
SIP Trunking Configuration with Microsoft Office Communication Server 2007 R2
A Dell Technical White Paper
End-to-End Solutions Team, Dell Product Group - Enterprise

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND. Dell, the DELL logo, the DELL badge, PowerEdge, PowerVault, and Dell EqualLogic are trademarks of Dell, Inc.; Microsoft is a registered trademark of Microsoft Corporation in the United States and/or other countries. Sipera is a registered trademark of Sipera Systems. Wireshark is a registered trademark of the Wireshark Foundation. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others. 2009 Dell Inc. All rights reserved. Reproduction of this material in any manner whatsoever without the express written permission of Dell Inc. is strictly forbidden. For more information, contact Dell.

CONTENTS
INTRODUCTION
SIP TRUNKING REQUIREMENTS
  OCS R2 TELEPHONY/VOICE ROUTING INFRASTRUCTURE
  SECURITY AND PERIMETER NETWORK COMPONENTS
  SIP TRUNK SERVICE PROVIDER
  END-TO-END CONSIDERATIONS
SIP TRUNKING CONFIGURATION EXAMPLE WITH OCS 2007 R2
  EDGE DEVICE COMMUNICATION
  MEDIATION SERVER SETUP
  END-TO-END COMMUNICATION
TESTING THE CONFIGURATION
  OUTBOUND CALL VERIFICATION
  INBOUND CALL VERIFICATION
CONCLUSION

Introduction

Microsoft Office Communication Server 2007 Release 2 (OCS R2) introduces many new features and server roles for Unified Communication (UC) enterprise users. One of the new features provides enterprises with direct connectivity to the PSTN and Voice-over-IP (VoIP) networks without deploying PBX and IP-PSTN gateways in their environments. The connectivity to PSTN users and external VoIP users is provided by Internet Telephony Service Providers (ITSP) using Session Initiation Protocol (SIP) trunking technology. This enables internal and external calling to public telephone numbers and reduces the complexity of the end-to-end deployment. SIP trunking technology offers a cost-effective means of voice communication by offloading the Time Division Multiplexing (TDM) integration requirements of the PSTN to a SIP service provider, without a loss of end-user functionality when compared with a traditional TDM-based deployment.

OCS 2007 R2 is configured with dial plans that achieve the desired level of internal and external routing. It uses a defined set of transport protocols for SIP signaling and media traffic. For such a deployment, the SIP trunk service provider selected should be able to support the same protocols, or should require only a very small number of intermediate components to meet the interoperability requirements. Traffic routing and security, component integration, and consideration of the ports used between the service provider and the OCS infrastructure play important roles in SIP trunking deployment and successful communication.

This white paper defines the SIP trunking deployment and configuration requirements for an OCS 2007 R2 infrastructure. It also briefly steps through an example test deployment to provide an understanding of the procedures involved in a basic setup. SIP trunk service providers that are certified to operate with OCS R2 are listed here (http://technet.microsoft.com/en-us/office/bb735838.aspx#trunking).

SIP Trunking Requirements

SIP trunking setup requirements vary depending on the types of protocols involved and the communication methods provisioned by the SIP trunk service provider. Usually, service providers follow a standard format of SIP trunking that is widely accepted in the VoIP and telecom industry. The underlying transport protocols may differ based on their provisioning and deployment methodologies. OCS R2 also uses a defined set of protocols for internal SIP communication. When provisioning a SIP trunking solution for an OCS 2007 R2 environment, you must ensure that the underlying protocols and ports are accepted by both parties and that security mechanisms are in place. The interoperability factors and security concerns between OCS R2 and the service provider may lead to additional components in the deployment path. Therefore, the SIP trunking requirements for an OCS R2 deployment can be categorized into three segments: the OCS 2007 R2 telephony infrastructure, the SIP trunk service provider, and the interface components that provide security and interoperability.

OCS R2 Telephony/Voice Routing Infrastructure

In addition to instant messaging, Live Meeting, and conferencing components, OCS R2 contains enterprise voice routing functionality that you can configure to provide connectivity between internal UC and external telephony devices. The Front-End Communication Server pool in OCS 2007 R2 takes much of the responsibility for defining and processing inbound and outbound rules, similar to a PBX deployment. The Mediation Server provides gating functionality and isolates the OCS infrastructure from the external telecom environment. It also translates SIP signaling and RTP media between the communication server and the SIP trunk setup. In a SIP trunking topology, when an enterprise voice user initiates a call from an Office Communicator client to an external SIP or PSTN user, the appropriate rules are invoked and phone number normalization occurs. The call is then forwarded through the Mediation Server to the SIP trunk connectivity for completion.

As mentioned earlier, the routing functionality for Enterprise Voice is configured through rules and policies defined in the Global Voice Configuration. These rules are set up with the following administrative parameters:

Location Profiles: These profiles specify how OCS 2007 R2 front-end servers route calls that are dialed by the user. They include normalization rules that convert the number dialed in OCS to E.164 format.

Policy: A policy specifies the calling privileges that apply to users. A default policy can be set up that enables simultaneous ringing, meaning that incoming calls are simultaneously routed to a user's internal desk phone and Communicator devices. Policies are also used to implement class of service, which controls what number ranges users are allowed to dial.

Routes: A route allows users of a defined location profile who have outside dialing privileges to call external phones through defined Mediation Servers and a SIP trunk service provider. This configuration allows internal users to call phone numbers outside of the organization.

Security and Perimeter Network Components

Using the Internet for telephony drives cost savings in terms of both operating and capital expenditures. However, the deployment of SIP trunks means that voice is sent and received over TCP/IP as packets instead of being routed through traditional circuit-switched networks. This configuration creates new security concerns, since the enterprise network is now exposed to VoIP threats from the Internet. VoIP technology is susceptible to viruses, Denial of Service (DoS) attacks, spoofing, eavesdropping, VoIP spam, session hijacking, and many other issues, just like any other Internet packet communication. Traditional firewalls only ensure protection against standard security and Quality of Service (QoS) threats from the Internet. For VoIP-specific threats, SIP-aware security measures are required in the perimeter network joining the Mediation Server to the SIP trunk circuit.

If the SIP trunk service provider can provision the same transport protocols used by the Mediation Server, and is capable of communicating SIP signaling over TLS or TCP and media packets with RTP or SRTP, then a Virtual Private Network (VPN) connection between the enterprise edge site and the service provider is sufficient to fulfill the security requirements. In such a deployment, the Session Border Controller (SBC) at the service provider and the Mediation Server at the enterprise site manage the VoIP sessions, as shown in Figure 1.

Figure 1: SIP trunking with OCS 2007 R2 using a VPN connection between routers at both sites

If the service provider does not use TLS or TCP transport, in other words, if UDP is the only option for SIP communication, then one or more additional edge devices may be required at the enterprise perimeter site for protocol handling and SBC functions. Most service providers address security requirements for SIP signaling using IPSec (Internet Protocol Security) or secure tunnels. One or more additional edge devices may be required at the enterprise site to perform the following functions:

- Secure link/tunnel termination
- SBC functions for SIP session management and termination
- Secure UC access
- NAT (Network Address Translation) traversal and signal/media encryption (if still required)
- Transport protocol translation from UDP to TCP or TLS
- E.164 format conversion, applicable if the service provider is using a non-E.164 format; note that the Mediation Server in OCS 2007 R2 is also capable of providing the E.164 format conversion
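The location profile normalization rules and class-of-service policies described under the routing infrastructure above, and the E.164 format conversion that the last list item assigns to the edge device or the Mediation Server, can be illustrated with a small ordered-rule engine. The following Python is an added example, not code from this white paper, from Microsoft or from Sipera: the rule patterns, the +1 425 555 prefix, the 9 outside-line prefix and the policy names are constructed values for a hypothetical site, and the rule order is what makes an extension match before a 7-digit local number.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class NormalizationRule:
    """One ordered rule of a location profile: an anchored regex matched
    against the dialed digits and a translation producing E.164."""
    name: str
    pattern: str       # anchored regex on the cleaned dial string
    translation: str   # replacement template using \1 backreferences


# Constructed rules for a hypothetical US site (4-digit extensions, 9 for
# an outside line, 011 for international). Order matters: first match wins.
SAMPLE_RULES = [
    NormalizationRule("internal-extension", r"^(\d{4})$", r"+1425555\1"),
    NormalizationRule("us-local-7-digit", r"^9?(\d{7})$", r"+1425\1"),
    NormalizationRule("us-national", r"^9?1?([2-9]\d{9})$", r"+1\1"),
    NormalizationRule("international", r"^9?011(\d{7,15})$", r"+\1"),
    NormalizationRule("already-e164", r"^\+(\d{7,15})$", r"+\1"),
]

# Constructed class-of-service policies: the E.164 prefixes a user may dial.
SAMPLE_POLICIES = {
    "internal-only": ("+1425555",),
    "national": ("+1",),
    "international": ("+",),
}

E164 = re.compile(r"^\+[1-9]\d{6,14}$")  # leading +, 7 to 15 digits


def strip_dial_string(dialed: str) -> str:
    """Drop the separators users type (spaces, dashes, dots, parentheses)
    while preserving a leading + that marks an already-E.164 number."""
    keep_plus = dialed.strip().startswith("+")
    digits = re.sub(r"\D", "", dialed)
    return ("+" + digits) if keep_plus else digits


def normalize(dialed: str, rules=SAMPLE_RULES):
    """Apply the first matching rule; returns (e164, rule_name), or
    (None, None) when nothing matches, i.e. the number is unroutable."""
    candidate = strip_dial_string(dialed)
    for rule in rules:
        m = re.fullmatch(rule.pattern, candidate)
        if m:
            return m.expand(rule.translation), rule.name
    return None, None


def is_e164(number: str) -> bool:
    """Sanity check on the rule output before it reaches the route."""
    return bool(E164.match(number))


def route_call(dialed: str, policy: str):
    """Normalize, validate the result, then apply the class-of-service
    policy; returns (e164, allowed)."""
    e164, _rule = normalize(dialed)
    if e164 is None or not is_e164(e164):
        return None, False
    prefixes = SAMPLE_POLICIES[policy]
    return e164, any(e164.startswith(p) for p in prefixes)


if __name__ == "__main__":
    for dialed in ("1234", "9 555-1212", "9-1-425-555-1212", "9011 44 20 7123 4567"):
        print(f"{dialed!r:>24} -> {normalize(dialed)}  national policy: {route_call(dialed, 'national')[1]}")
```

A number that matches no rule is refused rather than passed through, which is the behaviour you want at a trunk edge: an unnormalized string should never reach the provider.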

There are devices available from SIP security vendors that provide all of the functions listed above built into one box. These functions must comply with enterprise policies and should be performed efficiently without impairing QoS. Figure 2 shows a SIP trunking implementation that uses an IPSec tunnel for signaling between the ITSP and the UC enterprise. Additional edge devices in the demilitarized zone (DMZ) are required, depending upon the protocols and methods provisioned by the service provider.

Figure 2: SIP trunking with OCS 2007 R2 using an IPSec tunnel and an additional edge device at the enterprise site

In addition to this setup, signaling and media ports for listening and transmission are enabled on the device interfaces for proper relay of messages. The media ports are usually configured with a large range, which allows random allocation of ports for each call, thereby adding another level of security for RTP traffic.

SIP Trunk Service Provider

The SIP trunk service provider side consists of a Session Border Controller (SBC), IP-PSTN gateways, and other intermediary components. The SBC provides SIP services across the NAT and firewall devices located at the enterprise site. It communicates with the enterprise edge device or Mediation Server to manage all VoIP sessions. The PSTN gateways and switches are responsible for handling calls that are eventually routed to the PSTN network.

The SIP trunk customer supplies the provider with the number of users in the OCS R2 infrastructure who are allowed external phone connectivity and whose calls are routed through the SIP trunk. The service provider leases the required number of unique Direct Inward Dialing (DID) phone numbers for that OCS setup. Typically, the ITSP can provide DID numbers from a number of regions/countries via one SIP trunk.

End-to-End Considerations

Important considerations that should be planned for when implementing end-to-end communication over SIP trunking are:

1. The signaling and media ports on the interfaces of the sending and receiving devices in the communication path should match or be coordinated. Any mismatch or restriction on receiving ports will block traffic from the sending device.
2. The firewalls on the enterprise and service-provider premises should allow only the specific IP addresses, SIP signaling ports, and media ports of the edge devices or routers, as agreed by both parties in the communication.
3. The IP addresses on the external edge of the terminal routers should be publicly routable.
4. If the service provider is capable of provisioning the TLS protocol for the complete end-to-end communication, then the process requires installation of authentication certificates on the devices involved in the setup. Such a scenario may not require deployment of edge security devices on the enterprise side, as shown in Figure 1.
5. If the service provider is provisioning a secure tunnel like IPSec for SIP signaling, then extra security considerations are required for media traffic that is routed outside the IPSec tunnel. One reason a service provider may not use IPSec for RTP traffic is to avoid overloading the channel. In such a scenario, SRTP should be used for media security.
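The five considerations above are the kind of thing a perimeter review checks flow by flow: agreed peer addresses, matching signaling ports, media inside the agreed ranges, routable edge addresses, and SRTP for any media that leaves the IPSec tunnel. The following Python is an added example (not from the white paper or any vendor) that evaluates constructed firewall flow records, as seen at the terminal router's external edge, against such an agreement. The addresses are taken from the RFC 5737 documentation ranges and stand in for public addresses; the ports, the media ranges and the record layout are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Blocks that must not appear on the external edge of the terminal routers
# (RFC 1918, loopback, link-local, CGNAT). The sample addresses below come
# from the RFC 5737 documentation ranges and stand in for public ones.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def is_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


@dataclass(frozen=True)
class Flow:
    """One flow as a firewall log at the router's external edge records it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    kind: str         # "sip" (signaling) or "rtp" (media)
    encrypted: bool   # TLS for signaling, SRTP for media
    in_tunnel: bool   # carried inside the provider IPSec tunnel


@dataclass(frozen=True)
class Agreement:
    """Addresses and ports agreed with the provider (constructed values)."""
    local_ip: str
    local_sip_port: int
    local_rtp_range: tuple      # inclusive (low, high)
    peer_sip_ips: frozenset
    peer_sip_port: int
    peer_rtp_ips: frozenset
    peer_rtp_range: tuple


def in_range(port: int, rng: tuple) -> bool:
    return rng[0] <= port <= rng[1]


def check_flow(flow: Flow, agr: Agreement) -> list:
    """Return the findings for one flow; an empty list means it conforms."""
    findings = []
    for label, ip in (("source", flow.src_ip), ("destination", flow.dst_ip)):
        if not is_routable(ip):                       # consideration 3
            findings.append(f"{label} {ip} is not publicly routable")
    # Work out which end is the local edge and which is the provider.
    if flow.dst_ip == agr.local_ip:
        peer_ip, peer_port, local_port = flow.src_ip, flow.src_port, flow.dst_port
    elif flow.src_ip == agr.local_ip:
        peer_ip, peer_port, local_port = flow.dst_ip, flow.dst_port, flow.src_port
    else:
        findings.append("flow does not involve the local edge address")
        return findings
    if flow.kind == "sip":                            # considerations 1 and 2
        if peer_ip not in agr.peer_sip_ips:
            findings.append(f"SIP peer {peer_ip} not in allow-list")
        if peer_port != agr.peer_sip_port:
            findings.append(f"provider SIP port {peer_port} != agreed {agr.peer_sip_port}")
        if local_port != agr.local_sip_port:
            findings.append(f"local SIP port {local_port} != agreed {agr.local_sip_port}")
    elif flow.kind == "rtp":
        if peer_ip not in agr.peer_rtp_ips:
            findings.append(f"RTP peer {peer_ip} not in allow-list")
        if not in_range(peer_port, agr.peer_rtp_range):
            findings.append(f"provider RTP port {peer_port} outside {agr.peer_rtp_range}")
        if not in_range(local_port, agr.local_rtp_range):
            findings.append(f"local RTP port {local_port} outside {agr.local_rtp_range}")
    else:
        findings.append(f"unknown flow kind {flow.kind!r}")
    if not flow.in_tunnel and not flow.encrypted:     # consideration 5
        what = "signaling" if flow.kind == "sip" else "media"
        findings.append(f"{what} outside the IPSec tunnel is not encrypted")
    return findings


SAMPLE_AGREEMENT = Agreement(
    local_ip="198.51.100.5", local_sip_port=5060, local_rtp_range=(40000, 50000),
    peer_sip_ips=frozenset({"203.0.113.10"}), peer_sip_port=5103,
    peer_rtp_ips=frozenset({"203.0.113.11"}), peer_rtp_range=(20000, 30000))

# Constructed flow records; the comments say what each one exercises.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 5103, "198.51.100.5", 5060, "sip", False, True),    # conforms
    Flow("198.51.100.5", 5060, "203.0.113.10", 5060, "sip", False, True),    # wrong provider port
    Flow("203.0.113.11", 24000, "198.51.100.5", 41000, "rtp", False, False),  # cleartext RTP outside tunnel
    Flow("203.0.113.11", 25000, "198.51.100.5", 42000, "rtp", True, False),   # SRTP outside tunnel: fine
    Flow("10.1.1.1", 5103, "198.51.100.5", 5060, "sip", False, True),        # private source at the edge
]


def audit(flows, agr) -> dict:
    """Map the index of each non-conforming flow to its findings."""
    return {i: f for i, fl in enumerate(flows) if (f := check_flow(fl, agr))}


if __name__ == "__main__":
    for i, findings in audit(SAMPLE_FLOWS, SAMPLE_AGREEMENT).items():
        print(i, SAMPLE_FLOWS[i], findings)
```

The routability check deliberately uses its own block list instead of the standard library's is_global property, because the documentation ranges used as sample values are themselves reserved; in production you would feed it real addresses and could rely on is_global.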

SIP Trunking Configuration Example with OCS 2007 R2

This section briefly provides the configuration steps for an example deployment of SIP trunking with OCS 2007 R2. The setup for this test environment is shown in Figure 3. The SIP service provider in this example provisions SIP over UDP using an IPSec connection that is terminated at the enterprise side on a terminal router. This can be any basic router capable of handling layer-3 services and IPSec termination. An edge device behind the router acts as an SBC, providing NAT traversal, security, and protocol interoperability with the OCS 2007 R2 Mediation Server setup.

Figure 3: Dell test environment for SIP trunking with OCS 2007 R2 using an IPSec tunnel

Edge Device Communication

This setup uses a Sipera IPCS 310 as a sample edge device that lies in the DMZ and is configured to receive SIP/RTP traffic from the router and send it to the Mediation Server after processing. Figures 4 through 9 show basic configuration steps for a Sipera device (using its management console).

1. The interfaces of the Sipera device linking the internal side to the Mediation Server and the external side to the trunk service provider are configured with their respective domain IP addresses along with the transport protocol and listening ports. In this setup, the SIP signaling from the service provider is received on UDP transport and repackaged on TCP for the Mediation Server side.

Figure 4: Screenshot showing the SIP signaling interfaces and ports of the Sipera device

2. The media port ranges for RTP traffic are also defined on these interfaces.

Figure 5: Screenshot showing the media interfaces and ports

3. The routing profile is configured for SIP packet routing with the next-hop IP location. It basically ensures that packets originating from the SIP trunk provider are relayed to the Mediation Server and vice versa.

Figure 6: Screenshot showing the next-hop routing location and transport

4. Server configuration defines the virtual entities assigned to the internal and external interfaces that are responsible for executing routing profiles.

Figure 7: Screenshot showing the Server Configuration entity for the Mediation Server side

Figure 8: Screenshot showing the Server Configuration for the service provider side

5. Some rules can also be applied to server interworking to define the phone number patterns that are allowed to pass. Converting phone numbers into E.164 format also occurs in this step.

Figure 9: Screenshot showing the server interworking and phone pattern policy

Note that the steps defined above are for basic configuration only. For more advanced configuration, including security settings, refer to the Sipera IPCS deployment guides.

Mediation Server Setup

The Mediation Server acts as the gateway for the OCS infrastructure. Microsoft highly recommends having two Ethernet interfaces on a Mediation Server for complete network isolation: the external edge interface to communicate with the Sipera device and the internal edge interface to link to the OCS internal infrastructure. You can configure the Mediation Server and activate it using the OCS 2007 R2 administration console.

1. The General tab in the Mediation Server properties is configured with the internal edge interface IP address and the external edge IP address, along with the SIP listening port. The location profile is part of the Enterprise Voice configuration defined in the Global Voice Configuration. For a detailed configuration of the location profile and OCS R2 telephony routing, refer to the Microsoft OCS R2 Deployment Guide. The media port range is defined for RTP/SRTP traffic.

Figure 10: Screenshot showing the General settings in the Mediation Server properties

2. The Next Hop Connections tab is configured with the OCS R2 Front-End Server/pool address and the PSTN gateway address (which is the Sipera IPCS in this case), along with the SIP port. The Mediation Server can be configured to use either TLS or TCP transport with the Sipera device. Usually the connection between the Sipera device and the Mediation Server is secure and dedicated, so extra security with TLS may not be required. If the TLS option is chosen, security certificates are required on both devices for the mutual handshake and authentication process. With the TLS-based option, the encryption level can also be defined so that media packets use SRTP.

Figure 11: Screenshot showing the Next Hop Connections settings in the Mediation Server properties

End-to-End Communication

As previously mentioned, OCS R2 Enterprise Voice routing is configured with a location profile and policies that use the DID phone numbers assigned by the service provider. Defined outbound routing traffic is sent to the Mediation Server, which communicates with the Sipera edge device in the DMZ. In turn, the edge device communicates with the terminal router, which relays traffic through the external firewall to the service provider. The process happens in reverse for inbound traffic routed from the PSTN user to the enterprise site user.

In case of inbound communication failure from the service provider to the enterprise site, you can troubleshoot the problem by first verifying the connection between the firewalls and terminal routers at both ends. If you determine that the IPSec (or VPN) termination points respond to ping and the required ports are open, then you should analyze the SIP traffic logs on the terminal router, edge device, Mediation Server, and OCS R2 internal receiving point. If the logs show that SIP signaling is successfully received on these devices, then you should analyze the media traffic along the same path for errors. Use the same troubleshooting steps in reverse order for outbound calls originating from the OCS R2 enterprise user to the PSTN user.

Testing the Configuration

This section discusses two basic testing scenarios for the sample deployment outlined in the previous section. These scenarios verify the inbound and outbound call flows as routed through the deployment path.

Outbound Call Verification

The outbound call test involves initiating a phone or Communicator call from the OCS 2007 R2 infrastructure to an external (PSTN) phone number. When the call is initiated from an OCS R2 registered endpoint, the dialed number is normalized through the applied location profile; the location profile verifies that the call is destined for an outbound route, and, if the user is allowed to use that route, the call is routed to the next hop. The SIP signaling verifies the path by establishing a session through the Mediation Server to the Sipera device, which performs the transport transformation. The signal is then routed outside of the corporate network through the firewall and received at the service provider site. The service provider processes the signal and initiates a discovery on the destination to determine whether the signal should be routed through the PSTN gateway or to the Internet for VoIP and SIP users. When the service provider completes the discovery, it sends an acknowledgement signal back to the OCS user and establishes a session. Media traffic then flows, using RTP packets.

Figure 12 shows the SIP and RTP trace (captured using the Wireshark network protocol analyzer) between the Sipera edge device and the service provider for an outbound call. The SBC-SIP IP and SBC-RTP IP represent the separate IP addresses for SIP and RTP traffic used by the service provider in this configuration. The SIP listening port is 5103 on the service provider side and 5060 on the Sipera side (as shown in the following figure).

Figure 12: Screenshot showing the outbound call sequence

Inbound Call Verification

The inbound call test involves initiating a phone call from an external (PSTN) phone number to an OCS 2007 R2 user. The service provider routes the SIP signal through its SBC and router to the enterprise site, where the Sipera edge device receives the session after it passes through the terminal router. The edge device then routes the SIP signal over TCP or TLS to the Mediation Server and then to the OCS R2 internal infrastructure. The SIP session is established between the OCS R2 user and the PSTN user after verification, and media traffic is allowed to flow. Figure 13 shows the SIP and RTP traces (captured using Wireshark) between the Sipera edge device and the service provider for an inbound call.

Figure 13: Screenshot showing the inbound call sequence
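The outbound and inbound traces of Figures 12 and 13 can be checked mechanically rather than by eye, and the same check is what you would run on the edge-device captures during the troubleshooting sequence described in the End-to-End Communication section. The following Python is an added example, not code from the white paper, Wireshark or Sipera: it parses constructed trace lines written in a Wireshark-like one-line summary form, reconstructs the call state (INVITE, answer, ACK, media in both directions, BYE) and verifies that both ends used the agreed SIP listening ports, 5060 on the Sipera side and 5103 on the provider side as the text states. The IP addresses (RFC 5737 documentation ranges), timestamps, SSRC values and the second, deliberately broken inbound trace are constructed.

```python
import re

# Constructed trace lines: "<no> <time> <src>:<port> -> <dst>:<port> <SIP|RTP> <info>".
# 198.51.100.5 stands for the Sipera edge, 203.0.113.10 for the provider's
# SBC-SIP address and 203.0.113.11 for its separate SBC-RTP address.
OUTBOUND_TRACE = """
1 0.000 198.51.100.5:5060 -> 203.0.113.10:5103 SIP Request: INVITE sip:+14255551212@203.0.113.10
2 0.015 203.0.113.10:5103 -> 198.51.100.5:5060 SIP Status: 100 Trying
3 0.420 203.0.113.10:5103 -> 198.51.100.5:5060 SIP Status: 180 Ringing
4 2.310 203.0.113.10:5103 -> 198.51.100.5:5060 SIP Status: 200 OK
5 2.318 198.51.100.5:5060 -> 203.0.113.10:5103 SIP Request: ACK sip:+14255551212@203.0.113.10
6 2.340 198.51.100.5:40010 -> 203.0.113.11:24000 RTP PT=PCMU, SSRC=0x1A2B3C4D, Seq=1
7 2.352 203.0.113.11:24000 -> 198.51.100.5:40010 RTP PT=PCMU, SSRC=0x5E6F7081, Seq=1
8 9.900 198.51.100.5:5060 -> 203.0.113.10:5103 SIP Request: BYE sip:+14255551212@203.0.113.10
9 9.912 203.0.113.10:5103 -> 198.51.100.5:5060 SIP Status: 200 OK
"""

# Constructed inbound trace in which the provider signals from port 5060
# instead of the agreed 5103, and the call is never torn down.
INBOUND_TRACE_BAD_PORT = """
1 0.000 203.0.113.10:5060 -> 198.51.100.5:5060 SIP Request: INVITE sip:+14255551234@198.51.100.5
2 0.010 198.51.100.5:5060 -> 203.0.113.10:5060 SIP Status: 100 Trying
3 0.900 198.51.100.5:5060 -> 203.0.113.10:5060 SIP Status: 180 Ringing
4 3.100 198.51.100.5:5060 -> 203.0.113.10:5060 SIP Status: 200 OK
5 3.120 203.0.113.10:5060 -> 198.51.100.5:5060 SIP Request: ACK sip:+14255551234@198.51.100.5
6 3.150 203.0.113.11:24002 -> 198.51.100.5:40012 RTP PT=PCMU, SSRC=0x11111111, Seq=1
7 3.160 198.51.100.5:40012 -> 203.0.113.11:24002 RTP PT=PCMU, SSRC=0x22222222, Seq=1
"""

LINE = re.compile(
    r"^(?P<no>\d+)\s+(?P<t>[\d.]+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>SIP|RTP)\s+(?P<info>.*)$")


def parse_trace(text: str) -> list:
    """Turn summary lines into dicts; a malformed line is an error, not skipped."""
    packets = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparsable trace line: {raw!r}")
        p = m.groupdict()
        p["no"], p["sport"], p["dport"] = int(p["no"]), int(p["sport"]), int(p["dport"])
        p["t"] = float(p["t"])
        packets.append(p)
    return packets


def analyze_call(text: str, edge_ip: str, edge_sip_port: int, provider_sip_port: int) -> dict:
    """Reconstruct one call from the trace and check the signaling ports."""
    result = {
        "direction": None,            # "outbound" (edge sent the INVITE) or "inbound"
        "established": False,         # 2xx final response to the INVITE seen
        "media_edge_to_provider": False,
        "media_provider_to_edge": False,
        "media_before_answer": False, # RTP seen before the 2xx (should not happen here)
        "terminated": False,          # 2xx response to the BYE seen
        "port_mismatches": [],        # (packet no, ip, port) on an unexpected SIP port
    }
    last_request = None
    for p in parse_trace(text):
        if p["proto"] == "RTP":
            if p["src"] == edge_ip:
                result["media_edge_to_provider"] = True
            else:
                result["media_provider_to_edge"] = True
            if not result["established"]:
                result["media_before_answer"] = True
            continue
        # Every SIP packet must use the agreed listening port on each end.
        for ip, port in ((p["src"], p["sport"]), (p["dst"], p["dport"])):
            expected = edge_sip_port if ip == edge_ip else provider_sip_port
            if port != expected:
                result["port_mismatches"].append((p["no"], ip, port))
        words = p["info"].split()
        if words[0] == "Request:":
            last_request = words[1]
            if last_request == "INVITE" and result["direction"] is None:
                result["direction"] = "outbound" if p["src"] == edge_ip else "inbound"
        elif words[0] == "Status:":
            code = int(words[1])
            # A 2xx is attributed to the most recent request; the constructed
            # traces carry a single dialog, so no CSeq matching is needed.
            if 200 <= code < 300 and last_request == "INVITE":
                result["established"] = True
            elif 200 <= code < 300 and last_request == "BYE":
                result["terminated"] = True
    return result


def call_succeeded(result: dict) -> bool:
    """The page's success criterion: session established, media both ways,
    on the agreed ports, and no media before the answer."""
    return (result["established"] and result["media_edge_to_provider"]
            and result["media_provider_to_edge"] and not result["media_before_answer"]
            and not result["port_mismatches"])


if __name__ == "__main__":
    for name, trace in (("outbound", OUTBOUND_TRACE), ("inbound", INBOUND_TRACE_BAD_PORT)):
        r = analyze_call(trace, "198.51.100.5", 5060, 5103)
        print(name, "ok" if call_succeeded(r) else "FAILED", r)
```

The port check is the one that catches the mismatch class in consideration 1: a call can look healthy at the SIP level while one side is already sending to a port the other side's firewall will eventually block.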

Conclusion

SIP trunking deployment provides a cost-effective solution with OCS 2007 R2. The configuration requires careful planning and consideration of the types of transport protocols and communication methods supported by the SIP trunk service provider. You should also take the security factors into account to avoid any VoIP threats from the Internet. In addition to SIP trunking configuration support, the OCS 2007 R2 infrastructure offers a complete set of unified communications with advanced features such as enhanced instant messaging, A/V conferencing, Live Meeting, and much more.

Dell PowerEdge servers and Dell PowerVault, Dell EqualLogic, and Dell/EMC storage provide suitable platforms for deploying the OCS 2007 R2 infrastructure. Dell offers Microsoft SQL Server solutions for hosting OCS 2007 R2 back-end databases and also offers complementary Microsoft Exchange Server solutions for hosting e-mail. These solutions provide a comprehensive platform for implementing an OCS 2007 R2 infrastructure with the required availability features. Dell Services include assessment, design, and implementation tailored to UC and messaging deployments. More information about Dell Unified Communications is available at www.dell.com/unified.