Avaya Solution & Interoperability Test Lab

Implementing Encrypted Conversations Between Avaya Softphone Endpoints with Avaya IP Office 403 and Avaya S8300 Media Server - Issue 1.0

Abstract

These Application Notes describe how to utilize various technologies to create encrypted conversations directly between Avaya Softphone endpoints. In particular, this document takes a closer look at an Avaya S8300 Media Server and an Avaya IP Office 403 and describes how to secure conversations between PC Softphones. The voice traffic is secured via IPSec encryption that is provided by a combination of an Avaya Security Gateway 200 (SG200) and a pair of Avaya VPNremote clients installed in the Avaya Softphone endpoints. Additionally, the configuration shows how to take advantage of the Direct Media capabilities that are built in throughout Avaya's product line in order to keep the encrypted conversation local to the Avaya Softphone endpoints and the Avaya SG200.
1. Introduction

These Application Notes describe how to utilize various technologies to create encrypted conversations directly between Avaya Softphone endpoints and an Avaya Security Gateway 200 (SG200). In particular, this document takes a closer look at an Avaya S8300 Media Server and an Avaya IP Office 403 and describes how to secure conversations between PC Softphones via IPSec encryption that is provided by a combination of an Avaya SG200 and a pair of Avaya VPNremote clients installed in the Avaya Softphone endpoints. Additionally, the configuration shows how to take advantage of the Direct Media capabilities that are built in throughout Avaya's product line in order to keep the encrypted conversation local to the Avaya Softphone endpoints and the Avaya SG200. This is an important point because the core network will be relieved of voice traffic, as the Avaya SG200 will push secure, encrypted voice traffic to the edge of the network.

In Figure 1, an Avaya IP Office 403 and an Avaya Communication Manager are connected via an H.323 trunk. The example in these Application Notes shows this trunk configured with Direct Media options. Additionally, a route pattern example shows Avaya Communication Manager Software (S8300) Softphone extension 41100 and IP Office extension 29905 being able to reach each other. Next, a configuration of the Avaya SG200 and the client endpoints is provided to illustrate encryption of the Softphone endpoints between the two products. Lastly, options are shown for configuring the Avaya Softphone and the Avaya Phone Manager Pro (Avaya Softphone for IP Office).

Some things to note:

- The Avaya P333T Stackable Layer 2 Switch is set to factory defaults. No configuration is necessary.
- The two Softphone endpoints will shuffle their IP addresses for direct media after the phone call is answered.
- The encrypted tunnels are between the IP endpoints and the SG200. The endpoints do not have the capability to create tunnels directly between themselves.
- The encrypted tunnels between the IP endpoints will negotiate a G.729A codec. This codec provides a good compromise between voice quality and bandwidth utilization.
Figure 1: Sample Network used for IPSec Encryption and Direct Media

(Network diagram not reproduced. Elements shown: Management Server 10.1.2.150; Avaya P333T Switch on 10.1.2.0/24; Avaya IP Office 403 10.1.2.50; Avaya S8300/G700; Avaya SG200 with private interface 10.1.2.1 and public interface 10.1.1.1; PC running Avaya Softphone and Avaya VPNremote, public address 10.1.1.200, private address 140.140.140.1, Ext 41100; PC running Avaya Phone Manager Pro and Avaya VPNremote, public address 10.1.1.100, private address 140.140.140.2, Ext 29905; IPSec tunnels between each PC and the Avaya SG200.)

2. Equipment and Software Validated

The following equipment and software were used for the sample configuration provided:

  Equipment                               Software
  Avaya S8300 Media Server                R011X.03.1.532.0
  Avaya G700 Media Gateway                20.1.18.0(A) 16
  Avaya IP Office 403                     2.09
  Avaya Softphone                         5.0.4.4
  Avaya Phone Manager Pro                 2.0.7
  Avaya VPNremote Client                  4.1.14
  Avaya SG200                             4.31.26
  Avaya P333T Layer 2 Stackable Switch    3.12.1

Table A: Version Table

3. Configure the Avaya Communications Manager Gateway

The configuration for the Avaya S8300 Media Server is described in three parts. The first part describes how to configure the stations for direct media, the second part describes how to configure IP Trunks for direct media, and the third part describes how to configure the dialplan.
3.1. Configure Extensions

Step 1: Configure the extensions. Enter the appropriate extension information for the IP Telephone. On page 1, verify that the IP SoftPhone field is set to y. On page 2, turn on Direct IP-IP Audio Connections and IP Audio Hairpinning. See Figure 2.

  change station 41102                                      Page 1 of 4  SPE B
                                    STATION
  Extension: 41100                       Lock Messages? n            BCC: 0
       Type: 4624                        Security Code:              TN: 1
       Port: S00081                      Coverage Path 1:            COR: 1
       Name: S8300 41102                 Coverage Path 2:            COS: 1
                                         Hunt-to Station:
  STATION OPTIONS
            Loss Group: 2        Personalized Ringing Pattern: 1
                                           Message Lamp Ext: 41100
          Speakerphone: 2-way            Mute Button Enabled? y
      Display Language: english
     Media Complex Ext:
         IP SoftPhone? y

  change station 41102                                      Page 2 of 4  SPE B
                                    STATION
  FEATURE OPTIONS
            LWC Reception: spe         Auto Select Any Idle Appearance? n
           LWC Activation? y                  Coverage Msg Retrieval? y
   LWC Log External Calls? n                             Auto Answer: none
              CDR Privacy? n                        Data Restriction? n
    Redirect Notification? y                Idle Appearance Preference? n
   Per Button Ring Control? n
     Bridged Call Alerting? n                Restrict Last Appearance? y
    Active Station Ringing: single
         H.320 Conversion? n      Per Station CPN - Send Calling Number?
        Service Link Mode: as-needed
          Multimedia Mode: enhanced
      MWI Served User Type:                             AUDIX Name:
                                      Emergency Location Ext: 41102
    Display Client Redirection? n
    Select Last Used Appearance? n
      Coverage After Forwarding? s
         Multimedia Early Answer? n
   Direct IP-IP Audio Connections? y
           IP Audio Hairpinning? y

Figure 2: Configuring Extension for Direct Media
3.2. Configuring IP Trunks

Step 1: Configure IP node names. Assign names and IP addresses for the Avaya S8300 Media Server interface. Assign a name to the far-end IP Office gatekeeper and enter its IP address. See Figure 3.

  change node-names ip                                      Page 1 of 1  SPE B
                                 IP NODE NAMES
      Name              IP Address
  PROCR             10.1.2.150
  IP-Office         10.1.2.50
  default           0.0.0.0

Figure 3: Configuring IP Node Names

Step 2: Verify the gateway and subnet mask information for the Avaya S8300 Media Server interface. This information should have been auto-populated from the initial web server administration. See Figure 4.

  change ip-interfaces                                      Page 1 of 19  SPE B
                                 IP INTERFACES
                                                                            Net
  Enable  Eth Pt  Type   Slot  Code Sfx  Node Name   Subnet Mask     Gateway Address  Rgn
    y                    PROCR           10.1.2.150  255.255.255.0   10.1.2.1         6

Figure 4: Configuring IP Interfaces
Step 3: Create the signaling group. Figure 5 shows the configuration of the associated signaling group parameters for Trunk Group 8. Notice that the field Trunk Group for Channel Selection must be left blank when adding the signaling group, even though this screen shows the value 8. This value will be added in a later step. Turn on Direct IP-IP Audio Connections and IP Audio Hairpinning.

  change signaling-group 8                                  Page 1 of 5  SPE B
                                 SIGNALING GROUP
   Group Number: 8               Group Type: h.323
                              Remote Office? n        Max number of NCA TSC: 0
                                                       Max number of CA TSC: 0
                                                     Trunk Group for NCA TSC:
         Trunk Group for Channel Selection: 8
        Supplementary Service Protocol: b

     Near-end Node Name: procr                Far-end Node Name: IP-Office
   Near-end Listen Port: 1720               Far-end Listen Port: 1720
                                         Far-end Network Region:
           LRQ Required? n             Calls Share IP Signaling Connection? n
           RRQ Required? n
                                         Bypass If IP Threshold Exceeded? n
   Direct IP-IP Audio Connections? y
           IP Audio Hairpinning? y
            Interworking Message: PROGress

Figure 5: Configuring IP Signal Group Parameters
Step 4: Create the trunk group. Figure 6 shows IP trunk group 8 configured. Pages 1 and 2 describe trunk group attributes. Page 6 assigns ports to the trunk group, where the first 15 ports were assigned for voice over this trunk. When entering the ports on page 6, simply enter IP and the S8300 will automatically assign the T00XXX port ID for the IP trunk. Now set the Trunk Group for Channel Selection field to 8 in the signaling group.

  change trunk-group 8                                      Page 1 of 22  SPE B
                                  TRUNK GROUP
  Group Number: 2                   Group Type: isdn            CDR Reports: y
    Group Name: IP Office IP Trunk         COR: 1        TN: 1        TAC: 108
     Direction: two-way        Outgoing Display? y        Carrier Medium: IP
   Dial Access? n              Busy Threshold: 255         Night Service:
  Queue Length: 0
  Service Type: tie                 Auth Code? n             TestCall ITC: rest
                                                    Far End Test Line No:
                                                            TestCall BCC: 4
  TRUNK PARAMETERS
         Codeset to Send Display: 0      Codeset to Send National IEs: 6
        Max Message Size to Send: 260    Charge Advice: none
    Supplementary Service Protocol: b    Digit Handling (in/out): enbloc/enbloc
                    Trunk Hunt: cyclical QSIG Value-Added? y
                                         Digital Loss Group: 13
     Calling Number - Delete:      Insert:              Numbering Format: lev0-pvt
                      Bit Rate: 1200     Synchronization: async    Duplex: full
   Disconnect Supervision - In? y  Out? n
   Answer Supervision Timeout: 0

  change trunk-group 8                                      Page 2 of 22  SPE B
                                  TRUNK FEATURES
            ACA Assignment? n           Measured: none        Wideband Support? n
                                     Internal Alert? n        Maintenance Tests? y
          Data Restriction? n        NCA-TSC Trunk Member:
                 Send Name: y        Send Calling Number: y
             Used for DCS? n
     Suppress # Outpulsing? N        Numbering Format: private
                                     Outgoing Channel ID Encoding: preferred
                                     UUI IE Treatment: service-provider
                                     Send UUI IE? y
                                     Send UCID? n
   Send Codeset 6/7 LAI IE? y
   Replace Restricted Numbers? n
   Replace Unavailable Numbers? n
   Send Connected Number: y
                        SBS? n   Network (Japan) Needs Connect Before Disconnect? n
  change trunk-group 8                                      Page 6 of 22  SPE B
                                  TRUNK GROUP
                                      Administered Members (min/max): 1/31
  GROUP MEMBER ASSIGNMENTS                  Total Administered Members: 31
         Port     Code Sfx Name        Night       Sig Grp
    1: T00109                                         8
    2: T00110                                         8
    3: T00111                                         8
    4: T00112                                         8
    5: T00113                                         8
    6: T00114                                         8
    7: T00115                                         8
    8: T00116                                         8
    9: T00117                                         8
   10: T00118                                         8
   11: T00119                                         8
   12: T00120                                         8
   13: T00121                                         8
   14: T00122                                         8
   15: T00123                                         8

Figure 6: Configuring IP Trunk 2 for Private Numbering

Step 5: Assign an IP network region. Figure 7 shows the network region QoS parameters for the IP trunk. Point the network region to the appropriate IP Codec set. Turn on Direct IP-IP Audio Connections and IP Audio Hairpinning.

  change ip-network-region 6                                Page 1 of 2  SPE B
                                 IP Network Region
    Region: 1
      Name:
                                  Audio Parameters
                 Codec Set: 1
                  Location:
            UDP Port Range  Min: 16384   Max: 32767
   Direct IP-IP Audio Connections? y
           IP Audio Hairpinning? y
                    RTCP Enabled? y
   RTCP Monitor Server Parameters
     Use Default Server Parameters? y
   DiffServ/TOS Parameters
     Call Control PHB Value: 34
       VoIP Media PHB Value: 46
              BBE PHB Value: 43
   802.1p/Q Enabled? n

  change ip-network-region 6                                Page 2 of 2  SPE B
                   Inter Network Region Connection Management
   Region (Group Of 32)
                1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
    001-032     1 1
    033-064
    065-096
    097-128

Figure 7: Configuring IP Network Region
Step 6: Choose a codec negotiation list. Assign preferred codecs in descending order. See Figure 8.

  change ip-codec-set 1                                     Page 1 of 1  SPE B
                                 IP Codec Set
      Codec Set: 1
      Audio         Silence       Frames    Packet
      Codec         Suppression   Per Pkt   Size(ms)
   1: G.729A        n             2         20
   2: G.729         n             2         20
   3: G.711MU       n             2         20
   4:
   5:
   6:
   7:

Figure 8: Configuring IP Codec Set

3.3. Configuring Dial Plans

Telephone extensions beginning with 2 are forwarded to IP Office. These extensions are not defined in the Avaya Communication Manager system. Instead, they are compared against a Uniform Dialplan Table. If there is a match, digits are analyzed and manipulated in the AAR Analysis Table and are then forwarded to the corresponding trunk group to IP Office, based on the Route Pattern Table.

Step 1: Create a Uniform Dialplan for 2. Create an entry for the first four digits of the five-digit extension. Specify the length of 5 so that the last digit will act as a placeholder for the number. Although the last digits are not directly referenced in the ensuing figures, they will be passed along. The first digit is deleted and 200 is added to form the seven-digit number 200XXXX. This number is then forwarded to the AAR analysis table for further processing. See Figure 9.

  change uniform-dialplan 2                                 Page 1 of 2  SPE B
                           UNIFORM DIAL PLAN TABLE
                                                            Percent Full: 0
    Matching                Insert                 Node
    Pattern   Len  Del      Digits    Net   Conv   Num
    2         5    1        200       aar   n
    31228     5    0                  ext   n

Figure 9: A Uniform Dial Plan Form
Step 2: Create an AAR Analysis entry. Create the AAR analysis entry for the seven-digit number 200XXXX. Specify a minimum and maximum of 7 digits. Route pattern 4 is assigned for further processing in the Route Pattern Table. See Figure 10.

  change aar analysis 200                                   Page 1 of 2  SPE B
                           AAR DIGIT ANALYSIS TABLE
                                                            Percent Full: 5
    Dialed     Total       Route     Call    Node   ANI
    String     Min   Max   Pattern   Type    Num    Reqd
    200        7     7     4         aar            n

Figure 10: AAR Analysis Form

Step 3: Create Route Pattern 4. Route Pattern 4 has one entry associated with it. The entry corresponds to trunk group 8 that was previously created. The digits will be forwarded to the trunk. Before the seven digits are forwarded, the first three digits, 200, will be stripped off and the digit 2 will be added so that only the original five digits will be sent. See Figure 11.

  change route-pattern 4                                    Page 1 of 3  SPE B
                     Pattern Number: 20
       Grp  FRL  NPA  Pfx  Hop  Toll  No.   Inserted                 DCS/  IXC
       No             Mrk  Lmt  List  Del   Digits                   QSIG
                                      Dgts                           Intw
    1: 8    0    0    3    2                                         n     user
    2:                                                               n     user
    3:                                                               n     user
    4:                                                               n     user
    5:                                                               n     user
    6:                                                               n     user

       BCC VALUE    TSC  CA-TSC     ITC   BCIE  Service/Feature  BAND  No.   Numbering  LAR
      0 1 2 3 4 W        Request                                       Dgts  Format
                                                                             Subaddress
    1: y y y y y n  y    as-needed  bothept                                  lev0-pvt   none
    2: y y y y y n  n               rest                                                none
    3: y y y y y n  n               rest                                                none

Figure 11: Route Pattern Form
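The digit manipulation in Steps 1 to 3 is easy to get wrong when the delete and insert counts of the three tables interact, so a small model of the path helps when reviewing a dial plan. The following Python is an added example and is not Avaya code; the table values are those of Figures 9 to 11 (pattern 2, length 5, delete 1, insert 200; AAR string 200, 7 digits, route pattern 4; route pattern 4 preference 1 to trunk group 8, delete 3, insert 2), while the table representation and the function names are this editor's assumptions.

```python
# Added example: models the three Avaya Communication Manager dial plan tables from
# section 3.3 (uniform-dialplan -> aar analysis -> route-pattern). Not Avaya code;
# table layout and function names are assumptions made for this illustration.

UNIFORM_DIALPLAN = [
    # (matching pattern, length, digits deleted, digits inserted, net) as in Figure 9
    ("2", 5, 1, "200", "aar"),
    ("31228", 5, 0, "", "ext"),
]

AAR_ANALYSIS = [
    # (dialed string, total min, total max, route pattern, call type) as in Figure 10
    ("200", 7, 7, 4, "aar"),
]

ROUTE_PATTERNS = {
    # pattern -> preferences: (trunk group, No. Del Dgts, Inserted Digits) as in Figure 11
    4: [(8, 3, "2")],
}


def uniform_dialplan(dialed):
    """Return (net, digits) after the Uniform Dial Plan table, or None if no entry matches."""
    for pattern, length, delete, insert, net in UNIFORM_DIALPLAN:
        if len(dialed) == length and dialed.startswith(pattern):
            return net, insert + dialed[delete:]
    return None


def aar_analysis(digits):
    """Return the route pattern chosen by the AAR Digit Analysis table, or None."""
    for dialed, lo, hi, pattern, _call_type in AAR_ANALYSIS:
        if digits.startswith(dialed) and lo <= len(digits) <= hi:
            return pattern
    return None


def route(pattern, digits, preference=1):
    """Return (trunk group, digits actually sent on the trunk) for one route preference."""
    trunk, delete, insert = ROUTE_PATTERNS[pattern][preference - 1]
    return trunk, insert + digits[delete:]


def trace_call(dialed):
    """Follow a dialed string through all three tables and report each stage."""
    udp = uniform_dialplan(dialed)
    if udp is None:
        return {"dialed": dialed, "result": "no uniform-dialplan match"}
    net, digits = udp
    if net == "ext":
        return {"dialed": dialed, "digits": digits, "result": "local extension"}
    pattern = aar_analysis(digits)
    if pattern is None:
        return {"dialed": dialed, "aar_digits": digits, "result": "no aar match"}
    trunk, sent = route(pattern, digits)
    return {"dialed": dialed, "aar_digits": digits, "route_pattern": pattern,
            "trunk_group": trunk, "sent": sent, "result": "routed"}


if __name__ == "__main__":
    # IP Office extension 29905 from Figure 1: 29905 -> 2009905 -> trunk group 8, 29905
    print(trace_call("29905"))
    print(trace_call("31228"))   # matches the second uniform-dialplan entry (ext)
    print(trace_call("41100"))   # S8300 station, no uniform-dialplan match
```

Running trace_call("29905") shows the 5-digit extension expanding to 2009905 for AAR, selecting route pattern 4, and being restored to 29905 before it leaves on trunk group 8; any change to a Del or Insert value in one table shows up immediately as a wrong "sent" string.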
3.4. Configuring IP Office

Step 1: Configure a user. Under the User option in Avaya IP Office Manager, enter the user information. See Figure 12.

Figure 12: Configuring User Information

Step 2: Enter telephony options. The form in Figure 13 captures the most common telephony options. Choose VoIP for Phone Manager Type when configuring a station for Phone Manager Pro.

Figure 13: Configuring Telephony Options

Step 3: Configure Line options. Create a new line and enter information as in Figure 14.

Figure 14: Configuring H.323 Line Options

Step 4: Enter VoIP information. Enter the information as in Figure 15 for proper H.323 trunk operation. Make sure Enable Faststart, Out of Band DTMF, and Allow Direct Media Path are all checked.

Figure 15: Configuring IP Office VoIP settings

Step 5: Configure Shortcode. Configure the shortcode so that the Avaya Communication Manager dialplan digits will be forwarded to the Avaya IP Office H.323 trunk as in Figure 16.

Figure 16: Configuring IP Office Shortcodes to Forward Digits to S8300

Step 6: Save and reboot. Save the configuration changes and reboot the Avaya IP Office.
3.5. Configuring Avaya SG200

Step 1: Configure interfaces. From a PC, launch a web browser and log into the Avaya SG200. Select Configure and then select the Network tab. Configure the Public and Private Interfaces with the appropriate IP addresses. Re-connect to the Avaya SG200 with the PC configured to the new network information. See Figure 17 and Figure 18.

Figure 17: Configuring Public Interface of the Avaya SG200

Figure 18: Configuring Private Interface of the Avaya SG200

Step 2: Configure a dynamic policy. Click on the Security tab and select Dynamic Policy. Click on the Address Pool button and enter the IP Address pool range as in Figure 19.

Figure 19: Configuring a Dynamic Policy

Step 3: Configure Remote Users. Click on the Users tab and select Remote Users. Add two new users as in Figure 20.

Figure 20: Configuring Remote Users

Step 4: Create a VPN (Screen 1). Click on the Security tab and on VPN Setup. Click on the Add button and enter the information as in Figure 21. Click Next to continue.

Figure 21: Creating a VPN (Screen 1)

Step 5: Create a VPN (Screen 2). Leave this screen blank. Click on the Next button to continue.

Figure 22: Creating a VPN (Screen 2)

Step 6: Create a VPN (Screen 3). Move the users from Available User(s) to Member User(s). Click on Next to continue.

Figure 23: Creating a VPN (Screen 3)

Step 7: Create a VPN (Screen 4). Enter the information as in Figure 24. Click on the Add button to create the encryption and authentication parameters. Click on Finish to complete the VPN configuration.

Figure 24: Creating a VPN (Screen 4)
3.6. Configuring Avaya VPNremote VPN Client Software

Step 1: Install Avaya VPNremote VPN Client Software. Supply the parameters as shown in Figure 25.

Figure 25: Configuring Avaya VPNremote VPN Client Software Log in Parameters

Step 2: Configure Avaya VPNremote VPN Client Software Preferences. Configure the preferences as shown in Figure 26.

Figure 26: Configuring VPNremote Preferences

3.7. Configuring Avaya IP Softphone

Step 1: Configure Avaya IP Softphone. Install the Avaya Softphone and use the configuration parameters as shown in Figure 27.

Figure 27: Configuring Avaya IP Softphone

3.8. Configuring Avaya Phone Manager Pro

Step 1: Configure Avaya Phone Manager Pro. Configure the Avaya Phone Manager Pro log on screen by pressing the Configure button and choosing PBX. Enter the information as in the form in Figure 28.

Figure 28: Configuring Avaya Phone Manager Pro PBX Log On Information

Step 2: Configure Preferences. Click on Configure and select Preferences. Click on the Phone Manager tab and select the preferences as in Figure 29.

Figure 29: Configuring Avaya Phone Manager Pro Phone Manager Preferences

Step 3: Configure Audio Codec. Click on Configure and select Preferences. Click on the Audio Codec tab and enter information as in Figure 30.

Figure 30: Configuring Avaya Phone Manager Pro Codec and Faststart
4. Verification Steps

Log into the Avaya S8300 Media Server and type status trunk 8. The trunk status should be in-service/idle as shown in Figure 31. If not, recheck the configuration.

  status trunk 8                                            Page 1  SPE B
                             TRUNK GROUP STATUS
  Member    Port      Service State       Mtce   Connected Ports
                                          Busy
  008/001   T00011    in-service/idle     no
  008/002   T00012    in-service/idle     no
  008/003   T00013    in-service/idle     no

Figure 31: Displaying the Status of the Trunk

Verify that the PC client tunnels are up. Open the Avaya VPNremote VPN Client Software, click on the Advanced button, and click on the Secure Connection tab. Verify that the tunnels are up. If they are, click on one of them to view details of the key exchange and encryption algorithm information. See Figure 32.

Figure 32: Verifying Client Tunnel Information
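The call trace used in the next step (list trace tac 108, Figure 33) is what actually proves the design goal: after shuffling, the media lines must show the two VPN pool addresses talking to each other with the G.729A codec, and no longer the S8300/G700 or IP Office media addresses. The following Python is an added example, not Avaya tooling; it parses trace lines in the form shown in Figure 33 and reports whether the final media leg is direct between the clients. The sample trace is constructed to mirror the figure, and the pool network 140.140.140.0/24 is an assumption (the figure shows the clients holding .1 and .2 from the SG200 address pool).

```python
import ipaddress
import re

# Constructed sample in the shape of the Figure 33 "list trace tac 108" output
# (added example; only the media and a few call-control lines are reproduced).
SAMPLE_TRACE = """\
05:36:01 Calling party station 41100 cid 0x149
05:36:01 dial 29905
05:36:01 G711MU ss:off ps:20 rn:6/6 140.140.140.1:16384 10.1.2.152:17386
05:36:02 G729A ss:off ps:20 rn:6/6 10.1.2.50:49242 10.1.2.152:17388
05:36:05 active trunk-group 8 member 2 cid 0x149
05:36:05 G729A ss:off ps:20 rn:6/6 140.140.140.1:16384 10.1.2.50:49242
05:36:05 G729A ss:off ps:20 rn:6/6 10.1.2.50:49242 140.140.140.1:16384
05:36:06 G729A ss:off ps:20 rn:6/6 140.140.140.2:5020 140.140.140.1:16384
05:36:06 G729A ss:off ps:20 rn:6/6 140.140.140.1:16384 140.140.140.2:5020
"""

# Assumption: the SG200 dynamic-policy address pool (Figure 19) is this /24; the two
# VPNremote clients in Figure 1 hold 140.140.140.1 and 140.140.140.2 from it.
VPN_POOL = ipaddress.ip_network("140.140.140.0/24")

# One media line: time, codec, silence suppression, packet size, region, src ip:port, dst ip:port
MEDIA_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<codec>G7\w+)\s+ss:(?P<ss>\w+)\s+ps:(?P<ps>\d+)\s+"
    r"rn:(?P<rn>\d+/\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_media_legs(trace_text):
    """Return the codec (media) lines of a trace as dicts; call-control lines are skipped."""
    legs = []
    for line in trace_text.splitlines():
        m = MEDIA_RE.match(line.strip())
        if m:
            leg = m.groupdict()
            leg["ps"] = int(leg["ps"])
            leg["src_ip"] = ipaddress.ip_address(leg["src"])
            leg["dst_ip"] = ipaddress.ip_address(leg["dst"])
            legs.append(leg)
    return legs


def final_leg(legs):
    """The last media line tells where the RTP stream ended up after shuffling."""
    return legs[-1] if legs else None


def is_direct_between_clients(leg, pool=VPN_POOL):
    """True when both ends of a leg are VPN pool (client) addresses, meaning the
    stream no longer touches the S8300/G700 or IP Office media resources."""
    return leg is not None and leg["src_ip"] in pool and leg["dst_ip"] in pool


def check_trace(trace_text, expected_codec="G729A", pool=VPN_POOL):
    """Summarise what the verification step needs from a trace capture."""
    legs = parse_media_legs(trace_text)
    last = final_leg(legs)
    via_gateways = [leg for leg in legs if not is_direct_between_clients(leg, pool)]
    return {
        "media_lines": len(legs),
        "final_codec": last["codec"] if last else None,
        "codec_ok": bool(last) and last["codec"] == expected_codec,
        "direct_media": is_direct_between_clients(last, pool),
        "legs_via_gateways": len(via_gateways),
        "endpoints": sorted({str(last["src_ip"]), str(last["dst_ip"])}) if last else [],
    }


if __name__ == "__main__":
    for key, value in check_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the sample, the early legs run through 10.1.2.152 (the S8300/G700) and 10.1.2.50 (IP Office) while the call is being set up, and only the two legs after "active" are direct between 140.140.140.1 and 140.140.140.2 with G729A. A capture whose final leg still names a 10.1.2.x address means shuffling did not complete, which usually points back at the Direct IP-IP Audio Connections, IP Audio Hairpinning or Allow Direct Media Path settings in sections 3.1, 3.2 and 3.4.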
Place calls between the two softphones and verify that the calls route properly, the displays are correct, and voice quality is acceptable. It is possible to monitor the progress of the call on the Avaya S8300 Media Server trunk by typing list trace tac 108, where the TAC 108 was previously assigned in the trunk group form for trunk 8. Notice that the last two lines show that the two PC endpoints shuffled their respective IP addresses, 140.140.140.1 and 140.140.140.2. See Figure 33.

  list trace tac 108                                        Page 1  SPE B
                                 LIST TRACE
  time            data
  05:36:01  Calling party station 41100 cid 0x149
  05:36:01  Calling Number & Name 41100 ACM JIM
  05:36:01  dial 29905
  05:36:01  term trunk-group 8 cid 0x149
  05:36:01  dial 29905
  05:36:01  route-pattern 4 preference 1 cid 0x149
  05:36:01  seize trunk-group 8 member 2 cid 0x149
  05:36:01  Setup digits 2009905
  05:36:01  Calling Number & Name NO-CPNumber NO-CPName
  05:36:01  G711MU ss:off ps:20 rn:6/6 140.140.140.1:16384 10.1.2.152:17386
  05:36:02  Alert trunk-group 8 member 2 cid 0x149
  05:36:02  G729A ss:off ps:20 rn:6/6 10.1.2.50:49242 10.1.2.152:17388
  05:36:05  active trunk-group 8 member 2 cid 0x149
  05:36:05  G729A ss:off ps:20 rn:6/6 140.140.140.1:16384 10.1.2.50:49242
  05:36:05  G729A ss:off ps:20 rn:6/6 10.1.2.50:49242 140.140.140.1:16384
  05:36:06  G729A ss:off ps:20 rn:6/6 140.140.140.2:5020 140.140.140.1:16384
  05:36:06  G729A ss:off ps:20 rn:6/6 140.140.140.1:16384 140.140.140.2:5020

Figure 33: Displaying the Trace of a Call Over a Trunk

5. Conclusion

After completing the configurations as described above, the network administrator should be able to place encrypted calls over the network, keeping the voice packets local to the two machines and the Avaya SG200.
Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at interoplabnotes@list.avaya.com