Application Notes for Ingate SIParator using SIP Trunking with ITSPs
Issue: 1.1
Date: April 29, 2009
Authors: Scott Beer (Ingate) and Ciaran William O'Shaughnessy (3Com)

Abstract:

In this application, the 3Com VCX solution is the IP-PBX and SIP Domain Server. It is the call control server processing the phone features and PBX functionality required for an enterprise. It resides on the private LAN segment of the enterprise, away from the Internet and protected by the Ingate from any malicious attacks.

The Ingate SIParator sits on the Enterprise network edge, providing a security solution for data and SIP communications with E-SBC functionality. It is responsible for all SIP communications security by providing Policy and Routing Rules to allow specific SIP traffic intended for the Enterprise.

The SIP Trunking Service Providers, or Internet Telephony Service Providers (ITSP), can be of any vendor type, located anywhere across the Internet or any remote networks. These Service Providers offer access to the PSTN over a SIP Trunk.

3Com Open Network Solutions Lab Application Notes

Table of Contents

Revision History
References
Objective
Ingate Systems
    Ingate Product Overview
        Ingate Firewalls
        Ingate SIParators
        Ingate add-on software modules and licenses
        Background
    Technical Specifications
        Ingate SIParator Models 19, 50, 55, 65 and 90
        Ingate SIParator Technical Details
        Ingate SIParator Pictures
        Ingate SIParator Product Features:
Configuration Technical Details
    How it Works
Software Revisions
    Software Requirements
    Tool Requirements
Installation Overview
Network Topology
Testing Observations
Configuration Details
    <3COM Product Name> Configuration file
    Ingate Configuration Details
        Ingate Startup Tool
        Connecting the Ingate SIParator
        Using the Startup Tool
        Configure the Unit for the First Time
        Change or Update Configuration
        Network Topology
        Product Type: Standalone
        Product Type: DMZ SIParator
        Product Type: DMZ-LAN SIParator
        Product Type: LAN SIParator
        IP-PBX
        ITSP
        Upload Configuration
Verification Tests
Product Support
    Ingate Product Support:
    3COM product support:
Conclusion


Revision History
Revision | Date | Author | Reason for change
1.0 | 12/02/2009 | Scott Beer | Doc Creation
1.1 | 4/29/2009 | C O'Shaughnessy | Content Audit and added 3Com configuration

References
Date Document Name Revision Company


Objective
The 3Com VCX solution offers organizations from 100s to 1,000s of phone users an economical IP telephony and messaging platform that delivers powerful phone features and supports multimedia communications based on Session Initiation Protocol (SIP). The platform's practical design and affordability help businesses replace antiquated PBXs with VoIP solutions that handle unified voicemail/email messaging (a standard feature), support a full range of IP phones and interoperate with Internet Telephony Service Providers for PSTN access.

The 3Com VCX solution allows for the connectivity and use of a wide variety of SIP Phones, both desk phones and soft-phones. These SIP Phones can be located on the Enterprise LAN, abroad over the Internet, or in Remote/Home Offices.

The Ingate SIParator is an Enterprise level SIP Session Border Controller (E-SBC) and SIP Security device: a powerful tool that offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications, based on Session Initiation Protocol (SIP). With the SIParator even the largest of businesses, with branch offices around the world and remote workers, can easily harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology.

In this application, above and beyond the E-SBC capabilities that the Ingate products provide, the SIParator provides a number of additional features to enable SIP Trunking connectivity to the 3Com VCX solution. The Ingate products offer the SIP Trunking Module, with features such as Dial Plan, Routing Rules, B2BUA, Proxy, SIP Security Policies and much more. These features allow the Ingate to overcome various integration issues between the variety of ITSPs and their deployment of SIP Trunking to the 3Com VCX solution.


Ingate Systems
Ingate Systems AB is a Stockholm, Sweden based high-tech company that designs, develops, manufactures and markets leading data communications products for trusted Unified Communications. Ingate designed the world's first Session Initiation Protocol (SIP)-capable firewalls and SIParators, products that enable Unified Communications over the Internet.

Unified Communications, with applications such as Internet telephony, presence indication, instant messaging, and audio/video conferencing, are modern and powerful business tools that enable enterprises to maintain reliable IP communications internally and externally. As more businesses utilize these applications, service providers are offering SIP trunks to connect Local Area Networks to the outer world via Internet and/or dedicated, managed IP lines.

The enterprise Session Border Controller (Firewall) needs to manage all incoming and outgoing traffic securely. Authorized traffic based on SIP needs to pass through the Session Border Controller in a controlled manner, reaching SIP units inside and outside the LAN. Ingate's Session Border Controllers are compatible with existing networks, and allow businesses to utilize the cost and time saving benefits of IP-based real-time communications with minimum investment.

Ingate's leading products are marketed through world leading distributors, Value Added Resellers and OEMs on all continents. Ingate has development facilities in Linköping, Sweden and a wholly owned subsidiary in the United States. We work long-term on our development projects and customer relations, as well as in the development and training of our employees.

Ingate Product Overview


Ingate SIParators are compatible with all existing networks and come standard with a SIP proxy and a SIP registrar. They have support for NAT and PAT as well as for TLS and SRTP to encrypt both SIP signaling and media, eliminating the security issue most commonly associated with using enterprise VoIP. Ingate Firewalls and SIParators come in a range of sizes to meet enterprise needs from home office to large enterprise, and have been cited by users and media for ease of use.

The flexible system of add-on software modules allows any enterprise to create the firewall/SIParator solution that exactly fits the need of the company for the moment.

Ingate Firewalls
Ingate Firewalls are cost effective and prevent unauthorized access to and from enterprise networks while allowing SIP-based communications. All messages entering and leaving the network are routed through the Ingate Firewall, which examines each packet and blocks those not explicitly authorized to pass.

Ingate SIParators
The Ingate SIParator is a device that connects to an existing firewall to seamlessly allow the traversal of SIP-based communications. Ingate SIParators are compatible with all existing firewalls and operating systems.

Ingate add-on software modules and licenses


Ingate's suite of software modules and the flexible licensing system give any enterprise the flexibility to create the firewall/SIParator that solves their specific need for the moment. All modules and licenses can be added at any time.

Background
Ingate's security technology dates back to 1996, and since 2001 SIP has been in focus when designing our award winning firewall products, making Ingate the only choice for enterprises planning for a secure, flexible and interoperable communication solution. Ingate products are a perfect fit for any SIP based VoIP/UC installation.

Technical Specifications
Ingate SIParator Models 19, 50, 55, 65 and 90
The Ingate SIParator 19 has three ports, and with different units this can be scaled up to 6 ports with two Fiber ports on the SIParator 90. This provides a scalable solution to meet the needs of enterprise environments of any size. The management interface for the products is the same Web-based Graphical User Interface (GUI) that has been cited by Ingate customers and the media for ease-of-use.

All Ingate SIParators are fully featured, supporting stateful inspection and packet filtering with rules defined and maintained by the network security administrator utilizing the GUI. The SIParators can be configured as a part of the DMZ or in a standalone mode. In both cases, the benefits of SIP-based communications can be added to the network quickly and easily.

Trusted Network Security for VoIP

The Ingate SIParator SIP Proxy architecture grants fully secure traversal of the SIP traffic. The ports for the media streams are only opened between the specific parties of a call and only for the duration of the call. The SIP proxy inspects the SIP packets before sending them on. TLS and SRTP encryption ensures privacy when communicating, making call eavesdropping, call hijacking and call spoofing harder to do. Ingate also supports authentication of users and servers.

Support for SIP Trunking

More and more Internet Service Providers offer a SIP trunk, a combined Internet and voice connection. For enterprises using an IP-PBX, SIP trunks are an ideal cost-saving solution as they no longer need local PSTN gateways or costly PRIs/BRIs. The service provider provides the PSTN connection. However, in order for SIP trunks to be successful, SIP traffic (as well as all other data traffic) must be able to traverse the enterprise firewall.

Ingate's SIP Trunking software module, available for Ingate SIParators, enables firewall and NAT traversal using the built-in SIP proxy, allowing the enterprise to connect to the SIP trunk. In addition, Ingate SIParators and the Ingate SIP proxy deliver advanced security for all SIP communications, including those via a SIP trunk. Ingate products also help ease compatibility issues between the IP-PBX and Internet telephony service provider.

Choose the Right Features for Your Network

Ingate offers several other add-on software modules that allow you to tailor the SIParator to meet the specific demands of your business.

Ingate Quality of Service (QoS) sets priorities for different kinds of data and allocates bandwidth for varied purposes, for instance giving priority to VoIP.

Ingate Remote SIP Connectivity extends the SIP capabilities of the enterprise to employees working remotely (home office workers, road warriors, etc.). Remote SIP Connectivity manages the traversal of the remote NAT from the central Ingate SIParators and also includes a STUN server.

Ingate Enhanced Security Module provides Intrusion Detection and Intrusion Prevention for SIP as well as encryption of the communication.

The SIP Registrar Module allows for making the Ingate Registrar the primary registration server.

Add Global VoIP Connectivity to your IP-PBX

The SIParator opens up a world of possibilities and cost savings when used with a SIP based IP-PBX. Businesses can route telephone calls via IP, not only between branch offices and home workers, but also to offices and other users using SIP-based Internet telephony. No longer limited to telephony voice, communication can also include video, instant messaging, presence and more.

In addition, the SIParator makes it possible for home workers, road warriors and even branch offices to belong to the same central IP-PBX with the highest level of security. The SIParator also affords the possibility to set up a private VoIP network, if preferred. Advanced IP-PBX functions are supported, such as call transfer, call hold, and voicemail.

Ingate SIParator Technical Details


Ingate SIParator Pictures

Ingate SIParator 19

Ingate SIParator 50, 55 and 65

Ingate SIParator 90


Ingate SIParator Product Features:


Product Specifications | Tested Features
Physical Interface |
    WAN 10/100Base-T ports (RJ-45) | Yes
    LAN 10/100Base-T ports (RJ-45) | Yes
VoIP Protocol |
    SIP Protocol | Yes
    SIP Proxy | Yes
    SIP B2BUA | Yes
    SIP Registrar | Yes
    SIP NAT/PAT Traffic | Yes
    TLS Transport | N/T
    SRTP Encryption | N/T
    Far End NAT Traversal | Yes
    Advance SIP Routing | Yes
    VoIP Survival | N/T
    Number of Concurrent RTP Sessions | 40 (Model 19)
    Number of Concurrent Encrypted RTP Sessions | N/T
Quality of Service |
    DiffServ Packet Marking and Recognition | N/T
    Call Admission Control | N/T
    Traffic Monitoring | N/T
    VLAN (802.1 p/q) | N/T
Administration |
    CLI | Yes
    Web-based GUI | Yes
    Email Alerts (SMTP) | N/T
    SNMP v3 | N/T
    SYSLOG Logging | N/T
DHCP |
    Client | N/T
    Server | N/T
    Relay | N/T

Product Specifications Security Firewall Stateful Inspection Firewall DoS Protection SIP Traffic IDS/IPS Access Control Lists ALGs Network Address Translation Basic NAT (1:1), NAPT (Many:1), and Port Translation NAT-compatible SIP ALG Secure Management Multi-level access control RADIUS AAA Port Authentication (802.1x) SSH CLI VPN IPSec Tunnel Encryption 3DES AES NULL MD5 SHA1 Authentication Mechanisms XAUTH Digital certificates Pre-Shared Keys Secure ID PPTP Server Number of VPN Tunnels Troubleshooting PING Traceroute TCPdump utilities Packet Capture System Logging Tested Features Yes Yes N/T Yes Yes (SIP) Yes Yes Yes N/T Yes N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T N/T Yes Yes Yes Yes Yes


Configuration Technical Details


How it Works
A SIP trunk is a service offered by an ITSP (Internet Telephony Service Provider) that permits businesses that have an IP-PBX installed to use Voice-over-IP (VoIP) outside the enterprise network as well, over the same connection as the Internet connection. The ITSP permits businesses to adopt Voice-over-IP (VoIP) and remain in touch with others who rely on the PSTN, as the enterprise IP-PBX is connected to the service provider's gateways.

The 3Com VCX solution offers organizations from 100s to 1,000s of phone users an economical IP telephony and messaging platform that delivers powerful phone features and supports multimedia communications based on Session Initiation Protocol (SIP). The Ingate becomes a trusted endpoint within the 3Com VCX Connect IP-PBX for all ITSP SIP Trunking communication from various ITSPs.

The 3Com VCX solution allows for the connectivity and use of a wide variety of SIP Phones, both desk phones and soft-phones. These SIP Phones can be located on the Enterprise LAN, abroad over the Internet, or in Remote/Home Offices.

The Ingate SIParator is an Enterprise level SIP Session Border Controller (E-SBC) and SIP Security device: a powerful tool that offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications, based on Session Initiation Protocol (SIP). With the SIParator even the largest of businesses, with branch offices around the world and remote workers, can easily harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology.

The Ingate provides a number of solutions for the 3Com VCX for problems when connecting to various service providers.

1) NAT/Firewall Traversal of SIP Protocol - SIP traffic cannot traverse traditional enterprise firewalls and NAT devices, so the Ingate controls both incoming and outgoing communications and routes the communication to the intended peers.
2) SIP Protocol Normalization - Every ITSP delivers SIP with unique deployment requirements and attributes. Ingate contains a B2BUA to provide features to customize and facilitate ITSP integrations.
3) Advanced SIP Routing - Ingate can provide a seamless connection to and from the provider, and handle authentication at the service provider to validate the enterprise as the correct user of the SIP trunk.
4) SIP Security - Ingate provides advanced filtering, verification, authentication and routing, as well as dynamic control of the opening and closing of media ports.

Example Call Flow

In this example, the ITSP is located on the Internet, the Ingate SIParator has one interface on the Internet and one interface on the Private LAN, and the 3Com VCX is also on the LAN.

1) Incoming Call - The ITSP will send an INVITE to the Ingate's WAN IP Address with a SIP URI that has the DID@Ingate_WAN_IP or 6135552000@123.123.123.20. The Ingate, with a Dial Plan and other features, looks for this incoming SIP URI and routes the call to the 3Com VCX Connect LAN IP Address. In the process, the INVITE SIP URI is changed to 6135552000@VCX_LAN_IP. As the Ingate's LAN IP Address is a trusted endpoint within the VCX, the VCX routes the call internally to various applications or phones.

2) Outgoing Call - The VCX Connect will send an INVITE to the Ingate's LAN IP Address with a SIP URI that has the DID@Ingate_LAN_IP or 4165554444@10.10.10.1. The Ingate, with a Dial Plan and other features, looks for this outgoing SIP URI and routes the call to the ITSP WAN IP Address. In the process, the INVITE SIP URI is changed to 4165554444@ITSP_WAN_IP. As the Ingate's WAN IP Address is a trusted endpoint within the ITSP, it routes the call to the PSTN.
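The call flow above, as an added example (not code from this application note, Ingate or 3Com): a small Python model of a dial plan that rewrites the INVITE Request-URI in each direction and accepts a request only from the peer trusted for that direction, matched with a host (/32) mask. The addresses 123.123.123.20 and 10.10.10.1 come from the text; the ITSP and VCX addresses, the DID range, and all function and rule names are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

INGATE_WAN_IP = "123.123.123.20"   # from the call-flow text
INGATE_LAN_IP = "10.10.10.1"       # from the call-flow text
ITSP_WAN_IP = "203.0.113.10"       # constructed stand-in for ITSP_WAN_IP
VCX_LAN_IP = "10.10.10.5"          # constructed stand-in for VCX_LAN_IP


@dataclass(frozen=True)
class Rule:
    name: str
    trusted_peer: ipaddress.IPv4Network  # only this peer may use the rule
    local_ip: str                        # Ingate address the URI must name
    number: re.Pattern                   # user part the rule accepts
    next_hop: str                        # where the call is sent


@dataclass(frozen=True)
class Decision:
    action: str                          # "forward" or "reject"
    code: Optional[int] = None           # SIP response code for a reject
    rule: Optional[str] = None
    next_hop: Optional[str] = None
    request_line: Optional[str] = None   # rewritten request line


# Hypothetical dial plan: one rule per direction, each bound to a /32 peer.
DIAL_PLAN = [
    Rule("inbound-did", ipaddress.ip_network(ITSP_WAN_IP + "/32"),
         INGATE_WAN_IP, re.compile(r"6135552\d{3}"), VCX_LAN_IP),
    Rule("outbound-pstn", ipaddress.ip_network(VCX_LAN_IP + "/32"),
         INGATE_LAN_IP, re.compile(r"\d{10}"), ITSP_WAN_IP),
]

REQUEST_LINE = re.compile(
    r"^INVITE sip:(?P<user>[^@;\s]+)@(?P<host>[^:;\s]+)(?::\d+)?"
    r"(?P<params>(?:;\S*)?) SIP/2\.0$")


def route_invite(source_ip: str, request_line: str) -> Decision:
    """Apply the dial plan to one INVITE request line from source_ip."""
    m = REQUEST_LINE.match(request_line.strip())
    if m is None:
        return Decision("reject", 400)        # not a parsable INVITE
    try:
        source = ipaddress.ip_address(source_ip)
    except ValueError:
        return Decision("reject", 400)
    peer_known = False
    for rule in DIAL_PLAN:
        if source not in rule.trusted_peer:
            continue                          # rule belongs to another peer
        peer_known = True
        if m["host"] == rule.local_ip and rule.number.fullmatch(m["user"]):
            # Same user part, host replaced by the next hop, port dropped.
            rewritten = (f"INVITE sip:{m['user']}@{rule.next_hop}"
                         f"{m['params']} SIP/2.0")
            return Decision("forward", None, rule.name, rule.next_hop,
                            rewritten)
    # Known peer but no matching number: 404. Unknown sender: 403.
    return Decision("reject", 404 if peer_known else 403)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        (ITSP_WAN_IP, "INVITE sip:6135552000@123.123.123.20 SIP/2.0"),
        (VCX_LAN_IP, "INVITE sip:4165554444@10.10.10.1 SIP/2.0"),
        ("198.51.100.77", "INVITE sip:6135552000@123.123.123.20 SIP/2.0"),
        (ITSP_WAN_IP, "INVITE sip:9005551234@123.123.123.20 SIP/2.0"),
    ]
    for src, line in samples:
        print(src, "->", route_invite(src, line))
```

The third sample carries a valid DID but comes from an address that no rule trusts, so it is rejected before any rewrite; widening a rule's mask beyond /32 would extend that trust to every host in the range.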

Software Revisions
Vendor: Ingate Systems, 3Com, 3Com, Polycom
Product Model: SIParator 19, VCX, 3102 Business Phone, 302 SIP Phone
Version: 4.7.1, 7.1.21c and 8.0.7e, n/a


Software Requirements
Vendor: CounterPath
Product Model: X-Lite
Version: 3.0 Build 47546

Tool Requirements
Vendor: Wireshark Foundation, Bandwidth.com
Product Model: Wireshark
Version: 1.0.6

Installation Overview
In this application the 3Com VCX is located on the private LAN network of the enterprise. Within this enterprise the 3Com VCX is servicing applications such as User Extensions, Call Center applications, PSTN access, User Voicemail, Auto-Attendant/IVR applications and more. Local Users are being serviced by the 3Com VCX on the private LAN network. The 3Com VCX becomes the SIP Domain Server for all of the SIP Phones.

In this application, the ITSPs are located outside of the private LAN of the enterprise and provide PSTN access using SIP Trunking and deliver this service to the 3Com VCX. This extends the ability of the 3Com VCX to provide PSTN access anywhere over the Internet or remote network. These ITSPs are not co-located with the 3Com VCX but are accessible over any network. SIP Trunking is used as a cost effective solution over T1/PRI and essentially extends PSTN access for the 3Com VCX to Remote Offices, Home Offices, and Road Warriors.

The Ingate SIParator is an Enterprise level SIP Session Border Controller (E-SBC) and SIP Security device: a powerful tool that offers enterprises a controlled and secured migration to VoIP (Voice over IP) and other live communications, based on Session Initiation Protocol (SIP). With the SIParator, even the largest of businesses, with branch offices around the world and remote workers, can easily harness the productivity and cost-saving benefits of VoIP and other IP-based communications while maintaining current investments in security technology.

In this application, the Ingate SIParators are utilizing E-SBC capabilities to ensure SIP VoIP communications with the ITSP to provide PSTN access to the 3Com VCX. The Ingate products are providing E-SBC functionality such as SIP Routing Rules, SIP Security Policies, SIP Protocol compliance, Near End NAT Traversal and more to provide reliable SIP communications with the SIP Trunking Service Providers.


Network Topology
Ingate SIParator Topology

Testing Observations
<Insert a list of observations or elements investigated to prove the solution as valuable>


Configuration Details
The following configuration details represent the configuration under test. The Ingate SIParator provides Telco communications for all outbound and inbound PSTN calls. In addition, the SIParator provided NAT translation services for any remote phones or Teleworkers wanting to register a phone to their work extension.

The VCX is configured with the SIParator IP address as a trusted endpoint. Therefore no authentication or registration is needed between these 2 devices. The SIParator is configured with both the VCX Primary and Secondary IP addresses as the SIP Proxy. All inbound Telco calls, i.e. DIDs, are redirected by the SIParator to the VCX.

Remote phones are configured to use the SIParator public IP address as their SIP Proxy address. All phone SIP registrations received by the SIParator are forwarded to the VCX for authentication. Once authenticated, these remote phones can make outbound calls using their office extension and receive inbound calls to their office extension at home. All of these calls are carried over their office Telco connection.

VCX Configuration
Defining a device on the VCX 8.0.7e as a Trusted Endpoint can now be done using the Web interface.

Note: In versions prior to 8.x, creating a trusted endpoint was a 2 step process. Please refer to the documentation for these versions for details.

Using VCX Web Configuration GUI

1. Point a browser to the VCX Server IP address (e.g.: http://158.101.74.100). The VCX login screen appears. Select the Central Management Console option.

2. Enter a VCX username and password with administrative access. (New VCX installations have a default username admin and password besgroup.) Click Submit.


3. Select the site name you wish to work on.

4. Select Directory from the top menu

5. Click Trusted End Points Tab on Right of the screen to add a device IP address

a. Click the Add Trusted End Point button.

b. Enter the endpoint configuration as follows:
   IP Address: IP address of SIParator
   Netmask: Use Host mask of 255.255.255.255

6. Click End Points Tab on Right of the screen to add a device name for each i.e. Aspect to the list as an endpoint

a. Select Add End Point button

b. The endpoint configuration window is displayed

c. Enter the endpoint configuration as follows:
   Type: Set to Gateway
   Active: Set to Yes.
   Name: Enter the name of the device i.e. SIParator B2BUA
   Description: Enter a description of the device i.e. Ingate
   Site Id: Enter your VCX site ID.
   IP Address: Enter the SIParator IP address
   Port Number: port number (usually 5060)
   Click the Save button.

d. The List of End Points table appears, listing the new endpoint.

6. Click Routes Tab to create a Route with one or more endpoints

a. Select the Add Route button and give it a name i.e. SIParator B2BUA and select Save


b. Select the End Points button on Right


c. Select the Assign End Points button


d. From the list of available endpoints put a check mark next to SIParator B2BUA and select the Assign Selected button


e. Confirm the OK


f. The Endpoint Aspect should be listed as shown


7. Click Patterns Tab and create a pattern if needed that a call must match in order for VCX to send the call to the SIParator server.

Note: This step was skipped because the most common patterns are already defined by default on the VCX. Therefore an existing pattern of 81* was used in testing.

8. Click Routes Tab, and create a route that lets VCX send calls to Aspect Unified IP. Click the Add Route Plan button.


a. In the Name field, enter a name for the routes i.e. Outbound SIP Trunk

b. Under Pattern field select the pattern 81*

c. Under Route field select the route SIParator B2BUA just created

d. Under Active select the button to enable with a check mark.


8. Click save which will return back to the Routes screen where the route Aspect should now be displayed


Ingate Configuration Details


Ingate Startup Tool
The Ingate Startup Tool is an installation tool for Ingate Firewall and Ingate SIParator products using the Ingate SIP Trunking module or the Remote SIP Connectivity module, which facilitates the setup of complete SIP Trunking solutions or remote user solutions. The Startup Tool is designed to simplify the initial out of the box commissioning and programming of the Network Topology, SIP Trunk deployments and Remote User deployments.

The tool will automatically configure a user's Ingate Firewall or SIParator to work with the 3Com VCX solution. This will set up all the routing needed to enable remote users to access and use the enterprise 3Com VCX. Thanks to detailed interop testing, Ingate has been able to create this tool with pre-configured setups for the 3Com VCX solutions for use with remote phones.

Download Free of Charge: The Startup Tool is free of charge for all Ingate Firewalls and SIParators. Get the latest version of the Startup Tool at http://www.ingate.com/Startup_Tool.php

For more detailed programming instructions consult the Startup Tool Getting Started Guide, available here: http://www.ingate.com/appnotes/Ingate_Startup_Tool_Getting_Started_Guide.pdf

Make sure that you always have the latest version of the configuration tool, as Ingate continuously adds new vendors once interoperability testing is complete. The Startup Tool will install and run on any Windows 2000, Windows XP, Windows Vista, and Wine on Linux operating systems.

Keep in mind, this Ingate Startup Tool is a commissioning tool, not an alternate administration tool. This tool is meant to get an out of the box Ingate started with a pre-configured setup, enough to make your first call from 3Com VCX to any Remote SIP Phone. Additional programming and administration of this Ingate unit should be done through the Web Administration.


Connecting the Ingate SIParator


From the factory the Ingate SIParator does not come preconfigured with an IP address or Password to administer the unit. Web administration is not possible unless an IP Address and Password are assigned to the unit via the Startup Tool or Console port. The following describes a process to connect the Ingate unit to the network and then have the Ingate Startup Tool assign an IP Address and Password to the Unit.

Configuration Steps:

1) Connect Power to the Unit.

2) Connect an Ethernet cable to Eth0. This Ethernet cable should connect to a LAN network. Below are some illustrations of where Eth0 is located on each of the Ingate Model types.

Ingate SIParator 19 (Back)

Ingate SIParator 50/55/65

Ingate SIParator 90


3) The PC/Server with the Startup Tool should be located on the same LAN segment/subnet. It is required that the Ingate unit and the Startup Tool are on the same LAN Subnet to which you are going to assign an IP Address to the Ingate Unit. Note: When configuring the unit for the first time, avoid having the Startup Tool on a PC/Server on a different Subnet, or across a Router, NAT device, Tagged VLAN, or VPN Tunnel. Keep the network simple.

4) Proceed to Section: Using the Startup Tool for instructions on using the Startup Tool.


Using the Startup Tool


There are three main reasons for using the Ingate Startup Tool. The first is to configure the Ingate Unit out of the box for the first time. The second is to change or update an existing configuration. The third is to register the unit, install a License Key, and upgrade the unit to the latest software.

Configure the Unit for the First Time

From the factory the Ingate SIParator does not come preconfigured with an IP Address or Password to administer the unit. Web administration is not possible unless an IP Address and Password are assigned to the unit via the Startup Tool or Console port. In the Startup Tool, when selecting "Configure the unit for the first time", the Startup Tool will find the Ingate Unit on the network and assign an IP Address and Password to the Ingate unit. This procedure only needs to be done ONCE. When completed, the Ingate unit will have an IP Address and Password assigned. Note: If the Ingate Unit already has an IP Address and Password assigned to it (by the Startup Tool or Console), proceed directly to Section: Change or Update Configuration.

Configuration Steps: 1) Launch the Startup Tool.

2) Select the Model type of the Ingate Unit, and then click Next.


3) In "Select first what you would like to do", select "Configure the unit for the first time".

4) Other Options in "Select first what you would like to do":


   a. Select Configure SIP Trunking if you want the tool to configure SIP Trunking with the 3Com VCX server and ITSP.
   b. Select Register this unit with Ingate if you want the tool to connect with www.ingate.com to register the unit. If selected, consult the Startup Tool Getting Started Guide.
   c. Select Upgrade this unit if you want the tool to connect with www.ingate.com to download the latest software release and upgrade the unit. If selected, consult the Startup Tool Getting Started Guide.
   d. Select Backup the created configuration if you want the tool to apply the settings to an Ingate unit and save the config file.
   e. Select Creating a config without connecting to a unit if you want the tool to just create a config file.
   f. Select The tool remembers passwords if you want the tool to remember the passwords for the Ingate unit.

5) In "Inside (Interface Eth0)":
   a. Enter the IP Address to be assigned to the Ingate Unit.
   b. Enter the MAC Address of the Ingate Unit. This MAC Address will be used to find the unit on the network. The MAC Address can be found on a sticker attached to the unit.

6) In "Select a Password", enter the Password to be assigned to the Ingate unit.


7) Once all required values are entered, the Contact button will become active. Press the Contact button to have the Startup Tool find the Ingate unit on the network and assign the IP Address and Password.

8) Proceed to Section: Network Topology.

Change or Update Configuration


When selecting the "Change or update configuration of the unit" setting in the Startup Tool, the Ingate Unit must have already been assigned an IP Address and Password, either by the Startup Tool option "Configure the unit for the first time" or via the Console port. In the Startup Tool, when selecting "Change or update configuration of the unit", the Startup Tool will connect directly with the Ingate Unit on the network with the provided IP Address and Password. When completed, the Startup Tool will completely overwrite the existing configuration in the Ingate unit with the new settings. Note: If the Ingate Unit does not have an IP Address and Password assigned to it, proceed directly to Section: Configure the Unit for the First Time.

Configuration Steps: 1) Launch the Startup Tool.

2) Select the Model type of the Ingate Unit, and then click Next.

3) In "Select first what you would like to do", select "Change or update configuration of the unit".

4) Other Options in "Select first what you would like to do":


   a. Select Configure Remote SIP Connectivity if you want the tool to configure Remote Phone access to the 3Com VCX server.
   b. Select Register this unit with Ingate if you want the tool to connect with www.ingate.com to register the unit. If selected, consult the Startup Tool Getting Started Guide.
   c. Select Upgrade this unit if you want the tool to connect with www.ingate.com to download the latest software release and upgrade the unit. If selected, consult the Startup Tool Getting Started Guide.
   d. Select Backup the created configuration if you want the tool to apply the settings to an Ingate unit and save the config file.
   e. Select Creating a config without connecting to a unit if you want the tool to just create a config file.
   f. Select The tool remembers passwords if you want the tool to remember the passwords for the Ingate unit.

5) In "Inside (Interface Eth0)":
   a. Enter the IP Address of the Ingate Unit.


6) In "Enter a Password", enter the Password of the Ingate unit.

7) Once all required values are entered, the Contact button will become active. Press the Contact button to have the Startup Tool contact the Ingate unit on the network.

8) Proceed to Section: Network Topology.


Network Topology
The Network Topology is where the IP Addresses, Netmask, Default Gateways, Public IP Address of NATed Firewall, and DNS Servers are assigned to the Ingate unit. The configuration of the Network Topology is dependent on the deployment (Product) type. Each type has a unique set of programming and deployment requirements, so be sure to pick the Product Type that matches the network setup requirements.

Configuration Steps: 1) In the Product Type drop down list, select the deployment type of the Ingate SIParator.

Hint: Match the picture to the network deployment.

2) When selecting the Product Type, the rest of the page will change based on the type selected. Go to the Sections below to configure the options based on your choice. Select: DMZ SIParator, DMZ-LAN SIParator, LAN SIParator, or Standalone SIParator.


Product Type: Standalone


When deploying an Ingate SIParator in a Standalone configuration, the SIParator resides on a LAN network and on the WAN/Internet network. The Default Gateway for the SIParator resides on the WAN/Internet network. The existing Firewall is in parallel with and independent of the SIParator. The Firewall is the primary edge device for all data traffic out of the LAN to the Internet. The SIParator is the primary edge device for all voice traffic out of the LAN to the Internet.

Configuration Steps: 1) In Product Type, select Standalone SIParator.

2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the LAN network.


3) Define the Outside (Interface Eth1) IP Address and Netmask. This is the IP Address that will be used on the Internet (WAN) side on the Ingate unit.
   a. A Static IP Address and Netmask can be entered.
   b. Or select Use DHCP to obtain IP, if you want the Ingate Unit to acquire an IP address dynamically using DHCP.

4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.

5) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.


Product Type: DMZ SIParator


When deploying an Ingate SIParator in a DMZ configuration, the Ingate resides on a DMZ network connected to an existing Firewall. The Ingate needs to know the Public IP Address of the Firewall. This existing Firewall must be the Default Gateway for the DMZ network; the existing Firewall is the primary edge device for all data and voice traffic out of the LAN and DMZ to the Internet. SIP Signaling and Media must be forwarded to the Ingate SIParator, both from the Internet to the SIParator and from the DMZ to the LAN.

Configuration Steps: 1) In Product Type, select DMZ SIParator.

2) Define the IP Address and Netmask of the DMZ (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the DMZ network side on the existing Firewall.


3) Define the LAN IP Address Range, the lower and upper limit of the network addresses located on the LAN. This is the scope of IP Addresses contained on the LAN side of the existing Firewall.

4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.

5) Enter the existing Firewall's external WAN/Internet IP Address. This is used to ensure correct SIP Signaling and Media traversal functionality. This is required when the existing Firewall is providing NAT.

6) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.


7) On the existing Firewall, the SIP Signaling Port and RTP Media Ports need to be forwarded to the Ingate SIParator. The Ingate SIParator is an ICSA Certified network edge security device, so there are no security concerns forwarding network traffic to the SIParator. On the existing Firewall:
   a. Port Forward the WAN/Internet interface SIP Signaling port of 5060 with a UDP/TCP Forward to the Ingate SIParator.
   b. Port Forward a range of RTP Media ports of 58024 to 60999 with a UDP Forward to the Ingate SIParator.
   c. If necessary, provide a Rule that allows the SIP Signaling on port 5060 using UDP/TCP transport on the DMZ network to the LAN network.
   d. If necessary, provide a Rule that allows a range of RTP Media ports of 58024 to 60999 using UDP transport on the DMZ network to the LAN network.
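The addressing rules in steps 2 to 5 above can be checked before the values are typed into the Startup Tool. The following is an added example, not part of the original application note or of any Ingate or 3Com software; the function name, the dictionary keys and the sample addresses are assumptions constructed for illustration, and IPv4 is assumed throughout.

```python
import ipaddress

# RFC 1918 ranges; an external WAN/Internet address should not fall in these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_dmz_plan(plan):
    """Return a list of problems found in a DMZ SIParator addressing plan."""
    problems = []
    eth0 = ipaddress.ip_interface(f"{plan['eth0_ip']}/{plan['eth0_netmask']}")
    dmz = eth0.network
    lan_low, lan_high = (ipaddress.ip_address(a) for a in plan["lan_range"])
    gateway = ipaddress.ip_address(plan["default_gateway"])
    fw_wan = ipaddress.ip_address(plan["firewall_wan_ip"])

    # Step 2: Eth0 needs a usable host address on the DMZ subnet.
    if dmz.prefixlen < 31 and eth0.ip in (dmz.network_address,
                                          dmz.broadcast_address):
        problems.append(f"eth0 {eth0.ip} is the network or broadcast address of {dmz}")

    # Step 3: the LAN range must be ordered and must not reach into the DMZ.
    if lan_low > lan_high:
        problems.append("LAN range lower limit is above the upper limit")
    elif any(net.overlaps(dmz) for net in
             ipaddress.summarize_address_range(lan_low, lan_high)):
        problems.append(f"LAN range overlaps the DMZ subnet {dmz}")

    # Step 4: the gateway is the existing firewall's address on the DMZ network.
    if gateway not in dmz:
        problems.append(f"default gateway {gateway} is not on the DMZ subnet {dmz}")
    elif gateway == eth0.ip:
        problems.append("default gateway equals the SIParator's own Eth0 address")

    # Step 5: the firewall's external address is the one used for NAT traversal.
    if any(fw_wan in net for net in RFC1918):
        problems.append(f"firewall WAN address {fw_wan} is an RFC 1918 private address")
    return problems


# Constructed sample plans (documentation and private addresses, not real hosts).
GOOD_PLAN = {
    "eth0_ip": "192.168.50.2", "eth0_netmask": "255.255.255.0",
    "lan_range": ("10.0.0.1", "10.0.0.254"),
    "default_gateway": "192.168.50.1",
    "firewall_wan_ip": "203.0.113.10",
}
BAD_PLAN = {
    "eth0_ip": "192.168.50.2", "eth0_netmask": "255.255.255.0",
    "lan_range": ("192.168.50.100", "192.168.51.10"),  # reaches into the DMZ
    "default_gateway": "10.0.0.1",                     # firewall's LAN side
    "firewall_wan_ip": "192.168.50.1",                 # DMZ side, not WAN
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_dmz_plan(plan) or "no problems found")
```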


Product Type: DMZ-LAN SIParator


When deploying an Ingate SIParator in a DMZ-LAN configuration, the Ingate resides on a DMZ network connected to an existing Firewall and also on the LAN network. The Ingate needs to know the Public IP Address of the Firewall. This existing Firewall must be the Default Gateway for the DMZ network; the existing Firewall is the primary edge device for all data and voice traffic out of the LAN and DMZ to the Internet. SIP Signaling and Media must be forwarded to the Ingate SIParator, from the Internet to the SIParator. The voice traffic from the LAN is directed to the SIParator and then to the existing Firewall.

Configuration Steps: 1) In Product Type, select DMZ-LAN SIParator.

2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the LAN network.

3) Define the IP Address and Netmask of the DMZ (Interface Eth1). This is the IP Address that will be used on the Ingate unit to connect to the DMZ network side on the existing Firewall.
   a. A Static IP Address and Netmask can be entered.
   b. Or select Use DHCP to obtain IP, if you want the Ingate Unit to acquire an IP address dynamically using DHCP.

4) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.

5) Enter the existing Firewall's external WAN/Internet IP Address. This is used to ensure correct SIP Signaling and Media traversal functionality. This is required when the existing Firewall is providing NAT.

6) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.


7) On the existing Firewall, the SIP Signaling Port and RTP Media Ports need to be forwarded to the Ingate SIParator. The Ingate SIParator is an ICSA Certified network edge security device, so there are no security concerns forwarding network traffic to the SIParator. On the existing Firewall:
   a. Port Forward the WAN/Internet interface SIP Signaling port of 5060 with a UDP/TCP Forward to the Ingate SIParator.
   b. Port Forward a range of RTP Media ports of 58024 to 60999 with a UDP Forward to the Ingate SIParator.

Product Type: LAN SIParator


When deploying an Ingate SIParator in a LAN configuration, the Ingate resides on a LAN network with all of the other network devices. The existing Firewall must be the Default Gateway for the LAN network; the existing Firewall is the primary edge device for all data and voice traffic out of the LAN to the WAN/Internet. SIP Signaling and Media must be forwarded to the Ingate SIParator, from the Internet to the SIParator. The voice traffic from the LAN is directed to the SIParator and then to the existing Firewall.

Configuration Steps: 1) In Product Type, select LAN SIParator.

2) Define the IP Address and Netmask of the inside LAN (Interface Eth0). This is the IP Address that will be used on the Ingate unit to connect to the LAN network.


3) Enter the Default Gateway for the Ingate SIParator. The Default Gateway for the SIParator will be the existing Firewall's IP Address on the DMZ network.

4) Enter the existing Firewall's external WAN/Internet IP Address. This is used to ensure correct SIP Signaling and Media traversal functionality. This is required when the existing Firewall is providing NAT.

5) Enter the DNS Servers for the Ingate Firewall. These DNS Servers will be used to resolve FQDNs of SIP Requests and other features within the Ingate. They can be internal LAN addresses or outside WAN addresses.

6) On the existing Firewall, the SIP Signaling Port and RTP Media Ports need to be forwarded to the Ingate SIParator. The Ingate SIParator is an ICSA Certified network edge security device, so there are no security concerns forwarding network traffic to the SIParator. On the existing Firewall:
   a. Port Forward the WAN/Internet interface SIP Signaling port of 5060 with a UDP/TCP Forward to the Ingate SIParator.
   b. Port Forward a range of RTP Media ports of 58024 to 60999 with a UDP Forward to the Ingate SIParator.
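The WAN-side port forwards listed for the DMZ, DMZ-LAN and LAN product types (items a and b) can be audited against an export of the existing Firewall's forwarding rules. The following is an added example, not part of the original application note or of any vendor tool; the rule format, function names and sample rules are assumptions constructed for illustration, and reporting forwards wider than the listed ports as excess is this example's own choice.

```python
# Forwards the application note asks for on the existing firewall:
# SIP signaling on 5060 over UDP and TCP, RTP media on 58024-60999 over UDP.
REQUIRED_FORWARDS = [("udp", 5060, 5060), ("tcp", 5060, 5060),
                     ("udp", 58024, 60999)]


def to_ranges(ports):
    """Collapse a set of port numbers into sorted (first, last) ranges."""
    ranges = []
    for port in sorted(ports):
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def audit_forwards(rules, siparator_ip):
    """Compare forwards aimed at the SIParator with the required set.

    rules: list of dicts with keys proto, first_port, last_port, target
           (a hypothetical export format, assumed for this example).
    Returns {"missing": [...], "excess": [...]} as (proto, first, last) tuples.
    """
    allowed, forwarded = {}, {}
    for proto, first, last in REQUIRED_FORWARDS:
        allowed.setdefault(proto, set()).update(range(first, last + 1))
    for rule in rules:
        if rule["target"] != siparator_ip:
            continue  # forwards to other hosts are out of scope here
        ports = range(rule["first_port"], rule["last_port"] + 1)
        forwarded.setdefault(rule["proto"].lower(), set()).update(ports)

    report = {"missing": [], "excess": []}
    for proto in sorted(set(allowed) | set(forwarded)):
        want = allowed.get(proto, set())
        have = forwarded.get(proto, set())
        report["missing"] += [(proto, lo, hi) for lo, hi in to_ranges(want - have)]
        report["excess"] += [(proto, lo, hi) for lo, hi in to_ranges(have - want)]
    return report


# Constructed sample rule export; 192.168.50.2 stands in for the SIParator.
SAMPLE_RULES = [
    {"proto": "udp", "first_port": 5060, "last_port": 5060, "target": "192.168.50.2"},
    {"proto": "udp", "first_port": 58024, "last_port": 60000, "target": "192.168.50.2"},
    {"proto": "tcp", "first_port": 5000, "last_port": 5100, "target": "192.168.50.2"},
    {"proto": "tcp", "first_port": 443, "last_port": 443, "target": "192.168.50.10"},
]

if __name__ == "__main__":
    print(audit_forwards(SAMPLE_RULES, "192.168.50.2"))
```

In the sample, the RTP range stops short of 60999, which shows up as missing, and the TCP forward is wider than port 5060, which shows up as excess.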


IP-PBX
The IP-PBX section is where the IP Addresses and Domain location are provided to the Ingate unit. The configuration of the IP-PBX tells the Ingate unit the location of the 3Com VCX so that it can direct SIP traffic for use with SIP Trunking. The IP Address of the 3Com VCX server must be on the same network subnet as the IP Address of the inside interface of the Ingate unit. Ingate has confirmed interoperability with the 3Com VCX.

Configuration Steps: 1) In the IP-PBX Type drop down list, select the 3Com vendor. Ingate has confirmed interoperability with the 3Com VCX; the unique requirements of the vendor testing are contained in the Startup Tool.


2) Enter the IP Address of the 3Com VCX. The IP Address should be on the same LAN subnet as the Ingate unit.

3) This solution requires the use of a FQDN for the SIP Domain of the 3Com VCX. This domain name is used to route SIP Requests to the 3Com VCX associated with that domain. Select Use domain name and enter the FQDN.


ITSP
The ITSP section is where all of the attributes of the SIP Trunking Service Provider are programmed. These include details like the IP Addresses or Domain, DIDs, Authentication Account information, Prefixes, and PBX local number. The configuration of the ITSP tells the Ingate unit the location of the ITSP so that it can direct SIP traffic for use with SIP Trunking. Ingate has confirmed interoperability with many of the leading ITSP vendors.

Configuration Steps: 1) In the ITSP drop down list, select the appropriate ITSP vendor. Ingate has confirmed interoperability with several of the leading ITSP vendors; the unique requirements of the vendor testing are contained in the Startup Tool. If the vendor choice is not seen, select Generic ITSP.


When you select a specific ITSP vendor, the Startup Tool will have the individual connection requirements predefined for that ITSP; the only additional entries may be the specific site requirements.

2) Service Providers come in one of two flavors: either they have a trusted IP deployment or they require a Registration account.
   a. In the case where the Service Provider uses a Trusted IP deployment, all that is required is to enter the IP Address or Domain of the Service Provider's SIP Server or SBC. Enter the IP Address here, or select Use domain name and enter the FQDN of the Service Provider.
   b. In the case where the Service Provider requires the Ingate to Register with the Service Provider's SIP Server or SBC, select Use Account. When Use Account is selected, the Registration Account information from the Service Provider is required: information such as Username/DID, Service Provider's Domain, Authentication Username, and Authentication Password.


      i. Enter a DID (Username) with which the Ingate will register with the Service Provider. The Startup Tool also has the ability to program a sequential range of DIDs.
      ii. Registrations often require the use of an Authentication Username and Password. Also enter the Domain or IP Address of the Service Provider.

3) The Ingate has the ability to add/remove digits and characters from the Request URI Header. A typical scenario is the addition/removal of the ENUM character "+". Many IP-PBXs and ITSPs either need to add or remove this character prior to sending or receiving SIP requests. Here you can enter values to Match and remove from the Request URI.


Upload Configuration
At this point the Startup Tool has all the information required to push a database into the Ingate unit. The Startup Tool can also create a backup file for later use.

Configuration Steps: 1) Press the Upload button. If you would like the Startup Tool to create a Backup file, also select Backup the configuration. Upon pressing the Upload button the Startup Tool will push a database into the Ingate unit.


2) When the Startup Tool has finished uploading the database, a window will appear. After you press OK, the Startup Tool will launch a default browser and direct you to the Ingate Web GUI.

3) Although the Startup Tool has pushed a database into the Ingate unit, the changes have not been applied to the unit. Press Apply Configuration to apply the changes to the Ingate unit.

4) A new page will appear after the previous step requesting to save the configuration. Press Save Configuration to complete the saving process.


Verification Tests
1. Remote SIP Phone Registration
2. Basic Call - Local Extension calls Remote SIP Phone
3. Basic Call - PSTN Trunk calls Remote SIP Phone
4. Basic Call - Remote SIP Phone calls Local Extension
5. Basic Call - Remote SIP Phone calls PSTN Trunk
6. Attended Transfer - Local Extension calls Remote SIP Phone, Remote Phone Transfers Local Extension to PSTN Trunk
7. Attended Transfer - Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Local Extension
8. Attended Transfer - Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Remote SIP Phone
9. Attended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to PSTN Trunk
10. Attended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Local Extension
11. Attended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Remote SIP Phone
12. Unattended Transfer - Local Extension calls Remote SIP Phone, Remote Phone Transfers Local Extension to PSTN Trunk
13. Unattended Transfer - Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Local Extension
14. Unattended Transfer - Local Extension calls Remote SIP Phone, Remote SIP Phone Transfers Local Extension to another Remote SIP Phone
15. Unattended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to PSTN Trunk
16. Unattended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Local Extension
17. Unattended Transfer - Remote SIP Phone calls Local Extension, Local Extension Transfers Remote SIP Phone to another Remote SIP Phone
18. Conference - Local Extension calls Remote SIP Phone, Remote Phone Conferences Local Extension to PSTN Trunk
19. Conference - Local Extension calls Remote SIP Phone, Remote SIP Phone Conferences Local Extension to another Local Extension
20. Conference - Local Extension calls Remote SIP Phone, Remote SIP Phone Conferences Local Extension to another Remote SIP Phone
21. Conference - Remote SIP Phone calls Local Extension, Local Extension Conferences Remote SIP Phone to PSTN Trunk
22. Conference - Remote SIP Phone calls Local Extension, Local Extension Conferences Remote SIP Phone to another Local Extension
23. Conference - Remote SIP Phone calls Local Extension, Local Extension Conferences Remote SIP Phone to another Remote SIP Phone
24. Message Waiting
25. DTMF - PSTN
26. DTMF - Voicemail


Product Support
Product support can be obtained from the respective product suppliers.

Ingate Product Support:


Main Ingate Support link: http://www.ingate.com/Helpdesk.php
Europe, Middle East, Asia Pacific and Africa
Monday - Friday, 8:00am - 5:00pm (GMT+1)
Telephone: +46-13-21 08 52
Fax: +46-13-21 08 51
E-mail: support@ingate.com

North America, Latin America and South America
Monday - Friday, 8:00am - 6:00pm (EST) (GMT-5)
Telephone: +1-866-809-0002
E-mail: support@ingate.com

3COM product support:


Main 3COM Support link: http://www.3com.com/products/en_US/support/index.html

Asia Pacific
Telephone: +65 6543 6645
Fax: +65 6543 6518
E-mail: ap_service@3com.com

Europe, Middle East and Africa
Telephone: +44 (0)1442 435529 (Option 4)
Fax: +44 (0)1442 435811
E-mail: focalpoint_services@3com.com

North America and Latin America
Telephone: 866-326-6222 (Option 3)
Fax: 408-326-7140
E-mail: ecso_contracts@3com.com


Conclusion
In this application, the 3Com VCX solution is the IP-PBX and SIP Domain Server. It is the call control server processing the phone features and PBX functionality required for an enterprise. It resides on the private LAN segment of the enterprise, away from the Internet and protected by the Ingate from any malicious attacks. The Ingate SIParator sits on the Enterprise network edge, providing a security solution for data and SIP communications with E-SBC functionality. It is responsible for all SIP communications security by providing Policy and Routing Rules to allow specific SIP traffic intended for the Enterprise. The SIP Trunking Service Providers, or Internet Telephony Service Providers (ITSPs), can be of any vendor type, located anywhere across the Internet or any remote networks. These Service Providers offer access to the PSTN over a SIP Trunk.
