Configuring Avaya 96x1 Series IP Telephone VPN feature

RKD; Reviewed:

SPOC 6/24/2013

Solution & Interoperability Test Lab Application Notes

©2013 Avaya Inc. All Rights Reserved.

1 of 52

96x1VPNSCEPASA

Avaya Solution & Interoperability Test Lab

Configuring Avaya 96x1 Series IP Telephone VPN feature

with Cisco 5510 Adaptive Security Appliance using

Microsoft Windows Server 2008 Certificate Authority and

Network Device Enrollment Service with Simple Certificate

Enrollment Protocol - Issue 1.0

Abstract

These Application Notes describes the configuration steps required to configure the Avaya

96x1 IP Telephone VPN feature for Certificate Authentication using Cisco 5510 Adaptive

Appliance and Microsoft Certificate Authority. The Application Notes identifies how to

generate digital certificates using the Microsoft Certificate Authority and download these

certificates to the Avaya 96x1 Series IP Telephone and how to administer the Cisco Adaptive

Security Appliance to establish and terminate an IPSec VPN tunnel request from the Avaya

96x1 Series VPN enabled IP Telephone.

The validation test of the sample configuration was conducted at the Avaya Solution and

Interoperability Test Lab.

RKD; Reviewed:

SPOC 6/24/2013



2 of 52

96x1VPNSCEPASA

1. Introduction ...................................................................................................................... 3

2. Interoperability Testing .................................................................................................... 4 2.1. Test Description and Coverage ........................................................................................ 4 2.2. Test Results and Observations .......................................................................................... 4

3. Test Configuration ............................................................................................................ 5 4. Equipment and Software Validated .................................................................................. 6 5. Configure Cisco 5510 Adaptive Security Appliance ....................................................... 7

5.1. Configure Trustpoint ........................................................................................................ 8 5.2. Configure IPSec Remote Access .................................................................................... 10

6. Configuration of Avaya 96x1 IP Telephones ................................................................. 12 6.1. Configuration of 46xxsettings ........................................................................................ 12 6.2. Upload Certificates to 96x1 IP Telephone ..................................................................... 14

7. Verification Steps ........................................................................................................... 15

8. Conclusion ...................................................................................................................... 16 9. Additional References .................................................................................................... 16

10. Appendix A - Configure Avaya Aura® Communication Manager .............................. 17 10.1. Verify System Capacities and Licensing .................................................................... 17

10.2. Configure Trunk-to-Trunk Transfers.......................................................................... 19 10.3. Configure IP Codec Set .............................................................................................. 19 10.4. Configure IP Network Region .................................................................................... 20

10.5. Configure Node Names and IP Addresses ................................................................. 20 10.6. Configure SIP Signaling Groups and Trunk Groups .................................................. 20

10.7. Configure Route Pattern ............................................................................................. 24 10.8. Administer Private Numbering Plan ........................................................................... 25 10.9. Administer Dial Plan .................................................................................................. 26

10.10. Administer Uniform Dialplan ..................................................................................... 27

10.11. Add Coverage Path ..................................................................................................... 28 10.12. Add Hunt Group ......................................................................................................... 28 10.13. Save Translations ........................................................................................................ 28

11. Appendix B - Configure Avaya Aura® Session Manager ............................................ 30 11.1. Define SIP Domains ................................................................................................... 31

11.2. Define Locations ......................................................................................................... 32 11.3. Define SIP Entities ..................................................................................................... 34

11.4. Define Entity Links .................................................................................................... 35 11.5. Define Routing Policies .............................................................................................. 36 11.6. Define Dial Pattern ..................................................................................................... 37 11.7. Synchronize Changes with Avaya Aura® Communication Manager ........................ 38

12. Appendix C - Configure Avaya Aura® Messaging ...................................................... 39

12.1. Configure Sites ........................................................................................................... 39 12.2. Configure Telephony Integration ............................................................................... 40

12.3. Configure Dial Rules .................................................................................................. 41 12.4. Configure Class of Service ......................................................................................... 42 12.5. Configure Subscribers ................................................................................................ 43

Appendix D - Configuration of the Cisco Adaptive Security Appliance 5510 ............................ 45

RKD; Reviewed:

SPOC 6/24/2013



3 of 52

96x1VPNSCEPASA

1. Introduction The Microsoft Certificate Authority (CA) can issue multiple certificates in the form of a tree

structure. A root certificate is the top most certificate of the tree, the private key of which is used

to sign other certificates. All certificates immediately below the root certificate inherit the

trustworthiness of the root certificate. A signature by a root certificate is somewhat analogous to

notarizing an identity in the physical world. Certificates further down the tree also depend on the

trustworthiness of the intermediates often known as subordinate certification authorities. Many

software applications assume these root certificates are trustworthy on the user's behalf.

The 96x1 Series IP Telephones use built in Avaya certificates for trust management. Trust

management involves downloading certificates for additional trusted Certificate Authorities

(CA) and the policy management of those CAs. Identity management is handled by Simple

Certificate Enrollment Protocol (SCEP) with phone certificates and private keys. Simple

Certificate Enrollment Process applies to the VPN operation or to standard enterprise network

operation. The Simple Certificate Enrollment Protocol is the protocol used by the Microsoft CA

to securely transport key information and digital certificates to network devices, such as the

Avaya 96x1 IP telephone and Cisco Adaptive Security Appliance. For the Microsoft CA to

support SCEP, the Microsoft Network Device Enrollment Service (NDES) role must be installed.

Information on how to install and configure Microsoft CA and NDES is included in Reference 6

Section 9 of these Application Notes.

http://en.wikipedia.org/wiki/Certificate_authority

http://en.wikipedia.org/wiki/Tree_structure

http://en.wikipedia.org/wiki/Tree_structure

RKD; Reviewed:

SPOC 6/24/2013



4 of 52

96x1VPNSCEPASA

2. Interoperability Testing Avaya Aura® Communication Manager serves as an Evolution Server within the Avaya Aura®

architecture and supports Avaya 9600 Series and 96x1 Series SIP endpoints registered to Avaya

Aura® Session Manager. Avaya 9600 Series and 96x1 Series IP Deskphones (H.323) phones are

also supported by Avaya Aura® Communication Manager. Only 96x1 IP Telephones using

H.323 support VPN.

Testing was limited to station to VPN, station calls and supplemental features. Voice Messaging

was used to validate MWI and DTMF. Interoperability was verified for SIP trunks between

Avaya Aura® Session Manager Release 6.3, Avaya Aura® Communication Manager Release

6.3 and Avaya Aura® Messaging 6.2 SP2.

2.1. Test Description and Coverage

Interoperability testing included making bi-directional calls between several different types of

stations on both telephony systems with various features including hold, transfer, 3 way

conference and forwarding.

For VPN Interoperability testing Phase I and Phase II re-keying was observed as well as IP

phone registration and IPSec tunnel persistence.

2.2. Test Results and Observations

All tests passed. No unusual behavior was noted.

RKD; Reviewed:

SPOC 6/24/2013



5 of 52

96x1VPNSCEPASA

3. Test Configuration The configuration used in these Application Notes is shown in Figure 1. The Avaya Aura®

Communication Server 6.3 and Avaya Aura® Session Manager 6.3 were installed and

configured under VMware. Avaya Aura® System Manager 6.3 and Avaya Aura® Messaging 6.2

were installed on Avaya Servers. The 96x1 H.323 IP telephones register to Avaya Aura®

Communication Manager and are administered as H.323 stations. The 96x1 SIP IP telephone

registers to Avaya Aura® Session Manager. The Microsoft Windows Server 2008 R2 Certificate

Authority is used to generate the digital certificates used by the 96x1 Series IP Telephone and

Cisco Adaptive Security Appliance. Only 96x1 IP Telephones using H.323 support VPN. The

Microsoft CA in the sample configuration is used in the enterprise network as a private

certificate server for internal use. The Cisco Adaptive Security Appliance is configured for

automatic certificate enrollment.

Figure 1: Avaya Aura® Session Manager, Avaya Aura® Communications Manager and

Avaya Aura® Messaging with the Cisco Adaptive Security Appliance and Windows Server

2008 R2

RKD; Reviewed:

SPOC 6/24/2013



6 of 52

96x1VPNSCEPASA

4. Equipment and Software Validated The following equipment and software were used for the sample configuration provided:

Equipment Software

Avaya Aura® Session Manager under

VMware 5.1 Release 6.3 (Build 6.3.2.0.83005)

Avaya Aura® System Manager on HP

360 G7 Release 6.3 (Build 6.3.0.8.923)

Avaya Aura® Communication Manager

under VMware 4.1 Release 6.3 (Build 6.3.0.120.0)

Avaya G430 Gateway Firmware 32.26.0

Avaya Aura® Messaging on Dell R610 6.2 SP2 (Build 06.2-02.0.823.0-109)

Avaya 9641G IP Telephone (H.323) Release 6.2.3.13



Avaya 9641G IP Telephone (SIP) Release 6.2.2r5

Cisco 5510 Adaptive Security

Appliance

Release 9.0(2)

Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2, Enterprise

Edition

RKD; Reviewed:

SPOC 6/24/2013



7 of 52

96x1VPNSCEPASA

5. Configure Cisco 5510 Adaptive Security Appliance The Cisco 5510 ASA was configured using the CLI. The following steps describe how to

generate a keypair, create and authenticate a Trustpoint and enroll the TrustPoint with the

Microsoft Certificate Authority. It also describes the steps needed to create the IPSec ACLs,

crypto maps, VPN tunnel and VPN user accounts. It is assumed that all CLI based configuration

commands are done while in configuration mode (configure terminal or conf t).

Initial access to the Cisco ASA is via console interface using a Cisco console cable with serial (9

pin RS-232) interface and RJ-45 connectors. Use a putty serial interface set to 9600-N-8-1.

After initial configuration of the management interface, the Cisco ASA can be accessed via the

CLI by a telnet session to the management interface. The IP Address of the management

interface 0/0 was 10.129.112.82.

Type help or '?' for a list of available commands.

ciscoasa> enable

Password: *****

ciscoasa#

To set the Cisco 5510 ASA to sync with an NTP server enter configuration mode with conf t.

Type help or '?' for a list of available commands.

ciscoasa> enable

Password: *****

ciscoasa# conf t

ciscoasa(config)# ntp server 10.129.112.30

ciscoasa(config)# ntp server 10.9.1.2

ciscoasa(config)#

RKD; Reviewed:

SPOC 6/24/2013



8 of 52

96x1VPNSCEPASA

5.1. Configure Trustpoint

Step 1. The Cisco ASA Key Pair

The Cisco ASA must have its own private and public keys. The public key will be sent to the

Microsoft CA during enrollment. To generate an RSA keypair called ASA-RSA-Key with a

2048 bit key:

ciscoasa(config)#

ciscoasa(config)#

ciscoasa(config)# crypto key generate rsa label ASA-RSA-Key modulus 2048

INFO: The name for the keys will be: ASA-RSA-Key

Keypair generation process begin. Please wait...

ciscoasa(config)#

Step 2. Create a TrustPoint

To create a TrustPoint called ASA5510-trust:

ciscoasa# conf t

ciscoasa(config)#

ciscoasa(config)#

ciscoasa(config)# crypto ca trustpoint ASA5510-trust

ciscoasa(config-ca-trustpoint)# enrollment url

http://10.129.1129.20/certserv/mscep/mscep.dll

ciscoasa(config-ca-trustpoint)# enrollment retry period 5

ciscoasa(config-ca-trustpoint)# enrollment retry count 3

ciscoasa(config-ca-trustpoint)# keypair ASA-RSA-Key

ciscoasa(config-ca-trustpoint)# password Interop

ciscoasa(config-ca-trustpoint)# fqdn ciscoasa.avaya.com

ciscoasa(config-ca-trustpoint)# exit

ciscoasa(config)#

RKD; Reviewed:

SPOC 6/24/2013



9 of 52

96x1VPNSCEPASA

Step 3. Authenticate a TrustPoint

To authenticate the Trustpoint with the Windows Server 2008:

ciscoasa# conf t

ciscoasa(config)#

ciscoasa(config)# crypto ca authenticate ASA5510-trust

INFO: Certificate has the following attributes:

Fingerprint: 495f47ea 574fb851 a70cf818 a0f61341

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

ciscoasa(config)#

Step 4. Enroll a Trustpoint with Microsoft CA

To enroll a Trustpoint:

ciscoasa# conf t

ciscoasa(config)# crypto ca enroll ASA5510-trust

%

% Start certificate enrollment

% The fully-qualified domain name in the certificate will be:

ciscoasa.avaya.com

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

ciscoasa(config)# The certificate has been granted by CA!

ciscoasa(config)#

RKD; Reviewed:

SPOC 6/24/2013



10 of 52

96x1VPNSCEPASA

5.2. Configure IPSec Remote Access

Configuration for remote access requires the following steps:

Step 1. Enable IKEv1 on the Outside (Public) Interface

ciscoasa# conf t

ciscoasa(config)# crypto ikev1 enable outside

ciscoasa(config)#

Step 2. Create the IKEV1 Policy

To create a new crypto policy that uses aes-128 and sha:

ciscoasa# conf t

ciscoasa(config)#

ciscoasa(config)# crypto ikev1 policy 65535

ciscoasa(config-ikev1-policy)# authentication rsa-sig

ciscoasa(config-ikev1-policy)# encryption aes

ciscoasa(config-ikev1-policy)# hash sha

ciscoasa(config-ikev1-policy)# group 2

ciscoasa(config-ikev1-policy)# lifetime 86400

ciscoasa(config-ikev1-policy)# exit

ciscoasa(config)#

Step 3. Setup Tunnel and Group Policies

Create a VPN group policy called VPNPHONE and set the DNS, VPN tunnel protocol and

default domain attributes.

ciscoasa# conf t

ciscoasa(config)# group-policy VPNPHONE internal

ciscoasa(config)# group-policy VPNPHONE attributes

ciscoasa(config-group-policy)# dns-server value 10.129.112.70

ciscoasa(config-group-policy)# vpn-tunnel-protocol ikev1

ciscoasa(config-group-policy)# default-domain value avaya.com

ciscoasa(config-group-policy)# exit

ciscoasa(config)#

Step 4. Define the IPSec Policy

The transform set is an IPSec Policy that defines the type of encryption and authentication that

will be used. The IPSec Policy is named ESP-AES-128-SHA.

ciscoasa# conf t

ciscoasa(config)# crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes

esp-sha-hmac

ciscoasa(config)#

RKD; Reviewed:

SPOC 6/24/2013



11 of 52

96x1VPNSCEPASA

Step 5. Assign Local Address Pool

Define an IP address pool that will be used to assign a private IP address to each IP telephone

using VPN.

ciscoasa# conf t

ciscoasa(config)# ip local pool vpnphone-ip-pool 10.129.112.56-10.129.112.62 mask

255.255.255.248 ciscoasa(config)#

Step 6. Create Crypto Maps

Only 1 dynamic and 1 static crypto map can be defined for each interface.

ciscoasa# conf t

ciscoasa(config)#

ciscoasa(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

ciscoasa(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set

ikev1 transform-set ESP-AES-128-SHA

ciscoasa(config)# crypto dynamic-map inside_nat0_outbound 65535 set pfs

ciscoasa(config)# crypto dynamic-map inside_nat0_outbound 65535 set ikev1

transform-set ESP-AES-128-SHA

ciscoasa(config)# crypto map outside_map 65535 ipsec-isakmp dynamic

SYSTEM_DEFAULT_CRYPTO_MAP

ciscoasa(config)# crypto map outside_map interface outside

ciscoasa(config)#

Step 7. Configure Access Lists

This section describes the steps to create the access control lists which define protected traffic.

ciscoasa# conf t

ciscoasa(config)#

ciscoasa(config)# access-list SYSTEM_DEFAULT_CRYPTO_MAP standard permit

192.145.131.0 255.255.255.0

ciscoasa(config)# access-list inside_nat0_outbound extended permit ip any4

10.129.112.56 255.255.255.248

ciscoasa(config)#

RKD; Reviewed:

SPOC 6/24/2013



12 of 52

96x1VPNSCEPASA

6. Configuration of Avaya 96x1 IP Telephones The Avaya IP Telephones must undergo staging before being deployed to a remote location.

Staging consists of accessing a HTTP server and downloading new firmware, 46xxsettings.txt

file and the certificate to each Avaya IP Telephone. For this sample configuration a Linux server

with HTTP enabled was used. Files needed are:

current handset firmware file, unzipped

46xxsettings.file

Certificate file. To download the certificate file see Reference 6 in Section 9.

6.1. Configuration of 46xxsettings

The 46xxsettings file controls the behavior of the 96x1 IP telephone. For a detailed description of

these settings see Reference 1 in Section 9.

SET NVVPNMODE 1

This variable dictates when the VPN Client is started. If the value is 1, VPN Client is started

immediately after TCP/IP stack is initialized, If the value is 0, VPN Client is disabled.

SET NVVPNCFGPROF 8

For Cisco authentication with certificates choose option number 8.

The following variables are set to specified values when NVVPNCFGPROF is set to 8:

NVIKECONFIGMODE 1

NVIKEIDTYPE 11

NVIKEXCHGMODE 1

SET NVSGIP 192.145.131.1

Specifies a list of IP addresses for VPN security gateways. Addresses can be in dotted-decimal

or DNS name format, separated by commas without any intervening spaces. The list can contain

up to 255 characters; the default value is null ("").

SET NVVPNPSWDTYPE 1

This variable determines how a password should be treated. By default, password type is set to 1.

You must set this variable to 3 or 4 if using One Time Password such as SecureID from RSA.

SET NVVPNCOPYTOS 1

The value of this variable decides whether TOS bits should be copied from inner header to outer

header or not. If the value is 1, TOS bits are copied otherwise not. By default TOS bits are not

copied from inner header to outer header. Some Internet Service Providers do not route the IP

packets properly if TOS bits are set to anything other than 0.

SET NVVPNENCAPS 0

Specifies type of UDP encapsulation method to use if there is a NAT device between phone and

the security gateway. By default UDP Encapsulation 4500-4500 is used.

RKD; Reviewed:

SPOC 6/24/2013



13 of 52

96x1VPNSCEPASA

SET NVIKEID VPNPHONE

Phone uses this string as IKE Identifier during phase 1 negotiation. Some XAuth documentation

refer to this variable as group name because same IKE Id is shared among a group of user and

individual user authentication is done using XAuth after establishing IKE phase 1 security

association. The default value is "VPNPHONE".

SET NVIKEXCHGMODE 2

Specifies the exchange method to be used for IKE Phase 1.

1 Aggressive Mode (default)

2 Main Mode

SET NVIKEDHGRP 2

This variable contains the value of the DH group to use during phase 1 negotiation.

1 Diffie-Hellman Group 1

2 Diffie-Hellman Group 2 (default)




SET NVPFSDHGRP 2

This variable contains the value of the DH group to use during phase 2 negotiation for

establishing IPsec security associations also known as Perfect Forward Secrecy. By default PFS

is disabled.

0 No PFS (default)






SET NVIKEP1ENCALG 1

Security Gateway picks the algorithm mandated by administrator.

0 ANY

1 AES-128

2 3DES

3 DES

4 AES-192

5 AES-256

SET NVIKEP2ENCALG 1 Security Gateway picks the algorithm mandated by administrator.

0 ANY

1 AES-128

2 3DES

3 DES

4 AES-192

5 AES-256

RKD; Reviewed:

SPOC 6/24/2013



14 of 52

96x1VPNSCEPASA

SET NVIKEP1AUTHALG 2

0 ANY

1 MD5

2 SHA1

SET NVIKEP2AUTHALG 2

0 ANY

1 MD5

2 SHA1

SET TRUSTCERTS 96x1vpn_cert.cer

List of trusted certificates to download to phone. This parameter may contain one or more

certificate filenames, separated by commas without any intervening spaces. Files may contain

only PEM formatted certificates.

SET MYCERTKEYLEN 2048

Specifies the bit length of the public and private keys generated for the SCEP certificate request.

4 ASCII numeric digits, "1024" through "2048"; the default value is "1024".

SET MYCERTWAIT 0

Specifies whether the telephone will wait until a pending certificate request is complete, or

whether it will periodically check in the background.

SET MYCERTURL http://10.129.112.20/certsrv/mscep/mscep.dll

URI used to access SCEP server.

6.2. Upload Certificates to 96x1 IP Telephone

To upload the exported certificates to the 96x1 IP telephone the 46xxsettings file is used. The

96x1 IP telephone begins the uploading of the certificates to the IP telephone. The SCEP timeout

is displayed on the 96x1 IP telephone as the certificates are uploaded.

SCEP 10 secs

The 96x1 IP telephone has begun requesting the certificates from the Microsoft CA and will

continue requesting the certificate for 60 minutes until the certificate is issued.

The following screen is displayed on the 96x1 IP telephone.

SCEP Successful

http://10.129.112.20/certsrv/mscep/mscep.dll

RKD; Reviewed:

SPOC 6/24/2013



15 of 52

96x1VPNSCEPASA

7. Verification Steps The following verification steps were tested using the sample configuration.

From Communication Manager, verify the IP telephones registered to Avaya Communication

Manager as shown below.

list registered-ip-stations

REGISTERED IP STATIONS

Station Ext Set Type/ Prod ID/ TCP Station IP Address/

or Orig Port Net Rgn Release Skt Gatekeeper IP Address

------------- --------- ---------- --- ---------------------------------------

2005 9640 IP_Phone y 10.129.113.50

1 3.105S 10.129.112.25

2006 9608 IP_Phone y 10.129.113.61

1 6.2313 10.129.112.25

2008 9641 IP_Phone y 10.129.112.57

1 6.2313 10.129.112.25

2009 9611 IP_Phone y 10.129.112.58

1 6.2313 10.129.112.25

Verify calls can be made with clear audio from an Avaya VPN telephone to a second VPN

telephone. The VPN telephone extension 2009 registered with IP Address 10.129.112.58 places a

call to VPN telephone extension 2008 registered with IP Address 10.129.112.57. Use status

station 2009 and go to page 4 to see Call Control Signaling.

status station 2009 Page 4 of 9

CALL CONTROL SIGNALING

Port: S00016 Switch-End IP Signaling Loc: PROCR H.245 Port:

IP Address Port Node Name Rgn

Switch-End: 10.129.112.25 1720 procr 1

Reg Set End:10.129.112.58 4063 1

Alt Set End:not applicable

H.245 Near:

H.245 Set:

Do the same for extension 2008.

status station 2008 Page 4 of 9

CALL CONTROL SIGNALING

Port: S00016 Switch-End IP Signaling Loc: PROCR H.245 Port:

IP Address Port Node Name Rgn

Switch-End: 10.129.112.25 1720 procr 1

Reg Set End:10.129.112.58 4063 1

Alt Set End:not applicable

H.245 Near:

H.245 Set:

RKD; Reviewed:

SPOC 6/24/2013



16 of 52

96x1VPNSCEPASA

8. Conclusion These Application Notes describe the administration steps required to configure an Avaya 96x1

IP Telephone VPN feature for Certificate Authentication using Cisco Adaptive Appliance and

Microsoft Certificate Authority with Avaya Aura® Communication Manager.

9. Additional References This section references the documentation relevant to these Application Notes.

For Avaya, additional product documentation is available at http://support.avaya.com.

1. VPN Setup Guide for 9600 Series IP Telephones Release 3.1 and 6.2, January 2013, Doc ID

16-602968

2. Administering Avaya Aura® Communication Manager, Release 6.2, Doc ID 03-300509,

Issue 7.0, February 2012

3. Administering Avaya Aura® Messaging, Release 6.2, September 2012, CID 156479

Avaya Application Notes

4. Configuring an IPSec Tunnel between Avaya 96xx Series IP Phones and the Cisco Adaptive

Security Appliance 5510

5. Configuring Avaya 9600 Series IP Telephone VPN feature for Certificate Authentication

using Cisco 5510 Adaptive Security Appliance and Microsoft Certificate Authority with

Avaya Aura™ Communication Manager

6. Configuring Microsoft Windows Server 2008 R2 Certificate Authority and Network Device

Enrollment Service with Simple Certificate Enrollment Protocol for use with Avaya 96x1 IP

Telephones in VPN Mode

Product documentation for Cisco products may be found at http://www.cisco.com

7. Cisco ASA Series CLI Configuration Guide, Software Version 9.0, Updated February 25,

2013

Product documentation for Microsoft products may be found at http://www.microsoft.com

8. Introducing Windows Server 2008 R2, by Charlie Russell and Craig Zacker with the

Windows Server Team at Microsoft, e-book published by Microsoft, 2010.

9. Windows Server 2008 and Windows Server 2008 R2, http://technet.microsoft.com/en-

us/library/dd349801(v=ws.10).aspx

http://support.avaya.com/

https://support.avaya.com/css/P8/documents/100068662

http://www.cisco.com/

http://www.microsoft.com/

http://technet.microsoft.com/en-us/library/dd349801(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/dd349801(v=ws.10).aspx

RKD; Reviewed:

SPOC 6/24/2013



17 of 52

96x1VPNSCEPASA

10. Appendix A - Configure Avaya Aura® Communication Manager

This section describes the steps needed to configure Communication Manager to route and

receive calls over the SIP trunk to Session Manager to support calls between Communication

Manager and Avaya Aura® Messaging. While this configuration is needed to route calls within

an enterprise, there is no specific configuration in this section related to connecting the Avaya

96x1 IP telephones to the Cisco ASA via a VPN. These instructions assume the Avaya G430

Media Server is already configured on Communication Manager. For more information

describing these additional administration steps, see Section 9.

This section describes the administration of Communication Manager using a System Access

Terminal (SAT). Some administration screens have been abbreviated for clarity.

The following administration steps will be described:

Verify System Capacities and Licensing

Configure Trunk-to-Trunk Transfers

Configure IP Codec Set

Configure IP Network Region

Configure Node Names and IP Addresses

Configure SIP Signaling Groups and Trunk Groups

Configure Route Pattern

Administer Private Numbering Plan

Administer Dial Plan

Administer Uniform Dialplan

Add Coverage Path

Add Hunt Group

Save Translations

10.1. Verify System Capacities and Licensing

This section describes the procedures to verify the correct system capacities and licensing have

been configured. If there is insufficient capacity or if a required feature is not available, contact

an authorized Avaya sales representative to make the appropriate changes.

Step 1: Verify SIP Trunk Capacity is sufficient for the expected number of calls. Verify the

system is licensed to support IP Telephones.

On Page 2 of the display system-parameters customer-options command, verify an adequate

number of SIP Trunk Members are administered for the system as shown below.

RKD; Reviewed:

SPOC 6/24/2013



18 of 52

96x1VPNSCEPASA

display system-parameters customer-options Page 2 of 11

OPTIONAL FEATURES

IP PORT CAPACITIES USED

Maximum Administered H.323 Trunks: 500 0

Maximum Concurrently Registered IP Stations: 2400 40

Maximum Administered Remote Office Trunks: 4000 0

Maximum Video Capable IP Softphones: 0 0

Maximum Administered SIP Trunks: 4000 20

Step 2: Verify AAR/ARS Routing features are Enabled on system.

To simplify the dialing plan for calls between telephony systems, verify the following AAR/ARS

features are enabled on the system.

On Page 3 of the display system-parameters customer-options command, verify the following

features are enabled.

ARS? Verify “y” is displayed.

ARS/AAR Partitioning? Verify “y” is displayed.

ARS/AAR Dialing without FAC? Verify “y” is displayed.

display system-parameters customer-options Page 3 of 11

OPTIONAL FEATURES

A/D Grp/Sys List Dialing Start at 01? n CAS Main? n

Answer Supervision by Call Classifier? n Change COR by FAC? n

ARS? y Computer Telephony Adjunct Links? y

ARS/AAR Partitioning? y Cvg Of Calls Redirected Off-net? y

ARS/AAR Dialing without FAC? y DCS (Basic)? y

ASAI Link Core Capabilities? y DCS Call Coverage? n

…

Step 3: Verify Private Networking feature is Enabled.

On Page 5 of the display system-parameters customer-options command, verify the Private

Networking feature is set to “y”. display system-parameters customer-options Page 5 of 11

OPTIONAL FEATURES

Uniform Dialing Plan? y

Private Networking? y Usage Allocation Enhancements? y

Processor and System MSP? y

Processor Ethernet? y Wideband Switching? n

…

RKD; Reviewed:

SPOC 6/24/2013



19 of 52

96x1VPNSCEPASA

10.2. Configure Trunk-to-Trunk Transfers

Use the change system-parameters features command to enable trunk-to-trunk transfers. This

feature is needed when an incoming call to a SIP station is transferred to another SIP station. For

simplicity, the Trunk-to-Trunk Transfer field on Page 1 was set to “all” to enable all trunk-to-

trunk transfers on a system wide basis.

Note: Enabling this feature poses significant security risk by increasing the risk of toll fraud, and

must be used with caution. To minimize the risk, a COS could be defined to allow trunk-to-trunk

transfers for specific trunk group(s). For more information regarding how to configure Avaya

Communication Manager to minimize toll fraud, see Section 9.

change system-parameters features Page 1 of 19

FEATURE-RELATED SYSTEM PARAMETERS

Self Station Display Enabled? n

Trunk-to-Trunk Transfer: all

Automatic Callback with Called Party Queuing? n

Automatic Callback - No Answer Timeout Interval (rings): 3

…

10.3. Configure IP Codec Set

Use the change ip-codec-set n command where n is the number used to identify the codec set.

Enter the following values:

Audio Codec: Enter “G.711MU” and “G.729” as supported types.

Silence Suppression: Retain the default value “n”.

Frames Per Pkt: Enter “2”.

Packet Size (ms): Enter “20”.

Media Encryption: Enter the value based on the system requirement. For the

sample configuration, “none” was used.

change ip-codec-set 1 Page 1 of 2

IP Codec Set

Codec Set: 1

Audio Silence Frames Packet

Codec Suppression Per Pkt Size(ms)

1: G.711MU n 2 20

2: G.729 n 2 20

Media Encryption

1: none

RKD; Reviewed:

SPOC 6/24/2013



20 of 52

96x1VPNSCEPASA

10.4. Configure IP Network Region

Use the change ip-network-region n command where n is an available network region.

Enter the following values and use default values for remaining fields.

Authoritative Domain: Enter the correct SIP domain for the configuration.

For the sample configuration, “avaya.com” was used.

Name: Enter descriptive name.

Codec Set: Enter the number of the IP codec set configured in

Section 5.3.

Intra-region IP-IP Direct Audio: Enter “yes”.

Inter-region IP-IP Direct Audio: Enter “yes”.

change ip-network-region 1 Page 1 of 20

IP NETWORK REGION

Region: 1

Location: Authoritative Domain: avaya.com

Name: Main Network Region MEDIA PARAMETERS Intra-region IP-IP Direct Audio: yes

Codec Set: 1 Inter-region IP-IP Direct Audio: yes

UDP Port Min: 2048 IP Audio Hairpinning? n

UDP Port Max: 3329

…

10.5. Configure Node Names and IP Addresses

Use the change node-names ip command to add the node-name and IP Addresses for the

“procr” interface on Avaya Communication Manager and the SIP signaling interface of Avaya

Session Manager, if not previously added.

In the sample configuration, the node-name of the SIP signaling interface for Avaya Session

Manager is “sm63-1” with an IP address of “10.129.112.17”.

change node-names ip Page 1 of 2

IP NODE NAMES

Name IP Address

sm63-1 10.129.112.17

default 0.0.0.0

procr 10.129.112.25

10.6. Configure SIP Signaling Groups and Trunk Groups

This section provides the configuration of SIP trunk between Avaya Communication Manager

and Avaya Session Manager. In the sample configuration, trunk group “10” and signaling group

“10” were used for connecting to Avaya Session Manager.

Step 1: Add Signaling Group for SIP Trunk

Use the add signaling-group n command, where n is an available signaling group number.


RKD; Reviewed:

SPOC 6/24/2013



21 of 52

96x1VPNSCEPASA

Group Type: Enter “sip”

IMS Enabled: Enter “n”

Transport Method: Enter “tls”

Peer Detection Enabled? Enter “y”.

Peer Server: Use default value.

Near-end Node Name: Enter “procr” node name from Section 10.5.

Far-end Node Name: Enter node name for the Avaya Session Manager

defined in Section 10.5.

Near-end Listen Port: Verify “5061” is used

Far-end Listen Port: Verify “5061” is used

Far-end Network Region: Enter network region defined in Section 10.4.

Far-end Domain: Enter domain name for Authoritative Domain

field defined in Section 10.4.

DTMF over IP: Verify “rtp-payload” is used

Direct IP-IP Audio Connections? Enter “y”

Direct IP-IP Early Media? Enter “y”

add signaling-group 10 Page 1 of 2

SIGNALING GROUP

Group Number: 10 Group Type: sip

IMS Enabled? n Transport Method: tls

Q-SIP? n

IP Video? n Priority Video? n Enforce SIPS

URI for SRTP? n

Peer Detection Enabled? y Peer Server: SM

Near-end Node Name: procr Far-end Node Name: sm63-1

Near-end Listen Port: 5061 Far-end Listen Port: 5061

Far-end Network Region: 1

Far-end Domain: avaya.com

Bypass If IP

Threshold Exceeded? n

Incoming Dialog Loopbacks: eliminate RFC 3389 Comfort

Noise? n

DTMF over IP: rtp-payload Direct IP-IP Audio Connections? y

Session Establishment Timer(min): 3 IP Audio Hairpinning? n

Enable Layer 3 Test? n Direct IP-IP Early Media? y

H.323 Station Outgoing Direct Media? n Alternate Route Timer(sec):

RKD; Reviewed:

SPOC 6/24/2013



22 of 52

96x1VPNSCEPASA

Step 2: Add SIP Trunk Group

Add the corresponding trunk group controlled by the signaling group defined in Step 1 using the

add trunk-group n command where n is an available trunk group number.


Group Type: Enter “sip”.

Group Name: Enter a descriptive name.

TAC: Enter an available trunk access code.

Direction: Enter “two-way”.

Outgoing Display? Enter “n”.

Service Type: Enter “tie”.

Signaling Group: Enter the number of the signaling group added in Step 1.

Number of Members: Enter the number of members in the SIP trunk (must be

within the limits for number of SIP trunks configured in

Section 10.1).

Note: once the add trunk-group command is completed, trunk members will be automatically

generated based on the value in the Number of Members field.

add trunk-group 10 Page 1 of 21

TRUNK GROUP

Group Number: 10 Group Type: sip CDR Reports: y

Group Name: SIP trunk to sm63-1 COR: 1 TN: 1 TAC: #10

Direction: two-way Outgoing Display? n

Dial Access? n Night Service:

Queue Length: 0

Service Type: tie Auth Code? n

Member Assignment Method: auto

Signaling Group: 10

Number of Members: 20

RKD; Reviewed:

SPOC 6/24/2013



23 of 52

96x1VPNSCEPASA

On Page 3, enter the following values and use default values for remaining fields.

Numbering Format Enter “private”.

Show ANSWERED BY on Display Enter “y”.


TRUNK FEATURES

ACA Assignment? n Measured: none

Maintenance Tests? y

Numbering Format: private

UUI Treatment: service-provider

Replace Restricted Numbers? n

Replace Unavailable Numbers? n

Show ANSWERED BY on Display? y

On Page 4, enter the following values and use default values for remaining fields.

Support Request History Enter “y”.

Telephone Event Payload Type Enter “101”.


PROTOCOL VARIATIONS

Mark Users as Phone? y

Prepend '+' to Calling Number? n

Send Transferring Party Information? n

Network Call Redirection? n

Send Diversion Header? n

Support Request History? y

Telephone Event Payload Type: 101

RKD; Reviewed:

SPOC 6/24/2013



24 of 52

96x1VPNSCEPASA

10.7. Configure Route Pattern

This section provides the configuration of the route pattern used in the sample configuration for

routing calls to stations supported by Cisco Unified Communications Manager.

Use change route-pattern n command where n is an available route pattern.


Grp No Enter a row for the trunk group defined in Section 10.6.

FRL Enter “0”.

Numbering Format Enter “lev0-pvt”.

In the sample configuration, route pattern “10” was created as shown below.

change route-pattern 10 Page 1 of 3

Pattern Number: 10 Pattern Name: to sm63-1

SCCAN? n Secure SIP? n

Grp FRL NPA Pfx Hop Toll No. Inserted DCS/ IXC

No Mrk Lmt List Del Digits QSIG

Dgts Intw

1: 10 0 n user

2: n user

3: n user

…

BCC VALUE TSC CA-TSC ITC BCIE Service/Feature PARM No. Numbering LAR

0 1 2 M 4 W Request Dgts Format

Subaddress

1: y y y y y n n rest lev0-pvt none

2: y y y y y n n rest none

3: y y y y y n n rest none

…

RKD; Reviewed:

SPOC 6/24/2013



25 of 52

96x1VPNSCEPASA

10.8. Administer Private Numbering Plan

Extension numbers used for SIP Users registered to Avaya Session Manager must be added to

either the private or public numbering table on Communication Manager. For the sample

configuration, private numbering was used and all extension numbers were unique within the

private network. However, in many customer networks, it may not be possible to define unique

extension numbers for all users within the private network.

Use the change private-numbering n command, where n is the length of the private number.

Fill in the indicated fields as shown below.

Ext Len: Enter length of extension numbers. In the sample configuration, “4”

was used.

Ext Code: Enter leading digit (s) from extension number. In the sample

configuration, “20” was used for stations on Communication

Manager.

Trk Grp(s): Enter trunk group defined in Section 10.6.

Private Prefix: Leave blank unless an enterprise canonical numbering scheme is

defined in Avaya Session Manager. If so, enter the appropriate

prefix.

Total Length: Enter “4”.

change private-numbering 11 Page 1 of 2

NUMBERING - PRIVATE FORMAT

Ext Ext Trk Private Total

Len Code Grp(s) Prefix Len

4 20 10 4 Total Administered: 2

4 90 10 4 Maximum Entries: 540

RKD; Reviewed:

SPOC 6/24/2013



26 of 52

96x1VPNSCEPASA

10.9. Administer Dial Plan

Use the change dialplan analysis command.

In the sample configuration, 4-digit extension numbers starting with “20” are used for stations

supported by Communication Manager.

Fill in the indicated fields as shown below and use default values for remaining fields.

Dialed String Enter digit pattern for extension numbers on Communication

Manager.

Total Length Enter length of extension numbers. For the sample configuration,

“4” was used.

Call Type Enter “ext”.

change dialplan analysis Page 1 of 12

DIAL PLAN ANALYSIS TABLE

Location: all Percent Full: 0

Dialed Total Call Dialed Total Call Dialed Total Call

String Length Type String Length Type String Length Type

20 4 ext

*8 2 fac

*9 2 fac

# 3 dac

RKD; Reviewed:

SPOC 6/24/2013



27 of 52

96x1VPNSCEPASA

10.10. Administer Uniform Dialplan

This section provides the configuration of the Uniform Dialplan pattern used in the sample

configuration for routing calls between the telephony systems.

Note: Other methods of routing may be used.

Use the change uniform-dialplan n command where n is the first digit of the number assigned

to a station supported by Communication Manager. In the sample configuration, the numbers on

Communication Manager start with digits “20”.

Fill in the indicated fields as shown below and use default values for remaining fields.

Matching Pattern Enter the number Communication Manager matches to dialed

numbers. Accepts up to seven digits.

Len Enter the number of user-dialed digits the system collects to match

to this Matching Pattern value.

Del Enter number of digits to delete before routing the call.

Net The server or switch network used to analyze the converted

number. The converted digit-string is routed either as an extension

number or through its converted AAR address, its converted ARS

address, or its ENP node number. In the sample configuration

“aar” was used.

Conv Enables or disables additional digit conversion.

change uniform-dialplan 1 Page 1 of 2

UNIFORM DIAL PLAN TABLE

Percent Full: 0

Matching Insert Node

Pattern Len Del Digits Net Conv Num

20 4 0 aar n

RKD; Reviewed:

SPOC 6/24/2013



28 of 52

96x1VPNSCEPASA

10.11. Add Coverage Path

A coverage path is a list of one to six alternate answering positions. The system sequentially

accesses the coverage points when the called party or the called group is unavailable to answer

the call. To add a coverage path for a voicemail hunt group:

add coverage path 1 Page 1 of 1

COVERAGE PATH

Coverage Path Number: 1

Cvg Enabled for VDN Route-To Party? n Hunt after Coverage? n

Next Path Number: Linkage

COVERAGE CRITERIA

Station/Group Status Inside Call Outside Call

Active? n n

Busy? y y

Don't Answer? y y Number of Rings: 2

All? n n

DND/SAC/Goto Cover? y y

Holiday Coverage? n n

COVERAGE POINTS

Terminate to Coverage Pts. with Bridged Appearances? n

Point1: h99 Rng: Point2:

Point3: Point4:

Point5: Point6:

10.12. Add Hunt Group

To add a hunt group for voicemail: add hunt-group 99 Page 1 of 60

HUNT GROUP

Group Number: 99 ACD? n

Group Name: voicemail Queue? n

Group Extension: 2900 Vector? n

Group Type: ucd-mia Coverage Path:

TN: 1 Night Service Destination:

COR: 1 MM Early Answer? n

Security Code: Local Agent Preference? n

ISDN/SIP Caller Display:

10.13. Save Translations

Configuration of Communication Manager Evolution Server is complete. Use the save

translation command to save these changes.

RKD; Reviewed:

SPOC 6/24/2013



29 of 52

96x1VPNSCEPASA

Note: After making a change on Communication Manager which alters the dial plan or

numbering plan, synchronization between Communication Manager and System Manager must

be completed and SIP telephones must be re-registered.

See Section 11.7 for more information on how to perform an on-demand synchronization.

RKD; Reviewed:

SPOC 6/24/2013



30 of 52

96x1VPNSCEPASA

11. Appendix B - Configure Avaya Aura® Session Manager This section describes the procedures for configuring Avaya Aura® Session Manager to route

calls to/from Communication Manager. While this configuration is needed to route calls within

an enterprise, there is no specific configuration in this section related to connecting the Avaya

96x1 IP telephones to the Cisco ASA via a VPN.

These instructions assume other administration activities have already been completed such as

defining SIP entities for Session Manager, defining the network connection between System

Manager and Session Manager and defining SIP users. For more information on these additional

actions, see Section 9.

The following administration activities will be described:

Define SIP Domains

Define Locations

Define SIP Entities

Define Entity Links

Define Routing Policies

Define Dial Pattern

Synchronize Changes with Avaya Aura® Communication Manager

Note: Some administration screens have been abbreviated for clarity.

Configuration is accomplished by accessing the browser-based GUI of Avaya Aura® System

Manager, using the URL “http://<ip-address>/SMGR”, where “<ip-address>” is the IP

address of Avaya Aura® System Manager. Log in with the appropriate credentials.

RKD; Reviewed:

SPOC 6/24/2013



31 of 52

96x1VPNSCEPASA

11.1. Define SIP Domains

Expand Elements Routing and select Domains from the left navigation menu.

Click New (not shown). Enter the following values and use default values for remaining fields.

Name Enter the Authoritative Domain Name specified in Section 10.4.

For the sample configuration, “avaya.com” was used.

Type Select “sip” from drop-down menu.

Notes Add a brief description. [Optional].

Click Commit to save. The screen below shows the SIP Domain defined for the sample

configuration.

RKD; Reviewed:

SPOC 6/24/2013



32 of 52

96x1VPNSCEPASA

11.2. Define Locations

Locations are used to identify logical and/or physical locations where SIP Entities or SIP

endpoints reside, for purposes of bandwidth management or location-based routing.

Expand Elements Routing and select Locations. Click New (not shown).

In the General section, enter the following values and use default values for remaining fields.

Name: Enter a descriptive name for the location.

Notes: Add a brief description. [Optional].

In the Location Pattern section, click Add and enter the following values.

IP Address Pattern Enter the logical pattern used to identify the location.

For the sample configuration, “10.129.112.79” was used.

Notes Add a brief description. [Optional]

Click Commit to save. The screen on the next page shows the Location used for the CM

system in the sample configuration.

RKD; Reviewed:

SPOC 6/24/2013



33 of 52

96x1VPNSCEPASA

RKD; Reviewed:

SPOC 6/24/2013



34 of 52

96x1VPNSCEPASA

11.3. Define SIP Entities

A SIP Entity must be added for each telephony system connected over a SIP trunk to Avaya

Session Manager.

Expand Elements Routing and select SIP Entities from the left navigation menu.

Click New (not shown). In the General section, enter the following values and use default values

for remaining fields to define a SIP Entity for CM system.

Name: Enter an identifier for new SIP Entity.

FQDN or IP Address: Enter IP address of CM system.

Type: Select “CM”.

Location: Select Location defined in Section 11.2.

Time Zone: Select appropriate time zone.

Notes: Enter a brief description. [Optional].

In the SIP Link Monitoring section:

SIP Link Monitoring: Select “Use Session Manager Configuration”.

Click Commit to save SIP Entity definition. The following screen shows the SIP Entity

defined for the Cisco Unified Communications Manager system.

RKD; Reviewed:

SPOC 6/24/2013



35 of 52

96x1VPNSCEPASA

11.4. Define Entity Links

A SIP trunk between Avaya Session Manager and each telephony system is described by an

Entity Link.

To add an Entity Link, expand Elements Routing and select Entity Links from the left

navigation menu.

Click New (not shown). Enter the following values.

Name Enter an identifier for the link to CM system.

SIP Entity 1 Select SIP Entity defined for Avaya Session Manager.

SIP Entity 2 Select the SIP Entity defined in Section 11.3 for

Communication Manager.

Protocol After selecting both SIP Entities, select “TCP” as the

required protocol.

Port Verify Port for both SIP entities is “5061”.

Connection Policy Select Trusted.

Notes Enter a brief description. [Optional].

Click Commit to save Entity Link definition.

The following screen shows the Entity Link defined between Session Manager and


RKD; Reviewed:

SPOC 6/24/2013



36 of 52

96x1VPNSCEPASA

11.5. Define Routing Policies

Routing policies describe the conditions under which calls will be routed to the SIP Entities

specified in Section 11.4. A routing policy must be added for Communication Manager.

To add a routing policy, expand Elements Routing and select Routing Policies.

Click New (not shown). In the General section, enter the following values.

Name: Enter an identifier for policy being added for CM system.

Disabled: Leave unchecked.


In the SIP Entity as Destination section, click Select. The SIP Entity List page opens (not

shown).

Select the SIP Entity defined for CM system in Section 11.3 and click Select.

The selected SIP Entity displays on the Routing Policy Details page.

Use default values for remaining fields. Click Commit to save Routing Policy definition.

Note: the routing policy defined in this section is an example and was used in the sample

configuration. Other routing policies may be appropriate for different customer networks.

The following screen shows the Routing Policy defined in the sample configuration for routing

calls to CM system.

RKD; Reviewed:

SPOC 6/24/2013



37 of 52

96x1VPNSCEPASA

11.6. Define Dial Pattern

Define dial patterns to direct calls to the appropriate telephony system. In the sample

configuration, 4-digit extensions beginning with “20” reside on Communication Manager.

To define a dial pattern, expand Elements Routing and select Dial Patterns.

Click New (not shown). In the General section, enter the following values and use default values

for remaining fields.

Pattern: Enter the dial pattern associated Communication Manager

system.

Min: Enter the minimum number digits that must to be dialed.

Max: Enter the maximum number digits that may be dialed.

SIP Domain: Select the SIP Domain from drop-down menu or select “ALL”

if Avaya Session Manager should accept incoming calls from

all SIP domains.


In the Originating Locations and Routing Policies section, click Add.

The Originating Locations and Routing Policy List page opens (not shown).

In Originating Locations table, select “ALL” .

In Routing Policies table, select the appropriate Routing Policy defined for CM

system in Section 11.5.

Click Select to save these changes and return to Dial Patterns Details page.

Click Commit to save the new definition. The following screen shows the Dial Pattern

defined for routing calls to CM.

RKD; Reviewed:

SPOC 6/24/2013



38 of 52

96x1VPNSCEPASA

11.7. Synchronize Changes with Avaya Aura® Communication Manager

If changes are made on Communication Manager which alters the dial plan or numbering plan,

perform on-demand synchronization to synchronize the data between System Manager and


Expand Elements Inventory Synchronization and select Communication System.

On the Synchronize CM Data and Configure Options page, expand the Synchronize CM

Data/Launch Element Cut Through table and select the row associated with Avaya

Communication Manager as shown below.

Click to select Incremental Sync data for selected devices option. Click Now to start the

synchronization.

Use the Refresh button in the table header to verify status of the synchronization.

Verify synchronization successfully completes by verifying the status in the Sync. Status

column is “Completed”.

RKD; Reviewed:

SPOC 6/24/2013



39 of 52

96x1VPNSCEPASA

12. Appendix C - Configure Avaya Aura® Messaging Messaging was configured for SIP communication with Session Manager and also to add

Communication Manager Subscribers. The procedures include the following areas:

Configure Sites

Configure Telephony Integration

Configure Dial Rules

Configure Class of Service

Configure Subscribers

Please note that while this configuration is needed to route calls within an enterprise, there is no

specific configuration in this section related to connecting the Avaya 96x1 IP telephones to the

Cisco ASA via a VPN.

See references in Section 9 for standard installation and configuration information. General

knowledge of the configuration tools and interfaces is assumed.

12.1. Configure Sites

A Messaging Access number and a Messaging Auto Attendant number needs to be defined. Log into

the Avaya Aura Messaging System Management Interface (SMI) and go to Administration

Messaging Messaging System (Storage) Sites.

For the Default Site, in the right panel, fill in the following:

Internal Messaging access number Enter internal messaging access number

External Messaging access number Enter external messaging access number

RKD; Reviewed:

SPOC 6/24/2013



40 of 52

96x1VPNSCEPASA

12.2. Configure Telephony Integration

A SIP trunk needs to be configured from Messaging to Avaya Session Manager. Log into the

Messaging System Management Interface (SMI) and go to Administration Messaging

Telephony Settings (Application) Telephony Integration. In the right panel fill in the

following:

Under Basic Configuration:

Switch Integration Type: SIP

Under SIP Specific Configuration:

Transport Method: “TCP”

Connection 1: Enter the Session Manager signalling IP address and

TCP port number

Messaging Address Enter the Messaging IP address and TCP port number

SIP Domain Enter the Messaging and Session Manager domain

names

Click Save to save changes. See below.

RKD; Reviewed:

SPOC 6/24/2013



41 of 52

96x1VPNSCEPASA

12.3. Configure Dial Rules

Navigate to Administration Messaging Server Settings (Application) Dial Rules to configure

the dial rules. Set the Dial plan handling style: Site definition based, as shown below.

Next select the Edit Dial-Out Rules button to verify the appropriate parameters for outbound

dialling from Avaya Aura® Messaging were set above. These dial rules help Avaya Aura®

Messaging send the correct number and combination of digits when originating a call to Avaya

Communication Manager, whether the call is destined for another extension or ultimately expected to

be routed to the PSTN. For the sample configuration, 4-digit extensions were used on Avaya

Communication Manager so any time Avaya Aura® Messaging originates a call to an extension it

should send the 4-digit number and not attempt to insert or delete any digits.

Scroll down to the section titled Dial-out Test Numbers. As shown below the number 2001 is

treated as an internal number and is dialed intact, whereas the test number 408-555-7086 is

treated as a long-distance national number which requires a 9 prefixed as an access code.

RKD; Reviewed:

SPOC 6/24/2013



42 of 52

96x1VPNSCEPASA

12.4. Configure Class of Service

Verify Messaging Waiting is enabled for all subscribers.

Use Administration Messaging Messaging System (Storage) Class of Service.

Select Standard from the Class of Service drop-down menu.

Under General section, enter the following value and use default values for remaining fields.

Dial-out privilege: Long Distance.

Set Message Waiting Indicator (MWI) on user’s desk phone: Checked.

Under Greetings section, Select Personal and optional greetings

Click Save (not shown) to save changes. The following screen shows the settings defined for the

“Standard” Class of Service in the test configuration.

RKD; Reviewed:

SPOC 6/24/2013



43 of 52

96x1VPNSCEPASA

12.5. Configure Subscribers

Log into the Messaging System Management Interface (SMI) and go to Administration

Messaging. In the left panel, under Messaging System (Storage) select User Management. In

the right panel fill in the following:

First Name Enter first name

Last Name Enter last name

Display Name Enter display name

ASCII name Enter the ASCII name

Site Enter site defined in Section 12.1

Mailbox Number Enter desired mailbox number i.e. “2005”

Internal identifier Enter the name for internal use

Numeric address Enter the mailbox number

Extension Enter desired extension number i.e. “2005”

Class of Service Select a Class of Service

MWI Enabled Select “Yes” to enable the MWI light on phones

New Password/Confirm Password Enter desired extension password

Next logon password change Select the Checkbox

Click Save to save changes. See next page.

RKD; Reviewed:

SPOC 6/24/2013



44 of 52

96x1VPNSCEPASA

RKD; Reviewed:

SPOC 6/24/2013



45 of 52

96x1VPNSCEPASA

Appendix D - Configuration of the Cisco Adaptive Security Appliance 5510

Appendix D contains the complete configuration for the Cisco 5510 Adaptive Security

Appliance. The ASA 5510 was configured from the CLI.

ASA Version 9.0(2)

!

hostname ciscoasa

domain-name avaya.com

enable password 2KFQnbNIdI.2KYOU encrypted

xlate per-session deny tcp any4 any4




xlate per-session deny udp any4 any4 eq domain




passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool vpnphone-ip-pool 10.129.112.56-10.129.112.62 mask 255.255.255.248

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 192.145.131.1 255.255.255.0

!


description VLAN 3000

nameif inside

security-level 100

ip address 10.129.112.52 255.255.255.192

!


shutdown

no nameif

no security-level

no ip address

!


shutdown

no nameif

no security-level

RKD; Reviewed:

SPOC 6/24/2013



46 of 52

96x1VPNSCEPASA

no ip address

!

interface Management0/0

description VLAN 3001

management-only

nameif management

security-level 100

ip address 10.129.112.82 255.255.255.224

!

boot system disk0:/asa902-k8.bin

ftp mode passive

clock timezone MST -6

clock summer-time MDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.129.112.20

domain-name avaya.com

same-security-traffic permit intra-interface

object network obj-10.129.112.56

subnet 10.129.112.56 255.255.255.248

access-list SYSTEM_DEFAULT_CRYPTO_MAP standard permit 192.145.131.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any4 10.129.112.56 255.255.255.248

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any management

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,any) source static any any destination static obj-10.129.112.56 obj-10.129.112.56 no-

proxy-arp

route outside 0.0.0.0 0.0.0.0 192.145.131.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

RKD; Reviewed:

SPOC 6/24/2013



47 of 52

96x1VPNSCEPASA

nac-policy DfltGrpPolicy-nac-framework-create nac-framework

reval-period 36000

sq-period 300

http server enable

http 10.129.112.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set

ESP-AES-128-SHA

crypto dynamic-map inside_nat0_outbound 65535 set pfs

crypto dynamic-map inside_nat0_outbound 65535 set ikev1 transform-set ESP-AES-128-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASA5510-trust

enrollment retry period 5

enrollment retry count 3

enrollment url http://10.129.112.20:80/certsrv/mscep/mscep.dll

fqdn ciscoasa.avaya.com

password *

keypair ASA-RSA-Key

crl configure

crypto ca trustpool policy

crypto ca certificate chain ASA5510-trust

certificate 14f8930500000000004c

308205cd 308204b5 a0030201 02020a14 f8930500 00000000 4c300d06 092a8648

86f70d01 01050500 30643113 3011060a 09922689 93f22c64 01191603 636f6d31

15301306 0a099226 8993f22c 64011916 05617661 79613118 3016060a 09922689

93f22c64 01191608 61766179 6173696c 311c301a 06035504 03131361 76617961

73696c2d 57494e44 4e53302d 4341301e 170d3133 30343138 32313030 35395a17

0d313530 34313832 31313035 395a3023 3121301f 06092a86 4886f70d 01090213

12636973 636f6173 612e6176 6179612e 636f6d30 82012230 0d06092a 864886f7

0d010101 05000382 010f0030 82010a02 82010100 e9b9e821 c903a3fd f1880484

da20e61e a268ba50 b438ae83 c41a62e0 e431ff74 b443a93c 236f4cce 0f7aa0b2

b1820dc1 67ed7482 7e11cb84 ef6b44c3 08e9a7c0 9ae28ff2 d26b5e6a ac38e5cd

671f14d6 314ef2a8 ab8bacb4 67b1f530 069632fc f94ce99e cdb49835 b2c833b5

5214d08d 07cad477 3a663ba5 2ec2094e 86afe499 46ad79b9 0c4bc154 2a81a6bd

64065589 e63223e1 f5cf88d6 8be83887 4abd251f f01ee7df e1ea8790 1e3dff87

5876e7f2 9d706f2c 150a8d0c 69418443 87d74997 7170a0f2 3941e71b e2f9649e

14a5d2a0 36c36ef8 cd815ee0 21d547ea 80092348 2e76bdfb 1b24aab1 3bc25673

29445779 0957afc1 5861785f b8909a16 2aee5e9b 02030100 01a38202 c0308202

bc300e06 03551d0f 0101ff04 04030205 a0301d06 03551d11 04163014 82126369

73636f61 73612e61 76617961 2e636f6d 301d0603 551d0e04 1604144f 6e3f94b3

RKD; Reviewed:

SPOC 6/24/2013



48 of 52

96x1VPNSCEPASA

9752b1b6 60666e94 3ab7c8dd a4784a30 1f060355 1d230418 30168014 04959f26

19134522 c0697e5d b979475a 1286151f 3081db06 03551d1f 0481d330 81d03081

cda081ca a081c786 81c46c64 61703a2f 2f2f434e 3d617661 79617369 6c2d5749

4e444e53 302d4341 2c434e3d 77696e64 6e73302c 434e3d43 44502c43 4e3d5075

626c6963 2532304b 65792532 30536572 76696365 732c434e 3d536572 76696365

732c434e 3d436f6e 66696775 72617469 6f6e2c44 433d6176 61796173 696c2c44

433d6176 6179612c 44433d63 6f6d3f63 65727469 66696361 74655265 766f6361

74696f6e 4c697374 3f626173 653f6f62 6a656374 436c6173 733d6352 4c446973

74726962 7574696f 6e506f69 6e743081 cf06082b 06010505 07010104 81c23081

bf3081bc 06082b06 01050507 30028681 af6c6461 703a2f2f 2f434e3d 61766179

6173696c 2d57494e 444e5330 2d43412c 434e3d41 49412c43 4e3d5075 626c6963

2532304b 65792532 30536572 76696365 732c434e 3d536572 76696365 732c434e

3d436f6e 66696775 72617469 6f6e2c44 433d6176 61796173 696c2c44 433d6176

6179612c 44433d63 6f6d3f63 41436572 74696669 63617465 3f626173 653f6f62

6a656374 436c6173 733d6365 72746966 69636174 696f6e41 7574686f 72697479

303d0609 2b060104 01823715 07043030 2e06262b 06010401 82371508 85e8ce2f

84d7af5c 85c9830b 8485c90d 839f984f 0d81bbdc 208590a9 35020164 02010430

27060355 1d250420 301e0608 2b060105 05070301 06082b06 01050508 02020608

2b060105 05070302 30330609 2b060104 01823715 0a042630 24300a06 082b0601

05050703 01300a06 082b0601 05050802 02300a06 082b0601 05050703 02300d06

092a8648 86f70d01 01050500 03820101 00ca6e17 de745b27 c1333d8b fd853312

7226fca8 30b70aa4 ed72a676 47d2acbc 669d220d b313bb57 87b29561 d747095f

fd65e653 e223f05a 4d68a2d5 6dd5fab9 f6e8b78d 98849f0d 1d82fafa e3b0d6fc

a7c0b78d f39a21d9 a862ef18 01fbbe41 0243903e 36a968a0 fe6a9763 c7677c06

b71bb7d4 5919878e e0913875 97fb07fe 9049dfc8 467e3795 1e19dc90 5bc12e1b

a650391b c762539d f5d7eda3 9be05f7e 502081b9 51219919 43e0881e 22249e22

ef4f393d 5bc9e46b 9d79dba1 38921b92 2eac6dd2 ce8edd20 51cc1989 b4ee54c8

8d32e3b4 06ea23e1 f1cc8783 35d8e01e 84ca321b 84c256f8 6e945373 773d92b9

5fe50094 a654ee94 d3646031 485f550a 74

quit

certificate ca 22adfd0c11bd03a945f4324e1d3bd43b

308203a3 3082028b a0030201 02021022 adfd0c11 bd03a945 f4324e1d 3bd43b30

0d06092a 864886f7 0d010105 05003064 31133011 060a0992 268993f2 2c640119

1603636f 6d311530 13060a09 92268993 f22c6401 19160561 76617961 31183016

060a0992 268993f2 2c640119 16086176 61796173 696c311c 301a0603 55040313

13617661 79617369 6c2d5749 4e444e53 302d4341 301e170d 31333034 31313134

32343031 5a170d31 38303431 31313433 3430305a 30643113 3011060a 09922689

93f22c64 01191603 636f6d31 15301306 0a099226 8993f22c 64011916 05617661

79613118 3016060a 09922689 93f22c64 01191608 61766179 6173696c 311c301a

06035504 03131361 76617961 73696c2d 57494e44 4e53302d 43413082 0122300d

06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100cd fee44235

4fbadc5e c5b2a0a8 c4c7082b 2fa7052c c68b3719 027bc06a 64484abb b00458d3

445c7f07 48f8ae27 c2e7391e ec0cd69b 18512d7e d872cb33 44a3f46f d44ad638

09b93f9d d5adec52 04a95fb3 4882fa3d 2c645036 6ad107ec 283f64ef 11014bb7

e0c5d4e0 40bb9b0d 6742d06c 67668f80 a90abb54 27662433 d284ec66 cbc286d5

b8bbafbb ba833285 f81b2a48 2755b62f b8e1ce0e 62ac8066 2fc064b9 1c03d721

RKD; Reviewed:

SPOC 6/24/2013



49 of 52

96x1VPNSCEPASA

2f68dc70 42badfb6 5d89468c edab9732 977996fe e3032b28 5cd1de67 c56032a0

ba210725 dd106d27 e3c9d183 142e4ac9 0ddfaa11 9a0fb53c ef09e29a b402afc4

c8b17418 2debf421 8f785f3d ec9fc0c3 80f6e2e4 05c6d14d 731bd302 03010001

a351304f 300b0603 551d0f04 04030201 86300f06 03551d13 0101ff04 05300301

01ff301d 0603551d 0e041604 1404959f 26191345 22c0697e 5db97947 5a128615

1f301006 092b0601 04018237 15010403 02010030 0d06092a 864886f7 0d010105

05000382 01010056 7e522219 c427451a 505dc249 0440a765 fcba33bd 56441010

486023aa 53379fd1 10069e5d 004766c4 c3149e03 bf44cd79 425ced4e 89e4a549

69cba47a ee02d845 4d07819a 3944ce69 668dbcb9 edb69a08 7a40a0d1 1aa9b105

08779bee a89a66b3 c41472b8 31ea80d5 ea24f87c a132c3e5 a4d9d334 1b834b65

b7f9a3b6 07e4f4fc 51ec1408 fe4ab466 f72862c3 c11e1033 b7a54bce 86e12acf

7005129a d573da5e 2a80fdec 8529c96d 3db51771 3046cf89 97c82aed a9d41504

b28e066a f01e53e6 64d1f719 f031c5a9 2be40093 ed320a9b 4fbf50e0 7313f971

2cc71e98 6d73f4c1 d89d5ebc 1ba4fb41 81f56258 89f81057 06a02894 91f85b79

b5353c69 5a04c8

quit

crypto ikev1 enable outside

crypto ikev1 policy 65535

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

client-update enable

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 10.129.112.30

group-policy DfltGrpPolicy attributes

vpn-idle-timeout 3

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client

nac-settings value DfltGrpPolicy-nac-framework-create

webvpn

anyconnect ssl keepalive none

anyconnect dpd-interval client none

anyconnect dpd-interval gateway none

anyconnect ssl compression deflate

customization value DfltCustomization

group-policy VPNPHONE internal

group-policy VPNPHONE attributes

dns-server value 10.129.112.70

vpn-tunnel-protocol ikev1

RKD; Reviewed:

SPOC 6/24/2013



50 of 52

96x1VPNSCEPASA

default-domain value avaya.com

username 1adgjm password kBMTfTmCWSZ4t1CY encrypted

username 1adgjm attributes

vpn-group-policy VPNPHONE

username 123456 password P8dZ7nOjjJPDoTgI encrypted

username 123456 attributes

vpn-group-policy VPNPHONE

username sil password 6bUugr4eBousoqAg encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

address-pool vpnphone-ip-pool

tunnel-group DefaultRAGroup ipsec-attributes

peer-id-validate nocheck

ikev1 trust-point ASA5510-trust

tunnel-group VPNPHONE type remote-access

tunnel-group VPNPHONE general-attributes

address-pool vpnphone-ip-pool

default-group-policy VPNPHONE

tunnel-group VPNPHONE ipsec-attributes

ikev1 trust-point ASA5510-trust

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

RKD; Reviewed:

SPOC 6/24/2013



51 of 52

96x1VPNSCEPASA

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:a990d7efb553df3a7babbba30c2a8c45

: end

RKD; Reviewed:

SPOC 6/24/2013



52 of 52

96x1VPNSCEPASA


Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and

™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks

are the property of their respective owners. The information provided in these Application

Notes is subject to change without notice. The configurations, technical data, and

recommendations provided in these Application Notes are believed to be accurate and

dependable, but are presented without express or implied warranty. Users are responsible for

their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the

full title name and filename, located in the lower right corner, directly to the Avaya Solution &

Interoperability Test Lab at [email protected]

mailto:[email protected]

Documents

Configuring Avaya 96x1 Series IP Telephone VPN feature