Avaya Aura Session Border Controller Rel 7. Installation and Setup Workshop

Session Border Controller
Applies policies to signalling and media streams passing through it
Acts to secure the traffic
Monitors attack from external sources
Hides internal network from public view
Usually deployed in DMZ of enterprise
Can be used within enterprise network

Three Options
Portwell Dedicated unit, Avaya SBCE: 1 x Public i/f, 2 x Private i/f, 1 x Management i/f (EMS), limited throughput
Single Server: EMS & SBCE co-resident, 2 x Public, 2 x Private, 2 x Management
High Availability: 2 x SBCE servers, 1 x EMS server, 2 x Public, 2 x Private, 2 x Management

VMware Deployment of SBCE
SBCE is fully VMware compatible and the OVA can be run from ESXi as shown here.

OVF Template Startup
On loading the OVA you will be asked to accept the License and name the VM you are creating.

Selection of SBCE System
It is important to select the correct type of installation you require. We will use a Small SBC where the EMS and SBC co-reside on one server. For a Large or HA SBC you would have a separate server for the EMS.

DataStore & Network Selection
Here we are selecting the type of installation and where the data will be stored. The network connection is also allocated as shown.
NOTE: Avaya recommendations should be followed at all times for VMware installations.

Start VM to Install System
On startup the VM will start an install shell and prompt for the input method. Select 2 TEXT MODE. Use the ARROW and TAB keys to select the correct options before pressing the ENTER key.

Install Combined EMS & SBCE

EMS-Name & Mgmt Address
Select the first option and TAB to SELECT to open it. Add the DNS setting. Select the Mgmt I/F option and enter the Management IP Address information.

Time Zone & Certificate
Select the correct Time Zone and move to the Certificate option. Enter the Certificate Data and when complete use BACK to return to the Config/Ops menu and select DONE.

root & ipcs Passwords
The system will prompt for the correct Time and Date and then proceed to Password Entry. Enter passwords for:
root / root_1st1
ipcs / ipcs_1st1
postgres / PostGres_1
Installation will then proceed. When the installation is complete, test the new logins before proceeding.

WebLM Login
Browse to the WebLM address and log in: admin / weblmadmin. If it's the first time it will prompt for a new password.

License Install
The license file is then uploaded to the WebLM so it will be available to the SBC.

SSH to SBC on Port 222
Ensure at this point you can log in to the Management interface using SSH on port 222 with the ipcs account.

ifconfig & clipcs
You can see here that the only interface at this point is the Management M1. Run the clipcs command to check the EMS is running.

Initial Login to EMS
Browse to the M1 address of the SBC, e.g. https://192.168.0.10/sbc
Log in with ucsec/ucsec and change the password: usec/usec_2nd1

Initial Login to EMS
Note the License is still not available and the only device running is the EMS.

Add Additional Admin User
Select Administration from the menu and add an additional admin user.

System Management Install
Select System Management from the menu to complete the installation and bring the SBC online. Click on the INSTALL link, which will start the INSTALL WIZARD.

Add Public Interface & DNS
Here you will add the Public interface to the SBC. The DNS info and license allocations (right) are also entered. Once entered and completed, the Wizard dialogue below will be displayed. Because we are using GAMMA trunks we need to add the EXTERNAL PUBLIC address where arrowed so GAMMA can validate the call.

SBC Commissioned
The SBC now shows as Commissioned, and by selecting the NETWORK MANAGEMENT option we can add the Private Interface.

Add the Private Interface & Enable
Here we add the Private Address on the A1 I/F. Now enable both the A1 and B1 interfaces from the INTERFACES tab. Check they are live with a ping from your PC.

Add WebLM Server for License
Returning to the SYSTEM MANAGEMENT option, add the address of the WebLM server which will supply the license for the SBC:
https://<ip Address of WebLM>:52233/WebLM/LicenseServer

Backup & Restore
The SBC allows you to take a Snapshot of the configuration, either manually or automatically, so you can restore to a known point. With the SBC Commissioned and the interfaces added etc., take a manual snapshot so you can restore to it should the need arise in the future.

Setup SBC for SIP Trunks from IPO
Prepare the SBC for SIP Trunks
We are going to configure the SBC to carry SIP trunks from GAMMA to the IP Office.
Server Flow: the schematic shows the relationship of the different forms we need to complete to set up the SIP trunk.
[Schematic labels: Server Flow, Server Profile, Signaling Interface, Media Interface, End-Point Policy Group, Routing Profile, Topology Hiding Profile, Interworking Profile, Application Rule, Security Rule, Signaling Rule, Media Rule, URI Group]

Topology Hiding
Select TOPOLOGY HIDING from the GLOBAL PROFILES menu and, after selecting DEFAULT, use the CLONE button to create a TH profile for the IP Office (IPO-TH) as shown below. Click the EDIT button to change settings.

Topology Hiding Settings
Here we can change what's seen by the outside world, i.e. hiding our details. Use the OVERWRITE option for TO/FROM/REQUEST-LINE and enter your domain as the value. For the TRK-TH just clone the DEFAULT.

Server Interworking
Interworking sets how we respond to different SIP options. Clone avaya-ru (Avaya Remote User) for the IP Office (IPO-IW). Then on the GENERAL tab select EDIT to change the settings.

Add T.38 & Edit TIMERS
On the GENERAL tab edit form select T.38 SUPPORT and FINISH. Select the TIMERS tab and click on EDIT.

Trans Expire Timer to 4, Clone IPO-IW to TRK-IW
Change the TRANS EXPIRE timer to 4 and then click FINISH to complete the IPO-IW. CLONE the IPO-IW profile for the Trunk server (TRK-IW).

Server Configuration
The SERVER entries define the endpoints of the trunk we are configuring. Under GLOBAL PROFILES/SERVER CONFIGURATION click ADD and give it a name (IPO). Set the Type to CALL SERVER and then add the IP address and port/transport as shown (5060/UDP, as that's what Gamma expects).

Authentication - Heartbeat - IW
Here we are leaving Authentication and the HEARTBEAT unchecked. Later we will look again at these. Finally select the INTERWORKING PROFILE for the IP Office (IPO-IW).

TRK Server Profile
The Trunk server is much the same as the IP Office (Call Server), with the relevant IP Address and URI settings.

URI Groups
URI Groups can be used to group calls together. Here we can see the default EMERGENCY URI Group. To add an entry click the ADD button shown, then select the type and add the URI. We don't need a specific URI Group, but once the trunk is working return here to experiment.

IPO Route
To add a Routing profile to direct calls correctly, select the ADD button and enter a name (IPO-UDP in this case). Finally add the PRIORITY and then the NEXT HOP ADDRESS by selecting with the drop down menus.

Trunk Route
The Trunk route is very similar but points to the Trunk Server as shown. As shown below, you should end up with a Route in each direction.

Signalling Interfaces
Here we are adding the Signalling interfaces, one for each side, Public & Private. Selection of the addresses is done from the drop down menus. In the screenshot we are adding both TCP & UDP signalling, but we only actually need UDP at this point for GAMMA.
NOTE: When adding or changing the Signalling interfaces it is best to RESTART APPLICATION from the SYSTEM MANAGEMENT menu.

Media Interfaces
Media Interfaces are added similarly to the Signalling Interfaces, again one each for Private and Public. These, as you would expect, are to carry the RTP (voice packets) via the SBC.

Application Rules
Clone the DEFAULT Application Rule and set the SESSION limits as shown. These should match the license. Repeat the process for the Trunk AR so you have both as shown here.

Media Rules
Clone the DEFAULT LOW-MED rule and then select the MEDIA QOS tab to enable RTCP and to set the QoS Marking to DSCP Expedited Forwarding (EF). Finally CLONE the IPO-MR to create the TRK-MR.
NOTE: Here we are using RTP for Media.

Security Rules
The Security Rules for Trunk & IPO are created by cloning the DEFAULT-LOW rule. No other edits are done.

Signalling Rules
Clone the DEFAULT Signalling Rule and then edit the Signalling QoS tab to enable DSCP AF41. Clone the IPO-SigR rule to create the Trunk server rule (TRK-SigR).

Endpoint Policy Group
Use the ADD button to create Policy Groups for the IPO and Trunk Server. The PG brings the rules created before together as shown. Add the Trunk PG as shown below.

IPO Server Flow
The Server Flow brings together the Profiles, Rules and Interfaces created previously. Use the ADD button to create flows for both the IPO and the Trunk Server.

IPO & Trunk Server Flows
Here you can see the different elements combined into the final server flows, which will allow our trunk to carry calls in a secure manner.

Server Flows
NOTE: These are Server flows, not Subscriber flows, which we will use later for the Remote Workspace.

Configure the IP Office for SIP Line
We now need to configure the IP Office with a SIP trunk and point it to the SBC. Open the IP Office configuration and add a SIP Line. Enter the ITSP Domain Name.

SIP Credential
For the Workshop configuration the login credentials are not required, but they could be necessary in other setups and would be added here. We will use the Username and Contact info in the SIP URI tab. The SIP Advanced and Engineering tabs should be left at default unless specifically required for interconnection.

Configure Transport & SIP URI
Add the IP Address of the SBC A1 Interface under TRANSPORT ITSP PROXY and set the PROTOCOL as UDP. Set the SIP URI as shown and add an INCOMING/OUTGOING GROUP number, which is used for the Short Code and incoming route.

VoIP Settings
On the VoIP tab the codecs should all be pre-selected, but we should add the RE_INVITE SUPPORTED and ALLOW DIRECT MEDIA PATH options. You may also want to add the option to support PRACK/100REL. (PRACK = Pre Acknowledge)

Short Code & Incoming Call Route
For outbound calls we have a SHORT CODE 9N; (edit or remove existing if necessary) which then sends the dialled number to the SIP Line group. You can use the ARS table for this rather than just a short code.
INCOMING CALL ROUTE: Finally we need an INCOMING CALL ROUTE to allow calls to be directed on the IP Office. Here is a simple option to forward the call to a specific extension.

Test it Works
Public Side
Call from an external line to your first Gamma number. Does the call complete to your IPO? If not, why? Add config to allow your second number to ring in.
Private PC
Register Communicator to IPO (use TCP). Enter the IP Address of the IPO for Domain and Presence server. Dial 9 plus an external number (mobile?) to test. Does the call complete? If not, why?

Alarms - Logs - Incidents
In the event of a problem with your SBC, start by checking the INCIDENTS reported on the dashboard as shown. In addition there are links to the ALARMS/STATUS/LOGS/DIAGNOSTICS at the top of the SBC web page.

SBC Trace
There is a TRACE option on the SBC under DEVICE SPECIFIC SETTINGS/TROUBLESHOOTING which will allow you to create a trace of the events occurring. Use the PACKET CAPTURE screen to define the trace required and to start and stop it. Trace files are listed on the CAPTURES tab and can be downloaded as shown in PCAP format.

Wireshark Trace
As the trace capture is already in PCAP format it is immediately accessible by Wireshark for further analysis.

Trace SBC
The tracesbc command line programme is based on the Session Manager tracesm feature and works in a similar fashion with some different options. Use PuTTY to SSH on port 222 to the Mgmt Address of the SBC and log in with ipcs. Use sudo tracesbc, or su to root, to run tracesbc. Below you can see a trace of the SIP messages for a Trunk call via the SBC.
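One way to confirm from a public-side trace that the Topology Hiding profile configured earlier is taking effect, as an added example that is not part of the original workshop or any Avaya tool: it checks a SIP message exported as text for a Request-Line, From or To host other than the expected domain and, going slightly beyond the TO/FROM/REQUEST-LINE settings above, for RFC 1918 addresses left in any header or in the SDP. The two messages, the domain example.com and all addresses are constructed sample data.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses that should not be visible on the public side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URI_HOST = re.compile(r"sips?:(?:[^@;>\s]+@)?([^:;>\s]+)", re.I)

def private_ips(text):
    """Return the RFC 1918 IPv4 literals found in text, in order."""
    found = []
    for literal in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:  # digits that do not form a valid address
            continue
        if any(addr in net for net in RFC1918):
            found.append(literal)
    return found

def uri_host(text):
    """Host part of the first sip:/sips: URI in text, lower-cased."""
    match = URI_HOST.search(text)
    return match.group(1).lower() if match else None

def audit_sip(raw, public_domain):
    """Return (location, value) pairs where internal detail is still visible."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    findings = []

    def note(where, value):
        if (where, value) not in findings:
            findings.append((where, value))

    # Only requests carry a Request-URI; responses start with "SIP/2.0".
    if not lines[0].upper().startswith("SIP/2.0"):
        host = uri_host(lines[0])
        if host and host != public_domain:
            note("request-line", host)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name in ("from", "f", "to", "t"):  # long and compact header forms
            host = uri_host(value)
            if host and host != public_domain:
                note(name, host)
        for ip in private_ips(value):
            note(name, ip)
    for line in body.split("\n"):
        if line.startswith(("o=", "c=")):  # SDP origin and connection lines
            for ip in private_ips(line):
                note("sdp " + line[:2], ip)
    return findings

# Constructed sample: an INVITE as it might look with no hiding applied.
LEAKY = """\
INVITE sip:02079460000@ipo.lab.internal SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKa1
Via: SIP/2.0/UDP 192.168.0.20:5060;branch=z9hG4bKb2
From: <sip:201@192.168.0.20>;tag=1
To: <sip:02079460000@example.com>
Call-ID: c1@203.0.113.10
Contact: <sip:201@192.168.0.20:5060>

o=- 1 1 IN IP4 192.168.0.20
c=IN IP4 203.0.113.10
m=audio 35000 RTP/AVP 8
"""
# Constructed sample: the same message with internal details overwritten.
CLEAN = (LEAKY.replace("ipo.lab.internal", "example.com")
              .replace("<sip:201@192.168.0.20>", "<sip:201@example.com>")
              .replace("192.168.0.20", "203.0.113.10"))
```

Calling `audit_sip(message_text, "your.domain")` on each message copied out of the capture gives an empty list when nothing internal is visible.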

Setup Remote Workspace
Allows remote workers to connect to the Enterprise Communication System without the use of a VPN.
Secure protocols (TLS/SRTP) from the client ensure privacy.
The remote client connects to the SBC, which then proxies the connection to the private systems.
Expands the reach to mobile workers, e.g. One X Mobile.

Reset the SBC
We can run both the Trunks and Remote Workspace by adding more IP addresses to the A1/B1 interfaces, but for our labs we'll reset the SBC and start again. Restore the SBC to the Snapshot taken just after adding the interfaces and WebLM. Once the system has reset you can start adding the configuration again.

Topology Hiding
Select TOPOLOGY HIDING from the GLOBAL PROFILES menu and, after selecting DEFAULT, use the CLONE button to create a TH profile for the IP Office (IPO-TH) as shown below. Click the EDIT button to change settings.

Topology Hiding Settings
Here we can change what's seen by the outside world, i.e. hiding our details. Use the Overwrite for TO/FROM/REQUEST-LINE as shown. For the TRK-TH just clone the DEFAULT.

Server Interworking
Clone avaya-ru (Avaya Remote User) for the IP Office (IPO-IW). Then on the GENERAL tab select EDIT to change the settings.

Add T.38 & Edit TIMERS
On the GENERAL edit form select T.38 SUPPORT and FINISH. Select the TIMERS tab and click on EDIT.

Trans Expire Timer to 4
Change the TRANS EXPIRE timer to 4 and then click FINISH to complete the IPO-IW.

Server Configuration
Under GLOBAL PROFILES/SERVER CONFIGURATION click ADD and give it a name (IPO). Only the IP Office is required for the Remote Workers to register. Set the Type to CALL SERVER and then add the IP address and port/transport as shown (5060/TCP, as we're now using Remote Worker).

Authentication - Heartbeat - IW
Here we are leaving Authentication and the HEARTBEAT unchecked. Finally ENABLE GROOMING, which allows us to support multiple connections, and select the INTERWORKING PROFILE for the IP Office (IPO-IW).

IPO Route
Click to add a new route and name it IPO-TCP. Add a Priority of 1 and the NEXT HOP address using the drop down menu as shown.

Install Avaya Demo Certificates
As we want secure connections we need to add certificates to enable TLS. First install the Self Signed CA Certificate as shown here.
NOTE: We are using the COMPROMISED AVAYA Demo Certificates, which should not be used in a production environment.

Install Avaya Demo Certificates
Install the Certificate as shown along with the Key File.

Create Client TLS Profile
Once the Certificates are installed the Client and Server Profiles can be created. Select the Certificate first, then highlight the CA Certificate as PEER VERIFICATION and set the VERIFICATION DEPTH. Ensure you select TLS 1.1 & 1.0 for these Certs to work.

Create Server TLS Profile
The Server Profile is added in a similar fashion to the Client. PEER VERIFICATION is optional for the Server Profile, but here it's been selected.

Add Signalling Interfaces
The Internal Signalling Interface is set to support UDP & TCP as we don't need to be secure on the private network. The External Signalling Interface is set to support TLS & TCP as we really want all communications to be secure. When the TLS is set up we can remove the TCP support so only secure packets are supported.

Add Media Interfaces
Similar to the Signalling Interfaces, we need Media Interfaces to support the RTP traffic. Here we've just taken the default PORT RANGE.

Media Rule Capability Negotiation
Here we are creating a Media Rule that will try to connect using SRTP as its first option and, if it can't, will fall back to RTP for both Audio & Video. We also need to allow CAPABILITY NEGOTIATION, turn off MEDIA SILENCING and set the Media QoS to DSCP EF.

Media Rule Capability Negotiation

End Point Policy Group
We now need to add a Policy Group to bring together some of the settings we have created, specifically here the Negotiation Media Rule.

Subscriber Flow
Because Remote Users are single entities we need a Subscriber Flow to route their connections through the SBC. Note we are accepting connections on the SIG-Ext-RU before passing them to the IPO.

Server Flow
To accompany the Subscriber flow we need a Server Flow to send packets back to the remote user. Here we are connecting the IPO to the Remote User Signalling & Media Interfaces.

Change Port Range
To allow us to test the Remote Workspace we need to add some Application Relays to forward the XMPP traffic to the IP Office Server. One of the ports we need to forward is 9443, so first we need to change the default Port Ranges as shown here from 9000-9999 to 9445-9999. Alternatively this traffic could be routed via a Firewall to reduce load on the SBC.

Application Relays
The Application Relays will allow us to forward the XMPP traffic from the Avaya Communicator for Windows so that Presence and Instant Messaging can function. The XMPP ports that need to be forwarded are 5222 & 9443.

Application Relays

Test it Works
Use Communicator for Windows on a remote PC (i.e. connected to the internet).
Set the Server and Presence server to the FQDN for your system, e.g. D1onex.Amlex.co.uk
Set the Domain to, e.g., Amlex.co.uk
Set the protocol to TCP. Check it registers correctly.
Change the protocol to TLS.
Install the Certificates for the SBC to the PC so it will register. Use winscp to download them from the SBC:
AvayaSBCCA.crt /usr/local/ipcs/cert/ca
AvayaSBC.crt /usr/local/ipcs/cert/certificate