF signals
than just a single digit. Following features are provided:
• Hold
• Toggle
• Consultation
• Conferencing (3pty)
• Transfer
• Combinations of the above
i Note that the selectable features can vary depending on the client, client version, as
well as the used PBX. Feature combinations that are not supported are not offered by the
FMC client.
i The transfer feature requires the PBX to support the SIP REFER message as de-
fined in RFC 3515. The implemented transfer mechanism is an unattended transfer with
a fallback function in case the transfer is declined by the PBX. In that fallback case, the
previous call is resumed.
In addition to the emulated SIP phone features, the server side features of the PBX can be
used. The number and type of features are very dependent on the connected PBX, but there
are some rules to tell what features are available. Many features in SIP PBXes are enabled /
disabled by using access codes. All of these features can usually be fully used in conjunction
with full dual mode operation. In addition to features enabled by access codes, some group
features are also usable via the dual mode handset. The following is a list of features that are
typically supported if the PBX supports this:
• Pickup
• Call Back
• Call Forwarding
2005-2008
c Comdasys AG 148
4.1 Introduction to Fixed-Mobile-Convergence for the Enterprise
• Hunting
• Simultaneous Ringing
• Call Groups
• Boss Secretary
• ...
Besides the above described telephony functionality the Convergence has been designed to
provide an overall and unified communication experience. This naturally does not only include
voice communication, but also Instant Messaging and Presence. XMPP (formerly known as
Jabber) is the industry standard protocol for that, and the Convergence support interacting
with such a server much the same way this is done with the PBX. In order to understand this,
we first have to explain some basic principles about XMPP / Jabber. The assumption is, that
an organization has its own XMPP Server.
The Jabber network is server-based (i.e. clients do not talk directly to one another) but de-
centralized; by design there is no central authoritative server, as there is with services such
as AOL Instant Messenger or MSN Messenger. Anyone may run their own XMPP server on
their own domain. Standard TCP port for Jabber is 5222.
Every user on the network has a unique Jabber ID (usually abbreviated as JID). To avoid the
need for a central server with a list of IDs, the JID is structured like an e-mail address with a
username and a DNS address for the server where that user resides separated by an at sign
(@), such as username@domain.com.
Since a user may wish to log in from multiple locations, the server allows the client to spec-
ify a further string known as a resource, which identifies which of the user’s clients it is (for
example home, work and mobile). This may then be included in the JID by adding a for-
ward slash followed by the name of the resource. Each resource may have specified a nu-
merical value called priority. For example the full JID of a user’s mobile account would be
username@domain.com/mobile. This is what the Convergence uses. It will register with the
XMPP server under a configured user name and as mobile account. Messages that are sim-
ply sent to username@domain.com will go to the client with highest priority, but those sent
2005-2008
c Comdasys AG 149
4.2 FMC Enterprise Configuration Introduction
The Convergence has multiple network interfaces, that can in principle all be used for the FMC
application. The main interface that handles the connection towards the PBX is the LAN1
interface. The default SIP port for Client registrations is 5060. For the server registrations, the
Convergence will select a dynamic port for each SIP user. The port range for this is 12000
and higher, depending on the number of configured users.
If clients are to be used in different networks, or behind NAT routers, you need to utilize
the Session Border Controller component of the Convergence . This component will provide
security and NAT handling and ensures that all networks configured on the Convergence are
cleanly separated. This Session Border Controller component runs on all interfaces by default
and uses the port 5062 for UDP/TCP signalling and 5061 as TLS signalling. If you want to
make use of these features, you will need to point your client to these ports.
! The FMC application does not accept SIP signalling on port 5060 from any interface
except for LAN1. If you use a different interface, you will need to make use of the above
described SBC functionality.
! If you intend to use TLS, you should make sure to have correct certificates. You
can do this on the SIP TLS configuration section where you can either generate or upload
appropriate certificates.
On the following pages you will find the detailed instruction of the setup of your FMC solution.
The configuration settings are divided into several different groups. First you may want to con-
figure the Global Options followed by the Numbering Profiles, the Endpoints, the Callthrough
2005-2008
c Comdasys AG 150
4.3 Global Settings
Numbers, the Registrations and the User Accounts. If you want to utilize the single number
functionality, you will also have to configure a GSM number for a user.
This means that the menu items in the Dual Mode menu is order the same way it should be
filled out.
i Note that the order of configuration does matter because certain information is re-
quired in order to be able to configure certains things. For instance, you do need a Regis-
tration representing a PBX account in order to configure a dual mode user.
i Registrations and User accounts might sound alike, but in the Convergence they
mean fundamentally different things. The appliance acts with two different identities for
each user. On the one hand, it acts like a server for the FMC Client. On the other side, it
acts like a client towards the PBX. In this manual, Registration is always used to refer to
the latter (the communication side with the PBX), whereas User Account describes the side
towards the handset.
The following section contains global settings necessary for the FMC component on the sys-
tem. Note that various fields have to be filled in for the system to work properly.
This part of configuration contains general settings concerning used PBX, SIP related features
and media stream settings. These settings are essential for operating your Convergence
properly.
2005-2008
c Comdasys AG 151
4.3 Global Settings
2005-2008
c Comdasys AG 152
4.3 Global Settings
2005-2008
c Comdasys AG 153
4.3 Global Settings
! The correct detection of the used DTMF mode is not always possible. It can further-
more consume quite some resources especially if the Convergence came to the conclusion
that inband DTMF is being used. In order to avoid such problems, it is recommended that
you always disable inband DTMF if anything else is supported by the peers.
2005-2008
c Comdasys AG 154
4.3 Global Settings
be played back to give the user an audible feedback. Some PBXs also do that towards their
endpoints. As already noted, the Convergence will also provide Early Media to the client if
Enable Client Early Media (see ??) is enabled. By default, the Convergence will however pass
through the early media coming from the PBXs and forward them to the client. That conflicts
with the early media sent by the Convergence . Although the client can handle this, you will
hear both tones be played back, that from the PBX as well as the one from the Convergence .
If your PBX supports early media, and you want to activate early media towards the client on
the Convergence , you have to check this option. The other option is to not activate the early
media towards the client and leave this box unchecked. In that case the early media will be
passed through from the client and you get the progress tones from you PBX or your media
server.
• Source pattern to target pattern mappings defined by explicit rules (see ?? for more
information about this)
• Considering numbers as internal depending on their length (see ??)
• Automatic conversions based on the Number Profile settings performed here (see ??)
When checking this option here, the number conversion process will be completely switched
off. This means that any dialed number will be passed through straight to the PBX without
any modification.
• fgVoIP V2.9.1
• fgVoIP V3.0.0
• fgVoIP V3.11
• fgVoIP V3.12
2005-2008
c Comdasys AG 155
4.3 Global Settings
Options to be configured in this section affect the general behavior of the SIP related fea-
tures. This is especially relevant for the registration behavior as well as the NAT handling in
conjunction with the SBC component.
Domains
The SIP domain is sometimes important for digest authentication as well as for the request
URI formatting towards some PBXs. All messages orginating from the Convergence towards
the PBX will contain the domain you specify here in the appropriate SIP header fields (in all
places where you would normally find its IP address). If left blank, the IP address of the first
LAN interface will be used.
i If registrations fail, please make a SIP trace. If you see registrations rejected with the
error request Interval too Brief, you will need to increase the timeout set here. By default,
many servers expect expirations timeouts between 1800 and 3600 seconds.
2005-2008
c Comdasys AG 156
4.3 Global Settings
the IP address specified here is a LAN, WAN, or DMZ interface. For all messages arriving
through this interface on port 5062 (or port 5061 for TLS), NAT handling will be performed.
The Convergence can easily check whehter a NAT is involved. This can be done by checking
for private IP address ranges and seeing if the source of the message matches the source in-
dicated in the SIP signalling. Should this not be the case, NAT handling has to be performed.
This means that all messages must be returned through the firewall pinhole that the message
came from. The same holds true for the media stream. The addresses in the SIP header and
the SDP body will then in part not be considered. There is no need for the configuration of
any special handling on the client side.
i The Convergence when doing NAT handling will utilize a built-in Session Border
Controller for handling clients behind NATs. In those cases, the client needs to be registered
via port 5062. For TLS there is no such distinction since there NAT detection will always
be done by default (so port 5061 can always be used). This distinction is due in part
to security concerns. Explicitly not doing NAT detection makes the communication over
insecure links a little safer. The mechanisms needed to perform the NAT handling can
increase the liklyhood of such attacks as session hijacking. When using TLS as a signalling
protocol, this risk is not there because the signalling is done through a secure channel.
i Note that it is also possible to make use of an external Session Border Controller. For
that purpose simply configure the Convergence as a SIP server in the used Session Border
Controller and have the SBC forward the SIP messages to port 5060 of the Convergence.
Then the external SBC will perform the NAT handling.
Port Ranges
Due to the complexity of the product, the possibility to change the used port ranges has been
restricted to expert mode. The follwoing will provide some information on the utilized port
ranges.
2005-2008
c Comdasys AG 157
4.3 Global Settings
i Port Ranges for Signalling and Media Streams: For signalling the client must use
port 5060 towards the server. As noted above, ports 5061 should be used for TLS and
5062 for NAT handling (always towards the client). For the media streams the port range
16384 - 22384 is used. For NAT handling the ports 35000-36500 are used. A call requiring
NAT handling will use a port in the 16384 and up range in addition to a port above 35000
from where the media stream is forwarded to the appropriate PIN hole. The media stream
from the FMC Server towards the internal SBC component, the internal loopback interface
is used, so externally only the stream from port 35000+ can be seen. Note that the highest
port used depends on the number of simulatenously open connections. Note that a call can
have up to 6 different legs in a callthrough scenario. In the SIP signalling towards the PBX,
the ports 12000 and up are being used. Every configured registration will use its own port.
This usage of different ports is necessary because some PBX have problems if multiple
distinct registrations are coming from the same port and IP address. The media handling
port range towards the PBX is also 16384 - 22384. The port used for callthrough is also
5060.
! When using a client from behind a NAT firewall, it must be registered with port 5062
(or 5061 with TLS) which is where the Session Border Controller component is currently
running. Trying to register with port 5060 will fail because no NAT handling is performed
there. When using TLS, NAT detection is always performed automatically.
This enables you to statically specify the next hop for all SIP messages towards the PBX. This
is often used for placing SIP Proxies or Session Border Controllers on the network edge for
protecting the Convergence and / or the PBX. This option will not really change the message
routing of the messages except for adding this static routing entry. When configured, the
Convergence will add a static route header to accomodate this statically defined next hop.
Other than that everything will remain the same as without an outbound proxy. If you want
more information about outbound proxies, please refer to RFC 3261.
Address
SRV name, hostname, or IP address of the outbound SIP Proxy (DNS SRV excluding the SRV
prefix). Please make sure the DNS settings in the Convergence are correct in case you are
using hostnames here.
Port
The port number will be ignored in the case you have specified a DNS SRV name. Otherwise,
the SIP messages will be sent out to the port specified here.
2005-2008
c Comdasys AG 158
4.3 Global Settings
i This setting will usually be used in conjunction with a large network where the Con-
vergence is for example placed into a branch office that is only connected to the PBX
through a WAN link. In those cases you will often find some device offering survivability
services in the branch office. In order to be able to use this service, all SIP messages have
to be routed through this device. In those cases simply specify the survivable proxy device
as an outbound proxy here.
Configure the phone number for invoking the callback functionality here. It must have the same
format as the number arriving from the PBX when a callback is invoked. The callback feature
tries to revert the direction of a call. This is usually done to make use of the cheaper rates
when making a call from fixed line to the mobile phone as compared to the other direction.
The following section explains the basic functionality of the callback feature:
• User dials a certain number in GSM mode (simply enters the number into the FMC client
and presses callback)
• The FMC client will initiate a call to the configured callback number
• The Convergence will reject this call and initate a call to back to the Client. Now the
direction of the call is reversed.
• The FMC client will pick up the incoming call and dial the actual number via DTMF (the
Convergence will play back ringtones etc.)
• The call is connected if the other party picks up
For security reasons, this feature will work only from GSM numbers known to the Conver-
gence . This means that only configured users will be able to utilize the callback functional-
ity.
i Callback is usually utilized in scenarios where the user is travelling abroad having
bought a national SIM card (e.g. prepaid card). This is registered into the system. When
making a callthrough call you would then however need to pay international call rates be-
cause the callthrough number is in the home country. In order to avoid that, simply invoke
a callback, and the incoming call will be free (or just airtime) on the phone.
i The client needs to support the callback functionality in order to be able to comfort-
ably use it. If the client does not support it, it can still be used manually by calling the
callback number, waiting for the incoming call and then dial the desired number.
2005-2008
c Comdasys AG 159
4.3 Global Settings
IMS stands for IP Multimedia Subsystem and is a technology mostly driven by mobile oper-
ators to provide an operator centric approach to Fixed Mobile Convergence. This standard
defines a handover mechanism that is implemented by all compatible handsets. The Conver-
gence also supports this way of performing handovers. Contrary to the standard approach,
this mechanism works by having the client initiate the second call. This makes it much less
suitable for Enterprise use, because some of the control over the billing is lost. The IMS VCC
handover will work with all VCC compliant handsets and clients.
Whenever performing a handover between GSM and WLAN or vice versa, the client will hence
attempt to initiate a call to a preconfigured number. In the case of the WLAN to GSM handover,
a GSM call will be made to some fixed line phone number that needs to be configured here.
The treatment of this number should be similar to the callthrough number.
Beyond being a dual mode solution, the Convergence will help you to facilitate your mobile
telephony experience. In order to lower roaming cost and to accommodate the communication
needs, many people own more than one SIM card and hence have more than one number.
These multiple SIM cards can be administered using the Convergence and activated from
anywhere thus always correctly forwarding the calls to the currently used number.
In order to support this feature, it is possible to configure multiple GSM numbers for each user
account (see ??. When we talk about multiple numbers, we speak about at least two and
potentially up to ten, although 5 should be some sort of practical limit. Switching between
those different SIM cards has to be possible without any data connection because it cannot
be guaranteed to be available when needing to do the switch. Therefore activating a different
SIM card should be possible simply by making a call to a special number.
The provisioning of this special number is done here by the administrator. By calling this
number with a provisioned SIM card will identify the calling user and activate the SIM card he
utilized. This implies that the authentication of the user is based on Caller ID. If this is a known
2005-2008
c Comdasys AG 160
4.3 Global Settings
user, the SIM card that he is currently calling with is assumed to be the active number. The
server will reject in order to signal the user that the switching was successful.
The RTP Options are used to set system wide behavior of RTP media streams such as time-
outs and sending of RTP keepalive packets.
This field is now used for DiffServ and ECN. The original intention was for a sending host to
specify a preference for how the datagram would be handled as it made its way through an
internetwork. For instance, one host could set its IPv4 datagrams’ TOS field value to prefer
low delay, while another might prefer high reliability.
These bits have been redefined, most recently through DiffServ working group in the IETF
and the Explicit Congestion Notification codepoints (see RFC 3168). In order to set the field,
use a decimal number between 0 and 255. The value will be taken as 8 bits with the bitmask’s
meaning being explained above.
! Note that if you want to use FMC services across the WAN port, you will need to
use the separate 5062 (default setting) port for UDP messages. For TLS, you can use
the standard 5061 port. On port 5062 (deault setting), NAT handling has been enabled in
contrast to the standard B2BUA mode. If your messages arrive on the WAN interface, the
firewall will block those by default. It is however relatively easy to enable SIP and RTP traffic
on the WAN interface. Please refer to the ?? section for more information about this topic.
i Note that this setting applies only to WAN interface traffic. To perform generic DSCP
and TOS tagging, you have to define rules in the /etc/sysconfig/firewall.custom file
2005-2008
c Comdasys AG 161
4.4 Number Profiles
The TOS and DSCP values must of course be changed to the desired ones. To accomplish
the same for the signalling, use the following lines:
iptables -I OUTPUT -t mangle -m layer7 --l7proto sip \
-j DSCP --set-dscp 35
iptables -I OUTPUT -t mangle -m layer7 --l7proto sip \
-j TOS --set-tos 17
i Note that there are some other predefined timeouts hardcoded to the B2BUA. As just
mentioned, the Convergence will drop any call after not having received RTP media for 30
seconds. This is called the RTP timeout and is used for hanging up dead calls. Note that
this timeout does not come into effect when having a call on Hold. If that is the case, there
is a timeout of 300 seconds. Meaning that after a call was on Hold for 300 seconds, it is
simply hung up because it is assumed that the party was forgotten or lost (e.g. when the
FMC user who put the other party on hold dropped out of the call).
Every PBX is associated with a unique Number Profile. This profile defines how outgoing
numbers will be formatted towards the PBX. With some options, also the incoming numbers
2005-2008
c Comdasys AG 162
4.4 Number Profiles
from the PBX are modified to provide the correct Caller ID display on the client. The goal is
to always have dialable numbers especially after receiving a call. The number in the Call Log
is then assumed to be in the E164 format so that it can be dialed both via WLAN as well as
over the cellular network. However this cannot be assumed from a number coming from a
PBX. With some PBXs sepcial number formatting would need to be done. With others it is not
even possible to format the numbers approrpiately. This is when the Convergence needs to
take over this job. Note that it is possible to define additional mappings through the Number
Patterns page. The parameters set here in the number profile will be used by the number
converter for formatting outbound requests.
The FMC number converter performs its operations in 3 stages:
1. Source pattern to target pattern mappings defined by explicit rules (see ?? for more
information about this)
2. Considering numbers as internal depending on their length
3. Automatic conversions based on the Number Profile settings performed here
When a match is found in a specific stage, all following stages are skipped. The exception to
this rule are the ??. There the Treat As field determines if further processing is done or not.
Select the Number Profiles menu entry, and you will see the following mask (the content as
always will vary depending on your configuration):
! Note that by default there is no number profile configured. You however need to
configure at least one to proceed. This step is crucial since it determines how numbers
are sent to your PBX. If you make mistakes here, it will lead to no connections or wrong
connections at a later point in time.
i The fields Country Code, Country Prefix, Area Code, Area Prefix have to be set if you
want to have the Convergence operate correctly. Note that numbers on the cell phone are
typically dialed in E164 format and therefore need to be reformatted by the Convergence .
You can add arbitrarily many number profiles. Each number profile must be associated with
a PBX. You can also define multiple SIP Host referencing the same PBX but using different
Number Profiles. This will however be considered later. First we want to define a general
Number Profile.
• Name
This is a name identifying the number profile in the other masks. You will need to use
this name whenever you are referencing the number profile defined here.
2005-2008
c Comdasys AG 163
4.4 Number Profiles
• Country Code The country code is the international prefix number of the country the
host is located in. This paramter is used in conjunction with the City Code to correctly
compose numbers for outgoing calls.
You have to specify it with leading zeroes instead of the plus sign, e.g. 0049 instead of
+49. The + sign will be handled automatically on the client side already, or on the GSM
side if we are dealing with a callthrough case.
Note that this setting only applies to numbers dialed from your mobile device. Whenever
you dial a number that starts with your own country code, the Convergence will strip
away this country code before extending the call to the PBX.
• Country Prefix Prefix to denote that a country code will follow, e.g. 00. This is required
for properly converting E164 numbers. As briefly mentioned before it will be 00 for most
countries, but in the US it is for example 011.
• Area Code The Area Code is used in conjunction with the Country Code to correctly
compose the numbers for outgoing calls. Note that this only applies to numbers dialed
from the mobile device. Whenever you dial a number that starts with our own city code
(relative to where the Convergence is positioned), the Convergence would strip away
its own Area Code before sending to the PBX. Note that the area code also has to be
specified without any leading zeroes.
2005-2008
c Comdasys AG 164
4.4 Number Profiles
• Area Prefix Enter the number you have to dial on your phone before making a long
distance call. In the US this is a 1, in most European countries a 0.
• Outgoing Prefix With this parameter you can specify the prefix required for getting an
outside line with your PBX. In most cases this will simply be a single digit. Note that this
digit will not be prefixed if the Convergence identifies a call as an internal call.
• Fixed Prefix A fixed prefix can be added to all numbers sent to the PBX. This can be
used for a variety of reasons where you want to know in the PBX that this is actually an
FMC call. This could e.g. be used for doing a special treatment in the billing or a least
cost routing implementation.
• Internal Length Numbers that do not exceed this length will always be considered as
internal numbers. This setting is authoritative for Stage 2. Sometimes there is no real
pattern to internal numbers. Mostly however, internal numbers have a maximum length.
Since there are few real numbers with three digits. To disable this you should set this to
0.
• Remove Prefix
This prefix will be matched against any calls coming from the PBX. If a SIP From header
contains a number with this prefix, the prefix will be removed from this number. This will
however only be done if the call is forwarded directly to the WLAN side of the user. When
forwarding to GSM, the modification is usually not done because the PBX will also do
some number processing. If you want to have the number modification also done if the
call is forwarded to the GSM side, the ?? box must be checked also.
• Use Remove Prefix for GSM
This option activates the removing of the prefix in a SIP From header for a case where
the call is forwarded to the GSM side of the Called User. See ?? for a more in depth
description of this.
As briefly mentioned above, these parameters will be used to do a conversion in three steps.
The first step is an explicit specification as described in ??. If nothing matches, an automatic
conversion in two steps is done
2005-2008
c Comdasys AG 165
4.4 Number Profiles
2. The number is checked to see whether it starts with the country prefix followed by the
country code and area code, as specified if so, the number is flagged as outgoing and
the country prefix together with the country code and the are code are removed.
3. If the previous does not apply the number is examined whether it starts with the country
prefix followed by the country code (without area code) if so, the number is flagged as
outgoing and the country prefix together with the country code are replaced by the area
prefix.
4. If the previous does not apply, the number is checked to see whether it begins with the
area prefix and the area code as configured if so, the number is flagged as outgoing
and area prefix together with area code are removed.
5. If the previous does not apply, the number is checked to see whether it begins with a 0
if so, it is flagged as outgoing.
6. All numbers that are flagged as outgoing are prepended by the dialout prefix as speci-
fied.
7. The fixed prefix (if configured) is prepended to all numbers.
! Note that there must be a valid number profile before you can define a SIP Host.
2005-2008
c Comdasys AG 166
4.5 Endpoint configuration
In order to be able to configure any users, you must first configure the SIP endpoint you want
the Convergence to work against. The SIP endpoint will be some sort of SIP Server, typically
a PBX. A SIP server can be one of the following:
Each configured host may have a wide variety of different configuration settings. The most im-
portant ones are the network addresses, authentication options, as well as some SIP settings.
You will have to assign a Number Profile to each enpoint.
! At least one SIP Endpoint has ot be configured before you will be able to do any
further configuration.
2005-2008
c Comdasys AG 167
4.5 Endpoint configuration
Common name
The common name of a SIP host uniquely identifies it. This name will be used throughout all
further configuration. It may be the hostname or DNS name of the configured host, but it does
not have to be. It is used for internal purposes only and should be descriptive because it is
used in other configuration pages.
Hostname/IP Address
This setting enables you to specify the address for a SIP host either as its IP address or as
a fully qualified domain name (FQDN). If you are going to use the FQDN you need to make
sure that the Convergence is able to resolve the configured FQDN correctly.
Port
In some configurations it is necessary to specify the port on which your desired host listens
for incoming SIP connections. The default is to connect to port 5060, the standard SIP port.
If that is okay for your use, you can simply leave this field blank. This should work for most
configurations.
The most frequent reason for using a non-standard port are security considerations to use
a non standard ports for making an attack more difficult. This approach can make denial of
service or other attacks more difficult by obscuring that the Convergence is actually a SIP
aware device. A lot of the scanning bots used for trying to determine vulnerable systems on
the Internet only check for these standard ports. Note however that by obscuring the port
cannot and must not replace real security mechanisms such as digest auhthentication.
Realm
The realm parameter specifies the authentication realm used when connecting and authen-
ticating to the SIP endpoint / host. If the host is behaving completely compliant to the SIP
specifications, it should reject any attempt to register with the wrong realm. All devices con-
nected to the Convergence must hence belong to the same authentication realm to work
together. Although the n otion of a realm is cleanly specified in RFC2543, many UAs fail to
implement it. These then simply ignore the parameter. Therefore, the likelihood is very high
that registrations will work even without setting this parameter.
Preserve Caller ID
This setting applies to incoming calls that are extended to the cellular side of the dual mode
device. If disabled, a special header field is added to preserve the Caller ID of the orignially
received call, while enabling the call to be correctly billed to the called FMC user. Some
PBXs however do not support this special header which is why the From: header needs to
be overwritten. This however will most likely break the billing of the used PBX. Below, both
options are explained in more detail. When in doubt, simply leave disabled.
2005-2008
c Comdasys AG 168
4.5 Endpoint configuration
• Disabled The Convergence will add the SIP P-Asserted-Identity Header to message
setting up the cellular call leg towards the dual mode device which contains the Caller
ID of the original call. In order to ensure the correct billing of the call, the From Header
will show the Enterprise number of the called dual mode user. The same holds true for
the Contact: Header. Most PBXs should be able to setup the call with this SIP message.
The important part however is that the original Caller ID is correctly passed on to the
voice gateway. Some PBX also interpret the P-Asserted-ID header and put it into the
From: header towards the gateway. Others simply pass it through to the voice gateway
and rely on that to do the call properties translation to the Caller ID. This is the default
behavior.
• Enabled If enabled the Convergence will simply replace the From: header with the origi-
nal Caller ID. This will almost certainly break billing and make some PBXs reject the call
(because it is not coming from any known user). For others not supporting any special
headers however, this might in fact be the only way to get the Caller ID information right.
The result of the above can be one of two things. Either the user sees the correct Caller
ID of the original caller, or he sees the his own office number / the enterprise trunk number.
The first alternative is of course the preferable one, however not possible in all combinations,
especially if the correct billing is required.
! Even if all of the above is properly supported by the PBX and the Caller ID gets
sent out correctly it might still not arrive on the other side. Most carriers will screen the sent
Caller ID information and restrict the number range to that of the Trunk connection. All other
numbers will usually be replaced by the head number of the Trunk the PBX is connected
to. In order to enable all Caller ID information to come through, you must have the No
Screening feature enabled on your PSTN trunk.
Available Codec
Please select the preferred codec towards the PBX. This codec setting will become effective
whenever a call is terminated on your PBX, or on an IP phone / Gateway connected via your
PBX. The codec set here will always represent the first codec offered in the signalling between
the Convergence and the PBX.
2005-2008
c Comdasys AG 169
4.5 Endpoint configuration
i The Convergence supports both the G.711 alaw and ulaw codecs towards the PBX.
Both codecs are always offered, so the PBX is completely free to determine the used codec
by selecting its preference. The use of compressed codecs is not possible and not recom-
mended on this side of the Convergence . Typically compressed codecs are used on the
mobile device, and transcoding to a different compressed codec would seriously degrade
the quality. On the mobile device side, using a compressed codec such as ILBC or GSM
is even recommended because it is less straining for the WIFI network. On the other hand,
especially ILBC is very resilient in bad network condition and could even lead to better voice
quality under certain conditions. When using the FMC client across a WAN connection, the
use of a compressed codec is highly recommended.
! Note that at least one Number Profile needs to be selected for an endpoint. It is
not possible to configure an endpoint without a number profile. Before forwarding a call
to the PBX, the Convergence will enforce the configured number profile against the dialed
number. This is one of the key concepts in FMC. While the cell phone now is an enterprise
phone, numbers are assumed to be dialed in E164 or abbreviated E164 format. This is
done to provide a uniform behavior between plain cellular mode and enterprise mode. It
would be very inconvenient if the stored contact only worked in one of the two modes. The
Convergence will do the number formatting, so that the SIP endpoint will only get proper
enterprise numbers.
Local Interface
Specify the interface to be used for sending / receiving the SIP messages. It will be the IP
address of the configured interface that the PBX will see in all messages. It has to be able
to return messages to this IP, so all routing and security settings on involved firewalls need
to be set appropriately. Different SIP endpoints can be configured to use separate network
interfaces. This enables a clean network separation as is sometimes required for security
purposes.
2005-2008
c Comdasys AG 170
4.6 Callthrough Numbers
The dial-in (also called callthrough or trampolin number) routes cellular calls through the en-
terprise PBX to keep all supplementary services working. In addition to that, this enables a
true single number service, where the callee will always see the enterprise number. When you
are in the cellular and dial a number, this callthrough number will be dialed by the FMC client
followed by the number of your desired target. The sequence of events is that the mobile user
first sets up a call to the Convergence , and it will then forward the call to the right destination
through the PBX. This usually works without first picking up the call (one-step-dialing).
Sometimes however, this might not work without answering the call because PSTN providers
will cut the resulting phone number after a fixed amount of digits. Numbers up to 18 digits are
supported by most providers. These 18 digits must suffice for both the Callthrough number,
as well as the dialed number.
In that case, your client will make use DTMF dialing (check the client documentation for more
information on that). In that configuration, the Convergence will accept the call and then
listen for a DTMF sequence. The client will signal the callee number via DTMF which will
subsequently be translated to SIP and dialed through the PBX (two-step dialing).
2005-2008
c Comdasys AG 171
4.6 Callthrough Numbers
! The dial-in number must be specified exactly as the Convergence receives the call
from the media gateway or the PBX. This means that the number should not contain any
prefixes that are stripped by the PBX. If the callthrough number is not working, please check
in a trace that the SIP INVITE message sent by the PBX or media gateway contains exactly
the number specified here.
! The dial-in number is only usable for configured users. This is essential for security
purposes. In order to authenticate the users, the Calling Party number field is used. In most
countries, the accuracy of this number is guaranteed by law and accordingly enforced by
the carriers.
It is possible to specify multiple callthrough numbers here. The assumption is a large organi-
zation with PSTN break-in / break-out in several countries and or locations. In those cases it
is advisable to always use the nearest dial-in number. If you are travelling abroad for exam-
ple, it is most of the times cheaper to use a dial-in number at your current location rather than
always calling home.
2005-2008
c Comdasys AG 172
4.6 Callthrough Numbers
• Port: Describes the port of the SIP host the callthrough number should be registered
against.
• Registration Password: In this case the configured number will be used as Request URI
and username for registering with the PBX. This field is for configuring the password
used for digest authentication.
i In case the callthrough number does not work you should check that the number is
configured without any prefixes / suffixes. In order to check you can make a trace of the call
coming in across your PBX. Check the Request URI and the To to exactly match the above
specified number. If the call is rejected, the user cannot be authenticated. This could also
have to do with the Caller ID. The Convergencewill check up to 10 digits. If less digits are
coming in across the gateway, these need to exactly match the configured number. This is
necessary for security purposes, because otherwise the number cannot be guaranteed to
be unique. If you have a number with less digits, the prefix in the Caller ID of the incoming
call also has to match the configured number
2005-2008
c Comdasys AG 173
4.7 Registrations
4.7 Registrations
2005-2008
c Comdasys AG 174
4.7 Registrations
i At least one SIP Endpoint has to be configured because each Registration has to be
made against a SIP Endpoint. Please refer to ?? for more information on this.
PBX Number
The number of the dualmode handset as registered on the PBX. Note that this number must
also be set on the PBX. The Convergence will use this number to register with the PBX.
Somtimes this parameter is referred to as SIP URI in PBXs.
PBX Username
The username used to register and authenticate on the PBX. Together with the password
defined below, this information will be used if there is a digest challenge from the PBX. The
Convergence supports the auhthentication both for the REGISTER as well as for other SIP
requests where the Convergence is challenged.
! The username should be indentical to the PBX Number because anything else might
be unsupported by certain PBXs.
PBX Password
The password used to authenticate on the PBX. This field may be left blank if no authentication
is required on your PBX. If you want to be using full authentication, you should also use a safe
password here, as specified in the ?? section.
SIP Host
Select the host you want to register this account to. Please refer to the ?? page for more
information on configuring different SIP Hosts / Endpoints.
i Note that a Registration will only become active once a User Account has been
associated with it.
2005-2008
c Comdasys AG 175
4.8 User Accounts
Each of the SIP user accounts represents an FMC subscriber. As described above, the User
Account is solely responsible for handling the communication towards the FMC client. In order
to associate a User Account with the PBX, a Registration has to be assigned to each User
Account. The following should provide an overview of the necessary details that need to be
configured for each user account.
2005-2008
c Comdasys AG 176
4.8 User Accounts
SIP Number
The SIP number is the number the client uses to register with the Convergence . It must
be different from the PBX number, although it can just be different by prefixing something to
the PBX number or e.g. by omitting the country code. This differentation is enforced by the
GUI and is necessary to enforce a very strict separation between the PBX and the FMC client
side. You should also note, that this number has to be unique across all users configured in the
Convergence. The FMC client will use this number for registering against the Convergence.
! The SIP Number has to be unique in two ways. Firstly this number must not be
assigned twice for two different users. Secondly, this number must be different from the
Registration number used with the Server. If you do not follow this rule, you might see
strange effects on the server side that have to do with the nature how incoming SIP mes-
sages are mapped. If you ever see the SIP error message 488, please check all the utilized
numbers for uniqueness. The GUI will enforce this uniqueness as far as it can. Dupli-
cates however can still be introduced e.g. via database batch import, or by accessing the
database directly.
i The SIP number is also used for authentication of the client. Contrary to the Reg-
istration side, this setting is used for both identification and digest authentication. That
means that this number has to be configured into the Client both as a URI as well as for
authentication purposes.
GSM Number
It is possible to assign multiple GSM numbers to a user. This table will always reflect the
currently active number for the user in question. You can select a number form a drop-down
box here. You can also leave this field blank. Doing so will result in the user being unable to
use the system in cellular mode. If a GSM number for a user is configured after the user has
been created with a blank number, the newly configured number will automatically become
active. See ?? for more information on the configuration of a GSM number.
i Whenever the client Registers with the Convergence, you will see a SIP 401 response
challeging the client. This will prompt the FMC client to resend the original request with the
correct digest information. If this is again rejected, there is probably a password mismatch.
That is the most obvious reason that you should check
2005-2008
c Comdasys AG 177
4.8 User Accounts
Registrations
Every FMC user must be associated with a user on the PBX. This will determine how the
dual mode user is reachable, under what phone number, the call groups he is part of, etc.
The Convergence must be given the information it needs to register this user with the PBX.
This information is entered in the ?? section. Here you only associate an FMC user with the
account on the PBX.
! Every users must be associated with a registration. If you do not select a registration
here, the creation of the user will fail.
i Whenever you check the Registrations, those will only become active once a User
Account has been associated with them. This means if you have configured Registrations
that have no User Account associated with them, you will not see them register with the
PBX until this is the case.
Enable User
This item has to be checked for a user to be able to use his account. If not checked, the
user is essentially disabled. The user will not be able to register, not be able to make calls. If
disabled, the number of this user will also not be available in cellular operation.
Use DMC
DMC stands for Direct Media Connect. This is a mechanism for letting payload pass directly
between two IP communication endpoints. In the FMC case this would typically be the FMC
client in WLAN mode communicating with an IP phone connected through a PBX. DMC be-
comes active after a call is established. The media is then renegotiated to let the two parties
communicate directly. This is done using SIP ReINVITE requests mechanisms. As soon as
features are involved, or a handover occurs, the direct media connection is cancelled and
2005-2008
c Comdasys AG 178
4.8 User Accounts
media passes across the Convergence again. This means that during a dialog, the media
connection can change multiple times between direct and indirect media connection. DMC is
activated on a per user basis and is turned off by default.
! DMC will only be attempted in WLAN mode. DMC will also only be attempted if the
user registers locally and is not behind a NAT firewall. In those cases the Convergence
needs to stay in the media stream because those devices could not establish a direct path
of communication.
! DMC will only work correctly if the proper codecs are set. The FMC client needs to
utilize a codec that is also supported by the endpoints directly connected to the PBX. ILBC
is typically not supported by gateways or IP phones.
Former version compatibility
NAT Handling
You do not need to enable anything special for NAT handling. All you need to do to enable
NAT handling is use the target port 5062 on the client. Using this is only recommended if you
actually want to use the handset behind a NAT. If port 5062 is used, and the Convergence
detects that the device is not behind a NAT, it will act normally as if port 5060 was used.
However this detection will take extra effort and is thus unnecessary. If the NAT handling port
is used, the Convergence will use the origin information of all SIP messages and all RTP
traffic from the client to determine where to respond to. This will enable NAT traversal without
any special features on the client (such as STUN).
i Note that all user changes will take effect immediately after saving without press-
ing Apply Configuration. Note also that this behavior has changed compared to previous
version.
2005-2008
c Comdasys AG 179
4.8 User Accounts
! When deleting a user, this deletion will cascaded to all data associated with this user.
That would be Call Forwardings, GSM Numbers, as well as Registrations. Please make
sure that this is what you want before confirming the deletion.
2005-2008
c Comdasys AG 180
4.9 Number Conversions
GSM Number
In order to provide a true FMC solution, the FMC client also needs to be integrated when in
the cell phone network. The connection to the FMC client in those cases is the GSM number.
The GSM number of the handset is use for static roaming, mid-call handovers as well as
callthrough calls.
You must specify the number exactly as you have to dial it on the PBX for creating an outbound
call. If you need a leading zero there for makinga PSTN call, you also have to specify it here.
• SIP User: You need to select a user to create the GSM number for. You can of course
create multiple GSM numbers per user. Those numbers can be activated in the User
Account settings or by calling the configured GSM switching number to activate the
currently used SIM card / GSM number. You can also refer to ?? for more information.
• GSM Number: This is the GSM number of the handset. As mentioned above, this
number is utilized without doing any mappings for static roaming calls and must be
configured exactly as they need to be dialed with the configured SIP Endpoint.
i The first number created for a user is automatically set as the active number for the
specified user.
! Each GSM number needs to be unique in the entire list of configured numbers. The
reasons lies in the necessity of the Convergence to uniquely map an incoming GSM call to
a user. This would not be possible if the number was configured more than once.
! If the GSM number has 10 digits or less, it must exactly match the Caller ID in
callthrough scenarios. The Convergencewill check at least 10 digits to make sure that a
number does not accidentally match.
The Number Pattern page can be opened by pressing the menu option in the navigation
page.
The mask allows you to define source and target patterns, activate/disable, delete, edit, move
(up/down) a rule and add new ones. The rules are processed from the first to the last. The first
match will be used to apply the appropriate mapping. All in all, the Number Patterns defined
here have priority over the automatic conversions defined in the Number Profiles section.
Both however can work side by side, if the Treat As parameter is set to something other than
Internal Call because the standard number mapping will also be done then.
2005-2008
c Comdasys AG 181
4.9 Number Conversions
2005-2008
c Comdasys AG 182
4.9 Number Conversions
Source to target pattern mappings are defined by explicit rules. Incoming Numbers (the num-
bers will be calls coming from the client) that match a source pattern are reformatted as
defined by the target pattern. The source pattern can be any Perl Compatible Regular Ex-
pression (PCRE). Every expression entered will be checked for validity but not for semantically
making sense, so beware! The same holds true for the targert pattern. The target pattern can
only consist of the digits (0-9) and dollarsigns ($). Whenever a piece of a source pattern is
enclosed in brackets, it will be considered as captured subpattern that could be inserted in
the target pattern by using a $ followed by the number of the bracketed pair. Up to 9 captured
substrings can be used. For example, assuming that a leading 0 is used to dial out, then any
of the following definitions shall map the incoming number 911 to the outgoing number 0911,
making it possible to call 911 directly from an internal phone:
Let us consider these examples:
! Note that this 911 should only be understood as an example. Emergency num-
bers (depending on country) will automatically handled by the client and will be forwarded
through the GSM network.
! You should be very careful with this function because wrong rules can destroy the
called party numbers thus rendering the whole solution useless. It can also lead to miscon-
nection due to wrong number mappings.
The rule in the middle starts the target pattern with a literal 0, copies the content of the first
and second bracket pair (1and2) and appends a literal 1. Most likely you would use the last
rule since the source pattern is constant and this rule definition has the best readability. In
cases where an incoming number matches several source patterns, the first matching pattern
wins, i.e. as soon as a match is found, no further matching is tried. Copying parts of a
source pattern becomes useful when the source pattern contains wildcard characters. E.g.
assuming you want all numbers that begin with 0005 or 0006 to be mapped to 55505 or
55506, respectively, followed by the rest of the number, you could define:
The first bracket pair matches one of the ciphers 5 or 6 and captures the cipher as $1. The
dot within the second brace pair (captured as $2) matches any single character while the
following plus sign specifies to repeat the last pattern one or more times. Please note that
2005-2008
c Comdasys AG 183
4.9 Number Conversions
a plus is a special character so if you want to match a literal + in a source pattern you must
write it as \+. Also note that you cannot use a literal plus sign in the target pattern.
Please see http://www.pcre.org for more information about Perl Compatible Regular
Expressions. If a number matches any of the rules, Stage 2 and Stage 3 are skipped. Hence
the automatic mapping as defined in the Number Profiles pages will not apply!!
Priority
The priority in the number patterns determines the order in which these will be matched. The
number can be 0 or higher with 0 being the highest possible priority.
Source Pattern
Enter the source pattern in the above described format. Note that you can leave this field
empty, but then your rule would never match.
Target Pattern
The match source pattern will be mapped to this. Please use the above described format to
write the patterns. This field must not remain empty.
Treat As
• Internal Call
If this option is selected no further number tanslation will be done.
• Local Area Call
If the call is to be treated as a local area call, depending on the settings in the number
profile, the country code and area code will be removed and any appliable prefixes
made. The converted number will be treated like one the user has dialed and that runs
through the number profile.
• National Call
If the call is to be treated as a national call, depending on the settings in the number pro-
file, the country code will be removed and any appliable prefixes made. The converted
number will be treated like one the user has dialed and that runs through the number
profile.
2005-2008
c Comdasys AG 184
4.10 Client based call forwarding
• International Call
If the call is to be treated as an international call, depending on the settings in the
number profile, any appliable prefixes will be made. The converted number will be
treated like one the user has dialed and that runs through the number profile.
Rule Active
This enables you to activate and deactivate rules. It is useful both for debugging purposes as
well as for temorarily deactivating certain rules. Any defined rule will only be applied if this
option is checked.
This page allows to configure and activate client specific call forwardings. This can also be
done from the FMC client. The see FMC clientmanual for more information on this. The call
forwarding behavior of the Convergence mimics the call forwarding functionality of a standard
SIP client. This means that the server does not have to implement any special features to
support this, except for supporting SIP redirection with the 302 session redirection response.
There are three different ways to do the call forwarding, Always, On Busy, On Unavailable. All
three can be configured and activated separately.
The call forwarding will become active anytime the Convergence receives a call from the PBX.
The reaction will depend on the type of forwarding set. Each type can be configured with a
separate number. Each type can also be activated separately. If multiple forwardings are
activated you have to pay attention to the precendence.
Call forwarding types:
• Always - This will configure the number used for an unconditional immediate forwarding.
The target can be specified here. In order to activate this you can check the checkbox
next to the field for entering the number. The change will take effect immediately.
• Busy - This will configure a call forwarding if the extension and hence the FMC client
is busy. The target can be specified here. In order to activate this you can check
the checkbox next to the field for entering the number. The change will take effect
immediately.
• Unavailable - The call will be forwarded if the called FMC client does not answer for a
period of 60 seconds. The target can be specified here. In order to activate this you can
check the checkbox next to the field for entering the number. The change will take effect
immediately.
2005-2008
c Comdasys AG 185
4.10 Client based call forwarding
2005-2008
c Comdasys AG 186
4.11 PBX Access Codes
i The call forwarding can be activated both via WLAN as well as GSM. In GSM mode,
the callthrough number needs to be configured in the client because the activation is done
through it.
! You need to specify the call forwarding number exactly as you need to dial it on the
PBX. That means if the PBX for example expects a leading zero, you need to specify it
here.
This page allows the configuration of rewrite rules for access codes sent by the FMC client
towards the PBX. Access codes are used by the PBX to implement platform specific features
as for example Group Pickup. These Access Codes however are configurable in the PBX. The
FMC client supports hiding such access code features behind an easily selectable menu. Now
if the Access Code e.g. for Pickup changes on the PBX, you would hence need to change
the stored code on each client. To avoid this, you can simply define a mapping here in the
Convergence. It will then take the access code sent by the client and translate it to the correct
one towards the SIP Endpoint, namely the PBX.
The following example should give a better insight into what is actually happening. If the FMC
user has a predefined setting for a DTMF invoked feature say ∗8 on his FMC client, but the
customer’s PBX expects #9, you can simply specify this mapping here.
• Endpoint: This will allow the selection of an endpoint to use. This means that the defined
mapping will be applied for all users registered here.
• Name: You can configure a descriptive name for the feature. This parameter has purely
informational value
• FMC Feature Code: Configure the feature code to search for in every call. This se-
quence will be replaced by the respective PBX Faeture Code. This should only contain
symbols that can be dialed from a standard phone, namely digits, ∗and #
2005-2008
c Comdasys AG 187
4.12 Supported PBX Features
• PBX Feature Code: The code to replace the matched FMC Feature Code with. This
should only contain symbols that can be dialed from a standard phone, namely digits,
∗and #
i This feature is purely optional and is usually only used for special customer
Using this configuration options, it is possible to communicate to clients, which features are
available on the respective SIP endpoints. To avoid a manual configuration of this on the
client, the server will send these supported features. The supported features will be sent
in the response to a registration request via SIP. The client can adapt its display based on
this information to not display unavailable features. This applies to both in-call and out of
call features. In order to achieve this, the PBX supported features must be configured for
every SIP Endpoint. By default, all supported features are enabled, so that you only need to
selectively disable them if not supported by the PBX.
As mentioned above, the selectable features are static. The features all have a uniqe feature
code Fxx where xx is a number. You can enable or disable them on a per SIP Endpoint Basis.
The following features have been defined:
2005-2008
c Comdasys AG 188
4.12 Supported PBX Features
• Conference
• Callback
• Pickup
• Group Call Pickup / Boss Secretary
• Call Forwarding
i It depends on the FMC client and its version which fields are actually interpreted and
which ones are ignored.
2005-2008
c Comdasys AG 189
4.12 Supported PBX Features
• Name: This is a descriptive name for the feature in question. There is no need to
configure this since it has been predefined.
• Code: The Feature code here is predefined and cannot be changed.
• Active: Select this to activate or deactivate the feature. This will prompt the Convergence
to signal support for this feature in the Registration response for all users associated with
this endpoint.
2005-2008
c Comdasys AG 190
4.12 Supported PBX Features
Besides the Predefined PBX Features, it is also possible to assign user defined ones. This
again needs to work in conjunction with the client. The idea behind this is to define a mecha-
nism between Server and Client to signal if certain features should be displayed or not. You
will probably not need this unless you have larger strongly customized deployments. The
following should give an overview over the configuration options.
2005-2008
c Comdasys AG 191
4.12 Supported PBX Features
The following explains the configuration of the fields in detail. As you can see that this closely
resembles the Predefined PBX Features
• Endpoint: You need to select a SIP Endpoint for which these feature settings apply.
Contrary to the predefined features, you need to set this on a per feature basis here.
• Name: This is a descriptive name for the feature in question. You should put a descrip-
tive name of the feature in questions, but the parameter is purely informational.
• Code: The Feature code to send to the FMC client. The same one must be used on the
client. The format has to be Uxx where xx is a number.
• Active: Select this to activate or deactivate the feature. This will prompt the Convergence
to signal support for this feature in the Registration response for all users associated with
this endpoint.
2005-2008
c Comdasys AG 192
4.13 Client Download
The Convergence allows an easy deployment of the FMC client using a installation package
builder. You simply select an FMC user of you system and the Convergence generates a
ready to use installation file for the FMC client. You can either download the FMC client to
your workstation or sent it directy to an email address.
• User: select here the user you want to build the client for
• Interface: select here the interface which should be used to connect to the Convergence.
This is used by the Convergence to preconfigure the right registrar IP address for the
FMC client configuration.
• Port: the portnumber for connecting the Convergence. Please note that the Conver-
gence listens only on port 5062 if you are connecting via the WAN interface.
• MOC Number: The MOC (Mobile Originated Call) number is dialed by the FMC client
if it is operating in GSM mode. The number is virtualy the same as the Call through
Number (See ??). You should configure it in international format e.g. +4989123456789
to allow the FMC client to call this number even it is used in a different country.
• MTC Number: The Mobile terminated prefix is used to identify if an incoming GSM call is
initiated by the Convergence or if it is an external call. The FMC client matches the caller
id of the incoming GSM call with the MTC number. Calls triggerd by the Convergence
(static roaming or handover) use the associated PBX number by default as caller id. You
need to put here the PBX numer of your user in international format. If you are unshure
about this field it is save to leave it blank. Then, no matching will be done on the FMC
client.
• Send Client via Mail: Check this box if you want to mail the FMC client to a specific
e-mail address instead of downloading it.
• To-Address: Specify the recipient of the mail here
• SMTP authentication type: Chose here between the PLAIN and LOGIN authentification
method. For Microsoft Exchange SMTP server you have to use the LOGIN method. You
can also set the authentification type to NONE. In this case no username and password
is used e.g. Sendmail or Postfix servers dont have authentification enabled by default.
• SMTP server: Specify here the smtp server used to deliver the client
• SMTP port: The port for connecting the smtp server. Use the default port 25.
• SMTP username: Specify the username here if you need authentication
• SMTP password: Specify the password for the authentication
2005-2008
c Comdasys AG 193
4.14 Import User List
Setting up a large number of users requires sometimes a lot of handwork. To allow the import
of a large number of users you can create a .csv file (Comma Separated Values) and the
Convergence will setup the accounts for you. All the users will be imported for one specific
endpoint.
Each line of the file configures one user and should have the syntax:
PBX Username; PBX Password; PBX Number; SIP Number; SIP Password; GSM
Number
Optionaly you can configure up to three GSM numbers by using the following syntax:
PBX Username; PBX Password; PBX Number; SIP Number; SIP Password; GSM
Number1; GSM Number2; GSM Number3
You can add comments to the file by inserting a as first character into the file. The import will
be only done if all lines of the .csv file are formatted correctly.
! It is not possible to overwrite or recreate users. If user exits allready the complete
importe will be rejected. Remove the corresponding line from the CSV file and try the import
again.
Finaly this is an example of an csv file:
# myimport.csv
#
# PBX Username; PBX Password; PBX Number; SIP Number; SIP Password; GSM Number1;
#
4000;x4rewrre;4000;14000;mypw0815;017212345678
4001;43eedcff;4001;14001;superman;017212345111;017978912345
4002;xnj43ked;4002;14002;sonne123;017212345123
4003;432dsaxd;4004;14003;foobar99;017212345456
In order to use the XMPP functionalities you have to configure XMPP endpoints and XMPP
users. The concept of XMPP Endpoints and XMPP Users is quite similar to the concept of
SIP Endpoints and SIP User Accounts. The XMPP endpoints are used for Instand Messaging
2005-2008
c Comdasys AG 194
4.15 XMPP Endpoints
and Presence only. You can use here either your own XMPP server or one of the free servers
of the public JABBER network. Look at https://www.xmpp.net/servers to have a list
of public available servers.
2005-2008
c Comdasys AG 195
4.16 XMPP Users
• TLS: This checkbox enables TLS (Transport Layer Security) for the communication with
the XMPP server. You should enable this by default since most of the servers will only
work if TLS is enabled.
Each FMC User can assigned with an XMPP user in order to use instand messaging fea-
tures. Here you create the mapping between the FMC user, the XMPP user and the XMPP
endpoint.
i Before you can use the XMPP users you have to create the XMPP accounts on your
XMPP server first. This is done by administrative tasks on the XMPP server. If you are
using a public XMPP server you can create your XMPP account with an external XMPP
client like Miranda IM (Windows) or Pidgin (Linux).
The following explains the configuration of the fields in detail.
2005-2008
c Comdasys AG 196
4.17 Enterprise FMC Status Page
• FMC User Name: Select the FMC user that should be assigned to this XMPP account.
• XMPP Endpoint Name: Select the XMPP endpoint you want to use for this XMPP ac-
count.
• XMPP User Name: Configure your XMPP username here. If your XMPP login is
test123@jabber.org you must put only the userpart (test123) here.
• Password: configure the password for the XMPP user.
• Activate XMPP User: Check this box to activate the XMPP user. If the account is not
activated the Convergence tries not to connect to the XMPP server and XMPP function-
alities are disabled.
The status page displays the active PBX registrations, the registered users, as well as all
active calls. You can always press Reload to get the most up to date view. The page will not
refresh automatically. The displayed information in detail includes:
• Active EndPoint Registrations: Every registration to the PBX as well as its status are
listed here. All registrations should be in the Status REGED signifying that they are
correctly registered with the SIP endpoint.
• Registered Users: This displays all users that are currently registered via IP. The IP
address and port will give you some indication as to where these users registered from.
Note that if you see the local host’s IP address here, this indicates that the user regis-
tered from behind a NAT network. In order to see the originCommand Line section.
• Call Status: This will show all active calls where the name represents the local user,
and the Connected User field the party the user is connected to. You will not see who
initiated the call in this screen, only that this call is ongoing.
This section provides information of how to connect to the FMC database with external tools
like Microsoft Access or OpenOffice.org Base. With the usage of external tools you wil gain
more power and flexibility in managing large amounts of FMC configuration data and will also
be able to automate common management tasks.
The current FMC convergences are using a PostgreSQL Database for saving all the following
data in the database:
• Global Settings
2005-2008
c Comdasys AG 197
4.18 Using external Tools with the FMC Database
2005-2008
c Comdasys AG 198
4.18 Using external Tools with the FMC Database
• SIP Endpoints
• User Accounts
• Registrations
• Numbering Profiles
• Numbering Patterns
• Call Forwarding
• PBX Access Codes
• PBX Features
The database name of the Database to use is FMC, the default username is pgsql and the
password is 18273645. The default port of the PostgreSQL database is defined as 5432.
The PostgreSQL database is configured to listen only to connections from the loopback
adapter or the LANA and/or LANB network. If you want to make a connection to database
from another network, you will need to use a SSH tunnel to forward a local port to the database
port on the FMC via a SSH connection.
Creating a SSH tunnel with a Linux system for example is quite easy, just open a terminal and
enter the following command: ssh -L9500:HOSTNAME:5432 root@HOSTNAME
Just replace the placeholder HOSTNAME with the IP address or hostname of your FMC.
After establishing the SSH connection you can connect to the FMC database via the local port
9500.
For connecting OpenOffice.org Base to the FMC database we will use the PostgreSQL JDBC
driver, which can be found at http://jdbc.postgresql.org.
After starting OpenOffice.org the database wizard will appear. Select the option Connect to
an existing database and select JDBC from the dropdown box.
Enter the URL for the connection in the following format jdbc:postgresql://hostname:
port/databasename .
When you are using the SSH tunnel method to connect to the database, the URL will look like
the following: jdbc:postgresql://localhost:9500/FMC.
2005-2008
c Comdasys AG 199
4.18 Using external Tools with the FMC Database
If you are connecting directly to the database via your local network the URL might look like
this (in this example the FMC has an internal IP address of 10.100.5.65): jdbc:postgresql:
//10.100.5.65:5432/FMC.
The field JDBC driver class must be set to the class org.postgresql.Driver. To
verify that your PostgreSQL JDBC driver works correctly you can press the button Test
class.
Just press Next and enter pgsql as username for the connection and check the box Password
required. Now you can test the connection to the database via the Button Test Connection.
When prompted for the password just enter 18273645. If all of your settings were correct you
will see an infobox popping up which should tellyou that the connection to the database was
successful.
You can now press the Button Finish and work with the database.
For connecting Microsoft Access with the PostgreSQL database you will first need the Post-
greSQL ODBC driver, which can be found at http://www.postgresql.org. You can just
install the downloaded driver by doubleclicking the downloaded .msi file.
If you don’t connect to the database from your internal network you will need a tool to open
an SSH connection and creating a local forwarded (tunneled) port to the FMC. We recom-
mend the usage of PuTTY which is a free and opensource SSH client for Microsoft Windows
operating systems.
For a detailed description of how to setup your PuTTY client with forwarding of local ports see
the PuTTY user documentation which can be found at http://the.earth.li/∼sgtatham/
putty/0.60/htmldoc/Chapter3.html#using-port-forwarding.
After setting up the database connection either via local network or SSH tunnel you will need
to create an ODBC datasource which can be used from inside Microsoft Access later on.
See the Screenshot below how to configure a ODBC Datasource where you use the local port
9500 to access the database via a SSH tunnel.
Now you can start Microsoft Access and create a new database file. After that you can
create links to the FMC Tables via File -> External Data -> Link Tables. A Dialog
appears in which you need to select as file type ODBC and then select the previously created
ODBC datasource. In the next dialog you can select which tables from the FMC database you
want to have linked with your Microsoft Access Database. You are now able to access the
FMC database tables from inside Microsoft Access and all changes you make to the data in
the tables are present on then FMC.
2005-2008
c Comdasys AG 200
4.18 Using external Tools with the FMC Database
The table sip user contains all user account settings foreign key which points to the corre-
sponding outgoing registration.
i The Username field can be entered into the database, but is currently not used. It is
only there for future use. The field must not be NULL and should therefore just be an empty
string.
The table sip reg contains the configuration of all outbound registrations and a foreign key
that points to the corresponding endpoint of the registration.
i The Realm field can be entered into the database, but is currently not used. It is only
there for future use and may be NULL at present.
2005-2008
c Comdasys AG 201
4.19 Synchronize database
The table sip endpoint contains all configuration data of the endpoints. A foreign key points
to the converter profile which should be applied when making outgoing calls.
4.18.1.4 settings
The table settings contains all global settings and contains only a key and value column.
4.18.1.5 nc profiles
The table nc profiles contains all configured number converter profiles which can be used
from the endpoint configuration.
4.18.1.6 nc patterns
The table nc patterns contains the configured call routing patterns which should be applied to
all outgoing calls.
i There are also additional tables present such as Codecs. These are for internal use
and should not be altered.
The synchronization of the user data between two Convergenceis ordinarily used in a redun-
dancy configuration. In such a configuration, we would have two appliances, one serving as
a master, the other serving as a slave. This slave will obtain its configuration from the master
server. Therefore, this is not a real synchronisation but rather having a master containing the
configuration. The Slave will however keep a copy of the configuration, so that it can continue
to operate if the master fails.
This applies only to the FMC part of the configuration. Things like IP addressing etc. are con-
sidered separately. This automatically synchronized configuration however includes all Users,
Endpoints, and Registrations, Number Profiles, etc. The synchonization is done by directly
accessing the configuration database of the master server. The all changes to users, en-
points, or registrations will become effective immediately and will therefore also be scheduled
for synchonization right after pressing ”Save” in the WebGUI. In order to lower the network
load, several changes are collected and then synchronized in one step.
2005-2008
c Comdasys AG 202
4.19 Synchronize database
i It can take up to 3 minutes until all changes have been properly synchronized to the
Slave device.
i Changing the configuration will only be supported on the Master Server. If the Master
is down, the Slave can continue to operate normally. For consistency purposes however,
no configuration change will be possible for the time the Master is down.
The Synchronize database page is used to configure the Convergence in Master, Slave or
in Standalone mode. It will also configure the database synchronization.
The first item Operating mode will be used to select the operating mode for the unit. Master
IP is the IP of the interface which acts as a master and the Slave IP is respectively for the
interface acting as slave.
i To configureboth Master and Slave you need to have a network connection. In theory
a standard routed connection is enough. Since this feature is however used in conjunction
with VRRP, you need to have a connection supporting Multicast requests, usually a switched
connection.
In the Standalone mode the Convergence uses the database without network connection to
other databases. The IP addresses under the Operating mode item will be ignored. This
is the default operation mode. At any time you can turn a Standalone Convergenceinto the
master of a cluster. You have to be careful turning it into a slave because you will lose your
configuration.
The Master mode initialize the local database as master and the database from the Conver-
gence with the Slave IP as slave. The connection deamon starts on the master Convergence
after the initializing process. You need to configure the Master the Master IP and Slave IP.
2005-2008
c Comdasys AG 203
4.19 Synchronize database
2005-2008
c Comdasys AG 204
4.19 Synchronize database
You also need to download the security key to enable communication between the Master and
the Slave, see ?? for more information on that.
This puts the Convergenceinto slave mode. All configuration data will be fetched from the
master. To start the Convergence in Slave mode you need the Master IP and Slave IP. The
Slave IP naturally is the IP address of the unit you are currently configuring and you need to
specify the appropriate interface IP address that should be used for synchronization.
After applying this configuration, the unit will start to synchronize the data from the master
server.
i The Security Keys (see ??) of the Master must be present on the slave. Otherwise
the unit will not be able to synchronize the configuration.
! All FMC configuration data present on this device will be overwritten by data fetched
from the master. This means that the configuration present on this device will be lost
i You can switch a Slave back into Standalone mode, but the synchronized data will
be kept.
Two HPMC appliances can be deployed in a failover fashion. In such a configuration, the
secondary server can take over the functionality of the primary one. In order to offer that, we
will make use of the VRRP protocol to provide a dynamic failover mechanism. The properties
of this failover mechanism are as follows:
2005-2008
c Comdasys AG 205
4.19 Synchronize database
• The secondary appliance does not have to be maintained, since the configuration will
always be taken from the primary appliance (only pertaining to the FMC configuration)
The configuration of the solution is as follows. The primary server will contain all FMC con-
figuration. The slave server is normally configured for networking, firewalling etc. The FMC
configuration is only done by pointing to the master server via database synchronization, as
described in ?? . This will lead to a mirroring of this configuration. The VRRP portion has to
be setup separately. Please refer to ?? for more information.
2005-2008
c Comdasys AG 206
4.20 SIP TLS configuration
The SIP TLS configuration page is a simple tool to upload a TLS private key and a TLS
certificate used to communicate with the client in TLS mode. Naturally this is only relevant
if you have a client that is able to support SIP in TLS mode. Otherwise you can ignore this
section.
The Convergencegenerates a new privat key and a certificate automatically while booting if
noprivate key or certificate exists. Therefore, if you do not want to setup authentication based
on certificates, there is no need to do any configuration here.
To upload a new TLS Private Key press the Browse button and select the new private key
from your file system (Figure: ??).
2005-2008
c Comdasys AG 207
4.21 QOS
In the next step press the Upload button and the new TLS private key will be saved onto the
Convergence. The procedure for the TLS certificate is essentially the same (Figure: ??).
! The TLS certificate must fit the TLS private key, otherwise no TLS communication
will be possible
If you do not have any keys to use for TLS communication, you can also use the Conver-
genceto create a key set. Simply press Generate and the Convergencegenerates a new
default TLS private key and TLS certificate. These will be stored on the Convergenceand
activated after pressing Apply Configuration .
4.21 QOS
This page allows to configure layer 3 QoS tagging by using DSCP/TOS byte in IP header.
This tagging is supported both towards the FMC clientside as well as towards the PBX side.
Simply configure the correct interfaces here. Note that this tagging only makes sense for
outbound traffic.
There are three different ways to specify the traffic you want to mark:
• Interface
• IP and Application Protocol
• TCP / UDP Ports
• Protocol: Select a Protocol, either UDP, TCP, ICMP or ANY. ANY will match all packets.
• Received on Interface: This will match packets arriving on a specified interface. This
option only applies if the traffic is just forwarded and the Convergencehence acts as a
router. For traffic terminated on this device this rule is useless.
• Sent over Interface: Will match all packets sent out over the given interface. It does not
matter if the packets were forwarded or generated by the local device.
• Destination Port: Matches all packets addressed to the given destination port.
• L7 Protocol: Stands for Layer 7 Protocol and will actually analyze the payload of each
packet to match a certain protocol. Only a subset of the supported protocols is given as
a choice here, namely ANY, SIP, RTP, TLS. More protocols are usable via the CLI.
2005-2008
c Comdasys AG 208
4.21 QOS
! The use of Layer 7 Filtering is discouraged for devices needing to handle high data
rates (in excess of 5MBit constant load) because analyzing each packet can become quite
resource consuming.
Traffic tagging methods:
• DSCP: Stands for DiffServ and is specified in the RFCs 2474 and 2475. The DiffServ
standard supersedes the original specification for defining packet priority described in
RFC 791
• TOS: Type of Service as described in RFC 791
Both set inteded QoS tag into the same byte field in IP header. If this byte field will be
interpreted as DSCP or TOS dependes on network infrastructure settings. Value can be
entered in decimal (e.g.”38”) or hexadecimal (e.g.”0x26”).
i Note that it is only possible to specify one tagging method (i.e. DSCP or TOS) for
any given tagging rule.
2005-2008
c Comdasys AG 209
5 Command Line Interface
The Convergence does not only offer configuration via the Web interface but further provides
access through a CLI (Command Line Interface).
You can access this CLI in three ways:
In every case the username is root and the password is identical to the password set in the
Web interface.
You will get a Linux prompt that can be used like any other Linux computer. A detailed descrip-
tion of the functionality accessible through the CLI is provided in the Commandline Guide.
The configuration via the CLI is primarily used for special tasks as resetting to factory defaults
and for extended debugging.
There are 12 console windows available when accessing Convergence products with a key-
board and VGA monitor.1 They can be reached by pressing the Alt key and one of the
function keys F1 to F12 simultaneously. Some of these consoles are reserved for special
1
Applies only to Convergence products with VGA connector. As VGA connector is not accessible from outside
the product, this way to connect Convergence is reserved for service purposes. Opening the product and using
VGA connector should be done by the service engineering staff only.
2005-2008
c Comdasys AG 210
5.2 Initial setup using the Command Line Interface
purposes though, so only some of these consoles are usable for an administrator’s command
line console:
It is also possible to access Convergence products via RS232 (aka COM1) and a terminal
emulator program like MS Windows’ Hyperterminal. The connection parameters for the serial
line are: 9600 baud, 8 data bits, no parity, 1 stop bit, VT100 emulation.
The third possibility to get a command line terminal is to use a SSH (i.e. secure shell) con-
nection using any SSH client (e.g. OpenSSH on Unix/Linux, PuTTY on Windows).
Convergence products allow SSH version 2 connections from all configured interfaces, unless
set differently in the security settings of the graphical user interface.
If you log in via one of the local methods (VGA console or RS232 console) you get a login
menu. You can exit this quick configuration menu by pressing s . The quick configuration
menu can be used to e.g. assign an IP address to the unit. The menu does the same as the
analog WebGUI pages.
After exiting the quick configuration menu, you will see the following login prompt:
Akira login:
2005-2008
c Comdasys AG 211
5.2 Initial setup using the Command Line Interface
The only available user to log on is root, with the same password as the admin’s password
in the browser interface, initially sesam. You should change this password via the browser as
soon as possible!
After having logged in you see a prompt like this:
Akira login: root
password:
Akira Linux Release 1.2 (Lisa) for i686 at revision 528
No mail.
root@Akira:˜ #
The shell used is a normal bash, as known from almost all Linux distributions and a number
of commercial Unices. The actual numbers may vary, as they show the current version of
the software at the time of this writing. Also the name Akira is just the initial name of the
Convergence and can be altered using the Web interface (system name).
When you have logged in, you probably want to adjust the IP settings of the first LAN interface
first:
Examples:
1. To change your LAN’s IP address to 192.168.1.20 (because your local network is e.g.
192.168.1.0/24), add the following command:
ifconfig eth0 192.168.1.20 network 255.255.255.0
2. If you want to modify the Convergenceś WAN address, e.g. if you have a static internet
address and want to do the rest of the configuration from a remote site, add (e.g. for a
static address 1.2.3.4 with gateway 1.2.3.1):
ifconfig eth1 1.2.3.4 netmask 255.255.255.0 up
route add default gw 1.2.3.1
In both cases, immediately after entering these commands the Convergence is accessible
from the given networks, but these settings have to be done again in the web interface (or in
the basconfig directly, as shown below) to become permanent.
! Be careful if you intend to configure the Convergence remotely: Initially there are no
firewall rules in place and everyone who knows the IP address may log in and modify the box
if the standard password has not been changed. Also pay attention that you don’t change
the IP address of the interface with which you’re currently logged in if you’re connected via
SSH!
2005-2008
c Comdasys AG 212
5.3 Restrictions using the Command Line Interface
While the command line environment is a plain bash shell there are nevertheless limitations
on what can or should be done here. These limitations result from the approach of the Con-
vergence to
1. remain upgradeable, even when certain changes are done on the command line
2. remain compatible with the web interface
• Your modifications may disappear if you select Apply config in the web interface.
• Your modifications may disappear if you reboot your Convergence.
• Your modifications may disappear if you upgrade to a newer version of the system.
• Your Convergence may suddenly lack functionalities or functionalities stop working as
desired.
• The security of your Convergence might be compromised.
In any of these cases, the manufacturer does not take any responsibility for damage that oc-
curs (especially security breaches) because of improper use of this command line interface.
So the restrictions are (unless explicitly permitted by manufacturer’s support):
• Don’t modify configuration files, unless for special program packets that are not meant
to be configured from the graphical user interface.
• Don’t modify startup scripts.
• Don’t modify parts of software programs.
• Don’t install your own software packages.
• Don’t change passwords (even if you find out how to do that).
Because almost all features of the Convergence products can be configured via the browser
GUI (and this is what you should normally do) all that is left that can safely be done on the
command line is:
• Modify configuration files for special program packets that cannot be configured in the
WebUI (e.g. traffic shaping).
• Check error conditions more thoroughly.
• Debug network connections with the provided tools.
• Modify the central configuration file /etc/config/baseconfig, which contains all
configurable options of the web interface. See chapter ?? for details on this file.
2005-2008
c Comdasys AG 213
5.4 Configuration utilities
To avoid accidential editing of managed configuration file running vi or vim on such a file will
result in a warning and ask you whether to continue2 . If you find the need to edit a managed
configuration file repeatedly you can avoid the warning by passing -n as first argument, e.g.:
vi -n /etc/openser/openser.cfg
Configuring Convergence products is normally done by editing one central configuration file
called the baseconfig file which location is /etc/config/baseconfig. This file controls
how the necessary configuration files for almost all services are generated by the applyconfig.sh
utility. Because the reference for the baseconfig file is quite extensive the details of this file
are described in chapter ?? after explaining the utilities which work with this file first.
applyconfig.sh processes the baseconfig file and generates the configuration files for all
daemons and other services that can be configured via the WebUI. There are two modi in
which applyconfig.sh operates: with or without command line options. When called with-
out any command line options all configuration files are generated, overwriting already existing
ones. If arguments are passed only configuration files for those services are generated.
For example:
applyconfig.sh syslog
causes only the configuration file for the syslog daemon to be generated, overwriting the
previous one.
Because old configuration files are overwritten you should not edit the controlled configura-
tion files directly as the next you’re pressing Apply configuration in the WebGUI all your
changes will get overwritten by applyconfig.sh.
Now that applyconfig.sh has written the configuration files we need to restart one or
more (maybe even all) services. This is handled by the restartservices utility, which
even allows groups of services to be restarted.
Like applyconfig.sh this utility operates on all services when called without arguments. If
arguments are given only the specified services are restarted. To get a list of known services
and service group enter:
2
This feature is available since release 4675.18 and 6060.2 respectivly.
2005-2008
c Comdasys AG 214
5.4 Configuration utilities
restartservices -l
Another very useful command line argument is -n which causes restartservices to just show
what it would do without actually doing something so you can be sure that it really will do what
you want it to do, e.g.:
root@Akira/˜ # restartservices -n logging
/usr/bin/setsid /etc/rc.d/rc3.d/K89klogd stop
/usr/bin/setsid /etc/rc.d/rc3.d/K90syslogd stop
/sbin/stophttpd
/sbin/stopsshd
/usr/bin/setsid /etc/rc.d/rc3.d/S10syslogd start
/usr/bin/setsid /etc/rc.d/rc3.d/S11klogd start
/sbin/starthttpd
/sbin/startsshd
Particular service can be enabled (or disabled) by typing chkconfig followed by the name
of the service and on (or off ).
For example:
chkconfig dyndns on
enables DynDNS
chkconfig dyndns off
2005-2008
c Comdasys AG 215
5.5 The ”baseconfig” configuration file
disables it.
Furthermore, chkconfig can be run with -q (quiet mode) which will suppress output, e.g.
chkconfig -q dyndns. This can be used for scripting purposes, since chkconfig return
value is 0 for enabled services, and >0 otherwise.
Convergence products don’t create Linux IPTables firewall rules directly but use an interme-
diate format called CIG which helps simplifying the creation on firewall setups.
Custom IPTables rules may be added in /etc/sysconfig/firewall.custom.
The applyfirewall.sh utility flushes the current firewall rules, compiles the CIG script
(located in /etc/sysconfig/firewall.wig) into IPTables rules and applies them.
The flushfirewall.sh tool just flushes the firewall, thus temporarily disabling it, which
could be done for testing purposes. This, however will not flush NAT related rules. If you want
to disable NAT too, call flushfirewall.sh with the command line option -n.
flushfirewall.sh -n
saveconfiguration saves the most important configuration files The files currently are:
/etc/passwd, /etc/htpasswd, /etc/config/baseconfig, /etc/ssl/*, /etc/ssh/*,
/etc/openvpn/* into a file
/tmp/configuration-<date>.cpio.gz (or /root/configuration-<date>.cpio.gz
in older releases)
To restore a configuration that was saved with saveconfiguration use restoreconfiguration
and supply the appropriate file as argument. Note that restoreconfiguration automatically calls
applyconfig.sh and restartservices to regenerate the configuration files for all ser-
vices and to restart them.
2005-2008
c Comdasys AG 216
5.6 Parameter Reference for baseconfig
The purpose of the baseconfig file is to have a central configuration file that controls the
generation of configuration files for all included services. The generation of configuration files
is handled by the applyconfig.sh script which is described in section ??.
A complete reference to all baseconfig keys, their explanations and their possible values is
provided in chapter ??.
The file baseconfig contains all configuration parameters that can be set using the web
interface. Whenever data from the web interface is saved the entire file is read, the accord-
ing entries are added/modified/deleted and then the entire file is written back in alphabetical
order.
This behaviour has two consequences:
• You may add as many additional parameters as you want (they just have no effect).
• You cannot use comments in this file the normal way. If you want to add a comment to a
parameter, just create a new parameter with the same name as the original parameter,
followed e.g. with comment.
Example:
system_name=gatekeeper
system_name_comment=This is the name of my box
You already could see the overall syntax of entries in this file:
<Variable>=<Value>
<Variable> is the name of the parameter. A complete list of names used in the Conver-
gence can be found in section ??. <Value> can be any entry, its interpretation depends on
<Variable> and the service that to be configured.
The following chapters describe all keys and their meanings used in the /etc/config/baseconfig
file. See chapter ?? for an overview of this file.
2005-2008
c Comdasys AG 217
5.6 Parameter Reference for baseconfig
Name: lana ip
Description: IP address of first LAN interface or “dhcp” for dynamic IP support
Example: lana ip=10.0.0.205
Name: lana nm
Description: Net mask of first LAN interface
Example: lana nm=255.255.255.0
Name: lana dhcp ntp1, lana dhcp ntp2, lana dhcp ntp3
Description: Specifies optional NTP time servers forwarded to a DHCP client along with
its assigned address. Not to be confused with system dns, which is used
by the Convergence itself.
Example: lana dhcp ntp1=217.145.104.11
2005-2008
c Comdasys AG 218
5.6 Parameter Reference for baseconfig
Name: lanb ip
Description: IP address of second LAN interface (eth2) or “dhcp” for dynamic IP support
Example: lanb ip=192.168.1.1
Name: lanb nm
Description: Net mask of second LAN interface (eth2)
Example: lanb nm=255.255.255.0
2005-2008
c Comdasys AG 219
5.6 Parameter Reference for baseconfig
Name: lanb dhcp ntp1, lanb dhcp ntp2, lanb dhcp ntp3
Description: Specifies optional NTP time servers forwarded to a DHCP client along with
its assigned address. Not to be confused with system dns, which is used
by the Convergence itself.
Example: lanb dhcp ntp1=217.145.104.11
These settings configure the WAN interface eth1 and its PPP connection, if required.
Name: wan ip
Description:
• Static IP address of WAN interface (eth1), if a static Internet address
is used for connection
• IP address of Convergence in transfer net to DSL modem, if PPTP is
used
Name: wan gw
Description: IP address of PPTP DSL modem
Example: wan gw=62.34.178.35
2005-2008
c Comdasys AG 220
5.6 Parameter Reference for baseconfig
Name: wan nm
Description: Netmask of WAN interface (eth1)
Example: wan nm=255.255.255.248
Use these settings to configure virtual interfaces on your box (so called IP Aliasing). These
settings are also there for another reason. A virtual interface can also be configured as a
VLAN.
The acronym VLAN expands to Virtual Local Area Network. A VLAN is a logical local area
network (or LAN) that extends beyond a single traditional LAN to a group of LAN segments,
given specific configurations.
A LAN is a local area network and is defined as all devices in the same broadcast domain. If
you remember, routers stop broadcasts, switches just forward them. VLAN is a virtual LAN.
In technical terms, a VLAN is a broadcast domain created by switches. Normally, it is a router
creating that broadcast domain. With VLANs, a switch can create the broadcast domain.
This works by, you, the administrator, putting some switch ports in a VLAN other than 1, the
default VLAN. All ports in a single VLAN are in a single broadcast domain. Since switches can
talk to each other, some ports on switch A can be in VLAN 10 and other ports on switch B can
be in VLAN 10. Broadcasts between these devices will not be seen on any other port in any
other VLAN, other than 10. However, these devices can all communicate because they are
on the same VLAN. Without additional configuration, they would not be able to communicate
with any other devices, not in their VLAN.
Similarly to physical LANs, you need a router to exchange packets between two VLANs. In
order to achieve that, you can create a Virtual Interface for each VLAN the Convergence is in.
You can then define routing policies as well as security policies between the virtual interfaces
to route packets any way you like.
2005-2008
c Comdasys AG 221
5.6 Parameter Reference for baseconfig
! Note that you cannot configure two interfaces with the same network and netmask.
Especially overlapping netmasks will not be caught by the sanity check in the configuration
management, but can cause very unwanted routing behavior.
2005-2008
c Comdasys AG 222
5.6 Parameter Reference for baseconfig
Use these settings to customize port numbers for ssh and https.
These settings configure an dynamic DNS service, which is especially useful, when no static
address is available for the WAN interface.
For most services the same username/password may be used for a number of hostnames. If
you use this feature, a malicious user on one Convergence might be able to modify registered
addresses from other boxes, which is a potential security risk!
2005-2008
c Comdasys AG 223
5.6 Parameter Reference for baseconfig
2005-2008
c Comdasys AG 224
5.6 Parameter Reference for baseconfig
These settings contain static routes, one per parameter. The parameters need to be num-
bered consecutively; if a number is missing, processing of routing information will stop at that
gap.
Name: routex
Description: Static route with numerical identifier <x>; parameter contains all informa-
tion in a semicolon separated array:
[<Network to be routed to>; <netmask of network to be routed to>; <gate-
way>; <interface>]
Example: route0=[10.1.0.0;255.255.255.0;10.0.0.254;LANA]
route1=[10.2.0.0;255.255.255.0;10.0.0.254;LANA]
2005-2008
c Comdasys AG 225
5.6 Parameter Reference for baseconfig
These settings configure the bandwidth daemon that monitors the network traffic and calcu-
lates the current average bandwidth. The bandwidth daemon is queried by the SIP proxy for
Call Admission Control (CAC).
Name: bw rate
Description: Sample rate, in tenth of second; the default value is “1”
Example: 1
Name: bw size
Description: Number of samples; combined with bw rate this value determines the size
of a time window the bandwidth daemon uses; the default value is “30”
Example: 30
Name: bw log
Description: Log level; possible values are: “none”, “error”, “warning”, “info”,
“debug”
Example: info
These settings define NTP servers that can be used to synchronize the system time with.
Name: ntp on
Description: Turning on/off NTP; one of:
“on”: NTP feature enabled; implies ntp namex, ntp prefx
“off”: NTP feature disabled
Example: ntp on=on
2005-2008
c Comdasys AG 226
5.6 Parameter Reference for baseconfig
These settings contain all information to configure iptables. In general firewall rules are exe-
cuted in the following order:
• Allow rules for active clients (DNS, dynamic DNS, syslog, etc.)
• Allow rules for admin access (ssh and https)
• Allow rules for IPsec and OpenVPN
• Allow rules for base services (see fw lana services, fw lanb services)
• Include file /etc/sysconfig/firewall.custom (except rules added with ”iptables
-I”)
• User defined rules (with fw rulex ..., see below)
• Deny all
There are a number of ”meta” rules that cause a whole range of rules to be generated.
Name: fw seclevel
Description: This parameter allows to disable all access configuration and set the Con-
vergence to a special secure mode. Valid values:
• “secure”: All local Internet access is switched off. Only access be-
tween local networks and remote sites via tunnel connections are
possible.
• “custom”: normal operation
Example: fw seclevel=custom
Name: fw loglevel
Description: Level indicating which rules generate messages; value is an integer be-
tween “0” (no logging at all) and “9” (very verbose logging). Default level is
“4” (log all denied packets).
This parameter just states how many iptables LOG rules are created.
Example: fw loglevel=0
2005-2008
c Comdasys AG 227
5.6 Parameter Reference for baseconfig
2005-2008
c Comdasys AG 228
5.6 Parameter Reference for baseconfig
Name: fw rulex s ip
Description: Source IP address; may also specify a network address.
In fact, if fw rulex s nm is not “255.255.255.255”, it has to be a valid
network address.
Example: see example below ??
2005-2008
c Comdasys AG 229
5.6 Parameter Reference for baseconfig
Name: fw rulex s nm
Description: Source IP address netmask.
If fw rulex s nm is not “255.255.255.255”, fw rulex s ip has to be
a valid network address.
Example: see example below ??
Name: fw rulex d ip
Description: Destination IP address; may also specify a network address.
In fact, if fw rulex d nm is not “255.255.255.255”, it has to be a valid
network address.
Example: see example below ??
Name: fw rulex d nm
Description: Destination IP address netmask.
If fw rulex d nm is not “255.255.255.255”, fw rulex d ip has to be
a valid network address.
Example: see example below ??
2005-2008
c Comdasys AG 230
5.6 Parameter Reference for baseconfig
fw_rule0_in_int=ANY
fw_rule0_out_int=WAN
fw_rule0_d_ip=16.1.2.120
fw_rule0_d_nm=255.255.255.255
fw_rule0_d_port=22
fw_rule0_policy=ACCEPT
fw_rule0_type=TCP
This allows access from any internal network SSH (i.e. port 22) access to the internet com-
puter with address 16.1.2.120.
5.6.16 Settings for Port Forwarding (fwd )
These settings contain port forwardings to computers in NAT’ed local networks, one per pa-
rameter. The parameters have to be numbered consecutively; if a number is missing, pro-
cessing will stop at that gap.
Name: fwdx
Description: Forwarding rule; parameter contains all information in semicolon separated
array:
Port on Convergence target IP address, target port
Example: fwd0=[2222;10.0.0.10;22]
Sets port forwarding from Convergenceś WAN interface
port 2222 to the SSH port on local box 10.0.0.10
These settings contain VPN definitions, one tunnel per parameter set vpnx . The tunnels
have to be numbered consecutively; if a number is missing, processing of tunnels will stop at
that gap.
2005-2008
c Comdasys AG 231
5.6 Parameter Reference for baseconfig
These parameters describe IPsec and OpenVPN tunnels. While most parameters are com-
mon for both types, there are some specific ones:
• IPsec only: vpnx local if, vpnx remote
• OpenVPN only: vpnx local ip, vpnx remote ip, vpnx port, vpnx tls
2005-2008
c Comdasys AG 232
5.6 Parameter Reference for baseconfig
Name: vpnx ss
Description: Defines
• a shared secret for a password based setup of an IPsec connection
• a shared secret file for a shared secret based setup of an OpenVPN
connection. The file /etc/openvpn/secrets/<ss>.key must ex-
ist.
This parameter and vpnx cert are mutually exclusive.
Example: vpn0 ss=test secret
2005-2008
c Comdasys AG 233
5.6 Parameter Reference for baseconfig
2005-2008
c Comdasys AG 234
5.6 Parameter Reference for baseconfig
These settings contain all information to set up a L2PT server on the Convergence.
2005-2008
c Comdasys AG 235
5.6 Parameter Reference for baseconfig
These settings contain settings that apply to special users / computers upon their connection
setup. The user specific parameters have to be numbered consecutively; if a number is
missing, processing will stop at that gap.
When using L2TP to connect Windows XP and Windows 2000 computers, there is a number
of protocol layers involved:
1. Mostly PPP to connect the remote computer to the Internet; authentication is done via
connection settings.
2. An IPsec connection is set up to establish an encrypted communication channel; the
authentication can be done via passwords (shared secrets) or certificates; both possi-
bilities can be configured on a per-user basis.
3. An L2TP (Layer 2 tunnel protocol) connection is established on top of IPsec. No authen-
tication is done on this layer.
4. On top there is another PPP session that finally establishes an IP session between the
remote computer and the Convergence. This session has to be authenticated again,
using username and password. Within this session, the remote computer also receives
its IP address.
2005-2008
c Comdasys AG 236
5.6 Parameter Reference for baseconfig
2005-2008
c Comdasys AG 237
5.7 Settings for Voice-over-IP (ser )
These settings configure the SIP proxy service. This service features multiple configuration
templates that are explained in more detail in the handbook. The parameter values discussed
here are sometimes used for multiple configuration templates. This is always explained to-
gether with the keys. Besides the parameter values as explained below, the keys for tls have
to be setup if this is desired. All Comdasys products will autocreate tls keys for use with the
SIP Proxy. If the interaction with phones is desired, there are two ways of setting this up. Ei-
ther you download the preconfigured keys (they are generated on first boot of the Comdasys
device, or you upload the desired keys to the Comdasys.
The most important parameter is that for selecting the used template profile is the ser type
parameter. This one selects the scenario the product is to be used in. The following scenarios
are possible.
5.7.1.1 Disabled
5.7.1.2 Custom
Custom template that permits configuration via CLI. This is usually not recommended unless
for specialized projects. This is mostly used in large projects with specialized configuration
templates that are put into the Convergence through mass deployment tools.
2005-2008
c Comdasys AG 238
5.7 Settings for Voice-over-IP (ser )
5.7.1.3 Standalone
Standalone template which will make SIP Proxy act as a standalone SIP server. This is a
very simple template to setup simple configurations. The configuration of voice gateways to
enable outbound calls is supported.
5.7.1.4 Survivability
Survivability template which will forward all messages to a central SIP server unless this one
is unavailable. In this case, the SIP Proxy will take over the role of the central SIP server. This
template also support CAC scenarios.
Session Border Controller template that makes the SIP Proxy act as an SBC in front of a SIP
server / B2BUA. There is a great varierty of configurations for this. Depending on the exact
usage, the Survivability and Branch SBC configurations could also apply. This selection is
the template for a typical centralized Session Border Controller used to connect endpoints
coming from the Internet, usually behind NAT Routers. This template will hence perform NAT
handling.
Branch SBC which sits in front of a SIP server but at a decentral location instead of a central
one as with the SBC template. As such, it will typically serve in Enterprise Branch Office
scenarios, or in Hosted scenarios. A hosted service provider can use the product to terminate
his service at the customer premise. In order to use that service, the Convergence would
receive one data center IP address as well an IP address in the local range. With that, the
phones on the customer premise would only interact with the Convergence through a local IP
address. No changes to the network, routing or anything else would be necessary to support
deploying a VoIP solution.
The Convergence offers two different ways of handling SIP Trunking scenarios, via the SIP
Proxy / SBC component and via the B2BUA. The selection here will make the Convergence
behave like a special SBC for SIP Trunking scenarios. As such, it will not perform a registration
with a provider, the locally connected PBX / SIP server behind the SBC has to perform that.
The SBC approach has the advantage that features between the local PBX and the Trunking
Provider are transparently handed through. This is something a B2BUA approach cannot
absolutely guarantee.
2005-2008
c Comdasys AG 239
5.7 Settings for Voice-over-IP (ser )
This scenario is a very specialized central SBC scenario where it is assumed that a Branch
SBC is connected behind. In contrast to the central SBC scenario, it will not stay in the
media path for connections that stay ”inside” a single branch. This also works dynamically for
features. For example if you first have a branch internal call, the central SBC will not be in the
media stream. If the media however is renegotiated for example because one party was put
on hold, the central SBC can pcik up the media stream.
With this template the SIP Proxy will act as an IP-to-IP gateway performing message forward-
ing based on ENUM lookups as well as SBC functionality for incoming calls.
2005-2008
c Comdasys AG 240
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 241
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 242
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 243
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 244
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 245
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 246
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 247
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 248
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 249
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 250
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 251
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 252
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 253
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 254
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 255
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 256
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 257
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 258
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 259
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 260
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 261
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 262
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 263
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 264
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 265
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 266
5.7 Settings for Voice-over-IP (ser )
2005-2008
c Comdasys AG 267
5.7 Settings for Voice-over-IP (ser )
Contrary to earlier versions, the FMC settings are now stored in a database. Therefore, it is
not possible to perform any CLI configurations here. You can however access the database
directly.
For more information about this refer to ??.
2005-2008
c Comdasys AG 268
6 Documentation for packaged products
This chapter contains documentation from third-party products that are used by Convergence
products. The documentations are included for completeness reasons. Please note that these
documents are copyrighted by their respective owners and are not the property of Comdasys
AG.
The Convergence Series porducts feature sophisticated traffic control and bandwidth man-
agement support. Since traffic control is an immensely complex topic, you should refer to
http://lartc.org/howto/ to get a more detailed introduction as to how Linux handles
this. Here we will only describe where to find the respective configuration files. There are
two ways for configuring traffic control in the Convergence Series. The Convergence series
has a config file where the kind of configuration can be selected. It can be found under
/etc/sysconfig/trafficshaping. If configuration via the shaper script is selected, all
of the features of Linux traffic control can be utilized. The downside is a very complex configu-
ration process, which must be done in /usr/sbin/shaper.sh. A very simple but frequently
used configuration can be found there which can be adapted to your liking.
The preferred way of configuring traffic control in the convergence series is via htb.init. HTB
stands for Hierarchical Token n Bucket which can be configured to work in conjunction with
SFQ (Stochastic Fairness Queuing) and Priority Queuing. An example configuration is avail-
able from the Comdasys Website which documents the way this is configured. Online help for
this topic is available on the box itself by displaying the README file in the htb directory.
Most Convergence products have the ISC BIND9 installed. As the BIND9 configuration file
reference is longer than this document we do not include it here. For in-depth documentation
please consult the BIND9 Administrator’s Reference Manual, located at:
http://www.nominum.com/content/documents/bind9arm.pdf
2005-2008
c Comdasys AG 269
6.3 SIP Proxy / Registrar
The Convergence Series uses the OpenSER (derived from SER from IPTel.org) as Proxy /
Registrar. Details can be found at http://www.openser.org/, including links to further
documentation. Note that the documenation included here is only a small excerpt of the
lower level functionalities of OpenSER. There is also a lot of documentation available on the
Internet.
i Own additions however have been made both to the documentation as well as to the
software. Most commands used in the WebGUI generated openser.cfg file are actually not
part of the standard OpenSER.
There is a script openserctl to control the SIP Proxy server process. It can be used to man-
age users, access control lists, in memory contacts, and to monitor server health. Executing
serctl with no arguments will produce this output:
# openserctl
/usr/sbin/openserctl 1.1 - $Revision: 1.6.2.2 $
parameter usage:
* subscribers *
add <username> <password> <email> .. add a new subscriber (*)
passwd <username> <passwd> ......... change user’s password (*)
rm <username> ...................... delete a user (*)
mail <username> .................... send an email to a user
rpid add <username> <rpid> ......... add rpid for a user (*)
rpid rm <username> ................. set rpid to NULL for a user (*)
rpid show <username> ............... show rpid of a user
2005-2008
c Comdasys AG 270
6.3 SIP Proxy / Registrar
* usrloc *
ul show [<username>]................ show in-RAM online users
ul rm <username> [<contact URI>].... delete user’s UsrLoc entries
ul add <username> <uri> ............ introduce a permanent UrLoc entry
showdb [<username>] ................ show online users flushed in DB
* pa *
pa pres <p_uri> <pstate>............ set pstate for a presentity
pa loc <p_uri> <loc>................ set location for a presentity
* domains *
domain show ........................ show list of served domains
domain add <domainname> ............ add a new served domain
domain rm <domainname> ............. remove a served domain
* lcr *
* IP addresses must be entered in dotted quad format e.g. 1.2.3.4 *
* <uri_scheme> and <transport> must be entered in integer or text,*
* e.g. transport ’2’ is identical to transport ’tcp’. *
* scheme: 1=sip, 2=sips; transport: 1=udp, 2=tcp, 3=tls *
* Examples: openserctl lcr addgw_grp usa 1 *
* openserctl lcr addgw level3 1.2.3.4 5080 sip tcp 1 *
* openserctl lcr addroute +1 % 1 1 *
lcr show ...................................... show routes, gateways and group
lcr reload .................................... reload lcr gateways
lcr addgw_grp <grp_name> ...................... add gateway group, autocreate g
lcr addgw_grp <grp_name> <grp_id> ............. add gateway group with grp_id
2005-2008
c Comdasys AG 271
6.3 SIP Proxy / Registrar
serctl add
serctl password
serctl rm
The contents of the in memory cache can be managed with the ul argument. Please take
care using these commands. As for example:
serctl ul rm joe
will remove the current contact information about Joe from memory. Whereas
openserctl rm joe
will delete joe’s account.
2005-2008
c Comdasys AG 272
6.3 SIP Proxy / Registrar
===Domain list===
---Domain---
name : ’location’
size : 512
table: 0x402ee6d0
d_ll {
n : 2
first: 0x402f1a74
last : 0x402f089c
}
lock : 0
...Record(0x402f1a74)...
domain: ’location’
aor : ’test’
˜˜˜Contact(0x402f708c)˜˜˜
domain : ’location’
aor : ’test’
Contact: ’sip:test@192.168.0.100:5060’
Expires: 2501
q : 0.00
Call-ID: ’000a8a93-d4660017-4571a6cd-658ac1bf@192.168.0.100’
CSeq : 101
State : CS_SYNC
next : (nil)
prev : (nil)
˜˜˜/Contact˜˜˜˜
.../Record...
...Record(0x402f089c)...
domain: ’location’
aor : ’joe’
˜˜˜Contact(0x402f0924)˜˜˜
domain : ’location’
aor : ’joe’
Contact: ’sip:192.168.0.101:14354’
Expires: 432
q : 0.00
Call-ID: ’e8d93059-e46e-4fd9-958b-ccb36a1cf245@192.168.0.101’
CSeq : 11
State : CS_SYNC
next : (nil)
prev : (nil)
˜˜˜/Contact˜˜˜˜
.../Record...
2005-2008
c Comdasys AG 273
6.3 SIP Proxy / Registrar
---/Domain---
===/Domain list===
Transaction Statistics:
Module name = tm; statistics=11
tm:received_replies = 8465
tm:relayed_replies = 8355
tm:local_replies = 71
tm:UAS_transactions = 8317
tm:UAC_transactions = 0
tm:2xx_transactions = 4243
tm:3xx_transactions = 0
2005-2008
c Comdasys AG 274
6.3 SIP Proxy / Registrar
tm:4xx_transactions = 4073
tm:5xx_transactions = 0
tm:6xx_transactions = 6
tm:inuse_transactions = 2
UsrLoc Stats:
Module name = usrloc; statistics=6
usrloc:aliases-users = 0
usrloc:aliases-contacts = 0
usrloc:aliases-expires = 0
usrloc:location-users = 1
usrloc:location-contacts = 1
usrloc:location-expires = 16
6.3.2 TLS
TLS, as defined in SIP RFC 3261, is a mandatory feature for proxies and can be used to
secure the SIP signalling on a hop-by-hop basis (not end-to-end). It is a secure SIP transport
method (besides UDP and TCP) for user agents or other SIP servers/proxies connecting to
the Convergence. TLS works on top of TCP.
The configuration of the SIP server is written to the file /etc/ser/ser.cfg. It is dynamically
created by the web based configuration application depending on the selected scenario. The
”SBC” (Session Border Controller) scenario currently uses TLS as the only possible transport
method. For a documentation of the syntax of the configuration file and the rich sets of
features and commands of the OpenSER please refer to its documentation.
The main configuration settings regarding TLS are shown below.
The default paths for the server certificate and private key is
/etc/ser Put the server certificate in the file
/etc/ser/cert.pem
and the private key into
2005-2008
c Comdasys AG 275
6.3 SIP Proxy / Registrar
/etc/ser/prik.pem
and make sure to set the file permissions to a restrictive value (”600”: -rw-------).
tls certificate="/etc/ser/cert.pem" path to server certificate
tls private key="/etc/ser/prik.pem" path to server private key
tls method=TLSv1 possible values are TLSv1, SSLv2, SSLv3,
SSLv23
disable tls=0 temporarily disables TLS when set to 1
tls verify=on requires a certificate from the connecting client
tls require certificate=on only used if tls verify=on
• tls require cert=0 - the verification pro-
cess will succeed if the client does not
provide a certificate, or if it provides one,
it verifies correctly against the server’s list
of trusted certification authorities.
• tls require cert=1 - the verification
process will only succeed if the client pro-
vides a certificate and this verifies cor-
rectly against the server’s list of trusted
CAs.
Various options for the SER accept regular expressions. A regular expression, or regexp, is a
way of describing a class of strings. It matches every input record whose text belongs to that
class. Thus they are used in comparison expressions to match input strings.
The simplest regular expression is a sequence of letters, numbers, or both. Such a regexp
matches any string that contains that sequence. Thus, the regexp ‘foo’ matches any string
containing ‘foo’. Other kinds of regexps let you specify more complicated classes of strings.
2005-2008
c Comdasys AG 276
6.3 SIP Proxy / Registrar
‘.’ This matches any single character except ‘.P’ matches any single character
a newline. followed by a ‘P’ in a string. Using
concatenation we can make reg-
ular expressions like ‘U.A’, which
matches any three-character se-
quence that begins with ‘U’ and
ends with ‘A’.
‘[...]’ This is called a character set. It matches ‘[MVX]’ matches any one of the
any one of the characters that are en- characters ‘M’, ‘V’, or ‘X’ in a string.
closed in the square brackets.
Ranges of characters are indicated by ‘[0-9]’ matches any digit.
using a hyphen between the beginning
and ending characters, and enclosing the
whole thing in brackets.
‘[ˆ...]’ This is a complemented character set. ‘[ˆ0-9]’ matches any character
The first character after the ‘[’ must be that is not a digit.
a ‘ˆ’. It matches any characters except
those in the square brackets (or newline).
‘|’ This is the alternation operator and it is ‘ˆP|[0-9]’ matches any string
used to specify alternatives. The alter- that matches either ‘ˆP’ or ‘[0-9]’.
nation applies to the largest possible reg- This means it matches any string
exps on either side. that contains a digit or starts with
‘P’.
‘(...)’ Parentheses are used for grouping in reg-
ular expressions as in arithmetic. They
can be used to concatenate regular ex-
pressions containing the alternation oper-
ator, ‘|’.
‘*’ This symbol means that the preceding ‘ph*’ applies the ‘*’ symbol to the
regular expression is to be matched zero preceding ‘p’ and looks for matches
or as many times as possible to find a to one ‘p’ followed by any number
match. of ‘h’s. This will also match just ‘p’
if no ‘h’s are present.
The ‘*’ repeats the smallest possible pre-
ceding expression. Use parentheses if
you wish to repeat a larger expression. It
finds as many repetitions as possible.
‘+’ This symbol is similar to ‘*’, but the pre- ‘wh+y’ would match ‘why’ and
ceding expression it to be matched at ‘whhy’ but not ‘wy’, whereas ‘wh*y’
least once. would match all three of these
strings.
‘?’ This symbol is similar to ‘*’, but the pre- ‘fe?d’ will match ‘fed’ and ‘fd’, but
ceding expression can be matched once nothing else.
or not at all.
2005-2008
c Comdasys AG 277
6.3 SIP Proxy / Registrar
‘\’ This is used to suppress the special ‘\$’ matches the character ‘$’.
meaning of a character when matching.
In regular expressions, the ‘*’, ‘+’, and ‘?’ operators have the highest precedence, followed
by concatenation, and finally by ‘|’. As in arithmetic, parentheses can change how operators
are grouped.
Case is significant in regular expressions, both when matching ordinary characters (i.e., not
metacharacters), and inside character sets. Thus a ‘w’ in a regular expression matches only
a lower case ‘w’ and not an upper case ‘W’.
2005-2008
c Comdasys AG 278
7 Extended options and debugging
The Convergence does not only offer configuration via the Web interface but further provides
access through a CLI (Command Line Interface).
You can access this CLI in three ways:
In every case the username is root and the password is identical to the password set in the
Web interface.
You will get a Linux prompt that can be used like any other Linux computer. A detailed descrip-
tion of the functionality accessible through the CLI is provided in the Commandline Guide.
The configuration via the CLI is primarily used for special tasks as resetting to factory defaults
and for extended debugging.
2005-2008
c Comdasys AG 279
A Sample scenarios
A.0.4 Survivability
In the Survivability scenario, the Convergence is simply used as a SIP Proxy that can take over
the functionality of a central softswitch (compare figure ?? ??). All you need to do to configure
this is use the Convergence as an outbound proxy for your local phones and gateways. The
Convergence will constantly monitor the connection to the softswitch. Once the connection
breaks, the Convergence will instanly take over.
Using the Convergence in your branch office can also help address the QoS problems typically
associated with converged networks. Maintaining voice quality is a requirement that cannot
be tackled with standard quality of service means. Too many voice calls on a WAN link
will degrade the voice quality of all connections. In order to avoid that, the Convergence can
enforce hard limits on the number of possible calls based on predefined bandwidth constraints.
This functionality is commonly referred to as Call Admission Control.
The Convergence will continuously monitor the VoIP traffic streams. If the maximum allowable
number of calls or the maximum allowable user bandwidth is reached, all additional calls flow-
ing over that WAN link would be denied. This is accomplished via standard SIP mechanisms,
so that neither special software in the data center nor special phone hardware is necessary.
The advantages of this decentralized over centralized server-based ones are numerous:
The more generic Branch Connectivity Solution is very similar to the Standard Survivability
scenario. For an illustration, please compare to figure ?? There is one major difference in the
handling of network. In the Branch Connectivity Scenario, the Convergence has two network
connections, one internal, one external one. The SIP signalling and VoIP media handling
is translated between these two networks. As such, the device serves as a decentralized
Session Border Controller. Contrary to a far end NAT traversal solution like a central SBC, the
decentral SBC has a number of advantages especially in Enterprise scenarios.
2005-2008
c Comdasys AG 280
A Sample scenarios
2005-2008
c Comdasys AG 281
A Sample scenarios
The Hosted scenario is a slight variation of the Branch Connectivity Scenario. The difference
is probably the ownership of the device as well as the security policy. In Hosted Scenar-
ios, the Convergence is a customer premise termination equipment managed by the Hosted
Operator. This means that the Convergence is used to deliver a service to the customer
premises. Security and Survivability are important topics there. Figure ?? should give you an
overview.
If you have a Comdasys product with integrated Voice Gateway cards, you can support the
same scenarios as described here, with having the Voice Gateway built into the device. The
figure ?? should give an overview of how this fits together.
When used for SIP Trunking, the Convergence will support such functionalities as:
• Securing Network Boundaries and providing Connectivity between your PBX and the
external network
• NAT handling for both signalling and payload
• Signalling control of calls through the network, and gracefully reject calls when nec-
essary, protecting the network from Denial of Service attacks and sudden spikes in
congestion.
• Support for both Full Topology Hiding as well as SIP Proxy mode for improving interop-
erability and Feature interworking
2005-2008
c Comdasys AG 282
A Sample scenarios
2005-2008
c Comdasys AG 283
A Sample scenarios
• Advanced Security Features such as TLS and SRTP Termination for implementing se-
cure connectivity over insecure network links without having to upgrade all your equip-
ment. You can also use VPN based encryption for communication towards the SIP
Trunking provider
• DNS SRV handling for supporting redundancy configurations with your SIP Trunking
Provider
• SBC Mode
– Full Termination of Media
– Malformed Packet Protection and Topology hiding, but supports transparent pass-
through of signalling
– DNS SRV Solution and Support for failover and load balancing solutions
• B2BUA Mode
2005-2008
c Comdasys AG 284
A Sample scenarios
The choice which way to use will depend on wheter your carrier requires SIP registration and
whether your PBX connected to this trunk can perform the registration or not. If it can, the
transparent SBC approach is the suitable one because it can preserve the features across
the SIP Trunk. With this approach even propriertary signalling such as SIP-Q is possible.
If that is not the case, you will need to use the Back-to-Back User Agent based approach.
This can be configured in the B2BUA section.
i Products with Integrated Voice Gateway and Autoattendent functionality only support
the SIP Trunking without Registration. They cannot handle individual user accounts with
digest authentication with the SIP Provider.
The Convergence can also be used as a central Session Border Controller for Remote and
Internet users. The Convergence can provide the following functions:
2005-2008
c Comdasys AG 285
A Sample scenarios
2005-2008
c Comdasys AG 286
A Sample scenarios
The Cascaded SBC Scenario has to be seen in conjunction with the Branch SBC scenario. It
is a special version of the Centralized SBC. Media streams will be achnored for all connections
from the Branch to the Headquarter, or for connections between branches. If the connection
stays behind one of the Branch SBCs however, the Cascaded SBC will not anchor these
media streams.
Figure ?? ?? provides a typical setup for this scenario.
A.0.11 FMC
The Convergence enable enterprises to fully leverage their existing network infrastructure as
well as their WLAN networks for enabling more efficient voice communication while drastically
reducing the cost of mobile communication. This can be accomplished by offering its employ-
ees a true one number solution for their fixed line and mobile phones where the Mobile phone
can either be connected via GSM or via WLAN while retaining the Enterprise PBX features.
Besides Enterprises, Service Providers can use the Convergence to enhance their offering
2005-2008
c Comdasys AG 287
A Sample scenarios
by Voice Features and can thus become Virtual Mobile Operators. This would make special
sense to pure ISPs, WISPs (Wireless Internet Service Providers) and IP Telephony Service
Providers.
The Convergence enables enterprises and service providers, to deploy converged applica-
tions that now become seamlessly usable on their mobile devices. The Convergence allow
enterprises to make full use of dual mode phones (WLAN/WiFi/GSM/UTMS/CDMA) by en-
abling them to use their own wireless infrastructure for voice calls wherever possible. Besides
using their own wireless infrastructure, the WLAN capabilities of the dual mode phones can be
utilized anywhere in the range of an accessible Hotspot. The Comdasys FMC systems enable
static as well as dynamic handovers for making sure that the appropriate transport WLAN or
GSM/UMTS/CDMA is being used. The Comdasys FMC will also make sure that the media
path is handled appropriately depending on where the dual mode phone is currently located
(e.g. NAT handling for dual mode phone behind a Hotspot) The following picture shows the
principal layout of this scenario.
2005-2008
c Comdasys AG 288
A Sample scenarios
2005-2008
c Comdasys AG 289
B Support
For a more in depth information on the Configuration, you should first refer to the Command
Line Handbook. This will give you information about the possibilities of tracking down miscon-
figurations or problem through tracing etc. The Command Line reference is available from
ftp://ftp.comdasys.com/pub/documentation
For further support, Howto’s and FAQ’s visit our Website:
http://www.comdasys.com/Support/
or request support via eMail:
support@comdasys.com
2005-2008
c Comdasys AG 290