ICMPR V2.01 FEATURES NS1000

SESSION BORDER CONTROLLER (EASY UT INSTALLATION)

3.0 Session Border Controller (SBC) – Overview

• Easy connection of remote KX-UT Series SIP phones to the NS1000 can be realized by using a Mediatrix 501 Series Session Border Controller (Firmware V5.35-M4).
• Once the KX-UT phone is suitably programmed, it can be connected to the LAN at the remote office and connection will be established with the NS1000 at the main office.

[Diagram: Main Office (NS1000, Mediatrix 501 SBC) – Internet – Remote Office]

The SBC device assists in the NAT-Traversal process and can allow the connection of remote KX-UT terminals to the NS1000 without the need for a VPN.


NB: The SBC/NS1000v2 supported configuration is for the SBC to sit BEHIND the Perimeter Router/Firewall (i.e. LAN Interface Only)

3.1 Session Border Controller (SBC) – Specification

• KX-UT Series SIP Phones and 3rd Party SIP Phones which support Early Media functionality can be connected via the SBC.
• One NS1000 can be connected to one SBC device only.
• One SBC Device can support up to 20 remote connections (Simultaneous RTP Streams).
• The NS1000 can support Max 20 HTTP/HTTPS Sessions (required to manage the Remote Extension).
• eSBC501 is available in 5/10/20 session versions. (It is possible to register 20 Remote extensions on the NS1000 and use a 5 Session SBC; however, only 5 simultaneous call paths will be supported through the SBC.)

[Diagram: KX-UTxxx phones at the Remote Office (Max 20 simultaneous connections) – SIP/TR069(CWMP)/NTP – Mediatrix eSBC 501 and NS1000]

NB: If CA or other Applications are required at the Remote Office, a VPN will be required. The SBC supports KX-UT / SIP Phones only. IP-PTs (KX-NT3xx etc) and SIP Based DECT are NOT Supported by the SBC.

KX-UT supported s/w: V1.160

3.1.1 Session Border Controller (SBC) – Specification

Supported Features (Using V-UTEXT32 Card)

• Making and receiving a call
• Extension numbers are displayed
• External Caller ID is displayed (depending on system Settings)
• Conversation with G.729, G.711 and G.722 (depending on Codec Priority settings)
• Placing and retrieving a call on HOLD
• Call TRANSFER
• Call FORWARD (V-UTEXT32 Only)

3.2 Session Border Controller (SBC) – Router Programming

• No special programming is required for the Remote Office Router.
• The Main Office Router needs Port Forwarding set for SIP(UDP), RTP(UDP), TR069(CWMP) and NTP.

[Diagram: Main Office (NS1000, SBC; Port Forwarding required) – Internet – Remote Office (no additional programming required)]

NB: No Additional A/K is required in the NS1000 for SBC.

3.3 Session Border Controller (SBC) – Network Diagram Example

The example below shows a typical deployment.

Head Office:
• Router: *WAN1: 61.xxx.xxx.xxx (Provided by ISP), LAN1: 192.168.1.1
• Mediatrix SBC: LAN1: 192.168.1.254
• NS1000: MPR: 192.168.1.101, DSP: 192.168.1.102 (RTP), Netmask: 255.255.255.0, DGW: 192.168.1.1, SIP Extension Server: 192.168.1.101:15060
• PBX Extension
• Router requires Port forward settings to allow incoming traffic to the SBC, e.g.
  SIP(UDP) 15060 ---> 192.168.1.254
  RTP(UDP) 12000 – 12031 ---> 192.168.1.254

Remote Office:
• Router: *WAN2: 210.xxx.xxx.xxx (Provided by ISP), LAN2: 192.168.0.254
• SIP Extension: settings from Remote Office router (DHCP): IP: 192.168.0.1, Netmask: 255.255.255.0, DGW: 192.168.0.254. Manual settings: * SIP Server 61.xxx.xxx.xxx : 15060

*NB: IP addresses shown here are an example. In deployment, these addresses must be changed to the Global IP addresses provided by the ISP.

3.4 Session Border Controller (SBC) – What it does(1).

The example below shows what the SBC device does to allow NAT Traversal.

[Diagram: the Head Office / Remote Office network from the 3.3 example, with EXT201 at the Head Office and EXT301 at the Remote Office]

The typical problem for this scenario is that the necessary LAN IP addresses are embedded into the VoIP packet. The Routers add their own Global (WAN) IP addresses, with the result that the audio is not delivered correctly between the extensions (1-way voice etc). The SBC and PBX record the communication path and the SBC adds information to the packet so that the audio can be routed correctly. In this way, the problem scenario can be overcome.

3.4 Session Border Controller (SBC) – What it does(2).

The packet capture below illustrates how the SIP Message Header is used to route the call.

[Packet capture: Remote Router – HO SBC – HO NS1000 / EXT201]

1. Call arrives from Remote side, but has both Global and local IP Address.
2. SBC adds ‘VIA’ information and starts ‘managing’ the call.
3. NS1000 can route call correctly based on local IP Address.

NB: This is an EXAMPLE – actual process is more complex!
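What steps 1 to 3 describe, as an added example that is not from the original slides: the Python below takes a constructed, abbreviated INVITE as it would arrive at the Head Office, lists the fields that still carry the remote phone's LAN address, and applies the simplest form of the ‘VIA’ handling (received/rport on the sender's Via, plus the border element's own Via on top). The message, the public addresses 198.51.100.20 and 203.0.113.10, the source port and the function names are assumptions for illustration; the Mediatrix SBC's own processing is not shown on the slides.

```python
import ipaddress
import re

# Constructed, abbreviated INVITE: the remote phone (192.168.0.1) wrote its LAN
# address into Via, Contact and SDP, but the packet itself arrives from the
# remote router's public address.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:201@198.51.100.20:15060 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.0.1:5060;branch=z9hG4bK74bf9;rport",
    "From: <sip:301@198.51.100.20>;tag=9fxced76sl",
    "To: <sip:201@198.51.100.20>",
    "Call-ID: 3848276298220188511@192.168.0.1",
    "CSeq: 1 INVITE",
    "Contact: <sip:301@192.168.0.1:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.0.1",
    "s=-",
    "c=IN IP4 192.168.0.1",
    "t=0 0",
    "m=audio 16000 RTP/AVP 18 0",
    "",
])

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_lan(addr):
    """True for RFC 1918 addresses; malformed dotted quads are ignored."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def embedded_lan_addresses(message, source_ip):
    """Return (field, address) pairs where the message names a LAN address
    that differs from the address the packet really came from."""
    findings = []
    for line in message.split("\r\n"):
        if line.startswith(("Via:", "Contact:")):
            field = line.split(":", 1)[0]
        elif line.startswith(("o=", "c=")):
            field = "SDP " + line[:2]
        else:
            continue
        for addr in IPV4.findall(line):
            if is_lan(addr) and addr != source_ip:
                findings.append((field, addr))
    return findings


def annotate_top_via(message, source_ip, source_port, own_via):
    """Record the real source on the sender's Via (received/rport, RFC 3261
    and RFC 3581) and put the border element's own Via above it."""
    lines = message.split("\r\n")
    for i, line in enumerate(lines):
        if line.startswith("Via:"):
            sent_by = IPV4.search(line)
            if sent_by and sent_by.group(0) != source_ip:
                line += ";received=" + source_ip
            line = re.sub(r";rport(?=;|$)", ";rport=%d" % source_port, line)
            lines[i] = line
            lines.insert(i, "Via: " + own_via)
            break
    return "\r\n".join(lines)
```

The Contact and SDP findings are the ones behind one-way audio: replies and RTP addressed to 192.168.0.1 never leave the Head Office LAN, which is why the media also has to be handled by the SBC.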

3.5 Session Border Controller (SBC) – NS1000 Programming(1) – Port Numbers.

Port Number parameters (UDP/HTTP/HTTPS etc) are set as Site Property.

Configuration -> Slot -> Virtual -> Site Property -> Main -> Port Number.

NB: The values shown here are the ‘default’ values programmed in the NS1000 Unit.

3.5 Session Border Controller (SBC) – NS1000 Programming (2) – SIP Extension Ports / Server IP Address.

‘Remote’ extension parameters (Head office Router IP Address etc) are set as Site Property.

Configuration -> Slot -> Virtual -> Site Property -> Main -> SIP Extension.

• Set WAN side IP address of HQ’s Router (in this example: 66.199.255.186).
• Set port forward to SBC (Default).
• Set port forward to NS1000 (Default).

3.5 Session Border Controller (SBC) – NS1000 Programming(3) – Remote Extension Setting.

Up to 20 KX-UT Extensions can be designated as ‘Remote’. These Extensions will be controlled via the SBC. ALL RTP traffic for the Remote Extension will pass through the SBC (No P2P).

MAX 20 EXT can be assigned as remote terminal.

[Screenshot labels: Remote Enable HTTPS]

Configuration -> Slot -> Virtual -> VUTEXT32 -> Port Property -> Remote Place.

3.5 Session Border Controller (SBC) – NS1000 Programming(4) – Remote Extension Setting.

Please consider the Bandwidth requirements / availability of the Remote Location – It may be better to use a Codec which requires less bandwidth – such as G.729.

Configuration -> Slot -> Virtual -> VUTEXT32 -> Port Property -> Option.

3.5 Session Border Controller (SBC) – NS1000 Programming(5) – Remote Extension Setting.

Enable ‘Bandwidth Control’ for the P2P Group that the Remote Extension belongs to.

3. Group -> 10. P2P Group -> Bandwidth Control

Click ‘OK’

3.5 Session Border Controller (SBC) – NS1000 Programming(6) – Remote Extension Setting.

Configure the Codec priority to be used by the Remote Extension. Please consider the available bandwidth at the remote site (G.729 uses less bandwidth than G.711)!

Configuration -> 2. System -> 9. System Options -> Option 7.

Click ‘Apply’

3.6 Session Border Controller (SBC) – UT Programming(1) – Remote Extension Deployment.

There are TWO methods available for UT Deployment;

1. Register the Remote UT Extension locally at the NS1000 site and then move the extension to the remote location. When the UT phone is registered at the NS1000 site, its configuration (including SBC and WAN settings etc) will be downloaded directly from the NS1000.

2. Transfer the Configuration file stored on the NS1000 to the UT Phone which is ALREADY located at the remote site.

The two methods are described in the following slides.

3.6 Session Border Controller (SBC) – UT Programming(2) – Remote Extension Deployment.

Method 1 – Local Registration to NS1000

1. Register the desired UT Extension to the NS1000, using a V-UTEXT32 card.

2. After configuring the UT Settings described in the previous slides, ‘APPLY’ the settings and then RESET the UT Phone (either by IP RESET on the Phone display or by Power OFF/ON). The UT will then restart and download the updated configuration from the NS1000.

3. The UT Phone will display;

4. The UT Phone can now be transferred to the Remote Site and connected to the Local Router. When Connected, the UT Phone will display (Example)

[Phone display text: “Connection Error (90002) / Check Server and Set it.” and “29 OCT 12:00 SUN / 351”]

3.6 Session Border Controller (SBC) – UT Programming(3) – Remote Extension Registration.

‘Remote’ extensions will have the same IP Address as the SBC device (192.168.1.254).

Configuration -> Slot -> Virtual -> VUTEXT32 -> Port Property -> Main.

3.6 Session Border Controller (SBC) – UT Programming(4) – Remote Extension Deployment.

Method 2 – Remote Registration using NS1000 Configuration File (1)

1. After configuring the UT Settings described in the previous slides, “Save” the settings to the NS1000. (NB: The UT does not need to be registered to the NS1000 at this time)

2. The “UT_ACS_HTTPS_01NS1000.cfg” file must now be generated by the NS1000. This is only done at system Startup, so you must now Restart (Reset) the NS1000.

Maintenance -> System Control -> 4. System Reset -> Backup -> “OK”

3.6 Session Border Controller (SBC) – UT Programming(5) – Remote Extension Deployment.

Method 2 – Remote Registration using NS1000 Configuration File (2)

3. After the NS1000 has restarted, the “UT_ACS_HTTPS_01NS1000.cfg” file will have been created. This file can now be transferred PBX -> PC

4.

Maintenance -> Utility -> 2. File Transfer PBX to PC -> “Transfer”

3.6 Session Border Controller (SBC) – UT Programming(6) – Remote Extension Deployment.

Method 2 – Remote Registration using NS1000 Configuration File (3)

5. Connect the UT phone at the remote site and turn on the in-built Web-Portal using the keys [#, 5, 3, 4] and select ‘ON’.

6. Using the Browser of your PC, access the UT Web-Portal (Example http://192.168.10.1). The Default Installer Logon Details are:
Username: instoperatoruserid
Password: instpass

7. Using the ‘Maintenance’ Tab, Browse to the Config file and click ‘Import’

3.6 Session Border Controller (SBC) – UT Programming(7) – Remote Extension Deployment.

Method 2 – Remote Registration using NS1000 Configuration File (4)

8. The UT phone can now be registered to the NS1000 system using the standard ‘Manual’ or ‘Automatic’ Registration methods (NB: UT Phones do not support Extension Number Registration).

Example;

3.7 Session Border Controller (SBC) – NS1000 Programming(Reference).

The following parameters will be set to the KX-UT when it has been registered to the NS1000.

a. Setting parameters of Remote SIP-MLT

| Parameter | Description | Default (range or options) |
|---|---|---|
| NAT - CWMP Server IP Address | WAN Side IP address / Name of Router for CWMP | None |
| NAT - CWMP Server (HTTP) Port No. | WAN Side Port No. for CWMP | 7547 (1-65535) |
| NAT - CWMP Server (HTTPS) Port No. | WAN Side Port No. for CWMP | 37457 (1-65535) |
| NAT - SIP-MLT Data Download Server (HTTP) Port No. | WAN Side Port No. for Data Download | 7580 (1-65535) |
| NAT - SIP-MLT Data Download Server (HTTPS) Port No. | WAN Side Port No. for Data Download | 37580 (1-65535) |
| NAT - SIP Proxy Server IP Address | WAN Side IP address/Name for SIP | None |
| NAT - SIP Proxy Server Port No. | WAN Side Port No. for SIP | 5060 (1-65535) |
| NAT - NTP Server IP Address | WAN Side IP address for NTP | None |
| NAT - NTP Server Port No. | WAN Side Port No. for NTP | 123 (1-65535) |
| NAT - Keep Alive Packet Type | NAT – Keep Alive packet type for SIP | Blank UDP / Register / None |
| NAT - Keep Alive Packet, Sending Interval Time (s) | NAT – Keep Alive send interval | 20 (10-86400) Sec |
| NAT - SIP Register Expire Time (s) | NAT – Register Expire time | |

3.7 Session Border Controller (SBC) – NS1000 Programming(Reference).

The following parameters will be set to the KX-UT when it has been registered to the NS1000 (Cont..).

b. Networking Survivability, assigned to Remote SIP-MLT (for Secondary NS)

| Parameter | Description | Default (range or options) |
|---|---|---|
| NAT - CWMP Server (HTTP) Port No. | WAN Side Port No. for CWMP | 7547 (1-65535) |
| NAT - CWMP Server (HTTPS) Port No. | WAN Side Port No. for CWMP | 37547 (1-65535) |
| NAT - SIP Proxy Server IP Address | WAN Side IP Address/Name for SIP | none |
| NAT - SIP Proxy Server Port No. | WAN Side Port No. for SIP | 5060 (1-65535) |

c. Control Condition of Remote SIP-MLT

| Parameter | Description | Default (range or options) |
|---|---|---|
| PERIODIC Ability | PERIODIC Setting For Remote Terminal | Enable/Disable |
| PERIODIC Packet Sending Interval Time (s) | PERIODIC Setting For Remote Terminal | 30 (30-3600) Sec |

3.7 Session Border Controller (SBC) – NS1000 Programming(Reference).

Port Setting for the NS1000 PBX

Configuration -> Slot -> Virtual -> Site Property -> Main -> Port Number.

3.8 Session Border Controller (SBC) – Head Office Router Programming(1).

The following port forwarding needs to be set in the Head Office Router.

Port Forward:

| Item | Protocol | Source Port | Destination IP Address |
|---|---|---|---|
| SIP | UDP | 15060 | SBC Private IP Address |
| RTP | UDP | 35000-35999 | SBC Private IP Address |
| TR-069 | TCP | 7547 | PBX ICMPR Address |
| TR-069 | TCP | 37547 | PBX ICMPR Address |
| http | TCP | 7580 | PBX ICMPR Address |
| http | TCP | 37547 | PBX ICMPR Address |
| NTP | UDP | 123 | PBX ICMPR Address |

NB: If the Port Forward settings are not made correctly, Calling problems and/or Audio problems will occur!

3.9 Session Border Controller (SBC) – Head Office Router Programming(2).

Troubleshooting (1):

There are two common problems associated with Perimeter Router configuration:

1. Denial Of Service (DOS) Attacks (also known as FLOOD attacks)

What happens is that the attacker sends many REGISTER requests, and the PBX gets tied up responding with “404 – Not Found” messages.

Countermeasure: Do not use 5060 as the standard SIP receiving port (use a less well-known number).
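One way to spot the REGISTER flood described above in signalling logs, as an added example that is not from the original slides: the Python below counts REGISTER requests answered with 404 per source address in a sliding time window and reports the sources that exceed a threshold. The log line format, the sample lines, the 10-second window and the threshold of 5 are assumptions; adapt the parser to whatever the PBX, SBC or router actually logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format:
#   <ISO time> src=<ip> method=<method> user=<extension> status=<code>
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
                  r"user=(?P<user>\S+) status=(?P<status>\d{3})$")


def sample_log():
    """Constructed sample: a remote extension re-registering normally, one
    source guessing extension numbers, and one phone with a wrong extension."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "{} src={} method=REGISTER user={} status={}"
    lines = [fmt.format((t0 + timedelta(seconds=20 * i)).isoformat(),
                        "203.0.113.10", 301, 200) for i in range(3)]
    lines += [fmt.format((t0 + timedelta(seconds=5, milliseconds=500 * i)).isoformat(),
                         "198.51.100.77", 100 + i, 404) for i in range(8)]
    lines += [fmt.format((t0 + timedelta(seconds=30 * i)).isoformat(),
                         "203.0.113.25", 3010, 404) for i in range(2)]
    return lines


def find_register_floods(lines, window=timedelta(seconds=10), threshold=5):
    """Return {source: peak count} for every source that sent more than
    `threshold` REGISTERs answered with 404 inside any `window`."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a signalling line in the assumed format
        if m["method"] == "REGISTER" and m["status"] == "404":
            events.append((datetime.fromisoformat(m["ts"]), m["src"]))

    recent = defaultdict(deque)  # per-source timestamps still inside the window
    peaks = {}
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


if __name__ == "__main__":
    for src, peak in find_register_floods(sample_log()).items():
        print(f"{src}: {peak} failed REGISTERs within 10 s")
```

Occasional 404s from a mistyped extension stay below the threshold, so only the burst is reported; the reported sources are candidates for rate limiting or blocking at the Perimeter Router.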

3.9 Session Border Controller (SBC) – Head Office Router Programming(2).

Troubleshooting (2):

2. One-Way or No Audio Problems

Symptom: One-way voice or no voice can occur after several calls.
Reason: The RTP ports are not set correctly in the Port forwarding settings in the Router.
Countermeasure: This setting should be applied on SBC port settings (Use 35000 to 35999). It is also required that these ports should be port-forwarded to the SBC by the main Router.
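A check for the forwarding mistakes described above, as an added example that is not from the original slides: the Python below compares a router's port-forward rules with the forwards listed in section 3.8 and reports every required port that is missing or sent to the wrong host. The rule tuples, the sample router rules and the function names are assumptions, and the SBC and PBX addresses are the ones from the 3.3 example; export the real rules from the router in whatever format it provides.

```python
SBC = "192.168.1.254"   # SBC Private IP Address (3.3 example)
PBX = "192.168.1.101"   # PBX MPR address (3.3 example)

# (item, protocol, first port, last port, destination), copied row by row
# from the 3.8 table, including its repeated 37547 entry.
REQUIRED = [
    ("SIP", "udp", 15060, 15060, SBC),
    ("RTP", "udp", 35000, 35999, SBC),
    ("TR-069", "tcp", 7547, 7547, PBX),
    ("TR-069", "tcp", 37547, 37547, PBX),
    ("http", "tcp", 7580, 7580, PBX),
    ("http", "tcp", 37547, 37547, PBX),
    ("NTP", "udp", 123, 123, PBX),
]

# Constructed router rules (protocol, first port, last port, destination):
# SIP goes straight to the PBX, only the first 100 RTP ports are forwarded,
# and the 7580 forward is missing.
SAMPLE_RULES = [
    ("udp", 15060, 15060, PBX),
    ("udp", 35000, 35099, SBC),
    ("tcp", 7547, 7547, PBX),
    ("tcp", 37547, 37547, PBX),
    ("udp", 123, 123, PBX),
]


def collapse(ports):
    """Turn an ascending list of port numbers into (first, last) ranges."""
    ranges = []
    for port in ports:
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def audit(rules):
    """Return (item, protocol, first, last, problem) for every required port
    that no rule forwards, or that is forwarded to a different host."""
    problems = []
    for item, proto, first, last, dest in REQUIRED:
        missing, wrong = [], []
        for port in range(first, last + 1):
            dests = {d for pr, a, b, d in rules if pr == proto and a <= port <= b}
            if not dests:
                missing.append(port)
            elif dest not in dests:
                wrong.append(port)
        for a, b in collapse(missing):
            problems.append((item, proto, a, b, "not forwarded"))
        for a, b in collapse(wrong):
            problems.append((item, proto, a, b, "forwarded to wrong host"))
    return problems


if __name__ == "__main__":
    for item, proto, a, b, problem in audit(SAMPLE_RULES):
        span = str(a) if a == b else f"{a}-{b}"
        print(f"{item} {proto.upper()} {span}: {problem}")
```

A partly forwarded RTP range is worth looking for specifically: calls whose media lands on a forwarded port work, and audio is lost once a call uses a port outside it.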

3.10 Session Border Controller (SBC) – SBC Programming(1).

The following items need to be set in the Mediatrix SBC:
• PBX IP address, SIP EXT Port No.
• SBC LAN IP Address/Subnet mask
• Main Router LAN IP Address/WAN IP Address
• Port Setting SIP/RTP
• Firewall allow SIP/RTP packet

NB: All documents are available online on the Mediatrix Download Portal at https://support.mediatrix.com/DownloadPlus/Download.asp, or on the web site at http://www.mediatrix.com/en/sessionbordercontroller under the documentation tab.

3.10 Session Border Controller (SBC) – SBC Programming(2).

The SBC (LAN Only Mode) is used as a ‘device on a stick’. Only one port (ET1 ~ ET4) needs to be connected to the LAN. The ET0/WAN Port is NOT used and should not be connected to the Network. (The ET0/WAN port is ‘virtualised’ and used internally by the SBC when configured in LAN SIParator mode.)

NB: Do not Connect the ET0/WAN port at any time!

3.10 Session Border Controller (SBC) – SBC Programming(3).

The SBC configuration needs to be changed from its default mode to LAN SIParator mode. Due to the programming limitations of the device, the following sequence must be used:

1. Login to the SBC using the default IP Address (192.168.0.1).
2. Change the LAN Port IP-Address from 192.168.0.1 to 192.168.20.1 (Example). The reason for this is that the SBC will not allow its ET0/WAN port to share the same IP Address range as its LAN ports (ET1~4), so we must change the LAN port setting before proceeding with the configuration.
3. Set the SBC to LAN SIParator Mode. (Ports ET1~ET4 will now share the same IP-Address as set for ET0/WAN – example 192.168.0.1)
4. The necessary SIP configuration can now be set.

3.10 Session Border Controller (SBC) – SBC Programming(4).

1. Login to the SBC using the default IP Address (192.168.0.1)

User Name: admin
Password: admin

3.10 Session Border Controller (SBC) – SBC Programming(5).

2. Select ‘Network’ and change the LAN IP Address from default to 192.168.20.1 (Example)

  1. Change LAN IP Address from default value.
  2. Click ‘Apply’

3.10 Session Border Controller (SBC) – SBC Programming(6).

3. Re-configure your PC so that it lies within the same network as the SBC (192.168.20.10 Example) and re-connect to the SBC (192.168.20.1) using your Web Browser. Then change the Active Profile.

  1. Click to permanently save changes
  2. Select ‘Overview’
  3. Change profile to ‘Low’
  4. Click ‘Change’
  5. Click to permanently save changes

3.10 Session Border Controller (SBC) – SBC Programming(7).

4. Change the SBC Operating mode to LAN SIParator

  1. Select ‘Network’
  2. Select ‘LAN SIParator’ Mode
  3. Set the IP Address and Subnet Mask of the SBC
  4. Set the DNS and Default Gateway Address (Outside Router)
  5. Set SIP RTP Ports (35000~35999) and the External (WAN) IP Address of the Outside Router.

3.10 Session Border Controller (SBC) – SBC Programming(8).

5. The SBC will now reconfigure itself to LAN SIParator mode;

  1. Select ‘Save & Reboot’

The SBC will now reconfigure itself (approx 3min)

3.10 Session Border Controller (SBC) – SBC Programming(8).

6. Now that the SBC Mode and Network settings have been configured, the SIP Server settings can be made. Login to the SBC using the newly configured IP Address (192.168.0.1 Example)

  1. Select ‘Applications’ and SIP Server.
  2. Select ‘All’ and check the box.
  3. Click Apply.
  4. Save ‘Permanently’

3.10 Session Border Controller (SBC) – SBC Programming(9).

7. Configure the ‘Authorised User’ credentials

  1. Select ‘Applications’ and SIP Switch Advance.
  2. Set the SIP Address, User ID and Password for each Remote User.
  3. Click Apply.
  4. Save ‘Permanently’

Example: EXT: 301 / SIP Address: [email protected] / User ID: 301 / Password: pass301
Where 192.169.0.101 is the IP-Address of the NS1000

3.10 Session Border Controller (SBC) – SBC Programming(10).

8. Configure the ‘Far End NAT Traversal’ options

  1. Select ‘Applications’ and SIP Advanced.
  2. Configure as shown.

3.10 Session Border Controller (SBC) – SBC Programming(11).

9. Configure the SIP Server UDP Port Number and advanced settings.

NB: 5060 is not chosen as the SIP UDP port in order to reduce the risk of DOS/FLOOD attacks.

  1. Change the SIP UDP Port to ‘15050’
  2. Configure as shown.

3.10 Session Border Controller (SBC) – SBC Programming(11).

10. Disable the ‘Trusted Networks’ parameter

  1. Uncheck the box.
  2. Click Apply.
  3. Save ‘Permanently’

The SBC Configuration is now complete!

THE END.