Network Integration Guide Planning


Nortel Application Gateway 2000
Nortel Application Gateway Release 6.3
Network Integration Guide: Planning

Document Number: NN42360-200
Document Release: Standard 04.01
Date: October 2008

Copyright 2006-2008 Nortel Networks. All Rights Reserved. Sourced in Canada

LEGAL NOTICE

While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice.

Nortel, the Nortel logo, the Globemark, SL-1, Meridian 1, and Succession are trademarks of Nortel Networks. All other trademarks are the property of their respective owners.

Contents

Preface
  Audience  v
  Organization  v
  Conventions  vi
  Related Documentation  vi

Chapter 1  Overview  1
  Voice Office  1
  Security  2
  Deployment Planning  2
  Network Impacts  3

Chapter 2  Security Planning  5
  Application Gateway Security Overview  5
  General Security Issues  7
  Application Gateway Security Solutions  9
    Authentication  9
    Secure Socket Layer  10
    Cookies and Secure Cookies  11
    Other Security Features  11

Chapter 3  Deployment Planning  13
  Overview  13
    The Application Gateway Pre-Installation Checklist  14
  Considerations for Integrating the Application Gateway into an IP Phone Enterprise  14
    Location of Call Servers, IP Phones, and LDAP Servers  15
    Location of Web/Intranet Content  15
    Administration and Redundancy Requirements  15
    Relative Performance of Network Segments  16
    Quality of Service (QoS)  16
    Sample Configurations  17
      Application Gateway Location Relative to a Firewall or Router  17
      Application Gateway Operation with a Router  18

Chapter 4  Network Impacts  19

Index

Preface

This preface describes who should read the Application Gateway Network Integration Guide, how it is organized, and its document conventions.

Audience

This installation guide is intended for IT professionals and other individuals responsible for determining how the Application Gateway is to integrate into a network.

Organization

This guide is organized as follows:

Chapter 1, Overview: Provides an executive summary of this guide.
Chapter 2, Security Planning: Provides a starting point for security planning and contains a general discussion of security issues.
Chapter 3, Deployment Planning: Discusses issues to consider when planning how to integrate the Application Gateway into your network and contains sample configurations.
Chapter 4, Network Impacts: Provides a summary of how Application Gateway operation impacts a network.

Conventions

This guide uses the following conventions:

boldface font: Commands and HTML element names are in boldface.
boldface screen font: Information you must enter is in boldface screen font.

Notes use the following conventions:

Note: Means reader take note. Notes contain helpful suggestions or other important information.

Tips use the following conventions:

Tip: Means the following information will help you solve a problem. The tip information might not be troubleshooting or even an action, but could be useful information.

Cautions use the following conventions:

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Documentation

For additional information about the Application Gateway, refer to these guides:

Application Gateway Hardware Installation Guide
Application Gateway Administration Guide

Chapter 1  Overview

This document discusses issues to consider when planning how the Application Gateway will integrate into your network. Topics covered include the basic functions and operation of the Application Gateway, with emphasis on security and the interactions between the Application Gateway and your network. This chapter provides an executive summary of network integration considerations.

The Nortel Application Gateway delivers business applications to the screens and speakers of Internet-enabled IP telephones.

Voice Office

Voice Office is a suite of packaged telephony applications that requires no development work. The Voice Office Application Suite enables enterprises to further leverage their IP telephony investments and increase workforce productivity by delivering converged applications to the screens and speakers of IP phones. Voice Office applications include:

Express Directory provides an LDAP-based, organization-wide directory with high-speed, real-time pruning. This new directory user interface reduces the time to look up and dial by 75% compared to current solutions.
Zone Paging enables authorized users to page groups of IP telephones in specific zones without the expense of installing an overhead paging system.
Broadcast Server delivers priority messages such as emergency, IT, and weather alerts in the form of text, graphics, and audio alerts to IP telephones.

Security

The Application Gateway is a transparent network appliance that implements and supports industry-standard security techniques. The Application Gateway sits behind a corporate firewall and is resistant to invasion. It has been tested to ensure that it has no high- or medium-risk security vulnerabilities, and no UNIX, Web server, URL, or port vulnerabilities.

The Application Gateway fully complies with the security protocols used by IP telephones. For example, if your IP telephones support secure communications, the Application Gateway connection with the telephones will be secure. The Application Gateway uses only published interfaces to IP telephones and systems.

For a more in-depth discussion of Application Gateway security, see Chapter 2, Security Planning.

Deployment Planning

The Application Gateway installs into any network infrastructure without requiring changes to the existing hardware or back-end software. The Application Gateway sits in front of content servers and works with other networking products such as cache engines, web servers, firewalls, and routers.

The Application Gateway is designed for flexible network deployment. The location of an Application Gateway in a network is largely based on the configuration of the existing network. Regardless of the network deployment chosen, the only requirements that must be met to ensure correct operation are as follows:

The client devices (IP telephones) must be able to contact the Application Gateway on the network.
The Application Gateway must be able to contact the servers that have the requested content. Content may be generated by servers on the local network and the Web.

For more information about Application Gateway deployment planning, see Chapter 3, Deployment Planning.

Network Impacts

Sending a page or broadcasting a message through the Voice Office applications occupies audio bandwidth at a rate of 85.6 Kilobits per second. For more information on Application Gateway network impacts, see Chapter 4, Network Impacts.


Chapter 2  Security Planning

Security is a major issue in conducting any business. This chapter provides an overview of Application Gateway security. This chapter is not intended to be a comprehensive guide to planning a security strategy, as these issues will vary by organization. However, this chapter provides a starting point for security planning and outlines how the Application Gateway is capable of addressing a wide range of business and enterprise policy requirements.

The following topics describe Application Gateway security:

Application Gateway Security Overview, page 5
General Security Issues, page 7
Application Gateway Security Solutions, page 9

Application Gateway Security Overview

The Application Gateway is a transparent network appliance. It leverages existing security infrastructure to provide seamless, end-to-end, secure communication between devices and enterprise application servers. The Application Gateway sits behind a corporate firewall, uses standard security mechanisms, and is resistant to invasion.

Many devices, including IP telephones, lack security and encryption features. The Application Gateway, when used with secure web and application servers, can reduce the potential security issues associated with using such equipment. Because IP phones themselves do not have security policies, communication between the Application Gateway and IP phones is over an insecure channel. However, the Application Gateway can be deployed behind a firewall to provide a secure gateway to protect IP telephone connections beyond the firewall. The Application Gateway uses standard protocols for IP phone requests and responses.

The Application Gateway is a hardened application server and can be installed in any network with confidence that it introduces no additional security risks or liabilities. The Application Gateway has the following characteristics:

It is not possible to determine what operating system is running on the Application Gateway.
It is not general purpose. Only the processes that are running are externally visible. Unnecessary services (such as login and listener services) and unnecessary modules are removed from the Application Gateway operating system. All service interfaces are closed, providing nothing that a worm or virus could attack. As a result, the Application Gateway is not vulnerable to worms and viruses that are compiled for traditional operating systems and is fully protected against worms, viruses, and other Internet attacks. In this respect, the Application Gateway appliance is more like a closed router than a server.
It cannot be logged into. You cannot log into the operating system, only the server software, if authenticated.
It has few open ports, and those ports send packets directly to Application Gateway processes. It uses only published interfaces to IP telephones and systems. Port requirements are detailed in the Pre-Installation Checklist.
It can be fully configured only over an SSL channel that requires authentication. Minimal configuration is available through a serial port. Installation requires physical access to the device.
It has cryptographically secure licensing.
It supports 196-bit TLS SSL encryption, as well as lower and higher bit values defined in your certificate. You might prefer to lower the encryption if performance is more important than security.
It provides SSL sessions, with support for HTTPS, IMAPS, POPS, and SSMTP. SSL support enables deployment of the Application Gateway behind a firewall in order to provide a secure gateway to protect IP telephone connections beyond the firewall. The Application Gateway relies on a customer-provided firewall for protection from Denial of Service (DoS) attacks.

It supports digital certificates in Privacy Enhanced Mail (PEM) format that include a private key. You should install on the Application Gateway a digital X.509 certificate that belongs to your company. This will ensure that all SSL transactions will pass with no error warnings to device users.
For IP phone applications which require user authentication, the Application Gateway uses the authentication mechanism of the phone system. The Application Gateway passes authentication requests to the configured authentication server and returns authentication replies to the requesting IP phone. The Application Gateway does not manage or retain user credentials.
It can be configured to allow only previously identified application data or specified URLs to pass through it, or to prevent any access to the Internet.
It implements a unique and superior cookie management technique that ensures that cookies never leave the Application Gateway and are always maintained within the enterprise firewall. The Application Gateway provides virtual cookies for devices that do not natively support cookies.
It supports proxy servers and firewalls that reside on hardware other than a router.
It stores data securely in a proprietary format.
It has been tested to ensure that it has no high- or medium-risk security vulnerabilities and no UNIX, Web server, URL, or port vulnerabilities. White box testing includes verification of memory checking, buffer overflow, and open port utilization.

General Security Issues

Information traveling openly across a public network is exposed to potential risks and vulnerabilities such as theft or alteration of the transmitted data, invasion by destructive programs, and access by unauthorized users. Companies must identify the vulnerabilities they deem most important to address, and then select countermeasures to protect data as it travels to and from their site. The benefits of easy data transfer must be balanced against the protection of integrity and confidentiality. In addition, good security involves more than technology. Employees and partners must be aware of security issues, trained in best practices, and reminded often of the importance of security to their organization.

To achieve data security, an organization must provide effective methods to ensure the following:

Authentication: recognizing and verifying user identity. Authentication can be accomplished through a username and password; however, passwords can be stolen or revealed. Organizations often require a more stringent authentication process such as a digital certificate issued and verified by a Certificate Authority as part of a public key infrastructure (PKI) that ensures mutual identification.
Confidentiality: limiting data access to authorized users only. The confidentiality of sensitive information such as credit card numbers, telephone numbers, and addresses needs to be protected from access by unauthorized parties.
Access control: limiting access to data or services. After authenticating a user, the network authorizes the user to transact his or her business. A user's access level can be monitored based on the user's identification and authentication level. Different users can be granted different levels of access as needed.
Integrity: ensuring that data has not been altered during transmission.
Non-repudiation: preventing disavowal of a transaction once it is completed. The integrity and non-repudiation functions ensure that information arrives as intended and remains intact throughout the entire process, that certain information is available only to authorized users, and that a transaction cannot be disavowed either by the parties or the record-keeping mechanism.
Encryption: protecting data using a cipher. Communications security is the protection of information during transmission from unauthorized or accidental modification, destruction, and disclosure. Since it can be difficult to prevent unauthorized access to signal transmissions, the best security often involves using some form of encryption.
Privacy: protecting user identification and location data. An important aspect of security is ensuring that sensitive user information, such as location, is not compromised or misused. For example, location information may not be necessary for a particular transaction, but it could be very valuable and collecting it is subject to misuse.

Application Gateway Security Solutions

The Application Gateway supports the standard tools used to provide network security. The technologies discussed in the following sections comprise an essential and trustworthy infrastructure:

Authentication, page 9
Secure Socket Layer, page 10
Cookies and Secure Cookies, page 11
Other Security Features, page 11

Authentication

The Application Gateway supports administrator and user logins. To reach the Application Gateway administration interface, an administrator must provide valid credentials. Administrator accounts are managed through the administration interface and administrator credentials are stored on the Application Gateway as an inaccessible, one-way hash.

For IP phone users, the Application Gateway uses the authentication mechanism of the phone system for any IP phone applications which require user authentication. The Application Gateway passes authentication requests to the configured authentication server and returns authentication replies to the requesting IP phone. The Application Gateway does not manage or retain user credentials.

The Application Gateway also protects the passwords that must be entered for connections to devices needed for operations, such as LDAP servers, SMTP servers, and so on. Any password entry required for such servers is not echoed to the screen during entry or during subsequent viewing of the configuration data, either on screen or in the system logs. All passwords stored on the Application Gateway are stored as an inaccessible, one-way hash.

Secure Socket Layer

The Secure Socket Layer (SSL) protocol ensures privacy between communicating applications and their users on the Internet. SSL uses a program layer located between the Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers. SSL is included in most browsers and Web server products. Developed by Netscape, SSL has also gained the support of Microsoft and other Internet client/server developers, becoming the standard.

The Application Gateway provides SSL sessions, with support for HTTPS, IMAPS, POPS, and SSMTP. SSL support enables deployment of the Application Gateway behind a firewall in order to provide a secure gateway to protect IP telephone connections beyond the firewall.

The socket part of the term Secure Socket Layer refers to the socket method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA Security, which also includes the use of a digital certificate.

The Application Gateway supports digital certificates in Privacy Enhanced Mail (PEM) format that include a private key. You should install on the Application Gateway a digital X.509 certificate that belongs to your company. This will ensure that all SSL transactions will pass with no error warnings to device users. Certificates from Verisign and Thawte are supported.

While the Application Gateway supports 196-bit TLS SSL encryption, you have the option to lower the encryption of the certificate if performance is more important than security.
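The Authentication section and the first paragraph of this one make two claims about credential handling: administrator credentials are stored only as a one-way hash, and passwords typed into the configuration are never echoed on screen or in the system logs. The following added example (not Nortel's code; the guide does not say which hash function or configuration keys the Application Gateway uses, so PBKDF2-HMAC-SHA256, the record layout and the key names are assumptions) shows what those two mechanisms look like in practice: a salted, iterated hash with constant-time verification, and a redaction pass over a configuration mapping before it is displayed or logged.

```python
"""Administrator credential storage and secret redaction for a gateway's
administration interface. Added example: not Nortel's code, and the page does
not name the hash function the Application Gateway uses; PBKDF2-HMAC-SHA256 and
the configuration key names below are assumptions."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000          # assumed PBKDF2 work factor; raise as hardware allows
SALT_BYTES = 16
# Assumed configuration keys whose values must never be echoed or logged.
SECRET_KEY_NAMES = {"password", "passwd", "bind_password", "smtp_password"}


def hash_credential(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    Only the record is stored; the plaintext password is never written anywhere.
    A fresh random salt is drawn unless the caller supplies one (for tests)."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_credential(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time,
    so that a wrong password cannot be distinguished from a right one by timing."""
    try:
        algorithm, iteration_text, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iteration_count = int(iteration_text)
    except ValueError:
        return False          # malformed record: treat as a failed login
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iteration_count)
    return hmac.compare_digest(candidate, expected)


def redact_config(config: dict) -> dict:
    """Return a copy of a configuration mapping that is safe to show on screen or
    write to the system log: every secret-valued key is replaced by asterisks.
    Nested sections (for example per-server settings) are handled recursively;
    the original mapping is left untouched."""
    redacted = {}
    for key, value in config.items():
        if isinstance(value, dict):
            redacted[key] = redact_config(value)
        elif key.lower() in SECRET_KEY_NAMES or key.lower().endswith("password"):
            redacted[key] = "********"
        else:
            redacted[key] = value
    return redacted


if __name__ == "__main__":
    # Constructed sample: one administrator account and one LDAP server definition.
    admin_record = hash_credential("Adm1n-example")
    print("stored record:", admin_record)
    print("login ok:", verify_credential("Adm1n-example", admin_record))
    print("login bad:", verify_credential("wrong", admin_record))
    ldap_config = {"ldap": {"host": "ldap.example.internal",
                            "bind_dn": "cn=agw,dc=example",
                            "bind_password": "s3cret-example"}}
    print("log view:", redact_config(ldap_config))
```

The hashed form suits credentials the gateway itself verifies, such as administrator logins. A password the gateway must present to another system (an LDAP bind or SMTP login) has to be recoverable at connection time, so for those the protection in practice is the redaction shown here plus restricted access to the stored configuration.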

Cookies and Secure Cookies

Many Internet sites do not allow entry unless cookies are enabled; many IP phones have no ability to accept cookies. Other solutions address this cookie management problem by caching cookies on the server and using some unique identifier, such as the device ID, to associate cookies with a particular user. The cookie for that particular session is included in the URL and is valid only for that session. Once the session is terminated, the cookie is flushed from the cache. This approach offers no security since the packets can be intercepted by a third party and used to spoof the content-adaptation device into sending the data to the interloper. More importantly, this approach makes no distinction between unsecured and secure cookies.

The Application Gateway implements a unique and superior cookie management technique that ensures that cookies are always maintained within the enterprise firewall, retained between the Application Gateway and the application server. The Application Gateway provides virtual cookies for devices that do not natively support cookies. The device user is never aware of the cookie.

Other Security Features

Products on LANs must control access to unauthorized sites and addresses via ftp, telnet, and other services. IP phone Voice Applications access only the sites configured for the applications.

The Application Gateway also:

Has a configurable buffer size, to control the amount of data that can be pulled into the Application Gateway before being sent to the client. If an object exceeds the maximum buffer size, the Application Gateway drops the object.
Supports the upload of software upgrades over a secure SSL-protected channel. All access to the Application Gateway can be secured with SSL connections.
Provides system logs that can be secured when used with a secure syslog server.
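The cookie-management technique described above (cookies retained between the gateway and the application server, a virtual cookie on behalf of the phone, and a distinction between secure and unsecured cookies) and the buffer-size limit listed under Other Security Features are both gateway-side request/response rewriting. The added example below (not Nortel's code; the guide does not describe the Application Gateway's internal data structures, so the CookieGateway class, its opaque session tokens, the default buffer size and the sample headers are all constructed for illustration) models both: Set-Cookie headers from the server are absorbed into a per-session jar that the phone never sees, cookies marked Secure are only replayed over HTTPS, and a response larger than the buffer is dropped rather than forwarded.

```python
"""Gateway-side cookie jar with virtual sessions and a response buffer limit.
Added example: this is not Nortel's code and the page does not describe the
Application Gateway's internal data structures. The session-token scheme,
the CookieGateway class and the sample headers below are constructed for
illustration."""
import secrets
from http.cookies import SimpleCookie

DEFAULT_MAX_OBJECT_BYTES = 64 * 1024   # assumed value for the configurable buffer size


class CookieGateway:
    """Holds every cookie an application server sets, keyed by an opaque session
    token that never appears in a URL, and rewrites traffic in both directions:
    the phone never sees a Set-Cookie header, and the server sees a normal
    Cookie header built from the jar."""

    def __init__(self, max_object_bytes: int = DEFAULT_MAX_OBJECT_BYTES):
        self.max_object_bytes = max_object_bytes
        # token -> {(host, cookie name): (value, secure flag)}
        self._jars: dict = {}

    def new_session(self) -> str:
        """Create a session for one device; the token stays inside the gateway."""
        token = secrets.token_urlsafe(16)
        self._jars[token] = {}
        return token

    def end_session(self, token: str) -> None:
        """Flush the device's cookies when its session terminates."""
        self._jars.pop(token, None)

    def outbound_headers(self, token: str, host: str, scheme: str) -> dict:
        """Headers the gateway adds to its own request to `host`. Cookies the
        server marked Secure are only replayed over HTTPS, which is the
        secure/unsecured distinction the text says other schemes lack."""
        jar = self._jars[token]
        pairs = [f"{name}={value}"
                 for (cookie_host, name), (value, secure) in jar.items()
                 if cookie_host == host and (scheme == "https" or not secure)]
        return {"Cookie": "; ".join(pairs)} if pairs else {}

    def relay_response(self, token, host, status, headers, body):
        """Absorb Set-Cookie headers into the jar and return (status, headers,
        body) as the phone should receive it, or None if the object exceeds the
        gateway buffer and is dropped."""
        if len(body) > self.max_object_bytes:
            return None
        jar = self._jars[token]
        forwarded = []
        for name, value in headers:
            if name.lower() != "set-cookie":
                forwarded.append((name, value))
                continue
            parsed = SimpleCookie()
            parsed.load(value)          # parses "name=value; Path=/; Secure; HttpOnly"
            for morsel in parsed.values():
                jar[(host, morsel.key)] = (morsel.value, bool(morsel["secure"]))
        return status, forwarded, body


if __name__ == "__main__":
    gw = CookieGateway()
    token = gw.new_session()
    # Constructed sample response from an application server.
    reply = gw.relay_response(token, "app.example.internal", 200,
                              [("Content-Type", "text/html"),
                               ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
                               ("Set-Cookie", "auth=zzz; Secure")],
                              b"<html>welcome</html>")
    print("phone receives:", reply)
    print("next HTTPS request carries:", gw.outbound_headers(token, "app.example.internal", "https"))
    print("next HTTP request carries:", gw.outbound_headers(token, "app.example.internal", "http"))
```

Because the token is only ever a key in the gateway's own map, capturing packets between phone and gateway yields neither the application cookies nor anything that can be replayed against the gateway in the way the URL-embedded cookie scheme allows; ending the session discards the jar, matching the "never leaves the enterprise firewall" property the text describes.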


Chapter 3  Deployment Planning

The following topics describe issues to consider when planning how to integrate the Application Gateway into your network and contain sample configurations for delivering applications to IP phones:

Overview, page 13
Considerations for Integrating the Application Gateway into an IP Phone Enterprise, page 14

Overview

One or more Application Gateways can be installed within a LAN environment at each customer location. Sites that want to use Broadcast Server and Zone Paging across IP phones associated with multiple Application Gateways must group the Application Gateways into a cluster. An Application Gateway cluster enables the IP phones to send alerts and pages to distribution lists and zones that include phones from all Application Gateways in the cluster. For more information about clusters, refer to the Application Gateway Administration Guide.

The Application Gateway sits in front of content servers and works with other networking products such as cache engines, web servers, firewalls, Virtual Private Network (VPN) solutions, and routers. Regardless of the network deployment chosen, the only requirements that must be met to ensure correct operation are as follows:

The client devices (IP telephones) must be able to see the Application Gateway on the network.
The Application Gateway must be able to see the requested content. Content may be generated by servers on the local network and the Web.

To satisfy those requirements, you can specify gateways and static routing during Application Gateway configuration.

The Application Gateway administration interface includes a variety of standard Linux monitoring applications to help you understand the networking from the Application Gateway to other devices. The monitoring applications include My traceroute, the Ethereal Network Analyzer, and xnettools.

The Application Gateway Pre-Installation Checklist

As one of the first steps in planning Application Gateway deployment, we recommend that you review the Pre-Installation Checklist that is provided with the Application Gateway. The checklist includes information such as the following:

The software release requirements for your phone system.
A list of all incoming and outgoing ports required to be open for Application Gateway usage.
A list of all information that must be collected before Application Gateway installation, including the IP address and port numbers of connected devices such as LDAP servers and call servers.

Considerations for Integrating the Application Gateway into an IP Phone Enterprise

The choice of the best Application Gateway deployment model depends on a number of factors, including the considerations discussed in the following sections:

Location of Call Servers, IP Phones, and LDAP Servers, page 15
Location of Web/Intranet Content, page 15
Administration and Redundancy Requirements, page 15
Relative Performance of Network Segments, page 16
Quality of Service (QoS), page 16

Location of Call Servers, IP Phones, and LDAP Servers

Voice application operation requires that the Application Gateway is deployed on VLAN(s) that can connect to the following services simultaneously: call servers, call management servers, IP phones, and the LDAP servers used by the Application Gateway.

The Application Gateway is typically installed on the T-LAN. Most customers treat the Application Gateway as another telephone server (just like signaling servers, for example). The Application Gateway is rarely installed on the C-LAN and even more rarely installed on the E-LAN. In some cases, installing on a T-LAN requires that you use both Network Interface Cards of the Application Gateway. For example, perhaps the T-LAN is completely segmented from the rest of the network and cannot talk to the LDAP server, or perhaps communication with the CallPilot server is blocked with Access Control Lists (ACLs).

Location of Web/Intranet Content

If the target content, applications, and/or the IP telephones are distributed, you may want to distribute the Application Gateway as well. It is, for example, often desirable to place an Application Gateway as close to the source of content as possible (a centralized installation) when delivering application content. The Application Gateway greatly reduces the amount of content transmitted to IP telephones, resulting in lower bandwidth demands, improved server performance, or both. This configuration may also minimize the number of Application Gateways deployed, depending on the number of phones and the demand for content delivery. On the other hand, as discussed below, it may be desirable to deploy additional Application Gateways at remote sites as a means of improving the security of transmitted data.

Administration and Redundancy Requirements

These factors are highly dependent on the requirements of the enterprise, and the Application Gateway is adaptable to these needs. It can be centrally administered or controlled from distributed locations.

Phone service redundancy is also a consideration in the design of an installation. If a centralized soft switch topology fails because of a hardware or network outage, the IP telephones will be unable to reach the IP address of the soft switch. Without survivable remote telephony features for voice, or a redundant network infrastructure, both voice and data transmission will fail in this scenario, independent of Application Gateway redundancy.

Note Providing Application Gateway redundancy does not imply that the phone services themselves are redundant.

Relative Performance of Network Segments

An important function of an Application Gateway is that it reduces the amount of content sent, and therefore the bandwidth needed to transmit data to an IP telephone. This may mean that it is advantageous to deploy it as close to the application content as possible, depending on network speed. The relative performance of network segments may also affect Quality of Service (QoS) considerations, as discussed below.

Quality of Service (QoS)

An IP Telephony installation that uses dedicated Voice VLANs, and that also allows the IP telephones to access applications through an Application Gateway, must provide for at least limited data traffic on those VLANs, because the only connection the IP telephones have is the Voice VLAN. This means that the QoS configuration of the network may need to be adjusted to ensure that the Application Gateway has sufficient bandwidth to operate effectively. A number of variables may be involved, including the volume of data requested and the response time expected by users.

Phone service requests and responses over HTTP are not marked. If QoS is implemented in the enterprise, the HTTP traffic coming from the IP telephone will be classified as best effort, so under congestion it is the first traffic to be delayed or dropped while the marked voice traffic is protected. Unless the application itself marks its traffic, phone service traffic cannot be guaranteed timely HTTP content delivery to the IP telephone.
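The following Python block is an added example, not code from the Nortel guide or the Application Gateway, illustrating the two sides of the QoS point above: how to read the DSCP value out of an IPv4 header (for example from a capture on the Voice VLAN) to confirm that phone HTTP really is travelling as best effort next to EF-marked voice, and how an application can mark its own HTTP socket with IP_TOS when "implemented by the application". The packet headers are constructed inline, and the choice of AF41 (DSCP 34) for application data is an assumption for illustration, not a recommendation from the guide.

```python
"""DSCP audit and socket marking for phone-service HTTP traffic (added example)."""
import socket
import struct

DSCP_BEST_EFFORT = 0    # default class; unmarked phone HTTP lands here
DSCP_EF = 46            # expedited forwarding, the usual voice bearer class
DSCP_AF41 = 34          # assumed class for application data in this example


def dscp_from_ipv4_header(header: bytes) -> int:
    """Return the 6-bit DSCP from the DS (former TOS) byte, the second byte of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1] >> 2          # upper six bits are DSCP, lower two are ECN


def tos_byte_for_dscp(dscp: int) -> int:
    """DS byte value to pass to IP_TOS: DSCP shifted past the two ECN bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp << 2


def build_ipv4_header(dscp: int, proto: int, src: str, dst: str, payload_len: int = 0) -> bytes:
    """Constructed minimal IPv4 header (checksum left zero) used only to feed the parser."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                       # version 4, IHL 5 (20 bytes)
        tos_byte_for_dscp(dscp),
        20 + payload_len,           # total length
        0,                          # identification
        0x4000,                     # flags: don't fragment, offset 0
        64,                         # TTL
        proto,
        0,                          # header checksum (not computed here)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )


def classify(dscp: int) -> str:
    """Human-readable class name for a DSCP value."""
    if dscp == DSCP_EF:
        return "voice (EF)"
    if dscp == DSCP_BEST_EFFORT:
        return "best effort"
    return f"marked (DSCP {dscp})"


def marked_http_socket(dscp: int = DSCP_AF41) -> socket.socket:
    """TCP socket whose outgoing packets carry the given DSCP (IP_TOS on Linux/BSD).

    This is what an application must do itself; the guide notes that phone
    service HTTP is otherwise unmarked.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos_byte_for_dscp(dscp))
    return s


def audit_sample() -> dict:
    """Constructed packets: an EF-marked voice bearer (UDP) and an unmarked phone HTTP request (TCP)."""
    rtp = build_ipv4_header(DSCP_EF, 17, "10.10.1.101", "10.10.1.102", 172)
    http = build_ipv4_header(DSCP_BEST_EFFORT, 6, "10.10.1.101", "10.10.1.20", 300)
    return {
        "rtp": classify(dscp_from_ipv4_header(rtp)),
        "http": classify(dscp_from_ipv4_header(http)),
    }


if __name__ == "__main__":
    for name, cls in audit_sample().items():
        print(f"{name}: {cls}")
```

Run the parser over real headers from a capture taken on the Voice VLAN: any phone HTTP flow that comes back as "best effort" is traffic that the network's QoS policy will shed first under congestion, and the fix is either application-side marking as in marked_http_socket or a classifier on the access switch.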

Sample Configurations

The configuration samples in this section describe how the Application Gateway operates in some common network configurations. The network environment in which you place the Application Gateway will ultimately determine its best placement.

Application Gateway Location Relative to a Firewall or Router

When connecting the Application Gateway to your network, you typically place it either inside a firewall, inside a router, or straddling a firewall. An Application Gateway that supports Voice Office applications is typically connected to a firewall or router through one of its two interfaces. If the Application Gateway straddles networks, you will need to use both interfaces to connect it to the networks: one interface connects to the DMZ (external) network and the other to the LAN (internal) network. In that position the Application Gateway is itself the crossing point between the two networks, so the firewall rules on each side should admit only the ports the Pre-Installation Checklist requires.

When the Application Gateway straddles a firewall or is in front of a router, it will need routes for reaching any subnets that are not automatically available through your default gateway. You can configure the Application Gateway so that it uses your routing tables or the routes that you specify.

Application Gateway Operation with a Router

The following illustration shows an Application Gateway connected to application servers through a router in an IP phone enterprise.

Note The application servers in the illustration represent the variety of devices that the Application Gateway connects to, including application and Web servers, LDAP servers, and call servers.

When an IP phone requests application content, the Application Gateway accepts the request from the device and requests the content from the back-end servers on the phone's behalf.
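The following Python script is an added example, not part of the Nortel guide, of the reachability check a planner would run from the Application Gateway host once the Pre-Installation Checklist has been filled in. It serves three passages above: the checklist's list of required ports and connected devices, the two-NIC case where the T-LAN cannot reach the LDAP server or an ACL blocks the Call Pilot server, and the straddling deployment where one interface sits in the DMZ and the other on the LAN. Each required service is tested with a TCP connect bound to a specific local interface address, so the report shows which segment reaches which server. A refused connection means the host answered but nothing is listening on that port; a timeout usually means a firewall or ACL is silently dropping the traffic. The hosts, ports and interface addresses in SAMPLE_SERVICES are constructed placeholders; the real values come from the checklist.

```python
"""Pre-installation reachability check for an Application Gateway (added example)."""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Constructed sample (role, server host, port, local interface address to test from).
# Addresses and ports are placeholders, not values from the guide.
SAMPLE_SERVICES: List[Tuple[str, str, int, str]] = [
    ("call server", "10.10.1.5", 4100, "10.10.1.20"),   # reached from the T-LAN interface
    ("LDAP", "10.20.3.8", 636, "10.20.3.40"),            # reached from the second interface
    ("web content", "10.20.3.9", 443, "10.20.3.40"),
]


@dataclass
class CheckResult:
    role: str
    host: str
    port: int
    source: str
    reachable: bool
    detail: str = ""     # exception class name when unreachable, e.g. TimeoutError


def tcp_connect(host: str, port: int, source: str, timeout: float) -> bool:
    """Real connector: bind to the chosen local interface address, then connect."""
    with socket.create_connection((host, port), timeout=timeout, source_address=(source, 0)):
        return True


def check_services(
    services: Iterable[Tuple[str, str, int, str]],
    connect: Callable[[str, int, str, float], bool] = tcp_connect,
    timeout: float = 3.0,
) -> List[CheckResult]:
    """Try every required service and record whether the path to it is open.

    The connector is injectable so the logic can be exercised offline.
    """
    results = []
    for role, host, port, source in services:
        try:
            connect(host, port, source, timeout)
            results.append(CheckResult(role, host, port, source, True))
        except OSError as exc:
            # TimeoutError: likely filtered by a firewall/ACL.
            # ConnectionRefusedError: host reachable, no listener on that port.
            # Other OSError: route or interface problem (e.g. no route to host).
            results.append(CheckResult(role, host, port, source, False, type(exc).__name__))
    return results


def blocked(results: Iterable[CheckResult]) -> List[CheckResult]:
    """Services that could not be reached; each is a route, ACL or firewall item to fix."""
    return [r for r in results if not r.reachable]


def report(results: Iterable[CheckResult]) -> str:
    """Plain-text summary suitable for attaching to the completed checklist."""
    lines = []
    for r in results:
        state = "ok" if r.reachable else f"BLOCKED ({r.detail})"
        lines.append(f"{r.role:<12} {r.host}:{r.port:<5} via {r.source:<14} {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_services(SAMPLE_SERVICES)))
```

Binding to a source address per check is what makes the two-interface case visible: the same LDAP server may be reachable from the LAN-side interface and blocked from the T-LAN-side one, which is exactly the situation that forces the second NIC into use.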

Chapter 4 Network Impacts

For best performance, the Application Gateway should be placed on the data VLAN. Voice Office traffic over the data VLAN is prioritized lower than phone calls, which go over the voice VLAN. Use of Voice Office applications has the following network impacts:

- Telephone registration with the Application Gateway is the equivalent of a standard web request.
- Browsing in Express Directory generates minimal traffic.
- Sending a page to a zone occupies audio bandwidth at a rate of 85.6 Kilobits per second (Kbps) per recipient. If a page is sent to a zone that contains 100 phones, the page is sent 100 times (to each phone separately), just like a phone call to each phone. However, a page goes over the data VLAN, so it is prioritized lower than phone calls, which go over the voice VLAN.

To determine the expected bandwidth impact of paging, use the following formula:

(Number of pages in the busy hour) x (Average number of recipients) x (Average length of a page, in seconds) x 85.6 Kbps

The result is a volume in kilobits over the busy hour, not a rate. Suppose that 5 pages are sent during the busy hour to 10 recipients and that the pages average 60 seconds in length. The bandwidth impact for the paging would be 5 x 10 x 60 x 85.6, or 256,800 kilobits over the busy hour, an average of about 71 Kbps across the hour. While any single page is in progress, the data VLAN carries 10 x 85.6, or 856 Kbps, because each recipient receives its own stream.

- Broadcasting a message occupies audio bandwidth at a rate of 85.6 Kbps. The message size is determined by multiplying the size of the data (voice/text/image) by the number of phones to which the broadcast is pushed.

To determine the expected bandwidth impact of broadcasting a message, use the following formula:

(Number of broadcast messages in the busy hour) x (Average number of recipients) x (Average broadcast size, in bytes) x 85.6 Kbps

Suppose that 5 broadcasts are sent during the busy hour to 10 recipients and that the broadcasts average 30 bytes in size. The bandwidth impact for the broadcasts would be 5 x 10 x 30 x 85.6, or 128,400. Note that this formula multiplies a byte count by a bit rate, so treat the figure as a relative sizing number rather than as Kbps: the data actually pushed is messages x recipients x size (here 1,500 bytes), and the 85.6 Kbps rate applies per recipient while audio is playing.
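The following Python block is an added example, not code from the Nortel guide, that carries the paging formula above through to the figures a planner actually needs: the busy-hour volume the guide computes, the average rate that volume implies across the hour, and the peak load while one page is playing to every recipient (each phone receives its own 85.6 Kbps stream). It then checks that peak against the share of a link left for best-effort data, since pages travel on the data VLAN below voice priority. The broadcast calculation is this example's reading of "data size times number of phones" expressed in kilobits and is labelled as an assumption; the reserved-fraction default and the link sizes are assumptions too. Input values are the guide's own worked numbers.

```python
"""Busy-hour sizing for Zone Paging and broadcasts (added example)."""
from dataclasses import dataclass

PAGE_RATE_KBPS = 85.6      # per-recipient audio rate given in the guide
BUSY_HOUR_SECONDS = 3600


@dataclass(frozen=True)
class PagingPlan:
    pages_per_busy_hour: int
    avg_recipients: int
    avg_length_seconds: float

    def busy_hour_kilobits(self) -> float:
        """The guide's formula: pages x recipients x seconds x 85.6.

        The product is kilobits sent during the busy hour, not a rate.
        """
        return (self.pages_per_busy_hour * self.avg_recipients
                * self.avg_length_seconds * PAGE_RATE_KBPS)

    def average_kbps(self) -> float:
        """Busy-hour volume spread evenly across the hour."""
        return self.busy_hour_kilobits() / BUSY_HOUR_SECONDS

    def peak_kbps(self) -> float:
        """Load on the data VLAN while one page plays: one 85.6 Kbps stream per recipient."""
        return self.avg_recipients * PAGE_RATE_KBPS

    def fits_link(self, link_kbps: float, voice_reserved_fraction: float = 0.5) -> bool:
        """Does the peak fit in the part of the link not reserved for voice?

        The 50% default is an assumption for illustration; use the site's
        actual QoS policy. Pages are best effort, so they must fit in what
        the voice class leaves over, not in the whole link.
        """
        if not 0 <= voice_reserved_fraction < 1:
            raise ValueError("reserved fraction must be in [0, 1)")
        return self.peak_kbps() <= link_kbps * (1 - voice_reserved_fraction)


def broadcast_payload_kilobits(messages: int, avg_recipients: int, avg_size_bytes: int) -> float:
    """Assumed reading of the guide's broadcast sizing: every recipient gets its own copy.

    Returns the pushed data volume in kilobits (bytes x 8 / 1000), which is a
    dimensionally consistent alternative to multiplying bytes by 85.6 Kbps.
    """
    return messages * avg_recipients * avg_size_bytes * 8 / 1000


# The guide's worked numbers: 5 pages, 10 recipients, 60 seconds.
GUIDE_EXAMPLE = PagingPlan(pages_per_busy_hour=5, avg_recipients=10, avg_length_seconds=60)


def summary(plan: PagingPlan, link_kbps: float) -> dict:
    """All sizing figures for a plan against a given data-VLAN link (link size is an assumption)."""
    return {
        "busy_hour_kilobits": round(plan.busy_hour_kilobits(), 1),
        "average_kbps": round(plan.average_kbps(), 1),
        "peak_kbps": round(plan.peak_kbps(), 1),
        "fits": plan.fits_link(link_kbps),
    }


if __name__ == "__main__":
    for link in (1544.0, 10000.0):          # assumed T1 and 10 Mbps data links
        print(link, summary(GUIDE_EXAMPLE, link))
    print("broadcast kilobits:", broadcast_payload_kilobits(5, 10, 30))
```

The average figure is the one to put in a capacity plan; the peak figure is the one that decides whether a single page to a large zone will starve other best-effort traffic on a slow remote link, which is where the guide's advice to weigh remote Application Gateways comes in.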

Index

A
access control 8
Application Gateway
  and authentication 7
  buffer 11
  clusters 13
  cookie management 7
  forced secure connections 11
  interfaces 6
  network impact 19
  network location 2
  operating system 6
  operation with router 18
application server connection, illustrated 18
authentication 8
  IP phones 9
  requests from applications 7
  solutions 9

B
Broadcast Server 2
  network impact 19

C
certificate support 7, 10
clusters 13
confidentiality 8
cookie management 7
cookies 11

D
deployment
  overview 2, 13
  with firewall 17
  with router 17
  with server load balancer 17
digital certificate support 7, 10

E
encryption 8
  TLS SSL 6, 10
Express Directory 1

F
firewall connection, illustrated 17

I
integrity 8
IP phone enterprise
  application server connection, illustrated 18
  authentication 9

N
network impacts 19
non-repudiation 8

P
passwords 9
port requirements 6
Pre-Installation Checklist 14
privacy 9
proxy servers 7

S
security
  application authentication 7
  features 6
  IP phones 5
  of software upgrades 11
  overview 2
  system logs 11
server load balancer connection, illustrated 17
SSL
  and performance 10
  session support 6, 10

V
Voice Office applications 1

Z
Zone Paging 1
  network impact 19

Nortel Application Gateway 2000 Network Integration Guide Planning

Copyright 2006-2008 Nortel Networks. All Rights Reserved.

LEGAL NOTICE
While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice.

Nortel, the Nortel logo, the Globemark, SL-1, Meridian 1, and Succession are trademarks of Nortel Networks. All other trademarks are the property of their respective owners.

Publication number: NN42360-200
Document release: Standard 04.01
Date: October 2008
Sourced in Canada

To provide feedback or report a problem in this document, go to www.nortel.com/documentfeedback.