Application Notes for Ingate SIParator using SIP Trunking with ITSPs
Issue: 1.1
Date: April 29, 2009
Authors: Scott Beer (Ingate) and Ciaran William OShaughnessy (3Com)

Abstract:
In this application, the 3Com VCX solution is the IP-PBX and SIP Domain Server. It is the call control server processing the phone features and PBX functionality required for an enterprise. It resides on the private LAN segment of the enterprise, away from the Internet and protected by the Ingate from any malicious attacks. The Ingate SIParator sits on the Enterprise network edge, providing a security solution for data and SIP communications with E-SBC functionality. It is responsible for all SIP communications security by providing Policy and Routing Rules to allow specific SIP traffic intended for the Enterprise. The SIP Trunking Service Providers, or Internet Telephony Service Providers (ITSP), can be of any vendor type, located anywhere across the Internet or any remote networks. These Service Providers offer access to the PSTN over a SIP Trunk.
Page 2 of 69

Table of Contents
Revision History ... 4
References ... 4
Objective ... 5
Ingate Systems ... 6
Ingate Product Overview ... 6
Ingate Firewalls ... 7
Ingate SIParators ... 7
Ingate add-on software modules and licenses ... 7
Background ... 7
Technical Specifications ... 7
Ingate SIParator Models 19, 50, 55, 65 and 90 ... 7
Ingate SIParator Technical Details ... 9
Ingate SIParator Pictures ... 10
Ingate SIParator Product Features: ... 11
Configuration Technical Details ... 13
How it Works ... 13
Software Revisions ... 15
Software Requirements ... 16
Tool Requirements ... 16
Installation Overview ... 16
Network Topology ... 18
Testing Observations ... 18
Configuration Details ... 19
<3COM Product Name> Configuration file ... 19
Ingate Configuration Details ... 19
Ingate Startup Tool ... 39
Connecting the Ingate SIParator ... 40
Using the Startup Tool ... 42
Configure the Unit for the First Time ... 42
Change or Update Configuration ... 45
Network Topology ... 49
Product Type: Standalone ... 50
Product Type: DMZ SIParator ... 52
Product Type: DMZ-LAN SIParator ... 55
Product Type: LAN SIParator ... 57
IP-PBX ... 60
ITSP ... 62
Upload Configuration ... 65
Verification Tests ... 67
Product Support ... 68
Ingate Product Support: ... 68

3Com Open Network Solutions Lab Application Notes
Revision History

Revision  Date        Author           Reason for change
1.0       12/02/2009  Scott Beer       Doc Creation
1.1       4/29/2009   C OShaughnessy   Content Audit and added 3Com configuration
References
Date Document Name Revision Company
Objective
The 3Com VCX solution offers organizations from 100s to 1,000s of phone users an economical IP telephony and messaging platform that delivers powerful phone features and supports multimedia communications based on Session Initiation Protocol (SIP). The platform's practical design and affordability help businesses replace antiquated PBXs with VoIP solutions that handle unified voicemail/email messaging (a standard feature), support a full range of IP phones and interoperate with Internet Telephony Service Providers for PSTN access. The 3Com VCX solution allows for the connectivity and use of a wide variety of SIP Phones, both desk phones and soft-phones. These SIP Phones can be located on the Enterprise LAN, abroad over the Internet, or in Remote/Home Offices.

The Ingate SIParator is an Enterprise-level SIP Session Border Controller (E-SBC) and SIP Security device: a powerful tool that offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications based on Session Initiation Protocol (SIP). With the SIParator, even the largest of businesses, with branch offices around the world and remote workers, can easily harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology.

In this application, above and beyond the E-SBC capabilities that the Ingate products provide, the SIParator provides a number of additional features to enable SIP Trunking connectivity to the 3Com VCX solution. The Ingate products offer the SIP Trunking Module, with features such as Dial Plan, Routing Rules, B2BUA, Proxy, SIP Security Policies and much more. These features allow the Ingate to overcome the various integration issues between the variety of ITSPs and their deployments of SIP Trunking to the 3Com VCX solution.
Ingate Systems
Ingate Systems AB is a Stockholm, Sweden based high-tech Company that designs, develops, manufactures and markets leading data communications products for trusted Unified Communications. Ingate designed the world's first Session Initiation Protocol (SIP)-capable firewalls and SIParators, products that enable Unified Communications over the Internet. Unified Communications, with applications such as Internet telephony, presence indication, instant messaging, and audio/video conferencing, are modern and powerful business tools that enable enterprises to maintain reliable IP communications internally and externally. As more businesses utilize these applications, service providers are offering SIP trunks to connect Local Area Networks to the outer world via Internet and/or dedicated, managed IP-lines. The enterprise Session Border Controller (Firewall) needs to manage all incoming and outgoing traffic securely. Authorized traffic based on SIP needs to pass through the Session Border Controller in a controlled manner, reaching SIP units inside and outside the LAN. Ingate's Session Border Controllers are compatible with existing networks, and allow businesses to utilize the cost and time saving benefits of IP-based real-time communications with minimum investment. Ingate's leading products are marketed through world leading distributors, Value Added Resellers and OEMs on all continents. Ingate has development facilities in Linköping, Sweden and a wholly owned subsidiary in the United States. We work long-term on our development projects and customer relations, as well as in the development and training of our employees.
The flexible system of add-on software modules allows any enterprise to create the firewall/SIParator solution that exactly fits the need of the company for the moment.
Ingate Firewalls
Ingate Firewalls are cost effective and prevent unauthorized access to and from enterprise networks while allowing SIP-based communications. All messages entering and leaving the network are routed through the Ingate Firewall, which examines each packet and blocks those not explicitly authorized to pass.
Ingate SIParators
The Ingate SIParator is a device that connects to an existing firewall to seamlessly allow the traversal of SIP-based communications. Ingate SIParators are compatible with all existing firewalls and operating systems.
Background
Ingate's security technology dates back to 1996, and since 2001 SIP has been in focus when designing our award winning firewall products, making Ingate the only choice for enterprises planning for a secure, flexible and interoperable communication solution. Ingate products are a perfect fit for any SIP based VoIP/UC installation.
Technical Specifications
Ingate SIParator Models 19, 50, 55, 65 and 90
The Ingate SIParator 19 has three ports; with different units the product line scales up to 6 ports, with two Fiber ports on the SIParator 90, providing a scalable solution to meet the needs of enterprise environments of any size. The management interface for the products is the same Web-based Graphical User Interface (GUI) that has been cited by Ingate customers and the media for ease-of-use.
All Ingate SIParators are fully featured, supporting stateful inspection and packet filtering with rules defined and maintained by the network security administrator utilizing the GUI. The SIParators can be configured as a part of the DMZ or in a standalone mode. In both cases, the benefits of SIP-based communications can be added to the network quickly and easily.

Trusted Network Security for VoIP
The Ingate SIParator SIP Proxy architecture grants fully secure traversal of the SIP traffic. The ports for the media streams are only opened between the specific parties of a call and only for the duration of the call. The SIP proxy inspects the SIP packets before sending them on. TLS and SRTP encryption ensures privacy when communicating, making call eavesdropping, call hijacking and call spoofing harder to do. Ingate also supports authentication of users and servers.

Support for SIP Trunking
More and more Internet Service Providers offer a SIP trunk, a combined Internet and voice connection. For enterprises using an IP-PBX, SIP trunks are an ideal cost-saving solution as they no longer need local PSTN gateways or costly PRIs/BRIs. The service provider provides the PSTN connection. However, in order for SIP trunks to be successful, SIP traffic (as well as all other data traffic) must be able to traverse the enterprise firewall. Ingate's SIP Trunking software module, available for Ingate SIParators, enables firewall and NAT traversal using the built-in SIP proxy, allowing the enterprise to connect to the SIP trunk. In addition, Ingate SIParators and the Ingate SIP proxy deliver advanced security for all SIP communications, including those via a SIP trunk. Ingate products also help ease compatibility issues between the IP-PBX and Internet telephony service provider.

Choose the Right Features for Your Network
Ingate offers several other add-on software modules that allow you to tailor the SIParator to meet the specific demands of your business.
Ingate Quality of Service (QoS) sets priorities for different kinds of data and allocates bandwidth for varied purposes, for instance giving priority to VoIP.
Ingate Remote SIP Connectivity extends the SIP capabilities of the enterprise to employees working remotely (home office workers, road warriors, etc.). Remote SIP Connectivity manages the traversal of the remote NAT from the central Ingate SIParators and also includes a STUN server.
Ingate Enhanced Security Module provides Intrusion Detection and Intrusion Prevention for SIP as well as encryption of the communication.
The SIP Registrar Module allows for making the Ingate Registrar the primary registration server.
Add Global VoIP Connectivity to your IP-PBX
The SIParator opens up a world of possibilities and cost savings when used with a SIP based IP-PBX. Businesses can route telephone calls via IP, not only between branch offices and home workers, but also to offices and other users using SIP-based Internet telephony. No longer limited to telephony voice, communication can also include video, instant messaging, presence and more. In addition, the SIParator makes it possible for home workers, road warriors and even branch offices to belong to the same central IP-PBX with the highest level of security. The SIParator also affords the possibility to set up a private VoIP network, if preferred. Advanced IP-PBX functions are supported, including call transfer, call hold, and voicemail.
Ingate SIParator 19
Ingate SIParator 90
Ingate SIParator Product Features: [feature table not recoverable; only a column of Yes/N/T entries and the value 40 (Model 19) remain]
Product Specifications
Security: Firewall, Stateful Inspection Firewall, DoS Protection, SIP Traffic IDS/IPS, Access Control Lists, ALGs
Network Address Translation: Basic NAT (1:1), NAPT (Many:1), and Port Translation; NAT-compatible SIP ALG
Secure Management: Multi-level access control, RADIUS AAA, Port Authentication (802.1x), SSH CLI
VPN: IPSec Tunnel; Encryption 3DES, AES, NULL, MD5, SHA1; Authentication Mechanisms XAUTH, Digital certificates, Pre-Shared Keys, Secure ID; PPTP Server; Number of VPN Tunnels
Troubleshooting: PING, Traceroute, TCPdump utilities, Packet Capture, System Logging
Tested Features (column values in table order, row alignment lost): Yes Yes N/T Yes Yes (SIP) Yes Yes Yes N/T Yes N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T Yes Yes Yes Yes Yes
Configuration Technical Details

How it Works

The 3Com VCX solution offers organizations from 100s to 1,000s of phone users an economical IP telephony and messaging platform that delivers powerful phone features and supports multimedia communications based on Session Initiation Protocol (SIP). The Ingate becomes a trusted endpoint within the 3Com VCX Connect IP-PBX for all ITSP SIP Trunking communication from various ITSPs. The 3Com VCX solution allows for the connectivity and use of a wide variety of SIP Phones, both desk phones and soft-phones. These SIP Phones can be located on the Enterprise LAN, abroad over the Internet, or in Remote/Home Offices.

The Ingate SIParator is an Enterprise-level SIP Session Border Controller (E-SBC) and SIP Security device: a powerful tool that offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications based on Session Initiation Protocol (SIP). With the SIParator, even the largest of businesses, with branch offices around the world and remote workers, can easily harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology.

The Ingate provides a number of solutions for the 3Com VCX for problems when connecting to various service providers:

1) NAT/Firewall Traversal of SIP Protocol - SIP traffic cannot traverse traditional enterprise firewalls and NAT devices, thus the Ingate controls both incoming and outgoing communications and routes the communication to the intended peers.
2) SIP Protocol Normalization - Every ITSP delivers SIP with unique deployment requirements and attributes. Ingate contains a B2BUA to provide features to customize and facilitate ITSP integrations.
3) Advanced SIP Routing - Ingate can provide a seamless connection to and from the provider, and handle authentication at the service provider to validate the enterprise as the correct user of the SIP trunk.
4) SIP Security - Ingate provides advanced filtering, verification, authentication and routing, as well as dynamic control of the opening and closing of media ports.

Example Call Flow

In this example, the ITSP is located on the Internet, the Ingate SIParator has one interface on the Internet and one interface on the Private LAN, and the 3Com VCX is also on the LAN.

1) Incoming Call - The ITSP will send an INVITE to the Ingate's WAN IP Address with a SIP URI of the form DID@Ingate_WAN_IP, e.g. 6135552000@123.123.123.20. The Ingate, with a Dial Plan and other features, looks for this incoming SIP URI and routes the call to the 3Com VCX Connect LAN IP Address. In the process, the INVITE SIP URI is changed to 6135552000@VCX_LAN_IP. As the Ingate's LAN IP Address is a trusted endpoint within the VCX, the VCX routes the call internally to various applications or phones.
2) Outgoing Call - The VCX Connect will send an INVITE to the Ingate's LAN IP Address with a SIP URI of the form DID@Ingate_LAN_IP, e.g. 4165554444@10.10.10.1. The Ingate, with a Dial Plan and other features, looks for this outgoing SIP URI and routes the call to the ITSP WAN IP Address. In the process, the INVITE SIP URI is changed to 4165554444@ITSP_WAN_IP. As the Ingate's WAN IP Address is a trusted endpoint within the ITSP, it routes the call to the PSTN.
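The incoming and outgoing call flows above, as an added example that is not part of the application note or of Ingate's software: a small Python model of the two decisions the SIParator is described as making for each INVITE, a trusted-endpoint test on the source address (host mask /32, the same idea as the VCX Trusted End Points step later in this note) and the Dial Plan rewrite of the Request-URI from DID@Ingate_WAN_IP to DID@VCX_LAN_IP for incoming calls and from DID@Ingate_LAN_IP to DID@ITSP_WAN_IP for outgoing calls. The Ingate addresses 123.123.123.20 and 10.10.10.1 are the note's; the VCX LAN address 10.10.10.5 and the ITSP address 198.51.100.7 are assumptions, and the INVITE messages are constructed for the example.

```python
"""Model of the SIParator's trusted-endpoint check and Dial Plan Request-URI rewrite.

Added example, not from the application note or from Ingate/3Com. The Ingate
WAN/LAN addresses are the note's; VCX_LAN and ITSP_WAN are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

INGATE_WAN = "123.123.123.20"   # from the note's example
INGATE_LAN = "10.10.10.1"       # from the note's example
VCX_LAN = "10.10.10.5"          # assumption: VCX Connect LAN address
ITSP_WAN = "198.51.100.7"       # assumption: ITSP SIP trunk address (RFC 5737 range)

# Trusted endpoints, each with a host mask (/32): SIP from any other source is dropped.
TRUSTED = {
    "itsp": ipaddress.ip_network(ITSP_WAN + "/32"),
    "vcx": ipaddress.ip_network(VCX_LAN + "/32"),
}

# Request line of an INVITE: user part (the DID) and host part of the Request-URI.
REQUEST_LINE = re.compile(r"^INVITE sip:(?P<user>[^@;>\s]+)@(?P<host>[^;>\s]+) SIP/2\.0$")


@dataclass
class Decision:
    action: str       # "route" or "reject"
    next_hop: str     # address the INVITE is forwarded to ("" when rejected)
    request_uri: str  # rewritten Request-URI ("" when rejected)
    reason: str


def trusted_source(src_ip: str) -> str | None:
    """Name of the trusted peer the source address belongs to, or None."""
    ip = ipaddress.ip_address(src_ip)
    for name, net in TRUSTED.items():
        if ip in net:
            return name
    return None


def route_invite(src_ip: str, invite: str) -> Decision:
    """Dial Plan decision for one INVITE received by the SIParator."""
    peer = trusted_source(src_ip)
    if peer is None:
        return Decision("reject", "", "", f"source {src_ip} is not a trusted endpoint")
    m = REQUEST_LINE.match(invite.splitlines()[0])
    if not m:
        return Decision("reject", "", "", "malformed INVITE request line")
    user, host = m.group("user"), m.group("host")
    if not user.isdigit():
        return Decision("reject", "", "", "Request-URI user part is not a DID")
    # Incoming call: ITSP -> DID@Ingate_WAN_IP, rewritten to DID@VCX_LAN_IP.
    if peer == "itsp" and host == INGATE_WAN:
        return Decision("route", VCX_LAN, f"sip:{user}@{VCX_LAN}", "incoming DID delivered to IP-PBX")
    # Outgoing call: VCX -> DID@Ingate_LAN_IP, rewritten to DID@ITSP_WAN_IP.
    if peer == "vcx" and host == INGATE_LAN:
        return Decision("route", ITSP_WAN, f"sip:{user}@{ITSP_WAN}", "outgoing call sent to SIP trunk")
    return Decision("reject", "", "", f"no dial plan rule for {peer} -> {host}")


# Constructed sample INVITEs, trimmed to the headers the dial plan needs.
INCOMING_INVITE = (
    "INVITE sip:6135552000@123.123.123.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-example1\r\n"
    "From: <sip:4165554444@198.51.100.7>;tag=1\r\n"
    "To: <sip:6135552000@123.123.123.20>\r\n\r\n"
)
OUTGOING_INVITE = (
    "INVITE sip:4165554444@10.10.10.1 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.10.5:5060;branch=z9hG4bK-example2\r\n"
    "From: <sip:6135552000@10.10.10.5>;tag=2\r\n"
    "To: <sip:4165554444@10.10.10.1>\r\n\r\n"
)

if __name__ == "__main__":
    print(route_invite(ITSP_WAN, INCOMING_INVITE))
    print(route_invite(VCX_LAN, OUTGOING_INVITE))
    print(route_invite("203.0.113.9", INCOMING_INVITE))  # untrusted source: rejected
```

The source check runs before the Request-URI is parsed, so an INVITE from an address outside the two /32 entries is dropped regardless of what DID it carries; that ordering is what lets the VCX treat the SIParator as a trusted endpoint without per-call authentication, as the Configuration Details section of this note describes.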
Software Revisions
Vendor          Product Model        Version
Ingate Systems  SIParator 19         4.7.1
3Com            VCX                  7.1.21c and 8.0.7e
3Com            3102 Business Phone  n/a
Polycom         302 SIP Phone
Software Requirements
Vendor       Product Model  Version
CounterPath  X-Lite         3.0 Build 47546
Tool Requirements
Vendor                Product Model  Version
Wireshark Foundation  Wireshark      1.0.6
Bandwidth.com
Installation Overview
In this application the 3Com VCX is located on the private LAN network of the enterprise. Within this enterprise the 3Com VCX is servicing applications such as User Extensions, Call Center applications, PSTN access, User Voicemail, Auto-Attendant/IVR applications and more. Local Users are being serviced by the 3Com VCX on the private LAN network. The 3Com VCX becomes the SIP Domain Server for all of the SIP Phones.

In this application, the ITSPs are located outside of the private LAN of the enterprise and provide PSTN access using SIP Trunking, delivering this service to the 3Com VCX. This extends the ability of the 3Com VCX to provide PSTN access anywhere over the Internet or a remote network. These ITSPs are not co-located with the 3Com VCX but are accessible over any network. SIP Trunking is used as a cost-effective alternative to T1/PRI and essentially extends PSTN access for the 3Com VCX to Remote Offices, Home Offices, and Road Warriors.

The Ingate SIParator is an Enterprise-level SIP Session Border Controller (E-SBC) and SIP Security device: a powerful tool that offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications based on Session Initiation Protocol (SIP). With the SIParator, even the largest of businesses, with branch offices around the world and remote workers, can easily harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology.

In this application, the Ingate SIParators are utilizing E-SBC capabilities to ensure SIP VoIP communications with the ITSP to provide PSTN access to the 3Com VCX. The Ingate products are providing E-SBC functionality such as SIP Routing Rules, SIP Security Policies, SIP Protocol compliance, Near End NAT Traversal and more to provide reliable SIP communications with the SIP Trunking Service Providers.
Network Topology
Ingate SIParator Topology
Testing Observations
<Insert a list of observations or elements investigated to prove the solution as valuable>
Configuration Details
The following configuration details represent the configuration under test. The Ingate SIParator provides Telco communications for all outbound and inbound PSTN calls. In addition, the SIParator provides NAT translation services for any remote phones or Teleworkers wanting to register a phone to their work extension. The VCX is configured with the SIParator IP address as a trusted endpoint; therefore no authentication or registration is needed between these 2 devices. The SIParator is configured with both the VCX Primary and Secondary IP addresses as the SIP Proxy. All inbound Telco calls, i.e. DIDs, are redirected by the SIParator to the VCX. Remote phones are configured to use the SIParator public IP address as their SIP Proxy address. All phone SIP registrations received by the SIParator are forwarded to the VCX for authentication. Once authenticated, these remote phones can make outbound calls using their office extension and receive inbound calls to their office extension at home; all of these calls are carried over their office Telco connection.
VCX Configuration
Defining a device on the VCX 8.0.7e as a Trusted Endpoint can now be done using the Web interface.
Note: In versions prior to 8.x, creating a trusted endpoint was a 2-step process; please refer to the documentation for those versions for details.

Using VCX Web Configuration GUI
1. Point a browser to the VCX Server IP address (e.g. http://158.101.74.100). The VCX login screen appears. Select the Central Management Console option.
2. Enter a VCX username and password with administrative access. (New VCX installations have a default username admin and password besgroup.) Click Submit.
5. Click the Trusted End Points Tab on the right of the screen to add a device IP address
b. Enter the endpoint configuration as follows:
   IP Address: IP address of SIParator
   Netmask: Use Host mask of 255.255.255.255
6. Click the End Points Tab on the right of the screen to add a device name for each (i.e. Aspect) to the list as an endpoint
a. Select the Add End Point button
c. Enter the endpoint configuration as follows:
   Type: Set to Gateway
   Active: Set to Yes.
   Name: Enter the name of the device, i.e. SIParator B2BUA
   Description: Enter a description of the device, i.e. Ingate
   Site Id: Enter your VCX site ID.
   IP Address: Enter the SIParator IP address
   Port Number: port number (usually 5060)
   Click the Save button.
d. The List of End Points table appears, listing the new endpoint.
Page 29 of 69 6. Click Routes Tab to create a Route with one or more endpoints
a. Select the Add Route button and give it a name i.e. SIParator B2BUA and select Save
d. From the list of available endpoints put a check mark next to SIParator B2BUA and select the Assign Selected button
e. Confirm the OK
7. Click the Patterns Tab and create a pattern, if needed, that a call must match in order for VCX to send the call to the SIParator server.
Note: This step was skipped because the most common patterns are already defined by default on the VCX. Therefore an existing pattern of 81* was used in testing.
8. Click the Routes Tab, and create a route that lets VCX send calls to Aspect Unified IP. Click the Add Route Plan button.
a. In the Name field, enter a name for the route, i.e. Outbound SIP Trunk
b. Under the Pattern field select the pattern 81*
c. Under the Route field select the route SIParator B2BUA just created
d. Under Active select the button to enable with a check mark.
8. Click Save, which returns to the Routes screen, where the route Aspect should now be displayed
Ingate SIParator 90
3) The PC/Server with the Startup Tool should be located on the same LAN segment/subnet. It is required that the Ingate unit and the Startup Tool are on the same LAN Subnet to which you are going to assign an IP Address to the Ingate Unit. Note: When configuring the unit for the first time, avoid having the Startup Tool on a PC/Server on a different Subnet, or across a Router, NAT device, Tagged VLAN, or VPN Tunnel. Keep the network simple.
4) Proceed to Section: Using the Startup Tool for instructions on using the Startup Tool.
3) In the Select first what you would like to do, select Configure the unit for the first time.
4) Other Options in the Select first what you would like to do:
a. Select Configure SIP Trunking if you want the tool to configure SIP Trunking with the 3Com VCX server and ITSP.
b. Select Register this unit with Ingate if you want the tool to connect with www.ingate.com to register the unit. If selected, consult the Startup Tool Getting Started Guide.
c. Select Upgrade this unit if you want the tool to connect with www.ingate.com to download the latest software release and upgrade the unit. If selected, consult the Startup Tool Getting Started Guide.
d. Select Backup the created configuration if you want the tool to apply the settings to an Ingate unit and save the config file.
e. Select Creating a config without connecting to a unit if you want the tool to just create a config file.
f. Select The tool remembers passwords if you want the tool to remember the passwords for the Ingate unit.
5) In the Inside (Interface Eth0):
a. Enter the IP Address to be assigned to the Ingate Unit.
b. Enter the MAC Address of the Ingate Unit; this MAC Address will be used to find the unit on the network. The MAC Address can be found on a sticker attached to the unit.
6) In the Select a Password, enter the Password to be assigned to the Ingate unit.
7) Once all required values are entered, the Contact button will become active. Press the Contact button to have the Startup Tool find the Ingate unit on the network and assign the IP Address and Password.
8)
2) Select the Model type of the Ingate Unit, and then click Next.
3) In the Select first what you would like to do, select Change or update configuration of the unit.
4) Other Options in the Select first what you would like to do:
a. Select Configure Remote SIP Connectivity if you want the tool to configure Remote Phone access to the 3Com VCX server.
b. Select Register this unit with Ingate if you want the tool to connect with www.ingate.com to register the unit. If selected, consult the Startup Tool Getting Started Guide.
c. Select Upgrade this unit if you want the tool to connect with www.ingate.com to download the latest software release and upgrade the unit. If selected, consult the Startup Tool Getting Started Guide.
d. Select Backup the created configuration if you want the tool to apply the settings to an Ingate unit and save the config file.
e. Select Creating a config without connecting to a unit if you want the tool to just create a config file.
f. Select The tool remembers passwords if you want the tool to remember the passwords for the Ingate unit.
5) In the Inside (Interface Eth0):
a. Enter the IP Address of the Ingate Unit.
6)
7) Once all required values are entered, the Contact button will become active. Press the Contact button to have the Startup Tool contact the Ingate unit on the network.
8)
Network Topology
The Network Topology is where the IP Addresses, Netmask, Default Gateways, Public IP Address of NATed Firewall, and DNS Servers are assigned to the Ingate unit. The configuration of the Network Topology is dependent on the deployment (Product) type. When selected, each type has a unique set of programming and deployment requirements, be sure to pick the Product Type that matches the network setup requirements.
Configuration Steps:
1) In the Product Type drop down list, select the deployment type of the Ingate SIParator.
Hint: Match the picture to the network deployment.
2) When selecting the Product Type, the rest of the page will change based on the type selected. Go to the Sections below to configure the options based on your choice. Select: DMZ SIParator, DMZ-LAN SIParator, LAN SIParator, or Standalone SIParator.
2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the LAN network.
3) Define the Outside (Interface Eth1) IP Address and Netmask. This is the IP Address that will be used on the Internet (WAN) side of the Ingate unit.
a. A Static IP Address and Netmask can be entered
b. Or select Use DHCP to obtain IP, if you want the Ingate Unit to acquire an IP address dynamically using DHCP.
4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.
5) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.
2) Define the IP Address and Netmask of the DMZ (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the DMZ network side on the existing Firewall.
3) Define the LAN IP Address Range, the lower and upper limit of the network addresses located on the LAN. This is the scope of IP Addresses contained on the LAN side of the existing Firewall.
4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.
5) Enter the existing Firewall's external WAN/Internet IP Address. This is used to ensure correct SIP Signaling and Media traversal functionality. This is required when the existing Firewall is providing NAT.
6) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.
7) On the Existing Firewall, the SIP Signaling Port and RTP Media Ports need to be forwarded to the Ingate SIParator. The Ingate SIParator is an ICSA Certified network edge security device, so there are no security concerns forwarding network traffic to the SIParator. On the existing Firewall:
a. Port Forward the WAN/Internet interface SIP Signaling port of 5060 with a UDP/TCP Forward to the Ingate SIParator
b. Port Forward a range of RTP Media ports of 58024 to 60999 with a UDP Forward to the Ingate SIParator
c. If necessary, provide a Rule that allows the SIP Signaling on port 5060 using UDP/TCP transport from the DMZ network to the LAN network
d. If necessary, provide a Rule that allows a range of RTP Media ports of 58024 to 60999 using UDP transport from the DMZ network to the LAN network.
Page 55 of 69
2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the LAN network.
3) Define the IP Address and Netmask of the DMZ (Interface Eth1). This is the IP Address that will be used on the Ingate unit to connect to the DMZ network side on the existing Firewall.
a. A Static IP Address and Netmask can be entered
b. Or select Use DHCP to obtain IP, if you want the Ingate unit to acquire an IP address dynamically using DHCP.
4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.
5) Enter the existing Firewall's external WAN/Internet IP Address. This is used to ensure correct SIP Signaling and Media traversal functionality. This is required when the existing Firewall is providing NAT.
6) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.
7) On the existing Firewall, the SIP Signaling Port and RTP Media Ports need to be forwarded to the Ingate SIParator. The Ingate SIParator is an ICSA Certified network edge security device, so there are no security concerns forwarding network traffic to the SIParator. On the existing Firewall:
a. Port Forward the WAN/Internet interface SIP Signaling port of 5060 with a UDP/TCP Forward to the Ingate SIParator
b. Port Forward a range of RTP Media ports of 58024 to 60999 with a UDP Forward to the Ingate SIParator
voice traffic from the LAN is directed to the SIParator then to the existing Firewall.
2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the LAN network.
3) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.
4) Enter the existing Firewall's external WAN/Internet IP Address. This is used to ensure correct SIP Signaling and Media traversal functionality. This is required when the existing Firewall is providing NAT.
5) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.
6) On the existing Firewall, the SIP Signaling Port and RTP Media Ports need to be forwarded to the Ingate SIParator. The Ingate SIParator is an ICSA Certified network edge security device, so there are no security concerns forwarding network traffic to the SIParator. On the existing Firewall:
a. Port Forward the WAN/Internet interface SIP Signaling port of 5060 with a UDP/TCP Forward to the Ingate SIParator
b. Port Forward a range of RTP Media ports of 58024 to 60999 with a UDP Forward to the Ingate SIParator
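The port-forwarding step is the same in all three deployments (steps 7a-7d for the DMZ-only layout, 7a-7b where the SIParator also has a LAN leg). As an added example, not part of the application note or of any Ingate or 3Com tooling, the script below generates the equivalent iptables rules for an existing Linux-based firewall; interface names (eth0/eth1/eth2), the SIParator DMZ address and the LAN range are constructed placeholders.

```shell
#!/bin/sh
# Added example: iptables rules for the "existing Firewall" in front of the
# SIParator. Interface names and addresses are placeholders (documentation
# ranges), not values from the application note.
SIP_PORT=5060          # SIP signaling, UDP and TCP (step a)
RTP_FIRST=58024        # RTP media range, UDP only (step b)
RTP_LAST=60999

# siparator_forward_rules WAN_IF SIPARATOR_DMZ_IP LAN_NET DMZ_IF LAN_IF
# Prints one iptables command per line; nothing is applied by this function.
siparator_forward_rules() {
  [ $# -eq 5 ] || { echo "usage: siparator_forward_rules WAN_IF SIP_IP LAN_NET DMZ_IF LAN_IF" >&2; return 1; }
  wan_if=$1 sip_ip=$2 lan_net=$3 dmz_if=$4 lan_if=$5
  # Return traffic for the forwarded flows is admitted by connection state.
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # a) SIP signaling on 5060, UDP and TCP, forwarded only to the SIParator
  for proto in udp tcp; do
    echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $SIP_PORT -j DNAT --to-destination $sip_ip"
    echo "iptables -A FORWARD -i $wan_if -o $dmz_if -p $proto -d $sip_ip --dport $SIP_PORT -j ACCEPT"
  done
  # b) RTP media range, UDP only, forwarded to the SIParator
  echo "iptables -t nat -A PREROUTING -i $wan_if -p udp --dport $RTP_FIRST:$RTP_LAST -j DNAT --to-destination $sip_ip"
  echo "iptables -A FORWARD -i $wan_if -o $dmz_if -p udp -d $sip_ip --dport $RTP_FIRST:$RTP_LAST -j ACCEPT"
  # c/d) DMZ to LAN (DMZ-only deployment): restricted to the SIParator's own
  # address, the configured LAN range and the SIP/RTP ports, nothing else.
  for proto in udp tcp; do
    echo "iptables -A FORWARD -i $dmz_if -o $lan_if -p $proto -s $sip_ip -d $lan_net --dport $SIP_PORT -j ACCEPT"
  done
  echo "iptables -A FORWARD -i $dmz_if -o $lan_if -p udp -s $sip_ip -d $lan_net --dport $RTP_FIRST:$RTP_LAST -j ACCEPT"
}

# Dry run with constructed values; pipe the output to sh on the firewall to apply it.
siparator_forward_rules eth0 192.0.2.10 10.0.0.0/24 eth1 eth2
```

In the DMZ/LAN and LAN-only deployments the last three rules are unnecessary, because the SIParator itself carries the traffic into the LAN.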
IP-PBX
The IP-PBX section is where the IP Address and Domain location are provided to the Ingate unit. The configuration of the IP-PBX allows the Ingate unit to know the location of the 3Com VCX so that it can direct SIP traffic for use with SIP Trunking. The IP Address of the 3Com VCX server must be on the same network subnet as the IP Address of the inside interface of the Ingate unit. Ingate has confirmed interoperability with the 3Com VCX.
Configuration Steps:
1) In the IP-PBX Type drop down list, select the 3Com vendor. Ingate has confirmed interoperability with the 3Com VCX; the unique requirements of the vendor testing are contained in the Startup Tool.
2) Enter the IP Address of the 3Com VCX. The IP Address should be on the same LAN subnet as the Ingate unit.
3) This solution requires the use of a FQDN for the SIP Domain of the 3Com VCX. This domain name is used to route SIP Requests to the 3Com VCX associated with that domain. Select Use domain name and enter the FQDN.
ITSP
The ITSP section is where all of the attributes of the SIP Trunking Service Provider are programmed: details like the IP Addresses or Domain, DIDs, Authentication Account information, Prefixes, and PBX local number. The configuration of the ITSP allows the Ingate unit to know the location of the ITSP so that it can direct SIP traffic for use with SIP Trunking. Ingate has confirmed interoperability with many of the leading ITSP vendors.
Configuration Steps:
1) In the ITSP drop down list, select the appropriate ITSP vendor. Ingate has confirmed interoperability with several of the leading ITSP vendors; the unique requirements of the vendor testing are contained in the Startup Tool. If the vendor choice is not seen, select Generic ITSP.
When you select a specific ITSP vendor, the Startup Tool will have the individual connection requirements predefined for that ITSP; the only additional entries may be the specific site requirements.
2) Service Providers come in one of two flavors: either they have a trusted IP deployment or they require a Registration account.
a. In the case where the Service Provider uses a Trusted IP deployment, all that is required is to enter the IP Address or Domain of the Service Provider's SIP Server or SBC. Enter the IP Address here, or select Use domain name and enter the FQDN of the Service Provider.
b. In the case where the Service Provider requires the Ingate to Register with the Service Provider's SIP Server or SBC, select Use Account. When Use Account is selected, the Registration Account information from the Service Provider is required: information such as Username/DID, Service Provider's Domain, Authentication Username, and Authentication Password.
i. Enter a DID (Username) with which the Ingate will register with the Service Provider. The Startup Tool also has the ability to program a sequential range of DIDs.
ii. Registrations often require the use of an Authentication Username and Password. Also enter the Domain or IP Address of the Service Provider.
3) The Ingate has the ability to add/remove digits and characters from the Request-URI header. A typical scenario is the addition or removal of the ENUM character "+". Many IP-PBXs and ITSPs need this character added or removed before SIP requests are sent or received. Here you can enter values to Match and remove from the Request-URI.
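To make the Match/remove behaviour concrete, here is an added example (not Ingate's implementation) of the same rewrite applied to a SIP Request-URI: a prefix is stripped from, or prepended to, the user part only, while the scheme and the host part (including any URI parameters) are left untouched. The function name and the example URIs are constructed.

```shell
#!/bin/sh
# Added example: rewrite the user part of a SIP Request-URI the way the
# Startup Tool's Match/remove setting does. Constructed, not Ingate code.
#
# rewrite_request_uri URI MATCH REPLACE
#   If the user part of URI begins with MATCH, that prefix becomes REPLACE.
#   MATCH="" with REPLACE="+" prepends the ENUM "+"; MATCH="+" REPLACE="" removes it.
rewrite_request_uri() {
  uri=$1 match=$2 replace=$3
  case $uri in
    sip:*|sips:*) ;;
    *) printf 'not a SIP URI: %s\n' "$uri" >&2; return 1 ;;
  esac
  scheme=${uri%%:*}
  rest=${uri#*:}
  case $rest in
    *@*) user=${rest%%@*} host=${rest#*@} ;;
    *) printf '%s\n' "$uri"; return 0 ;;     # no user part: nothing to rewrite
  esac
  case $user in
    "$match"*) user=$replace${user#"$match"} ;;   # prefix match on the user part only
  esac
  printf '%s:%s@%s\n' "$scheme" "$user" "$host"
}

# Outbound to an ITSP that does not want the "+", then inbound to a PBX that does.
rewrite_request_uri 'sip:+15551234567@itsp.example;transport=udp' '+' ''
rewrite_request_uri 'sip:15551234567@vcx.example' '' '+'
```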
Upload Configuration
At this point the Startup Tool has all the information required to push a database into the Ingate unit. The Startup Tool can also create a backup file for later use.
Configuration Steps:
1) Press the Upload button. If you would like the Startup Tool to create a Backup file, also select Backup the configuration. Upon pressing the Upload button the Startup Tool will push a database into the Ingate unit.
2) When the Startup Tool has finished uploading the database a window will appear, and once you press OK the Startup Tool will launch a default browser and direct you to the Ingate Web GUI.
3) Although the Startup Tool has pushed a database into the Ingate unit, the changes have not been applied to the unit. Press Apply Configuration to apply the changes to the Ingate unit.
4) A new page will appear after the previous step requesting to save the configuration. Press Save Configuration to complete the saving process.
Verification Tests
1. Remote SIP Phone Registration
2. Basic Call: Local Extension calls Remote SIP Phone
3. Basic Call: PSTN Trunk calls Remote SIP Phone
4. Basic Call: Remote SIP Phone calls Local Extension
5. Basic Call: Remote SIP Phone calls PSTN Trunk
6. Attended Transfer: Local Extension calls Remote SIP Phone, Remote Phone Transfers Local Extension to PSTN Trunk
7. Attended Transfer: Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Local Extension
8. Attended Transfer: Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Remote SIP Phone
9. Attended Transfer: Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to PSTN Trunk
10. Attended Transfer: Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Local Extension
11. Attended Transfer: Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Remote SIP Phone
12. Unattended Transfer: Local Extension calls Remote SIP Phone, Remote Phone Transfers Local Extension to PSTN Trunk
13. Unattended Transfer: Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Local Extension
14. Unattended Transfer: Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Remote SIP Phone
15. Unattended Transfer: Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to PSTN Trunk
16. Unattended Transfer: Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Local Extension
17. Unattended Transfer: Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Remote SIP Phone
18. Conference: Local Extension calls Remote SIP Phone, Remote Phone Conferences Local Extension to PSTN Trunk
19. Conference: Local Extension calls Remote SIP Phone, Remote SIP Phone Conferences Local Extension to another Local Extension
20. Conference: Local Extension calls Remote SIP Phone, Remote SIP Phone Conferences Local Extension to another Remote SIP Phone
21. Conference: Remote SIP Phone calls Local Extension, Local Extension Conferences Remote SIP Phone to PSTN Trunk
22. Conference: Remote SIP Phone calls Local Extension, Local Extension Conferences Remote SIP Phone to another Local Extension
23. Conference: Remote SIP Phone calls Local Extension, Local Extension Conferences Remote SIP Phone to another Remote SIP Phone
24. Message Waiting
25. DTMF - PSTN
26. DTMF - Voicemail
Product Support
Product support can be obtained from the respective product suppliers.
Conclusion
In this application, the 3Com VCX solution is the IP-PBX and SIP Domain Server. It is the call control server processing the phone features and PBX functionality required for an enterprise. It resides on the private LAN segment of the enterprise, away from the Internet and protected by the Ingate from any malicious attacks. The Ingate SIParator sits on the Enterprise network edge, providing a security solution for data and SIP communications with E-SBC functionality. It is responsible for all SIP communications security by providing Policy and Routing Rules to allow specific SIP traffic intended for the Enterprise. The SIP Trunking Service Providers, or Internet Telephony Service Providers (ITSP), can be of any vendor type, located anywhere across the Internet or any remote networks. These Service Providers offer access to the PSTN over a SIP Trunk.