3com Ingate Open Network Integration Notes -Application Notes for Ingate SIParator Using Remote...

of 78

Authors: Scott Beer

3COM CONFIDENTIAL: NOT FOR EXTERNAL DISTRIBUTION

Application Notes for Ingate SIParator using Remote SIP Phones Issue: 1.0 Date: February 11, 2009 Abstract: In this application, the 3Com VCX solution is the IP-

PBX and SIP Domain Server. It is the call control server processing the phone features and PBX functionality required for an enterprise. It resides on the private LAN segment of enterprise, away from the Internet and protected by the Ingate from any malicious attacks.

The Ingate SIParator sits on the Enterprise network edge, providing a security solution for data and SIP communications with E-SBC functionality. It is responsible for all SIP communications security by providing Policy and Routing Rules to allow specific SIP traffic intended for the Enterprise.

The SIP Phones can be of any vendor type, located anywhere across the Internet or any remote networks.

of 78

Authors: Scott Beer


Table of Contents

Revision History .................................................................................................... 4 References ........................................................................................................... 4 Objective ............................................................................................................... 5 Ingate Systems ..................................................................................................... 6

Ingate Product Overview ............................................................................................................. 7 Ingate SIParators ........................................................................................... 7 Ingate add-on software modules and licenses ............................................... 7 Background.................................................................................................... 7

Technical Specifications .............................................................................................................. 8 Ingate SIParator Models 19, 50, 55, 65 and 90 .......................................... 8 Ingate SIParator Technical Details .............................................................. 10 Ingate SIParator Pictures ............................................................................. 11 Ingate SIParator Product Features: ............................................................. 12

Configuration Technical Details .......................................................................... 14 How it Works ............................................................................................................................. 14

Software Revisions ............................................................................................. 16 Software Requirements ............................................................................................................. 16 Tool Requirements .................................................................................................................... 16

Installation Overview ........................................................................................... 17 Network Topology ............................................................................................... 19 Testing Observations .......................................................................................... 20 Configuration Details ........................................................................................ 22

VCX Configuration .................................................................................................................. 22 Ingate Configuration Details ...................................................................................................... 45

Ingate Startup Tool ...................................................................................... 45 Connecting the Ingate Firewall/SIParator .................................................... 46 Using the Startup Tool ................................................................................. 48 Configure the Unit for the First Time ............................................................ 48 Change or Update Configuration ................................................................. 51 Network Topology ........................................................................................ 55 Product Type: Firewall ................................................................................ 56 Product Type: Standalone .......................................................................... 58 Product Type: DMZ SIParator ..................................................................... 60 Product Type: DMZ-LAN SIParator ............................................................ 63 Product Type: LAN SIParator ..................................................................... 66 IP-PBX ......................................................................................................... 68 Upload Configuration ................................................................................... 70 Manual Configuration Steps......................................................................... 72

Verification Tests ................................................................................................ 76 Product Support .................................................................................................. 77

Ingate Product Support: ............................................................................................................ 77

of 78

Authors: Scott Beer


3COM product support: ............................................................................................................. 77 Conclusion .......................................................................................................... 78

of 78

Authors: Scott Beer


Revision History

Revision Date Author Reason for change

1.0 11/02/2009 Scott Beer Doc Creation

References

Date Document Name Revision Company

of 78

Authors: Scott Beer


Objective The 3Com VCX Connect solution offers organizations with up to 250 phone users an economical IP telephony and messaging platform that delivers powerful phone features and supports multimedia communications based on Session Initiation Protocol (SIP). The platform's practical design and affordability help businesses replace antiquated PBXs with VoIP solutions that handle unified voicemail/email messaging (a standard feature). The 3Com VCX Connect solution allows for the connectivity and use of a wide variety of SIP Phones, both desk phones and soft-phones. These SIP Phones can be 3Com Business Phones or a number of different vendors. These SIP Phones can be located both on the Enterprise LAN or abroad over the Internet, and in Remote/Home Offices. In this application, the focus is towards the support of the Remote/Home Office SIP Phone support. Ingate SIParators, an Enterprise level SIP Session Border Controller (E-SBC) and SIP Security device. A powerful tool that offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications, based on Session Initiation Protocol (SIP). With the SIParator, even the largest of businesses, with branch offices around the world and remote workers, can easily harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology. In this application, above and beyond the E-SBC capabilities that the Ingate products provide, the SIParator is providing a number of additional features to enable remote SIP Phones connectivity to the 3Com VCX Connect solution. The Ingate products offer the use of the Remote SIP Connectivity Module, where there are features such as Far End NAT Traversal and a STUN Server. These features allow the Ingate to overcome NAT issues on the far end of the call.

of 78

Authors: Scott Beer


Ingate Systems Ingate Systems AB is a Stockholm, Sweden based high-tech company that designs, develops, manufactures and markets leading data communications

Session Initiation Protocol (SIP)-capable firewalls and SIParators, products that enable Unified Communications over the Internet. Unified Communications, with applications such as Internet telephony, presence indication, instant messaging, and audio/video conferencing, are modern and powerful business tools that enable enterprises to maintain reliable IP-communications internally and externally. As more businesses utilize these applications, service providers are offering SIP trunks to connect Local Area Networks to the outer world via Internet and/or dedicated, managed IP-lines. The enterprise Session Border Controller (Firewall) needs to manage all incoming and outgoing traffic securely. Authorized traffic based on SIP needs to pass through the Session Border Controller in a controlled manner reaching SIP units inside and outside the LAN. Ingate's Session Border Controllers are compatible with existing networks, and allow businesses to utilize the cost and time saving benefits of IP-based real-time communications with minimum investment.

Ingate has development facilities in Linkping, Sweden and a wholly owned subsidiary in the United States. We work long-term on our development projects and customer relations, as well as in the development and training of our employees.

of 78

Authors: Scott Beer


Ingate Product Overview

Ingate SIParators are compatible with all existing networks and come standard with a SIP proxy and a SIP registrar. They have support for NAT and PAT as well as for TLS and SRTP to encrypt both SIP signaling and media, eliminating the security issue most commonly associated with using enterprise VoIP. Ingate SIParators come in a range of sizes to meet enterprise needs from home office to large enterprise, and have been cited by users and media for ease of use. The flexible system of add-on software modules allows any enterprise to create the SIParator solution that exactly fits the need of the company for the moment.

Ingate SIParators

The Ingate SIParator is a device that connects to an existing firewall to seamlessly allow the traversal of SIP-based communications. Ingate SIParators are compatible with all existing firewalls and operating systems.

Ingate add-on software modules and licenses

Ingate's suite of software modules and the flexible licensing system give any enterprise the flexibility to create the firewall/SIParator that solves their specific need for the moment. All modules and licenses can be added at any time.

Background

Ingate's security technology dates back to 1996, and since 2001 SIP has been in focus when designing our award winning firewall products, making Ingate the only choice for enterprises planning for a secure, flexible and interoperable communication solution. Ingate products are a perfect fit for any SIP based VoIP/UC installation.

of 78

Authors: Scott Beer


Technical Specifications

Ingate SIParator Models 19, 50, 55, 65 and 90

The Ingate SIParator 19 has three ports and with different units can be scaled up to 6 ports with two Fiber ports on the SIParator 90, this provides a scalable solution to meet the needs of any size enterprise environments. The management interface for the products is the same Web-based Graphical User Interface (GUI) that has been cited by Ingate customers and the media for ease-of-use. All Ingate SIParators are fully featured, supporting stateful inspection and packet filtering with rules defined and maintained by the network security administrator utilizing the GUI. The SIParators can be configured as a part of the DMZ or in a standalone mode. In both cases, the benefits of SIP-based communications can be added to the network quickly and easily. Trusted Network Security for VoIP The Ingate SIParator SIP Proxy architecture grants fully secure traversal of the SIP traffic. The ports for the media streams are only opened between the specific parties of a call and only for the duration of the call. The SIP proxy inspects the SIP packets before sending them on. TLS and SRTP encryption ensures privacy when communicating, making call eavesdropping, call hijacking and call spoofing harder to do. Ingate also supports authentication of users and servers. Support for SIP Trunking More and more Internet Service Providers offer a SIP trunk a combined Internet and voice connection. For enterprises using an IP-PBX, SIP trunks are an ideal cost-saving solution as they no longer need local PSTN gateways or costly PRIs/BRIs. The service provider provides the PSTN connection. However, in order for SIP trunks to be successful, SIP traffic (as well as all other data

software module, available for Ingate SIParators, enables firewall and NAT traversal using the built-in SIP proxy, allowing the enterprise to connect to the SIP trunk. In addition, Ingate SIParators and the Ingate SIP proxy deliver advanced security for all SIP communications, including those via a SIP trunk. Ingate products also help ease compatibility issues between the IP-PBX and Internet telephony service provider.

of 78

Authors: Scott Beer


Choose the Right Features for Your Network Ingate offers several other add-on software modules that allow you to tailor the SIParator to meet the specific demands of your business. Ingate Quality of Service (QoS) sets priorities to different kinds of data and allocates bandwidth for varied purposes for instance, giving priority to VoIP. Ingate Remote SIP Connectivity extends the SIP capabilities of the enterprise to employees working remotely (home office workers, road warriors, etc.). Remote SIP Connectivity manages the traversal of the remote NAT from the central Ingate SIParators and also includes a STUN server. Ingate Enhanced Security Module provides Intrusion Detection and Intrusion Prevention for SIP as well as encryption of the communication. The SIP Registrar Module allows for making the Ingate Registrar the primary registration server. Add Global VoIP Connectivity to your IP-PBX The SIParators opens up a world of possibilities and cost savings when used with a SIP based IP-PBX. Businesses can route telephone calls via IP, not only between branch offices and home workers, but also to offices and other users using SIP-based Internet telephony. No longer limited to telephony voice, communication can also include video, instant messaging, presence and more. In addition, the SIParators makes it possible for home workers, road warriors and even branch offices to belong the same central IP-PBX with the highest level of security. The SIParators also affords the possibility to set up a private VoIP network, if preferred. Advanced IP-PBX functions are supported, including such as call transfer, call hold, and voicemail. Global connectivity is assured with the Remote SIP Connectivity Module for providing Far End NAT Traversal solutions.

of 78

Authors: Scott Beer


Ingate SIParator Technical Details

of 78

Authors: Scott Beer


Ingate SIParator Pictures

Ingate SIParator 19

Ingate SIParator 50, 55 and 65

Ingate SIParator 90

of 78

Authors: Scott Beer


Ingate SIParator Product Features:

Product Specifications Tested Features

Physical Interface

WAN

-T ports (RJ-45) Yes

LAN

-T ports (RJ-45) Yes

VoIP Protocol

Yes

SIP Proxy Yes

SIP B2BUA Yes

SIP Registrar Yes

SIP NAT/PAT Traffic Yes

TLS Transport N/T

SRTP Encryption N/T

Far End NAT Traversal Yes

Advance SIP Routing Yes

VoIP Survival N/T

40 (Model 19)

N/T

Quality of Service

N/T

N/T

N/T

N/T

Administration

Yes

-based GUI Yes

N/T

N/T

Logging N/T

DHCP

N/T

N/T

N/T

of 78

Authors: Scott Beer


Security

Firewall Yes

Yes

SIP Traffic IDS/IPS N/T

Yes

Yes (SIP)

Network Address Translation

Yes

-compatible SIP ALG Yes

Secure Management

-level access control Yes

N/T

Yes

N/T

VPN

Tunnel N/T

N/T

3DES N/T

AES N/T

NULL N/T

MD5 N/T

SHA1 N/T

N/T

XAUTH N/T

Digital certificates N/T

Pre-Shared Keys N/T

Secure ID N/T

N/T

Tunnels N/T

Troubleshooting

Yes

Yes

Yes

Yes

Yes

of 78

Authors: Scott Beer


Configuration Technical Details

How it Works

The 3Com 3102 Business Phone are SIP Phones and can be deployed anywhere over the internet, in Branch Offices, Home Offices and Road Warriors. Other SIP Phone vendors can also be used as SIP is an open standard. The VCX Connect IP-PBX is the SIP Domain Server, meaning that all SIP Phones communicate with the VCX Connect IP-PBX for communication services. The VCX Connect IP-PBX has a SIP Domain that should be Fully Qualified Domain Name (FQDN), for example vcx.sipdomain.com, allows SIP Phones and devices to resolve the FQDN to an IP address and directs them to the VCX Connect for communication services. But the VCX Connects IP Address is a Private IP Address on the Enterprise LAN. The Ingate is the enterprise Session Border Controller (Firewall) that manages all incoming and outgoing SIP traffic from the Internet. Authorizing traffic based on SIP policies to pass through the Session Border Controller in a controlled manner reaching SIP Phones and IP-PBXs inside and outside the LAN. Over the Public Internet the VCX Connect IP-PBX SIP Domain FQDN resolves to the Ingate public interface on the Internet, as the VCX Connect IP-PBX is located on the private LAN of the Enterprise. The Ingate then controls the VCX Connects SIP Domain and forwards SIP traffic for this domain to the VCX Connect IP-PBX and out to the various remote phones. The Ingate SIParator performs one additional function to assist in remote Branch Office, Home Office, and Road Warriors. Remote SIP Connectivity Module offers a Far End NAT Traversal feature to allow SIP Phones and devices to connect through remote NAT Firewalls.

of 78

Authors: Scott Beer


Example Network Configuration 3Com VCX Connect Primary Controller

Domain: vcx.sipdomain.com IP Address: 10.51.77.11

3Com VCX Connect Secondary Controller

Domain: vcx.sipdomain.com IP Address: 10.51.77.22

Ingate SIParator Domain: vcx.sipdomain.com WAN IP Address: 66.253.67.112 (For Remote 3Com Business Phones) Domain: vcx2.sipdomain.com WAN IP Address: 66.253.67.113 -------- LAN IP Address: 10.51.77.100 LAN IP Address: 10.51.77.101

3Com Business Phones Primary Server: 66.253.67.112 Secondary Server: 66.253.67.113 Other SIP Phones SIP Server: vcx.sipdomain.com

of 78

Authors: Scott Beer


Software Revisions

Vendor Product Model Version

Ingate Systems SIParator 19 4.7.1

3Com VCX

3Com 3102 Business Phone

Software Requirements


Tool Requirements


Wireshark Foundation Wireshark 1.0.6

of 78

Authors: Scott Beer


Installation Overview The 3Com VCX Connect solution offers organizations with up to 250 phone users an economical IP telephony and messaging platform that delivers powerful phone features and supports multimedia communications based on Session Initiation Protocol (SIP). The platform's practical design and affordability help businesses replace antiquated PBXs with VoIP solutions that handle unified voicemail/email messaging (a standard feature), support a full range of IP phones and interoperate with the PSTN. In this application the 3Com VCX is located on the private LAN network of the enterprise. Within this enterprise the 3Com VCX is servicing applications such as User Extensions, Call Center applications, PSTN access, User Voicemail, Auto-Attendant/IVR applications and more. Local Users are being serviced by the 3Com VCX on the private LAN network. The 3Com VCX becomes the SIP Domain Server for all of the SIP Phones. The 3Com VCX Connect solution allows for the connectivity and use of a wide variety of SIP Phones, both desk phones and soft-phones. These SIP Phones can be from a number of different vendors, such as 3Com, Polycom, Aastra, Counterpath and GrandStream. These SIP Phones can be located both on the Enterprise LAN or abroad over the Internet, and in Remote/Home Offices. In this application, these SIP Phones are located outside of the private LAN of the enterprise but continue to be serviced by the 3Com VCX. This extends the ability of the 3Com VCX to provide user extensions remotely any where over the Internet. Although these SIP Phones are not co-located with the 3Com VCX they behave and appear to be, essentially extending the features of the 3Com VCX to Remote Offices, Home Offices, and Road Warriors. Ingate SIParators, an Enterprise level SIP Session Border Controller (E-SBC) and SIP Security device. A powerful tool that offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications, based on Session Initiation Protocol (SIP). With the SIParator, even the largest of businesses, with branch offices around the world and remote workers, can easily harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology.

of 78

Authors: Scott Beer


In this application, the Ingate SIParators are utilizing E-SBC capabilities to ensure SIP VoIP communications with the remote SIP phones to provide access to the 3Com VCX. The Ingate products are providing E-SBC functionality such as SIP Routing Rules, SIP Security Policies, SIP Protocol compliance, Far End & Near End NAT Traversal and more to provide reliable SIP communications with the remote SIP phones.

of 78

Authors: Scott Beer


Network Topology Ingate SIParator Topology

Ingate SIParator Topology with 3Com Business Phones

of 78

Authors: Scott Beer


Testing Observations 1. SIP Trunking and Remote 3Com SIP Phone Deployment Overlap Issues For SIP Trunking Applications the Ingate is a Trusted Endpoint on the VCX Connect IP-PBX. This ensures that incoming SIP Trunking traffic from the various ITSPs via the Ingate are not authenticated by the 3Com VCX Connect IP-PBX. The overlap is that Remote SIP Phones should be authenticated by the VCX Connect IP-should not be a Trusted Endpoint. As a result of deploying SIP Trunking and Remote SIP Phone on the same Ingate, special configuration is required to have SIP Trunking as a Trusted Endpoint and Remote SIP Phone support as a Non-Trusted Endpoint. An additional WAN IP Address on the Ingate is needed to separate the handling of the SIP Trunking traffic and the handling of the Remote 3Com SIP Phone traffic. With two WAN IP Addresses the SIP Trunking is directed to one IP address and the Remote SIP Phone traffic is directed to the other. Then the Ingate can apply other Routing policies to change the source IP address from the Ingate to the VCX Connect based on the WAN IP addresses. 2. No FQDN Support on 3Com Business Phones The 3Com Business Phones are unable to enter a FQDN as a SIP Server address, only an IP Address is allowed, thus the Public IP Address of the Ingate SIParator is entered. A Dial Plan or DNS Override for SIP Requests must be created to direct traffic from the WAN IP Address of the Ingate to forward to the VCX Connect IP-PBX.

Note Dial Plan and DNS Override are mutually exclusive; you program one or the other. DNS Override will take precedent over the Dial Plan.

Other SIP Phones, typically SIP Phones can program a complete FQDN as the SIP Domain or Server. In this case the Ingate can use DNS Override for SIP Requests to relay the VCX Connects SIP Domain to the VCX Connect IP-PBX IP address.

of 78

Authors: Scott Beer


3. Secondary VCX on 3Com Business Phones As previous, the 3Com Business Phones are unable to enter a FQDN as a SIP Server address, only an IP Address is allowed, thus the Public IP Address of the Ingate SIParator is entered for the Primary VCX Connect controller. For the Secondary VCX Controller, a second (different) Public IP Address is required. The Ingate will now have a WAN IP Address to direct traffic to the Primary VCX Connect Controller, and a second WAN IP Address to direct traffic to the Secondary VCX Connect controller.

Note Be sure these IP Addresses do not conflict with the Ingate WAN IP Address used for SIP Trunking

Other SIP Phones, typically SIP Phones can program a complete FQDN as the SIP Domain or Server. In this case the Ingate can use DNS Override for SIP Requests to relay the SIP Domain to the VCX Connect Primary controller IP address. And also have a Second for the same SIP Domain to forward to the secondary VCX controller.

of 78

Authors: Scott Beer


Configuration Details The following configuration details represent the configuration under test. The Ingate SIParator provides Telco communications for all outbound and inbound PSTN calls. In addition the SIParator provided NAT translation services for any remote phones or Teleworkers wanting to register a phone to their work extension. The VCX is configured with the SIParator IP address as a trusted endpoint. Therefore no authentication or registration is needed between these 2 devices. The SIParator is configured with the both the VCX Primary and Secondary IP

the SIParator to VCX. Remote phone are configured to use the SIParator public IP address as their SIP Proxy address. All phone SIP registrations received by the SIParator are forwarded to the VCX for authentication. Once authenticated these remote phones can make outbound calls using their office extension and receive inbound calls to their office extension at home, all of these calls are carried over their office Telco connection.

VCX Configuration

Defining a device on the VCX using the Web interface.

Note: In versions prior to 8.x, creating a trusted endpoint was a 2 step process please refer to documentation for these version for details

of 78

Authors: Scott Beer


Using VCX Web Configuration GUI 1. Point a browser to VCX Server IP address (e.g.:http://158.101.74.100)

The VCX login screen appears. Select the Central Management Console option.

of 78

Authors: Scott Beer


2. Enter a VCX username and password with administrative access. (New VCX installations have a default username admin and password besgroup.) Click Submit.

of 78

Authors: Scott Beer


3. Select the site name you wish to work on.

of 78

Authors: Scott Beer


4. Select Directory from the top menu

of 78

Authors: Scott Beer


5. Click Trusted End Points Tab on Right of the screen to add a device IP addresses

of 78

Authors: Scott Beer


a. Click the Add Trusted End Point button.

b. Enter the endpoint configuration as follows:

IP Address: IP address of SIParator

Netmask: Use Host mask of 255.255.255.255

of 78

Authors: Scott Beer


6. Click End Points Tab on Right of the screen to add a device name for to the list as an endpoint

a. Add End Point

of 78

Authors: Scott Beer


b. The endpoint configuration window is displayed

c. Enter the endpoint configuration as follows:

Type: Set to Gateway

Active: Set to Yes.

Name: Enter the name of the device i.e. SIParator B2BUA

Description: Enter a description of the device i.e. Ingate

Site Id: Enter your VCX site ID.

IP Address: Enter the SIParator IP address

Port Number: port number (usually 5060)

Click the Save button.

d. The List of End Points table appears, listing the new endpoint.

of 78

Authors: Scott Beer


of 78

Authors: Scott Beer


7. Click Routes Tab to create a Route with one or more endpoints

of 78

Authors: Scott Beer


a. button and give it a name i.e. SIParator

of 78

Authors: Scott Beer


of 78

Authors: Scott Beer


b.

of 78

Authors: Scott Beer


c.

of 78

Authors: Scott Beer


d. From the list of available endpoints put a check mark next to

of 78

Authors: Scott Beer


of 78

Authors: Scott Beer


e.

of 78

Authors: Scott Beer


3com Ingate Open Network Integration Notes -Application Notes for Ingate SIParator Using Remote...

Documents

Transcript of 3com Ingate Open Network Integration Notes -Application Notes for Ingate SIParator Using Remote...