Allstream NGNSIP Security Recommendations

Similar documents
Abstract. Avaya Solution & Interoperability Test Lab

Avaya PBX SIP TRUNKING Setup & User Guide

Network Configuration Guide

Application Note. ShoreTel / Ingate / Verizon Business SIP Trunking. 09 June 2017 Version 1 Issue 2

Application Notes for Configuring SIP Trunking between McLeodUSA SIP Trunking Solution and an Avaya IP Office Telephony Solution Issue 1.

SV9100 SIP Trunking Service Configuration Guide for Cable ONE Business

Draft Version. Setup Reference guide for KX-HTS Series (Tested with HTS32 Version 1.5) VozTelecom SIP Trunk service with Built-in Router

EarthLink Business SIP Trunking. Allworx 6x IP PBX SIP Proxy Customer Configuration Guide

SBC Site Survey Questionnaire Forms

Draft Version. Setup Reference guide for KX-HTS Series (Tested with HTS32 Version 1.5) Peoplefone SIP Trunk service with External Router

Proximus can't be held responsible for any damages due to the use of an outdated version of this specification.

Implementation and Planning Guide

EarthLink Business SIP Trunking. Toshiba IPEdge 1.6 Customer Configuration Guide

Draft Version. Setup Reference guide for KX-HTS Series (Tested with HTS824 Version 1.5) LCR SIP Trunk service with Built-in Router

EarthLink Business SIP Trunking. ShoreTel 14.2 IP PBX Customer Configuration Guide

Application Notes for Configuring SIP Trunking between Global Crossing SIP Trunking Service and an Avaya IP Office Telephony Solution Issue 1.

Draft Version. Setup Reference guide for KX-HTS Series (Tested with HTS824 Version 1.5) Netia SIP Trunk service with External Router

DMP 128 Plus C V DMP 128 Plus C V AT

Application Notes for Configuring CenturyLink SIP Trunking with Avaya IP Office Issue 1.0

Application Notes for Avaya IP Office Release 8.0 with AT&T Business in a Box (BIB) over IP Flexible Reach Service Issue 1.0

EarthLink Business SIP Trunking. Asterisk 1.8 IP PBX Customer Configuration Guide

BT SIP Trunk Configuration Guide

RP-FSO522 2-Line FXO, 2-Line FXS SIP IP Gateway. Feature

Unofficial IRONTON ITSP Setup Guide

DMP 128 Plus C V DMP 128 Plus C V AT. Avaya Aura Configuration Guide REVISION: DATE: MARCH 7 TH 2018

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1

Spectrum Enterprise SIP Trunking Service NEC Univerge SV9100 IP PBX Configuration Guide

Recommended Network Configurations

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Implementing Cisco Voice Communications & QoS (CVOICE) 8.0 COURSE OVERVIEW: WHO SHOULD ATTEND: PREREQUISITES: Running on UC 9.

Application Notes for Configuring Tidal Communications tnet Business VoIP with Avaya IP Office using SIP Registration - Issue 1.0

Broadvox Fusion Platform Version 1.2 ITSP Setup Guide

KX-NCP500/KX-NCP1000: PBMPR

Communications Transformations 2: Steps to Integrate SIP Trunk into the Enterprise

Spectrum Enterprise SIP Trunking Service NEC Univerge SV8100 IP PBX Configuration Guide

Xchange Telecom SIP Trunk Setup

Configuration guide for Switchvox and PAETEC

INTERFACE SPECIFICATION SIP Trunking. 8x8 SIP Trunking. Interface Specification. Version 2.0

Page 2 Skype Connect Requirements Guide

CUCM 10.5 / CUBE 9.5. BT SIP Trunk Configuration Guide. 1 BT SIP Trunk Configuration Guide

AT&T IP Flexible Reach And IP Toll Free Cisco Unified Communication Manager H.323 Configuration Guide. Issue /3/2008

Broadvox Fusion SIP Trunks Configuration Guide PBX Platform: KX-TDA50

NEC: SIP Trunking Configuration Guide V.1

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

Table of Contents. CRA-200 Analog Telephone Adapter 2 x Ethernet Port + 2 x VoIP Line. Quick Installation Guide. CRA-200 Quick Installation Guide

USER GUIDE. Alcatel OmniPCX Office OXO-Fusion 360 SIP Trunk Programming Guide 11/07/2017

Comparative table of the call capacity of KMG 200 MS: Number of SBC calls Maximum TDM channels Total calls Bridge**

Abstract. Avaya Solution & Interoperability Test Lab

Application Notes for Configuring SIP Trunking between Bandwidth.com SIP Trunking Solution and an Avaya IP Office Telephony Solution Issue 1.

CompTIA Network+ Study Guide Table of Contents

HIGH DENSITY MEDIA GATEWAY WITH MODULAR INTERFACES AND SBC. Comparative table for call capacities of the KMG SBC 750:

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

Application Notes for Configuring Windstream SIP Trunking with Avaya IP Office - Issue 1.0

Application Notes for Configuring the XO Communications SIP Trunking Service with Avaya IP Office 10.0 Issue 1.0

SIP Trunking Application Notes V2.0

UX5000 With Cbeyond s. BeyondVoice Setup P/N Rev 6, August 2009 Printed in U.S.A. Technical Support Web Site:

Application Note Configuration Guide for ShoreTel and Ingate

Mitel Technical Configuration Notes HO858

Implementing Cisco IP Telephony & Video, Part 1 (CIPTV1) 1.0

Cisco Webex Cloud Connected Audio

BandTel SIP Trunk Setup

SIP TRUNKING CARRIER CERTIFICATION OXE-SIP configuration

Application Note Configuration Guide for ShoreTel and Ingate with PAETEC

IMPLEMENTING CISCO VOICE COMMUNICATIONS AND QOS

DMP 128 Plus C V DMP 128 Plus C V AT. Avaya Aura Configuration Guide REVISION: 1.1 DATE: SEPTEMBER 1 ST 2017

Thank you for purchasing a Panasonic Pure IP-PBX. Please read this manual carefully before using this product and save this manual for future use.

CUCM XO SIP Trunk Configuration Guide

Overview of SIP. Information About SIP. SIP Capabilities. This chapter provides an overview of the Session Initiation Protocol (SIP).

Avaya IP Office 4.1 SIP Customer Configuration Guide For use with AT&T IP Flexible Reach. Issue th April 2008

nexvortex Setup Guide

VoIP Basics. 2005, NETSETRA Corporation Ltd. All rights reserved.

EarthLink Business SIP Trunking. Cisco CME IP PBX Customer Configuration Guide

This guide assists users to configure the Allworx VoIP Phone System and XO SIP Services.

Application Notes for Configuring SIP Trunking between CenturyLink SIP Trunk (Legacy Qwest) Service and Avaya IP Office R8.0 (16) Issue 1.

2.2 Interface Capabilities Supported

Application Notes for Configuring Windstream using Genband G9 SIP Trunking with Avaya IP Office Issue 1.0

Application Notes for Configuring EarthLink SIP Trunk Service with Avaya IP Office using UDP/RTP - Issue 1.0

Course Outline: Implementing Cisco IP Telephony & Video, Part 1 (CIPTV1)

Abstract. Avaya Solution & Interoperability Test Lab

TT11 VoIP Router 1FXS/1FXO TA User Guide

PassReview. PassReview - IT Certification Exams Pass Review

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab

DMP 128 Plus C V DMP 128 Plus C V AT. Cisco CUCM Configuration Guide REVISION: DATE: MARCH 7 TH, 2018

Abstract. Avaya Solution & Interoperability Test Lab

Configuration Note for Rauland Responder 5 and Avaya Session Manager

Cisco Unified MeetingPlace Integration

Application Notes for Configuring SIP Trunking between Cincinnati Bell Any Distance evantage and Avaya IP Office Issue 1.0

Introduction to Quality of Service

Application Notes for Configuring Net2Phone SIP Trunking Service with Avaya IP Office R9.1 - Issue 0.1

Abstract. Avaya Solution & Interoperability Test Lab

Leveraging Amazon Chime Voice Connector for SIP Trunking. March 2019

Abstract. Avaya Solution & Interoperability Test Lab

Cisco Unified Communications Manager Trunks

Patton Electronics Co Rickenbacker Drive, Gaithersburg, MD 20879, USA tel: fax:

Session Border Controller

ThinkTel ITSP with Registration Setup

Telecommunications Glossary

Cisco Unified IP Phone Settings

Application Notes for Windstream SIP Trunking Service using Broadsoft Platform with Avaya IP Office Issue 1.0

Transcription:

Allstream NGN SIP Trunking Quick Start Guide We are confident that our service will help increase your organization s performance and productivity while keeping a cap on your costs. Summarized below is some important technical information that you or your integrator must know regarding how SIP Trunking works, and parameters that your equipment needs to adhere to in order to effectively work with the service. Please ensure that your equipment is configured to support these parameters. If you have any further questions or require assistance, please contact your Account Representative. Allstream NGNSIP Security Recommendations A VoIP switch is a crucial component of your business that much like a server with critical data requires attention to ensure its operation and availability is not impacted by hackers, hacktivists, competitors and others attempting to gain access to free services or impact the services you have. It s essential that the PBX manufacturer s hardening recommendations be followed when connecting your PBX to public or Internet resources such as NGN SIP trunks or phones. Included are some initial recommendations. Suffice it to say that connecting your PBX directly to the Internet without a firewall or SBC (Session Border Controller) is not manufacturer recommended except for the very few PBX s that come equipped with such capabilities. Doing so will most likely result in possible fraudulent long distance charges as well as costly professional services to properly re-configure or re-install and harden the PBX. Administration - Remove any direct external (public/internet) access to administration features - Use complex non-dictionary passwords - Change passwords every quarter - Ensure external/public admin access is only available via secure (IPSec, SSL-VPN, etc) authenticated connection to the firewall or other security device Internet Access - Enable firewall features on PBX if available - Add or connect to the Internet via a stateful firewall or SBC - Add filters to only allow connectivity to and from NGN SIP provider System - Disable unused services where applicable - If Wireless is available used WPA2 with complex password - Monitor system regularly for Fraud Operations - Upon deployment, scan your Internet presence (ie. IP range) for vulnerabilities - Repeat vulnerability scans every quarter - Patch and secure the PBX as recommended by the manufacturer Remote Users - Cell phones/ tablets to have automatic lockouts to prevent fraudulent use if lost or stolen - Laptops are to have screen lockout and drive encryption where possible - Limit remote user capabilities such as forwarding features - Where possible encrypt voice connections to reduce unauthorized monitoring Page 1 of 6

1 Prepare your LAN for VoIP When moving to a converged environment running both voice and data over IP, your LAN environment must be prepared to carry real-time voice traffic. This preparation typically focuses on two key areas: 1. Establishment of Virtual LANs (VLANs) for voice traffic, and 2. Establishment of Class of Service (CoS) handling for voice traffic. Figure 1: LAN environment using Virtual LANs and Class of Service It is highly recommended that voice and data packets be separated into distinct VLANs within the LAN environment. This improves utilization of system resources by reducing broadcast traffic, and prevents possible congestion conditions of one traffic type from affecting other traffic. Not utilizing VLANs may result in poor voice quality, high packet loss, client to server communication issues, and lost call control. Use of Class of Service (CoS) marking for traffic in the LAN is also recommended when preparing for a VoIP implementation. Layer 2 Ethernet switches must support the IEEE 802.1p standard to provide CoS. This standard is part of the IEEE 802.1Q (IEEE, 2005) which defines the architecture of virtual bridged LANs (VLANs). CoS allows switches to distinguish packets and packet flows from each other, assigning labels to indicate the priority of packets. CoS enables packets to comply with configured resource limits and provides preferential treatment in situations where resource contention occurs. Without CoS enabled in the LAN switch, bandwidth contention may contribute to packet loss and latency resulting in poor VoIP performance. 2 Environment set-up for NGN SIP Trunking over Internet Allstream NGN SIP Trunking Service architecture allows enhanced reliability of geographically redundant connection. Customers can benefit from this by configuring the IP PBX to connect to a primary NGN SIP Proxy Server (Allstream Session Border Controller (SBC)) and a secondary NGN SIP Proxy server (A SBC at a different physical location). Customers located in Ontario and eastward will use the Markham SBC as the primary interface and Calgary SBC as secondary interface. Customers located in Manitoba and westward will use the Calgary SBC as the primary interface and Markham SBC as secondary. Page 2 of 6

2.1 PBX Connectivity set-up The following three configurations are supported for Customer LAN deployment with Allstream NGN SIP Trunking: 2.1.1 Configuration 1: PBX Connectivity using Public IP no NAT In this scenario, the PBX or VoIP equipment is accessible via the public Internet. The customer is not using NAT for VoIP traffic, so no NAT compensation occurs between the Allstream SBC cluster and the customer PBX. The following diagram is an illustration of this scenario. Static and Public IP Address 74.13.23.2 IP PBX 74.13.23.1/30 Internet Allstream SBCs Router Figure 1: PBX Connectivity using Public IP no NAT The public IP address used by the customer must be static, and the subnet is assigned by the ISP. The IP address and subnet information of the Allstream-facing VoIP equipment must be provided as part of the NGN SIP Trunking Internet order. 2.1.2 Configuration 2: PBX Connectivity using NAT with Application Layer Gateway (ALG) Some customers may deploy an Application Layer Gateway (ALG). The primary purpose of an ALG is to manipulate or translate IP address information in the application layer. More specifically, the function of the ALG would replace the private IP address in the NGN SIP Invite and SDP message with the NAT d public IP address for any outgoing traffic. Similarly, for any incoming traffic from the PSTN to the customer network, the ALG would replace the public IP address information in the NGN SIP Invite and SDP with the private IP address information. In this configuration, the static public IP address of the Allstream-facing router (in this example 74.13.23.1) must be provided to Allstream with the NGN SIP Trunking Internet order. Static and Private IP Address Private Subnet assigned by NAT Router Example: 192.168.1.0/24 IP PBX.35.15.16 Private IP: 192.168.1.1 74.13.23.1/30 Router with NAT and ALG (modifies layer 3 and 7 information) Internet Allstream SBCs Figure 2: PBX Connectivity using NAT with ALG Page 3 of 6

2.1.3 Configuration 3: PBX Connectivity using NAT without ALG In this configuration, the customer does not have their own ALG, and uses a router that performs NAT at layer three. All outgoing (private) traffic is NAT d to a public IP address assigned by the customer s ISP (typically the IP of the WAN Interface on the router, or an unused IP address in the provided block). For this configuration, the private IP of the customer PBX (in this example 192.168.1.35) must also be provided to Allstream in order for the Allstream SBC to communicate with the PBX. Therefore, both the static public IP address of the Allstream-facing router (in this example 74.13.23.1) AND the static private IP address of the VoIP equipment must be provided as part of the NGN SIP Trunking Internet order. Static and Private IP Address Private Subnet assigned by NAT Router Example: 192.168.1.0/24 IP PBX.35.15.16 Private IP: 192.168.1.1 74.13.23.1/30 Router with NAT and no ALG (modifies layer 3 information only) Internet Allstream SBCs Figure 3: PBX Connectivity using NAT without ALG 2.2 Firewall Set-up If your environment is protected from the Internet by a firewall, settings must be configured on your firewall to allow for NGN SIP Trunking signaling and media to pass through. Adjust firewall to allow signaling and media to be received from the Allstream Session Border Controller at the IP address ranges provided in section above. Allow for NGN SIP signaling utilizing UDP on port 5060. Allow for RTP media utilizing UDP on ports 16000 to 64000 3 Environment set-up for NGN SIP Trunking over MPLS VPN Allstream NGN SIP Trunking platform comprises of two fully redundant pairs of SBCs located at geographically diverse locations (Markham and Calgary) and dedicated for NGN SIP Trunks established over MPLS VPN. This architecture provides unparalleled robustness, reliability and security. Each SBC appears like another site in the customer VPN. Public IP addresses assigned for the SBC NGN SIP interface are not advertised and are not accessible over public Internet. Each customer s NGN SIP traffic over MPLS stays totally private through dedicated VRFs /VLANs. Page 4 of 6

3.1 PBX Connectivity Setup 3.1.1 Configuration 1: PBX Connectivity via Private IP VPN Network In this configuration, the PBX communicates with the Allstream SBC over a private MPLS VPN. This arrangement is similar to Configuration 1 above, since no NAT is required, and all addressing is contained in a private customer VPN. Customer LAN addressing may be statically assigned or assigned via DHCP. Figure 4: PBX Connectivity via Private IP VPN Network 4 DHCP Considerations VoIP requires that all endpoints including phones are assigned unique IP addresses. When using NAT, customer must ensure that all endpoints are assigned either static IP addresses or addresses via Dynamic Host Configuration Protocol (DHCP) within the LAN environment. Allstream does not provide DHCP services from the CE router. If customer is not using NAT (using public addresses for the VoIP network), ensure that all NGN SIP endpoints which will communicate directly with Allstream SBCs are assigned static IP addresses within the subnet provided by the ISP. 5 Programming the IP PBX Refer to the manufacturer s documentation for specific instructions on how to program and configure your IP PBX. Allstream can provide configuration guides for equipment that is pre-certified with Allstream NGN SIP Trunking. Speak to your Sales Engineer for more details. Ensure that you program your IP PBX to use the same voice codec that you used when calculating required bandwidth for your order. Failure to do this may result in call degradation due to bandwidth congestion. Please note the following notes for all new NGN SIP Trunking installations: The PBX may be programmed to outpulse either 10 digits (NPA-NXX-XXXX) or 11 digits (1+NPA+NXX- XXXX) for North American calls as desired. Page 5 of 6

Local calls to 211, 311 municipal services will not be supported. For any calls to these services, the IP PBX must be programmed to outpulse the appropriate local telephone number. 6 SIP and Media Specifications NGN Signaling Specifications Protocol SIP RFC 3261 Transport UDP port 5060 Caller ID P-Asserted-ID header (as per RFC3325) A valid 10-digit Caller Identification must be sent Caller ID Blocking Privacy id header (per RFC3325) Supported SIP methods ACK, BYE, CANCEL, INVITE, OPTIONS, INFO, NOTIFY, PRACK, UPDATE SIP Headers: P-Asserted-ID per RFC3325 Privacy Re-Invite to 0.0.0.0 or a=sendonly are supported for on-hold SIP Authentication Session border controller authenticates the customer PBX by using the PBX s Other Service Characteristics Error Condition Treatment static IP address Early SDP INVITE without SDP Unknown header: "Unknown" Anonymous header: "Anonymous" Supported Extensions: 100rel, timer Unassigned Number - SIP 404 (no audio message) SIP sessions Max out SIP 503 Voice codec P-time miss-match - SIP 488 Session-Expires header is too small - SIP 422 Signaling Parameters maxsipmsgsize: 2048 Session timer: MIN-SE 600 Session timer: Session Expire (default): 3600 retransmissiont1: 500 retransmissiont2: 4000 retransmissiont4: 5000 QoS SIP REFER DiffServ: DSCP for signaling is CS5 (real-time class) Yes Media Specifications Protocol RTP RFC1889, RFC3264 Transport UDP port range 16000-64000 DTMF Support RTP In-band and via RFC2833 Codecs G.711a/µ: Frame (packet) time: 20ms (50 packets per second) G.729: 8 Kbps, 20ms frame size G.722: 20ms (High Definition Voice Codec) Network Transcoding Yes Voice Activity Detection No Early Media Support Yes Fax G.711 pass-through, T.38 QoS DiffServ: DSCP for media is EF (real-time class) Page 6 of 6

7 Service Features 99.999% VOIP core network redundancy Reserve DID number TN (Telephone Number) porting Trunk Overflow to TN Trunk Failover to TN Multi-endpoint failover Multi-endpoint overflow Traffic Load-Sharing (Maximum 2 endpoints) Call Routing 911 service Local Directory Services (411) Repair Service 611 Message Relay Service (MRS) 711 Account codes 14.4 modem Basic Listings Collect Calls E.164 Page 7 of 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback