
Administrator and User Manual

for the
Comdasys Convergence series
&
Comdasys FMC series

Comdasys AG
Rüdesheimer Str. 7
D – 80686 München
Tel.: +49.89.5484333-0
Fax: +49.89.5484333-29
support@comdasys.com
http://www.comdasys.com

Disclaimer
We have taken all possible care to ensure that this manual contains correct, accurate information. However, the manufacturer cannot assume liability for any possible errors. In addition, the manufacturer cannot guarantee that the hardware will meet the purpose you require. Comdasys reserves the right to make changes according to technical progress at any time. Brand names may be registered trademarks and must be treated as such.

Copyright
© 2005-2008 Comdasys AG, 80686 München, Germany
All rights reserved. No part of this manual may be reproduced, processed or distributed in any form (print, photocopy, microfilm or any other process) or processed by an electronic system without prior written permission from the manufacturer.
User Manual edition: May 2008

Contents

© 2005-2008 Comdasys AG

1 Overview

1.1 Scope of delivery (Convergence 4600 / FMC 4800)

1. Convergence (compare figure ??) with built-in redundant power supply
2. 2 Power cords for redundant power supply
3. Network cable
4. Crossover network cable
5. Mounting brackets for 19” racks
6. Handles for 19” rack usage
7. RS232 to RJ45 console cable
8. Quick reference sheet

Figure 1.1: Convergence 4600/FMC 4800

1.2 Scope of delivery (Convergence 3600 / FMC 3800)

1. Convergence (compare figure ??) with built-in power supply
2. Power cord
3. Network cable
4. Crossover network cable
5. Mounting brackets for 19” racks
6. RS232 console cable
7. Quick reference sheet

Figure 1.2: Convergence 3600/FMC 3800

1.3 Scope of delivery (Convergence 30xx / 33xx)

1. Convergence 30xx or 33xx with built-in power supply (the ports vary with the model you purchased, from 4+1 BRI ports to 2 E1/T1 ports)
2. Power cord
3. Network cable
4. Crossover network cable
5. Mounting brackets for 19” racks
6. RS232 console cable
7. Quick reference sheet

i Note that these devices are configured through an HTTP interface. The standard configuration GUI is running on port 80. From there it is possible to configure everything including the gateway components. It is possible to access the gateway configuration via a separate GUI running on port 8080. Note however that any network setting you make there will have no effect.

Figure 1.3: Convergence 30xx and 33xx

1.4 Scope of delivery (Convergence 2600 / FMC 2800)

1. Convergence (compare figure ??) with built-in power supply
2. Power cord
3. Network cable
4. Crossover network cable
5. Mounting brackets for 19” racks
6. RS232 console cable
7. Quick reference sheet

Figure 1.4: Convergence 2600/FMC 2800

1.5 Scope of delivery (Convergence 1600)

1. Convergence (compare figure ??)
2. Power supply 100-240 V, 50-60 Hz AC-DC transformer
3. Power cord
4. Network cable
5. Crossover network cable
6. Quick reference sheet

Figure 1.5: Convergence 1600

1.6 Scope of delivery (Convergence 550 and 650)

1. Convergence (compare figure ??)
2. Power supply 100-240 V, 50-60 Hz AC-DC transformer
3. Power cord
4. Network cable
5. Crossover network cable
6. RS232 to RJ45 adapter cable (Convergence 650 only)
7. Quick reference sheet

Figure 1.6: Convergence 650

2 Basic configuration

2.1 Prepare configuration

The Convergence is configured by a web interface that can be opened with the web browser of your choice. Therefore, the Convergence configuration is independent of the operating system used and can for example be accessed from Linux, Macintosh or Microsoft Windows computers. It is also not necessary to install any special tools, except you want to copy files or have command-line access. Please refer to the Command Line Guide documentation for more information on that.

For the Web configuration, your web browser must support frames, but nowadays this applies to almost every modern browser. If you want to use the setup wizard you’ll also need JavaScript support. Please make sure this is enabled in your web browser.

The LAN1 interface of the Convergence is configured to the following parameters by default.

Network protocol   TCP/IP
IP-Address         10.0.0.205
Subnetmask         255.255.255.0

Therefore, in order to be able to communicate with the Convergence, the IP address of your PC has to be set up to be in this subnet, as for example 10.0.0.206. Please refer to the documentation of your operating system for more information on how to accomplish this.

2.2 Establish a connection to the Convergence

1. For starting configuration enter https://10.0.0.205 in your browser’s address field. In order for this to work, you need to configure your PC to an address in the same subnet. Possibly your browser will ask you to accept a certificate and warn you that it is self-signed. To continue the configuration you will have to accept this certificate for establishing an encrypted connection to the Convergence. For some products, the correct protocol will be HTTP, so you have to enter http://10.0.0.205 to correctly connect.

2. Select your language. You can change the language anytime via the page header.

! If you are dealing with a device that is equipped with a separate management interface, you need to explicitly enable management access to the device via the LAN interface. Information on how this works can be found in section ??.

3. Enter the username and password. The username is admin and the password in the state of basic configuration is sesam. For security reasons, you should change the default password as soon as possible. Please refer to section ?? for more information about this topic. After having logged in successfully you should see the HTML page in figure ??.

Figure 2.1: Select your language

2.2.1 Architecture of the WebGUI

The WebGUI of the Convergence consists of different parts. These are
• Page Header
• Top Menu Bar
• Top Navigation
• Main Frame

2.2.1.1 Page Header
The page header gives you information about the Convergence you are dealing with.

2.2.1.2 Top Menu Bar
The Top Menu Bar is the top level navigation, namely Home, Apply Configuration (refer to ?? for more information), and Language.

2.2.1.3 Top (Main) Navigation
The top navigation is a two level navigation. This navigation gives you the major option to select. Select any of the top (main) menu points. When you do that, a submenu will open. You are now able to make a selection and by selecting any of these points the configuration will change. This manual is structured according to this navigation.

2.2.1.4 Main Frame
The main frame will always contain the currently selected configuration screen. Use the ?? to select what part of the Convergence you want to configure. The main frame will remain empty until you do that.

2.2.1.5 Bottom Menu Bar
In the bottom line, you can find important product and software information on the bottom right hand side. The most important thing is the software version which should be a four digit number. This number can be followed by a dot. The number after this dot indicates the patchset number the product contains. The numbering is just to indicate that this software version is based on some major revision and just contains additional patches. Note that Updates and Updates with included patches install and behave exactly the same way.

2.2.2 Home
When clicking Home, you will always get to the status page.

2.2.3 Apply Configuration
The Convergence has a transaction based configuration mechanism. This means that any changes you make will only become active after applying the configuration changes. Clicking the Apply Configuration option will finally store all changes made since you last applied and restart the services as necessary through the configuration changes. If you do not want to interrupt the operations of the Convergence, there is also a way of applying the configuration changes for individual services only. Please refer to the ?? for more information on this.

2.2.4 GUI concepts
The GUI follows a number of design principles. Understanding these is important for effectively working with it.

2.2.4.1 Default Values
There are both explicit as well as implicit default values. The explicit ones are set by default in the WebGUI. Implicit ones are fields that can simply be left empty. The system will select an appropriate value for you. You can leave all fields except the mandatory ones empty.

2.2.4.2 Mandatory Values
Mandatory values have to be configured. In the GUI, you can identify them by the symbol behind the title. If left empty, you will receive an error message asking you to set the value.

2.2.4.3 Erroneous Values
The WebGUI does check the entered values for consistency and will not accept values failing this check. These checks include type checks (string or number, etc.), range checks (do entered numbers make sense) and basic sanity checks (do certain parameters exclude each other, etc.). This however cannot avoid misconfigurations since only basic sanity checks as well as a syntax checking of the entered values is performed.

2.2.5 Home Page (Status)
Here you can see an alphabetical list of all services available on the Convergence. The Status ”LEDs” show whether the corresponding service is (compare figure ??):
• active
• inactive
• disabled

It is possible to start, stop or restart services individually by clicking on Start:, Stop: or Restart:. The button with the label Reapply configuration: allows you to make sure that the corresponding parameters set in the Web interface are activated for the service.

Applying configuration changes for selected services only
If you want to make smaller configuration changes to individual services without affecting the operation of all other services, you can make the appropriate changes and save them. Then you come to this status page to apply the changes and restart the respective service.
1. Go to the menu item for the service to configure.
2. Make configuration changes and click Save.
3. Return to the status page and click in the status line of the respective service.
4. Restart the service by clicking Restart:.

Figure 2.2: Service Status

2.2.6 Convergence 30xx and 33xx
Note that the products with integrated gateway devices have some special properties. First, there is an additional menu entry in the configuration menu by the name of Gateway. This menu point will bring you to the VoIP gateway configuration. When clicking this menu, you will get to the configuration page shown in figure ??. Here you will need to use the standard gateway credentials supplied with the gateway, which is public as username with an empty password. This will bring you into the gateway configuration. Note that all menu points not making sense in the integrated product have been made inaccessible. In order to get a description of the parameters there, please refer to the Mediatrix 3000 Series Digital Gateway documentation. In addition to that, the product is using the HTTP protocol as its default interface, as already mentioned in this manual. This means that you have to enter http://10.0.0.205 to correctly connect.

Figure 2.3: Gateway Configuration

2.2.7 Convergence 4xxx
The Convergence 4600 and 4800 provide an additional management interface for configuration. The management interface is labeled FE on the front side of the appliance. Due to additional available network interfaces the port arrangement differs from the other Comdasys appliances. For the Convergence 4xxx series the default IP address is configured on the management interface instead of the primary LAN interface.

Please refer to the table below for the port mappings on the front side of your 4xxx Convergence series.

Label   Usage
CON     Connector for serial console
FE      Management Interface, Fast Ethernet Connector
Key     USB Connector, e.g. for attaching a keyboard
B1      GBIC Interface 1
B2      GBIC Interface 2
A1      LANA Interface
A2      LANB Interface
A3      DMZ Interface
A4      WAN Interface

3 Expert mode

The Expert Mode assumes familiarity with the concepts of IP networking and if applicable with those of VoIP. In the expert mode you can find all configuration parameters structured in a two level menu. The configuration can be performed in any order.

System                     In this section, you can configure all the system basics, update the unit, factory reset the unit, as we
Network                    The network part lets the user configure all interfaces, virtual interfaces, traffic shaping and other n
VPN
Security                   The security portion consists mostly of the firewall settings.
Voice-over-IP              The VoIP settings contain all the Session Border Controller configurations.
Survivability              functi
Fixed Mobile Convergence   This section contains all FMC related settings.
Diagnostics                Note that changes here usually

Changing menu items marked with ? will be applied immediately, in contrast to the remaining items, which will only be applied after executing Apply configuration, or the Reapply Configuration followed by a restart of the respective service in the Status page. Using Apply configuration will cause all services to restart.

3.1 System

3.1.1 Basic settings
In this section you can adjust date and time, specify a domain name server (DNS server) and a host name for the Convergence. Note that the date and time settings will be overridden by any NTP server settings. If an NTP server is set, the clock is synchronized from there. It is not a crucial setting. The system name should be set for administrative purposes. The system name is however shown as the command prompt when you access the system via command line interface. There it is very helpful to see the system you are on.

Figure 3.1: Basic settings

Time and date
Date and time will be applied immediately after pressing the button Save, all the other options only after selecting Apply configuration. The default values are the currently adjusted time and date respectively. The system time and date are important for using for example the logging facilities. The settings done here will also be saved in the hardware clock of the system and thus not be lost with a reboot.

i The time and date setting will be applied immediately without the need of pressing Apply Configuration.

Timezone
Usually NTP servers utilize GMT (Greenwich Mean Time). This however does not include daylight savings time. The change between normal and daylight savings time occurs at different times in different parts of the world. Therefore, to get the correct timezone on your device, you need to set the time zone where the device is located. There are two types of timezones that are supported by the device. The GMT timezones simply define a fixed offset from GMT / UTC time. These are coded in the regional time zones (e.g. CET for Central European Time). If you select such a timezone the switch to daylight savings time and back is done automatically by the device.

Domain name server
For using debugging tools like ping, traceroute and telnet with names instead of addresses and specifying names for the remote clients of VPN tunnels (e.g. if the remote client works with a dynamic DNS entry) a DNS server has to be specified. If you connect to the internet with PPPoE and PPTP this value will often be substituted with a DNS server automatically assigned by the provider. You do not have to set this value in that case. If you do not specify a DNS server here, you can only use IP addresses for all services configured on the Convergence. The same holds of course true for all other services like VoIP where the specification of host names is possible.

System name
The entered name must not contain any whitespace or special characters. Any system name you set here should correspond with any name you assigned in a DNS server. Non matching forward and reverse lookups as well as differing host names will cause problems with various services. By clicking the button Save, the settings will be applied.

3.1.2 Change password
With this menu item, the password for accessing the Convergence can be changed. The default password is sesam. It is highly recommended to change it before connecting the appliance to the Internet. The new password applies both for access over the web interface and over command line interface (serial console, SSH). The chosen password should not contain whitespace, since such a password might be mangled by the used browser. If you want to use passwords with special characters, please use the CLI interface to avoid such browser problems. If you still want to set such a password, please check the Command Line Guide for information on how to safely accomplish this. By clicking the button Save the new password will be applied.

! The new password will be applied immediately. This means that right after changing the password with your browser, you will be asked for it to continue with the configuration.

! By default the password length is limited to 8 characters for the WebGUI administration. Excess characters will be ignored silently. There are however ways to increase this limit (e.g. by using RADIUS), or to use certificate based authentication. Please refer to the Command Line Guide for more information.

Figure 3.2: Change the password

3.1.3 Install update
Comdasys will publish regular system updates for their delivered systems. For unregistered users without special maintenance agreements, these can be downloaded from the web page http://www.comdasys.com. Users with special maintenance agreements will also get software upgrades providing additional functionality. If you are interested, please contact us via email: info@comdasys.com.

With this menu item, a local file on your PC can be selected and the update process can be started. Depending on the network connection, this upload can take up to several minutes. The update can even fail if done over a low bandwidth WAN link. It is not recommended to perform the update with a connection of less than 128 kbit/s. During the update process, aborted updates do not harm the Convergence or influence it in any way, since this will only install the update into the flash. Having uploaded the update will have no effect on the running system. In order for the Update to take effect, you will need to reboot your Convergence system. After the update process, there will not be an automatic reboot or restart of services. You can however perform this reboot at a later time. Note also that not all services might come up properly after a reboot. Only after reapplying the configuration this can be ensured. You should have the configuration on the Convergence prior to the update; this configuration will be converted.

i A timeout can occur while uploading an update. The Convergence has a hard set timeout of 2 hours. This means that any upload will abort after this time if it has not completed. Note that your browser might interrupt the upload quicker than that.

! Please refer to the Release Notes before doing an Upgrade. These might contain special instructions to consider before upgrading to a certain version.

i Although the approach has been documented for an Update here, the exact same thing can be done for a downgrade as well. This means that you can select an older version just as if you were uploading a more recent file. Note that you will have to reapply the configuration after rebooting the system when having downgraded. Note that you should only use compatible configurations with older versions. This can be accomplished by reverting to a saved configuration or by doing a factory reset.

! You should not import old configurations into a more recent version of the Convergence system.

Figure 3.3: Install an update

Installing an update
1. Download the update and Readme (if applicable) file for the desired version and store it on your PC.
2. Select the downloaded update file in the web interface.
3. Click the button Upload for upload and wait for the Update to complete.
4. Reboot the system in order for the update to take effect.
5. Click Apply Configuration to adapt the configuration.

i After rebooting with the new software version, please make sure to click Apply Configuration to adapt the configuration to the new software version. The current version of the Convergence can always be found in the right bottom corner of the web interface.

Installing an update for the Convergence 30xx/33xx with Integrated Voice Gateway
The Voice Gateway Software is separate from the system software, and therefore it must be updated separately. The Gateway software update is packaged like a hotfix, but it is a full software update for the gateway component.
1. Download the Gateway update bundle (GW Software Update) and store it on your PC.
2. Unpack this ZIP archive. It will contain the software file (ending in .sh) and maybe some documentation and release notes. If necessary, do additional configuration steps as recommended in the enclosed Readme file. If there is none, no special considerations have to be taken.
3. Select the downloaded update file (muse.sh) in the Upload Update Web Interface.
4. Click the button Upload for upload.
5. Reboot the system in order for the update to take effect.

3.1.4 Provisioning
The Convergence features provisioning facilities that can be used for mass deployment. With that it is possible to create a more or less standard configuration plus a list of variables that are different for the respective Convergence. Provisioning is always a very project specific topic where there is no real general answer. Suffice to say that Provisioning facilities are present and can be used. For further information please contact your reseller or support@comdasys.com.

Figure 3.4: Configuration of the Provisioning

3.1.5 Configuration backup
In this section you can save or restore the configuration of the complete Convergence. By clicking the button Save, the most important configuration files will be saved into an archive file configuration-<date>.cpio.gz offered for download.

Restoring configuration
1. Select the location of the backup file stored on your PC
2. Click the button Send for Upload
3. Apply configuration

Figure 3.5: Configuration backup

i Note that this configuration saving applies to all necessary parameters for the Convergence. This includes all FMC data like users and configured hosts registrations. It will hence include the complete FMC database snapshot at the time the backup is made. If you are using a product with integrated voice gateway functionality, this will also include e.g. the ISDN configuration.

! The language of the GUI is also stored in the configuration archive, since it is part of the configuration. This means if you restore a configuration later, the language might change.

! This mechanism is intended for backing up and restoring configurations on the same devices. This however does enable you to make a one-to-one restoration of a failed device. Saved configurations do only work on equal restoration devices. Please do not use this for provisioning purposes by creating a default configuration and then replicating this to multiple devices. Note that also device specific files will be included in this archive that you do not want to replicate to arbitrary devices. Do not use a saved configuration from one device on a different device type unless this procedure has been okayed by the manufacturer!

3.1.6 Configuration restore
The Configuration Rollback enables you to revert the configuration of your box back to an earlier status. It depends on when you last saved your configuration which ones you will be able to roll back to. After performing a rollback, you will always have to press Apply Configuration to activate it. This will also provide you a chance to look at the restored configuration first, before activating it.

i Every time you use the Apply Configuration the current configuration will be stored. This however does not necessarily apply if additional data has been manually copied to the system in CLI mode.

i Before doing bigger changes to your configuration, it is always wise to go to this page and save the current configuration. This will enable you to roll back to this configuration at a later point in time.

Number of Configurations
This field defines how many configurations should be stored on the system. You have a choice between ’5’, ’15’ or ’25’ stored configurations. Saving a configuration will fail if there is no space available on the system. The system however has been designed to provide enough space for all of the above mentioned settings.

Previous Configuration
Select the configuration you want to restore here by using the drop-down box. The naming convention of the stored configurations is as follows: DATE-TIME. The date will be formatted as year month day always with two digits followed by a minus followed by the time in 24 hours format. The following is an example filename of a backup (080311-1423) done on March 11th 2008 at 14:23. To activate this configuration, you will need to select Apply Configuration.
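The DATE-TIME naming convention above is what an administrator has to read when picking a rollback point or deciding how many snapshots to keep. The POSIX shell functions below are an added example, not part of the manual or of the Comdasys software: they validate snapshot names of the form YYMMDD-HHMM, order them newest first, and list the entries that would fall outside a given Number of Configurations. SAMPLE_BACKUPS is a constructed list, the assumption that the appliance keeps the newest N entries is the example's own, and the "20" century prefix in describe_backup follows the manual's 080311-1423 = March 11th 2008 reading.

```shell
#!/bin/sh
# Added example: work with rollback snapshot names of the form YYMMDD-HHMM.
# SAMPLE_BACKUPS is constructed test data, not output of a real appliance;
# it mixes valid stamps with a stray file and an impossible date (month 13).
SAMPLE_BACKUPS='080311-1423
080305-0900
not-a-backup.txt
080228-2359
080311-0930
081301-1200'

# is_backup_name NAME -> exit 0 only for a well-formed YYMMDD-HHMM stamp
# (shape check first, then a plausibility check on month, day, hour, minute).
is_backup_name() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # cut out the fields; strip one leading zero so "08" is not read as octal
    mm=$(printf '%s' "$1" | cut -c3-4);   mm=${mm#0}
    dd=$(printf '%s' "$1" | cut -c5-6);   dd=${dd#0}
    hh=$(printf '%s' "$1" | cut -c8-9);   hh=${hh#0}
    mi=$(printf '%s' "$1" | cut -c10-11); mi=${mi#0}
    if [ "$mm" -lt 1 ] || [ "$mm" -gt 12 ]; then return 1; fi
    if [ "$dd" -lt 1 ] || [ "$dd" -gt 31 ]; then return 1; fi
    if [ "$hh" -gt 23 ] || [ "$mi" -gt 59 ]; then return 1; fi
    return 0
}

# valid_backups -> the well-formed names, newest first.  Because every
# field is fixed width and zero padded, a reverse text sort is chronological.
valid_backups() {
    printf '%s\n' "$SAMPLE_BACKUPS" | while IFS= read -r name; do
        if is_backup_name "$name"; then printf '%s\n' "$name"; fi
    done | sort -r
}

# newest_backup -> the most recent snapshot in the list
newest_backup() {
    valid_backups | head -n 1
}

# stale_backups N -> names beyond the newest N, i.e. the ones a
# "Number of Configurations" setting of N would no longer keep
# (assumed newest-N retention; the manual does not spell out the pruning order).
stale_backups() {
    valid_backups | tail -n +"$(( $1 + 1 ))"
}

# describe_backup NAME -> readable timestamp, e.g. 080311-1423 -> 2008-03-11 14:23
# (the two-digit year is assumed to lie in the 2000s, as in the manual's example)
describe_backup() {
    is_backup_name "$1" || return 1
    printf '20%s-%s-%s %s:%s\n' \
        "$(printf '%s' "$1" | cut -c1-2)" "$(printf '%s' "$1" | cut -c3-4)" \
        "$(printf '%s' "$1" | cut -c5-6)" "$(printf '%s' "$1" | cut -c8-9)" \
        "$(printf '%s' "$1" | cut -c10-11)"
}

# Example run: show the newest snapshot and what a setting of 5 would drop.
echo "newest: $(newest_backup) ($(describe_backup "$(newest_backup)"))"
echo "dropped with Number of Configurations = 2: $(stale_backups 2 | tr '\n' ' ')"
```

The shape check rejects anything that is not exactly six digits, a minus and four digits, so a stray file in the same directory is never mistaken for a snapshot; the range check catches stamps that cannot be real dates, which is the kind of entry that deserves a closer look before it is used as a rollback target.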

Figure 3.6: Configuration restore

Save now
By pressing Save you can trigger an immediate backup of the configuration. Note that such a backup can take several seconds. After the backup has completed you can refresh the page and see the backup in the Previous Configuration selection list.

! A restored configuration will not automatically be active after a reboot. The correct procedure is to always press Apply Configuration after performing a restore. A reboot is not necessary.

i The Backup will include all FMC settings, therefore you should be careful because for example newly created users will get lost.

3.1.7 Remote Backup
The Convergence offers functionality for providing an automated configuration backup to a remote system. The Backup can be done through FTP and SCP protocols and can be done in scheduled intervals. By default this functionality is disabled, so you need to configure it first in order to use it.

Active
You need to check this in order to enable the functionality.

Type
You can select between FTP and SCP. Note that you should use secure copy (SCP) whenever possible because the backed up configuration also includes passwords, but also note that using SCP needs some manual setup which is described below.

Servername
Specify the server to backup to here. You can either specify an IP address or a hostname here. If you are using hostnames here make sure the DNS server has been set on the Basic Settings page.

Path
You also need to specify a path on the server here, where the files should be stored. This path is usually relative to the default login directory of the specified user.

Figure 3.7: Remote Backup Configuration

Username
You have to specify a username here. If the FTP server does not require authentication, you should still specify some name here, e.g. anonymous. This setting does not apply to SCP!

Password
Specify the password of the defined user on the server. If this setting is incorrect, the backup will fail. In that case you should check your server logs to see if there is an authentication mismatch.

Interval
You have a choice of different backup intervals here. The following settings are possible:
• OnChange: This will create a backup after every material change (this does not include changes to the FMC configuration)
• Hourly: This will create a backup every hour.
• Daily: This will back up the configuration any day. Set the time in the Interval field.
• Weekly: Backup every week. Select the day via the Interval field.

Time/Day of Week
The setting in the field always has to be an integer, and is only relevant if you have set the Interval field to either Daily or Weekly. If Daily is configured there, this field represents the time in full hours (24 hour time) when the backup should be performed. If Weekly is selected, this is the day of the week where 1 is Monday.

i To configure SCP, some manual setup is needed. First, you need to log in to your Convergence via SSH. If not already done, you need to run ssh-keygen -t dsa to generate an SSH key pair. Then you need to set up key-based login to your backup account on the backup host by running ssh-copy-id -i /root/.ssh/id_dsa.pub [backupuser]@[backuphost]. You will then be prompted for the password for that account. After entering the password, you should be able to log in to the backup account via ssh [backupuser]@[backuphost] without being asked for the password (the key will be used for authentication instead). Once that works you are ready to use SCP for remote backups.

i The backup archive format of the automatic backup is identical with the backup format for the manual Configuration Backup. In order to restore a backed up configuration, you should hence use the Configuration Backup page. See ?? for more information.
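The Remote Backup fields above carry several rules that the page enforces only loosely (a hostname needs a DNS server, FTP needs a username, Daily wants an hour and Weekly a weekday) plus one security point: an FTP backup ships the archive, passwords included, unencrypted. The POSIX shell function below is an added example, not part of the manual or of the Comdasys software; it checks a set of form values against those rules before the feature is switched on. The server names and DNS address in the example run are constructed, and the weekday upper bound of 7 is an assumption (the manual only states that 1 is Monday).

```shell
#!/bin/sh
# Added example: sanity-check Remote Backup settings before enabling them.

# is_dotted_quad S -> exit 0 if S looks like an IPv4 literal, 1 for a hostname
is_dotted_quad() {
    case "$1" in
        *[!0-9.]*|'') return 1 ;;
        *.*.*.*)      return 0 ;;
        *)            return 1 ;;
    esac
}

# is_int_in_range VALUE LOW HIGH -> exit 0 if VALUE is an integer in [LOW, HIGH]
is_int_in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -lt "$2" ] || [ "$1" -gt "$3" ]; then return 1; fi
    return 0
}

# validate_remote_backup TYPE SERVER PATH USER INTERVAL TIMEDAY DNS
#   TYPE      FTP or SCP
#   SERVER    IP address or hostname
#   PATH      directory on the server
#   USER      account name (ignored for SCP, which uses the SSH key)
#   INTERVAL  OnChange, Hourly, Daily or Weekly
#   TIMEDAY   hour 0-23 (Daily) or weekday 1-7 (Weekly); ignored otherwise
#   DNS       DNS server from Basic Settings, '' when none is set
# Prints each finding as "error: ..." or "warning: ..." and returns 0 only
# when nothing blocks the backup from running.
validate_remote_backup() {
    btype=$1 server=$2 rpath=$3 user=$4 interval=$5 timeday=$6 dns=$7
    errors=0
    case "$btype" in
        SCP) ;;
        FTP) echo "warning: FTP sends the archive, which contains passwords, unencrypted; prefer SCP" ;;
        *)   echo "error: type must be FTP or SCP"; errors=$((errors + 1)) ;;
    esac
    if [ -z "$server" ]; then
        echo "error: server name is empty"; errors=$((errors + 1))
    elif ! is_dotted_quad "$server" && [ -z "$dns" ]; then
        echo "error: $server is a hostname but no DNS server is set in Basic Settings"
        errors=$((errors + 1))
    fi
    if [ -z "$rpath" ]; then
        echo "error: remote path is empty"; errors=$((errors + 1))
    fi
    if [ "$btype" = FTP ] && [ -z "$user" ]; then
        echo "error: FTP needs a username (use anonymous if the server does not authenticate)"
        errors=$((errors + 1))
    fi
    case "$interval" in
        OnChange|Hourly) ;;
        Daily)
            is_int_in_range "$timeday" 0 23 ||
                { echo "error: Daily needs a full hour 0-23, got '$timeday'"; errors=$((errors + 1)); } ;;
        Weekly)
            is_int_in_range "$timeday" 1 7 ||
                { echo "error: Weekly needs a weekday 1-7 (1 = Monday), got '$timeday'"; errors=$((errors + 1)); } ;;
        *)
            echo "error: unknown interval '$interval'"; errors=$((errors + 1)) ;;
    esac
    [ "$errors" -eq 0 ]
}

# Example run with constructed values: a Daily SCP backup at 03:00 to a host
# that is resolvable because a DNS server is configured.
validate_remote_backup SCP backup.example.net backups/convergence '' Daily 3 10.0.0.1 \
    && echo "remote backup settings look usable"
```

The FTP case is deliberately a warning rather than an error: the manual allows FTP, but the reminder that the archive carries passwords belongs next to the choice, where a reviewer of the settings will see it.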

3.1.8 Restart system
By clicking the button Restart, the Convergence will be rebooted. It may take up to two minutes until the Convergence is fully operational and reachable again. Depending on the configured WAN type and the number of possibly configured VPN tunnels, it can take even longer until all tunnels are available again.

Figure 3.8: Restarting the System

3.1.9 Port Numbers
On this page it is possible to define the SSH and the HTTP/HTTPS port used for administration. The Default values are 22 for SSH, 443 for HTTPS (or port 80 for HTTP on systems that don’t use HTTPS), as recommended by the Internet Assigned Numbers Authority (http://www.iana.org/assignments/port-numbers).

i Note that you do not need to change these values in most cases. Changing them is mostly done for security purposes if administration through the WAN interface is enabled. Using non standard ports makes it harder for scan programs to find these open ports.

3.1.10 Restore Factory Defaults
The ’Restore the basic configurations’ page allows you to restore the basic configuration and / or reset the ’Dualmode’ database (only FMC products) to the factory state.
• Restore the basic configuration: Restoring the basic configuration deletes all configured settings from the Convergence with the exception of the ’Dualmode database’. To restore the basic configuration click the first Reset on the right side of the page.
• Reset ’Dualmode’ database (only FMC products): This action will empty the database. The database includes all ’Dualmode’ settings. To reset the database click the second Reset on the right side of the page.

i After the restore / reset a restart of the system is needed!

! After ’Restore the basic configuration’ the default IP address is 10.0.0.205 and subnet mask is 255.255.255.0. Refer to figure ?? on page ?? for more information on this.

3.1.11 Licenses
This product contains Open Source Software. Most Open Source Software mandates that the license of the package is included with the product containing the software. Therefore, this page lists all licenses of Open Source packages contained in this Convergence. A mouse click on the package name shows the complete license text.

Figure 3.9: Reset basic configurations

3.2 Network

3.2.1 WAN interface

The internet connection can be configured with the menu item WAN interface. The following parameters can be set up (compare figure ?? on page ??).

Connection via IP
If the Convergence is connected to the internet via a leased line or an internet router (xDSL router, ISDN router, etc.), you have to choose IP and enter the information for your network. For the field Gateway you should enter the address of your router (default gateway) for the WAN connection. Please also refer to your ISP regarding additional configuration that may be necessary with DSL routers.

Connection via PPPoE / PPTP
If the Convergence is directly connected to the internet via a DSL modem, you will have to select PPPoE or PPTP (depending on your provider) and enter the connection information given to you by your provider. Note that some providers by default do not want you to connect a router in order to connect multiple PCs. They will ship special software to install on the PC for being able to access their network. If you experience problems with the installation here, please make sure your provider does not impose such restrictions.

Figure 3.10: Configuration of the WAN interface

If the connection uses PPPoE, the username and password are all you have to enter. If the connection uses PPTP, additional information is needed: the internal IP address of your DSL modem, the related netmask (both should be known by your provider) and a matching IP address for your Convergence. The IP of the Convergence has to be in the same network as the IP address of the modem. A common IP address is 10.0.0.138. Please ask your provider or consult your DSL modem/router manual about the IP settings of your modem.

Configuring WAN Interface

1. Select the connection type: IP, PPPoE, PPTP, or choose Deactivated if you do not want to use the WAN interface.
2. Provide configuration details for the selected section as described above.
3. Save changes by clicking on Save. Your changes will be applied after selecting Apply configuration.

3.2.2 LAN interface 1

This menu item is used for configuring the primary LAN interface. The following parameters can be set up (compare figure ?? on page ??):

Dynamic IP address
Select this if you have a DHCP server in your LAN that you want the Convergence to obtain its IP address from. This only applies to bigger networks where the Convergence acts for certain dedicated functionality (e.g. VoIP) only. DHCP however is frequently used as a tool for the central administration of IP addresses. You can have DHCP assign a fixed IP address to a device. This approach is controlled by the MAC address that can be configured in the DHCP server. For the NAT parameter see the Static case.

Attention: Since the Convergence serves as a server for certain protocols such as SIP, the IP address of the device must be known to the user. Assigning a truly dynamic IP address hence does not make much sense.

Static IP address
The IP address of the Convergence's primary LAN interface.

Netmask
The netmask for the IP address of the Convergence's primary LAN interface.

2 Network Figure 3. 3.11: Configuration of the primary LAN interface 2005-2008 c Comdasys AG 37 .

NAT
This option should be chosen if address translation is required for the whole network traffic from this LAN to the Convergence's WAN address. Generally this is needed if your provider does not provide official IP addresses for your LAN (the usual case) and your Convergence is used as an internet router. This only applies to outgoing traffic from the LAN to the WAN.

Attention: You cannot specify a default gateway here directly. In order to specify a default gateway for the product, please configure it with the WAN interface. If you do not want to configure a WAN interface and still need a default gateway, please configure a routing entry. Please see ?? for more information. The settings you see below are for the DHCP server and are only assigned to the hosts in the network. They do not apply to the Convergence itself.

DHCP server
The Convergence is able to automatically assign IP addresses to computers connected to the primary LAN interface. If this functionality shall be used, this option has to be selected. Note that this option applies to DHCP server functionality. Do not confuse this with the DHCP client functionality described above. You should also make sure that you have no other DHCP server running in your network, since this can have very adverse effects.

from IP, to IP
If the Convergence is intended to be used as DHCP server, you have to define the address range the DHCP server will assign to clients requesting an IP address. Those addresses will be transmitted and assigned to the computers that are using DHCP. Both addresses have to be in the same subnet as the Convergence IP address; the beginning and the end of the range of course also have to be in the same subnet. This address range must not contain IP addresses of any other computer configured with a static IP address within this LAN. You should never configure a static IP address in the range of your DHCP server, since this could lead to an IP address conflict!

Domain
This is the DNS domain that will be assigned to the client. When using a hostname without domain in the DHCP client, the domain name will be attached as the default domain.

Standard Gateway IP
By default, the Convergence itself acts as a standard gateway. Another standard gateway can be set by ticking this checkbox and assigning an IP address below.

DNS and NTP
If the Convergence acts as a DHCP server, you can optionally specify 2 DNS servers and up to 3 NTP servers.

Configuring LAN Interface 1

1. Select the connection type: Dynamic IP via DHCP if you have a DHCP server in your LAN, or Static IP otherwise.
2. Check NAT if address translation is required for traffic from the LAN to the Convergence's address.
3. If you want the Convergence to act as DHCP server or as a standard gateway, check these options and provide configuration details for these sections as described above.

4. Optionally you can specify DNS and NTP servers that will be transmitted and assigned to the computers that are using DHCP.
5. Save changes by clicking on Save. Your changes will be applied after selecting Apply configuration.
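The DHCP range rules above (both ends inside the Convergence's subnet, no static host and not the Convergence itself inside the range) are easy to get wrong when addresses are typed into the web form. The following is an added example, not part of the manual and not the product's own code: a small consistency check for a LAN interface 1 configuration. The configuration values are constructed; only the 10.0.0.205/255.255.255.0 address is taken from the factory default named in section 3.1.10.

```python
import ipaddress

# Constructed example of a LAN interface 1 configuration (not taken from the manual);
# the Convergence's own address here is the factory default named in section 3.1.10.
LAN_CONFIG = {
    "ip": "10.0.0.205",
    "netmask": "255.255.255.0",
    "dhcp_from": "10.0.0.100",
    "dhcp_to": "10.0.0.150",
    # other hosts in this LAN that carry a static address (constructed)
    "static_hosts": {"printer": "10.0.0.20", "pbx": "10.0.0.120"},
}


def check_lan_config(cfg):
    """Return a list of configuration problems; an empty list means the LAN/DHCP setup is consistent."""
    problems = []
    iface = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['netmask']}")
    net = iface.network
    lo = ipaddress.ip_address(cfg["dhcp_from"])
    hi = ipaddress.ip_address(cfg["dhcp_to"])
    if lo > hi:
        problems.append("DHCP range start is after range end")
        lo, hi = hi, lo

    # both ends of the range must lie in the Convergence's subnet and must not be
    # the network or broadcast address
    for label, addr in (("from IP", lo), ("to IP", hi)):
        if addr not in net:
            problems.append(f"DHCP {label} {addr} is not in subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"DHCP {label} {addr} is the network or broadcast address")

    # the Convergence must not hand out its own address
    if lo <= iface.ip <= hi:
        problems.append(f"Convergence address {iface.ip} lies inside the DHCP range")

    # no statically configured host may sit inside the range (address conflict)
    for name, text in cfg["static_hosts"].items():
        addr = ipaddress.ip_address(text)
        if addr not in net:
            problems.append(f"static host {name} ({addr}) is not in subnet {net}")
        elif lo <= addr <= hi:
            problems.append(f"static host {name} ({addr}) lies inside the DHCP range")
    return problems


if __name__ == "__main__":
    for p in check_lan_config(LAN_CONFIG):
        print("problem:", p)
```

Run as is, the check reports the constructed PBX at 10.0.0.120 as sitting inside the 10.0.0.100–10.0.0.150 range, which is exactly the conflict the manual warns about.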

3.2.3 LAN interface 2

There are several options for configuring the secondary LAN interface (compare figure ?? on page ??):

Figure 3.12: Configuration of the secondary LAN interface

Deactivated
The secondary LAN interface will not be used.

DMZ
Note: This option is only available on Convergences which don't feature a dedicated DMZ interface (see section ??).
The secondary LAN interface serves for a so-called demilitarized zone (DMZ), a secure network area that is separate both from the internet and from the local network. It is mostly used for servers that shall be reachable from both the internal network and the internet (e.g. web server, mail server, etc.). In this scenario, only the Convergence IP address and netmask in this DMZ have to be specified. There are no more options left.

Internal net
In this scenario, the secondary interface will be treated exactly the same way as the primary one. The possibilities of configuration are therefore the same as in section ??.

3.2.4 DMZ interface

Note: This option is only available on a Convergence 2600, 3600, and 4600 and on FMC 2800, 3800, 4800.

The DMZ interface can be used for implementing a so-called demilitarized zone (DMZ), a secure network area that is separate from both the internet and the local network. It is usually used for servers that shall be reachable from both the internal network and the internet (e.g. web server, mail server, etc.). A DMZ will usually have official IP addresses. If you want to provide services to the internet and want the servers to have private IP addresses, we are not talking about full DMZ functionality, but rather about port forwarding. Please refer to the Firewall section for more information on that. Typically you will want to restrict access to the DMZ; for more information on that, also refer to the Firewall section.

The DMZ interface is deactivated by default. If you choose to activate it by selecting the radio button DMZ, only the Convergence's IP address and netmask for this DMZ have to be specified. There are no more options left.

Configuring DMZ Interface

1. Select DMZ in order to activate the DMZ interface.
2. Provide IP address and netmask for this DMZ.
3. Save changes by clicking on Save. Your changes will be applied after selecting Apply Configuration.

Figure 3.13: DMZ interface

3.2.5 Dynamic DNS

With the help of this menu item, it is possible to make the Convergence reachable from the internet even if a dynamic IP address is assigned by your provider. This is the only possibility for setting up a VPN tunnel between two VPN routers without static IP addresses. The principle is very simple. To be able to use a dynamic DNS service, you have to register a name with such a service (most DynDNS providers offer this basic service free of charge). This name and the username and password required for updating must be specified here together with the provider of the service. If a DynDNS provider is set up, the Convergence will post its current IP address each time it is assigned a new one.

Figure 3.14: Dynamic DNS

Table ?? shows the DynDNS operators currently supported.

3.2.6 Name server

The Convergence can run a name server in order to forward and resolve DNS queries. On this page you can manage the list of forwarders to be used. It will act as a caching server, not

Table 3.2: Currently supported providers for dynamic DNS service.

Provider    Register at
DHS         http://www.dhs.org
DynDNS      http://www.dyndns.org
DyNS        http://www.dyns.cx
easyDNS     http://www.easydns.com
EZ-IP       http://www.ez-ip.net
HN.org      http://www.hn.org
JustLinux   http://www.justlinix.com
ODS         http://www.ods.org
TZO.com     http://www.tzo.com
ZoneEdit    http://www.zoneedit.com

Note: This list can vary depending on the software release!

Configuring Dynamic DNS

1. Select the DynDNS Supplier.
2. Enter your Username and Password and the Hostname to be used.
3. Save changes by clicking on Save. Your changes will be applied after selecting Apply Configuration.

2 Network Figure 3. 3.15: Name Server Configuration 2005-2008 c Comdasys AG 47 .

forwarding each individual query, but rather querying only once for each domain name (re-queries will be done according to the expiry times specified in the DNS names resolved). Therefore, this functionality can also be used for performance improvement with applications that do a lot of name server lookups. A simple configuration would be to enter the DNS server assigned by your Internet provider. The PCs should then no longer contact this server for DNS, but the Convergence, which would then act as a caching forwarder.

Instead of configuring a forwarder for all requests, the DNS server can also be run as a slave server for certain zones, or as a forwarder for certain zones. As slave server, it would not only act as a caching proxy for certain zones, but as an authoritative name server. Note that the Convergence acts as a slave server and you have to provide the exact names of the zone files as they are set on the master server. These options should only be used by administrators familiar with the DNS protocol. They should not be required for standard scenarios.

Configuring Name Server

1. Select whether to use a custom configuration file (Use existing configuration) or to configure this service via the web interface (Activate DNS query forwarding). Choosing Deactivate DNS query forwarding will disable this service.
2. Provide the IP addresses of the Forwarders to be used.
3. If wished, add Zones and Forwarded zones that should be managed by this name server.
4. Save changes by clicking on Save. Your changes will be applied after selecting Apply configuration.

3.2.7 Routing

With this menu item you can configure additional routing entries. Standard routes like the default route and routing between the different configured interfaces are generated automatically. Hence, this menu only has to be used for any additional routes desired. Note that you only set the routes for outgoing IP packets here. In order to make the network behind the Convergence accessible from your network, you have to make sure that the route towards the Convergence is handled correctly there.

New routes are created by entering the matching values in the last row and can be applied by clicking the button New. Use the edit button to edit, or the delete button to delete an existing entry.

Figure 3.16: Routing

Adding a new routing entry

1. Click Add to create a new entry and specify the configuration parameters as follows.
2. Destination: The destination network for the desired route. This can also be a single host.
3. Netmask: The netmask of the destination network. Note that 255.255.255.255 will signify a host route.

4. Gateway: The address of the gateway router that connects the destination network with the local network. This address must be accessible via a local interface. The gateway must hence represent the next hop that can be used for routing.
5. Interface: The interface to which the gateway is connected (directly or indirectly via one or more switches).
6. Click Save to save the changes. Your changes will be applied after selecting Apply Configuration.

Specifying a default gateway works by using destination 0.0.0.0 with netmask 0.0.0.0. Compare figure ?? on page ??.

Note: Please beware when setting a default route here. Usually, the default route is automatically set if the WAN interface is configured. In that case, the default route points to the gateway specified in the WAN interface configuration. If you have established an ADSL connection, the default gateway is usually assigned via DHCP. If you have no WAN interface configured, you should specify a default gateway here.

3.2.8 Bandwidth

QoS and bandwidth management make it possible for you to control your network traffic exactly. Traffic shaping and QoS are very advanced functionality. You should know what you are doing, because misconfigurations here can easily prevent applications from functioning properly. An in-depth explanation of the concepts would however be beyond the scope of this document. On the Internet, there is lots of information available on QoS and traffic shaping.

The following example will illustrate the concept: You want to give precedence to the traffic of real-time applications like Voice-over-IP or video conferencing, because maintaining a constant and low-jitter bandwidth is very critical for the quality of these services. At the same time, concurrent internet traffic (e.g. for browsing web pages) should not be shut down completely by too many concurrent real-time sessions. It must of course by no means interfere with the performance of the prioritized service. For this purpose, the allocation of bandwidth for different services and computers in the network can be controlled with the available bandwidth management features. The bandwidth management functionality is also used in conjunction with other functionalities described later, as for example Call Admission Control.

The QoS configuration of the Convergence happens in so-called classes, which are ordered hierarchically. This approach is called hierarchical token bucket packet scheduling (HTB). The classes' names are composed as follows:

<network interface>-<parentclass ids>:<class id>
<parentclass ids> ::= (:<class id>)*

The class id has to be unique for all classes! The configuration sections for the network interfaces always exist, as long as the interface is configured. In that case, they can only be changed but never deleted.

Figure 3.17: Bandwidth management overview

The only parameter of a network interface is the default class, the last number of the class' ID, which will contain all of the data traffic not matched by any other class. Often this class has only a small amount of bandwidth for itself, since everything else is used by its children, but it can make heavy use of excess bandwidth.

Starting from any class in the list, you can arbitrarily create subclasses with the button on the right hand side of the respective class. Now press the following button on the right hand side of the respective class to get to the following mask. The table for entering the configuration data contains the following fields:

Parent class
Shows the name of the parent class for this class. The traffic limit of a child must be less than that of the parent. If a parent has multiple children, the sum of the bandwidths used by the children should not exceed that of the parent class.

Figure 3.18: Add new class

Description
Here you can enter a free description for making the setup easier to understand and maintain.

Rate
The bandwidth that will be provided for this class. All traffic that passes through this class will be shaped so as not to exceed this configured bandwidth limit. The unit is by default "kilobit per second", but you can also enter Kbit, Kbps, Mbit, Mbps, bps. Note: bps stands for "bytes per second".

Ceiling
This field defines the maximum amount of bandwidth this class can use at all. The difference between rate and ceiling is the bandwidth that this class is allowed to "borrow" if there is unused bandwidth available in the parent class. If this field is left blank, this class will never borrow any bandwidth. If more than one class is demanding unused bandwidth, every class gets allotted a contingent proportional to its own rate. In root classes, it makes no sense to define a ceiling, because a root class cannot borrow bandwidth from a parent class.
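The class naming grammar, the parent/child rate rules and the rate/ceiling borrowing rule above can be checked before a configuration is applied. The following is an added example, not the product's own code and not taken from the manual: it parses class names of the form `<interface>-<parentclass ids>:<class id>`, converts Rate and Ceiling fields to bit/s with the units listed above, reports violations of the rules stated in this section, and shows how unused parent bandwidth is shared among children in proportion to their rate, capped at each child's ceiling. The class table and its values are constructed; the interface name eth1 is an assumption.

```python
import re

# Rate units from the manual's Rate/Ceiling fields: the default unit is kilobit per second,
# and "bps" means bytes per second. Everything is converted to bit/s.
UNITS = {"": 1_000, "kbit": 1_000, "kbps": 1_000,
         "mbit": 1_000_000, "mbps": 1_000_000, "bps": 8}

# <network interface>-<parentclass ids>:<class id>, <parentclass ids> ::= (:<class id>)*
CLASS_NAME = re.compile(r"^(?P<iface>[^-]+)-(?P<parents>(?::\d+)*):(?P<cid>\d+)$")

# Constructed class table (not from the manual); interface name eth1 is an assumption.
CLASSES = {
    "eth1-:1":       {"rate": "10Mbit", "ceil": ""},       # root class of the interface
    "eth1-:1:10":    {"rate": "2Mbit",  "ceil": "4Mbit"},  # VoIP: may borrow up to 4 Mbit/s
    "eth1-:1:20":    {"rate": "6Mbit",  "ceil": ""},       # web traffic, never borrows
    "eth1-:1:30":    {"rate": "3Mbit",  "ceil": "10Mbit"}, # bulk traffic
    "eth1-:1:20:10": {"rate": "1Mbit",  "ceil": ""},       # reuses id 10: violates uniqueness
}


def parse_rate(text):
    """Convert '2Mbit', '500', '1000 bps' to bit/s; an empty field returns None."""
    text = text.strip()
    if not text:
        return None
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*([A-Za-z]*)", text)
    if not m or m.group(2).lower() not in UNITS:
        raise ValueError(f"bad rate: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2).lower()])


def parse_class_name(name):
    """Split 'eth1-:1:20:10' into ('eth1', [1, 20], 10) following the manual's grammar."""
    m = CLASS_NAME.match(name)
    if not m:
        raise ValueError(f"bad class name: {name!r}")
    parents = [int(p) for p in m.group("parents").split(":") if p]
    return m.group("iface"), parents, int(m.group("cid"))


def validate_classes(classes):
    """classes: {name: {'rate': str, 'ceil': str}}. Returns the list of rule violations."""
    problems = []
    parsed = {name: parse_class_name(name) for name in classes}
    by_path = {(iface, tuple(parents + [cid])): name
               for name, (iface, parents, cid) in parsed.items()}

    ids = [cid for _, _, cid in parsed.values()]
    for cid in sorted(set(ids)):
        if ids.count(cid) > 1:
            problems.append(f"class id {cid} used more than once")

    children = {}
    for name, (iface, parents, cid) in parsed.items():
        rate = parse_rate(classes[name]["rate"])
        ceil = parse_rate(classes[name].get("ceil", ""))
        if not parents:                       # root class: a ceiling is meaningless
            if ceil is not None:
                problems.append(f"{name}: ceiling on a root class has no effect")
            continue
        parent = by_path.get((iface, tuple(parents)))
        if parent is None:
            problems.append(f"{name}: parent class does not exist")
            continue
        if rate >= parse_rate(classes[parent]["rate"]):
            problems.append(f"{name}: rate must be less than the parent's rate")
        children.setdefault(parent, []).append(name)

    for parent, kids in children.items():     # children's rates must fit into the parent
        total = sum(parse_rate(classes[k]["rate"]) for k in kids)
        prate = parse_rate(classes[parent]["rate"])
        if total > prate:
            problems.append(f"{parent}: children's rates ({total} bit/s) exceed the parent's rate ({prate} bit/s)")
    return problems


def share_excess(classes, children, excess_bps):
    """Distribute unused parent bandwidth among sibling classes in proportion to their rate.
    A class with a blank ceiling never borrows; no class borrows beyond ceiling - rate."""
    rates = {c: parse_rate(classes[c]["rate"]) for c in children}
    room = {c: (parse_rate(classes[c].get("ceil", "")) or rates[c]) - rates[c] for c in children}
    grant = {c: 0 for c in children}
    remaining = excess_bps
    for _ in range(len(children)):            # re-share what capped classes could not take
        eligible = [c for c in children if grant[c] < room[c]]
        if not eligible or remaining <= 0:
            break
        total_rate = sum(rates[c] for c in eligible)
        pool = remaining
        for c in eligible:
            share = min(pool * rates[c] // total_rate, room[c] - grant[c])
            grant[c] += share
            remaining -= share
    return grant
```

On the constructed table, validation reports the duplicated class id 10 and that the three children of eth1-:1 request 11 Mbit/s from a 10 Mbit/s parent; with 3 Mbit/s of unused parent bandwidth, the VoIP and bulk classes borrow 1.2 and 1.8 Mbit/s respectively, while the web class, having no ceiling, borrows nothing.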

Burst and Ceiling Burst
These parameters define how much data is allowed to be sent at maximum (hardware) speed before trying to serve data from a different class. The larger this value, the more jitter can possibly be induced. Small values can however lead to packet fragmentation or large delays for very big packets. This parameter will have a significant influence on the jitter behavior. Furthermore, it can be used to cap bursts (i.e. a high data rate at the beginning of a connection) effectively: if you set Ceiling Burst to a small value (e.g. the size of a packet), the data rate will not exceed the value for ceiling, not even for a very short period of time.

Priority
This field is used for setting the priority of the traffic for this class relative to the classes on the same level (sister classes). The bigger that number, the lower the priority. Furthermore, classes with higher bandwidths are preferred in the assignment of available bandwidth.

MTU
The maximum size of a packet, used for transfer rate calculation. By default a value of 1500 is used, which is appropriate for Ethernet based networks (default MTU value).

Leaf Queuing Discipline
The Leaf Queuing Discipline defines the queuing behavior for this class. Possible values are: None, Packet FIFO, Byte FIFO, SFQ. If you choose None, all incoming packets of this class are forwarded in the order of their arrival. Both FIFO queues have the parameter "Limit", which indicates the length of the queue. With Byte FIFO you specify the value using the unit "bytes" and with Packet FIFO the number of packets. SFQ is a simple, efficiently computed, probabilistic algorithm, which is a useful method when you want one class' traffic distributed equally over several different hosts and/or services in a fair fashion. No single host will then be able to use all bandwidth provided for a certain service. The parameter "Perturbation" defines the number of seconds after which SFQ renews the hash function used for queuing incoming packets randomly. The default value is 10. With the parameter "Quantum", you can specify how many bytes are allowed to be taken from the queue (dequeued) until it is the next host's turn. By default, this is the value of MTU.

Attention: Never set a value smaller than MTU, since that will prevent larger packets from being forwarded in one piece!

Filter
These rules define how packets are classified. If the conditions defined here match, the packet will be assumed to be in the respective class. The algorithm used here is first match: a packet will fall in the first class for which the conditions match. You can for example check the source and destination information of the packets. The format of such an entry is:

[IP address[/subnet prefix]][:port[/port mask]]

Legal values for instance are:

10.1.1.0/24:80   all packets of the network 10.1.1.0 with port 80
:50              all packets with port 50

Compare figure ??.

3. With this mechanism.2 Network Figure 3. or any other protocol to a certain value. it is possible to classify based on things like the DSCP tag. or the layer 7 protocol. This is a very powerful mechanism that can however be very complex to use. because they use dynamic ports and can use arbitrary IP addresses.19: Add new Filter An additional possibility to classify packets is a mark that can be assigned to a packet by the firewall. This can for example be useful for limiting FTP connections. It is however possible to limit the traffic used by FTP. 2005-2008 c Comdasys AG 55 .

3.2.9 Bandwidth Daemon

The bandwidth daemon monitors the network traffic in order to determine the amount of free bandwidth. This allows for dynamic allocation of bandwidth for different services. Please see section ?? for further information on bandwidth management. In this section you can specify three parameters that affect the bandwidth daemon. These are sample rate, number of samples and log level. However, note that the default values the bandwidth daemon is originally configured with do not need to be changed in most cases.

Sample rate
Specifies the frequency of the checks for available bandwidth in tenths of a second. The default value for this setting is 1, which means that the daemon performs the checks every 0.1 seconds.

Number of samples
Specifies the number of samples to be taken in order to calculate the current average bandwidth. 30 samples is the default. The number of samples together with the default sample rate value gives a time window of 3 seconds.

Log level
You can view log messages created by the bandwidth daemon in the system logfiles by setting the log level to error, warning, info, or debug. Choosing none disables logging of the bandwidth daemon's messages. Logging configuration for the Convergence is described in section ??.

Finally, save your changes by clicking Save. Your changes will be applied as soon as you apply the current configuration.

3.2.10 NTP

The table on this page contains one or more NTP servers the Convergence should consult in order to set the system time. You have to provide their IP addresses. An NTP server can also be used with a preference by checking Preferred. This means that an answer received from such a server won't be dropped even if it differs significantly from the other answers. Note that only very reliable and stable NTP servers should be given a preference.

Figure 3.20: Configuration of NTP Server

To add a new entry to the list, simply fill in the name or IP address of an NTP server and click Add. Use the edit button to edit, or the delete button to delete an existing entry.

Setting up NTP

1. Check Active to enable NTP.
2. Click Add to add an NTP server to be used. Optionally you can check Preferred to prefer time information received from this server.
3. Click Save to save your changes. Your changes will be applied after selecting Apply Configuration.

Figure 3.21: Adding an NTP Server

Attention: Comdasys uses full NTP4, which can cause trouble when trying to use the NTP service running on Windows Server 2003 (w32time) as a clock source. The w32time service has a few known issues which can cause the NTP server on Comdasys products to not synchronize correctly with it, while SNTP clients can often successfully get their time from the Windows Server 2003. The problem is that SNTP, as used in some SIP phones and Windows clients, is a stripped-down version of NTP which is less reliable and less accurate, so it looks like the Windows Server 2003 is running correctly while in fact it is not correctly set up to serve as a reliable NTP clock source. It's essential that the Windows Server 2003 itself is correctly synchronized against a reliable clock source; the internal system clock is not sufficient. For more information about configuring w32time see the Microsoft knowledge base entry 816042.

3.2.11 VRRP

VRRP is usually used for redundancy purposes in the Convergence. It is primarily intended to provide redundancy between two Convergence products, but it can also be used in conjunction with any router providing this functionality, such as Cisco, Huawei, Juniper and others. What VRRP offers is the possibility to have two Convergences share a virtual IP address where only one of them will be active at any point in time. There are different types of redundancy that depend on the exact scenario. In the FMC case, setting up VRRP alone is not enough: you need to use it in conjunction with the Database Synchronization feature. Please refer to ?? for more information on this.

Virtual Router Redundancy Protocol (VRRP) is a non-proprietary redundancy protocol described in RFC 2338, designed to increase the availability of the default gateway servicing hosts on the same subnet. This increased reliability is achieved by advertising a "virtual router" (an abstract representation of master and backup routers acting as a group) as a default gateway to the host(s) instead of one physical router. Two or more physical routers are then configured to stand for the virtual router, with only one doing the actual routing at any given time. If the current physical router that is routing the data on behalf of the virtual router fails, an arrangement is made for another physical router to automatically replace it. The physical router that is currently forwarding data on behalf of the virtual router is called the master router. Physical routers standing by to take over from the master router in case something goes wrong are called backup routers.

VRRP specifies an election protocol to provide the virtual router function described earlier. All protocol messaging is performed using IP multicast datagrams, thus the protocol can operate over a variety of multiaccess LAN technologies supporting IP multicast. Each VRRP virtual router has a single well-known MAC address allocated to it. This document currently only details the mapping to networks using the IEEE 802 48-bit MAC address. The virtual router MAC address is used as the source in all periodic VRRP messages sent by the Master router to enable bridge learning in an extended LAN.

A virtual router is defined by its virtual router identifier (VSID) and a set of IP addresses. A VRRP router may associate a virtual router with its real addresses on an interface, and may also be configured with additional virtual router mappings and priorities for virtual routers it is willing to back up. The mapping between VSID and addresses must be coordinated among all VRRP routers on a LAN.

To minimize network traffic, only the Master for each virtual router sends periodic VRRP Advertisement messages. A Backup router will not attempt to pre-empt the Master unless it has higher priority. This eliminates service disruption unless a more preferred path becomes available. It's also possible to administratively prohibit all preemption attempts. The only exception is that a VRRP router will always become Master of any virtual router associated with addresses it owns. If the Master becomes unavailable, then the highest priority Backup will

transition to Master after a short delay, providing a controlled transition of the virtual router responsibility with minimal service interruption. The VRRP protocol design provides rapid transition from Backup to Master to minimize service interruption, and incorporates optimizations that reduce protocol complexity while guaranteeing controlled Master transition for typical operational scenarios. The optimizations result in an election protocol with minimal runtime state requirements, minimal active protocol states, and a single message type and sender. The expected duration of Master election (from the pool of backup routers) in case of a failure is quite small (<< 1 second).

Figure 3.22: VRRP Configuration

VRRP allows you to define groups of virtual servers/routers that can provide redundancy for each other. In order to add a virtual server you need to use the Add button. Use the edit button to edit, or the delete button to delete an existing entry.

Configuration of VRRP

1. Specify the Interface that this VRRP virtual address should be assigned on.
2. Set the VSID for the virtual service identification. This must be a number, and this number must be unique for the group of routers you want to provide redundancy for.

3. Provide the IP address. This is the virtual IP address that should be used for this Virtual Server. Note that you have to set this exact IP address on all devices with the same VSID in the same network segment.
4. The Priority field specifies the sending VRRP router's priority for the virtual router. Higher values equal higher priority. The priority must be between 0 and 255, where these extrema have special meaning as described below. The priority value for the VRRP router that owns the IP address(es) associated with the virtual router MUST be 255 (decimal). VRRP routers backing up a virtual router MUST use priority values between 1-254 (decimal). The default priority value for VRRP routers backing up a virtual router is 100 (decimal). The priority value zero (0) has special meaning, indicating that the current Master has stopped participating in VRRP. This is used to trigger Backup routers to quickly transition to Master without having to wait for the current Master to time out.
5. Click Save to save your changes.
6. Your changes will be applied after selecting Apply Configuration.

Attention: Whenever the Master in a VRRP group comes back up, it will immediately assume the virtual IP address configured here. This can have undesired effects, because any open session (e.g. SSH) to the currently active node will immediately break as soon as the master comes back up. This behavior however can differ when using VRRP to provide redundancy e.g. for the FMC services on the Convergence. In those cases the VRRP master will only be brought back up once it is safe to do so, i.e. as soon as there are no more voice calls active on the slave, but after 4 hours at the very latest. Also see ??.

3.3 VPN

3.3.1 Certificates

This menu item is used for the administration of X.509 certificates, which can be used for both IPsec connections and OpenVPN connections. You have to differentiate between plain certificates, containing a public key (signed by a certification authority or self-signed), and complete certificate-key pairs, containing a public key and the matching private key. Note that it is necessary to have such a certificate in place before creating a VPN connection using certificates. Before using certificates for VPN tunnels, there are several steps to be taken:

2.e. The CA certificate that has just been created is shown in the list of installed CA certificates. Creation of a X. Login to the web interface of Box A and select the menu item Certificates. a form is shown below in which a new X.509 certificate can be created. Execute the script /etc/ssl/mkCAcert. Furthermore. Distribution of the certificate-key pairs to all VPN terminal stations. signed by an offical certification author- ity) X. 2005-2008 c Comdasys AG 63 .23: Certificate management 1. Distribution of the certificate (not the key!) to all VPN remote stations.sh "RootCA company" "/CN=Root-CA/O=company/C=DE" 3. 4. 2.3 VPN Figure 3. 4. The certificate and the key are automatically saved in the appropriate location. Example: /etc/ssl/mkCAcert.509 certificate-key pair.sh to create a self-signed CA cerificate-key pair. Download the CA certificate onto the local PC. Login to one of the two Convergences (call it Box A) (see Command Line Guide). For the setup of a VPN tunnel between two Convergences this means in detail: 1. 3. 3.509 certificate-key pair for every VPN tunnel terminal station and signing them using the CA-key. Creation of a self-signed or officially signed (i.

5. In this form, a certificate-key pair for each Convergence (Box A and Box B) has to be created. Thereby at least Common name, Company/Organisation and Country must be entered. Click on Create certificate.
6. Download the certificate-key pair for Box B onto the local PC.
7. Login to the web interface of Box B and select the menu item Certificates.
8. Upload the CA certificate previously saved on your local PC (see step 3).
9. Upload the X.509 certificate-key pair saved on your local PC (see step 6).

After you have finished all these tasks, the certificates needed for the connection setup are available on both Convergences.

On the menu page Certificates you will find the following forms:
• Installed CA certificates
• Installed X.509 certificates (i.e. certificate-key pairs)
• Create X.509 certificate (only if a private CA key is present on the Convergence, see step 2 above)

Managing CA certificates

CA certificates (i.e. root certificates) are needed to create and to verify X.509 certificates. To ensure proper authentication, the X.509 certificates of all VPN partners must be signed with the same CA key. For the creation of a CA certificate the script mkCAcert.sh is provided on the Convergence. It is executed in the command line mode. This script creates two files: a private CA key and a public certificate. After creating the certificate, it can be distributed to all other VPN partners. All these partners can, if they are also Convergence appliances, import the CA certificate here. Normally this needs to be done only once within an organization. You can of course also use third party tools for creating these certificates, or use existing ones. In this form, CA certificates can be imported, exported and deleted.

Managing X.509 certificates

X.509 certificates are used by the Convergence when performing the authentication of VPN connections. X.509 certificates can be imported, exported or deleted in this part of the menu. X.509 certificates can be created within this menu page in case a CA key is available on the Convergence (see next subsection). If the certificate was directly created on the Convergence, it can be exported by clicking on the export icon on the right side of the listed certificate.

Creating X.509 certificates

This part of the menu is only available if there is a complete CA certificate-key pair present on the Convergence (i.e. it has been created with mkCAcert.sh). In this form, X.509 certificates can be created. For the creation of the X.509 certificate at least Common name, Company/Organisation and Country must be entered as information. The Common name should name the object (e.g. computer, network, campus) to be protected by the Convergence and for which the certificate is being created. After that, it is available in the list of the installed certificates. It can now be used for the configuration of VPN connections. To ensure proper authentication, the CA certificates stored on all VPN partner hosts must be the same.

3.3.2 OpenVPN shared secrets

OpenVPN shared secrets are simple shared secrets protecting an OpenVPN connection without the need of using certificates. This is a very simple, secure, and effective way if you are with a small organization that only has to set up a few VPN tunnels. An OpenVPN shared secret file is created on the first Convergence involved. Thereafter it is copied to the local PC via the web browser, from where it is uploaded to the second Convergence involved. All these steps are taken in this menu:

Figure 3.24: OpenVPN Shared Secret Files

The list Current shared secret files contains all local OpenVPN shared secret files present. They can be exported or deleted by clicking on the corresponding icon next to the entry. It is necessary to create a shared secret before setting up the first VPN connection. You should use separate shared keys for each VPN connection to improve security.

Adding a shared secret file

1. Provide a user-defined name and click on Create new file. The new OpenVPN shared secret file is created containing a random encryption key.

2. Alternatively, click on Browse and select an existing OpenVPN shared secret file on the local PC (previously created by a different Convergence). Click Load file to upload the file.

3.3.3 Connections

In this menu the connection information of all configured VPN tunnels to remote hosts (other Convergences or third party products) is managed. The list shown on this page contains all VPN tunnels configured so far.

Figure 3.25: Managing VPN connections

The active status "LED" indicates whether the connection is active or inactive. If the connection is inactive, the "LED" appears in the inactive state. Connections can be deactivated and activated by clicking on the status "LED", too. Use the edit icon to edit, or the delete icon to delete an existing entry.

! Unlike OpenVPN, which supports both certificates and shared secrets in any combination with static and dynamic IP addresses, IPsec has two limitations pertaining to the use of shared secrets:
1. One of the two terminal stations needs to have a static IP address.
2. The terminal station using a dynamic IP address cannot be accessed via a dynamic DNS name.
If both partners are using dynamic IP addresses (e.g. dial-in, ADSL) it is recommended to use OpenVPN in conjunction with a service for dynamic DNS (see ??).

Setting up a new IPsec connection

1. Click on New IPsec Connection and provide configuration details as follows.
2. Connection name: Custom name of the new connection.
3. Partner IP, Partner name, Partner unknown: With these radio-buttons, you can define how the VPN remote host can be located: via its IP address or its name. If the remote station uses dynamic IP addresses, the option Partner unknown is the right one to choose. When configuring an IPSEC VPN connection, only one partner should use dynamic IP addresses.
4. Partner network: The local network behind the VPN remote host. This network will be protected by IPsec and can be accessed only through the tunnel.
5. VPN is locally connected to: This allows you to choose whether the whole network behind the LAN interface 1 is allowed to use the IPsec connection or just a part of the network (defined IP range). You can also restrict the use of a VPN tunnel to just a single host with this function.
6. Use compression: Checkbox for enabling or disabling compression.
7. Authentication: IPsec can use two methods for authentication of VPN connections: certificates or common passwords (Shared secrets).

both partners must have X. When configuring a VPN connection. This label can be looked up in the web interface of the remote station in the menu Certificates if it’s a Convergence (see section ??). •Shared secret When choosing the authentication via a Shared secret. Connection name A custom name for the new connection. 3. This is the network that can be accessed through the VPN tunnel. you can define how the VPN remote host can be located: via its IP address or its name. Click on New OpenVPN Connection and provide configuration details as follows. the corresponding CA certificate must be available on both partner stations. If both partners use dynamic IP addresses (e. only one partner may have the parameter Partner unknown.509 certificate When choosing the authentication via X. the corresponding certificate is se- lected and the label of the certificate stored on the remote station is typed in. i When using Shared secrets for authentication.509 certificates. For the configuration of an IPsec connection. The option Partner unknown is not applicable in this case! Setting up a new OpenVPN connection 1. 4. If you are using third party equipment.509 certificates signed with the same CA key. Partner name. 2005-2008 c Comdasys AG 69 . you have to refer to that documentation for how to handle certificates. simply use the same pass- word and type it in on both partner stations. dial-in. The procedure to ensure this.g. a name has to be assigned to at least one of them by using a dynamic DNS service (see section ??). Furthermore. ADSL). You should however have a basic understanding of X.3 VPN •X. is described in section ??. Partner network The local network behind the VPN remote host. Partner unknown With these radio-buttons. the option "Partner unknown" is right one to choose.509 certificates when trying to set up such a connection in order to avoid potential security pitfalls. Partner IP. 2. 3. If the remote station uses dynamic IP addresses. 
This network will be protected by OpenVPN. both partners have to use either static IP addresses or names.

Figure 3.26: New IPsec Connection

5. OpenVPN port: OpenVPN works port-based. That means every OpenVPN connection must have a unique port number. All packets for this connection will then be exchanged via this port. This port number must be the same on both connection partners.
6. Transfer net: Enter two IP addresses that are to be used internally for transferring the VPN packets. It is important that both addresses entered here lie within a single network. This transfer network can be used for traffic shaping or firewalling. The addresses of the Transfer Network have to be reciprocally identical for two VPN hosts, i.e. the local IP address of one partner has to be the remote IP address of the other.
7. Authentication: OpenVPN can use two methods of authentication for VPN connections: certificates, or a common password file (OpenVPN Shared secret).
• X.509 certificate: When choosing the authentication via X.509 certificates, both partners must have X.509 certificates signed with the same CA key. Furthermore, the corresponding CA certificate must be available on both partner stations. The procedure to ensure this situation is described in the IPSEC section. For the setup of an OpenVPN connection using certificate authentication, one of the connection partners has to be configured as TLS server and the other one as TLS client.
• Shared secret: When choosing the authentication via a Shared secret, the same OpenVPN Shared secret file simply has to be selected on both partners (see section ??). It is also important to have matching entries on both sides of the VPN tunnel.

3.3.4 L2TP server

L2TP allows you to easily connect client hosts via VPN. It is hence mostly used for Roadwarrior scenarios. Using L2TP for such configurations is especially comfortable for clients running MS Windows 2000 or Windows XP, as this type of connection is already part of the standard network connection schema of those operating systems. In this menu the server-side configuration is set. Besides this, the login data for each user and PC is entered.

Figure 3.27: New OpenVPN connection

Configuring L2TP server

1. L2TP active: With this checkbox, L2TP can be activated and deactivated without needing to re-enter all data. This can be convenient to temporarily shut down the L2TP service for some time.
2. L2TP interface address
3. L2TP netmask
4. IP range for clients (from and to address): These four parameters define the L2TP access network on the Convergence. This subnet must not occur anywhere else within the IP range of the clients. You should hence use a private IP address range that is not in use for any interface or VPN tunnel. The IP range has to be within the subnet defined by the netmask.
5. DNS server for clients
6. WINS server for clients: With these two parameters, a DNS server and/or a WINS server can be assigned to clients connecting via L2TP. Using this option, the clients can access internal resources via name instead of IP address.

7. IPsec authentication: When establishing a connection to computers running Windows 2000/Windows XP, the L2TP packets are encrypted with IPsec. Corresponding to normal IPsec connections, both Preshared secrets and X.509 certificates can be used. There are also L2TP/IPSEC clients available for other platforms, as for example PocketPC. Please refer to the documentation of your device for more information.
Click Save to save the parameters. Your changes will be applied after selecting Apply configuration.

Figure 3.28: Configuring the L2TP server

Adding a new L2TP user

1. To create a new user account click on New user and provide configuration details as follows (compare figure ??).
2. Login data: To set up a new user, the username, password and the assigned IP address (must be part of the previously defined L2TP subnet) have to be entered. Entering the IP address is optional, but assigning a fixed IP address to a specified user is highly recommended since it enables individually restricting the access with the help of the firewall.
3.

Figure 3.29: Adding a new L2TP user

Windows XP supports both possibilities whereas Windows 2000 only supports X.509 certificates.
4. Preshared secret: If you select Shared secret in the menu IPsec authentication, a password has to be entered that must be the same on all clients running Windows XP connecting to this Convergence. The problem is that authentication in IPSEC is done via the remote IP address. Since this address is arbitrary in our case, we cannot identify the remote computer at the IPSEC level. Therefore, all computers have to authenticate with the same shared secret.
5. X.509 certificate: If you select X.509 Certificate in the menu IPsec authentication, the X.509 certificates on both sides have to be signed by the same CA key. Furthermore, the corresponding CA certificate must be available on the client computer. Unless you have special tools simplifying the process, you will have to use the Microsoft Management Console. Please refer to your Windows documentation on how to handle certificates on Windows systems.
6. Click Save to save account data. Your changes will be applied after selecting Apply configuration.

3.4 Security

3.4.1 Security level

On this page, the fundamental level of security that shall be used by the Convergence is defined. Security as defined here only applies to the accessibility of the Convergence and the firewall settings. By selecting Highest security, access to the Convergence is limited to the permitted administration ports and the defined VPN tunnels. In particular, it is not possible to access the Internet via the Convergence, to set up own firewall rules or Port-Forwardings using this setting. We recommend using this setting if the location secured by the Convergence shall have access to the Internet only via a VPN tunnel connected to the remote partner network. This can be used for very restrictive branch connectivity solutions. The option User defined allows you to make significantly more advanced and flexible configurations. In particular, access to the Internet can be granted. Furthermore, ports can be forwarded to certain computers connected to the LAN and your own custom firewall rules can be established.

Figure 3.30: Adjusting the security level

The configuration matrix "Open administration ports via" enables the exact definition of the allowed locations from which configuration access shall be enabled. The opening of the administrative ports can be done on a per-interface basis. "for HTTPS" allows and denies configuration via web browser. "for SSH" allows and denies access via command line using the SSH protocol. It is recommended that this access is kept open because you can essentially lock yourself out of the WebGUI by disabling this. It is possible to tunnel HTTPS access through SSH. In order to increase the security, only the SSH connection could be opened.

i The Administration through the LAN1 interface is enabled by default.

i Administration on the WAN interface should only be enabled if it is really necessary. In conjunction with an insecure password, this could put the device in jeopardy for attacks.

Attention: The menu items Firewall and Port forwarding are only available if the security option User defined is selected. By switching the security option from User defined to Highest security, firewall rules and Port-Forwardings that may already have been configured are deactivated but not deleted. By switching back to User defined they are available again. The corresponding settings require intermediate knowledge of the TCP/IP protocol.

People changing these settings should hence know what they are doing. Wrong firewall rules can cause network applications to stop working.

3.4.2 Firewall

The firewall of the Convergence can be configured in two ways (also combined):

3.4.2.1 Activate Basic Services

It is possible to select the most important services needed; all necessary firewall rules are created automatically.

3.4.2.2 Custom Rules

Besides this, it is possible to configure your own, very detailed rules. This way of configuration is recommended to be used only by experienced users and administrators.

3.4.2.3 Activate basic services

The basic services are defined for data traffic between two network interfaces. Thereby, different outgoing services (i.e. from the internal interface to the Internet) can be allowed, just as data transfer between the two local networks. These options are only shown for the secondary LAN interface if this interface is configured (i.e. is not deactivated). Note that the first section deals with outbound connections. You can selectively enable the protocols. You can also choose to permit all outbound connections. By selecting the checkbox allow all outgoing connections, all ports for the basic services listed are opened. By default, these are disabled on the WAN interface. The more security-relevant part, however, are the inbound connections. Select the checkboxes of the appropriate basic services that shall be allowed for incoming and outgoing requests. Note that you need at least one signalling protocol (either TLS or SIP) plus the media stream protocol (RTP) for a working setup.

3.4.2.4 Custom Rules

The custom rules of the firewall are executed top-down. By clicking on the arrow buttons you can rearrange the firewall rules. Registered rules can be edited or deleted by clicking on the corresponding icon.

Creating a new custom firewall rule

1. Click Create rule at the appropriate position shown in figure ??.

Figure 3.31: Firewall configuration

Figure 3.32: Add a new custom firewall rule

2. Define the rule. Specify Protocol (TCP, UDP, ICMP, other), Interfaces and IP details that this rule shall match.
3. Choose the rule target (Filter policy) in order to specify what should happen to the traffic this rule applies to.
4. Click Create rule to save your changes. Your changes will be applied after selecting Apply configuration.

3.4.3 Port forwarding

Port forwarding allows you to forward incoming data packets that arrive at the Convergence to a certain computer within the local network. It is used in conjunction with NAT and is the only way to directly access a computer connected to the private LAN from the Internet. Port forwarding is also often described as virtual server functionality. To reach several computers within the private LAN via the same protocol it is also possible to change the ports. Example: Three computers within the LAN shall be accessed via SSH. SSH normally uses port 22. But it's impossible to reach all three computers via port 22 of the Convergence.
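The two mechanisms described in this section, port forwarding to several LAN hosts behind one public address and custom firewall rules evaluated top-down, are modelled in the following added example. It is not Comdasys code and does not reflect the appliance's internal implementation; the addresses, forwarding table and rules are constructed sample data.

```python
"""Model of port forwarding (DNAT) followed by top-down custom firewall rules.

Added illustration of the behaviour described in the manual, not Comdasys code.
All addresses, rules and packets below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on, e.g. "wan" or "lan1"
    proto: str    # "tcp", "udp" or "icmp"
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp", "icmp" or "any"
    iface: str             # interface name or "any"
    src_net: str           # CIDR the source address must fall into
    dst_net: str           # CIDR the destination address must fall into
    dport: Optional[int]   # None matches every port
    policy: str            # "accept" or "drop" (the rule's filter policy)

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and self.iface in ("any", pkt.iface)
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed sample: the Convergence's WAN address and three LAN hosts that
# shall all be reachable via SSH (port 22) through distinct local ports.
CONVERGENCE_WAN = "203.0.113.10"
FORWARDING: Dict[int, Tuple[str, int]] = {   # local port -> (destination IP, destination port)
    2022: ("192.168.1.11", 22),
    2023: ("192.168.1.12", 22),
    2024: ("192.168.1.13", 22),
}

# Constructed sample rule set, evaluated top-down; first match decides.
RULES: List[Rule] = [
    # SSH into the LAN only from the admin network
    Rule("tcp", "wan", "198.51.100.0/24", "192.168.1.0/24", 22, "accept"),
    # everything else arriving from the WAN for the LAN is dropped
    Rule("any", "wan", "0.0.0.0/0", "192.168.1.0/24", None, "drop"),
    # LAN hosts may talk outbound freely
    Rule("any", "lan1", "192.168.1.0/24", "0.0.0.0/0", None, "accept"),
]


def apply_port_forwarding(table: Dict[int, Tuple[str, int]], own_ip: str,
                          pkt: Packet) -> Packet:
    """Rewrite a TCP packet addressed to one of the appliance's forwarded ports."""
    if pkt.proto == "tcp" and pkt.dst == own_ip and pkt.dport in table:
        ip, port = table[pkt.dport]
        return Packet(pkt.iface, pkt.proto, pkt.src, ip, port)
    return pkt


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """Walk the custom rules top-down; the first matching rule's policy wins."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.policy
    return default


def handle(pkt: Packet) -> Tuple[Packet, str]:
    """Forward first, then filter the (possibly rewritten) packet."""
    forwarded = apply_port_forwarding(FORWARDING, CONVERGENCE_WAN, pkt)
    return forwarded, filter_packet(RULES, forwarded)


if __name__ == "__main__":
    admin_ssh = Packet("wan", "tcp", "198.51.100.5", CONVERGENCE_WAN, 2022)
    print(handle(admin_ssh))   # rewritten to 192.168.1.11:22 and accepted
```

Reordering the two WAN rules so that the drop rule comes first silently blocks the admin SSH access, which is the point of the manual's remark that custom rules are executed top-down.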

With Port forwarding you can now define that e.g. port 2022 of the Convergence is forwarded to port 22 of the first computer, port 2023 is forwarded to port 22 of the second computer and so on. An SSH client connecting to port 2022 of the Convergence would actually be connected to port 22 of the first computer in the LAN.

Figure 3.33: Port forwarding

Setting a new port forwarding rule

1. Click Add in order to define a new port forwarding rule and specify Local port, Destination IP, Destination port (compare figure ?? on page ??).
2. Local port is the port that will be provided to be forwarded by the Convergence.
3. Destination IP is the IP address of the internal computer to which the data shall be forwarded.
4. Destination port is the port of the internal computer to which the data shall be forwarded.
5. Click Save to save your changes. Your changes will be applied after selecting Apply configuration.

3.5 Voice-over-IP

3.5.1 Introduction to SIP Proxy and SBC Scenarios

The SIP Proxy in the Convergence can be used in a variety of scenarios. The most frequent use is as a SIP Proxy in front of another SIP server. In the WebGUI, this can be found under the Survivability template. For these applications, the WebGUI has been geared towards telephony applications.

When acting in front of another SIP server, it is also possible to limit the number of permitted sessions based on bandwidth restrictions (Call Admission Control). The second class of frequently used scenarios is SBC (Session Border Controller) scenarios. In these, the Convergence will not only perform SIP signalling interworking, but it will also perform media handling for any SIP-initiated sessions. This feature can be used to achieve a connection between two networks that do not have a routing connection (as for example customer premise network and data center network), handle NAT between networks, or facilitate deployments in hosted scenarios. This can be used to voice-enable existing networks that have firewalls to separate segments, use devices from behind a NAT, or protect a network from the outside world without destroying the ability to have VoIP connectivity. The Convergence supports three different types of SBC scenarios: Branch SBC, Cascaded SBC, and Central SBC. The Branch SBC scenario is suited for branch connectivity scenarios where media handling or NAT traversal is a requirement. The Cascaded SBC is usually used on the way from a Branch SBC to an IP PBX to act as a media relay, as for example some NAT router on the Internet. Both SIP messages as well as media would pass through two hosts in this scenario. Some variants of the SBC scenarios are the SIP Trunking as well as ENUM. The latter is only supported by the bigger, higher-end Convergence models. The SIP Trunking is a derived SBC scenario where you only have a single logical connection (that could of course consist of many individual SIP sessions) between an IP PBX and a Trunking Server usually offered by a carrier. This setup replaces a local PSTN gateway on the customer premise, and is hence a step towards a full IP-only customer premise connectivity. With its ENUM functionality the Convergence acts as an ENUM lookup gateway and as a Session Border Controller controlling calls coming in over the Internet.

Other scenarios include stand-alone functionality where the Convergence Appliance will act as a small SIP Server forwarding certain sessions to another server or to a SIP gateway. It is also possible to configure custom scenarios with the SIP Proxy. This however is beyond the scope of this manual. Check the Command Line Reference for more information on that.

3.5.2 Scenario Selection

Before any parameters for the SIP Proxy can be configured, you need to choose among the Survivability, SBC, SIP Trunking, ENUM, Standalone, or Custom template configurations. Select a template and press Select to activate it. You can switch templates without losing your configured parameters. For all types of branch office scenarios without the need for media handling, you will most likely want the Survivability Template. Explaining all usage scenarios would be far beyond the scope of this manual. You can however find a quick scenario description in each of the sections below.

3.5.3 Survivability and Call Admission Control Template

The typical survivability scenario is explained rather quickly. Assume having a small/medium office with some WAN link. The WAN link can either be an Internet line or some leased line internal to the datacenter network. The central SIP server usually used for VoIP telephony, and hence being an IP PBX, is located in the datacenter, at the other side of this WAN link. The Survivability scenario is to provide telephony functionality to the small/medium office even if the central SIP server is unavailable due to a WAN failure. Since all SIP messages are routed through the appliance, it can freely decide on how to act upon certain requests. In such a case, the Convergence will take over the functionality of the SIP server. Once the SIP server is reachable again, the operation returns to normal.

The second side to this scenario is Call Admission Control. Call Admission Control is about denying certain requests based on the defined bandwidth constraints. This mechanism is essential for providing QoS for real-time communications.

The current status of the product can be seen in the Status Page described in ??. Beside the VoIP Router Status display, if the product has detected a failure of the central SIP server, you will see the text Survivability Mode. Once operation returns to normal, this text display will disappear again.

The interface configuration has a significant impact on the parameters you need to set for the SIP Proxy here. Usually, using a single interface of the Convergence can be enough. Both scenarios (single and multiple interface) are mentioned in the appropriate places in the following.

3.5.3.1 Survivability Parameter

• Survivability Basic Settings
– Own number (figure ?? on page ??)
The Own Number field is intended for entering the phone number of the branch office without the extension. It is your choice whether you use complete E.164 numbers here or work with e.g. the area code only. Internally, the phones can be reached via two different numbers: their complete PSTN number and, internally, by simply dialing an extension. In the latter case the following scenario is assumed. An example will illustrate this. Let us assume that the branch office can be reached via "+49 89 4711" from the outside. Internally you have the extensions "100" and "110". This means that from the PSTN you can reach the phones by dialing "+49 89 4711 100". Internally, the phones can be reached via their full number or via their extension only. The registration with the SIP server and the SIP Proxy in our case here is performed with the full number. This comes naturally, since the central SIP server, by handling multiple branches, can have many phones with the extension "100". By knowing the Own Number of the branch, the proxy, upon receiving a call for an extension in Survivability mode, can now prepend the number

of the branch and hence find the phone in the Registration database. This means that extension dialing still works in survivability mode. If you do not have such a scenario where you want to call the internal phones with a shortcut, simply leave this field blank.
– PBX Address (figure ?? on page ??)
As we have already described above, in Survivability Mode the Convergence proxy only acts if the central PBX is not reachable. This parameter is for entering the address of the central PBX. It can either be entered in the form of an IP address, a host name or even as a DNS SRV address. Note that entering a DNS or DNS SRV name can introduce more latency in forwarding messages to the IP PBX, since the hostname has to be looked up first. You also have to note that if you enter a DNS name, the DNS server has to be available upon a WAN failure or any other conditions the Survivability mode is intended to work in.
– SIP Transmit Type (figure ?? on page ??)
The SIP Transmit Type parameter is the transmission type the proxy uses to contact the central SIP server. The Convergence supports 3 different SIP transport modes: UDP, TCP, and the encrypted TLS variant. The type to use depends first and foremost on the used SIP server. The TCP and UDP types are straightforward and just specify the used protocol type. The only type requiring further explanation is TLS. For TLS additional things like the encryption keys are required. The Convergence will generate TLS keys automatically that can be downloaded for use in servers/phones via SCP. Since this is a very advanced topic, this cannot be configured via the WebGUI as of yet. Please consult the Command Line Reference for more information on how to do that.
– Timeout (figure ?? on page ??)
The Timeout value is one of the most central parameters in the Survivability scenario. It is the maximum time the proxy will wait for a response upon a request before falling to survivability mode. This timeout value will be used to determine whether the IP PBX is online or not. Note that this mode will not lead to the fact that all SIP messages will be delayed by 2 seconds. There is a background checking algorithm running that will decide whether the IP PBX is available or not. Usual
– Prefix number (figure ?? on page ??)
The Prefix number describes the prefix the number has if it is an outgoing call. Usually, this is just a simple digit, as for example a "0" for getting an outgoing line. Only numbers having the correct prefix will be routed to the gateway in the survivability case. This prevents unavailable internal numbers from ending up in the PSTN and going somewhere unintentionally. Expressions for this can however be more complex than that. You can enter arbitrary regular expressions here.

values for this timeout parameter range between 2-4 seconds. It will be used for both the PBX as well as the second node to determine their availability.
– Ignore Gateway during Register (figure ?? on page ??)
This feature is only required if the Convergence is utilized with topology hiding, which will prompt it to change the contact headers of SIP messages. This will be the case with the Force Return Route and Multiport Mapping features. In these cases, it might be desirable to have the product handle the messages from some local voice gateway, but not to perform contact header manipulation on them. This should be the case whenever there is a routing connection from the central SIP server to the branch voice gateway in such a scenario. Such a routing connection can be implemented in various ways, as for example port forwarding. Some SIP servers also require this because they treat such gateways unlike regular clients.
– Enable Hunting (figure ?? on page ??)
This feature only applies to scenarios where there are multiple fallback gateways present. In that case it might be desirable that a gateway hunting is performed between these multiple gateways. The decision parameters for the gateway hunting are configured with the gateways. The redirection causes here are the same ones that are defined between the IP PBX and the first gateway. If this parameter is not set, only the first gateway will be considered in survivability mode or with CAC redirection. This can be used for a variety of scenarios, as for example stacking gateways or having gateways in multiple locations and applying Call Admission Control parameters to them.

• Survivability and Features
– CFW / Forwarding Target (figure ?? on page ??)
∗ CFW in Survivability Mode: Enter a number or a URI here that should be mapped to the target in survivability mode. If you have multiple phones registered with the same number, the proxy will perform SIP forking as per RFC 3261.
∗ Forwarding Target: This is the forwarding target, hence the number of a really registered phone. The forwarding and number mapping will only be done in survivability mode. The normal operation will not be impacted at all by this option.
– Map to Office Prefix (figure ?? on page ??)
This feature is used for both survivability and call admission control scenarios. It is most often used in pure telephony scenarios where the user part of a SIP URI is always a number, and everything will be interpreted as such. It is possible to use regular expressions here. The Map to office prefix function consists of two fields that

must both be filled in.

Figure 3.34: Survivability: Basic Settings

∗ Short Prefix
Prefix that has to match an incoming request. The Short Prefix is a number that must match an incoming request. If such a match is found, the Convergence will map this prefix to the long office prefix as described below.
∗ Map to Office Prefix
Long office prefix that the above described short one will be mapped to. This Office Prefix including the extension should then match an actually registered phone to make the survivability function work properly.

This is probably best explained by an example: Assume that you have a number range 123456789xx for the phones connected to the Convergence, where xx stands for an arbitrary extension. Since 123456789 is a very long prefix, there might be additional prefixes configured in your central softswitch that you also want to be considered correctly concerning survivability and CAC. So let us assume you have a second prefix configured, say 58000xx, where the xx is the same suffix as above. The Convergence will then map this short prefix to the long version above, and only then perform all checks concerning CAC and survivability. It could however also

be mapped to a call that should be routed out through a gateway in the survivability case.

– Class of Service (figure ?? on page ??)
Sometimes it is useful to set some restrictions on some phone numbers. For example you can allow or deny national or international calls or even special numbers. With the Class of Service enhancement parameters it is possible to deny or allow some target numbers for special phones.
∗ Source
This parameter should contain the phone number of the source phone.
∗ Destination
Put in here the destination number that is denied or allowed. For example, if destination contains 00, all phone numbers beginning with 00 are allowed or denied depending on the policy parameter.
∗ Policy
The policy parameter can only contain the values allow or deny. If this parameter is set to deny, the call from the source number to the destination number is blocked.

Figure 3.35: Survivability: Basic Settings
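To make the Map to Office Prefix mapping and the Class of Service check concrete, the following Python snippet is an added illustration of the logic the two features describe. It is not code from the manual or from Comdasys: it uses the manual's own example numbers (short prefix 58000xx, office prefix 123456789xx) together with a constructed set of registered phones and constructed CoS rules, and all function and variable names are assumptions.

```python
# Added illustration of Map to Office Prefix and Class of Service handling.
# Nothing here is Comdasys code; the data below is constructed for the example.

# Registered extensions in the branch (constructed sample data).
REGISTERED_PHONES = {"12345678901", "12345678902", "12345678915"}

# Map to Office Prefix fields, using the manual's example numbers.
SHORT_PREFIX = "58000"        # short prefix that must match the incoming request
OFFICE_PREFIX = "123456789"   # long office prefix it is mapped to


def map_to_office_prefix(number, short=SHORT_PREFIX, office=OFFICE_PREFIX):
    """Replace a matching short prefix with the long office prefix.

    Numbers that do not start with the short prefix are returned unchanged,
    so 123456789xx numbers already in office form pass straight through.
    """
    if number.startswith(short):
        return office + number[len(short):]
    return number


def survivability_target(number, registered=REGISTERED_PHONES):
    """Return the registered phone a request is delivered to locally, or None.

    As the manual states, the mapped office number has to match an actually
    registered phone; otherwise the call is not a local survivability target
    (it may instead be routed out through a gateway).
    """
    mapped = map_to_office_prefix(number)
    return mapped if mapped in registered else None


# Class of Service rules as (source phone, destination prefix, policy).
# Constructed: phone ..01 may not dial international numbers (00), ..02 may.
COS_RULES = [
    ("12345678901", "00", "deny"),
    ("12345678902", "00", "allow"),
]


def cos_permits(source, destination, rules=COS_RULES):
    """Apply the first matching Class of Service rule; unmatched calls pass.

    A rule matches when the source equals the rule's source and the dialled
    destination starts with the rule's destination prefix (e.g. "00").
    """
    for src, dst_prefix, policy in rules:
        if source == src and destination.startswith(dst_prefix):
            return policy == "allow"
    return True


if __name__ == "__main__":
    for dialled in ("5800001", "12345678902", "5800099"):
        print(dialled, "->", survivability_target(dialled))
    print("..01 -> 0049...:", cos_permits("12345678901", "004989123"))
```

The third sample number, 5800099, maps to 12345678999, which is not registered, so it is exactly the case the text calls a gateway candidate rather than a local target.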

• Sip Settings

– Enable B2BUA handling (figure ?? on page ??)
This function is necessary for gateways that do not properly support SIP forking. Forking is necessary if you have multiple SIP endpoints with the same SIP username. This will normally be the case in voice scenarios where you have multiple SIP endpoints with the same phone number. This is commonly described as keyset feature or multiline appearance. Incoming calls in such multiline scenarios sometimes pose difficulties for gateways because the SIP proxy in the Convergence will fork the request. This will lead to the fact that multiple SIP responses are forwarded to the gateway, which is a problem for some of them. Checking this box will make the Convergence behave like a B2BUA towards the voice gateway in survivability mode. This means that for each session from and to the gateway, its own Call ID will be assigned. With the B2BUA feature enabled, the Convergence will terminate this call and only forward a single response to the gateway. Towards the SIP endpoints, the Convergence will continue to behave as a SIP Proxy. Other than that, this function will not be necessary if you have no forking.

– Alive check via SIP instead of ICMP ping (figure ?? on page ??)
There are two ways the Convergence supports for monitoring whether the SIP Server for which we are providing the survivability functionality is alive. This monitoring can be applied at the network layer (via ICMP messages) or on the application layer with SIP OPTIONS requests. The check with pings should work with all servers as long as the underlying network supports this. This is usually the case, except if firewalls on the way or a packet filter on the server itself prevent the Ping Echo Reply messages from getting back to the Convergence. Usually, the pings will be sent in intervals of around a minute. The non-response to a single ICMP message will not lead to the Convergence switching into survivability mode. Whenever the SIP server supports SIP OPTIONS requests (please refer to RFC 3261 for more information on this SIP request type), this should be used for doing the alive check. It will also enable the Convergence to switch into survivability mode for situations in which the central SIP server is reachable, but not responding correctly. This interval can be shorter depending on the amount of SIP messages flowing through the Convergence. The interval can also vary if there are abnormal negative responses to requests forwarded to the server. Whenever we receive 5xx or 6xx responses from the central server for an OPTIONS request, or if no response is received, the Convergence switches to survivability mode. As with ICMP, a single non-response will not lead to the Convergence switching to survivability mode.

– Registration Timeout (figure ?? on page ??)
The Registration Timeout value is only used during Survivability mode. In that mode, the Convergence will acknowledge incoming Registers and Subscribes from the IP Phones. These messages will be sent with a default expires value. If this
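The alive-check decision above, as an added Python illustration (not Comdasys code and not the product's actual implementation): a minimal OPTIONS request as the Convergence might send it, a parser for the status line of the reply, and a monitor that switches to survivability on a 5xx/6xx answer or after several missed answers. The threshold of consecutive misses, the header values and the sample exchange are all assumptions; the manual only states that a single non-response does not trigger the switch.

```python
# Added illustration of the alive check decision described above. Not Comdasys
# code; the miss threshold, header values and sample replies are assumptions.
import re

STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")


def build_options(server, branch_host, cseq):
    """Minimal SIP OPTIONS request as the branch proxy might send to the server.

    Header values are constructed placeholders; a real request would also carry
    Max-Forwards and a properly unique branch parameter.
    """
    return (
        f"OPTIONS sip:{server} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {branch_host};branch=z9hG4bK-alive-{cseq}\r\n"
        f"From: <sip:alive@{branch_host}>;tag=alive{cseq}\r\n"
        f"To: <sip:{server}>\r\n"
        f"Call-ID: alive-{cseq}@{branch_host}\r\n"
        f"CSeq: {cseq} OPTIONS\r\n"
        f"Content-Length: 0\r\n\r\n"
    )


def parse_status(raw):
    """Return the status code of a SIP response, or None if it is not one."""
    m = STATUS_LINE.match(raw)
    return int(m.group(1)) if m else None


class AliveMonitor:
    """Decides when to enter or leave survivability mode.

    - A 5xx or 6xx answer to OPTIONS means the server is reachable but not
      behaving; per the manual this switches to survivability mode.
    - A missing answer counts as a failure, but a single one is not enough;
      the number of consecutive misses required is an assumption here.
    - Any other answer (2xx, or even 4xx) proves the server is alive.
    """

    def __init__(self, miss_threshold=3):
        self.miss_threshold = miss_threshold
        self.misses = 0
        self.survivability = False

    def record(self, response):
        """response: raw SIP reply text, or None when the timer expired."""
        if response is None:
            self.misses += 1
            if self.misses >= self.miss_threshold:
                self.survivability = True
            return self.survivability
        code = parse_status(response)
        if code is None:            # garbage on the wire counts like a miss
            return self.record(None)
        self.misses = 0
        self.survivability = 500 <= code < 700
        return self.survivability


def run_sequence(responses, miss_threshold=3):
    """Feed a list of replies through the monitor; return the mode after each."""
    mon = AliveMonitor(miss_threshold)
    return [mon.record(r) for r in responses]


# Constructed sample exchange: two healthy replies, one timeout (still normal
# operation), a 503 (switch to survivability), then the server recovers.
SAMPLE = [
    "SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n",
    "SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n",
    None,
    "SIP/2.0 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n",
    "SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    print(build_options("pbx.example.invalid", "192.0.2.10", 1))
    print(run_sequence(SAMPLE))   # [False, False, False, True, False]
```

Note that a 4xx answer such as 405 Method Not Allowed is treated as proof of life: the server answered, which is what the application-layer check is for, whereas ICMP alone could not distinguish a hung SIP stack from a healthy one.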

value is very long, the danger is that upon return to normal operation, the IP PBX will have lost the registration of many phones. In order to avoid that, this parameter forces the phones to use a shorter registration timeout during survivability and hence to register more often. Once the connectivity comes back, the IP PBX will get re-registers from the phones in this branch office very rapidly.

– Disable Loose Routing (figure ?? on page ??)
Loose routing is defined in RFC3261 and will make the Convergence route all in-dialog messages the same way that the dialog setup was routed. This however assumes properly behaving SIP endpoints and properly behaving SIP servers. In simple scenarios, where the endpoints are registered to a server, and where the proxy is on the return route in addition to that, loose routing should work fine in survivability mode. With a survivability scenario, the correct behavior of loose routing is not guaranteed with all devices. Therefore, loose routing can be disabled in normal operation (non survivability). If you see in-dialog messages like ACK and BYEs not flowing as expected, disabling loose routing can help. A typical sign is ACKs or BYEs coming from the softswitch being directly returned to it. This should only be necessary for some broken endpoints with incomplete support for RFC3261. In all other situations, this works for most endpoints.

– Fix Broken Loose Routing (figure ?? on page ??)
In contrast to the Disable Loose Routing function, the function here will also disable the loose routing in survivability mode. Enable this feature only if you really experience problems.

– Force Return Route for NOTIFIES (figure ?? on page ??)
While some SIP servers support an outbound proxy feature for addressing SIP messages to endpoints, they often do not fully implement the feature for additional messages beyond RFC3261. With this mode of operation, all messages specified in RFC3261 would be addressed to the endpoint, but sent to the outbound proxy that then makes the final delivery. While this works well for INVITE, ACK, BYE and REFER messages, messages like SUBSCRIBE, NOTIFY and PUBLISH are often treated differently. This poses a special problem for NOTIFIES because they are sent depending on header fields in the SUBSCRIBE message. Since there is no such thing as forking for these requests, it is easily possible to handle them correctly. Therefore, similar to the Force Return Route feature, it is specifically possible to have the Convergence change the Contact information for SUBSCRIBE and NOTIFY requests. This will lead to the fact that NOTIFY requests are always addressed to the Convergence acting as a SIP Proxy, where the messages are routed onwards.

– Mask Proxy Domain on Register (figure ?? on page ??)
If set, the Proxy will replace the domain part of the SIP URI of each message flowing through it with the SIP Domain (IP address or DNS name) of the SIP server. Some SIP servers have problems accepting SIP messages for multiple domains or do not do so due to security reasons. Most systems however work effortlessly

without such modifications. This parameter should hence only be used if you encounter problems pertaining to that. Also check any options that your server might offer to set domain aliases.

– Preset Record Route (figure ?? on page ??)
The preset record route parameter allows influencing how the Record-Route header in the SIP message will be written. The Record-Route header in SIP is for making sure that all messages belonging to a session go through all servers that were on the path of the original message. Explained in more detail, this means that the messages will go through all SIP entities on the way that marked the original message with a Record-Route field. In some scenarios, especially in those involving VPNs and NAT, it can be quite significant what IP address is set in this Record-Route field. By default, the Convergence always selects the primary IP address of the interface the packet is going out on. If the Convergence is only used with a single interface and a single IP, you can completely disregard this field. If the Convergence however is used with a WAN and a LAN address, this can be the wrong one. Therefore, it is possible to explicitly configure the address and port to be used in the Record-Route field. It can also be interesting for scenarios where the Convergence is being used behind another firewall that performs port forwarding. In that case, the external IP address and the forwarded port have to be entered here.

– No Rerouting on (figure ?? on page ??)
The proxy will perform rerouting on a number of replies from the central softswitch. This is necessary especially in conjunction with CAC. If the proxy receives a negative reply for a session initiation request, it will try to perform the specified rerouting. It will not do any rerouting on the responses specified here. The possible response codes are listed below. Select all by pressing SHIFT and selecting them with a Cursor key. Alternatively, you can use CTRL + A to select all.

∗ 400 Bad Request
∗ 401 Unauthorized
∗ 402 Payment Required
∗ 403 Forbidden
∗ 404 Not Found
∗ 405 Method Not Allowed
∗ 406 Not Acceptable
∗ 408 Request Timeout
∗ 410 Gone
∗ 480 Temporarily Unavailable

∗ 486 Busy Here
∗ 487 Request Terminated
∗ 504 Server Timeout
∗ 603 Decline
∗ 606 Not Acceptable

Figure 3.36: Survivability Sip Settings

• Redundancy (figure ?? on page ??)

– 2. PBX Node
Some IP PBXs / Softswitches support clustering or redundancy through a second host. There are two ways of implementing this clustering: either transparent, in which case we do not have to handle anything explicitly in the branch office, or with two IP addresses. This field is meant for the latter concept, which is frequently being used if the 2 nodes of a cluster have been spatially separated. In that case they are available through different WAN links, thus increasing the robustness of the overall solution. If such redundancy precautions have been taken in the data center, the branch equipment must also support this. If this field is set, the Survivability function of the Convergence will only take over if both the PBX as well as the 2. Node have failed. If only the first node has failed, messages will automatically be forwarded to the second node.

– PBX Alias
The Survivability and Call Admission Control function will only be enabled for SIP messages that fall into the domain this SIP proxy is responsible for. Please also refer to the Domains parameter. For correctly determining the direction of the messages flowing, the proxy must be able to know what messages are coming from the PBX, and which ones come from the client side. To correctly determine this, the proxy must also be aware what messages are coming from the Server side. These can be messages coming from the IP addresses given in the PBX and 2. Node PBX parameters, but especially clustered or load balanced servers could have messages coming from other IP addresses also. So it is necessary to configure all source IP addresses or host names from which SIP messages of the PBX can originate.

– Failover Server Replication
This parameter will replicate all Register messages to a second backup server. This can either be a second Convergence operated in redundancy mode or any other type of SIP server that can be used as a backup. The usual scenario is that of a second Convergence being used in this mode.

Figure 3.37: Survivability Redundancy

• Diagnostics (figure ?? on page ??)

– Debug
This switch will make the SIP proxy write debug messages to the system log. These can either be seen in CLI mode on the Convergence, or on the specified logging server. See the logging parameters in this document or refer to the Command Line Guide for more documentation on how to have a look at the logging.

Figure 3.38: Survivability Diagnostics

• RTP Bind Address
This field specifies the address where the media handler is sending / listening. It should be noted that this field is only relevant if the media handling through the Force RTP stream transition feature is enabled. Usually, this setting is unnecessary because the appropriate interface and IP address is determined automatically based on information obtained from the routing stack. This however can sometimes be impossible, especially when working with virtual interfaces or multiple IP addresses per interface. If you see that RTP packets are not coming from the interface or IP address you expect them to come from, please try explicitly setting this field.

• Multiport Mapping (Caution: Do not use unless explicitly needed)
Multiport mapping makes the Convergence assign a unique port for each device connected behind it. It will always use this unique port number when communicating with the SIP server. The Convergence will also change all related fields in SIP messages. The SIP server will hence only see the contact information of the Convergence with

an individual port for each device. The destination port information where the SIP server sent the message is then used to correctly direct the message to the right SIP endpoint. This mode of operation is usually not required and is only necessary for special scenarios involving SIP forking (multiple devices with the same username part of the URI). Usually, the Force Return Route feature is used to change the contact parts of the SIP messages. If in such scenarios the requests already arrive forked from the server, these would be forked again by the Convergence. It is then necessary to utilize this feature to put the Convergence in a situation where it can uniquely determine where to send the already forked request. If the PBX is able to correctly support an outbound proxy feature, where the forked request is addressed to the endpoint's URI but sent to the Convergence, neither the Force Return Route nor the multiport feature are required. This is the most desirable configuration and should be used whenever possible. It should again be reiterated that this type of message routing somewhat bends the conventions of SIP, but it is required for the described scenario.

• Enable Dual Registration Support
This will open a second SIP signalling port on port 5080. Some SIP phones have built-in functions for implementing survivability functionality. It is then possible to provision a second SIP server the phone should go to in case the first server stops responding. This is necessary to adapt the feature handling to the reduced set available in survivability mode. This feature should not be necessary, since the Convergence implements a transparent survivability function. However, some phones need this dual registration approach to realize when they entered survivability mode. Therefore, the Convergence can emulate two different servers, where the first one would stop responding to Registration requests of such phones in Survivability mode.

• Enable Call FW in Surv.
This feature is to enable processing of SIP 302 response messages in survivability mode. When activated, the Convergence will intercept any SIP 302 response message and translate it into a new session with the forwarding target specified in the SIP response. If all your phones and gateways are able to handle such responses themselves, you can leave this checkbox disabled and still have the functionality. In that case, the Convergence would behave like a normal SIP server supporting call forwarding features. There is one notable exception. While there are many phones that support this feature, gateways mostly do not. Therefore, if you want to have call forwarding functionality in conjunction with incoming calls through a gateway, you should activate this feature.

3.5.3.2 Call Admission Control Parameters

The Convergence can use its built-in bandwidth management capabilities to influence the SIP signalling decisions. These SIP signalling decisions can both be influenced for packets coming from the phone as well as coming from the central SIP server. Real-time traffic can be

classified and measured while it is flowing through the box (refer to the Bandwidth Management Section ?? for more details). Based on the information obtained from measuring the traffic, Call Admission checks against predefined policies can now be made. These checks are enforced by the SIP Proxy. The limits for the different traffic bandwidth classes will be used as decision basis for either permitting or denying the establishment of new SIP sessions. There are many variations to the parameters and also to the enforcement. In case of a limit violation that would mean that a SIP 606 Not Acceptable message would be signalled to the central SIP server or the SIP endpoint. Instead of signalling the Not Acceptable directly to the endpoint, the session can also be just marked (by modifying the request URI) to let the central SIP server do the enforcement. The central server can then decide to e.g. signal a Busy, or it can choose an alternative route (e.g. through a locally present PSTN gateway) to avoid a network congestion.

Figure 3.39: Survivability and Call Admission Control (CAC Parameters continued)

• CAC
The CAC parameter indicates whether Call Admission Control shall be performed or not. Uncheck this in order to completely disable this feature.

• CAC check if from IP network (strict checking)
This parameter should be checked if there is a local PSTN gateway in the branch office. If this parameter is not checked, the Convergence will assume that all Calls to and from non-local

destinations will go over the bottleneck link and hence require Call Admission Control (of course only if all other parameters like Link etc. match). This would however mean that for a Call coming in over the local gateway, going to the central PBX and then coming back in to the Convergence, Call Admission Control would be falsely performed although the Media Stream would stay in the local network. Strict checking will additionally check the SDP header to determine how the RTP streams would flow, to correctly perform the Call Admission Control.

• T38 Media Stream Measurement
Enabling T38 stream measurement will make sure that enough bandwidth is reserved, even though the actual bandwidth use can vary greatly. It works in conjunction with the FAX URI option that is explained below. If you are not using T38, you will not have to specify anything here. The particular difficulty lies in the nature of how fax handling with T38 is done in SIP networks. Faxing is done by first setting up a normal media stream with G.711, G.729 or a similar speech codec. Once the gateway or ATA has detected that it is dealing with fax traffic, it will initiate a codec renegotiation to the T38 codec. This renegotiation is done via INVITEs, and hence sets up an additional media stream for an existing session. Once the T38 connection is established, the speech connection will not carry any data until the fax transmission is finished. Moreover, T38 media stream bandwidth can range anywhere from 10 kbit/s to 100 kbit/s depending on the nature of the page that is currently being faxed. A white page will be on the low end, a page with complex shapes on the high side. Therefore, a simple stream measurement as usually done for CAC is insufficient, especially if talking about small branch offices where statistical effects will not mask such a varying bandwidth. The smaller the branch, and the fewer the number of simultaneously possible connections, the more severe is the impact of such an inaccuracy in the stream measurement. It could lead to an additional connection being permitted that does not have space once the fax traffic picks up again. This very special behavior needs to be handled specifically in CAC scenarios. If this box is checked, the bandwidth required for T38 will already be reserved for the initial call setup. If there is only insufficient bandwidth for the T38 connection, the original call will already be rejected, even if a compressed codec is used there. Therefore, this option should always be checked in small branch offices.

• FAX URIs
This function is especially important in conjunction with the Bandwidth Reservation.

• Bandwidth Reservation
Bandwidth reservation determines the kind of call admission control done by the Convergence. There are two types. If Bandwidth Reservation is disabled, the CAC will only count actually established calls. That way, the maximum number of possible calls can be fitted, but there is the danger of overbooking. Overbooking in those cases can happen if you have a large number of potential sessions. Those are sessions that are for example in a ringing state. These sessions have not been established yet, and hence they are not counted. In that case, there is the chance that at least some of these sessions are

never completed (nobody picks up the phone). This means that the CAC check is only done against the actually established connections. Until a limit is reached, additional sessions will be permitted. In this window you can have some amount of sessions in a transient state (Session Progress, Ringing, etc.). Once permitted, all these sessions can be established and overbook the link by the number of sessions in a transient state that get established, minus one. On a large site, with very many calls, this window will be very small, so that overbooking should not be an issue. The other option is that of reserving bandwidth as soon as the call is set up. This means that a call is counted as established as soon as the number is dialed. This also means that sessions in a transient state are fully counted, even though they might never lead to an established session. This very conservative setup will completely prevent overbooking, but might waste bandwidth and thus prevent calls from being established that would theoretically have space, especially in situations where calls are not picked up. The Convergence does however detect SIP forking mechanisms which are for example used for keyset operation in VoIP scenarios. A forked request will only be interpreted as a single session.

• Ignore Prefix
All prefixes specified here will be ignored for any CAC decision. This feature will only be used in telephony scenarios where special prefixes can be dialed to e.g. enable the transmission of the Caller ID. Functions like these are often used by prefixing an access code to the actual number you want to dial. This prefix must of course not change the CAC assessment of where the call is going. This means that if you specify a prefix of xx here, the CAC checks will be based on the dialed number with the specified prefix being removed first. In order to achieve this, simply add all possible prefixes that should be ignored to this list. Regular Expressions are allowed here for specifying a number of prefixes at once. Note however that the special telephony prefixes "*" or "#" are interpreted normally when in the beginning of the regular expressions.

• CAC Bandwidth Check
Each SIP session uses a certain average bandwidth depending on the codec being used. For G.711 for example the bandwidth required for each session is around 80 - 85 kbit/s including the overhead packets. The bandwidth check parameter here identifies how much bandwidth must still be available in order to permit another session. Note that you have to enter the parameter manually. Since codecs can be renegotiated during a session, this parameter has to reflect the highest possible bandwidth that two endpoints can use after completing their codec negotiation. For each Call Admission decision as to whether a call should be permitted or not, the worst case is hence assumed. Specifying the maximum used bandwidth here is important since otherwise it would mean that your session is permitted first, then renegotiated with another codec and denied there. This kind of behaviour would be very user unfriendly. In pure VoIP scenarios that would be 11000 bytes/second for G.711 scenarios and 4000 bytes/second for G.729 scenarios. In the latter case you should make sure that G.729 is used by all phones. If not, the fallback codec would typically be G.711. This parameter can
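The two Bandwidth Reservation modes and the CAC Bandwidth Check, as an added Python illustration that is not Comdasys code and not the product's implementation. It uses the per-session figures quoted in the text (11000 bytes/second for G.711, 4000 for G.729); the link size, the Call-IDs and the call sequence are constructed, and the class and function names are assumptions. The demo reproduces the overbooking window the text describes: three INVITEs arrive while all are still ringing on a link sized for two G.711 calls.

```python
# Added illustration of the CAC bandwidth check and of the two Bandwidth
# Reservation modes described above. Not Comdasys code; the link size and
# call sequence are constructed, the per-session figures are the manual's.
G711_BYTES_PER_SECOND = 11000   # CAC Bandwidth Check value quoted for G.711
G729_BYTES_PER_SECOND = 4000    # CAC Bandwidth Check value quoted for G.729


class CacLink:
    """Admission control for one bottleneck link.

    bandwidth_check is the worst-case bytes/second one session may use after
    codec negotiation; bandwidth_reservation selects whether sessions in a
    transient state (ringing, session progress) are counted as well.
    """

    def __init__(self, limit_bytes_per_second, bandwidth_check, bandwidth_reservation):
        self.limit = limit_bytes_per_second
        self.check = bandwidth_check
        self.reservation = bandwidth_reservation
        self.sessions = {}   # Call-ID -> "transient" or "established"

    def counted_bandwidth(self):
        counted = ("transient", "established") if self.reservation else ("established",)
        return sum(self.check for state in self.sessions.values() if state in counted)

    def admit(self, call_id):
        """Decide on a new INVITE; a forked branch reuses the Call-ID and is one session."""
        if call_id in self.sessions:
            return True
        if self.limit - self.counted_bandwidth() < self.check:
            return False   # the proxy would answer 606 or apply the Redirect action
        self.sessions[call_id] = "transient"
        return True

    def establish(self, call_id):
        if call_id in self.sessions:
            self.sessions[call_id] = "established"

    def release(self, call_id):
        self.sessions.pop(call_id, None)

    def overbooked_bytes(self):
        """Bandwidth by which the established sessions exceed the link limit."""
        established = sum(1 for s in self.sessions.values() if s == "established")
        return max(0, established * self.check - self.limit)


def overbooking_demo(bandwidth_reservation):
    """Three INVITEs arrive while ringing on a link sized for two G.711 calls.

    Returns (admission decisions, overbooking once all admitted calls are answered).
    """
    link = CacLink(limit_bytes_per_second=2 * G711_BYTES_PER_SECOND,
                   bandwidth_check=G711_BYTES_PER_SECOND,
                   bandwidth_reservation=bandwidth_reservation)
    call_ids = ["call-1", "call-2", "call-3"]
    decisions = [link.admit(cid) for cid in call_ids]        # all still transient
    for cid, admitted in zip(call_ids, decisions):
        if admitted:
            link.establish(cid)                              # everybody picks up
    return decisions, link.overbooked_bytes()


def forking_demo():
    """A keyset INVITE forked to three phones is counted as one session."""
    link = CacLink(2 * G711_BYTES_PER_SECOND, G711_BYTES_PER_SECOND, True)
    decisions = [link.admit("keyset-call") for _ in range(3)]
    return decisions, len(link.sessions)


if __name__ == "__main__":
    print("no reservation:", overbooking_demo(False))   # ([True, True, True], 11000)
    print("reservation:   ", overbooking_demo(True))    # ([True, True, False], 0)
    print("forking:       ", forking_demo())            # ([True, True, True], 1)
```

Without reservation the third call is admitted because nothing is established yet, and the link ends up one G.711 session over its limit when all three are answered; with reservation the third INVITE is refused up front, which is the conservative trade-off the text describes.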

also be used for deliberately leaving some room to the bandwidth limit by checking for a higher bandwidth than required. The difference would then remain unused, which can be desirable under certain conditions. Note that this field is entered in "bytes/second", not "bits/s".

• Redirect to PBX
If there is no more bandwidth for permitting an extra session, the Call can be either denied, or it can be redirected to a gateway. These actions will be discussed later in more detail. The field here specifies another possible action. In this case, the rerouting to e.g. a local gateway can be performed by the central IP PBX. The SIP Proxy can modify the dialled number by prefixing something to let the IP PBX know that the usual call routing path does not apply. The central IP PBX can then route the call over the local gateway in the branch office. This does not require any Call Admission Control awareness of the central PBX; simple call routing features with multiple alternative routes, as for example found in least cost routing features, do suffice.

• Prefix
As already just described, this prefix will be added to the dialled number to inform the central SIP server that an alternative routing needs to be performed. This prefix can be any combination of alphanumeric characters and special characters like "*" or "#". In telephony applications, the prefix will most likely be numeric.

• CAC excluded Numbers
All prefixes specified here will not be considered at all for a CAC decision. No Admission Control will be performed on the extensions entered here. This can be used for excluding certain number ranges because you know that there will always be enough bandwidth, or because you maybe want to exclude emergency calls. In Voice scenarios with a central IP PBX as a SIP server, there is a commonly offered feature named Pickup group. This permits using any telephone and dialing a certain special extension, like for example "*9", in order to pick up the call of another ringing telephone inside this branch office. In such a case, the Convergence must be told that the "*9" is not a regular number but rather the special extension for that, thus not generating traffic load on the bottleneck link. Regular expressions can be specified here. Note that you can enter a regular expression here and the above described functionality will apply to all extensions matching this expression. This also means that characters having a predefined meaning in a regular expression must be escaped to match the real character. Escaping can be done by adding a backslash before the character in question. In order to match the "*9" used in the example above, you hence have to enter a "\*9" into the field. Refer to the Command Line Reference for more information on regular expressions. Excluded calls can cause an overload on a link if you are not careful in configuring your bandwidth rules.
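The prefix handling of the Ignore Prefix, Redirect to PBX / Prefix and CAC excluded Numbers fields, as an added Python illustration (not Comdasys code; the product's regular expression dialect is documented in its Command Line Reference, not reproduced here). The access codes, the "#77" redirect marker and the emergency number are constructed; only the escaped "\*9" pickup pattern comes from the text. Python's `re` module rejects an unescaped leading "*" outright, which makes the escaping rule from the text visible, whereas the text notes that the Ignore Prefix field itself treats a leading "*" or "#" as the telephony character.

```python
# Added illustration of the Ignore Prefix, CAC excluded Numbers and Redirect
# to PBX prefix handling described above. Not Comdasys code; the prefixes and
# the redirect marker below are constructed.
import re

# Ignore Prefix: access codes stripped before the CAC decision (constructed).
IGNORE_PREFIXES = [r"\*31#", r"\*67"]

# CAC excluded Numbers: "\*9" for the pickup group as in the manual's example,
# plus a constructed emergency number.
EXCLUDED_NUMBERS = [r"\*9", r"112"]

# Redirect to PBX: marker prepended to the dialled number (constructed value).
REDIRECT_PREFIX = "#77"


def pattern_is_valid(pattern):
    """True if the field value compiles as a regular expression.

    An unescaped "*9" is not a valid expression: "*" has nothing to repeat.
    """
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def strip_ignored_prefix(dialled, patterns=IGNORE_PREFIXES):
    """Remove the first matching ignore prefix so CAC sees the real number."""
    for p in patterns:
        m = re.match(p, dialled)
        if m:
            return dialled[m.end():]
    return dialled


def is_cac_excluded(dialled, patterns=EXCLUDED_NUMBERS):
    """True if the number matches an excluded pattern (anchored at the start)."""
    return any(re.match(p, dialled) for p in patterns)


def cac_subject(dialled):
    """Number the CAC decision is based on, or None when CAC is bypassed."""
    if is_cac_excluded(dialled):
        return None
    return strip_ignored_prefix(dialled)


def mark_for_redirect(dialled, prefix=REDIRECT_PREFIX):
    """Prefix the number so the central PBX routes it via the local gateway."""
    return prefix + dialled


if __name__ == "__main__":
    for number in ("*9", "*31#0049891234", "0049891234", "112"):
        print(number, "->", cac_subject(number))
    print(pattern_is_valid("*9"), pattern_is_valid(r"\*9"))   # False True
```

Because excluded patterns bypass admission control entirely, `is_cac_excluded` anchors at the start of the number and keeps each pattern as specific as possible, which is the point of the warning that follows in the text.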

! This is a dangerous function since it can break CAC altogether. Be very careful that the expression specified here only matches the actual calls that you want to have filtered and no more, especially when using regular expressions.

• CAC
We have already explained the basic approach of how the Call Admission Control is handled. As we have already mentioned above, the Convergence permits the specification of an action in the case of a limit violation. In order to configure Call Admission Control, we first need to define a link for which we want to do Call Admission Control. The link definition here is done by entering the source and destination IP ranges. The properties of that link, as for example how much bandwidth is allowed to be used for voice, are defined inside a traffic class. As for the configuration, the Bandwidth Management Configuration is used, where a traffic class with certain limits is defined. See the ?? management section for more information on that. The limit is enforced by the Call Admission Control functionality. After defining the link, we now need to configure a policy. Each CAC policy consists of a Limit Class, an Action, and a Link. Define the three parameters, then press Add to add them to the list of Call Admission rules. In the following, we will define the different parameters in more detail:

– Limit Class
The Limit Class definitions make the connection between the SIP and the IP layer. In the bandwidth management, multiple voice traffic classes can be defined for each link. All traffic class definitions are used for making assessments as to whether additional calls can be accommodated. Simply select the class representing the real-time traffic you want to limit with this rule definition. For more information on the definition of the traffic rules refer to section ?? of this handbook.

– Action
For each Call Admission rule definition, a reaction in case of an overload must be configured. The enforcement of the policy can be any action configurable in SIP. Simply denying calls is the simplest of all actions that can be taken. Sometimes however it is inappropriate. Imagine for example a case where we can route a call over multiple links. Since the Convergence is operating at the edge of one or more bottleneck links, there might be an alternative route to the destination via a second link. The other possibility is to use the TDM network via a gateway realizing a local breakout. These actions can also be configured in the Convergence Series. This second possible action is Redirect. Choose one of the two from the Drop-Down list. Future versions will come with additional actions.

– Link

you should also specify the corresponding IP address (if possible) to avoid unnecessary DNS lookups. 3. the destination would most likely be the IP PBX. Other than that. The gateways are used in the Survivability scenario. In practice. Domain as used here refers to the rear part of a URI parameter. Otherwise it will simply perform a DNS lookup and forward the message appropriately. The mentioned IP addresses pertain to the SIP signalling traffic.3. This must be at least the IP address of the IP PBX and if used also any DNS names as well as aliases. This means that if you have some client send a SIP message for 500@foo.5.4 Gateway Parameters • Gateways (figure ?? on page ??) The gateway parameters are comparatively straightforward. The Convergence theoretically supports up to 15 gateways in a hunting configuration. both the IP address as well as the domain name must be specified here to enable the correct operation. 3. A link is closely associated with the routing functionality offered by the Convergence. 3.3 Domain Parameter The Domain list parameter is one of the most important parameters in the Convergence . 2005-2008 c Comdasys AG 99 . Simply enter the Source and Destination IP addresses or network addresses that you want have the limit and action applied to.5. Group 2 another. The source would for example be the local branch net- work. If a SIP message arrives with the DNS name replaced by the IP address only a quick comparison has to be performed instead of a DNS reverse lookup. The simplest case of a link is a physical network connection. If you specify DNS names here. anything more than 3 is very uncommon. Typically source and destination addresses are used for classifying packets as belonging to a certain link (matches the standard IP networking principles). The source address could for example be used to configure groups for the phones. the message will be routed correctly only if all applicable domains are entered here. 
and/or Session Border Controller logic to SIP messages directed at this domain.5 Voice-over-IP The notion of a link is fundamental to the way the Convergence does Call Admis- sion Control. The Convergence however does not stop there. For domain names where no reverse lookups are possible. Group 1 could get a range of IP ad- dresses.bar to the Convergence it will only act upon it in the way described if foo. They will however also be considered for the Call Admission Control since a call to a local phone is of course not subject to admission control. In that case it will behave like a standard stateful SIP Proxy. Call Admission Control. The Convergence will only apply the Survivability. the Convergence will use the parameters configured here for performing a local breakout. This means that for Survivability scenarios. Type a ”0” for any IP out of this range.3.bar can be found in the domain list.

– IP address
The IP address is that of the PSTN gateway. The Convergence can interact with any PSTN gateway that supports SIP as specified in RFC 3261. Although the name of the field says otherwise, it is also possible to specify DNS / DNS SRV names here. Survivability scenarios, however, will be induced by WAN failures. If your DNS server is unavailable in such cases, putting the DNS name of the gateway here will result in total failure. Therefore you should only use DNS names if you are sure the DNS server is available in all scenarios the Survivability function has to work in. A possibility to achieve that is to use the DNS slave function of the Convergence, where it can act as a caching DNS slave for some configurable master and hence answer DNS queries even if the master is offline. This is necessary since it cannot be assumed that the gateway is always locally connected to the LAN; it could be located off site, which could mean that in a backup case it can only be reached via some backup link. Directly behind the IP address you need to specify the transmit mode. This can again be UDP, TCP or TLS; the same restrictions and possibilities as for the IP PBX apply.

– Strip digits
This parameter determines how many characters of the phone number must be removed in Survivability mode before passing the message on to the PSTN breakout gateway. Under normal operation this is all done by the PBX. As already explained, this URI manipulation would normally be performed by the SIP server; this is impossible in the Survivability case, which is why the Convergence performs it here. In Survivability mode the Convergence will perform the necessary number manipulations, so the functionality is completely transparent to the gateway: the gateway is unaware of the fact that it is operating in Survivability mode. Some restrictions concerning the features available in the phones etc. might however apply; refer to the subsection Survivability Parameters on page ?? for more information on this. Note that the functionality here does of course not only apply to numbers; it could also be any characters allowed in URIs. The most common case with a gateway, however, will be phone numbers, where prefixes are commonly used.

– Prefix numbers
After a certain number of digits has been removed, it is possible to prefix any combination of digits before the call is forwarded to the gateway. Prefixing something is necessary if the gateway expects numbers in a certain format, as is frequently the case. There are many conceivable scenarios; in most cases, however, the PBX takes care of this under normal operation.

– CAC
It is possible to perform Call Admission Control in Survivability mode before the call is forwarded to a gateway. The Call Admission Control parameters allow limiting the number of calls going to the gateway. For more information on Call Admission Control refer to the more detailed explanation in the general section.
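The Call Admission Control rules above (Limit Class, Action and Link) and the gateway hunting with "Strip digits" and "Prefix numbers" can be modelled in a few lines. The following is an added example written for this edition, not Comdasys code and not the device's implementation: the class names, addresses, limits, gateway list and the reading of "0" as an "any address" wildcard are assumptions made for illustration.

```python
# Added example, not Comdasys code: a minimal model of the Call Admission
# Control rules (Link + Limit Class + Action) and of survivability gateway
# hunting with "Strip digits" / "Prefix numbers". Addresses, class names,
# limits and the handling of the "0" wildcard are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "0"  # the manual's entry for "any IP address" in a link definition


def in_range(addr: str, spec: str) -> bool:
    """addr matches spec when spec is the '0' wildcard, a host address or a CIDR network."""
    if spec == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass
class Link:
    name: str
    source: str       # e.g. the branch LAN
    destination: str  # e.g. the IP PBX

    def matches(self, src: str, dst: str) -> bool:
        return in_range(src, self.source) and in_range(dst, self.destination)


@dataclass
class LimitClass:
    """Ties the SIP layer to the IP layer: the real-time traffic class and its call limit."""
    name: str
    max_calls: int


@dataclass
class Policy:
    limit: LimitClass
    action: str                        # "deny" or "redirect"
    link: Link
    redirect_to: Optional[str] = None  # name of the alternative link used by "redirect"


class CallAdmissionControl:
    def __init__(self, policies):
        self.policies = list(policies)
        self.limit = {p.link.name: p.limit.max_calls for p in self.policies}
        self.active = {p.link.name: 0 for p in self.policies}

    def _reserve(self, link: str) -> bool:
        """Admit one more call on link if its limit class still has room."""
        if self.active[link] < self.limit[link]:
            self.active[link] += 1
            return True
        return False

    def admit(self, src: str, dst: str) -> Tuple[str, Optional[str]]:
        """Decide on a new call src -> dst: ('accept'|'redirect'|'deny', link name)."""
        for p in self.policies:
            if not p.link.matches(src, dst):
                continue
            if self._reserve(p.link.name):
                return "accept", p.link.name
            # Limit violated: Redirect tries the alternative link, otherwise Deny.
            if p.action == "redirect" and p.redirect_to in self.limit \
                    and self._reserve(p.redirect_to):
                return "redirect", p.redirect_to
            return "deny", p.link.name
        return "accept", None  # no link matched, e.g. a call between two local phones

    def release(self, link: Optional[str]) -> None:
        """Call ended: free its reservation on the link."""
        if link is not None and self.active[link] > 0:
            self.active[link] -= 1


@dataclass
class Gateway:
    address: str       # PSTN breakout gateway; an IP address survives DNS outages
    strip_digits: int  # "Strip digits"
    prefix: str        # "Prefix numbers"
    max_calls: int     # CAC limit towards this gateway
    active: int = 0


def rewrite_number(user: str, gw: Gateway) -> str:
    """Survivability number manipulation: strip leading characters, then prefix."""
    return gw.prefix + user[gw.strip_digits:]


def breakout(user: str, gateways) -> Optional[Tuple[str, str]]:
    """Hunt through the gateways in order. A full gateway overflows (Redirect) to the
    next one; when none is left the result is a Deny, returned as None."""
    for gw in gateways:
        if gw.active < gw.max_calls:
            gw.active += 1
            return gw.address, rewrite_number(user, gw)
    return None
```

With a WAN link limited to two calls that redirects to a backup link limited to one, the third call is redirected and the fourth denied, while a call between two branch phones matches no link and is never limited. For breakout, a gateway that takes numbers as dialled gets strip 0 and an empty prefix; one expecting the country code gets strip 1 and the prefix "+49".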

The Redirect action will make the call overflow to the next possible gateway; if there is none, Redirect behaves the same as Deny.

Figure 3.40: Gateways

3.5.4 Branch Session Border Controller (SBC) Functionality
This template is very similar to the Survivability scenario, and in fact it will also act as a survivability component in the network. Therefore we provide a general introduction here, but for the description of the actual features we will often refer to the Survivability section; we will, however, point out the differences. The Branch SBC scenario will usually be used where you have a branch office that you want to equip with real-time communication. That could for example be a scenario where the users in this branch office are to be hooked up to a centralized softswitch. Especially in bigger networks it is often impossible to provide a flatly routed network across all locations where users are to be connected to the softswitch. This poses special challenges, because the peer-to-peer type of communication of SIP endpoints concerning media handling actually requires such a network. The main difference between the Branch SBC and the Survivability template is that with the former, the Convergence will always do media handling in addition to the SIP signalling handling.

Figure 3.41: Branch SBC: Basic Settings

Figure 3.42: Branch SBC: SBC Settings

3.5.4.1 Branch SBC Parameter
• Own number
See ?? for a more detailed description.
• PBX Address
See ?? for a more detailed description.
• PBX Alias
See ?? for a more detailed description.
• Timeout
See ?? for a more detailed description.
• Registration Timeout
See ?? for a more detailed description.
• Alive check via SIP instead of ICMP
See ?? for a more detailed description.
• Prefix Number
See ?? for a more detailed description.
• Internal IP
Since the Branch SBC will do media handling if a SIP session leaves the boundaries of the local branch office, the Convergence needs to know the internal network address for which it should not be doing media handling. For all sessions where both the source and the target are within this network, the media streams will continue to flow directly between the endpoints.
• Netmask
This parameter describes the netmask for the network address configured above. It enables the Convergence to check whether two endpoints are actually local or not.
• External IP
All Convergence products support multiple virtual and non-virtual interfaces. When acting as a branch session border controller, there must however be a unique uplink interface through which outgoing media streams are routed. When looking at the SIP messages that leave the Branch SBC, all SDP bodies will contain this external IP address, and hence all endpoints having a connection with some endpoint inside the Branch SBC will send their media streams to this external IP address.

• RTP Proxy
See ?? for a more detailed description.
• RTP Bind Address
See ?? for a more detailed description.
• Force Return Route
See ?? for a more detailed description.
• Mask Proxy Domain on Register
See ?? for a more detailed description.
• Disable Loose Routing
See ?? for a more detailed description.
• Failover Server Replication and Failover Server IP
See ?? for a more detailed description.
• Debug
See ?? for a more detailed description.
• Local Gateway
This is another Branch SBC specific parameter. You need to configure whether media handling should be done for calls to and from the gateway. If checked, the gateway is assumed to be local, and media handling will be disabled for all calls between local endpoints and the local gateway. If not checked, the gateway is assumed to be external, e.g. located at the central softswitch; this enables media handling for all external calls.
• Gateway DNS Alias
If this checkbox is enabled, the information in the field with the same name

3.5.4.2 Survivability Parameter
• Survivability
In the Branch SBC mode of operation, Survivability functionality must be enabled separately. Check this box to activate survivability. In this case the Convergence behaves exactly the same way as in Survivability mode, but does the media handling in addition to that.
• CFW in Survivability Mode
See ?? for a more detailed description.

• No ReRouting On
See ?? for a more detailed description.
• CAC Bandwidth Check
See ?? for a more detailed description.
• Bandwidth Reservation
See ?? for a more detailed description.

Figure 3.43: Branch SBC CAC Parameter

3.5.4.3 CAC
• CAC
The Convergence is able to do Call Admission Control in addition to the Branch SBC functions. By default this functionality is not enabled in this mode; to enable it, simply activate this checkbox.

• CAC Excluded Numbers
See ?? for a more detailed description.
• Redirect to PBX
The fields Prefix and Redirect to PBX are related. Please see ?? for a more detailed description of these parameters.
• CAC
See ?? for a more detailed description.

3.5.4.4 Domain Parameter
See ?? for a more detailed description.

3.5.4.5 Gateways
See ?? for a more detailed description.

3.5.5 Cascaded SBC (Session Border Controller) Template
The cascaded SBC deployment allows the branch offices to connect to a protected SIP server while using their own private network. This means that the Convergence is deployed in the branch office with the Branch SBC template, and centrally the Convergence is deployed with the Cascaded SBC template. As such, the Cascaded SBC will act mostly as a media bridge. The central SBC may or may not serve as a media bridge for inter-branch calls. Since in this configuration mode the central SIP server cannot see the topology of the network, the CAC functionality must be activated on the SBCs in order to ensure proper bandwidth management.

3.5.5.1 Cascaded SBC Parameter
• PBX Address
See ?? for a more detailed description.
• PBX Alias
See ?? for a more detailed description.

Figure 3.44: Cascaded SBC Parameter

• Internal IP
Since the Branch SBC will do media handling if a SIP session leaves the boundaries of the local branch office, the Convergence needs to know the internal network address for which it should not be doing media handling. For all sessions where both the source and the target are within this network, the media streams will continue to flow directly between the endpoints.
• Netmask
This parameter describes the netmask for the network address configured above. It enables the Convergence to check whether two endpoints are actually local or not.
• External IP
All Convergence products support multiple virtual and non-virtual interfaces. When acting as a branch session border controller, there must however be a unique uplink interface through which outgoing media streams are routed. When looking at the SIP messages that leave the Branch SBC, all SDP bodies will contain this external IP address, and hence all endpoints having a connection with some endpoint inside the Branch SBC will send their media streams to this external IP address.
• RTP Proxy
See ?? for a more detailed description.
• RTP Bind Address
See ?? for a more detailed description.
• Force Return Route
See ?? for a more detailed description.
• Mask Proxy Domain on Register
See ?? for a more detailed description.
• Disable Loose Routing
See ?? for a more detailed description.
• Failover Server Replication and Failover Server IP
See ?? for a more detailed description.
• Debug
See ?? for a more detailed description.
• Map Office Prefix to Branch SBC IP

3.5.5.2 CAC
• CAC
The Convergence is able to do Call Admission Control in addition to the Branch SBC functions. By default this functionality is not enabled in this mode; to enable it, simply activate this checkbox.
• CAC Excluded Numbers
See ?? for a more detailed description.
• CAC Bandwidth Check
See ?? for a more detailed description.
• Bandwidth Reservation
See ?? for a more detailed description.
• Redirect to PBX
The fields Prefix and Redirect to PBX are related. Please see ?? for a more detailed description of these parameters.
• CAC
See ?? for a more detailed description.

3.5.6 SBC (Session Border Controller) Template
A Session Border Controller (SBC) is a VoIP session-aware device that controls call admission to a network at the border of that network. Contrary to the Branch SBC, the SBC function is not only an infrastructure function but a security component providing a separation between networks. The Convergence is still primarily built to fulfill these infrastructure functions. While the functionality will increase in the future, the Convergence is still positioned to be a pure SIP device; it is not built to perform some other functions usually attributed to SBCs, such as protocol translation (e.g. to MGCP). In this mode the Convergence currently performs NAT traversal, SRTP termination and other functions. The central SBC function is not available in all Convergence products.

A typical centralized Session Border Controller breaks down into two logically distinct pieces:
• Signalling
The signalling SBC function controls access of VoIP signalling messages to the core of the network and manipulates the contents of these messages.

• Media
The media SBC function controls access of media packets to the network, provides differentiated services and QoS for different media streams and, in particular, avoids things like service theft. It can also be used to provide security functions like SRTP termination to differentiate between different security zones.

3.5.6.1 Explanation NAT
This template will act as a centralized session border controller, handling all media streams emanating from clients coming from the WAN network and being behind a firewall. The goal is to enable ubiquitous IP communication while keeping the network inside the SBC secure. The most important function of a centralized SBC is hence the ability to enable clients behind a NAT firewall to do IP communication. The challenge is to make this work behind arbitrary firewall types, including those typically found in public Internet hotspots. In order to properly understand this setup, we first need to explain the supported NAT networks.

NATs are active network devices placed in the data path. NATs are similar to firewalls, and different from routers, in that they are topologically sensitive. They have an "inside" and an "outside", and undertake different operations on intercepted packets depending on whether the packet is going from inside to outside or in the opposite direction.

NATs are IP header translators. The header of an IP packet contains the source and destination IP addresses. If the packet is being passed from the inside to the outside, a NAT rewrites the source address in the packet header to a different value and alters the IP and TCP header checksums in the packet at the same time to reflect the change of the address field. When a packet is received from the outside destined to the inside, the destination address is rewritten to a different value, and again the IP and TCP header checksums are recalculated.

NATs are IP address translators. The "inside" does not necessarily use globally unique addresses to number every device within the network served by the NAT. The inside (or "local") network may use addresses from private address blocks, implying that the uniqueness of the address holds only for the site. NATs are configured with a pool of public addresses, and when an "inside" host first sends an outbound packet, an address is drawn from this pool and mapped as a temporary alias to the inside host's local address. This mapped address is used as the new source address for the outgoing packet, and a local session state is set up in the NAT unit for the mapping between the private and the public addresses. This type of pure NAT has become very uncommon nowadays, but it is still mentioned here for completeness.

The variant of the NAT commonly used today is the Port-Translating NAT, or NAPT (today the term NAT is frequently used to also refer to this type of NAT mapping). This form of NAT is used in the context of TCP and User Datagram Protocol (UDP) sessions, where the NAT maps the local source address and source port number to a public source address and a public-side port number for outgoing packets. Incoming packets addressed to this public address and port pair are translated to the corresponding local address and port. NAPTs allow concurrent outgoing sessions to be distinguished by the combination of the mapped address and mapped port value. In this way each unique external pool address may be used for up to 65,535 concurrent mapped sessions. Again the NAPT is attempting to be transparent in terms of providing a consistent view of the session to each end, using a symmetric binding of a local address and port pair to an external address and port pair. For a while the terminology distinction between NATs and NAPTs was considered important, but this has faded over time.

It should be noted that a large number of mapped sessions in a firewall can pose both a security and a performance problem. Each NAT mapping is a pinhole in the firewall that can be used to sneak information into the protected network. In addition, with a large number of sessions the firewall might have to do a lot of comparisons for each arriving packet to find the connection the packet belongs to. These restrictions especially pose problems in VoIP scenarios, since each active SIP client in a call state necessitates at least 2 active NAT mappings.

! Note that if you want to use SIP endpoints across the WAN port, the firewall will block those by default. It is, however, relatively easy to enable SIP and RTP traffic on the WAN interface: if your messages arrive on the WAN interface, you will need to manually change the security settings. Please refer to the ?? section for more information about this topic.

Signalling
The Convergence will do signalling handling and provide Session Border Controller function between an inside and an outside network. In addition to that it will do far-end NAT traversal. After the client has registered, the remote NAT mapping is learned by the Convergence so that it can send subsequent requests to this client. A SIP OPTIONS message is sent periodically (typically every 30 seconds) to keep the remote NAT mapping alive and thus keep the remote client operational. The SBC will also perform validation of received SIP messages before forwarding them to the internal SIP server. With that approach, malformed SIP messages will be detected and dropped. In addition, further semantic checks will be made on the SIP messages based on the available information before forwarding them to the internal SIP server.

3.5.6.2 Media Handling
The media handler will create its own session for each connection set up via the signalling handling. The connection to the media handling is done by modifying the SDP bodies of the SIP messages. With that modification, the SBC will be in the middle of every media stream from a client to the inside network, as well as in every media stream between two clients behind two distinct NATs. Similarly to the SIP approach to handling remote NATs, the remote NAT mapping is learned by the SBC, so that packets can be sent to the client behind the remote NAT.
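The NAPT described above and the SBC behaviour that depends on it (learning the remote mapping, the periodic OPTIONS keepalive, and the media-handling rules that continue below: no redirection once a stream is up, source validation, dead peer detection) can be modelled together. The following is an added example written for this edition, not Comdasys code and not the device's implementation; the addresses, ports, the 60-second pinhole timeout, the 30-second dead-peer timeout and the packet contents are constructed for illustration.

```python
# Added example, not Comdasys code: a port-translating NAT (NAPT) in front of a
# client, and the SBC behaviour towards that client: learn the remote mapping
# from the first packet, validate every later packet's source, keep the pinhole
# open with periodic SIP OPTIONS, and detect a dead peer. Addresses, ports,
# timeouts and packets are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Mapping:
    local: Addr
    public_port: int
    last_seen: float


class Napt:
    """Port-translating NAT: (local addr, port) <-> (public addr, public port)."""

    def __init__(self, public_addr: str, idle_timeout: float = 60.0):
        self.public_addr = public_addr
        self.idle_timeout = idle_timeout      # pinhole lifetime without traffic
        self.out: Dict[Addr, Mapping] = {}
        self.inb: Dict[int, Mapping] = {}
        self.next_port = 1024                 # at most 65,535 mappings per public address

    def _expire(self, now: float) -> None:
        for local, m in list(self.out.items()):
            if now - m.last_seen > self.idle_timeout:
                del self.out[local]
                del self.inb[m.public_port]

    def outbound(self, src: Addr, now: float) -> Addr:
        """Inside -> outside: allocate or refresh the mapping, return the public source."""
        self._expire(now)
        m = self.out.get(src)
        if m is None:
            m = Mapping(src, self.next_port, now)
            self.next_port += 1
            self.out[src] = m
            self.inb[m.public_port] = m
        m.last_seen = now
        return self.public_addr, m.public_port

    def inbound(self, dst_port: int, now: float) -> Optional[Addr]:
        """Outside -> inside: local address for the pinhole, or None if there is none."""
        self._expire(now)
        m = self.inb.get(dst_port)
        return m.local if m else None


def keepalive_holds(nat: Napt, client: Addr, interval: float, duration: float) -> bool:
    """Client REGISTERs at t=0; the SBC then sends SIP OPTIONS every `interval` seconds
    to the learned public mapping, and the client's 200 OK, travelling outbound,
    refreshes the pinhole. True if the mapping is still open at `duration`."""
    public = nat.outbound(client, 0.0)
    t = interval
    while t <= duration:
        if nat.inbound(public[1], t) is None:   # OPTIONS hit a closed pinhole
            return False
        nat.outbound(client, t)                 # the reply refreshes the mapping
        t += interval
    return True


@dataclass
class MediaSession:
    """One relayed RTP stream on an SBC media port."""
    inside_peer: Addr                 # PBX / gateway side the SBC forwards to
    learned: Optional[Addr] = None    # remote NAT mapping, learned from the first packet
    last_rx: float = 0.0
    dropped: int = 0


def rtp_header_ok(pkt: bytes) -> bool:
    """Minimal RTP sanity check (RFC 3550): 12-byte fixed header, version 2."""
    return len(pkt) >= 12 and pkt[0] >> 6 == 2


def sbc_media_rx(s: MediaSession, src: Addr, pkt: bytes, now: float) -> Optional[Addr]:
    """Packet arriving on the SBC media port: forward it to inside_peer or drop it (None)."""
    if not rtp_header_ok(pkt):
        s.dropped += 1
        return None
    if s.learned is None:
        s.learned = src    # latch onto the real source; the SDP carried a private address
    elif src != s.learned:
        s.dropped += 1     # no redirection once the stream is up; hijack attempts are dropped
        return None
    s.last_rx = now
    return s.inside_peer


def peer_is_dead(s: MediaSession, now: float, timeout: float = 30.0) -> bool:
    """Dead peer detection: nothing from the learned source for `timeout` seconds."""
    return s.learned is not None and now - s.last_rx > timeout
```

A client in a call costs the NAT two pinholes here (signalling and RTP), as the text states; with a 60-second idle timeout, a 30-second OPTIONS interval keeps the signalling pinhole open while a 90-second interval loses it. On the media side, the first packet from the client's public mapping is latched, a later packet from any other source is dropped rather than redirecting the stream, and a stream that falls silent is reported by the dead-peer check.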

Once the media stream has been initiated in both directions, no redirection of the media streams is permitted. Additionally, the source of the media stream packets is validated against the stored session parameters to prevent somebody from sending dummy packets to the respective port of the SBC and thus disrupting the session. This protects the users from session hijacking. It also features a dead peer detection to clean up invalid sessions.

In addition, the Convergence can perform SRTP termination. With that function, the Convergence will terminate all sessions emanating from clients on the outside network and send plain RTP to the SIP server or any connected equipment like gateways. Clients in that respect are the SIP endpoints registered from the outside of the network boundary the Session Border Controller is protecting. In the reverse direction, those devices will send plain RTP to the SBC, which in turn will encrypt everything before sending it to the clients on the outside network.

3.5.6.3 Parameter Configuration
The following will explain the parameters that can be configured for the SBC template.
• Internal IP
The Convergence can have multiple interfaces as well as multiple IP addresses per interface. It is therefore necessary to specify which IP address should be used for communicating with the SIP server. This IP address will then be used both for signalling and for media handling.
• External IP
The Convergence can have multiple interfaces as well as multiple IP addresses per interface. The external IP address is the one the Convergence will use when communicating with the clients.
• PBX
This field is for entering the IP address or the DNS name of the PBX for which you want to act as a Session Border Controller. All requests (passing the security checks) coming from the external interface will be forwarded to this PBX.
• SIP Transmit Type
The SIP Transmit Type parameter is the transmission type the Convergence uses to contact the SIP server. The Convergence supports 3 different SIP transport modes: UDP, TCP and the encrypted TLS variant. The type to use depends first and foremost on the SIP server used. The TCP and UDP types are straightforward and just specify the protocol used. The only type requiring further explanation is TLS, for which additional things like the encryption keys are required. The Convergence will generate TLS keys automatically; they can be downloaded for use in servers/phones via SCP. Since this is a very advanced topic, this cannot be configured via the WebGUI as of yet; please consult the Command Line Reference for more information on how to do that.

• Internal URI match
The Internal URI match is a parameter used to classify URIs and that helps to identify unwanted SIP messages. This field can be a regular expression and should match all those requests that can occur when connected to this SIP server. The simplest form is certainly to use something like @foo, which would match all URIs in messages that have foo in the host part of their URI. You can use more sophisticated expressions, however, that could for example match legal phone number ranges. As with the CAC expressions, a pattern that matches more than intended defeats the check: @foo also accepts hosts such as foobar.example or foo.evil.example, so anchor the expression to the exact domain and number format wherever possible.
• Force Return Route
The force return route parameter pertains to the SIP signalling only. Dual-way SIP signalling is essential for NAT scenarios. If a REGISTER is addressed at the Convergence, it will modify the Contact header before forwarding the message. This modification leads to the SIP server sending all subsequent messages intended for the phone to the SBC first. Whether this feature is required depends on the SIP server: if the SIP server has an outbound proxy feature, it will send the SIP messages through the Convergence no matter what the Contact header looks like, and in such a case a Contact header modification is not required.
• SIP Port
This enables you to specify the SIP port the Convergence should use both for TCP and for UDP SIP messages. It is safe to leave this field blank. If you are using non-standard ports here, you should also check your firewall configuration to make sure these ports are open; otherwise any messages sent to these ports would be denied by the firewall. Using non-standard ports is especially important in conjunction with some public hotspots that explicitly deny the standard SIP ports to prevent Voice-over-IP applications.
• TLS Port
This enables you to specify the SIP port the Convergence should use for TLS SIP messages. See also SIP Port for a more detailed explanation as to why this may be necessary. In addition, it should be noted that blocking TLS SIP traffic is almost impossible except by matching the port, since the payload is not visible to anybody; from a network standpoint it looks like a regular SSL session that could just as well be an https session.
• TLS Meth. TLSv1
If this is enabled, the Convergence will force TLS Version 1. If disabled, the Convergence will run in a compatibility mode also accepting SSLv2 and SSLv3. RFC 3261 mandates support for TLS Version 1, so checking this box should be okay with all compliant SIP endpoints and servers. There are, however, still a lot of implementations causing problems with TLS Version 1; in those cases it often helps to fall back to the more established SSL protocol to get things working. The importance of this should decrease over time as TLS becomes more commonplace. Note that SSLv2 and SSLv3 have since been prohibited and deprecated by the IETF (RFC 6176 and RFC 7568), so the compatibility mode should only be used for endpoints that cannot speak TLS Version 1 at all.
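The Domain list check of section 3.5.3.3 and the Internal URI match field above decide together what happens to a request, and the difference between the manual's pattern @foo and an anchored one is easiest to see on real URIs. The following is an added example written for this edition, not Comdasys code and not the device's implementation; the domain foo.bar, the PBX address 10.0.0.10, the request URIs and the stricter pattern are assumptions made for illustration.

```python
# Added example, not Comdasys code: how the Domain list and the Internal URI
# match field decide what happens to a request, and why the pattern "@foo"
# matches more than intended. Domains, addresses, URIs and the strict pattern
# are constructed assumptions.
import re
from typing import Iterable, Optional


def uri_host(uri: str) -> Optional[str]:
    """Host part of a SIP URI, the 'rear part' the Domain parameter refers to.
    Accepts sip:user@host[:port][;params], with or without angle brackets."""
    m = re.match(r"^(?:sips?:)?(?:[^@;>]+@)?([^:;>?\s]+)", uri.strip().strip("<>"))
    return m.group(1).lower() if m else None


class DomainList:
    """Mirrors the Domain list parameter: the PBX's IP address plus any DNS names
    and aliases. Listing the IP lets a request carrying the address be matched by
    a plain comparison instead of a reverse DNS lookup."""

    def __init__(self, entries: Iterable[str]):
        self.entries = {e.lower() for e in entries}

    def is_ours(self, request_uri: str) -> bool:
        host = uri_host(request_uri)
        return host is not None and host in self.entries


def internal_uri_matches(pattern: str, uri: str) -> bool:
    """The Internal URI match field is a regular expression searched in the URI."""
    return re.search(pattern, uri) is not None


# The manual's simple pattern, and a tighter alternative that only accepts
# three-digit extensions starting with 5 at exactly foo.bar (constructed domain).
LOOSE_PATTERN = r"@foo"
STRICT_PATTERN = r"^sip:5\d{2}@foo\.bar(?::5060)?(?:;.*)?$"


def route_decision(domains: DomainList, internal_match: str, request_uri: str) -> str:
    """'forward': not our domain, behave as a plain stateful proxy (DNS lookup, forward).
    'drop': our domain, but an unwanted request. 'process': apply the SBC, CAC or
    Survivability logic."""
    if not domains.is_ours(request_uri):
        return "forward"
    if not internal_uri_matches(internal_match, request_uri.strip().strip("<>")):
        return "drop"
    return "process"
```

Both sip:x@foobar.example and sip:attacker@foo.evil.example satisfy @foo, while the anchored pattern accepts sip:500@foo.bar (with or without port and parameters) and rejects sip:5000@foo.bar and any foreign host.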

• Presence Server IP
If you have a separate presence server, you can specify its IP address here. This forces the SBC to handle presence requests, for example the SIP PUBLISH method, separately from the standard SIP server. The advantage of this is that your SIP server does not have to be aware of any presence functionality: internally, you could have a separate SIP server and presence server and let the SBC correctly separate the requests for these.
• Voicemail Server IP
You can specify the IP address of your voicemail server here. This is for special scenarios where the voicemail server is also integrated via SIP and where it should be ensured that in-dialog requests also correctly flow through the SIP server. This should only be relevant if you are using a SIP proxy type of server as your central SIP server. In such cases it can happen that in-dialog requests such as ACKs and BYEs are routed through the SIP server instead of directly to the SBC; therefore the Route headers of the messages must be modified accordingly. If specified, this address is used to aid the correct SIP message modification. If a back-to-back user agent is used instead of a SIP proxy as the central server, this parameter is not necessary, because the SBC is already separating the requests.
• PSTN Gateway IP
This field is similar to the one for the Voicemail Server IP. Again, with a B2BUA as the central server all signalling to the gateway will be handled by the B2BUA and the SBC will be completely unaware of this. The media stream can of course still be passed directly to the voice gateway.
• Mask Proxy Domain on Register / SIP Domain
The SBC can hide the SIP domain towards the SIP server. This means that one domain can be used towards the outside world while a completely different SIP domain is used on the SIP server. Enter an IP address or a domain name here, and the SBC will rewrite this domain for all requests coming in from the outside network. The most elegant solution, however, is to use DNS names for both the SIP server and the clients coming from the outside network: for the clients, the domain name should resolve to the external IP address of the SBC, and for the SIP server on the internal network to the SBC's internal address. If configured properly this way, the Convergence acts as a topology-hiding Session Border Controller.
• Secure Media (SRTP)
If this is enabled, the SBC will perform SRTP termination for all incoming sessions and will only initiate encrypted sessions to the outside world. Internally, RTP will still be used; end-to-end SRTP is therefore not possible in this scenario.

3.5.7 SIP Trunking Template
SIP Trunking is another possibility of using the Convergence. SIP Trunking will mostly be used for telephony applications, but the Convergence can also support alternative media formats

like video conferencing with the identical configuration. For the explanation of the parameters we will, however, rely heavily on pure VoIP terminology.

In a SIP Trunking scenario the Convergence will usually be placed at the edge of an office network. Hence you do not have your PBX connected to any outside network; just the routing / switching between the PBX and the Convergence must be possible. On the PBX, simply set the address of the internal interface of the Convergence as the SIP Trunking address.

Figure 3.45: Trunking Parameter

• Own Number
• PBX
This field is for entering the IP address or the DNS name of the PBX for which you want to implement SIP Trunking. All requests coming from the trunking provider will be forwarded to this PBX. There are two different ways a PBX can behave: one can have the PBX register with the trunking provider, or use a static registration with the provider.

Figure 3.46: Trunking Parameter (continued)

– SIP Transmit Type
The SIP Transmit Type parameter is the transmission type the Convergence uses to contact the central SIP server. The Convergence supports 3 different SIP transport modes: UDP, TCP and the encrypted TLS variant. The type to use depends first and foremost on the SIP server used. The TCP and UDP types are straightforward and just specify the protocol used. The only type requiring further explanation is TLS, for which additional things like the encryption keys are required. The Convergence will generate TLS keys automatically; they can be downloaded for use in servers/phones via SCP. Since this is a very advanced topic, this cannot be configured via the WebGUI as of yet; please consult the Command Line Reference for more information on how to do that.
– PBX Port
This field defines the port under which the Convergence will contact the SIP server. If left empty, port 5060 will be assumed for the transmit types UDP and TCP, and 5061 for the transmit type TLS.

• Trunk Address
The trunk address needs to be set to the IP address, DNS name or DNS SRV name of the SIP server of the trunking provider. If a DNS SRV name is specified, the ?? must be enabled.
– SIP Transmit Type
The transmit type parameter has the same meaning as ?? towards the PBX. It specifies the way the SIP messages are transmitted to your trunking provider. The choices are again UDP, TCP and TLS, as specified in RFC 3261. If your provider supports TLS, you should try to use it for security reasons. In cases where this is not supported, the only other option to achieve some level of security is to use tunnelling techniques like VPNs to implement a secure channel across the Internet. Note, however, that this security only pertains to the signalling level. The Convergence supports SRTP pass-through by default and can also support SRTP termination. This means that if your PBX supports SRTP, the encrypted media can be passed through; if not, the Convergence can do the termination for your PBX and return plain RTP while speaking SRTP towards the provider. Since SRTP and the key negotiation algorithms are not very standardized yet, please refer to ?? for more information.

! If DNS SRV is enabled, this information will be ignored since the values discovered from the DNS server are used.

– Trunk Port This field specifies the port that should be used to contact the trunking provider. If non-standard ports are used by your provider, please enter them here. If nothing is specified, the default SIP ports (5060 for TCP and UDP, 5061 for TLS) will be used.

! If DNS SRV is enabled, this information will be ignored since the discovered values from the DNS server are used.

• Retransmission Timer The various retransmission timer settings are all tightly related and therefore will be explained together. The retransmission timers refer to SIP requests. All SIP requests mandate a response from the endpoint (in our case either the PBX or the trunking provider). These timers set the interval that the Convergence waits for a response to a request before sending it again. If no response (both provisional 1xx responses as well as final ones are accepted here) to a request is received within this time, a retransmission is initiated. Note that all the retransmission logic only applies to the UDP variant of SIP. Both the TCP and the TLS variant use the connection-oriented Transmission Control Protocol for the transmission of the messages. This transport layer protocol ensures that all messages sent from some source reach the destination, meaning that error correction and retransmission mechanisms are already built into the transport layer and the SIP application layer does not have to handle retransmissions any more. The situation is quite different with UDP, where any message can get lost. Since the PBX will usually be connected through a local Ethernet interface, there should be no problem with lost packets on this side. The trunking provider connection however usually goes over the Internet, where messages can easily be lost or delayed. Commonly the timers are increased from one retransmission to the next, with the defaults being 500 msec, 1000 msec, and 2000 msec.

– Retransmission Timer 1 This is the first retransmission timer and must be set in milliseconds. If this timer is set to 500 msec, which is also the default value, the retransmission will occur in the interval between 450 msec and 550 msec after the first request has been sent without a response arriving; the accuracy of the retransmission is around 50 msec.

– Retransmission Timer 2 Also see above for a more detailed explanation. This timer must also be set in milliseconds, with the default being 1000 msec.

– Retransmission Timer 3 Also see above for a more detailed explanation. This timer must also be set in milliseconds, with the default being 2000 msec.

– Final Retransmission Timer This time must be specified in seconds. After the final retransmission timer expires, the server will be considered down or unreachable, and no further attempts will be made. If DNS SRV is configured, the failover mode will be entered and a DNS lookup to discover the secondary server will be initiated. Once that server has been discovered, messages will be sent there instead of to the primary server. Also see the explanations for the Retransmission Timers as well as the DNS SRV failover penalty for more detailed information on this.

• Enable DNS SRV If DNS SRV is enabled, the Convergence can use it to discover a secondary server if the primary one is offline. DNS SRV is a protocol that allows you to define service classes for your domain; it is supported by all common DNS server products. The product will look for the SIP service class and will then look up the IP address for the discovered host.

• DNS SRV failover penalty This value, set in seconds, specifies the so-called penalty box. If a server has been considered to be offline, the server IP will be put into the penalty box to avoid unnecessary timeouts for transmissions to an offline server. If DNS SRV is enabled, requests will be sent straight to a backup server in the meantime. The Convergence will only try to contact the primary server again after the time specified here has expired. Once that has happened, an attempt is made to contact the primary server. If it is reachable, all subsequent requests will go there again. If it still does not respond, even to the retransmission sequence, it will again be put into the penalty box.

• Internal IP Since the Cascaded SBC will do media handling if a SIP session leaves the boundaries of a branch office connected to the Cascaded SBC, the Convergence needs to know the internal network address for which it should not be doing media handling. This means that it will handle all sessions where media streams flow between two connected branch offices, or between a branch office and some central entity like a media server. For all sessions where both the source and the target are within this internal network, the media streams will continue to flow directly between the endpoints. This address is what allows the Convergence to correctly identify the local branch office.

• External IP All Convergence products support multiple virtual and non-virtual interfaces. When acting as a branch session border controller, there however must be a unique uplink interface through which outgoing media streams are routed. When looking at the SIP messages that are leaving the branch SBC, all SDP bodies will contain this external IP address, and hence all endpoints having a connection with some endpoint inside the Branch SBC will be sending their media streams to this external IP address.
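The following is an added example, not Comdasys code, that models the two mechanisms described under Retransmission Timer and DNS SRV failover penalty: the UDP retransmission sequence (send, wait timer 1, resend, wait timer 2, resend, wait timer 3, resend, wait the final timer, then declare the server down) and the penalty box that keeps a failed SRV target out of rotation until the penalty time has expired. The SRV records, host names and the simulated network are constructed for the example; real deployments would resolve the SRV set from DNS and the timers would be the values configured on the trunk.

```python
import re
from dataclasses import dataclass

# Constructed SRV answer in zone-file layout (example data, not from the manual):
# the lower priority value is preferred, so sip1 is the primary and sip2 the backup.
SRV_ANSWER = """
_sip._udp.trunk.example.net. 300 IN SRV 10 100 5060 sip1.example.net.
_sip._udp.trunk.example.net. 300 IN SRV 20 100 5060 sip2.example.net.
"""
SRV_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")

# Defaults from the manual: 500, 1000 and 2000 msec between retransmissions, then the final timer.
DEFAULT_TIMERS_MS = (500, 1000, 2000)


@dataclass(order=True, frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(text):
    """Return the SRV records ordered by priority (primary first)."""
    records = []
    for line in text.strip().splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return sorted(records)


class Clock:
    """Simulated clock so the timer arithmetic is deterministic."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class FakeNetwork:
    """answer_on maps a host to the transmission number that gets a reply (None = never)."""
    def __init__(self, answer_on):
        self.answer_on = answer_on
        self.sent = []  # (time, host, transmission number)

    def send(self, now, host, attempt):
        self.sent.append((now, host, attempt))
        first_reply = self.answer_on.get(host)
        return first_reply is not None and attempt >= first_reply


def send_request(host, clock, net, timers_ms=DEFAULT_TIMERS_MS, final_s=4.0):
    """UDP retransmission sequence: send, wait timer 1, resend, wait timer 2, resend,
    wait timer 3, resend, wait the final timer, then declare the server down.
    Over TCP/TLS the transport retransmits, so none of this applies there."""
    attempt = 0
    for wait in [t / 1000.0 for t in timers_ms] + [final_s]:
        attempt += 1
        if net.send(clock.now, host, attempt):
            return "ok", attempt
        clock.advance(wait)
    return "down", attempt


class TrunkSelector:
    """Picks the trunk server in SRV priority order, skipping servers in the penalty box."""
    def __init__(self, records, clock, net, penalty_s=60.0):
        self.records, self.clock, self.net = records, clock, net
        self.penalty_s = penalty_s
        self.penalty_until = {}  # target -> time at which its penalty box expires

    def candidates(self):
        usable = [r for r in self.records
                  if self.penalty_until.get(r.target, 0.0) <= self.clock.now]
        # If every server is boxed, fall back to priority order rather than refusing outright.
        return usable or list(self.records)

    def send(self):
        """Returns the target that answered, or None if all candidates timed out."""
        for rec in self.candidates():
            status, _ = send_request(rec.target, self.clock, self.net)
            if status == "ok":
                return rec.target
            self.penalty_until[rec.target] = self.clock.now + self.penalty_s
        return None


if __name__ == "__main__":
    clock = Clock()
    net = FakeNetwork({"sip1.example.net": None, "sip2.example.net": 1})
    selector = TrunkSelector(parse_srv(SRV_ANSWER), clock, net)
    print(selector.send(), "answered at t=%.1fs" % clock.now)  # primary boxed, backup used
    print(selector.send(), "answered at t=%.1fs" % clock.now)  # goes straight to the backup
```

With the defaults, a dead primary costs 0.5 + 1.0 + 2.0 + 4.0 = 7.5 s before the first call fails over; every further request within the penalty time goes to the backup immediately, which is the behaviour the penalty box is there to provide.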

3.5.8 Standalone Template

The standalone template is the simplest template explained here. The Convergence can act as a mini SIP server, thus providing basic call functionality and other basic functionalities supported by the SIP devices. PSTN gateways can be used for making external calls. This template can also be used in conjunction with the B2BUA to use SIP carrier accounts as gateways.

Figure 3.47: Standalone Basic Settings

• Own number Under normal operations, the phones can be reached via two different numbers: their complete PSTN number and, internally, by simply dialling an extension. An example will illustrate this. Let us assume that the branch office can be reached via "+49 89 4711" from the outside. Internally you have the extensions "100" and "110". This means that from the PSTN you can reach the phones by dialling "+49 89 4711 100". Internally, the phones can be reached via their full number or via their extension only. The registration with the SIP server (and with the SIP Proxy in our case here) is performed with the full number. By knowing the Own Number of the branch, the Proxy, upon receiving a call for an extension in Survivability mode, can now prepend the number of the branch and hence find the phone in the registration database. This means that extension dialling still works in survivability mode. If you do not want to use this feature, simply leave the field blank.

Setting the Own Number can also be used to avoid having to do number manipulation in the gateway for incoming calls.

• Prefix number The Prefix number describes the prefix a number has if it is an outgoing call. Usually this is just a simple digit, as for example a "0" for getting an outside line. Expressions for this can however be more complex than that; you can enter arbitrary regular expressions here. Only numbers having the correct prefix will be routed to the gateway. This prevents unavailable internal numbers from ending up in the PSTN and going somewhere unintentionally.

Figure 3.48: Standalone SIP Settings

• Timeout The timeout value is the maximum time the proxy will wait for a response from a gateway upon a request before falling into hunting mode. If a negative response is received earlier, the hunting will of course commence sooner.
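To make the interplay of Own Number and Prefix number concrete, here is an added example (not Comdasys code) that routes a dialled number the way the Own Number and Prefix number entries describe: prefixed numbers go to the PSTN gateway with the prefix stripped, everything else is looked up in the registration database first as dialled and then with the Own Number prepended, and anything still unknown is rejected rather than passed to the gateway. The Own Number and extensions are the manual's own example values; the registration database and the contact addresses are constructed.

```python
import re

# Values from the manual's example: the branch is reachable as +49 89 4711 from the PSTN
# and has the internal extensions 100 and 110.
OWN_NUMBER = "+49894711"
PREFIX = r"^0"   # outside-line prefix; the field accepts arbitrary regular expressions

# Constructed registration database: phones register with their full number.
REGISTRATIONS = {
    "+49894711100": "sip:100@10.1.1.20",
    "+49894711110": "sip:110@10.1.1.21",
}


def normalise(dialled):
    """Strip the separators people type; keep digits and a leading '+'."""
    return re.sub(r"[^\d+]", "", dialled)


def route(dialled, own_number=OWN_NUMBER, prefix=PREFIX, registrations=REGISTRATIONS):
    """Decide where a call goes in survivability mode.

    Returns ("gateway", number_without_prefix), ("local", contact) or ("reject", number).
    """
    number = normalise(dialled)
    if re.match(prefix, number):
        # Outgoing call: only numbers carrying the prefix may leave towards the PSTN gateway.
        return "gateway", re.sub(prefix, "", number, count=1)
    # Internal call: try the number as dialled, then with the Own Number prepended.
    # The second step is what keeps extension dialling working without the central server;
    # with an empty Own Number (feature disabled) it degrades to a plain lookup.
    for candidate in (number, own_number + number):
        contact = registrations.get(candidate)
        if contact:
            return "local", contact
    # Unknown and unprefixed: reject instead of letting it leak into the PSTN.
    return "reject", number
```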

• Enable Hunting This feature only applies to scenarios where there are multiple gateways present. In that case it might be desirable that gateway hunting is performed between these multiple gateways. This can be used for a variety of scenarios, as for example stacking gateways or having gateways in multiple locations and applying Call Admission Control parameters to them. The decision parameters for the gateway hunting are configured with the gateways. If this parameter is not set, only the first gateway will be considered for outbound calls. The others might however still be used for incoming calls, since the SIP Proxy will of course handle their SIP requests just like it would those of any phone.

Figure 3.49: Standalone Diagnostics

• Debug This switch will make the SIP proxy write debug messages to the system log. These can either be seen in CLI mode on the Convergence, or on the specified logging server. See the logging parameters in this document or refer to the Command Line Guide for more documentation on how to have a look at the logging.

3.5.8.1 Gateway Parameters

See Survivability Configuration on page ?? for more information on the parameters here.

3.5.9 ENUM Template

The ENUM template is relatively straightforward to explain. The Convergence acts as an ENUM lookup server and as a Session Border Controller for incoming calls. The typical usage scenario is the Convergence connected to the Internet externally and to a SIP Server / IP PBX internally. The IP PBX must be configured to forward all calls to the Convergence appliance. The Convergence will try to convert the dialled phone number into an E.164 number to perform an ENUM lookup. If it successfully finds a SIP URI registered under this number, it will forward the call via IP. Otherwise it will signal back a trunk busy to the IP PBX, which should in turn try the next available trunk, meaning it will route the call as before via the PSTN. In that scenario, the Convergence can be integrated into the existing voice infrastructure. The Convergence must of course also be configured to permit incoming calls, by opening the firewall etc. Also see the firewall section for more details on this. There might be other usage scenarios where the ENUM template can be useful. An extensive discussion would however be beyond the scope of this book.

• PBX Address This parameter is for entering the address of the connected IP PBX. It can either be entered in the form of an IP address, a host name or even as a DNS SRV address. Note that entering a DNS or DNS SRV name can introduce more latency in forwarding messages to the IP PBX, since the hostname has to be looked up first.

• SIP Transmit Type The SIP Transmit Type parameter is the transmission type the proxy uses to contact the IP PBX. The Convergence supports 3 different SIP transport modes: UDP, TCP, and the encrypted TLS variant. The TCP and UDP types are straightforward and just specify the used protocol type. The type to use depends first and foremost on the used IP PBX. The only type requiring further explanation is TLS. For TLS additional things like the encryption keys are required. The Convergence will generate TLS keys automatically that can be downloaded for the use in the IP PBX via SCP. Please consult the Command Line Reference for more information on how to do that. Since this is a very advanced topic, this cannot be configured via the WebGUI as of yet.

• Debug This switch will make the SIP proxy write debug messages to the system log. These can either be seen in CLI mode on the Convergence, or on the specified logging server. See the logging parameters in this document or refer to the Command Line Guide for more documentation on how to check the logging output.

Figure 3.50: ENUM Basic Configuration

5 Voice-over-IP Figure 3. 3.52: ENUM Diagnostics 2005-2008 c Comdasys AG 126 .51: ENUM Sip Settings Figure 3.

3.5.10 Custom Template

The custom template allows you to use your own configuration script for the SIP Proxy. It is also possible to use one of the above defined scenarios and then modify the script appropriately to suit your needs. Please refer to the Command Line Reference for more information on how to create your custom SIP Proxy configuration script.

The following parameters are all used to convert a telephone number into a full E.164 number.

i Note that the relevance of this information varies quite significantly. In the Cascaded SBC and SIP Trunking scenarios this information is not used at all. In Survivability and Branch SBC mode, this information is only utilized for Survivability functionality and plays no role in normal mode. In the SBC scenario, this information is quite important however, because it is being used for the NAT detection.

• Country Code Enter the Country Code for your country without any preceding digits, i.e. "1" for the USA, "49" for Germany, etc.

• City Code Enter the plain city code: 3 digits in the US; in other countries it can also be a number of variable length.

• Long Distance Prefix Enter the number you have to dial on your phone before making a long distance call. In the US this is a "1", in most European countries a "0".

• International Prefix Enter the number you have to dial on your phone before making an international call. In the US this is "011", in most European countries "00".

3.6 SIP Proxy Users

This menu item lists any currently registered SIP proxy / Session Border Controller users. A user is represented by its URI and its name, where the name may be an alphanumeric string or a telephone number extension.

Figure 3.53: SIP Proxy Users

More details on registered users are provided by the SER server command serctl ul show. Please refer to the Command Line Reference Guide for further information on the usage of serctl. Settings for the SIP proxy are described extensively in section ??.

3.7 SIP TLS configuration

The SIP TLS configuration page is a simple tool to upload a TLS private key and a TLS certificate used to communicate with the client in TLS mode. Naturally this is only relevant if you have a client that is able to support SIP in TLS mode. Otherwise you can ignore this section. The Convergence generates a new private key and a certificate automatically while booting if no private key or certificate exists. Therefore, if you do not want to set up authentication based on certificates, there is no need to do any configuration here. Whichever certificate is used, the peer must be configured to trust it, otherwise the TLS handshake will fail.

Figure 3.54: SIP TLS configuration

3.7.0.1 Upload Private Key and Certificate

To upload a new TLS private key, press the Browse button and select the new private key from your file system (Figure: ??). In the next step press the Upload button and the new TLS private key will be saved onto the Convergence. The procedure for the TLS certificate is essentially the same (Figure: ??). These will be stored on the Convergence and activated after pressing Apply Configuration.

! The TLS certificate must fit the TLS private key, otherwise no TLS communication will be possible. For an RSA key pair you can verify this before uploading by comparing the output of openssl x509 -noout -modulus -in certificate.pem with that of openssl rsa -noout -modulus -in key.pem; the two values must be identical.

3.7.0.2 Create default private key and certificate

If you do not have any keys to use for TLS communication, you can also use the Convergence to create a key set. Simply press Generate and the Convergence generates a new default TLS private key and TLS certificate.

3.7.1 B2BUA

Contrary to the SIP Proxy, the B2BUA does not only handle the SIP signalling, it also handles the media sessions. Not even the SIP messages will be forwarded before being completely parsed and reassembled. The B2BUA must also support the media codecs. It is therefore a lot more relevant what types of sessions are being initiated. Due to these reasons, the B2BUA at the moment can only be used for voice scenarios. The biggest use of the B2BUA is for terminating calls coming from the Internet (e.g. for security reasons). The B2BUA will terminate the call coming from the outside and set up a new internal call. This can be desirable for security purposes if you have e.g. mobile users or home workers that you do not want to connect via e.g. VPN. In such a setup, people can be allowed to make calls from the Internet that will be handed to some device on the LAN without having a direct routing connection. In another scenario, the B2BUA routinely gets used with SIP carriers. SIP carriers usually expect a UA (User Agent like a SIP phone or a Softclient) to be on the other side. As such, it is possible to have the B2BUA also act like a virtual gateway: the B2BUA can emulate a phone being permanently connected to the SIP carrier. The mapping between users and the SIP carrier accounts is done by a set of simple Call Routing Rules (see ??) that can be defined. Incoming calls for a SIP carrier can then be mapped to arbitrary users or even to the SIP Proxy and hence an IP PBX.

Figure 3.55: The Back 2 Back User Agent


3.7.1.1 SIP Carrier Accounts

Here, it is possible to define a SIP carrier account. Refer to your SIP carrier for obtaining the
necessary information. Note that some SIP carriers use the same ID for the phone number
and the User Name. It is possible to have a whole list of SIP carrier accounts by filling out
all necessary fields, then pressing Add . In the following, we will explain the meaning of the
different fields that are available.

Username: Enter the Username for your SIP carrier account here. This Username param-
eter is used for authenticating you at your SIP carrier. Every SIP carrier usually requires
authentication which means that you must enter a value here. Not entering a value here will
cause the system to malfunction.

Password: Enter the Password for your SIP carrier account here.

Phone Number: The phone number is the number given to the user by the SIP carrier
usually without any prefixes. This should be the number you are reachable under within the
SIP network of the carrier.

Host: The host is the SIP server provided by the carrier. Usually they will provide a host-
name, but it can of course also be an IP address. The SIP server is also often called Registrar
or Registry Server.

Domain: The domain tag is the domain name that will be used in the ”from” Header of all
requests and that is expected in that header. The B2BUA manages an internal domain. Most
SIP carriers however do require their domain name to appear in the Header field. For most
SIP carriers, this domain is equal to their DNS domain name. This field can also be an IP
address instead of a domain name. In that case, it will most likely equal the host field.

NAT: This setting indicates whether there is a NAT between the Convergence and the SIP
carrier. If the Convergence itself is performing the NAT, there is no NAT in between when
considered from the perspective of this setting. If this option is checked, the Convergence will
send SIP Pings to keep the SIP signalling channel to the SIP carrier open. The SIP Ping is a
simple SIP OPTIONS packet that most SIP carriers will respond to because this mechanism
is routinely used by other SIP phones as well. Checking this option while not behind a NAT
will cause no harm, it will only cause network traffic.


Attempt direct Media Connection: This parameter controls whether the B2BUA should
allow the endpoints to establish a direct media connection. This can be useful for e.g. fax
transmission. It however also might cause security problems, because it will allow a user
inside your local area network to establish a direct connection to the SIP carrier. Furthermore,
the firewall settings in the Convergence must permit this. With the default settings, the firewall
will allow the outgoing media connection from the phone to the SIP carrier. Since we have an
established session then, the firewall will also admit packets coming from the SIP carrier.
If you leave this button unchecked, the B2BUA will terminate the connection from the SIP
carrier. If you forward this call to another user in the B2BUA, a second call leg will be set up.
This means that the media stream will flow from the SIP carrier to the Convergence and that
the Convergence will set up a second call internally to the user. This elegantly circumvents the
NAT problem. This setup is very secure and means that the B2BUA can perform transcoding.
This means that you can use compressed codecs that some SIP carriers support (e.g. GSM)
with a SIP phone that does not support such a codec. This setup can have problems with very
restrictive firewall settings. Usually the Stateful firewall will detect the media streams with their
associated ports and let them traverse the firewall. Better than relying on the firewall setting
not to change however is to explicitly allow this traffic. The simplest way to accomplish this
is to make sure that you permit incoming UDP Traffic for the Convergence. Please refer to
the ?? section for further documentation on how to accomplish this. You can also make more
restrictive firewall rules for this by e.g. only permitting UDP traffic from your SIP carrier.

3.7.1.2 Users

SIP user accounts are very similar to SIP carrier accounts. The difference is that the Con-
vergence is now a server when considered from the connected phone. This means that you
have to use the information here to configure your SIP UA (User Agent) device or Softclient.
As with SIP carriers, it is possible to manage a practically arbitrary number of SIP UAs here.
Fill in the desired parameters, then click Add . In the following, we will explain the meaning
of the different parameters:

Username: Enter the Username the phone has to use for authentication here. You can
leave this field blank and also leave the field in your UA blank. Your UA will then be able to
connect without authentication.

Password: Enter the Password the phone has to use for authentication here. You can leave
this field blank and also leave the field in your UA blank. Your UA will then be able to connect
without authentication. Note that anyone who can reach the B2BUA can then use this account,
so only do this for UAs on a trusted network.


Host: Enter an IP address or hostname if your UA is using a fixed IP address. When entering
this IP address, the B2BUA will always try to contact your UA under the IP address specified.
It will completely ignore the data sent in the Registration request. If your UA is not sending
SIP REGISTER methods, you have to fill in the parameter here.

Dynamic Host: Check this box if you want to use the information obtained via a SIP REGIS-
TER message to contact the UA. If this option is checked, the B2BUA will always try to contact
the UA under the IP address contained within the last REGISTER message of this UA. If this
option is checked, the Host parameter is completely ignored.

NAT: Check this option if your UA can be behind a NAT firewall. This can be the case with
mobile users coming from the Internet side. If this option is checked, the B2BUA will ignore
the IP addresses contained within the SIP REGISTER message if it does not equal the IP
address the IP packet has been received from. This situation forces the B2BUA to conclude
that the UA is behind a NAT firewall. The B2BUA will try to contact the UA not via its private
address, but will send the SIP message to the official IP address the request was received
from. This approach is very efficient since it will in most cases make the use of STUN in
the UA unnecessary. If your UA supports NAT discovery mechanisms, you will probably not
need to check this option. It should be noted that this option however does no harm if the UA
happens not to be behind a firewall.
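As an added example (not Comdasys code), the following shows the NAT detection described for this option: the address advertised in the REGISTER's Contact header is compared with the source address of the packet that carried it, and if the NAT option is set and the two differ, the B2BUA talks to the source address instead of the advertised private one. The REGISTER message and the addresses are constructed; the packet source address would come from the receiving socket in a real implementation.

```python
import re

# Constructed REGISTER as a phone behind a home router would send it: the Contact carries
# the phone's private address, while the packet arrives from the router's public address.
REGISTER = (
    "REGISTER sip:sbc.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:2001@sbc.example.net>;tag=1928301774\r\n"
    "To: <sip:2001@sbc.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:2001@192.168.1.50:5060;transport=udp>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

CONTACT_HOSTPORT = re.compile(r"sip:(?:[^@>]+@)?([^:;>]+)(?::(\d+))?")


def header(msg, name):
    """First value of a SIP header (case-insensitive), or None if absent."""
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


def contact_address(msg):
    """(host, port) advertised in the Contact header; the port defaults to 5060."""
    m = CONTACT_HOSTPORT.search(header(msg, "Contact") or "")
    if not m:
        raise ValueError("REGISTER without a usable Contact header")
    return m.group(1), int(m.group(2) or 5060)


def resolve_contact(msg, src_ip, src_port, nat_option):
    """Where the B2BUA should send requests for this UA.

    Returns (host, port, nat_detected). With the NAT option set, a Contact that does not
    match the packet's source address is ignored and the source address and port are used
    instead, which is what lets the UA be reached without STUN. Without the option the
    advertised address is used even though it is unreachable from outside."""
    adv_host, adv_port = contact_address(msg)
    nat_detected = adv_host != src_ip
    if nat_option and nat_detected:
        return src_ip, src_port, True
    return adv_host, adv_port, nat_detected
```

Replying to the source port rather than the advertised one is the same idea as the rport/received mechanism of RFC 3581 applied to the Contact; it only works while the NAT keeps the mapping alive, which is why the carrier-side NAT option above sends periodic SIP OPTIONS pings.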

Attempt direct Media Connection: This parameter controls whether the B2BUA should
allow the endpoints to establish a direct media connection. This can be useful for e.g. fax
transmission. It however also might cause security problems, because it will allow a user
inside your local area network to establish a direct connection to another user on the Internet
or to a SIP carrier.
If you leave this button unchecked, the B2BUA will terminate the connection from the UA. If you
forward this call to another user in the B2BUA, a second call leg will be set up. This means that
the media stream will flow from the first user to the Convergence and that the Convergence
will set up a second call internally to the other user. While this might be undesirable for purely
internal connections, it can elegantly circumvent the NAT problem when having one internal
and one external user. For more information, you can also consult the SIP carrier section ??
on page ??.

Codecs: Check all codecs that should be allowed for the specified user. Any codec not
listed here will lead to a call rejection, or at least a codec negotiation until one of the codecs
mentioned here is used. This can also be used to enforce certain policies. You can for
example allow only compressed codecs for all users coming in from the WAN side in order to
preserve bandwidth. These WAN users will then not be able to set up a call with e.g. G.711.
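The codec policy described here is enforced on the SDP the B2BUA sees. The following added example (not Comdasys code) applies such a per-user allow list to a constructed SDP offer: payload types whose codec is not allowed are removed from the audio m-line together with their rtpmap/fmtp attributes, telephone-event (DTMF) is always kept, and an offer that would be left with no voice codec at all is rejected, which matches "call rejection, or at least a codec negotiation". The offer, addresses and ports are constructed.

```python
import re

# Constructed SDP offer from a WAN user: offers G.711 (payload types 0 and 8), GSM (3)
# and telephone-event (101) for DTMF.
OFFER = "\r\n".join([
    "v=0",
    "o=2001 2890844526 2890844526 IN IP4 203.0.113.7",
    "s=-",
    "c=IN IP4 203.0.113.7",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 3 101",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:8 PCMA/8000",
    "a=rtpmap:3 GSM/8000",
    "a=rtpmap:101 telephone-event/8000",
    "a=fmtp:101 0-15",
    "a=sendrecv",
]) + "\r\n"

# Static payload types (RFC 3551) need no rtpmap line, so the common ones are known here.
STATIC_PT = {0: "PCMU", 3: "GSM", 8: "PCMA", 9: "G722", 18: "G729"}
M_AUDIO = re.compile(r"^m=audio (\d+) (\S+) ([\d ]+?)\r?$", re.M)
RTPMAP = re.compile(r"^a=rtpmap:(\d+) ([^/\r\n]+)", re.M)
PT_ATTR = re.compile(r"^a=(?:rtpmap|fmtp):(\d+)")


def codec_names(sdp):
    """Map payload type -> codec name for the offer, static types included."""
    names = dict(STATIC_PT)
    for pt, name in RTPMAP.findall(sdp):
        names[int(pt)] = name
    return names


def filter_offer(sdp, allowed):
    """Keep only the allowed codecs (telephone-event is always kept).

    Returns the rewritten SDP, or None when no voice codec would remain, in which case
    the call has to be rejected."""
    m = M_AUDIO.search(sdp)
    if not m:
        return None
    names = codec_names(sdp)
    allowed_lc = {a.lower() for a in allowed} | {"telephone-event"}
    offered = m.group(3).split()
    keep = [pt for pt in offered if names.get(int(pt), "").lower() in allowed_lc]
    if not [pt for pt in keep if names.get(int(pt), "").lower() !=
            "telephone-event"]:
        return None
    dropped = set(offered) - set(keep)
    out = []
    for line in sdp.split("\r\n"):
        if line.startswith("m=audio"):
            line = "m=audio %s %s %s" % (m.group(1), m.group(2), " ".join(keep))
        else:
            a = PT_ATTR.match(line)
            if a and a.group(1) in dropped:
                continue
        out.append(line)
    return "\r\n".join(out)
```

Because the B2BUA re-originates the second call leg, the filtered offer is what the other side sees; a user restricted to GSM therefore cannot end up in a G.711 call with a LAN phone, and a WAN-side offer without any permitted codec never reaches the LAN at all.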


3.7.1.3 Call Routing Rules

After the configuration of the users and the SIP carrier accounts, we now need to define some
call routing rules. These rules will be used for making the appropriate connections. You have
to understand that each rule defined here only applies to a single direction. If for example we
define a rule that all numbers starting with a ”0” should be routed to the SIP carrier account,
this does nothing to the other direction. In order to accept calls from the SIP carrier account,
we need to define a second rule. The structure of the rules is very simple. You simply define
a Source and a Target for each rule.

From: Enter the number where the call is coming from. This can only be one of two things,
either a SIP carrier account, or a regular expression (there is no full regular expression sup-
port) identifying a certain number range. If you have multiple rules, these will be evaluated in
a best fit manner. You can enter simple patterns here to work with any number of prefixes.
Enter ”0*” to denote all calls starting with ”0”. To denote a SIP carrier account use the number
entered in the phone number field.

To: Choose either a user or a SIP carrier account. Another option is to route the call to the
SIP proxy. In that case, you however need to specify to which extension connected to the SIP
Proxy you want to route the call. For that, it is of no interest in what mode the SIP Proxy is
configured. If it is for example configured in survivability mode, the call will be passed on to
the central SIP server, which then forwards it to the phone with the number entered in the
Number field.

Number: Number to be dialled if a call is forwarded to the SIP Proxy. See the description of
the To field for more information.
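To show what "evaluated in a best fit manner" means for overlapping From patterns, here is an added example (not Comdasys code) of a rule table in the shape of the form above, with a matcher that supports the simple "digits plus *" patterns the field accepts and picks the matching rule with the most literal characters. The rule contents, the carrier numbers and the extensions are constructed; the key a rule is matched against is the dialled number for calls from users and the carrier's Phone Number for calls arriving from that carrier.

```python
import re

# Constructed rule table: From pattern (or carrier phone number) -> To target.
# The target is (kind, name); "proxy" targets carry the extension from the Number field.
RULES = [
    {"from": "0*",         "to": ("carrier", "4989123456")},   # outside line -> main account
    {"from": "00*",        "to": ("carrier", "intl-account")}, # international -> other account
    {"from": "4989123456", "to": ("proxy", "100")},            # calls arriving on that carrier
    {"from": "2001",       "to": ("user", "2002")},            # internal user to user
]


def pattern_to_regex(pattern):
    """The form supports simple patterns only: literal digits plus '*' as a wildcard."""
    return "^" + "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern) + "$"


def specificity(pattern):
    """Best fit = the matching pattern with the most literal characters."""
    return len(pattern.replace("*", ""))


def best_rule(route_key, rules=RULES):
    """Return the most specific rule whose From matches route_key, or None.

    Rules are one-directional: a rule for calls towards a carrier says nothing about
    calls coming from it, which is why the table above needs a separate entry for
    the carrier's own number."""
    matching = [r for r in rules if re.match(pattern_to_regex(r["from"]), route_key)]
    if not matching:
        return None
    return max(matching, key=lambda r: specificity(r["from"]))
```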

3.8 Diagnostics

3.8.1 Syslog-File

This page displays the last lines of the Syslog output the Convergence produces. The output
of this file is explained in more detail in the Command Line Guide. The output also depends on
the Syslog settings and the mode that is configured there (see ?? for more detailed description
of the possible settings here). If Debug is used there, a lot of information will be displayed.
The output can be refreshed by pressing the Reload button. It is also possible to adapt the
number of lines displayed, by entering the desired number into the Number of Lines field.


! By default, the Syslog file is stored in a RAM disk on the device. This means that the information is lost after a reboot. In order to implement persistent storage, an external Syslog Server is recommended. It is however possible to move the log file to the flash from the CLI interface.

i The Convergence performs log rotation on a regular basis to avoid filling up the storage space. This log rotation will compress the current syslog file. All files are stored in the /var/log/ directory and can be accessed e.g. via WinSCP.

3.8.2 Logging

Here you can specify an external syslog server, on which all important messages from the Convergence are logged. Syslog is a standard for logging system messages under Unix and Linux and meanwhile also on many other platforms including Windows. It supports both local and remote (i.e. over the network) logging. If you wish to save system messages from the Convergence, you will have to specify the computer where the messages should be sent to, and the log level for which messages should be saved. This is especially recommended if the Convergence is operated as a firewall. Note that classic syslog over UDP is neither authenticated nor encrypted, so the log server should be reachable only over a trusted management network.

Figure 3.56: Logging

There are the following log levels in descending order:

• Debug: All messages are logged.
• Info: All messages except real debugging messages are logged.
• Notice: All messages that are important for the user are logged.
• Warning: All messages that warn of possible problems are logged.
• Error: All error messages are logged.
• Critical: All critical failure messages are logged.
• Alert: All messages that prevent a service from functioning properly are logged.
• Emergency: All messages that prevent a service from functioning are logged.

If there is no local computer available that can act as a Syslog Server for saving these messages, you can either install a free syslog server available from the Comdasys website, or you can use the local logging on the Convergence. In order to enable the local logging, simply enable the Local Logfile checkbox. This logging is however limited to the space available on the Convergence. For more information on the evaluation of such logs, please refer to the Command Line Guide.

3.8.3 Debugging tools

The debugging tools allow you to easily track down the reasons for network connectivity problems over the web interface without knowing any CLI commands.

Figure 3.57: Debugging tools

The following tools are available:

3.8.4 Ping

Ping sends network packets to a computer and waits for the response while measuring the elapsed time until a response arrives. This program is able to examine if a computer is reachable or not. For this reason it is applicable for instance to check whether the connection to a certain host is working. You can easily trace down the reason for connectivity problems by first trying to ping the first gateway on the way, then the second and so forth. Once that fails, you will know exactly which link is the problem.

3.8.5 Traceroute

This program traces the path that packets from the Convergence to a certain host take. It can complement and expedite certain debugging approaches taken with ping. Note that when trying to trace routes over the Internet, some routers will block this attempt. You will then be unable to get the desired result for a traceroute although the network connection is working properly.

Usually, traceroute is used after you have detected a specific network problem with the ping tool to further narrow down the reason. The output is shown in real time, line after line.

i If you assume that an Internet connection is inoperable, you have to enter the IP address of the host instead of its system name, because in this case the DNS service will probably not be able to resolve system names. This means: if ping does not respond for several seconds, the probability that the address is not reachable is very high.

3.8.6 SNMP

This menu item contains the configuration of the SNMP Daemon. The SNMP Daemon offers basic system information and a service to monitor the Convergence system status. This includes the surveillance of running processes, diskspace usage and the CPU's load average. The SNMP Daemon will send traps in case of a process not running or low diskspace. Beside this a trap is sent on starting and stopping of the SNMPD Daemon. There are the following parameters that can be set up (compare figure ??):

SNMP Basic Settings
In this menu section you can toggle the SNMP service on/off and configure the basic setup. The following configuration settings are available:

• Readonly password: Specify a SNMPv1 or SNMPv2c community that will be allowed read-only access.
• Read-/Write password: Specify a SNMPv1 or SNMPv2c community that will be allowed read-write access.
• Enable SNMP trap sending: This checkbox enables active monitoring.
• SNMP trap community name: Specify the community name which will be used in traps.

Trap destination
Here you can specify one or more IP addresses as a destination for SNMP traps.

Proxy
This option enables the SNMP Daemon to act as a proxy, passing certain requests to a SNMP service running on another machine.

• IP address: The IP address of the machine to which the proxy should forward.
• Port: Optional: The port on which the target machine is listening for SNMP. Default is port 161.
• Password: The SNMP community string on the target machine.
• SNMP Version: Choose between SNMP version 1 or 2c.
• Object-ID (OID): Optional: Part of the OID tree which should be passed through to the target machine. Default is the whole OID tree.

Figure 3.58: SNMP Configuration

Setting up the SNMP daemon

1. Check Active to enable the SNMP daemon.
2. Provide configuration details for the basic setup as described above.
3. In addition to the Basic settings you can specify one or more Trap destinations and Proxies to be used by the SNMP daemon. Use Add to add an entry and fill the form. Use the corresponding icons to edit or to delete an existing entry.

Click Save to save your changes. Your changes will be applied after selecting Apply configuration.
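The Object-ID field of a proxy entry restricts which part of the OID tree is forwarded to the target machine. The following added example (not code from the appliance) shows the check such a proxy has to perform before forwarding a request, including the pitfall that OID containment must be tested on numeric components, not on string prefixes: .1.3.6.10 is not below .1.3.6.1 although the text starts the same way. The proxy table, the addresses (documentation range 192.0.2.0/24) and the community names are constructed.

```python
"""Subtree check for SNMP proxy entries as configured in the SNMP menu.
Added example, not the appliance's own code; the proxy table is constructed."""


def parse_oid(oid):
    """'.1.3.6.1.2.1' or '1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); '' -> ()."""
    parts = oid.strip().strip(".").split(".")
    if parts == [""]:
        return ()
    return tuple(int(p) for p in parts)


def oid_in_subtree(oid, subtree):
    """True if `oid` equals `subtree` or lies below it.  An empty subtree
    (the form's default, the whole OID tree) covers every OID.  Comparing
    integer components avoids the '1.3.6.1' vs '1.3.6.10' string-prefix bug."""
    o, s = parse_oid(oid), parse_oid(subtree)
    return o[:len(s)] == s


# Constructed proxy table in the shape of the form fields described above.
PROXIES = [
    {"ip": "192.0.2.10", "port": 161, "community": "pbx-ro",
     "version": "2c", "oid": ".1.3.6.1.4.1"},   # enterprise subtree only
    {"ip": "192.0.2.11", "port": 161, "community": "gw-ro",
     "version": "1", "oid": ""},                 # empty = whole OID tree
]


def select_proxy(requested_oid, proxies=PROXIES):
    """Return the first proxy entry whose subtree covers the requested OID,
    or None when no entry applies and the request stays local."""
    for entry in proxies:
        if oid_in_subtree(requested_oid, entry["oid"]):
            return entry
    return None


if __name__ == "__main__":
    for oid in (".1.3.6.1.4.1.9.2", ".1.3.6.1.2.1.1.1", ".1.3.6.10"):
        hit = select_proxy(oid)
        print(oid, "->", hit["ip"] if hit else "local")
```

Entries are tried in order, so a narrow subtree should be listed before a catch-all entry, as in the constructed table.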

3.8.7 Firewall Report

This section shows how many packets have been dropped and the matched firewall rule. Information about dropped packets may be helpful for testing connections or improving your firewall rules. Depending on the direction of packets, rules are joined in three chains: INPUT, OUTPUT and FORWARD. You can see the overall number and size of dropped packets and additional information of the matched rule (protocol, input/output interface, source and destination). The information shown on this page is a summary of packets dropped by the firewall and will be refreshed every time you choose this menu item or click Refresh. You can also reset the firewall packet counters by clicking Reset.

Figure 3.59: Firewall report

3.8.8 Trace File

Network debugging would not be possible without analyzing network traffic. A prerequisite for performing such analysis, however, is collecting information, in the form of a packet trace created with the command line tool tcpdump. A trace file created by tcpdump can then be viewed by a network packet analyzer such as Ethereal. However, an introduction to network monitoring using these tools would be far beyond the scope of this manual.

This page offers a simple interface for tcpdump.

Creating a new trace

1. Select a network interface you want to listen on from the dropdown box. In order to gather information from all interfaces, choose ANY.

2. Additionally, you can input some options for tcpdump, as you would do on the command line. You can specify port numbers, protocols, number of packets to be traced and many other options. Describing all options available with tcpdump would go far beyond the scope of this manual, e.g.:

• -s0 Usually only the first 64 bytes of a packet will be traced. This reduces the size especially of long running traces. The -s0 parameter will remove the 64 Byte limitation. The entire packet including the payload will be visible in the trace file.
• port 5060 This will introduce a filter into the trace and only the packets with the specified source or destination port will be traced.
• src host 10.10.10.10 This will restrict the tracing to all packets coming from the specified host.
• dst host 10.10.10.10 This will restrict the tracing to all packets going to the specified host.
• proto tcp You could also use the protocols ip, icmp, udp here.

An example combining several of the above parameters would be something like -s0 port 5060 src host 10.10.10.10 proto udp. This would trace SIP traffic (port 5060 and UDP by default) coming from host 10.10.10.10.

Note that traces especially on the LAN interface can get very large very quickly if no filters are specified.

3. Click on Start to start the trace. Your trace will not be interrupted. In order to stop and download the trace file, simply click on Stop and confirm saving the file to your disk. If you just want to check whether the trace is already completed (e.g. in case you have specified a maximum size of file or number of packets to be traced), click on Status.

Figure 3.60: Starting trace

Figure 3.61: Downloading trace file
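To make the filter terms above concrete, the following added example (not part of the manual, and not tcpdump itself) evaluates the small filter notation used in this section, port N, src host A, dst host A, host A, proto P or a bare protocol name, optionally joined with "and", against a constructed list of packet summaries. It implements the semantics described above (port matches either direction, src/dst host one direction, ip matches every packet) and the packet limit; it is a simplified subset, not the full BPF grammar that tcpdump accepts. The sample packets and addresses are constructed.

```python
"""Evaluate the filter subset described in the Trace File section against
packet summaries.  Added example, not the manual's or tcpdump's code; the
packet records below are constructed."""

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def parse_filter(expr):
    """Turn a filter string into a list of (kind, value) predicates."""
    tokens = [t for t in expr.split() if t != "and"]
    preds = []
    i = 0

    def arg(k):  # k-th token after the current one, with a bounds check
        if i + k >= len(tokens):
            raise ValueError("filter ends unexpectedly after %r" % tokens[i])
        return tokens[i + k]

    while i < len(tokens):
        t = tokens[i]
        if t == "-s0":
            i += 1                       # snaplen option, not a filter term
        elif t == "port":
            preds.append(("port", int(arg(1))))
            i += 2
        elif t in ("src", "dst") and arg(1) == "host":
            preds.append((t + "_host", arg(2)))
            i += 3
        elif t == "host":
            preds.append(("host", arg(1)))
            i += 2
        elif t == "proto":
            preds.append(("proto", arg(1)))
            i += 2
        elif t in PROTOCOLS:
            preds.append(("proto", t))
            i += 1
        else:
            raise ValueError("unsupported filter token: %r" % t)
    return preds


def matches(packet, preds):
    """A packet passes when every predicate holds (an implicit 'and')."""
    for kind, value in preds:
        if kind == "port" and value not in (packet["sport"], packet["dport"]):
            return False
        if kind == "src_host" and packet["src"] != value:
            return False
        if kind == "dst_host" and packet["dst"] != value:
            return False
        if kind == "host" and value not in (packet["src"], packet["dst"]):
            return False
        if kind == "proto" and value != "ip" and packet["proto"] != value:
            return False
    return True


def apply_filter(packets, expr, max_packets=None):
    """Return the packets a trace with this filter would contain; max_packets
    mirrors limiting the number of packets to be traced."""
    preds = parse_filter(expr)
    out = [p for p in packets if matches(p, preds)]
    return out if max_packets is None else out[:max_packets]


PACKETS = [  # constructed sample traffic on a LAN interface
    {"proto": "udp", "src": "10.10.10.10", "dst": "10.10.10.1", "sport": 5060, "dport": 5060},
    {"proto": "udp", "src": "10.10.10.1", "dst": "10.10.10.10", "sport": 5060, "dport": 5060},
    {"proto": "udp", "src": "10.10.10.10", "dst": "10.10.10.1", "sport": 16384, "dport": 20000},
    {"proto": "tcp", "src": "10.10.10.10", "dst": "10.10.10.1", "sport": 40001, "dport": 5060},
    {"proto": "icmp", "src": "10.10.10.20", "dst": "10.10.10.1", "sport": 0, "dport": 0},
]

if __name__ == "__main__":
    for p in apply_filter(PACKETS, "-s0 port 5060 src host 10.10.10.10 proto udp"):
        print(p)
```

The manual's example expression selects exactly one of the constructed packets: the UDP SIP packet from 10.10.10.10, while the TCP packet to port 5060 and the RTP packet are excluded. Narrow filters like this are what keep long-running LAN traces small.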

4 Enterprise Mobility (Fixed Mobile Convergence)

4.1 Introduction to Fixed-Mobile-Convergence for the Enterprise

The vision of FMC is for people to use a single communication device with a single number, while enjoying wideranging mobility on existing Public Mobile Networks, taking advantage of less expensive, high-speed WLAN connectivity. FMC should provide the subscriber a consistent user experience regardless of location and time-of-day with no interruption of service when roaming between fixed-line (through Wifi) and mobile networks. The goal of FMC is to break the paradox that arises from the fragmentation of communications channels and to make multiple channels (networks) appear and behave as a single channel, thus restoring the core value of communications: improved productivity and reachability.

The Fixed-Mobile-Convergence functionality of the Convergence makes the use of the handset device flexible and independent of the used network infrastructure. This is achieved by connecting the Convergence to the PBX system. The mobile device can then be used as a PBX extension both over the Wifi network, as well as over cellular. A mid-call handover from cellular to WLAN and back is possible as the handset device supports dynamic detection of sufficient WLAN network coverage. According to the quality of the link over WLAN the Convergence handles the media path for the ongoing calls and carries out the handover of the media stream. While a handover will be successful in most scenarios, the seamlessness cannot be guaranteed with an abrupt signal loss. Getting onto an elevator is a frequently cited example for such a sudden loss of connectivity. This situation is no different than commonly observed in contemporary cell networks.

The speech quality of WLAN calls does not differ significantly from the quality of calls set up via cellular. The Convergence in conjunction with the client will select the right codec and also otherwise do everything to guarantee the best possible voice quality. The Convergence can also do transcoding to support specially optimized codecs on the WLAN side, while using general purpose codecs like G711 on the PBX side. When doing transcoding, the Convergence will need to have control over the media stream at all times.

The Convergence consists of two components, a Client and a Server. In order for everything to work correctly, the client needs to be properly installed on the handset. Refer to the separate client documentation for more information on that.

4.1.1 Accessing PBX Features with FMC

Besides the basic call functionality with a single phone number that is supported both via WLAN and GSM, the Convergence provides a wide range of the standard enterprise PBX features. For more information refer to ??.

4.1.2 Basic Configuration Steps for FMC

The following configuration steps are necessary to configure your dual mode solution. Please refer to the more detailed descriptions of the menu points above.

1. If not done already, install the license file for the Convergence (refer to ?? for further details on License Management).

2. Configure Global Settings. There are several SIP and RTP related options to configure. For a detailed description of the configuration parameters please refer to ??.

3. Configure SIP Endpoints. You need to specify a PBX host and if applicable a separate host for the incoming GSM callthrough calls. This second host will be used for handling the callthrough calls. You can provide a name for each host which you will use later to associate e.g. Registrations. Choose a meaningful name that reflects the intended usage of this host to simplify the use in the other sections where this name will be reflected. Click Add to create a new entry, fill the form and click Save to save your changes. Use the corresponding icons to edit or to delete an existing entry. For a detailed description of the configuration parameters please refer to ??.

4. Configure a Number Profile. You will find a detailed description of these in the sections above.

5. Callthrough Number: You have to specify the dial-in (also called callthrough or trampoline number) to be used for handling calls initiated from the GSM network, that are first connected to the Enterprise and only then the actual called number is being dialed. For a detailed description of the configuration parameters please refer to ??.

6. Configure Registrations. A registration represents the link of a configured user with a user on the PBX. Click Add to create a new entry, fill the form and click Save to save your changes. Use the corresponding icons to edit or to delete an existing entry. For a detailed description of the configuration parameters please refer to ??.

7. Create User accounts. Note that you need to associate the user with a registration for him to be able to make calls via the PBX. Click Add to create a new entry, fill the form and click Save to save your changes. Use the corresponding icons to edit or to delete an existing entry.

! Note that the Numbers in the User account configuration must be unequal to the number used in the Registration. Having both sides equal can lead to weird behavior especially when using features.

8. Your changes will be applied after selecting Apply configuration.

These features are signalled via SIP in WLAN, and via DTMF in cellular mode. The dual mode client on the handset will make this fact completely transparent to the user. The features described here equal the features usually provided in a SIP phone. In order to make them usable through handoffs, their implementation has been changed and distributed between the Convergence and the client. The following features are provided:

• Hold
• Toggle
• Consultation
• Conferencing (3pty)
• Transfer
• Combinations of the above

i Note that the selectable features can vary depending on the client, the client version, as well as the used PBX. Feature combinations that are not supported are not offered by the FMC client.

It should be noted that also combinations of these features are usable. Any features described here will also work through handoffs in both directions.

i The transfer feature requires the PBX to support the SIP REFER message as defined in RFC 3515. The implemented transfer mechanism is an unattended transfer with a fallback function in case the transfer is declined by the PBX. In that fallback case, the previous call is resumed.

In addition to these typical SIP client side features, the server based SIP features are also available as described below. Many features in SIP PBXes are enabled / disabled by using access codes. It will be possible to access the features completely transparently from the handset. To avoid possible conflicts with systems provided by many operators such as VoiceMail systems, accessing some features requires using more complex DTMF signals than just a single digit. In addition to features enabled by access codes, some group features are also usable via the dual mode handset. All of these features can usually be fully used in conjunction with full dual mode operation. The number and type of features are very dependent on the connected PBX, but there are some rules to tell what features are available. In addition to the emulated SIP phone features, the server side features of the PBX can be used. The following is a list of features that are typically supported if the PBX supports this:

• Pickup
• Call Back
• Call Forwarding

• Hunting
• Simultaneous Ringing
• Call Groups
• Boss Secretary
• ...

Depending on the used PBX, keyset operation is also supported to a limited degree. The great exception here is any feature including indicator lamps, which are not supported on the dual mode device. The reason for that is that the necessary keys and indicator lamps are simply not present on a typical dual mode device. Depending on the implementation, indicator lamps are however supported passively, meaning that if a dual mode device shares a keyset line with an enterprise phone, and a call is present on the dual mode device, the enterprise phone shows the indication that the other line is indeed busy.

4.1.3 Unified Communication Functions

Besides the above described telephony functionality the Convergence has been designed to provide an overall and unified communication experience. This naturally does not only include voice communication, but also Instant Messaging and Presence. XMPP (formerly known as Jabber) is the industry standard protocol for that. This is what the Convergence uses. In order to understand this, we first have to explain some basic principles about XMPP / Jabber.

The Jabber network is server-based (i.e. clients do not talk directly to one another) but decentralized; by design there is no central authoritative server, as there is with services such as AOL Instant Messenger or MSN Messenger. Anyone may run their own XMPP server on their own domain. The standard TCP port for Jabber is 5222. Every user on the network has a unique Jabber ID (usually abbreviated as JID). To avoid the need for a central server with a list of IDs, the JID is structured like an e-mail address with a username and a DNS address for the server where that user resides, separated by an at sign (@), such as username@domain.com. Since a user may wish to log in from multiple locations, the server allows the client to specify a further string known as a resource, which identifies which of the user's clients it is (for example home, work and mobile). This may then be included in the JID by adding a forward slash followed by the name of the resource. For example the full JID of a user's mobile account would be username@domain.com/mobile. Each resource may have specified a numerical value called priority. Messages that are simply sent to username@domain.com will go to the client with the highest priority, but those sent to username@domain.com/mobile will only go to the mobile client. The configuration of the priority depends on the XMPP server configuration.

The assumption is that an organization has its own XMPP Server, and the Convergence supports interacting with such a server much the same way this is done with the PBX. It will register with the XMPP server under a configured user name and as mobile account. The same paradigms will be used as for the voice functionality, meaning that for the XMPP server, the Convergence will act as the client. The Convergence will take care of terminating all this signalling towards the XMPP server, to provide a convenient way for the user to access these features from his FMC client. The FMC Server component will then take care of abstracting things like baseband, connection properties, etc. Now since the Mobile Client cannot always be online, the Convergence will handle the forwarding. If you want to make use of these features, you will need to make use of the SBC functionality described below. Please refer to the section ?? for more information on how to configure this.

4.1.4 FMC Interface and Port Handling

The Convergence has multiple network interfaces, that can in principle all be used for the FMC application. The main interface that handles the connection towards the PBX is the LAN1 interface. The default SIP port for Client registrations is 5060. For the server registrations, the Convergence will select a dynamic port for each SIP user, depending on the number of configured users. The port range for this is 12000 and higher.

! The FMC application does not accept SIP signalling on port 5060 from any interface except for LAN1. If clients are to be used in different networks, or behind NAT routers, you need to utilize the Session Border Controller component of the Convergence. This component will provide security and NAT handling and ensures that all networks configured on the Convergence are cleanly separated. This Session Border Controller component runs on all interfaces by default and uses the port 5062 for UDP/TCP signalling and 5061 for TLS signalling. If you use a different interface, you will need to point your client to these ports.

! If you intend to use TLS, you should make sure to have correct certificates. You can do this in the SIP TLS configuration section where you can either generate or upload appropriate certificates.

4.2 FMC Enterprise Configuration Introduction

On the following pages you will find the detailed instruction of the setup of your FMC solution. The configuration settings are divided into several different groups. First you may want to configure the Global Options followed by the Numbering Profiles, the Endpoints, the Callthrough Numbers, the Registrations and the User Accounts.
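The JID and priority rules from the Unified Communication section above determine where a message to a user ends up, which matters here because the Convergence registers as the user's mobile resource and has to forward messages when that client is offline. The following is an added example, not Convergence code and not a full XMPP implementation: it parses JIDs into node, domain and resource and resolves the delivery target from a constructed presence table, applying the bare-JID rule (highest priority wins, and a negative priority never receives bare-JID messages, per RFC 3921) and the full-JID rule (only that resource). The user names and priorities are constructed.

```python
"""Parse Jabber IDs and pick the delivery resource as described above.
Added example, not Convergence code; the presence table is constructed."""
import re

# node@domain/resource; node and resource are optional
JID_RE = re.compile(r"^(?:([^@/]+)@)?([^@/]+)(?:/(.+))?$")


def parse_jid(jid):
    """Return (node, domain, resource); node and resource may be None."""
    m = JID_RE.match(jid)
    if not m:
        raise ValueError("malformed JID: %r" % jid)
    return m.group(1), m.group(2), m.group(3)


def bare_jid(jid):
    """Strip the resource: username@domain.com/mobile -> username@domain.com."""
    node, domain, _resource = parse_jid(jid)
    return "%s@%s" % (node, domain) if node else domain


# Constructed presence table: for each bare JID, the connected resources and
# the priority each client announced when it logged in.
SESSIONS = {
    "username@domain.com": {"home": 5, "work": 10, "mobile": 0},
    "other@domain.com": {"mobile": -1},   # negative: never gets bare-JID messages
}


def route(to, sessions=SESSIONS):
    """Return the resource a message addressed to `to` is delivered to, or
    None when it must be stored or forwarded (nobody eligible is online,
    or the explicitly addressed resource is not connected)."""
    _node, _domain, resource = parse_jid(to)
    online = sessions.get(bare_jid(to), {})
    if resource is not None:
        return resource if resource in online else None   # full JID: that client only
    candidates = [(prio, res) for res, prio in online.items() if prio >= 0]
    if not candidates:
        return None
    return max(candidates)[1]                              # bare JID: highest priority


if __name__ == "__main__":
    for to in ("username@domain.com", "username@domain.com/mobile",
               "username@domain.com/tablet", "other@domain.com"):
        print(to, "->", route(to))
```

With the constructed table, username@domain.com goes to the work client (priority 10), username@domain.com/mobile goes to the mobile client regardless of priority, and an offline resource or an all-negative presence yields None, which is the case in which the Convergence takes over forwarding for the mobile client.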

i Note that the order of configuration does matter because certain information is required in order to be able to configure certain things. For instance, you do need a Registration representing a PBX account in order to configure a dual mode user. This means that the menu items in the Dual Mode menu are ordered the same way they should be filled out.

i Registrations and User accounts might sound alike, but in the Convergence they mean fundamentally different things. The appliance acts with two different identities for each user. On the one hand, it acts like a client towards the PBX. On the other side, it acts like a server for the FMC Client. In this manual, Registration is always used to refer to the latter (the communication side with the PBX), whereas User Account describes the side towards the handset. If you want to utilize the single number functionality, you will also have to configure a GSM number for a user.

4.3 Global Settings

The following section contains global settings necessary for the FMC component on the system. These settings are essential for operating your Convergence properly. Note that various fields have to be filled in for the system to work properly.

4.3.1 Global Settings / General Options

This part of the configuration contains general settings concerning the used PBX, SIP related features and media stream settings.

Enable Callthrough early media
This feature supports the playback of progress indicator ringtones when using the call through functionality. When setting up a call through the call through interface, the FMC client will first set up a call to the server via the callthrough (Trampoline) number. The server will accept the call and use any extra digits or inband signalled DTMF digits to make a call to the destination. It is now possible to play a progress indication during this time. Otherwise you will hear silence until the other side is actually ringing. The ringback tone for the other side will always be played back no matter if this feature is activated or not.

Figure 4.1: Global Settings

Figure 4.2: Global Settings

Enable Client Early Media
This will prompt the Convergence to respond to all requests from the client for a call setup by setting up an early media stream. It leads to the setup of an audio stream even before the connection is completed. Through this audio stream, tones can be played back to give the user an audible feedback. Then all ringback tones, busy signals, etc. are played back inband. Note that this setting applies to connections toward the client only, meaning that it essentially applies to SIP connections only. For incoming calls that are extended to the cellular side as well as for callthrough calls you need to check the Enable Callthrough Early Media setting. Contrary to that setting, this one has no dependency on the utilized PBX. It is something that is solely negotiated between client and Server. Therefore, the recommendation is to put this setting to On because it enables the most consistent user experience for both SIP and cellular calls.

Disable Passthrough of Session Progress
Session progress is a message that can be signalled in SIP to show that the connection setup is progressing. Some PBXs also do that towards their endpoints. The Convergence supports this toward the client. By default, the Convergence will however pass through the early media coming from the PBXs and forward it to the client. That conflicts with the early media sent by the Convergence. If your PBX supports early media, and you want to activate early media towards the client on the Convergence, you have to check this option. Otherwise, you will hear both tones being played back, the one from the PBX as well as the one from the Convergence. The other option is to not activate the early media towards the client and leave this box unchecked. In that case the early media will be passed through from the client and you get the progress tones from your PBX or your media server. As already noted, the Convergence will also provide Early Media to the client if Enable Client Early Media (see ??) is enabled.

Disable Inband DTMF detection
The Convergence supports three different mechanisms of detecting DTMF tones coming both from the Client as well as from the gateway or PBX through the callthrough trunk connection:

• Inband signaling
• Signaling according to RFC2833
• Signaling via the SIP INFO method

The Convergence does the automatic detection as follows. By default, all DTMF tones will be detected automatically. The Convergence will automatically try to detect the DTMF mode the peers are using. It will do so after the connection has been initialized and it has seen the first DTMF coming from the peer. Once it has identified the used mode, it will continue to use it. A redetection is triggered by restarting the Dual Mode Server.

! The correct detection of the used DTMF mode is not always possible. It can furthermore consume quite some resources, especially if the Convergence came to the conclusion that inband DTMF is being used. Some gateways or PBXes support RFC2833 fallback, meaning that they will send DTMFs both inband and via RFC2833. If the peer does this, this will lead to double detections on our side. In order to avoid such problems, it is recommended that you always disable inband DTMF if anything else is supported by the peers. If doing that, you have to check this box to suppress inband DTMF detection. It is recommended to use RFC2833 if your equipment supports this. If this is the case, this option should always be checked to avoid wasting resources on the inband DTMF detection.

Disable # as Feature Code
Previous versions of the Convergence supported DTMF feature codes in GSM mode that started with the # sign. This is not ideal since the # sign is frequently used in Interactive Voice Response systems. The Convergence has to wait for additional digits after seeing a # sign. This leads to a delay of passing through the # sign. Although the client can handle this, this problem was solved with more recent versions of the FMC client. Those use different sequences that do not create this sort of problem. You can therefore check this item, resulting in a better DTMF handling. This will however break the compatibility with former Client versions. GSM features will then no longer work. The list below should give you an overview of the client versions that are using this old signalling specification:

• fgVoIP V2.9.1
• fgVoIP V3.0
• fgVoIP V3.0.11
• fgVoIP V3.0.12

Disable Number Converter
The Convergence supports a three stage number converting process:

• Source pattern to target pattern mappings defined by explicit rules (see ?? for more information about this)
• Considering numbers as internal depending on their length (see ??)
• Automatic conversions based on the Number Profile settings performed here (see ??)

When checking this option here, the number conversion process will be completely switched off. This means that any dialed number will be passed through straight to the PBX without any modification.
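The DTMF mode detection and the RFC2833 fallback problem described under Disable Inband DTMF detection can be made concrete with the following added example; it is not Convergence code but a model of the behaviour the text describes. One detector per call leg locks onto the mechanism of the first DTMF event it accepts and ignores the other mechanisms afterwards; the Disable Inband DTMF detection checkbox is modelled as a flag that drops inband events before they can lock the mode. The event streams (a fallback-capable gateway that sends every digit twice, and a peer that only signals inband) are constructed.

```python
"""Model of the DTMF mode auto-detection and lock-in described above.
Added example, not Convergence code; the event streams are constructed."""

MODES = ("inband", "rfc2833", "sip_info")


class DtmfDetector:
    """State for one call leg.  The first accepted event fixes the mode, as
    the appliance does once it has seen the first DTMF from a peer."""

    def __init__(self, disable_inband=False):
        self.disable_inband = disable_inband  # the checkbox described above
        self.mode = None                      # None until the first event
        self.digits = []

    def feed(self, mode, digit):
        """Process one detected DTMF event; return True if it was accepted."""
        if mode not in MODES:
            raise ValueError("unknown DTMF mode: %r" % mode)
        if mode == "inband" and self.disable_inband:
            return False                      # inband detector switched off
        if self.mode is None:
            self.mode = mode                  # lock in the first mode seen
        if mode != self.mode:
            return False                      # other mechanisms are ignored now
        self.digits.append(digit)
        return True

    def reset(self):
        """Redetection, which on the appliance needs a Dual Mode Server restart."""
        self.mode = None
        self.digits = []

    def collected(self):
        return "".join(self.digits)


def collect_digits(events, disable_inband=False):
    """Feed (mode, digit) events through one detector and return the digits."""
    det = DtmfDetector(disable_inband)
    for mode, digit in events:
        det.feed(mode, digit)
    return det.collected()


def naive_collect(events):
    """What a detector without lock-in would produce: every copy counts."""
    return "".join(digit for _mode, digit in events)


# Constructed: a gateway with RFC2833 fallback sends each digit both ways.
FALLBACK_PEER = [
    ("rfc2833", "1"), ("inband", "1"),
    ("rfc2833", "2"), ("inband", "2"),
    ("rfc2833", "#"), ("inband", "#"),
]
# Constructed: a peer that only signals inband.
INBAND_ONLY_PEER = [("inband", "4"), ("inband", "2")]

if __name__ == "__main__":
    print("fallback peer, naive:", naive_collect(FALLBACK_PEER))
    print("fallback peer, locked:", collect_digits(FALLBACK_PEER))
    print("inband-only peer, inband disabled:", repr(collect_digits(INBAND_ONLY_PEER, True)))
```

The last line of output is the caveat from the text: with inband detection disabled, a peer that can only signal inband produces no digits at all, so the checkbox is only safe when every peer supports RFC2833 or SIP INFO.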

Enable DTMF invoked Handover
This functionality is only required if you are using a non-supported client (as for example a softphone), which could be the case e.g. for testing purposes. Since the proprietary signalling is not supported by a generic SIP client, you can use the following DTMF sequence to invoke a handover: **00. This will make the appliance dial the configured GSM number for the respective user. If you pick up the GSM call leg, you can terminate the SIP call. It will also be terminated automatically after a brief period of time.

4.3.2 SIP Options

Options to be configured in this section affect the general behavior of the SIP related features. This is especially relevant for the registration behavior as well as the NAT handling in conjunction with the SBC component.

Registration expiration time
You can specify the default amount of seconds for all outbound registrations. Reregistrations will be performed after half the time specified as this parameter. Note that the PBX can always override the registration expiration timeout by returning an expires parameter in the Contact header or a separate Expiry parameter of the OK response to the sent registration. Note that some PBXs also reject registrations with expiration timeouts that are too brief. By default, many servers expect expiration timeouts between 1800 and 3600 seconds. In those cases, you should increase the timeout here. Note that this setting has absolutely no effect on the client side. It only specifies the registration interval towards the PBX / Server.

i If registrations fail, please make a SIP trace. If you see registrations rejected with the error Request Interval too Brief, you will need to increase the timeout set here.

Domains
The SIP domain is sometimes important for digest authentication as well as for the request URI formatting towards some PBXs. All messages originating from the Convergence towards the PBX will contain the domain you specify here in the appropriate SIP header fields (in all places where you would normally find its IP address).

External IP for NAT
The external IP parameter specifies the IP address which will be used as the source IP address for all SIP messages when NAT handling should be done. This implicitly defines the external interface used for the NAT handling. If left blank, the IP address of the first LAN interface will be used. It does not matter whether the interface for the IP address specified here is a LAN, WAN, or DMZ interface.
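The registration expiry rules just described (re-register after half the granted interval, the PBX may override the requested value, and too-brief values are rejected) are the classic REGISTER negotiation of RFC 3261. The following added example, not the appliance's code, drives one registration attempt against a constructed PBX responder: it reads the granted expiry from the Contact expires parameter or the Expires header of the 200 OK, and when the server answers 423 Interval Too Brief it retries with the server's Min-Expires value, which is the manual's advice ("increase the timeout") automated. The responder thresholds, the extension and the addresses are constructed.

```python
"""Registration expiry handling as described above.  Added example, not
Convergence code; the PBX responder and its thresholds are constructed."""
import re


def granted_expires(status, headers, requested):
    """Return the expiry (seconds) to use after a REGISTER response.
    `headers` maps lower-cased header names to values."""
    if status == 423:
        # RFC 3261 section 10.3: the server states its minimum in Min-Expires
        return int(headers["min-expires"])
    if status != 200:
        raise RuntimeError("registration failed: %d" % status)
    m = re.search(r";expires=(\d+)", headers.get("contact", ""))
    if m:
        return int(m.group(1))           # Contact parameter wins
    if "expires" in headers:
        return int(headers["expires"])   # separate Expires header
    return requested                     # server accepted what we asked for


def next_refresh_delay(expires):
    """Re-register at half the granted interval, as the manual states."""
    return expires // 2


def register(requested, responder, max_attempts=3):
    """Drive a registration; `responder(expires)` returns (status, headers).
    Returns (granted_expires, refresh_delay, attempts)."""
    expires = requested
    for attempt in range(1, max_attempts + 1):
        status, headers = responder(expires)
        granted = granted_expires(status, headers, expires)
        if status == 423 and granted > expires:
            expires = granted             # retry with the server's minimum
            continue
        if status == 423:
            break                         # server keeps rejecting: give up
        return granted, next_refresh_delay(granted), attempt
    raise RuntimeError("registration not accepted after %d attempts" % max_attempts)


# Constructed PBX behaviour: rejects anything under 1800 s, caps at 3600 s,
# and reports the granted value in the Contact parameter.
def pbx_responder(expires):
    if expires < 1800:
        return 423, {"min-expires": "1800"}
    granted = min(expires, 3600)
    return 200, {"contact": "<sip:1001@192.0.2.5:12000>;expires=%d" % granted}


if __name__ == "__main__":
    print(register(600, pbx_responder))    # too brief, retried with 1800
    print(register(7200, pbx_responder))   # capped by the PBX to 3600
```

A registration configured with 600 seconds is first rejected and then accepted at 1800 seconds, so the refresh runs every 900 seconds; asking for 7200 seconds is silently capped to 3600 by this PBX, which the client only learns from the Contact parameter.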

i The Convergence when doing NAT handling will utilize a built-in Session Border Controller for handling clients behind NATs. In those cases, the client needs to be registered via port 5062. For all messages arriving through this interface on port 5062 (or port 5061 for TLS), NAT handling will be performed. There is no need for the configuration of any special handling on the client side. The Convergence can easily check whether a NAT is involved. This can be done by checking for private IP address ranges and seeing if the source of the message matches the source indicated in the SIP signalling. Should this not be the case, NAT handling has to be performed. This means that all messages must be returned through the firewall pinhole that the message came from. The addresses in the SIP header and the SDP body will then in part not be considered. The same holds true for the media stream.

This distinction is due in part to security concerns. The mechanisms needed to perform the NAT handling can increase the likelihood of such attacks as session hijacking. Explicitly not doing NAT detection makes the communication over insecure links a little safer. When using TLS as a signalling protocol, this risk is not there because the signalling is done through a secure channel. For TLS there is no such distinction since there NAT detection will always be done by default (so port 5061 can always be used).

i Note that it is also possible to make use of an external Session Border Controller. For that purpose simply configure the Convergence as a SIP server in the used Session Border Controller and have the SBC forward the SIP messages to port 5060 of the Convergence. Then the external SBC will perform the NAT handling.

Port Ranges
Due to the complexity of the product, the possibility to change the used port ranges has been restricted to expert mode. The following will provide some information on the utilized port ranges.
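The NAT check described above (compare the transport source of a message with the address the client put into its SIP signalling, and look for private ranges) is shown in the following added example, which is not Convergence code. It parses the top Via header of a constructed REGISTER, tests the signalled address against the RFC 1918 ranges, and decides whether replies must go back to the pinhole the packet came from instead of the signalled address. The request, the extension and the addresses (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges) are constructed; a real SBC applies the same decision to the SDP media addresses, which this example leaves out.

```python
"""NAT detection for SIP requests as described above.  Added example, not
Convergence code; the sample REGISTER and all addresses are constructed."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True for the RFC 1918 ranges the text refers to."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_headers(raw):
    """Minimal SIP header parsing: lower-cased name -> first value."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break                       # end of headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def signalled_address(headers):
    """IP and port the client claims in its top Via header."""
    m = re.match(r"SIP/2\.0/\w+\s+([\d.]+)(?::(\d+))?", headers["via"])
    if not m:
        raise ValueError("unparsable Via: %r" % headers["via"])
    return m.group(1), int(m.group(2) or 5060)


def needs_nat_handling(raw, src_ip, src_port):
    """Return (nat, reason): True when the observed source differs from what
    the client signalled, or when a private address arrives from a public one."""
    via_ip, via_port = signalled_address(parse_headers(raw))
    if is_private(via_ip) and not is_private(src_ip):
        return True, "private address %s signalled from %s" % (via_ip, src_ip)
    if (via_ip, via_port) != (src_ip, src_port):
        return True, "source %s:%d differs from Via %s:%d" % (src_ip, src_port, via_ip, via_port)
    return False, "addresses consistent"


def reply_target(raw, src_ip, src_port):
    """Where to send the response: the pinhole if NAT is detected, else the Via."""
    nat, _reason = needs_nat_handling(raw, src_ip, src_port)
    return (src_ip, src_port) if nat else signalled_address(parse_headers(raw))


REGISTER = (  # constructed REGISTER from a client on a private LAN behind NAT
    "REGISTER sip:192.0.2.1 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:1001@192.0.2.1>;tag=a1\r\n"
    "To: <sip:1001@192.0.2.1>\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # seen from a public source: the NAT rewrote the packet, reply to the pinhole
    print(needs_nat_handling(REGISTER, "203.0.113.7", 41000))
    # seen on the same LAN: the Via matches, reply to the signalled address
    print(needs_nat_handling(REGISTER, "192.168.1.20", 5060))
```

The two cases in the script mirror the port distinction in the text: a client whose packets arrive rewritten needs the 5062 path with NAT handling, while a client on the same segment, for which the Via and the transport source agree, can be served without it.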

i Port Ranges for Signalling and Media Streams: For signalling the client must use port 5060 towards the server. As noted above, port 5061 should be used for TLS and 5062 for NAT handling (always towards the client). The port used for callthrough is also 5060. In the SIP signalling towards the PBX, the ports 12000 and up are being used. Every configured registration will use its own port. This usage of different ports is necessary because some PBX have problems if multiple distinct registrations are coming from the same port and IP address. Note that the highest port used depends on the number of simultaneously open connections. For the media streams the port range 16384 - 22384 is used. The media handling port range towards the PBX is also 16384 - 22384. For NAT handling the ports 35000-36500 are used. A call requiring NAT handling will use a port in the 16384 and up range in addition to a port above 35000 from where the media stream is forwarded to the appropriate pinhole. The media stream from the FMC Server towards the internal SBC component uses the internal loopback interface, so externally only the stream from port 35000+ can be seen. Note that a call can have up to 6 different legs in a callthrough scenario.

! When using a client from behind a NAT firewall, it must be registered with port 5062 (or 5061 with TLS), which is where the Session Border Controller component is currently running. Trying to register with port 5060 will fail because no NAT handling is performed there. When using TLS, NAT detection is always performed automatically.

4.3.3 Outbound Proxy

This enables you to statically specify the next hop for all SIP messages towards the PBX. This is often used for placing SIP Proxies or Session Border Controllers on the network edge for protecting the Convergence and / or the PBX. When configured, the Convergence will add a static Route header to accommodate this statically defined next hop. This option will not really change the message routing of the messages except for adding this static routing entry. Other than that everything will remain the same as without an outbound proxy. If you want more information about outbound proxies, please refer to RFC 3261.

Address
SRV name, hostname, or IP address of the outbound SIP Proxy (DNS SRV excluding the SRV prefix). Please make sure the DNS settings in the Convergence are correct in case you are using hostnames here.

Port
The port number will be ignored in case you have specified a DNS SRV name. Otherwise, the SIP messages will be sent out to the port specified here.

i This setting will usually be used in conjunction with a large network where the Convergence is for example placed into a branch office that is only connected to the PBX through a WAN link. In those cases you will often find some device offering survivability services in the branch office. In order to be able to use this service, all SIP messages have to be routed through this device. In those cases simply specify the survivable proxy device as an outbound proxy here.

4.3.4 Callback Number
Configure the phone number for invoking the callback functionality here. It must have the same format as the number arriving from the PBX when a callback is invoked. The callback feature tries to revert the direction of a call. This is usually done to make use of the cheaper rates when making a call from fixed line to the mobile phone as compared to the other direction. The following section explains the basic functionality of the callback feature:
• User dials a certain number in GSM mode (simply enters the number into the FMC client and presses callback)
• The FMC client will initiate a call to the configured callback number
• The Convergence will reject this call and initiate a call back to the Client.
• The FMC client will pick up the incoming call and dial the actual number via DTMF (the Convergence will play back ringtones etc.)
• The call is connected if the other party picks up

For security reasons, this feature will work only from GSM numbers known to the Convergence. This means that only configured users will be able to utilize the callback functionality.

i The client needs to support the callback functionality in order to be able to comfortably use it. If the client does not support it, it can still be used manually by calling the callback number, waiting for the incoming call and then dialing the desired number.

i Callback is usually utilized in scenarios where the user is travelling abroad having bought a national SIM card (e.g. prepaid card). This is registered into the system. When making a callthrough call you would then however need to pay international call rates because the callthrough number is in the home country. In order to avoid that, simply invoke a callback. Now the direction of the call is reversed, and the incoming call will be free (or just airtime) on the phone.

4.3.5 IMS Handover
IMS stands for IP Multimedia Subsystem and is a technology mostly driven by mobile operators to provide an operator centric approach to Fixed Mobile Convergence. This standard defines a handover mechanism that is implemented by all compatible handsets. The Convergence also supports this way of performing handovers. The IMS VCC handover will work with all VCC compliant handsets and clients. Contrary to the standard approach, this mechanism works by having the client initiate the second call. This makes it much less suitable for Enterprise use, because some of the control over the billing is lost. Whenever performing a handover between GSM and WLAN or vice versa, the client will hence attempt to initiate a call to a preconfigured number.

GSM to WLAN Number
This is a number that must be reachable over Wireless LAN. Since in WLAN we are only dealing with a pure Client / Server connection, this can be any number you choose. To avoid any conflicts, it should however still be unique in the context of your Enterprise network.

WLAN to GSM Number
This number must be a proper fixed line phone number. In the case of the WLAN to GSM handover, a GSM call will be made to some fixed line phone number that needs to be configured here. The routing on the PBX must be configured to have this number routed to the Convergence. This number can be compared to the Callthrough number. The treatment of this number should be similar to the callthrough number, but it is only used for handover purposes.

4.3.6 Multiple GSM Number Support
Beyond being a dual mode solution, the Convergence will help you to facilitate your mobile telephony experience. In order to lower roaming cost and to accommodate the communication needs, many people own more than one SIM card and hence have more than one number. When we talk about multiple numbers, we speak about at least two and potentially up to ten, although 5 should be some sort of practical limit. These multiple SIM cards can be administered using the Convergence and activated from anywhere, thus always correctly forwarding the calls to the currently used number. Switching between those different SIM cards has to be possible without any data connection because it cannot be guaranteed to be available when needing to do the switch. Therefore activating a different SIM card should be possible simply by making a call to a special number. The provisioning of this special number is done here by the administrator. In order to support this feature, it is possible to configure multiple GSM numbers for each user account (see ??). Calling this number with a provisioned SIM card will identify the calling user and activate the SIM card he utilized. This implies that the authentication of the user is based on Caller ID. If this is a known user, the SIM card that he is currently calling with is assumed to be the active number. The server will reject the call in order to signal the user that the switching was successful.

4.3.7 RTP Options
The RTP Options are used to set system wide behavior of RTP media streams such as timeouts and sending of RTP keepalive packets.

TOS for outgoing media
Specify the TOS byte that is to be set in the IP header for all voice payload traffic leaving the Convergence. It has been originally defined in RFC 791. The following 8 bits were allocated to the Type of Service (TOS) field in the IP header:
• bits 0-2: precedence
• bit 3: 0 = Normal Delay, 1 = Low Delay
• bit 4: 0 = Normal Throughput, 1 = High Throughput
• bit 5: 0 = Normal Reliability, 1 = High Reliability
• bits 6-7: Reserved for future use
The original intention was for a sending host to specify a preference for how the datagram would be handled as it made its way through an internetwork. For instance, one host could set its IPv4 datagrams' TOS field value to prefer low delay, while another might prefer high reliability. These bits have been redefined, most recently through the DiffServ working group in the IETF and the Explicit Congestion Notification codepoints (see RFC 3168). This field is now used for DiffServ and ECN. In order to set the field, use a decimal number between 0 and 255. The value will be taken as 8 bits with the bitmask's meaning being explained above.

i Note that this setting applies only to WAN interface traffic. To perform generic DSCP and TOS tagging, you have to define rules in the /etc/sysconfig/firewall.custom file.

! Note that if you want to use FMC services across the WAN port, the firewall will block those by default. It is however relatively easy to enable SIP and RTP traffic on the WAN interface. Please refer to the ?? section for more information about this topic. If your messages arrive on the WAN interface, you will need to use the separate 5062 (default setting) port for UDP messages. For TLS, you can use the standard 5061 port. On port 5062 (default setting), NAT handling has been enabled in contrast to the standard B2BUA mode.
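The following helper is an added example and not part of the Comdasys manual or product: it encodes and decodes the decimal TOS byte entered as "TOS for outgoing media" using the RFC 791 bit layout listed above, and gives the DiffServ / ECN reading of the same byte so that a DSCP value (as used in the firewall.custom rules of this section) can be translated into the 0-255 number the Convergence expects. All names and sample values are constructed for illustration.

```python
"""Worked example for the 'TOS for outgoing media' byte (RFC 791 bits) and its
DiffServ / ECN reading (RFC 2474 / RFC 3168). Added example, not Comdasys code."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class TosFields:
    """RFC 791 view of the byte; bits are numbered from the most significant bit."""
    precedence: int            # bits 0-2, 0..7
    low_delay: bool            # bit 3
    high_throughput: bool      # bit 4
    high_reliability: bool     # bit 5
    reserved: int = 0          # bits 6-7, today the ECN codepoint


def encode_tos(f: TosFields) -> int:
    """Build the decimal TOS byte (0-255) from its RFC 791 fields."""
    if not 0 <= f.precedence <= 7 or not 0 <= f.reserved <= 3:
        raise ValueError("precedence must be 0..7 and reserved 0..3")
    value = f.precedence << 5
    value |= 0x10 if f.low_delay else 0
    value |= 0x08 if f.high_throughput else 0
    value |= 0x04 if f.high_reliability else 0
    return value | f.reserved


def decode_tos(value: int) -> TosFields:
    """Split a decimal TOS byte into its RFC 791 fields."""
    if not 0 <= value <= 255:
        raise ValueError("TOS byte must be 0..255")
    return TosFields(precedence=(value >> 5) & 0x7,
                     low_delay=bool(value & 0x10),
                     high_throughput=bool(value & 0x08),
                     high_reliability=bool(value & 0x04),
                     reserved=value & 0x3)


def dscp_to_tos_byte(dscp: int, ecn: int = 0) -> int:
    """DiffServ view: DSCP is the upper 6 bits of the byte, ECN the lower 2."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn


def tos_byte_to_dscp(value: int) -> Tuple[int, int]:
    """Return (DSCP, ECN) for a decimal TOS byte."""
    if not 0 <= value <= 255:
        raise ValueError("TOS byte must be 0..255")
    return value >> 2, value & 0x3


def dscp_name(dscp: int) -> str:
    """Standard per-hop-behaviour name of a DSCP, or DSCP<n> if it has none."""
    if dscp == 0:
        return "BE"
    if dscp == 46:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0 and 1 <= cls <= 7:
        return "CS%d" % cls
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return "AF%d%d" % (cls, rem // 2)
    return "DSCP%d" % dscp


if __name__ == "__main__":
    # "--set-tos 16" in the rtp rule of this section is the RFC 791 Low Delay bit.
    print(decode_tos(16))
    # "--set-dscp 34" (AF41) corresponds to TOS byte 136 in the Convergence setting.
    print(dscp_name(34), dscp_to_tos_byte(34))
    # DSCP 35 from the sip rule has no standard per-hop-behaviour name.
    print(dscp_name(35))
```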

Generic DSCP and TOS tagging
To enable generic TOS / DSCP tagging, you have to add the following lines to the /etc/sysconfig/firewall.custom file:

iptables -I OUTPUT -t mangle -m layer7 --l7proto rtp \
    -j DSCP --set-dscp 34
iptables -I OUTPUT -t mangle -m layer7 --l7proto rtp \
    -j TOS --set-tos 16

The TOS and DSCP values must of course be changed to the desired ones. To accomplish the same for the signalling, use the following lines:

iptables -I OUTPUT -t mangle -m layer7 --l7proto sip \
    -j DSCP --set-dscp 35
iptables -I OUTPUT -t mangle -m layer7 --l7proto sip \
    -j TOS --set-tos 17

Former Version compatibility
In former versions of the Convergence, it was necessary to set RTP Timeouts and Keepalives. This has all been automated with the newer version and there is no need to change these settings. Nevertheless, we will explain the different timers here.
As just mentioned, the Convergence will drop any call after not having received RTP media for 30 seconds. This is called the RTP timeout and is used for hanging up dead calls. The RTP Timeout is the amount of seconds to wait for RTP traffic before classifying the connection as discontinued, which will result in terminating this connection. This may be used for dead peer detection and will reduce telephony costs in case of failure. The default value is 30 and means that if no RTP traffic is received for more than four seconds, the connection will be dropped. Note that this timer applies only from the dual mode device towards the Convergence since there the connection towards the PBX must be terminated. If that is the case, charges can be incurred on this leg. Note that this timeout does not come into effect when having a call on Hold. Contrary to the other directions, there is a timeout of 300 seconds, meaning that after a call was on Hold for 300 seconds, it is simply hung up because it is assumed that the party was forgotten or lost (e.g. when the FMC user who put the other party on hold dropped out of the call).

i Note that there are some other predefined timeouts hardcoded to the B2BUA.

4.4 Number Profiles
Every PBX is associated with a unique Number Profile. This profile defines how outgoing numbers will be formatted towards the PBX. With some options, also the incoming numbers from the PBX are modified to provide the correct Caller ID display on the client. The goal is to always have dialable numbers, especially after receiving a call. Note that numbers on the cell phone are typically dialed in E164 format and therefore need to be reformatted by the Convergence. The number in the Call Log is then assumed to be in the E164 format so that it can be dialed both via WLAN as well as over the cellular network. However this cannot be assumed from a number coming from a PBX. This is when the Convergence needs to take over this job. With some PBXs special number formatting would need to be done. With others it is not even possible to format the numbers appropriately. This will however be considered later. Note that it is possible to define additional mappings through the Number Patterns page.

The FMC number converter performs its operations in 3 stages:
1. Source pattern to target pattern mappings defined by explicit rules (see ?? for more information about this)
2. Considering numbers as internal depending on their length
3. Automatic conversions based on the Number Profile settings performed here
When a match is found in a specific stage, all following stages are skipped. The exception to this rule are the ??. There the Treat As field determines if further processing is done or not.

First we want to define a general Number Profile. This step is crucial since it determines how numbers are sent to your PBX. If you make mistakes here, it will lead to no connections or wrong connections at a later point in time. The parameters set here in the number profile will be used by the number converter for formatting outbound requests. Select the Number Profiles menu entry, and you will see the following mask (the content as always will vary depending on your configuration):

! Note that by default there is no number profile configured. You however need to configure at least one to proceed. You can add arbitrarily many number profiles. Each number profile must be associated with a PBX. You can also define multiple SIP Hosts referencing the same PBX but using different Number Profiles.

i The fields Country Code, Area Code, Country Prefix, Area Prefix have to be set if you want to have the Convergence operate correctly.

• Name This is a name identifying the number profile in the other masks. You will need to use this name whenever you are referencing the number profile defined here.

Figure 4.3: Number Profiles Configuration

• Country Code The country code is the international prefix number of the country the host is located in. This is required for properly converting E164 numbers. This parameter is used in conjunction with the City Code to correctly compose numbers for outgoing calls. Whenever you dial a number that starts with your own country code, the Convergence will strip away this country code before extending the call to the PBX. Note that this only applies to numbers dialed from the mobile device, or on the GSM side if we are dealing with a callthrough case.
• Country Prefix Prefix to denote that a country code will follow, e.g. 00. As briefly mentioned before it will be 00 for most countries, but in the US it is for example 011. You have to specify it with leading zeroes instead of the plus sign, e.g. 0049 instead of +49. The + sign will be handled automatically on the client side already.
• Area Code The Area Code is used in conjunction with the Country Code to correctly compose the numbers for outgoing calls. Whenever you dial a number that starts with your own city code (relative to where the Convergence is positioned), the Convergence would strip away its own Area Code before sending to the PBX. Note that this setting only applies to numbers dialed from your mobile device. Note that the area code also has to be specified without any leading zeroes.

• Area Prefix Enter the number you have to dial on your phone before making a long distance call. In most European countries a 0. In the US this is a 1.
• Internal Length Numbers that do not exceed this length will always be considered as internal numbers. Sometimes there is no real pattern to internal numbers. Mostly however, internal numbers have a maximum length. To disable this you should set this to 0. See ?? for a more in depth description of this.
• Outgoing Prefix With this parameter you can specify the prefix required for getting an outside line with your PBX. In most cases this will simply be a single digit. Note that this digit will not be prefixed if the Convergence identifies a call as an internal call.
• Fixed Prefix A fixed prefix can be added to all numbers sent to the PBX. This can be used for a variety of reasons where you want to know in the PBX that this is actually an FMC call. This could e.g. be used for doing a special treatment in the billing or a least cost routing implementation.
• Remove Prefix This prefix will be matched against any calls coming from the PBX. If a SIP From header contains a number with this prefix, the prefix will be removed from this number. This will however only be done if the call is forwarded directly to the WLAN side of the user. When forwarding to GSM, the modification is usually not done because the PBX will also do some number processing. If you want to have the number modification also done if the call is forwarded to the GSM side, the ?? box must be checked also.
• Use Remove Prefix for GSM This option activates the removing of the prefix in a SIP From header for a case where the call is forwarded to the GSM side of the Called User.

Number Conversion
As briefly mentioned above, these parameters will be used to do a conversion in three steps. The first step is an explicit specification as described in ??. If nothing matches, an automatic conversion in two steps is done.

Number Conversion Stage 2
Numbers that are considered as internal by their length, meaning: never touch numbers that do not exceed length X. This setting is authoritative for Stage 2. Stage 2 was meant to enable special treatment for short numbers. Since there are few real numbers with three digits, all short numbers are left untouched, even if they start with e.g. the outbound prefix. If Internal Length is set to anything greater than 0, only numbers that are longer will ever see Stage 3. If you do not want these exceptions, just set the Internal Length value to 0. Then Stage 2 is completely disabled and all numbers undergo automatic conversions as described below.

Number Conversion Stage 3
1. A leading + character is replaced by the country prefix as configured.
2. The number is checked to see whether it starts with the country prefix followed by the country code and area code, as specified; if so, the number is flagged as outgoing and the country prefix together with the country code and the area code are removed.
3. If the previous does not apply, the number is examined whether it starts with the country prefix followed by the country code (without area code); if so, the number is flagged as outgoing and the country prefix together with the country code are replaced by the area prefix.
4. If the previous does not apply, the number is checked to see whether it begins with the area prefix and the area code as configured; if so, the number is flagged as outgoing and area prefix together with area code are removed.
5. If the previous does not apply, the number is checked to see whether it begins with a 0; if so, it is flagged as outgoing.
6. All numbers that are flagged as outgoing are prepended by the dialout prefix as specified.
7. The fixed prefix (if configured) is prepended to all numbers.

! Note that there must be a valid number profile before you can define a SIP Host.
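The following is an added worked example of the conversion described above and is not the Convergence's own implementation: it models Stage 2 (Internal Length) and the seven Stage 3 steps for numbers dialed on the mobile device, plus the Remove Prefix handling for From: numbers arriving from the PBX. Stage 1 (explicit Number Patterns) is left out, and the profile values and numbers are constructed for illustration.

```python
"""Worked example of the Convergence number converter, Stages 2 and 3.
Added example, not Comdasys code; Stage 1 (Number Patterns) is not modelled."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NumberProfile:
    country_code: str                       # without leading zeroes, e.g. "49"
    area_code: str                          # without leading zeroes, e.g. "89"
    country_prefix: str                     # e.g. "00" (011 in the US)
    area_prefix: str                        # e.g. "0" (1 in the US)
    outgoing_prefix: str = ""               # digit(s) for getting an outside line
    fixed_prefix: str = ""                  # prepended to every number sent to the PBX
    internal_length: int = 0                # 0 disables Stage 2
    remove_prefix: str = ""                 # stripped from From: numbers from the PBX
    use_remove_prefix_for_gsm: bool = False # also strip when forwarding to GSM


def is_internal(number: str, p: NumberProfile) -> bool:
    """Stage 2: numbers not exceeding Internal Length are internal, left untouched."""
    return p.internal_length > 0 and len(number) <= p.internal_length


def stage3(number: str, p: NumberProfile) -> str:
    """Stage 3: automatic conversion, steps 1-7 as listed in this section."""
    outgoing = False
    # 1. a leading + is replaced by the country prefix
    if number.startswith("+"):
        number = p.country_prefix + number[1:]
    cc_ac = p.country_prefix + p.country_code + p.area_code
    cc = p.country_prefix + p.country_code
    ac = p.area_prefix + p.area_code
    if number.startswith(cc_ac):
        # 2. own country and area: strip country prefix, country code, area code
        number, outgoing = number[len(cc_ac):], True
    elif number.startswith(cc):
        # 3. own country, other area: country prefix + code become the area prefix
        number, outgoing = p.area_prefix + number[len(cc):], True
    elif number.startswith(ac):
        # 4. own area dialed nationally: strip area prefix and area code
        number, outgoing = number[len(ac):], True
    elif number.startswith("0"):
        # 5. any other number starting with 0 is an outside call
        outgoing = True
    # 6. outgoing numbers get the dialout prefix
    if outgoing:
        number = p.outgoing_prefix + number
    # 7. the fixed prefix goes in front of everything
    return p.fixed_prefix + number


def to_pbx(number: str, p: NumberProfile) -> str:
    """Format a number dialed on the mobile device for the PBX (Stages 2 and 3)."""
    if is_internal(number, p):
        return number            # a Stage 2 match skips all following stages
    return stage3(number, p)


def from_pbx(number: str, p: NumberProfile, to_gsm: bool = False) -> str:
    """Apply Remove Prefix to a From: number arriving from the PBX."""
    if not p.remove_prefix or not number.startswith(p.remove_prefix):
        return number
    if to_gsm and not p.use_remove_prefix_for_gsm:
        return number            # GSM leg: only when 'Use Remove Prefix for GSM' is set
    return number[len(p.remove_prefix):]


# Constructed profiles for a PBX in Munich, Germany (not real configurations).
MUNICH = NumberProfile(country_code="49", area_code="89", country_prefix="00",
                       area_prefix="0", outgoing_prefix="0", internal_length=4,
                       remove_prefix="0")
MUNICH_TAGGED = NumberProfile(country_code="49", area_code="89", country_prefix="00",
                              area_prefix="0", outgoing_prefix="0", internal_length=4,
                              fixed_prefix="*55", remove_prefix="0",
                              use_remove_prefix_for_gsm=True)

if __name__ == "__main__":
    for dialed in ("+498954843330", "+493012345", "08954843330", "+41449999999", "1234"):
        print("%-14s -> %s" % (dialed, to_pbx(dialed, MUNICH)))
```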

4.5 Endpoint configuration
In order to be able to configure any users, you must first configure the SIP endpoint you want the Convergence to work against. The SIP endpoint will be some sort of SIP Server, typically a PBX. A SIP server can be one of the following:
• SIP capable PBX
• B2BUA or Softswitch
• SIP Proxy
• Gateway able to handle registrations
Each configured host may have a wide variety of different configuration settings. The most important ones are the network addresses, as well as some SIP settings and authentication options. You will have to assign a Number Profile to each endpoint.

! At least one SIP Endpoint has to be configured before you will be able to do any further configuration.

Figure 4.4: SIP Hosts configuration

Common name
The common name of a SIP host uniquely identifies it. It may be the hostname or DNS name of the configured host, but it does not have to be. It is used for internal purposes only and should be descriptive because it is used in other configuration pages. This name will be used throughout all further configuration.

Hostname/IP Address
This setting enables you to specify the address for a SIP host either as its IP address or as a fully qualified domain name (FQDN). If you are going to use the FQDN you need to make sure that the Convergence is able to resolve the configured FQDN correctly.

Port
In some configurations it is necessary to specify the port on which your desired host listens for incoming SIP connections. The default is to connect to port 5060, the standard SIP port. This should work for most configurations. The most frequent reason for using a non-standard port are security considerations: using a non-standard port makes an attack more difficult. A lot of the scanning bots used for trying to determine vulnerable systems on the Internet only check for these standard ports. This approach can make denial of service or other attacks more difficult by obscuring that the Convergence is actually a SIP aware device. Note however that obscuring the port cannot and must not replace real security mechanisms such as digest authentication.

Realm
The realm parameter specifies the authentication realm used when connecting and authenticating to the SIP endpoint / host. All devices connected to the Convergence must hence belong to the same authentication realm to work together. Although the notion of a realm is cleanly specified in RFC2543, many UAs fail to implement it. These then simply ignore the parameter. Therefore, the likelihood is very high that registrations will work even without setting this parameter. If the host is behaving completely compliant to the SIP specifications, it should reject any attempt to register with the wrong realm. When in doubt, you can simply leave this field blank.

Preserve Caller ID
This setting applies to incoming calls that are extended to the cellular side of the dual mode device. If disabled, a special header field is added to preserve the Caller ID of the originally received call, while enabling the call to be correctly billed to the called FMC user. Some PBXs however do not support this special header, which is why the From: header needs to be overwritten. This however will most likely break the billing of the used PBX. If that is okay for your use, simply leave disabled. Below, both options are explained in more detail.

• Disabled The Convergence will add the SIP P-Asserted-Identity Header to the message setting up the cellular call leg towards the dual mode device, which contains the Caller ID of the original call. In order to ensure the correct billing of the call, the From Header will show the Enterprise number of the called dual mode user. This is the default behavior. Most PBXs should be able to setup the call with this SIP message. The same holds true for the Contact: Header. Some PBX also interpret the P-Asserted-ID header and put it into the From: header towards the gateway. Others simply pass it through to the voice gateway and rely on that to do the call properties translation to the Caller ID. The important part however is that the original Caller ID is correctly passed on to the voice gateway. In order to enable all Caller ID information to come through, you must have the No Screening feature enabled on your PSTN trunk.
• Enabled If enabled the Convergence will simply replace the From: header with the original Caller ID. This will almost certainly break billing and make some PBXs reject the call (because it is not coming from any known user). For others not supporting any special headers however, this might in fact be the only way to get the Caller ID information right, especially if the correct billing is required.

The result of the above can be one of two things. Either the user sees the correct Caller ID of the original caller, or he sees his own office number / the enterprise trunk number. The first alternative is of course the preferable one, however not possible in all combinations.

! Even if all of the above is properly supported by the PBX and the Caller ID gets sent out correctly, it might still not arrive on the other side. Most carriers will screen the sent Caller ID information and restrict the number range to that of the Trunk connection. All other numbers will usually be replaced by the head number of the Trunk the PBX is connected to.

Available Codec
Please select the preferred codec towards the PBX. The codec set here will always represent the first codec offered in the signalling between the Convergence and the PBX. This codec setting will become effective whenever a call is terminated on your PBX, or on an IP phone / Gateway connected via your PBX.

i The Convergence supports both the G.711 alaw and ulaw codecs towards the PBX. Both codecs are always offered, so the PBX is completely free to determine the used codec by selecting its preference. The use of compressed codecs is not possible and not recommended on this side of the Convergence. Typically compressed codecs are used on the mobile device, and transcoding to a different compressed codec would seriously degrade the quality. On the mobile device side, using a compressed codec such as ILBC or GSM is even recommended because it is less straining for the WIFI network. On the other hand, especially ILBC is very resilient in bad network conditions and could even lead to better voice quality under certain conditions. When using the FMC client across a WAN connection, the use of a compressed codec is highly recommended.

Local Interface
Specify the interface to be used for sending / receiving the SIP messages. It will be the IP address of the configured interface that the PBX will see in all messages. It has to be able to return messages to this IP, so all routing and security settings on involved firewalls need to be set appropriately. Different SIP endpoints can be configured to use separate network interfaces. This enables a clean network separation as is sometimes required for security purposes.

Number Converter Profile
You need to select a valid Number Profile for creating a host. It is not possible to configure an endpoint without a number profile. Not doing so will lead to the creation of the host failing. In order to see how you can configure a converter profile, please refer to ?? for more information. Before forwarding a call to the PBX, the Convergence will enforce the configured number profile against the dialed number. On the mobile device side, numbers are assumed to be dialed in E164 or abbreviated E164 format. The Convergence will do the number formatting, so that the SIP endpoint will only get proper enterprise numbers. This is done to provide a uniform behavior between plain cellular mode and enterprise mode. This is one of the key concepts in FMC. While the cell phone now is an enterprise phone, it would be very inconvenient if the stored contact only worked in one of the two modes.

! Note that at least one Number Profile needs to be selected for an endpoint.

4.6 Callthrough Numbers

Figure 4.5: Callthrough Number

The dial-in (also called callthrough or trampoline number) routes cellular calls through the enterprise PBX to keep all supplementary services working. In addition to that, this enables a true single number service, where the callee will always see the enterprise number. When you are in cellular mode and dial a number, this callthrough number will be dialed by the FMC client followed by the number of your desired target. The sequence of events is that the mobile user first sets up a call to the Convergence, and it will then forward the call to the right destination through the PBX. In that configuration, your client will make use of DTMF dialing (check the client documentation for more information on that). The client will signal the callee number via DTMF, which will subsequently be translated to SIP and dialed through the PBX (two-step dialing). This usually works without first picking up the call (one-step dialing). Numbers up to 18 digits are supported by most providers. These 18 digits must suffice for both the Callthrough number as well as the dialed number. Sometimes however, this might not work without answering the call because PSTN providers will cut the resulting phone number after a fixed amount of digits. In that case, the Convergence will accept the call and then listen for a DTMF sequence.


! The dial-in number must be specified exactly as the Convergence receives the call
from the media gateway or the PBX. This means that the number should not contain any
prefixes that are stripped by the PBX. If the callthrough number is not working, please check
in a trace that the SIP INVITE message sent by the PBX or media gateway contains exactly
the number specified here.

! The dial-in number is only usable for configured users. This is essential for security
purposes. In order to authenticate the users, the Calling Party number field is used. In most
countries, the accuracy of this number is guaranteed by law and accordingly enforced by
the carriers.
It is possible to specify multiple callthrough numbers here. The assumption is a large
organization with PSTN break-in / break-out in several countries and or locations. In those
cases it is advisable to always use the nearest dial-in number. If you are travelling abroad
for example, it is most of the times cheaper to use a dial-in number at your current location
rather than always calling home.

Callthrough Numbers Configuration Options
• Number: This field should contain the number exactly as it is called from your PBX or
media gateway. Make sure to not have any additional prefixes or suffixes in here.
• Active: This field Activates/Deactivates the callthrough number. If the number is not
activated, the call to it will be rejected.
• Local Port: The local port will determine the port on which the unit will listen to receive
callthrough calls from the PBX / the media gateway. Signalling here is always SIP UDP.
• Interface: Defines the local interface to be used when communicating to the SIP Server
providing this callthrough number. Even a dedicated interface can be used here. It
is also possible to make use of the WAN interface here to implement the callthrough
number e.g. through a SIP Trunk.
• Active Registration: Enables registration of this Callthrough Number on PBX. In some
PBX it is easier to let endpoints (even if this is a trunk connection) register dynamically
rather than doing a static configuration. This is required for some SIP Trunks. It can also
be required if the SIP host handling the callthrough number is behind a firewall. With the
registration information a suitable PBX can even do NAT handling and it would hence be
possible to have the Convergence and the PBX in two completely separate networks.
• Registration IP: Without doing active Registrations, the Convergence will accept all in-
bound calls to the specified number on the above defined interface and port. When
registering to the IP specified, only calls from this host are accepted. Note that it is also
possible to specify a hostname here that has to resolve correctly.



• Port: Describes the port of the SIP host the callthrough number should be registered
against.
• Registration Password: In this case the configured number will be used as Request URI
and username for registering with the PBX. This field is for configuring the password
used for digest authentication.

i In case the callthrough number does not work you should check that the number is
configured without any prefixes / suffixes. In order to check you can make a trace of the call
coming in across your PBX. Check the Request URI and the To header to exactly match the above
specified number. If the call is rejected, the user cannot be authenticated. This could also
have to do with the Caller ID. The Convergence will check up to 10 digits. If fewer digits are
coming in across the gateway, these need to exactly match the configured number. This is
necessary for security purposes, because otherwise the number cannot be guaranteed to
be unique. If you have a number with fewer digits, the prefix in the Caller ID of the incoming
call also has to match the configured number.


4.7 Registrations

Figure 4.6: SIP Registrations

It is very important to understand the notion of a Registration. The Convergence provides a
layer of abstraction between the PBX and the mobile device. The PBX, for example, does not
even know whether the device is currently in WLAN or in GSM. Therefore, the Convergence needs
to perform this abstraction. SIP signalling is used both towards the PBX as well as towards
the FMC client. This fact leads to some confusion between Registrations and User Accounts.
Both however are in fact completely different.
A Registration always refers to the PBX side. The Convergence registers to the PBX just like a
normal endpoint would. On this side, nothing is known about WLAN or GSM; the Convergence
will always use plain SIP signalling towards the PBX. The User Account on the other hand
manages the communication with the WLAN side of the FMC client.
You therefore always need to define how the Convergence registers with the PBX, even when
using a GSM only client. In a normal configuration, you need one registration per FMC user.
The Convergence will not allow multiple users to be assigned to the same registration. Note
that this information depends on the SIP host you want to register the Convergence and the
handled users to. You will need to configure the registration details as well as a SIP Host to
register to.

i At least one SIP Endpoint has to be configured because each Registration has to be
made against a SIP Endpoint. Please refer to ?? for more information on this.

PBX Number
The number of the dualmode handset as registered on the PBX. Note that this number must
also be set on the PBX. The Convergence will use this number to register with the PBX.
Sometimes this parameter is referred to as SIP URI in PBXs.

PBX Username
The username used to register and authenticate on the PBX. Together with the password
defined below, this information will be used if there is a digest challenge from the PBX. The
Convergence supports the authentication both for the REGISTER as well as for other SIP
requests where the Convergence is challenged.

! The username should be identical to the PBX Number because anything else might
be unsupported by certain PBXs.

PBX Password
The password used to authenticate on the PBX. This field may be left blank if no authentication
is required on your PBX. If you use full authentication, you should also use a safe
password here, as specified in the ?? section.

SIP Host
Select the host you want to register this account to. Please refer to the ?? page for more
information on configuring different SIP Hosts / Endpoints.

i Note that a Registration will only become active once a User Account has been
associated with it.

4.8 User Accounts

Each of the SIP user accounts represents an FMC subscriber. As described above, the User
Account is solely responsible for handling the communication towards the FMC client. In order
to associate a User Account with the PBX, a Registration has to be assigned to each User
Account. The following should provide an overview of the necessary details that need to be
configured for each user account.

Figure 4.7: SIP User account configuration

SIP Number
The SIP number is the number the client uses to register with the Convergence. The FMC
client will use this number for registering against the Convergence. It must be different from
the PBX number, although it can just be different by prefixing something to the PBX number
or e.g. by omitting the country code. This differentiation is enforced by the GUI and is
necessary to enforce a very strict separation between the PBX and the FMC client side. You
should also note that this number has to be unique across all users configured in the
Convergence. If you do not follow this rule, you might see strange effects on the server side
that have to do with the way incoming SIP messages are mapped.

! The SIP Number has to be unique in two ways. Firstly, this number must not be assigned
twice for two different users. Secondly, this number must be different from the Registration
number used with the server. The GUI will enforce this uniqueness as far as it can. Duplicates
however can still be introduced, e.g. via database batch import, or by accessing the database
directly. If you ever see the SIP error message 488, please check all the utilized numbers
for uniqueness.

i The SIP number is also used for authentication of the client. Contrary to the Registration
side, this setting is used for both identification and digest authentication. That means that
this number has to be configured into the client both as a URI as well as for authentication
purposes.

SIP User Password
The password for the SIP user on the FMC client side. This password is solely used for client
authentication and hence must be entered properly into the client.

i Whenever the client registers with the Convergence, you will see a SIP 401 response
challenging the client. This will prompt the FMC client to resend the original request with the
correct digest information. If this is again rejected, there is probably a password mismatch.
That is the most obvious cause and the first thing you should check.

GSM Number
It is possible to assign multiple GSM numbers to a user. You can select a number from a
drop-down box here. This table will always reflect the currently active number for the user in
question. You can also leave this field blank. Doing so will result in the user being unable to
use the system in cellular mode. If a GSM number for a user is configured after the user has
been created with a blank number, the newly configured number will automatically become
active. See ?? for more information on the configuration of a GSM number.
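The REGISTER challenge just described, worked through as an added example (this is not Comdasys code): it computes the RFC 2617 MD5 Digest that SIP uses, once from the client's side when answering the 401, and once from the registrar's side when checking the answer. The realm, nonce, addresses and the sample password are assumptions; the manual only states that the SIP number serves as both URI and username and that a second rejection usually means a password mismatch. The same computation applies to the PBX side of section 4.7, where the Convergence is the party being challenged.

```python
import hashlib
import hmac
import re

# Constructed sample of the 401 a registrar sends when it challenges a REGISTER.
# Realm, nonce and addresses are assumptions for this example, not values from the manual.
CHALLENGE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:14000@convergence.example>;tag=1928301774\r\n"
    "To: <sip:14000@convergence.example>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    'WWW-Authenticate: Digest realm="convergence.example", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)

PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def digest_params(text):
    """Parse the key=value list of a Digest challenge or credential into a dict."""
    return {k: quoted or bare for k, quoted, bare in PARAM_RE.findall(text)}


def parse_challenge(response):
    """Pull the Digest parameters out of a 401 (WWW-Authenticate) or 407 (Proxy-Authenticate)."""
    m = re.search(r"^(?:WWW|Proxy)-Authenticate:\s*Digest\s+(.*)$", response, re.M)
    if not m:
        raise ValueError("response carries no Digest challenge")
    return digest_params(m.group(1))


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, nonce, method, uri):
    """RFC 2617 Digest without qop, as SIP (RFC 3261) uses it:
    response = MD5(MD5(user:realm:pass) : nonce : MD5(method:uri))."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, password, challenge, method, uri):
    """Client side: answer the challenge by resending the request with this header.
    The manual wants the username to equal the number in the URI; the caller passes both."""
    p = parse_challenge(challenge)
    resp = digest_response(username, password, p["realm"], p["nonce"], method, uri)
    return (f'Authorization: Digest username="{username}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')


def verify_authorization(header, password_lookup, method, issued_nonces):
    """Server side: recompute the response from the stored password and compare in
    constant time. issued_nonces holds the nonces this server handed out and has not
    yet retired; refusing unknown nonces stops replay of a captured header."""
    p = digest_params(header.split(":", 1)[1])
    password = password_lookup(p.get("username"))
    if password is None or p.get("nonce") not in issued_nonces:
        return False
    expected = digest_response(p["username"], password, p["realm"], p["nonce"],
                               method, p["uri"])
    return hmac.compare_digest(expected, p.get("response", ""))
```

The nonce bookkeeping in the server half is this example's choice; the manual does not describe how the Convergence handles nonces. Whether a PBX answers a wrong password with a second 401 or with 403 is PBX specific.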

i If you want to ensure security it is strongly recommended to use safe passwords here,
containing at least 6 characters including special characters. You should also make sure not
to use dictionary words in this case.

Registrations
Every FMC user must be associated with a user on the PBX. This will determine how the dual
mode user is reachable: under what phone number, the call groups he is part of, etc. The
Convergence must be given the information it needs to register this user with the PBX. This
information is entered in the ?? section. Here you only associate an FMC user with the
account on the PBX. If you do not select a registration here, the user will not be able to
register and not be able to make calls; the number of this user will also not be available in
cellular operation.

! Every user must be associated with a registration. Otherwise the creation of the user will
fail.

i Whenever you check the Registrations, those will only become active once a User Account
has been associated with them. This means if you have configured Registrations that have
no User Account associated with them, you will not see them register with the PBX until this
is the case.

Enable User
This item has to be checked for a user to be able to use his account. If not checked, the user
is essentially disabled.

Enable Static Roaming
Static Roaming is the term for forwarding an incoming call to the GSM side of the FMC client.
Depending on the contracts you have with a carrier, this can mean cost for incoming calls of
users. Therefore you can disable this feature on a per user basis. In order to enjoy the full
feature set of the Convergence and especially the single number features, you should keep
this enabled.

Use DMC
DMC stands for Direct Media Connect. This is a mechanism for letting payload pass directly
between two IP communication endpoints. In the FMC case this would typically be the FMC
client in WLAN mode communicating with an IP phone connected through a PBX. DMC
becomes active after a call is established. The media is then renegotiated to let the two
parties communicate directly. This is done using SIP re-INVITE request mechanisms. As soon
as features are involved, or a handover occurs, the direct media connection is cancelled and
media passes across the Convergence again. This means that during a dialog, the media
connection can change multiple times between direct and indirect media connection. DMC is
activated on a per user basis and is turned off by default.

! DMC will only be attempted in WLAN mode. DMC will also only be attempted if the
user registers locally and is not behind a NAT firewall. In the other cases the Convergence
needs to stay in the media stream because those devices could not establish a direct path
of communication.

! DMC will only work correctly if the proper codecs are set. The FMC client needs to
utilize a codec that is also supported by the endpoints directly connected to the PBX. iLBC
is typically not supported by gateways or IP phones.
Former version compatibility

NAT Handling
You do not need to enable anything special for NAT handling. All you need to do to enable
NAT handling is to use the target port 5062 on the client. Using this is only recommended if
you actually want to use the handset behind a NAT. If port 5062 is used, and the Convergence
detects that the device is not behind a NAT, it will act normally as if port 5060 was used.
However, this detection takes extra effort and is thus unnecessary in that case. If the NAT
handling port is used, the Convergence will use the origin information of all SIP messages and
all RTP traffic from the client to determine where to respond to. This enables NAT traversal
without any special features on the client (such as STUN).

Enabling NAT Keepalives
If the handset is behind a NAT, it is necessary to have a constant stream of messages to keep
the firewall pinholes open. If the NAT handling port is used, the Convergence will automatically
send NAT keepalives at an interval of 20 seconds. These NAT keepalives are empty UDP
packets. They are very small, but enough to keep any NAT pinholes on the way open. On
the client side, the TCP/IP stack will simply consume these empty UDP packets. Thus, no
special settings are necessary on the client side.
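How a registrar can implement the behaviour described under NAT Handling and NAT Keepalives, as an added example written for this page (it is not the Convergence's code): only when the REGISTER arrives on the NAT handling port does it compare the datagram's source with the address the client claims in its Via; if they differ it replies to the source, records received/rport in the Via (RFC 3581), binds the user to the learned address and schedules empty UDP keepalives every 20 seconds. On port 5060 the client's claim is trusted, and on 5062 with no NAT detected the outcome is the same as on 5060. The REGISTER and all addresses are constructed; the RTP side, which the manual says is handled from packet origin in the same way, is not shown.

```python
import re

# Constructed REGISTER as a client behind a home router sends it to the NAT handling
# port: Via and Contact carry the private address, while the UDP datagram arrives from
# the router's public address. All addresses are assumptions for this example.
REGISTER = (
    "REGISTER sip:convergence.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;rport;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:14000@convergence.example>;tag=1928301774\r\n"
    "To: <sip:14000@convergence.example>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:14000@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

NAT_PORT = 5062          # the manual's NAT handling port
PLAIN_PORT = 5060        # normal SIP port: no origin-based handling
KEEPALIVE_SECONDS = 20   # keepalive interval stated in the manual
KEEPALIVE_PAYLOAD = b""  # an empty UDP datagram, which the client's stack simply drops


def via_address(msg):
    """Address and port the client claims in its topmost Via header."""
    m = re.search(r"^Via:\s*SIP/2\.0/UDP\s+([^;\s]+)", msg, re.M)
    if not m:
        raise ValueError("no Via header")
    host, _, port = m.group(1).partition(":")
    return host, int(port or PLAIN_PORT)


def handle_register(msg, src, local_port):
    """Decide how a registrar that respects the NAT handling port treats this REGISTER.
    src is the (ip, port) the datagram really came from; local_port is the port it hit."""
    claimed = via_address(msg)
    # Only the NAT handling port triggers origin-based handling; on 5060 the claim is trusted.
    behind_nat = local_port == NAT_PORT and src != claimed
    reply_to = src if behind_nat else claimed
    # Topmost Via gets received/rport so the client can see its outside address.
    via_params = f";received={src[0]};rport={src[1]}" if behind_nat else ""
    return {
        "behind_nat": behind_nat,
        "reply_to": reply_to,                  # where the 401 / 200 OK is sent
        "contact_binding": reply_to,           # where later INVITEs for this user go
        "keepalive_every": KEEPALIVE_SECONDS if behind_nat else None,
        "keepalive_payload": KEEPALIVE_PAYLOAD if behind_nat else None,
        "via_params": via_params,
        # 5062 with no NAT detected behaves exactly like 5060
        "effective_port": PLAIN_PORT if local_port == NAT_PORT and not behind_nat else local_port,
    }
```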

i Note that all user changes will take effect immediately after saving, without pressing
Apply Configuration. Note also that this behavior has changed compared to previous
versions.

! When deleting a user, this deletion will cascade to all data associated with this user,
that is Call Forwardings, GSM Numbers, as well as Registrations. Please make
sure that this is what you want before confirming the deletion.


GSM Number
In order to provide a true FMC solution, the FMC client also needs to be integrated when in
the cell phone network. The connection to the FMC client in those cases is the GSM number.
The GSM number of the handset is used for static roaming, mid-call handovers as well as
callthrough calls.
You must specify the number exactly as you have to dial it on the PBX for creating an outbound
call. If you need a leading zero there for making a PSTN call, you also have to specify it here.

• SIP User: You need to select a user to create the GSM number for. You can of course
create multiple GSM numbers per user. Those numbers can be activated in the User
Account settings or by calling the configured GSM switching number to activate the
currently used SIM card / GSM number. You can also refer to ?? for more information.
• GSM Number: This is the GSM number of the handset. As mentioned above, this
number is utilized without doing any mappings for static roaming calls and must be
configured exactly as it needs to be dialed with the configured SIP Endpoint.

i The first number created for a user is automatically set as the active number for the
specified user.

! Each GSM number needs to be unique in the entire list of configured numbers. The
reason lies in the necessity of the Convergence to uniquely map an incoming GSM call to
a user. This would not be possible if the number was configured more than once.

! If the GSM number has 10 digits or less, it must exactly match the Caller ID in
callthrough scenarios. The Convergence will check at least 10 digits to make sure that a
number does not accidentally match.
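The caller ID rule stated here and in the callthrough note of section 4.6, as an added example (not vendor code). It reads the two statements as one rule: when both numbers have at least 10 digits only the last 10 are compared, so the +49 172 ... and 0172 ... presentations of one handset agree; when the configured number is shorter, the caller ID must equal it exactly, prefix included, so a short number cannot be matched by accident. The 10-digit threshold is the manual's; the exact boundary (the manual says "10 digits or less" in one place and "less digits" in another) should be confirmed with a trace on your own unit. The mapping to a user refuses ambiguous matches outright, since the caller ID is the only thing that identifies the caller here.

```python
import re

MIN_DIGITS = 10   # the manual: at least / up to 10 digits are compared


def digits(number):
    """Keep only the digits: strips '+', spaces, dashes and similar presentation."""
    return re.sub(r"\D", "", number)


def caller_id_matches(configured, caller_id):
    """This example's reading of the manual's rule (an assumption, not vendor code):
    - with at least 10 digits on both sides, the last 10 digits must agree;
    - if either side is shorter than 10 digits, the whole caller ID must equal the
      configured number, prefix included, so no suffix match can happen by accident."""
    c, i = digits(configured), digits(caller_id)
    if not c or not i:
        return False
    if len(c) >= MIN_DIGITS and len(i) >= MIN_DIGITS:
        return c[-MIN_DIGITS:] == i[-MIN_DIGITS:]
    return c == i


def resolve_user(gsm_table, caller_id):
    """Map an incoming GSM / callthrough call to exactly one user, or reject it.
    gsm_table maps configured GSM number -> user; the manual requires those numbers
    to be unique, and an ambiguous match is refused rather than guessed."""
    hits = {user for number, user in gsm_table.items() if caller_id_matches(number, caller_id)}
    if len(hits) != 1:
        return None
    return hits.pop()
```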

4.9 Number Conversions

The Number Pattern page can be opened by pressing the menu option in the navigation
page.
The mask allows you to define source and target patterns, activate/disable, delete, edit, move
(up/down) a rule and add new ones. The rules are processed from the first to the last. The first
match will be used to apply the appropriate mapping. All in all, the Number Patterns defined
here have priority over the automatic conversions defined in the Number Profiles section.
Both however can work side by side, if the Treat As parameter is set to something other than
Internal Call because the standard number mapping will also be done then.

Figure 4.8: Number Patterns

Source to target pattern mappings are defined by explicit rules. Incoming numbers (the
numbers of calls coming from the client) that match a source pattern are reformatted as
defined by the target pattern. The source pattern can be any Perl Compatible Regular
Expression (PCRE). Every expression entered will be checked for syntactic validity but not for
making sense semantically, so beware! The same holds true for the target pattern. The target
pattern can only consist of digits (0-9) and dollar signs ($). Whenever a piece of a source
pattern is enclosed in parentheses, it will be considered a captured subpattern that can be
inserted in the target pattern by using a $ followed by the number of the parenthesized pair.
Up to 9 captured substrings can be used. For example, assuming that a leading 0 is used
to dial out, any of the following definitions maps the incoming number 911 to the outgoing
number 0911, making it possible to call 911 directly from an internal phone:

Source Pattern    Target Pattern    Active
(9)(1)(1)         0$1$2$3           Yes
(9)(11)           0$1$2             Yes
(9)(1)1           0$1$21            Yes
(911)             0$1               Yes
911               0911              Yes

Table 4.1: Number Mapping Example I
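A small rule engine that reproduces the matching described above, as an added example written for this page (it is not the Convergence's implementation). It enforces the digits-and-$ restriction on the target pattern, caps captures at 9, applies the first active match in priority order and carries the Treat As value along with the converted number; it also loads the five equivalent rows of this table and the 000([56])(.+) capture rule that the text discusses next. Python's re module stands in for PCRE, and matching the whole dialed string is an assumption: if your unit uses search semantics, anchor your own patterns with ^ and $.

```python
import re

# Target patterns may only hold digits and $1..$9 (the manual's restriction).
VALID_TARGET = re.compile(r"^(?:\d|\$[1-9])*$")


def target_is_valid(target):
    return bool(VALID_TARGET.match(target))


class Rule:
    """One row of the Number Patterns table."""

    def __init__(self, source, target, active=True, priority=0, treat_as="Internal Call"):
        if not target_is_valid(target):
            raise ValueError(f"target may only contain digits and $1..$9: {target!r}")
        self.regex = re.compile(source)        # re.error here mirrors the GUI's syntax check
        if self.regex.groups > 9:
            raise ValueError("at most 9 captured substrings can be used")
        self.source, self.target = source, target
        self.active, self.priority, self.treat_as = active, priority, treat_as


def expand(target, match):
    """Replace $n with the n-th captured substring; a $n with no such group yields ''."""
    def sub(m):
        n = int(m.group(1))
        return (match.group(n) or "") if n <= match.re.groups else ""
    return re.sub(r"\$([1-9])", sub, target)


def convert(number, rules):
    """Apply the first matching active rule in priority order (0 is highest).
    Returns (converted_number, treat_as); (number, None) when no rule matched.
    Whole-string matching is this example's assumption."""
    for rule in sorted((r for r in rules if r.active), key=lambda r: r.priority):
        m = rule.regex.fullmatch(number)
        if m:
            return expand(rule.target, m), rule.treat_as
    return number, None


# The five equivalent rows of Table 4.1 and the capture rule of Table 4.2.
TABLE_4_1 = [
    Rule("(9)(1)(1)", "0$1$2$3"),
    Rule("(9)(11)", "0$1$2"),
    Rule("(9)(1)1", "0$1$21"),
    Rule("(911)", "0$1"),
    Rule("911", "0911"),
]
PREFIX_RULE = Rule("000([56])(.+)", "5550$1$2", treat_as="National Call")
```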

! Note that this 911 should only be understood as an example. Emergency numbers
(depending on country) will automatically be handled by the client and will be forwarded
through the GSM network.

! You should be very careful with this function because wrong rules can destroy the
called party numbers, thus rendering the whole solution useless. It can also lead to
misconnections due to wrong number mappings.
The rule in the middle starts the target pattern with a literal 0, copies the contents of the first
and second parenthesized pair ($1 and $2) and appends a literal 1. Most likely you would use
the last rule, since the source pattern is constant and this rule definition has the best
readability. In cases where an incoming number matches several source patterns, the first
matching pattern wins, i.e. as soon as a match is found, no further matching is tried. Copying
parts of a source pattern becomes useful when the source pattern contains wildcard
characters. E.g. assuming you want all numbers that begin with 0005 or 0006 to be mapped
to 55505 or 55506, respectively, followed by the rest of the number, you could define the rule
shown in Table 4.2. Its first parenthesized pair matches one of the digits 5 or 6 and captures
it as $1. The dot within the second pair (captured as $2) matches any single character, while
the following plus sign specifies that the preceding pattern repeats one or more times.

Source Pattern    Target Pattern    Active
000([56])(.+)     5550$1$2          Yes

Table 4.2: Number Mapping Example II

Please note that a plus is a special character, so if you want to match a literal + in a source
pattern you must write it as \+. Also note that you cannot use a literal plus sign in the target
pattern. Please see http://www.pcre.org for more information about Perl Compatible Regular
Expressions.

Source Pattern
Enter the source pattern in the above described format. Note that you can leave this field
empty, but then your rule would never match.

Target Pattern
The matched source pattern will be mapped to this. Please use the above described format to
write the patterns. This field must not remain empty.

Priority
The priority in the number patterns determines the order in which these will be matched. The
number can be 0 or higher, with 0 being the highest possible priority.

Treat As
• Internal Call: If this option is selected no further number translation will be done. If a
number matches any of the rules, Stage 2 and Stage 3 are skipped. Hence the automatic
mapping as defined in the Number Profiles pages will not apply!
• National Call: If the call is to be treated as a national call, the country code will be
removed and any applicable prefixes made, depending on the settings in the number
profile. The converted number will be treated like one the user has dialed and that runs
through the number profile.
• Local Area Call: If the call is to be treated as a local area call, the country code and area
code will be removed and any applicable prefixes made, depending on the settings in
the number profile. The converted number will be treated like one the user has dialed
and that runs through the number profile.

• International Call: If the call is to be treated as an international call, any applicable
prefixes will be made, depending on the settings in the number profile. The converted
number will be treated like one the user has dialed and that runs through the number
profile.

Rule Active
This enables you to activate and deactivate rules. Any defined rule will only be applied if this
option is checked. It is useful both for debugging purposes as well as for temporarily
deactivating certain rules.

4.10 Client based call forwarding

This page allows you to configure and activate client specific call forwardings. This can also
be done from the FMC client. See the FMC client manual for more information on this. The
call forwarding behavior of the Convergence mimics the call forwarding functionality of a
standard SIP client. This means that the server does not have to implement any special
features to support this, except for supporting SIP redirection with the 302 session redirection
response. The call forwarding will become active any time the Convergence receives a call
from the PBX. The reaction will depend on the type of forwarding set. There are three different
ways to do the call forwarding: Always, On Busy and On Unavailable. All three can be
configured and activated separately. Each type can be configured with a separate number.
Each type can also be activated separately. If multiple forwardings are activated you have to
pay attention to the precedence.

Call forwarding types:
• Always - This will configure the number used for an unconditional immediate forwarding.
The target can be specified here. In order to activate this you can check the checkbox
next to the field for entering the number. The change will take effect immediately.
• Busy - This will configure a call forwarding if the extension and hence the FMC client is
busy. The target can be specified here. In order to activate this you can check the
checkbox next to the field for entering the number. The change will take effect
immediately.
• Unavailable - The call will be forwarded if the called FMC client does not answer for a
period of 60 seconds. The target can be specified here. In order to activate this you can
check the checkbox next to the field for entering the number. The change will take
effect immediately.
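The forwarding decision and the 302 redirection the manual refers to, as an added example (this is not Comdasys code): an active Always forwarding overrides Busy and Unavailable, Unavailable waits the 60 seconds stated above, and the forward target is placed, exactly as it must be dialed on the PBX, in the Contact of a 302 Moved Temporarily built from the PBX's INVITE, which is what a standard SIP client would answer. The INVITE, the domain and the To tag are assumptions.

```python
from dataclasses import dataclass, field

NO_ANSWER_SECONDS = 60   # the manual: Unavailable fires after 60 s without answer

# Constructed INVITE from the PBX towards the user's registration; values are assumptions.
INVITE = (
    "INVITE sip:4000@convergence.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKnashds8\r\n"
    "From: <sip:4711@pbx.example>;tag=9fxced76sl\r\n"
    "To: <sip:4000@convergence.example>\r\n"
    "Call-ID: 3848276298220188511@pbx.example\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:4711@10.0.0.5>\r\n"
    "Content-Length: 0\r\n\r\n"
)


@dataclass
class Forwarding:
    number: str = ""      # exactly as it must be dialed on the PBX, leading zero included
    active: bool = False


@dataclass
class ForwardingConfig:
    always: Forwarding = field(default_factory=Forwarding)
    busy: Forwarding = field(default_factory=Forwarding)
    unavailable: Forwarding = field(default_factory=Forwarding)


def forward_target(cfg, client_busy, seconds_ringing):
    """Precedence as the manual states it: an active Always wins outright; Busy applies
    while the client is in a call; Unavailable applies once 60 s passed without answer.
    Returns (number, type), or (None, None) when the call is delivered normally."""
    if cfg.always.active and cfg.always.number:
        return cfg.always.number, "Always"
    if client_busy and cfg.busy.active and cfg.busy.number:
        return cfg.busy.number, "Busy"
    if seconds_ringing >= NO_ANSWER_SECONDS and cfg.unavailable.active and cfg.unavailable.number:
        return cfg.unavailable.number, "Unavailable"
    return None, None


def redirect_response(invite, target, domain, to_tag="fwd1"):
    """Build the 302 a standard SIP client answers with; the PBX then re-INVITEs the
    Contact. Mandatory headers are copied from the INVITE and the To header gets a tag,
    because a final response must carry one (the tag value is an assumption)."""
    copied = []
    for line in invite.split("\r\n"):
        name = line.split(":", 1)[0]
        if name == "To" and ";tag=" not in line:
            line = f"{line};tag={to_tag}"
        if name in ("Via", "From", "To", "Call-ID", "CSeq"):
            copied.append(line)
    return "\r\n".join(
        ["SIP/2.0 302 Moved Temporarily", *copied,
         f"Contact: <sip:{target}@{domain}>", "Content-Length: 0", "", ""]
    )
```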

Figure 4.9: Call Forwarding

i The call forwarding can be activated both via WLAN as well as GSM. In GSM mode, the
callthrough number needs to be configured in the client because the activation is done
through it.

! It is possible to have more forwardings activated simultaneously, however call forwarding
Always overrides the remaining two.

! You need to specify the call forwarding number exactly as you need to dial it on the PBX.
That means if the PBX for example expects a leading zero, you need to specify it here.

4.11 PBX Access Codes

This page allows the configuration of rewrite rules for access codes sent by the FMC client
towards the PBX. Access codes are used by the PBX to implement platform specific features,
as for example Group Pickup. These access codes however are configurable in the PBX. The
FMC client supports hiding such access code features behind an easily selectable menu. Now
if the access code, e.g. for Pickup, changes on the PBX, you would hence need to change the
stored code on each client. To avoid this, you can simply define a mapping here in the
Convergence. The following example should give a better insight into what is actually
happening. If the FMC user has a predefined setting for a DTMF invoked feature, say ∗8, on
his FMC client, but the customer's PBX expects #9, you can simply specify this mapping here.
The Convergence will then take the access code sent by the client and translate it to the
correct one towards the SIP Endpoint.

Figure 4.10: Predefined Feature Codes

The following can be configured here.
Configuration fields:
• Endpoint: This will allow the selection of an endpoint to use. This means that the
defined mapping will be applied for all users registered here.
• Name: You can configure a descriptive name for the feature. This parameter has purely
informational value.
• FMC Feature Code: Configure the feature code to search for in every call. This should
only contain symbols that can be dialed from a standard phone, namely digits, ∗ and #.

• PBX Feature Code: The code to replace the matched FMC Feature Code with. This
should only contain symbols that can be dialed from a standard phone, namely digits,
∗ and #.

i This feature is purely optional and is usually only used for special customer

4.12 Supported PBX Features

Using these configuration options, it is possible to communicate to clients which features are
available on the respective SIP endpoints. The client can adapt its display based on this
information to not display unavailable features. This applies to both in-call and out of call
features. In order to achieve this, the PBX supported features must be configured for every
SIP Endpoint. To avoid a manual configuration of this on the client, the server will send these
supported features. The supported features will be sent in the response to a registration
request via SIP.

4.12.1 Predefined PBX Features

As mentioned above, the selectable features are static. You can enable or disable them on a
per SIP Endpoint basis. By default, all supported features are enabled, so that you only need
to selectively disable them if not supported by the PBX. The features all have a unique feature
code Fxx where xx is a number. The following features have been defined:
• Inbound Basic Call
• Outbound Basic Call
• Inbound Enterprise Call
• Outbound Enterprise Call
• Handover
• Manual Handover
• IMS Handover
• Blind Transfer
• Attended Transfer
• Hold
• Consultation
• Toggle

• Conference
• Callback
• Pickup
• Group Call Pickup / Boss Secretary
• Call Forwarding

i It depends on the FMC client and its version which fields are actually interpreted and
which ones are ignored.

Figure 4.11: Predefined Feature Codes

The following explains the configuration of the fields in detail. In fact, all standard features
are automatically added to the table, so that there is no need to do any work. You just need
to select the endpoint for which you want to disable a certain feature.
• Endpoint: You need to select a SIP Endpoint for which these feature settings apply.

• Name: This is a descriptive name for the feature in question. There is no need to
configure this since it has been predefined.
• Code: The feature code here is predefined and cannot be changed.
• Active: Select this to activate or deactivate the feature. This will prompt the Convergence
to signal support for this feature in the Registration response for all users associated
with this endpoint.

4.12.2 User Defined PBX Features

Besides the Predefined PBX Features, it is also possible to assign user defined ones. You will
probably not need this unless you have larger, strongly customized deployments. The idea
behind this is to define a mechanism between Server and Client to signal if certain features
should be displayed or not. This again needs to work in conjunction with the client. The
following should give an overview over the configuration options.

Figure 4.12: User defined Feature Codes

The following explains the configuration of the fields in detail. As you can see, this closely
resembles the Predefined PBX Features.
• Endpoint: You need to select a SIP Endpoint for which these feature settings apply.
• Name: This is a descriptive name for the feature in question. You should put a descriptive
name of the feature in question here, but the parameter is purely informational.
• Code: The feature code to send to the FMC client. The format has to be Uxx where xx is
a number. The same one must be used on the client.
• Active: Select this to activate or deactivate the feature. Contrary to the predefined
features, you need to set this on a per feature basis here. This will prompt the
Convergence to signal support for this feature in the Registration response for all users
associated with this endpoint.

4.13 Client Download

The Convergence allows an easy deployment of the FMC client using an installation package
builder. You simply select an FMC user of your system and the Convergence generates a
ready to use installation file for the FMC client. You can either download the FMC client to
your workstation or send it directly to an email address.

Figure 4.13: Client Download

• User: select here the user you want to build the client for
• Interface: select here the interface which should be used to connect to the Convergence.
This is used by the Convergence to preconfigure the right registrar IP address for the
FMC client configuration.
• Port: the port number for connecting to the Convergence. Please note that the
Convergence listens only on port 5062 if you are connecting via the WAN interface.
• MOC Number: The MOC (Mobile Originated Call) number is dialed by the FMC client if it
is operating in GSM mode. The number is virtually the same as the Callthrough Number
(see ??). You should configure it in international format, e.g. +4989123456789, to allow
the FMC client to call this number even if it is used in a different country.
• MTC Number: The MTC (Mobile Terminated Call) prefix is used to identify if an incoming
GSM call is initiated by the Convergence or if it is an external call. Calls triggered by the
Convergence (static roaming or handover) use the associated PBX number by default as
caller id. You need to put here the PBX number of your user in international format. The
FMC client matches the caller id of the incoming GSM call with the MTC number. If you
are unsure about this field it is safe to leave it blank. Then no matching will be done on
the FMC client.
• Send Client via Mail: Check this box if you want to mail the FMC client to a specific
e-mail address instead of downloading it.
• To-Address: Specify the recipient of the mail here
• SMTP server: Specify here the SMTP server used to deliver the client
• SMTP port: The port for connecting to the SMTP server. Use the default port 25.
• SMTP authentication type: Choose here between the PLAIN and LOGIN authentication
method. For a Microsoft Exchange SMTP server you have to use the LOGIN method. You
can also set the authentication type to NONE. In this case no username and password is
used; e.g. Sendmail or Postfix servers don't have authentication enabled by default.
• SMTP username: Specify the username here if you need authentication
• SMTP password: Specify the password for the authentication

4.14 Import User List

Setting up a large number of users sometimes requires a lot of handwork. To allow the import
of a large number of users you can create a .csv file (Comma Separated Values) and the
Convergence will set up the accounts for you. All the users will be imported for one specific
endpoint. Each line of the file configures one user and should have the syntax:

PBX Username, PBX Number, PBX Password, SIP Number, SIP Password, GSM Number

Optionally you can configure up to three GSM numbers by using the following syntax:

PBX Username, PBX Number, PBX Password, SIP Number, SIP Password, GSM Number1,
GSM Number2, GSM Number3

You can add comments to the file by inserting a # as first character of the line. The import
will only be done if all lines of the .csv file are formatted correctly.

! It is not possible to overwrite or recreate users. If a user already exists the complete import
will be rejected. Remove the corresponding line from the CSV file and try the import again.

Finally, this is an example of a csv file:

# myimport.csv
#
# PBX Username, PBX Number, PBX Password, SIP Number, SIP Password, GSM Number1, ...
#
4000,4000,sonne123,14000,xnj43ked,017212345678
4001,4001,superman,14001,43eedcff,017978912345
4002,4002,foobar99,14002,x4rewrre,017212345123
4003,4003,mypw0815,14003,432dsaxd,017212345111,017212345456

Figure 4.14: Import Users List
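A pre-flight check for such an import file, as an added example written for this page (it is not the Convergence's importer). It applies the rules the manual states in the User Accounts and GSM Number sections, which the GUI enforces but a batch import bypasses: a user may not already exist, the SIP number must differ from the PBX number and be unique, every GSM number must be unique across the whole list, and passwords should have at least 6 characters including a special character and not be dictionary words. Any error rejects the whole file, as the device does; weak passwords are only warned about, since the manual only recommends strong ones. The sample file is constructed from the manual's values with two defects planted on purpose, and the word list is a stand-in.

```python
import csv
import string

MIN_FIELDS, MAX_FIELDS = 6, 8       # GSM Number1 is mandatory, up to three GSM numbers
MIN_PASSWORD_LEN = 6
# Stand-in for a real word list; an assumption for this example.
DICTIONARY = {"superman", "password", "welcome", "secret"}

# Constructed import file built from the manual's sample values, with two defects
# planted on purpose: 4002's SIP number equals its PBX number, and 4003 repeats 4000's GSM number.
SAMPLE = """# myimport.csv
# PBX Username, PBX Number, PBX Password, SIP Number, SIP Password, GSM Number1[, GSM Number2, GSM Number3]
4000,4000,sonne123,14000,xnj43ked,017212345678
4001,4001,superman,14001,43eedcff,017978912345
4002,4002,foobar99,4002,x4rewrre,017212345123
4003,4003,mypw0815,14003,432dsaxd,017212345678
"""


def password_problems(pw):
    """The manual's advice: at least 6 characters, a special character, no dictionary word."""
    problems = []
    if len(pw) < MIN_PASSWORD_LEN:
        problems.append("shorter than 6 characters")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if pw.lower() in DICTIONARY:
        problems.append("dictionary word")
    return problems


def validate_import(text, existing_users=frozenset()):
    """Check a CSV import against the rules the GUI enforces but a batch import bypasses.
    Returns errors, warnings and the accepted users (empty when any error occurred)."""
    errors, warnings, users = [], [], []
    seen_sip, seen_gsm, seen_pbx = {}, {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank or comment line
        fields = [f.strip() for f in next(csv.reader([line]))]
        if not MIN_FIELDS <= len(fields) <= MAX_FIELDS:
            errors.append(f"line {lineno}: expected {MIN_FIELDS} to {MAX_FIELDS} fields, got {len(fields)}")
            continue
        pbx_user, pbx_num, pbx_pw, sip_num, sip_pw, *gsm = fields
        if pbx_user in existing_users or pbx_user in seen_pbx:
            errors.append(f"line {lineno}: user {pbx_user} already exists (import cannot overwrite)")
        seen_pbx.setdefault(pbx_user, lineno)
        if pbx_user != pbx_num:
            warnings.append(f"line {lineno}: PBX username should equal the PBX number")
        if sip_num == pbx_num:
            errors.append(f"line {lineno}: SIP number must differ from the PBX number")
        if sip_num in seen_sip:
            errors.append(f"line {lineno}: SIP number {sip_num} already used on line {seen_sip[sip_num]}")
        seen_sip.setdefault(sip_num, lineno)
        for n in gsm:
            if not n:
                errors.append(f"line {lineno}: empty GSM number field")
            elif n in seen_gsm:
                errors.append(f"line {lineno}: GSM number {n} already used on line {seen_gsm[n]}")
            seen_gsm.setdefault(n, lineno)
        for label, pw in (("PBX", pbx_pw), ("SIP", sip_pw)):
            for p in password_problems(pw):
                warnings.append(f"line {lineno}: {label} password {p}")
        users.append({"pbx_user": pbx_user, "pbx_number": pbx_num,
                      "sip_number": sip_num, "gsm": gsm})
    return {"errors": errors, "warnings": warnings, "users": [] if errors else users}
```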

4.15 XMPP Endpoints

In order to use the XMPP functionalities you have to configure XMPP endpoints and XMPP
users. The concept of XMPP Endpoints and XMPP Users is quite similar to the concept of SIP
Endpoints and SIP User Accounts. The XMPP endpoints are used for Instant Messaging and
Presence only. You can use here either your own XMPP server or one of the free servers of
the public Jabber network. Look at https://www.xmpp.net/servers for a list of publicly
available servers.

Figure 4.15: XMPP Endpoints

The following explains the configuration of the fields in detail.
• XMPP Endpoint Name: Here you assign a descriptive name for the XMPP configuration.
It is used for internal purposes only.
• Connect Server: Here you specify the connect server where the Convergence registers
its XMPP endpoints. This could be your internal XMPP server or a public server like
Google Talk or jabber.org.
• Port: This field contains the port number of the remote XMPP server. The XMPP default
port is 5222 and is used by default if you leave the field blank.
• Domain: You can configure a different domain name here. By default the domain name
of the connect server is used, but you can overwrite it here. It is safe to leave this field
blank.

• TLS: This checkbox enables TLS (Transport Layer Security) for the communication with
the XMPP server. You should enable this by default, since most of the servers will only
work if TLS is enabled.

4.16 XMPP Users

Each FMC user can be assigned an XMPP user in order to use instant messaging features.
Here you create the mapping between the FMC user, the XMPP user and the XMPP endpoint.

i Before you can use the XMPP users you have to create the XMPP accounts on your XMPP
server first. This is done by administrative tasks on the XMPP server. If you are using a
public XMPP server you can create your XMPP account with an external XMPP client like
Miranda IM (Windows) or Pidgin (Linux).

Figure 4.16: XMPP Users

The following explains the configuration of the fields in detail.

• FMC User Name: Select the FMC user that should be assigned to this XMPP account.
• XMPP Endpoint Name: Select the XMPP endpoint you want to use for this XMPP account.
• XMPP User Name: Configure your XMPP username here. If your XMPP login is test123@jabber.org you must put only the user part (test123) here.
• Password: Configure the password for the XMPP user.
• Activate XMPP User: Check this box to activate the XMPP user. If the account is not activated the Convergence does not try to connect to the XMPP server and the XMPP functionalities are disabled.

4.17 Enterprise FMC Status Page

The status page displays the active PBX registrations, the registered users, as well as all active calls. The page will not refresh automatically. You can always press Reload to get the most up to date view. The displayed information in detail includes:

• Active EndPoint Registrations: Every registration to the PBX as well as its status are listed here. All registrations should be in the Status REGED signifying that they are correctly registered with the SIP endpoint.
• Registered Users: This displays all users that are currently registered via IP. The IP address and port will give you some indication as to where these users registered from. Note that if you see the local host's IP address here, this indicates that the user registered from behind a NAT network.
• Call Status: This will show all active calls where the name represents the local user, and the Connected User field the party the user is connected to. You will not see who initiated the call in this screen, only that this call is ongoing. In order to see the origin, see the Command Line section.

4.18 Using external Tools with the FMC Database

This section provides information on how to connect to the FMC database with external tools like Microsoft Access or OpenOffice.org Base. With the usage of external tools you will gain more power and flexibility in managing large amounts of FMC configuration data and will also be able to automate common management tasks. The current FMC convergences are using a PostgreSQL Database for saving all the following data in the database:

• Global Settings

Figure 4.17: Status Page

• SIP Endpoints
• User Accounts
• Registrations
• Numbering Profiles
• Numbering Patterns
• Call Forwarding
• PBX Access Codes
• PBX Features

4.18.0.1 Establishing Database Connection

The database name of the Database to use is FMC, the default username is pgsql and the password is 18273645. The default port of the PostgreSQL database is defined as 5432. The PostgreSQL database is configured to listen only to connections from the loopback adapter or the LANA and/or LANB network. If you want to make a connection to the database from another network, you will need to use a SSH tunnel to forward a local port to the database port on the FMC via a SSH connection. Creating a SSH tunnel with a Linux system for example is quite easy, just open a terminal and enter the following command:

ssh -L9500:HOSTNAME:5432 root@HOSTNAME

Just replace the placeholder HOSTNAME with the IP address or hostname of your FMC. After establishing the SSH connection you can connect to the FMC database via the local port 9500.

4.18.0.2 Using OpenOffice.org Base

For connecting OpenOffice.org Base to the FMC database we will use the PostgreSQL JDBC driver, which can be found at http://jdbc.postgresql.org. After starting OpenOffice.org the database wizard will appear. Select the option Connect to an existing database and select JDBC from the dropdown box. Enter the URL for the connection in the following format: jdbc:postgresql://hostname:port/databasename. When you are using the SSH tunnel method to connect to the database, the URL will look like the following: jdbc:postgresql://localhost:9500/FMC.

If you are connecting directly to the database via your local network the URL might look like this (in this example the FMC has an internal IP address of 10.100.5.65): jdbc:postgresql://10.100.5.65:5432/FMC. The field JDBC driver class must be set to the class org.postgresql.Driver. To verify that your PostgreSQL JDBC driver works correctly you can press the button Test class. Just press Next and enter pgsql as username for the connection and check the box Password required. Now you can test the connection to the database via the button Test Connection. When prompted for the password just enter 18273645. If all of your settings were correct you will see an infobox popping up which should tell you that the connection to the database was successful. You can now press the button Finish and work with the database.

4.18.0.3 Using Microsoft Access

For connecting Microsoft Access with the PostgreSQL database you will first need the PostgreSQL ODBC driver, which can be found at http://www.postgresql.org. You can just install the downloaded driver by double-clicking the downloaded .msi file. If you don't connect to the database from your internal network you will need a tool to open an SSH connection and create a local forwarded (tunneled) port to the FMC. We recommend the usage of PuTTY which is a free and open source SSH client for Microsoft Windows operating systems. For a detailed description of how to set up your PuTTY client with forwarding of local ports see the PuTTY user documentation which can be found at http://the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter3.html#using-port-forwarding. After setting up the database connection either via local network or SSH tunnel you will need to create an ODBC datasource which can be used from inside Microsoft Access later on. See the screenshot below for how to configure an ODBC datasource where you use the local port 9500 to access the database via a SSH tunnel. Now you can start Microsoft Access and create a new database file. After that you can create links to the FMC tables via File -> External Data -> Link Tables. A dialog appears in which you need to select ODBC as file type and then select the previously created ODBC datasource. In the next dialog you can select which tables from the FMC database you want to have linked with your Microsoft Access database. You are now able to access the FMC database tables from inside Microsoft Access and all changes you make to the data in the tables are present on the FMC.

Figure 4.18: PostgreSQL ODBC DSN Example

4.18.1 FMC Database Tables

4.18.1.1 sip_user

The table sip_user contains all user account settings and a foreign key which points to the corresponding outgoing registration.

i The Username field can be entered into the database, but is currently not used. It is only there for future use. The field must not be NULL and should therefore just be an empty string.

i The Realm field can be entered into the database, but is currently not used. It is only there for future use and may be NULL at present.

4.18.1.2 sip_reg

The table sip_reg contains the configuration of all outbound registrations and a foreign key that points to the corresponding endpoint of the registration.

4.18.1.3 sip_endpoint

The table sip_endpoint contains all configuration data of the endpoints. A foreign key points to the converter profile which should be applied when making outgoing calls.

4.18.1.4 settings

The table settings contains all global settings and contains only a key and a value column.

4.18.1.5 nc_profiles

The table nc_profiles contains all configured number converter profiles which can be used from the endpoint configuration.

4.18.1.6 nc_patterns

The table nc_patterns contains the configured call routing patterns which should be applied to all outgoing calls.

i There are also additional tables present such as Codecs, Number Profiles, etc. These are for internal use and should not be altered.

4.19 Synchronize database

The synchronization of the user data between two Convergences is ordinarily used in a redundancy configuration. In such a configuration, we would have two appliances, one serving as a master, the other serving as a slave. This slave will obtain its configuration from the master server. Therefore, this is not a real synchronisation but rather having a master containing the configuration. The Slave will however keep a copy of the configuration, so that it can continue to operate if the master fails. This applies only to the FMC part of the configuration. Things like IP addressing etc. are considered separately. This automatically synchronized configuration however includes all Users, Endpoints, and Registrations. The synchronization is done by directly accessing the configuration database of the master server. In order to lower the network load, several changes are collected and then synchronized in one step. All changes to users, endpoints, or registrations will become effective immediately and will therefore also be scheduled for synchronization right after pressing "Save" in the WebGUI.

i It can take up to 3 minutes until all changes have been properly synchronized to the Slave device.

i Changing the configuration will only be supported on the Master Server. If the Master is down, the Slave can continue to operate normally. For consistency purposes however, no configuration change will be possible for the time the Master is down.

4.19.0.7 Operating Mode

The Synchronize database page is used to configure the Convergence in Master, Slave or in Standalone mode. It will also configure the database synchronization. The first item Operating mode will be used to select the operating mode for the unit. Master IP is the IP of the interface which acts as a master and the Slave IP is respectively for the interface acting as slave.

i To configure both Master and Slave you need to have a network connection. In theory a standard routed connection is enough. Since this feature is however used in conjunction with VRRP, you need to have a connection supporting Multicast requests, usually a switched connection.

4.19.0.8 Standalone mode

In the Standalone mode the Convergence uses the database without network connection to other databases. This is the default operation mode. The IP addresses under the Operating mode item will be ignored. At any time you can turn a Standalone Convergence into the master of a cluster. You have to be careful turning it into a slave because you will lose your configuration.

! To update the Convergence it is very important to use the Convergence in Standalone mode.

4.19.0.9 Master Mode

The Master mode initializes the local database as master and the database from the Convergence with the Slave IP as slave. You need to configure the Master IP and Slave IP on the Master. The connection daemon starts on the master Convergence after the initializing process.

Figure 4.19: Synchronize database

You also need to download the security key to enable communication between the Master and
the Slave, see ?? for more information on that.

4.19.0.10 Slave mode

This puts the Convergence into slave mode. All configuration data will be fetched from the
master. To start the Convergence in Slave mode you need the Master IP and Slave IP. The
Slave IP naturally is the IP address of the unit you are currently configuring and you need to
specify the appropriate interface IP address that should be used for synchronization.
After applying this configuration, the unit will start to synchronize the data from the master
server.

i The Security Keys (see ??) of the Master must be present on the slave. Otherwise
the unit will not be able to synchronize the configuration.

! All FMC configuration data present on this device will be overwritten by data fetched
from the master. This means that the configuration present on this device will be lost.

i You can switch a Slave back into Standalone mode, but the synchronized data will
be kept.

4.19.1 Failover Operation

Two HPMC appliances can be deployed in a failover fashion. In such a configuration, the
secondary server can take over the functionality of the primary one. In order to offer that, we
will make use of the VRRP protocol to provide a dynamic failover mechanism. The properties
of this failover mechanism are as follows:

• Secondary appliance will be idle when the primary appliance is active
• VRRP is used to switch the IP address between the master and the slave, so the HPMC
appliances do not have to be in the same multicast domain. The master and the slave
will share one virtual IP address. In addition to that a management / physical address
for each of them is required to enable communication among each other. All three
addresses should be in the same subnet.
• Once the master fails, the secondary appliance will take over
• All active calls will be lost in a failover scenario
• Right after a failure, the call can be re-established via the secondary appliance

• The secondary appliance does not have to be maintained, since the configuration will
always be taken from the primary appliance (only pertaining to the FMC configuration)

The configuration of the solution is as follows. The primary server will contain all FMC con-
figuration. The slave server is normally configured for networking, firewalling etc. The FMC
configuration is only done by pointing to the master server via database synchronization, as
described in ?? . This will lead to a mirroring of this configuration. The VRRP portion has to
be setup separately. Please refer to ?? for more information.

4.20 SIP TLS configuration

The SIP TLS configuration page is a simple tool to upload a TLS private key and a TLS
certificate used to communicate with the client in TLS mode. Naturally this is only relevant
if you have a client that is able to support SIP in TLS mode. Otherwise you can ignore this
section.
The Convergence generates a new private key and a certificate automatically while booting if
no private key or certificate exists. Therefore, if you do not want to set up authentication based
on certificates, there is no need to do any configuration here.

Figure 4.20: SIP TLS configuration

4.20.0.1 Upload Private Key and Certificate

To upload a new TLS Private Key press the Browse button and select the new private key
from your file system (Figure: ??).

In the next step press the Upload button and the new TLS private key will be saved onto the
Convergence. The procedure for the TLS certificate is essentially the same (Figure: ??).

! The TLS certificate must fit the TLS private key, otherwise no TLS communication
will be possible

4.20.0.2 Create default private key and certificate

If you do not have any keys to use for TLS communication, you can also use the Convergence
to create a key set. Simply press Generate and the Convergence generates a new
default TLS private key and TLS certificate. These will be stored on the Convergence and
activated after pressing Apply Configuration.

4.21 QOS

This page allows you to configure layer 3 QoS tagging by using the DSCP/TOS byte in the IP header.
This tagging is supported both towards the FMC clientside as well as towards the PBX side.
Simply configure the correct interfaces here. Note that this tagging only makes sense for
outbound traffic.
There are three different ways to specify the traffic you want to mark:

• Interface
• IP and Application Protocol
• TCP / UDP Ports

There are several configuration options for each criterion:

• Protocol: Select a Protocol, either UDP, TCP, ICMP or ANY. ANY will match all packets.
• Received on Interface: This will match packets arriving on a specified interface. This
option only applies if the traffic is just forwarded and the Convergence hence acts as a
router. For traffic terminated on this device this rule is useless.
• Sent over Interface: Will match all packets sent out over the given interface. It does not
matter if the packets were forwarded or generated by the local device.
• Destination Port: Matches all packets addressed to the given destination port.
• L7 Protocol: Stands for Layer 7 Protocol and will actually analyze the payload of each
packet to match a certain protocol. Only a subset of the supported protocols is given as
a choice here, namely ANY, SIP, RTP, TLS. More protocols are usable via the CLI.


! The use of Layer 7 Filtering is discouraged for devices needing to handle high data rates (in excess of 5MBit constant load) because analyzing each packet can become quite resource consuming.

Traffic tagging methods:

• DSCP: Stands for DiffServ and is specified in the RFCs 2474 and 2475. The DiffServ standard supersedes the original specification for defining packet priority described in RFC 791.
• TOS: Type of Service as described in RFC 791.

Both set the intended QoS tag into the same byte field in the IP header. Whether this byte field will be interpreted as DSCP or TOS depends on the network infrastructure settings. The value can be entered in decimal (e.g. "38") or hexadecimal (e.g. "0x26").

i Note that it is only possible to specify one tagging method (i.e. DSCP or TOS) for any given tagging rule.
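To make the tagging methods concrete, the following Python helpers (an added example, not part of the manual or of the Convergence software) parse a value in either notation the page allows, build the byte a DSCP rule or a TOS rule would write, and decode one byte both ways. The symbolic names (CS, AF, EF) follow the DiffServ RFCs and are not part of the appliance's configuration.

```python
"""DSCP/TOS helpers for the QoS tagging rules described above.
Added example, not Comdasys code. The appliance writes one value into the
IP header's TOS byte; these functions show how that byte reads as DSCP or TOS."""


def parse_qos_value(text: str) -> int:
    """Accept the two notations the QoS page allows, decimal ("38") or
    hexadecimal ("0x26"), and return the numeric value."""
    text = text.strip().strip('"')
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= value <= 255:
        raise ValueError(f"{text!r} does not fit into the 8-bit TOS byte")
    return value


def dscp_to_tos_byte(dscp: int) -> int:
    """DSCP occupies the upper six bits of the TOS byte (RFC 2474); the two
    low bits are ECN and stay zero here."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP codepoints range from 0 to 63")
    return dscp << 2


def dscp_name(dscp: int) -> str:
    """Symbolic name of a codepoint: EF (RFC 3246), CSx (class selector),
    AFxy (assured forwarding, RFC 2597), or the plain number otherwise."""
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"
    af_class, drop = dscp >> 3, (dscp >> 1) & 0b11
    if 1 <= af_class <= 4 and 1 <= drop <= 3 and dscp % 2 == 0:
        return f"AF{af_class}{drop}"
    return str(dscp)


def describe_tos_byte(byte: int) -> dict:
    """Decode one TOS byte both ways: the page says the network, not the
    appliance, decides whether it is read as DSCP or as RFC 791 TOS."""
    if not 0 <= byte <= 255:
        raise ValueError("a TOS byte is 8 bits")
    return {
        "byte_hex": f"0x{byte:02x}",
        "dscp": byte >> 2,
        "dscp_name": dscp_name(byte >> 2),
        "ip_precedence": byte >> 5,   # RFC 791 precedence: top three bits
        "ecn": byte & 0b11,
    }


def tag_rule(method: str, value_text: str) -> int:
    """Byte a tagging rule writes for the single method chosen (DSCP or TOS);
    the page allows exactly one method per rule."""
    value = parse_qos_value(value_text)
    if method.upper() == "DSCP":
        return dscp_to_tos_byte(value)
    if method.upper() == "TOS":
        return value
    raise ValueError("tagging method must be DSCP or TOS")


if __name__ == "__main__":
    # The page's own sample value: decimal 38 equals hex 0x26 (AF43).
    for text in ("38", "0x26"):
        print(text, "->", describe_tos_byte(tag_rule("DSCP", text)))
```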

5 Command Line Interface

The Convergence does not only offer configuration via the Web interface but further provides access through a CLI (Command Line Interface). The configuration via the CLI is primarily used for special tasks such as resetting to factory defaults and for extended debugging. A detailed description of the functionality accessible through the CLI is provided in the Commandline Guide.

5.1 Accessing Convergence products

The Convergence is preconfigured for the IP address 10.0.0.205/24. In addition to the suggested way of configuring the box by adding a PC to this network and configuring the Convergence this way, there are additional, advanced methods of configuration. These methods are especially useful for immediately configuring the primary Ethernet interface properly. There are basically two methods for local and one for remote command line configuration. (Of course, for initial setup of interface addresses only the local methods are applicable.) You can access this CLI in three ways:

• Using a SSH client
• Using the serial interface (COM1, 9600-N-1)
• Using the console (i.e. by connecting a VGA monitor and a PS/2 keyboard)

In every case the username is root and the password is identical to the password set in the Web interface. You will get a Linux prompt that can be used like any other Linux computer.

5.1.1 The Convergence Command Line Console

There are 12 console windows available when accessing Convergence products with a keyboard and VGA monitor.¹ They can be reached by pressing the Alt key and one of the function keys F1 to F12 simultaneously.

¹ Applies only to Convergence products with VGA connector. As the VGA connector is not accessible from outside the product, this way to connect to the Convergence is reserved for service purposes. Opening the product and using the VGA connector should be done by the service engineering staff only.

Some of these consoles are reserved for special

purposes though, so only some of these consoles are usable for an administrator's command line console:

F1 Reserved for the start up screen
F2 Usable as command line console
F3 Usable as command line console
F4 Usable as command line console
F5 Usable as command line console
F6 Usable as command line console
F7 Reserved for future use
F8 Reserved for future use
F9 Reserved for future use
F10 Reserved for informational messages
F11 Reserved for error messages (severity warning and higher)
F12 Reserved for critical error messages

5.1.2 The Convergence Serial Line Console

It is also possible to access Convergence products via RS232 (aka COM1) and a terminal emulator program like MS Windows' Hyperterminal. The connection parameters for the serial line are: 9600 baud, 8 data bits, no parity, 1 stop bit, VT100 emulation.

5.1.3 The Convergence Remote SSH Console

The third possibility to get a command line terminal is to use a SSH (i.e. secure shell) connection using any SSH client (e.g. OpenSSH on Unix/Linux, PuTTY on Windows). Convergence products allow SSH version 2 connections from all configured interfaces, unless set differently in the security settings of the graphical user interface.

5.2 Initial setup using the Command Line Interface

If you log in via one of the local methods (VGA console or RS232 console) you get a login menu. The menu does the same as the analog WebGUI pages. The quick configuration menu can be used to e.g. assign an IP address to the unit. You can exit this quick configuration menu by pressing s. After exiting the quick configuration menu, you will see the following login prompt:

Akira login:

The only available user to log on is root, with the same password as the admin's password in the browser interface, initially sesam. You should change this password via the browser as soon as possible! After having logged in you see a prompt like this:

Akira login: root
password:
Akira Linux Release 1.2 (Lisa) for i686 at revision 528
No mail.
root@Akira:~ #

The actual numbers may vary, as they show the current version of the software at the time of this writing. Also the name Akira is just the initial name of the Convergence and can be altered using the Web interface (system name). The shell used is a normal bash, as known from almost all Linux distributions and a number of commercial Unices. When you have logged in, you probably want to adjust the IP settings of the first LAN interface first.

Examples:

1. To change your LAN's IP address to 192.168.1.20 (because your local network is e.g. 192.168.1.0/24), add the following command:
ifconfig eth0 192.168.1.20 netmask 255.255.255.0

2. If you want to modify the Convergence's WAN address, e.g. if you have a static internet address and want to do the rest of the configuration from a remote site, add (e.g. for a static address 1.2.3.4 with gateway 1.2.3.1):
ifconfig eth1 1.2.3.4 netmask 255.255.255.0 up
route add default gw 1.2.3.1

In both cases, immediately after entering these commands the Convergence is accessible from the given networks, but these settings have to be done again in the web interface (or in the baseconfig directly, as shown below) to become permanent.

! Be careful if you intend to configure the Convergence remotely: Initially there are no firewall rules in place and everyone who knows the IP address may log in and modify the box if the standard password has not been changed. Also pay attention that you don't change the IP address of the interface with which you're currently logged in if you're connected via SSH!

5.3 Restrictions using the Command Line Interface

While the command line environment is a plain bash shell there are nevertheless limitations on what can or should be done here. These limitations result from the approach of the Convergence to

1. remain compatible with the web interface, even when certain changes are done on the command line
2. remain upgradeable.

So the restrictions are (unless explicitly permitted by manufacturer's support):

• Don't modify configuration files, unless for special program packets that are not meant to be configured from the graphical user interface.
• Don't modify startup scripts.
• Don't modify parts of software programs.
• Don't install your own software packages.
• Don't change passwords (even if you find out how to do that).

Otherwise:

• Your modifications may disappear if you select Apply config in the web interface.
• Your modifications may disappear if you upgrade to a newer version of the system.
• Your modifications may disappear if you reboot your Convergence.
• Your Convergence may suddenly lack functionalities or functionalities stop working as desired.
• The security of your Convergence might be compromised.

In any of these cases, the manufacturer does not take any responsibility for damage that occurs (especially security breaches) because of improper use of this command line interface.

Because almost all features of the Convergence products can be configured via the browser GUI (and this is what you should normally do) all that is left that can safely be done on the command line is:

• Modify configuration files for special program packets that cannot be configured in the WebUI (e.g. traffic shaping).
• Modify the central configuration file /etc/config/baseconfig, which contains all configurable options of the web interface. See chapter ?? for details on this file.
• Debug network connections with the provided tools.
• Check error conditions more thoroughly.

5.4 Configuration utilities

Configuring Convergence products is normally done by editing one central configuration file called the baseconfig file, whose location is /etc/config/baseconfig. This file controls how the necessary configuration files for almost all services are generated by the applyconfig.sh utility. Because the reference for the baseconfig file is quite extensive, the details of this file are described in chapter ?? after explaining the utilities which work with this file first.

5.4.1 The "applyconfig.sh" utility

applyconfig.sh processes the baseconfig file and generates the configuration files for all daemons and other services that can be configured via the WebUI, overwriting already existing ones. There are two modes in which applyconfig.sh operates: with or without command line options. When called without any command line options all configuration files are generated, overwriting the previous ones. If arguments are passed only the configuration files for those services are generated. For example:

applyconfig.sh syslog

causes only the configuration file for the syslog daemon to be generated.

Because old configuration files are overwritten you should not edit the controlled configuration files directly, as the next time you press Apply configuration in the WebGUI all your changes will get overwritten by applyconfig.sh. To avoid accidental editing of a managed configuration file, running vi or vim on such a file will result in a warning and ask you whether to continue.² If you find the need to edit a managed configuration file repeatedly you can avoid the warning by passing -n as first argument, e.g.:

vi -n /etc/openser/openser.cfg

² This feature is available since releases 4675.18 and 6060.2 respectively.

5.4.2 The "restartservices" utility

Now that applyconfig.sh has written the configuration files we need to restart one or more (maybe even all) services. This is handled by the restartservices utility, which even allows groups of services to be restarted. Like applyconfig.sh this utility operates on all services when called without arguments. If arguments are given only the specified services are restarted. To get a list of known services and service groups enter:

restartservices -l

Another very useful command line argument is -n which causes restartservices to just show what it would do without actually doing anything, so you can be sure that it really will do what you want it to do, e.g.:

root@Akira/~ # restartservices -n logging
/usr/bin/setsid /etc/rc.d/rc3.d/K89klogd stop
/usr/bin/setsid /etc/rc.d/rc3.d/K90syslogd stop
/sbin/stophttpd
/sbin/stopsshd
/usr/bin/setsid /etc/rc.d/rc3.d/S10syslogd start
/usr/bin/setsid /etc/rc.d/rc3.d/S11klogd start
/sbin/starthttpd
/sbin/startsshd

5.4.3 The "chkconfig" utility

chkconfig is used for controlling the services' configuration (checking configuration). Services can be enabled and disabled depending on whether they should be started when running restartservices.sh or not. When starting services the system looks up whether there is a locking file for a particular service in /etc/config. The locking file is an empty file named <service>.norun, e.g. /etc/config/dyndns.norun. If a service is disabled it won't be started and will be simply ignored. There are two modes in which chkconfig operates: with or without command line options. When called without any command line options all services that support chkconfig and their current status (enabled/disabled) are listed. Typing chkconfig followed by the name of a particular service lists the current status of this service only. For example:

root@Akira/~ # chkconfig dyndns
dyndns on

A particular service can be enabled (or disabled) by typing chkconfig followed by the name of the service and on (or off). For example:

chkconfig dyndns on

enables DynDNS and

chkconfig dyndns off

disables it. Furthermore, chkconfig can be run with -q (quiet mode) which will suppress output, e.g. chkconfig -q dyndns. This can be used for scripting purposes, since the chkconfig return value is 0 for enabled services, and >0 otherwise.

5.4.4 applyfirewall.sh / flushfirewall.sh

Convergence products don't create Linux IPTables firewall rules directly but use an intermediate format called CIG which helps simplifying the creation of firewall setups. The applyfirewall.sh tool compiles the CIG script (located in /etc/sysconfig/firewall.wig) into IPTables rules and applies them. Custom IPTables rules may be added in /etc/sysconfig/firewall.custom. The flushfirewall.sh utility just flushes the current firewall rules, thus temporarily disabling the firewall, which could be done for testing purposes. This, however, will not flush NAT related rules. If you want to disable NAT too, call flushfirewall.sh with the command line option -n.

5.4.5 saveconfiguration / restoreconfiguration

saveconfiguration saves the most important configuration files. The files currently are: /etc/passwd, /etc/htpasswd, /etc/config/baseconfig, /etc/ssh/*, /etc/ssl/*, /etc/openvpn/*. They are saved into a file /tmp/configuration-<date>.cpio.gz (or /root/configuration-<date>.cpio.gz in older releases). To restore a configuration that was saved with saveconfiguration use restoreconfiguration and supply the appropriate file as argument. Note that restoreconfiguration automatically calls applyconfig.sh and restartservices to regenerate the configuration files for all services and to restart them.

5.5 The "baseconfig" configuration file

This chapter serves as a reference to the parameters of /etc/config/baseconfig, not as a conceptual guide to the techniques behind the products used. If you are interested in the basic concepts (e.g. on VPNs or iptables) please consult the products' web sites, mailing lists etc.

The purpose of the baseconfig file is to have a central configuration file that controls the generation of configuration files for all included services. The generation of configuration files is handled by the applyconfig.sh script which is described in section ??. A complete reference to all baseconfig keys, their explanations and their possible values is provided in chapter ??.

5.5.1 Syntax of baseconfig entries

The file baseconfig contains all configuration parameters that can be set using the web interface. Whenever data from the web interface is saved the entire file is read, the according entries are added/modified/deleted and then the entire file is written back in alphabetical order. This behaviour has two consequences:

• You may add as many additional parameters as you want (they just have no effect).
• You cannot use comments in this file the normal way. If you want to add a comment to a parameter, just create a new parameter with the same name as the original parameter, followed e.g. by _comment.

Example:

system_name=gatekeeper
system_name_comment=This is the name of my box

You already could see the overall syntax of entries in this file:

<Variable>=<Value>

<Variable> is the name of the parameter. A complete list of names used in the Convergence can be found in section ??. <Value> can be any entry; its interpretation depends on <Variable> and the service that is to be configured.

5.6 Parameter Reference for baseconfig

The following chapters describe all keys and their meanings used in the /etc/config/baseconfig file. See chapter ?? for an overview of this file.

5.6.1 Settings for First Local Network interface (lana_)

These settings configure the first LAN interface eth0.

Name: lana_ip
Description: IP address of first LAN interface or “dhcp” for dynamic IP support
Example: lana_ip=10.0.0.205

Name: lana_nm
Description: Net mask of first LAN interface
Example: lana_nm=255.255.255.0

Name: lana_dhcp_from
Description: Start of IP range for DHCP on first LAN interface. Has to be in the same subnet as lana_ip/lana_nm and has to be smaller than lana_dhcp_to
Example: lana_dhcp_from=10.0.0.220

Name: lana_dhcp_to
Description: End of IP range for DHCP on first LAN interface. Has to be in the same subnet as lana_ip/lana_nm and has to be higher than lana_dhcp_from
Example: lana_dhcp_to=10.0.0.230

Name: lana_dhcp_gw_ip
Description: Specifies optional standard gateway other than the Convergence itself.
Example: lana_dhcp_gw_ip=10.0.0.223

Name: lana_dhcp_dns1, lana_dhcp_dns2
Description: Specifies optional DNS servers forwarded to a DHCP client along with its assigned address. Not to be confused with system_dns, which is used by the Convergence itself.
Example: lana_dhcp_dns1=217.145.104.11

Name: lana_dhcp_ntp1, lana_dhcp_ntp2, lana_dhcp_ntp3
Description: Specifies optional NTP time servers forwarded to a DHCP client along with its assigned address. Not to be confused with system_dns, which is used by the Convergence itself.
Example: lana_dhcp_ntp1=217.145.104.11

Name: lana_nat
Description: Value “0” (no) or “1” (yes), specifies whether NAT should be used between the first LAN interface (eth0) and WAN (eth1).
Example: lana_nat=1

5.6.2 Settings for Second Local Network interface (lanb_)

These settings configure the second LAN interface eth2.

Name: lanb_type
Description: Specifies usage of second LAN interface (eth2). Valid values are:
“inactive”: second LAN interface is not used at all, all values referencing lanb are not used
“dmz”: second LAN is used as DMZ. NAT is not supported on this interface and the interface cannot be opened unlimited against the first LAN interface.
“internal”: second LAN is a normal second internal network and treated like the first LAN
Example: lanb_type=inactive

Name: lanb_ip
Description: IP address of second LAN interface (eth2) or “dhcp” for dynamic IP support
Example: lanb_ip=192.168.1.1

Name: lanb_nm
Description: Net mask of second LAN interface (eth2)
Example: lanb_nm=255.255.255.0

Name: lanb_dhcp_from
Description: Start of IP range for DHCP on second LAN interface. Has to be in the same subnet as lanb_ip/lanb_nm and has to be smaller than lanb_dhcp_to
Example: lanb_dhcp_from=192.168.1.10

Name: lanb_dhcp_to
Description: End of IP range for DHCP on second LAN interface. Has to be in the same subnet as lanb_ip/lanb_nm and has to be higher than lanb_dhcp_from
Example: lanb_dhcp_to=192.168.1.20

Name: lanb_dhcp_gw_ip
Description: Specifies optional standard gateway other than the Convergence itself.
Example: lanb_dhcp_gw_ip=192.168.1.13

Name: lanb_dhcp_dns1, lanb_dhcp_dns2
Description: Specifies optional DNS servers forwarded to a DHCP client along with its assigned address. Not to be confused with system_dns, which is used by the Convergence itself.
Example: lanb_dhcp_dns1=217.145.104.11

Name: lanb_dhcp_ntp1, lanb_dhcp_ntp2, lanb_dhcp_ntp3
Description: Specifies optional NTP time servers forwarded to a DHCP client along with its assigned address. Not to be confused with system_dns, which is used by the Convergence itself.
Example: lanb_dhcp_ntp1=217.145.104.11

Name: lanb_nat
Description: Value “0” (no) or “1” (yes), specifies whether NAT should be used between the second LAN interface (eth2) and WAN (eth1).
Example: lanb_nat=1

5.6.3 Settings for Wide Area Network interface (wan_)

These settings configure the WAN interface eth1 and its PPP connection.

Name: wan_type
Description: Type of WAN connection, one of:
“ip”: static Internet address used, implies wan_ip, wan_nm
“pppoe”: ISP connection using PPPoE is used for Internet access, implies wan_user, wan_pwd
“pptp”: ISP connection using PPTP is used for Internet access, implies wan_user, wan_pwd, wan_ip, wan_gw
Example: wan_type=pppoe

Name: wan_ip
Description:
• Static IP address of WAN interface (eth1), if a static Internet address is used for connection
• IP address of Convergence in transfer net to DSL modem, if PPTP is used
Example: wan_ip=62.178.34.34

Name: wan_gw
Description: IP address of PPTP DSL modem
Example: wan_gw=62.178.34.35

Name: wan_nm
Description: Netmask of WAN interface (eth1)
Example: wan_nm=255.255.255.248

Name: wan_user
Description: User name for PPPoE and PPTP connections
Example: wan_user=123567.213523@my_provider

Name: wan_pwd
Description: Password for PPPoE and PPTP connections
Example: wan_pwd=kgvfasdhl

5.6.4 Settings for Virtual Interfaces (vif_intf)

Use these settings to configure virtual interfaces on your box (so called IP Aliasing). A virtual interface can also be configured as a VLAN. You can then define routing policies as well as security policies between the virtual interfaces to route packets any way you like.

VLAN is a virtual LAN. The acronym VLAN expands to Virtual Local Area Network. In technical terms, a VLAN is a broadcast domain created by switches. Normally, it is a router creating that broadcast domain. With VLANs, a switch can create the broadcast domain.

This works by you, the administrator, putting some switch ports in a VLAN other than 1, the default VLAN. All ports in a single VLAN are in a single broadcast domain. A LAN is a local area network and is defined as all devices in the same broadcast domain. If you remember, routers stop broadcasts, switches just forward them. A VLAN is a logical local area network (or LAN) that extends beyond a single traditional LAN to a group of LAN segments, given specific configurations. Since switches can talk to each other, some ports on switch A can be in VLAN 10 and other ports on switch B can be in VLAN 10. Broadcasts between these devices will not be seen on any other port in any other VLAN, other than 10. However, these devices can all communicate because they are on the same VLAN. Without additional configuration, they would not be able to communicate with any other devices not in their VLAN. Similarly to physical LANs, you need a router to exchange packets between two VLANs. In order to achieve that, you can create a Virtual Interface for each VLAN the Convergence is in.

Name: vif_intfx=[native interface;name;ip;netmask]
Description: The option value must be enclosed in square brackets. The option value is a semicolon separated list which must contain the following information:
1. Interface name (such as lana, wan) for which the IP alias should be created
2. Number of the virtual interface. Every interface for aliasing needs to have a number to uniquely identify it. The name of the interface on the device will then be ”physical interface name”:”number”, only separated by a colon. For VLANs, this number is the same as the VLAN tag you want to be using.
3. IP address of the network to be configured.
4. Netmask of the network to be configured on this virtual interface.
5. Activate VLAN. If this switch is set to on, a VLAN interface will be created with the number as tag.
Example: vif_intf0=[lana;gw1;192.168.123.254;255.255.255.0] or for VLAN vif_intf0=[lana;7;192.168.123.254;255.255.255.0;on]

! Note that you cannot configure two interfaces with the same network and netmask; similar configurations can cause very unwanted routing behavior, and especially overlapping netmasks will not be caught by the sanity check in the configuration management.

5.6.5 Settings for System Settings (system_)

These settings configure aspects of the box itself, e.g. for ping, dyndns, etc.

Name: system_name
Description: Computer name of the Convergence
Example: system_name=gatekeeper

Name: system_dns
Description: DNS server for name resolution of the Convergence.
Example: system_dns=217.145.104.11

5.6.6 Settings for System Logging (syslog_)

These settings configure the system’s logging behaviour.
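The overlap caveat above, as an added example that is not part of the manual: this Python script reads the lana/lanb/wan addresses and all vif_intfx arrays from a baseconfig file and reports identical or overlapping networks, including the overlapping netmasks that the device’s own sanity check does not catch. The sample entries, the semicolon separated array format and the function names are assumptions of this example.

```python
"""Offline sanity check for vif_intfx entries: identical and overlapping networks.

Added example, not part of the Comdasys manual or product.  It assumes the
semicolon separated array format [interface;number;ip;netmask[;on]] and
key names lana_ip/lana_nm, lanb_ip/lanb_nm, wan_ip/wan_nm.
"""
import ipaddress
import re

# Constructed sample; the overlap between vif_intf1 and vif_intf2 is deliberate:
# 192.168.124.0/23 covers 192.168.124.0 - 192.168.125.255.
SAMPLE = """\
lana_ip=10.0.0.205
lana_nm=255.255.255.0
vif_intf0=[lana;gw1;192.168.123.254;255.255.255.0]
vif_intf1=[lana;7;192.168.124.1;255.255.254.0;on]
vif_intf2=[wan;1;192.168.125.1;255.255.255.0]
"""

VIF_RE = re.compile(r"^vif_intf(\d+)$")


def collect_networks(text):
    """Return [(label, IPv4Network)] for the physical interfaces and every vif_intfx."""
    kv = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    nets = []
    for phys in ("lana", "lanb", "wan"):
        ip, nm = kv.get(f"{phys}_ip"), kv.get(f"{phys}_nm")
        if ip and nm and ip != "dhcp":   # "dhcp" means no static network is known
            nets.append((phys, ipaddress.IPv4Network(f"{ip}/{nm}", strict=False)))
    for key, value in kv.items():
        if not VIF_RE.match(key):
            continue
        if not (value.startswith("[") and value.endswith("]")):
            raise ValueError(f"{key}: value must be enclosed in square brackets")
        fields = [f.strip() for f in value[1:-1].split(";")]
        if len(fields) < 4:
            raise ValueError(f"{key}: expected at least 4 fields, got {fields}")
        phys, number, ip, nm = fields[:4]
        # Device naming per the manual: "physical interface name":"number".
        nets.append((f"{phys}:{number}", ipaddress.IPv4Network(f"{ip}/{nm}", strict=False)))
    return nets


def find_conflicts(nets):
    """Pairs of interfaces whose networks are identical or overlap, with the reason."""
    conflicts = []
    for i, (a_label, a_net) in enumerate(nets):
        for b_label, b_net in nets[i + 1:]:
            if a_net == b_net:
                conflicts.append((a_label, b_label, "identical network"))
            elif a_net.overlaps(b_net):
                conflicts.append((a_label, b_label, "overlapping netmasks"))
    return conflicts


if __name__ == "__main__":
    for a, b, why in find_conflicts(collect_networks(SAMPLE)):
        print(f"{a} and {b}: {why}")
```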

Name: syslog_server
Description: Name or IP address of a remote syslog server that shall get all system and kernel messages of this Convergence
Example: syslog_server=10.0.0.10

Name: syslog_level
Description: Severity level for logging; everything from this level on will be logged. Values are (in descending order of verbosity): “debug”, “info”, “notice”, “warning”, “error”, “critical”, “alert”, “emergency”
Example: syslog_level=debug

Name: syslog_file
Description: If set, log messages will be logged to this local file. Use with caution! There is only limited space available and there is no mechanism to prevent syslog from filling up the entire file system. Warning: Use this option only if you know what you are doing!
Example: syslog_file=1

5.6.7 Port numbers (sshd_, https_)

Use these settings to customize port numbers for ssh and https.

Name: sshd_port
Description: Custom port number for ssh; a valid number is any integer from the range 0-65535. Default value is set to “22”.
Example: sshd_port=22000

Name: httpd_port
Description: Custom port number for https; a valid number is any integer from the range 0-65535. Default value is set to “443”.
Example: httpd_port=44300

5.6.8 Settings for Dynamic DNS (dyndns_)

These settings configure a dynamic DNS service, which is especially useful when no static address is available for the WAN interface. For most services the same username/password may be used for a number of hostnames. If you use this feature, a malicious user on one Convergence might be able to modify registered addresses from other boxes, which is a potential security risk!

Name: dyndns_type
Description: Dynamic DNS service to be used. This Convergence supports several suppliers of dynamic DNS services; have a look at their web sites for additional information and registration:
“dhs” www.dhs.org
“dyndns” www.dyndns.org
“dyns” www.dyns.cx
“easydns” www.easydns.com
“eznet” www.ez-ip.net
“hnorg” www.hn.org
“justlinux” www.justlinux.com
“ods” www.ods.org
“tzocom” www.tzo.com
“zoneedit” www.zoneedit.com
Example: dyndns_type=dyndns

Name: dyndns_user
Description: Username you are registered with at the selected dyn-DNS service
Example: dyndns_user=comdasys_test

Name: dyndns_pwd
Description: Password for your registered dyn-DNS username
Example: dyndns_pwd=test_pwd

Name: dyndns_host
Description: Registered hostname for this Convergence. It will be reachable from the Internet using this name.
Example: dyndns_host=gatekeeper.testdom.com

5.6.9 Settings for Name Server (bind_)

These settings configure the Name Server function.

Name: bind_mode
Description: Intended use of the Name Server, one of:
“on”: Name Server enabled, implies bind_dnsx
“off”: Name Server disabled, no query forwarding
“custom”: Custom configuration of Name Server
Example: bind_mode=custom

Name: bind_dnsx
Description: IP address of a DNS server (forwarder) that should be asked if a DNS query could not be resolved
Example: bind_dns0=10.0.0.10

Name: bind_slaveZonex
Description: IP address of a master server for the given zone of type slave
Example: bind_slaveZone0=[zoneName;10.0.0.1;zoneFileName]

Name: bind_forwardZonex
Description: IP addresses of one or more forwarder servers for the given zone of type forward; IP addresses have to be separated by blank
Example: bind_forwardZone0=[zoneName;10.0.0.12 10.0.0.14]

Name: proxy_sip_transparent
Description: Enables transparent SIP proxy functionality
Example: proxy_sip_transparent=on

5.6.10 Settings for Routing (routex)

These settings contain static routes, one per parameter. The parameters need to be numbered consecutively; if a number is missing, processing of routing information will stop at that gap.

Name: routex
Description: Static route with numerical identifier <x>; the parameter contains all information in a semicolon separated array: [<Network to be routed to>; <netmask of network to be routed to>; <gateway>; <interface>]
Example: route0=[10.0.42.0;255.255.255.0;10.0.0.1;LANA] route1=[10.0.11.0;255.255.255.0;10.0.0.254;LANA]

5.6.11 Bandwidth (htb_)

Name: htb_classx
Description:
Example:

Name: htb_virtifx
Description:
Example:

Name: htb_ifx_default
Description:
Example:

5.6.12 Settings for Bandwidth Daemon (bw_)

These settings configure the bandwidth daemon that monitors the network traffic and calculates the current average bandwidth. The bandwidth daemon is queried by the SIP proxy for Call Admission Control (CAC).

Name: bw_rate
Description: Sample rate, in tenths of a second; the default value is “1”
Example: 1

Name: bw_size
Description: Number of samples; combined with bw_rate this value determines the size of the time window the bandwidth daemon uses. The default value is “30”
Example: 30

Name: bw_log
Description: Log level, possible values are: “none”, “error”, “warning”, “info”, “debug”
Example: info

5.6.13 NTP (ntp_)

These settings define NTP servers that can be used to synchronize the system time with.

Name: ntp_on
Description: Turning on/off NTP, one of:
“on”: NTP feature enabled, implies ntp_namex, ntp_prefx
“off”: NTP feature disabled
Example: ntp_on=on

Name: ntp_namex
Description: IP address of an NTP server
Example: ntp_name0=10.1.42.10

Name: ntp_prefx
Description: Preferring answers sent by a particular NTP server, one of: “on”, “off”
Example: ntp_pref0=on

5.6.14 Settings for Firewall (fw_)

These settings contain all information to configure iptables. In general firewall rules are executed in the following order:

• Allow rules for active clients (DNS, syslog, dynamic DNS, etc.)
• Allow rules for admin access (ssh and https)
• Allow rules for IPsec and OpenVPN
• Allow rules for base services (see fw_lana_services, fw_lanb_services)
• Include file /etc/sysconfig/firewall.custom (except rules added with ”iptables -I”)
• User defined rules (with fw_rulex, see below)
• Deny all

5.6.14.1 Meta Parameters for Firewall (fw_)

There are a number of ”meta” rules that cause a whole range of rules to be generated.

Name: fw_seclevel
Description: This parameter allows to disable all access configuration and set the Convergence to a special secure mode. Valid values:
• “secure”: All local Internet access is switched off. Only access between local networks and remote sites via tunnel connections is possible.
• “custom”: normal operation
Example: fw_seclevel=custom

Name: fw_loglevel
Description: Level indicating which rules generate messages; the value is an integer between “0” (no logging at all) and “9” (very verbose logging). This parameter just states how many iptables LOG rules are created. Default level is “4” (log all denied packets).
Example: fw_loglevel=0

Name: fw_ssh_via_lana
Description: Permit (“1”) or deny (“0”) SSH access to the Convergence via the first LAN interface (eth0)
Example: fw_ssh_via_lana=0

Name: fw_ssh_via_lanb
Description: Permit (“1”) or deny (“0”) SSH access to the Convergence via the second LAN interface (eth2)
Example: fw_ssh_via_lanb=0

Name: fw_ssh_via_wan
Description: Permit (“1”) or deny (“0”) SSH access to the Convergence via the WAN interface (eth1)
Example: fw_ssh_via_wan=0

Name: fw_https_via_lana
Description: Permit (“1”) or deny (“0”) HTTPS access to the Convergence via the first LAN interface (eth0)
Example: fw_https_via_lana=0

Name: fw_https_via_lanb
Description: Permit (“1”) or deny (“0”) HTTPS access to the Convergence via the second LAN interface (eth2)
Example: fw_https_via_lanb=0

Name: fw_https_via_wan
Description: Permit (“1”) or deny (“0”) HTTPS access to the Convergence via the WAN interface (eth1)
Example: fw_https_via_wan=0

Name: fw_lana_all_open
Description: Permit (“1”) or deny (“0”) unlimited access from the first LAN interface (eth0) to the internet. This only applies to outgoing connections.
Example: fw_lana_all_open=1

Name: fw_lana_services
Description: List of outgoing services, separated by whitespace, that are valid through the first LAN interface (eth0). Valid services are: “DNS”, “FTP”, “HTTP”, “HTTPS”, “NTP”, “PING”, “POP3”, “SMTP”, “SNMP”, “SSH”, “TELNET”
Example: fw_lana_services=FTP SSH HTTP HTTPS

Name: fw_lanb_all_open
Description: Permit (“1”) or deny (“0”) unlimited access from the second LAN interface (eth2) to the internet. This only applies to outgoing connections.
Example: fw_lanb_all_open=0

Name: fw_lanb_services
Description: List of outgoing services, separated by whitespace, that are valid through the second LAN interface (eth2). Valid services are: “DNS”, “FTP”, “HTTP”, “HTTPS”, “NTP”, “PING”, “POP3”, “SMTP”, “SNMP”, “SSH”, “TELNET”
Example: fw_lanb_services=FTP SSH HTTP HTTPS

Name: fw_lana_lanb_open
Description: Permit (“1”) or deny (“0”) unlimited access between the two LANs (only supported if the second LAN is internal)
Example: fw_lana_lanb_open=1

5.6.14.2 Firewall Rules (fw_rulex)

These settings contain rules, one per parameter set fw_rulex. The rules have to be numbered consecutively (substitute x with that number); if a number is missing, processing of rules will stop at that gap. Almost all parameters apart from fw_rulex_in_int, fw_rulex_out_int (which may be ANY), fw_rulex_policy and fw_rulex_type are optional. In fact, generally not giving a parameter means a wildcard (all possible values).

If the security level (fw_seclevel) is switched from custom to secure, all existing firewall rule parameters are renamed to no_fw_rulex and are therefore not applicable. If the security level is switched back, all these rules are activated again by renaming them back to their normal names.

Name: fw_rulex_in_int
Description: Incoming interface for rule x, one of “ANY”, “LAN1”, “LAN2”, “WAN”, a tunnel name (generating forward rule) or “LOCAL” (generating incoming rule)
Example: see example below ??

Name: fw_rulex_out_int
Description: Outgoing interface for rule x, one of “ANY”, “LAN1”, “LAN2”, “WAN”, a tunnel name (generating forward rule) or “LOCAL” (generating outgoing rule)
Example: see example below ??

Name: fw_rulex_s_ip
Description: Source IP address, may also specify a network address; if fw_rulex_s_nm is not “255.255.255.255”, it has to be a valid network address.
Example: see example below ??

Name: fw_rulex_s_nm
Description: Source IP address netmask. If fw_rulex_s_nm is not “255.255.255.255”, fw_rulex_s_ip has to be a valid network address.
Example: see example below ??

Name: fw_rulex_s_port
Description: Source port for packet, only used if fw_rulex_type is “TCP” or “UDP”
Example: see example below ??

Name: fw_rulex_d_ip
Description: Destination IP address, may also specify a network address; if fw_rulex_d_nm is not “255.255.255.255”, it has to be a valid network address.
Example: see example below ??

Name: fw_rulex_d_nm
Description: Destination IP address netmask. If fw_rulex_d_nm is not “255.255.255.255”, fw_rulex_d_ip has to be a valid network address.
Example: see example below ??

Name: fw_rulex_d_port
Description: Destination port for packet, only used if fw_rulex_type is “TCP” or “UDP”
Example: see example below ??

Name: fw_rulex_policy
Description: “ACCEPT” or “DENY” (which is useless in most cases, because the “DENY ALL” rules are next to these rules).
Example: see example below ??

Name: fw_rulex_type
Description: Protocol type for this rule, is either “TCP”, “UDP” or “ICMP” or a protocol number (e.g. from /etc/protocols)
Example: see example below ??

Name: fw_rulex_icmp_type
Description: ICMP type to which the rule shall apply, only used if fw_rulex_type is ICMP. Valid values are: “address-mask-request”, “address-mask-reply”, “destination-unreachable”, “echo-reply”, “echo-request”, “parameter-problem”, “redirect”, “router-advertisement”, “router-solicitation”, “source-quench”, “time-exceeded”, “timestamp-request”, “timestampreply”
Example: see example below ??

5.6.15 Example for fw_rulex

fw_rule0_in_int=ANY
fw_rule0_out_int=WAN
fw_rule0_d_ip=16.1.2.120
fw_rule0_d_nm=255.255.255.255
fw_rule0_d_port=22
fw_rule0_policy=ACCEPT
fw_rule0_type=TCP

This allows SSH (i.e. port 22) access from any internal network to the internet computer with address 16.1.2.120.

5.6.16 Settings for Port Forwarding (fwd_)

These settings contain port forwardings to computers in NAT’ed local networks, one per parameter. The parameters have to be numbered consecutively; if a number is missing, processing will stop at that gap.

Name: fwdx
Description: Forwarding rule; the parameter contains all information in a semicolon separated array: port on Convergence; target IP address; target port
Example: fwd0=[2222;10.0.0.10;22] sets port forwarding from the Convergence’s WAN interface port 2222 to the SSH port on local box 10.0.0.10

5.6.17 Settings for VPNs (vpnx_)

These settings contain VPN definitions, one tunnel per parameter set vpnx_. The tunnels have to be numbered consecutively; if a number is missing, processing of tunnels will stop at that gap.
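As an added example (not code from the manual or the firmware), this Python linter collects fw_rulex parameter sets from a baseconfig file, applies the consecutive numbering rule (processing stops at the first gap, so later rules silently never take effect), treats absent optional parameters as wildcards, and checks that a source or destination given with a netmask other than 255.255.255.255 is a valid network address. The sample rules (rule 0 is the manual’s example above; rules 1 and 3 are constructed) and all names are this example’s own.

```python
"""Collect fw_rulex parameter sets from a baseconfig file and lint them.

Added example, not part of the Comdasys manual or product.  It implements
the rules stated in the manual: consecutive numbering from fw_rule0 with
processing stopping at the first gap, required parameters in_int, out_int,
policy and type, missing optional parameters meaning "any", and the
netmask rule for s_ip/d_ip.  Rules parked as no_fw_rulex_* by
fw_seclevel=secure are recognised but not treated as active.
"""
import ipaddress
import re

REQUIRED = ("in_int", "out_int", "policy", "type")

# Constructed sample: rule 0 is the manual's example, rule 1 has a source that is
# not a network address for its netmask, rule 2 is missing, so rule 3 is never applied.
SAMPLE = """\
fw_rule0_in_int=ANY
fw_rule0_out_int=WAN
fw_rule0_d_ip=16.1.2.120
fw_rule0_d_nm=255.255.255.255
fw_rule0_d_port=22
fw_rule0_policy=ACCEPT
fw_rule0_type=TCP
fw_rule1_in_int=LAN1
fw_rule1_out_int=WAN
fw_rule1_s_ip=10.0.0.205
fw_rule1_s_nm=255.255.255.0
fw_rule1_policy=ACCEPT
fw_rule1_type=UDP
fw_rule3_in_int=WAN
fw_rule3_out_int=LAN1
fw_rule3_policy=ACCEPT
fw_rule3_type=TCP
"""

RULE_RE = re.compile(r"^(no_)?fw_rule(\d+)_([a-z_]+)$")


def collect_rules(text, parked=False):
    """Group fw_rulex_* (or, with parked=True, no_fw_rulex_*) keys by rule number."""
    rules = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = RULE_RE.match(key.strip())
        if not m or bool(m.group(1)) != parked:
            continue
        rules.setdefault(int(m.group(2)), {})[m.group(3)] = value.strip()
    return rules


def active_rules(rules):
    """Rules the device actually applies: consecutive from 0 up to the first gap."""
    active, n = [], 0
    while n in rules:
        active.append((n, rules[n]))
        n += 1
    return active


def lint_rule(n, params):
    """Problems with one rule; an empty list means the rule is well formed."""
    problems = []
    for name in REQUIRED:
        if name not in params:
            problems.append(f"fw_rule{n}_{name} missing")
    for side in ("s", "d"):
        ip = params.get(f"{side}_ip")
        nm = params.get(f"{side}_nm", "255.255.255.255")
        if ip and nm != "255.255.255.255":
            try:
                ipaddress.IPv4Network(f"{ip}/{nm}", strict=True)   # host bits must be zero
            except ValueError:
                problems.append(f"fw_rule{n}_{side}_ip={ip} is not a network address for netmask {nm}")
    if params.get("type") not in ("TCP", "UDP") and ("s_port" in params or "d_port" in params):
        problems.append(f"fw_rule{n}: ports are only used for TCP or UDP")
    return problems


def lint(text):
    """Return {'applied': [rule numbers in effect], 'problems': [messages]}."""
    rules = collect_rules(text)
    applied = active_rules(rules)
    report = {"applied": [n for n, _ in applied], "problems": []}
    skipped = sorted(set(rules) - set(report["applied"]))
    if skipped:
        last = report["applied"][-1] if report["applied"] else None
        report["problems"].append(f"numbering gap after fw_rule{last}: rules {skipped} are never applied")
    for n, params in applied:
        report["problems"].extend(lint_rule(n, params))
    return report


if __name__ == "__main__":
    for line in lint(SAMPLE)["problems"]:
        print(line)
```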

These parameters describe IPsec and OpenVPN tunnels. While most parameters are common for both types, there are some specific ones:
• IPsec only: vpnx_local_if, vpnx_remote
• OpenVPN only: vpnx_local_ip, vpnx_remote_ip, vpnx_port, vpnx_tls

Name: vpnx_name
Description: A (preferably not too long) unique name describing the tunnel connection.
Example: vpn0_name=munich-branch

Name: vpnx_active
Description: A possibility to activate (“1”) or deactivate (“0”) a tunnel temporarily.
Example: vpn0_active=1

Name: vpnx_type
Description: Sets the type of the tunnel. It has either the value “openvpn” or “ipsec”. If the type is “openvpn”, a tun device with the VPN’s number will be used (e.g. for vpn0 a device /dev/tun0 will be created)
Example: vpn0_type=ipsec

Name: vpnx_partner_net
Description: Remote side’s network to be secured by the tunnel.
Example: vpn0_partner_net=10.5.0.0

Name: vpnx_partner_nm
Description: Netmask of remote side’s network to be secured by the tunnel.
Example: vpn0_partner_nm=255.255.0.0

Name: vpnx_partner_ip
Description: Public IP address of remote VPN gateway. If neither this parameter nor vpnx_partner_name are set, a road warrior with dynamic IP address is assumed. If this value is given, vpnx_partner_name is not evaluated.
Example: vpn0_partner_ip=219.23.132.67

Name: vpnx_partner_name
Description: Public DNS name of remote VPN gateway. If neither this parameter nor vpnx_partner_ip are set, a road warrior with dynamic IP address is assumed. A dynamic DNS name may only be used with OpenVPN tunnels, as IPsec and dynamic DNS names result in synchronisation problems as soon as the dynamic DNS host’s IP address changes.
Example: vpn0_partner_name=vpngate.mycompany.com

Name: vpnx_local_if
Description: Interface connected to the IPsec tunnel, alternatively an IP address on a local network that will then be connected to the tunnel.
Example: vpn0_local_if=LAN1

Name: vpnx_local_ip
Description: Local side’s IP address for the OpenVPN transfer network. This address must be used as remote IP on the remote gateway. This address and vpnx_remote_ip must be unique (especially different OpenVPN connections may not use the same addresses).
Example: vpn0_local_ip=10.254.254.1

Name: vpnx_remote_ip
Description: Remote side’s IP address for the OpenVPN transfer network. This address must be used as local IP on the remote gateway. This address and vpnx_local_ip must be unique (especially different OpenVPN connections may not use the same addresses).
Example: vpn0_remote_ip=10.254.254.2

Name: vpnx_port
Description: Port number to be used for the OpenVPN connection. The port must be unique (especially different OpenVPN connections may not use the same port). This port must be the same as configured on the remote gateway. Normally port numbers start from 5000 and are incremented for additional connections.
Example: vpn0_port=5001

Name: vpnx_ss
Description: Defines
• a shared secret for a password based setup of an IPsec connection
• a shared secret file for a shared secret based setup of an OpenVPN connection. The file /etc/openvpn/secrets/<ss>.key must exist.
This parameter and vpnx_cert are mutually exclusive.
Example: vpn0_ss=test_secret

Name: vpnx_cert
Description: Defines a certificate for a certificate based setup of the IPsec/OpenVPN connection. The following files must exist locally for IPsec connections:
• /etc/ipsec.d/certs/<certificate>-cert.pem containing a X.509 certificate
• /etc/ipsec.d/private/<certificate>-key.pem containing the RSA key
The following files must exist locally for OpenVPN connections:
• /etc/ssl/certs/<certificate>-cert.pem containing a X.509 certificate
• /etc/ssl/private/<certificate>-key.pem containing the RSA key
• /etc/ssl/CA/certs/<CA certificate>-cert.pem containing the CA certificate the certificate was signed with
All these files are normally managed by the web interface. This parameter and vpnx_ss are mutually exclusive.
Example: vpn0_cert=roadwarrior

Name: vpnx_remote
Description: Describes the X.509 compatible subject of the remote certificate. If the remote certificate was created on the Convergence and exported to the remote PC as PKCS12 certificate, the subject can be checked in the web interface or with the following command on the Convergence: openssl x509 -in /etc/ssl/certs/<remotecertificate>.pem -text | grep Subject:
This information is only necessary for IPsec connections; for OpenVPN connections the CA cert information is processed automatically (TLS connection).
Example: vpn0_remote=CN=L2TP-Mobile,OU=Mobile,O=Test-Org,C=DE

Name: vpnx_tls
Description: Certificate based OpenVPN connections use TLS; one of the connection partners has to be defined as TLS server, the other one as TLS client.
Example: vpn0_tls=server

5.6.18 Settings for L2TP Server (l2tp_)

5.6.18.1 Generic L2TP Server Settings (l2tp_)

These settings contain all information to set up an L2TP server on the Convergence.

Name: l2tp_active
Description: This parameter allows a temporary switch off of the l2tp server without the need to delete all parameters. Values are “1” (active) and “0” (not active).
Example: l2tp_active=1

Name: l2tp_localip
Description: Sets the local IP address within the network allocated to the L2TP transfer network. At the same time, together with “l2tp_netmask”, it defines the L2TP transfer network.
Example: l2tp_localip=192.168.2.1

Name: l2tp_netmask
Description: Defines the size of the L2TP transfer network
Example: l2tp_netmask=255.255.255.0

Name: l2tp_rangestart
Description: Within the L2TP transfer network, defines the first address to assign to a client that has not defined its own static IP address; the value has to be within the L2TP transfer network defined by l2tp_localip and l2tp_netmask.
Example: l2tp_rangestart=192.168.2.100

Name: l2tp_rangeend
Description: Within the L2TP transfer network, defines the last address to be assigned to a client that has not defined its own static IP address; the value has to be within the L2TP transfer network defined by l2tp_localip and l2tp_netmask.
Example: l2tp_rangeend=192.168.2.200

Name: l2tp_msdns
Description: Defines a DNS server that will be assigned to the clients (optional)
Example: l2tp_msdns=217.145.104.11

Name: l2tp_mswins
Description: Defines a WINS server that will be assigned to the clients (optional) to allow them WINS name resolution and browsing.
Example: l2tp_mswins=10.0.0.200

5.6.18.2 User Based L2TP Server Settings (l2tp_userx)

These settings contain settings that apply to special users / computers upon their connection setup. When using L2TP to connect Windows XP and Windows 2000 computers, there is a number of protocol layers involved:

1. Mostly PPP to connect the remote computer to the Internet, using username and password. No authentication is done on this layer.
2. An IPsec connection is set up to establish an encrypted communication channel; the authentication can be done via passwords (shared secrets) or certificates, both possibilities can be configured on a per-user basis.
3. An L2TP (Layer 2 tunnel protocol) connection is established on top of IPsec; authentication is done via connection settings.
4. On top there is another PPP session that finally establishes an IP session between the remote computer and the Convergence. This session has to be authenticated again. Within this session, the remote computer also receives its IP address.

The user specific parameters have to be numbered consecutively; if a number is missing, processing will stop at that gap.

Name: l2tp_userx_name
Description: PPP login name
Example: l2tp_user0_name=testuser

Name: l2tp_userx_pwd
Description: PPP login password
Example: l2tp_user0_pwd=testpwd

Name: l2tp_userx_ip
Description: Optional static IP address; if this value is set, the user always receives the same IP address, otherwise he gets one from the pool l2tp_rangestart - l2tp_rangeend. The value has to be within the L2TP transfer network defined by l2tp_localip and l2tp_netmask, but outside the pool defined by l2tp_rangestart and l2tp_rangeend. This option might be interesting for setting special firewall rules for particular users.
Example: l2tp_user0_ip=192.168.2.30

Name: l2tp_userx_ss
Description: Defines a shared secret for a password based setup of the IPsec connection. This parameter and l2tp_userx_cert / l2tp_userx_remote are mutually exclusive.
Example: l2tp_user0_ss=test_secret

Name: l2tp_userx_cert
Description: Defines a certificate for a certificate based setup of the IPsec connection. The following files must exist locally:
• /etc/ipsec.d/certs/<certificate>-cert.pem containing a X.509 certificate
• /etc/ipsec.d/private/<certificate>-key.pem containing the RSA key
These files are normally managed by the web interface. This parameter and l2tp_userx_ss are mutually exclusive.
Example: l2tp_user0_cert=roadwarrior

Name: l2tp_userx_remote
Description: Describes the X.509 compatible subject of the remote certificate. If the remote certificate was created on the Convergence and exported to the remote PC as PKCS12 certificate, the subject can be checked in the web interface or with the following command on the Convergence: openssl x509 -in /etc/ssl/certs/<remotecertificate>.pem -text | grep Subject:
Example: l2tp_user0_remote=CN=L2TP-Mobile,OU=Mobile,O=Test-Org,C=DE

5.6.19 Settings for SNMP (snmp_)

These settings configure the SNMP daemon.

Name: snmp_enable
Description: Enable or disable the SNMP daemon
Example: snmp_enable=on

Name: snmp_ropass
Description: Specify the read-only community pass for SNMP version 1 and 2c
Example: snmp_ropass=example

Name: snmp_rwpass
Description: Specify the read-write community pass for SNMP version 1 and 2c
Example: snmp_rwpass=example

Name: snmp_proxy(0..9)
Description: Enable the snmp daemon to act as a proxy, format = [ip-address;password;version;port;OID]
Example: snmp_proxy0=[127.0.0.1;password;2c;22;1.3]

Name: snmp trap
Description: Enables the trap-sending functionality of the SNMP daemon
Example: snmp trap=on

Name: snmp trap community
Description: Specify the SNMP community name for sending traps
Example: snmp trap community=foo

Name: snmp trap dest(0..9)
Description: Specify the ip-address destination for SNMP traps
Example: snmp trap dest0=127.0.0.1

5.7 Settings for Voice-over-IP (ser)

These settings configure the SIP proxy service. This service features multiple configuration templates that are explained in more detail in the handbook. The parameter values discussed here are sometimes used for multiple configuration templates. Besides the parameter values as explained below, the keys for TLS have to be set up if this is desired. All Comdasys products will autocreate TLS keys for use with the SIP Proxy. If the interaction with phones is desired, there are two ways of setting this up: either you download the preconfigured keys (they are generated on first boot of the Comdasys device), or you upload the desired keys to the Comdasys. This is always explained together with the keys.

5.7.1 SIP Proxy Scenarios

The most important parameter is the ser type parameter, which selects the template profile, i.e. the scenario the product is to be used in. The following scenarios are possible.

5.7.1.1 Disabled

Disables the SIP Proxy functionality.

5.7.1.2 Custom

Custom template that permits configuration via CLI. This is mostly used in large projects with specialized configuration templates that are put into the Convergence through mass deployment tools. This is usually not recommended unless for specialized projects.

5.7.1.3 Standalone

Standalone template which will make the SIP Proxy act as a standalone SIP server. This is a very simple template to set up simple configurations. The configuration of voice gateways to enable outbound calls is supported.

5.7.1.4 Survivability

Survivability template which will forward all messages to a central SIP server unless this one is unavailable. In this case, the SIP Proxy will take over the role of the central SIP server.

5.7.1.5 Session Border Controller

Session Border Controller template that makes the SIP Proxy act as an SBC in front of a SIP server / B2BUA. This selection is the template for a typical centralized Session Border Controller used to connect endpoints coming from the Internet, usually behind NAT routers, or in hosted scenarios. This template will hence perform NAT handling. This template also supports CAC scenarios. There is a great variety of configurations for this. Depending on the exact usage, the Survivability and Branch SBC configurations could also apply.

5.7.1.6 Branch Session Border Controller

Branch SBC which sits in front of a SIP server but at a decentral location instead of a central one as with the SBC template. As such, it will typically serve in Enterprise Branch Office scenarios. A hosted service provider can use the product to terminate his service at the customer premise. In order to use that service, the Convergence would receive one data center IP address as well as an IP address in the local range. With that, the phones on the customer premise would only interact with the Convergence through a local IP address. No changes to the network, routing or anything else would be necessary to support deploying a VoIP solution.

5.7.1.7 SIP Trunking Scenario

The Convergence offers two different ways of handling SIP Trunking scenarios: via the SIP Proxy / SBC component and via the B2BUA. The selection here will make the Convergence behave like a special SBC for SIP Trunking scenarios. The SBC approach has the advantage that features between the local PBX and the Trunking Provider are transparently handed through. This is something a B2BUA approach cannot absolutely guarantee. The SBC will not perform a registration with a provider. As such, the locally connected PBX / SIP server behind the SBC has to perform that.

5.7.1.8 Cascaded SBC Scenario

This scenario is a very specialized central SBC scenario where it is assumed that a Branch SBC is connected behind. In contrast to the central SBC scenario, it will not stay in the media path for connections that stay "inside" a single branch. This also works dynamically for features. For example, if you first have a branch internal call, the central SBC will not be in the media stream. If the media however is renegotiated, for example because one party was put on hold, the central SBC can pick up the media stream.

5.7.1.9 ENUM Scenario

With this template the SIP Proxy will act as an IP-to-IP gateway performing message forwarding based on ENUM lookups as well as SBC functionality for incoming calls.

5.7.2 Configuration Explanation

Name: ser type
Description: This value selects the profile type the SIP Proxy is to be set up in. The Comdasys Convergence appliances support a number of predefined scenarios that are explained in more detail in section 5.7.1. Possible values:
“disabled” Disabled
“custom” Custom template
“standalone” Standalone
“survivability” Survivability
“sbc” Session Border Controller
“branch” Branch Session Border Controller
“cascaded” Cascaded Session Border Controller
“enum” ENUM
Example: ser type=survivability

Name: ser action
Description: For each Call Admission rule definition, the SIP proxy permits the specification of an action in the case of a limit violation. The possible actions are "redirect" and "deny"; choose one of the two from the drop-down list. As mentioned with the CAC parameters, simply denying calls is the simplest of all actions that can be taken. Sometimes however it is inappropriate. Since the Convergence Series is operating at the edge of one or more bottleneck links, there might be an alternative route to the destination via a second link. Imagine for example a case where we can route a call over multiple links. The other possibility is to use the TDM network via a gateway realizing a local breakout. This second possible action is Redirect. Future versions will come with additional actions.
Example: ser action0=deny

Name: ser amt
Description: This parameter is relevant for the Survivability, Standalone, Branch SBC, and ENUM scenarios. It represents the digit combination a user has to dial for getting an outside line. In theory, you can put any regular expression here, although in reality this will mostly be a single digit such as a 0 or a 9. In Standalone mode this will be directly used for determining the calls that have to go to the gateway. In the other modes, the parameter will only be used in survivability mode, where it identifies an incoming call.
Example: ser amt=0

Name: ser cac
Description: This option applies to the Branch SBC as well as to the Survivability scenarios. All Call Admission Control related settings for these two scenarios will only apply if this option is activated. The possible values are "on" and "off".
Example: ser cac=on

Name: ser cacchecknet
Description: This parameter should be checked if there is a local PSTN in the branch office. If this parameter is not checked, the SIP Proxy will assume that all calls to and from non-local destinations will go over the bottleneck link and hence require Call Admission Control (of course only if all other parameters match). This would however mean that for a call coming in over the local gateway, going to the central SIP server and then coming back in to the SIP Proxy, Call Admission Control would be falsely performed although the media stream would stay in the local network. Strict checking will additionally check the SDP header to determine how the RTP streams would flow, to correctly perform the Call Admission Control. This parameter however does not apply to any Call Admission Control settings towards a gateway; it only applies to the Call Admission Control towards the central SIP server. The possible values are "on" and "off".
Example: ser cacchecknet=on

Name: ser callforward
Description: This parameter is a list, meaning that you have to attach a number from 0 .. n; it is of course possible to have multiple entries, where the numbers must be unique. This parameter is only relevant in the Survivability scenario and will only become active in survivability mode. If the user part of the request URI matches this parameter, the call will immediately be redirected to the user given in the ser callforwardtarget parameter with the matching index. Also note that this parameter can only be used in conjunction with the ser callforwardtarget parameter.
Example: ser callforward0=4711

Name: ser callforwardtarget
Description: This parameter is a list, meaning that you have to attach a number from 0 .. n; it is of course possible to have multiple entries, where the numbers must be unique. This parameter is only relevant in the Survivability scenario and will only become active in survivability mode. A call in survivability mode directed to the user name given in the ser callforward entry with the matching index will be directed to the user name given here. Also note that this parameter can only be used in conjunction with the ser callforward parameter.
Example: ser callforwardtarget0=4712

Name: ser children
Description: Determines the number of threads being forked off in the SIP proxy per interface. A higher number of threads will lead to a higher efficiency in using the available CPU resources at the expense of higher memory and resource usage. The recommended number for smaller Convergence boxes is 8, for bigger ones 16 or 32.
Example: ser children=8

Name: ser debug
Description: This option will enable debug support for the SIP proxy. The debugging messages will be printed out in the system log. See the "syslog" documentation for more information on how to read and use this debug output. The debug mode should only be switched on for testing purposes since, depending on the traffic conditions, a lot of log information can be generated. Note that some output will be generated by default; among these is CDR information in survivability mode that will always be generated. The possible values are "on" and "off".
Example: ser debug=off

Name: ser domain
Description: The domain list parameter is one of the most important parameters for the SIP Proxy. The SIP Proxy will only apply the Survivability / Call Admission Control / SBC logic to SIP messages directed at the specified domains. Domain as used here refers to the rear part of a URI. This means that if you have some client send a SIP message for 500@foo.bar to the Comdasys Convergence appliance, it will only act upon it in the way described here if foo.bar can be found in the domain list. Otherwise it will simply perform a DNS lookup and forward the message appropriately. Possible values are either a domain such as foo.bar, or an IP address.
Example: ser domain0=foo.bar

Name: ser dst ip
Description: The notion of a link is fundamental to the way the Call Admission Control is done. The simplest case of a link is a physical network connection. The Convergence however does not stop there. A link is closely associated with the routing functionality offered by the Convergence. Typically source and destination addresses are used for classifying packets as belonging to a certain link (this matches the standard IP networking principles). Simply enter the source and destination IP addresses or network addresses that you want to have the limit and action applied to. Use a "0" for each byte of the IP address where you want to specify network ranges. The mentioned IP addresses pertain to the SIP signalling traffic. The source would for example be the local branch network; the destination would most likely be the IP PBX. The source address could for example be used to configure groups for the phones: group 1 could get a range of IP addresses, group 2 another.
Example: ser dst ip0=192.168.1.1

Name: ser dualreg
Description: This enables dual registration functionality inside the SIP proxy for supporting Survivability scenarios with Cisco or Siemens phones. In principle, this is not necessary since the Comdasys survivability functionality is completely transparent to the UAs. Some UAs however support displaying something to the user to inform him about survivability mode. Sometimes it is desirable to use this phone functionality. One of these options lets the phones register to a primary server and a backup server. As soon as the primary server stops responding, they will register to the backup server for continuous operation. Comdasys supports this by running on port 5080 in addition to the standard port. If enabled, the SIP proxy will stop responding on port 5060 and only respond on port 5080, thus emulating the backup server functionality. The possible values are either "on" or "off".
Example: ser dualreg=off

Name: ser excludegw
Description: This parameter has to be considered in conjunction with the ser return parameter. If the return route for SIP messages is forced by the proxy, it might be necessary to exclude the local gateway from this. This can have multiple reasons; the most likely reason would be features, since your SIP server might want to stay in direct touch with the local gateway. It applies to all scenarios involving the explicit definition of a gateway. This option is very rarely used. The possible values are either "on" or "off".
Example: ser excludegw=on

Name: ser failover
Description: This option enables you to turn on or off failover server support. Failover server support is usually realized in conjunction with DNS SRV or VRRP to have a backup take over the IP address of the primary SIP proxy. The option here only refers to the SIP part of this construct, which requires the backup server to be in the same condition concerning states and registrations as the primary server. If this option is set, all state information will be replicated to the failover server that can be specified with the ser failover server parameter. Note that the backup server should again have the primary server set as its failover counterpart, since the roles are bound to change depending on the configuration. Setting this up in such a manner will however by no means result in messages bouncing back and forth, since this is automatically detected by the software. The possible values are either "on" or "off".
Example: ser failover=on

Name: ser failover server
Description: This option will set the IP address or DNS name of the failover server that all state information should be forwarded to. For more information on this option please also refer to ser failover.
Example: ser failover server=on

Name: ser faxuri
Description: This parameter must be seen in conjunction with the ser t38redirection parameter. In contrast to normal voice streams, T38 streams will exhibit a great deal of variance when it comes to a call in progress, meaning that a measurement is not something you want to rely on. T38 streams can vary anywhere between 10 kbit/s and 100 kbit/s in throughput. Therefore, we do a reservation for these cases, where the bandwidth for the fax call remains reserved for the entire duration of the call. This means that all streams for T38 will be treated differently than the normal voice streams. In this case, it is of course not necessary to have
Example: ser faxuri0=45674@foo.bar

Name: ser forwarding
Description: This function activates server based call forwarding in Survivability mode. Note that this only applies to Survivability scenarios; in that scenario, it will only have an effect if you are currently in survivability mode. It does not have an effect in any other usage scenario. As the name already indicates, this flag instructs the SIP Proxy to catch any SIP 302 response sent by a UA and create a new INVITE request from that. This also works in conjunction with SIP forking: if the original request was forked and one UA responds with 302, all other branches will be cancelled. The possible values are "on" or "off".
Example: ser forwarding=off

Name: ser gateway ip
Description: This parameter is a list, meaning that you have to attach a number from 0 .. n; it is of course possible to have multiple entries, where the numbers must be unique. This parameter denotes the gateway IP address. Gateways can be defined for most scenarios except ENUM and SBC. Even in the Survivability scenario, or as a Standalone server, it is possible to define multiple gateways. The gateways will be addressed in a hunting mode, meaning that the SIP proxy will always address the first gateway first. If it gets an error from there, it will proceed to the second one and so on. For the exact behavior in this case, please see the ser hunting parameter.
Example: ser gateway ip0=192.168.1.2

Name: ser gateway prefix
Description: The prefix determines what digits or characters to attach to the front of the URI before forwarding to the gateway. The prefixing will only apply in Survivability mode. In normal mode and for all remaining scenarios, the SIP Proxy will never do changes to the URI when forwarding requests to a gateway. The prefixing will always be executed after stripping the URI. Also refer to ser gateway strip for more information on this.
Example: ser gateway prefix0=0

Name: ser gateway strip
Description: Determines how many digits should be stripped from the front of the number before forwarding the request to the gateway. Note that this parameter does not specify what to remove from the front of the number; it rather specifies the number of digits to remove. It should be noted that this not only works for digits, but for all characters permitted in SIP URIs.
Example: ser gateway strip0=1

Name: ser gateway transmit
Description: This determines the SIP transport type to be used towards the gateway. RFC 3261 currently defines three transport types: udp, tcp, and tls. The possible values are either "udp", "tcp", or "tls". Most systems currently use udp, which is also supported by a lot of systems, so this will most likely be your protocol of choice. There are reasons however for using tcp. If you need security, there is no other way but to use tls. Beware however that you cannot do traces of tls encrypted signalling to track down errors. It is therefore highly recommended to set up a system with an unencrypted protocol and only switch to tls once everything works.
Example: ser gateway transmit0=tcp

Name: ser hunting
Description: This parameter determines the behavior of the SIP Proxy if multiple gateways are being set up. If set to on, gateway hunting will be done, meaning that the SIP Proxy will automatically try the next gateway if the previous one did not respond or responded with an error. Mostly this error will be a "486 Busy". Note that the hunting usually only applies in Survivability mode, since in normal mode the central SIP server can correctly address the SIP messages to go to the correct gateway; in these cases the central SIP server would perform the gateway hunting. There are however special scenarios where the SIP Proxy itself is specified as a gateway (e.g. Branch SBC functions). In that case, the proxy will of course also perform the hunting functionality. The possible values are either "on" or "off".
Example: ser hunting=on

Name: ser limitcall
Description: Each SIP session uses a certain average bandwidth depending on the codec being used. For G.711 for example the bandwidth required for each session is around 75 - 80 kbit/s including the overhead packets. The bandwidth check parameter here identifies how much bandwidth must still be available in order to permit another session. This means that this parameter has to reflect the worst case that can occur in your network, since codecs can be renegotiated during a session. Otherwise your session could be permitted first, then renegotiated with another codec and denied there. This kind of behaviour would be very user unfriendly. For each Call Admission decision as to whether a call should be permitted or not, the worst case is hence assumed, and this field should reflect this worst case. It can also be used for deliberately leaving some room to the bandwidth limit by checking for a higher bandwidth than required. The difference would then remain unused, which can be desirable under certain conditions. Note that this field is entered in "bytes/second", not "bits/s". Note that you have to enter the parameter manually.
Example: ser limitcall=8000

Name: ser limitclass
Description: The limit class definitions make the connection between the SIP and the IP layer in Call Admission Control scenarios. For the limit definitions, the Bandwidth Management Configuration is used, where a traffic class with certain limits is defined. The limit is enforced by the Call Admission Control functionality. All traffic class definitions are used for making assessments as to whether additional calls can be accommodated. For more information on the definition of the traffic rules refer to the Bandwidth section of this handbook or the User Guide.
Example: ser limitclass0=eth0-2:4

Name: ser multiport
Description: Only use this parameter if you know what you are doing. This option has a severe impact on the SIP request routing behavior. Setting this option will make the SIP proxy modify all SIP requests in such a way that every UA connected behind the SIP proxy will be mapped to a separate port on the SIP proxy. This means that the central SIP server will think that all phones have the IP address of the SIP proxy, but each one with a separate port. This enables supporting features in e.g. NAT scenarios where the return route also has to pass through the SIP proxy. This option is not required if your SIP server features an option to route requests through a SIP proxy. Please also refer to ser return for more information. The possible values are either "on" or "off".
Example: ser multiport=on

Name: ser notifyreturn
Description: This parameter enables or disables the function of sending Survivability Notifies. If enabled, the SIP proxy will send a SIP NOTIFY message to all registered devices each time the survivability mode changes. This means that a message will be sent if the survivability mode becomes active; another one will be sent if normal operation is being restored. The possible values are either "on" or "off".
Example: ser notifyreturn=on

Name: ser ownnumber
Description: This parameter is being used for short dialing in Survivability and Standalone mode. If you have a telephone with the phone number e.g. 49893333567, where 567 is the short number of the phone, you want to be able to use both the long and the short number in survivability mode, where the PBX normally doing the translation is offline. The phone registers (SIP registration) with the full number. To make it reachable now, the Comdasys must know the prefix, hence the 49893333 which it will attach to the short number to locate the phone. If you do not set this up, you can just leave it blank. It is not used for anything else; as such, it will only have an impact on this feature (short numbers in survivability mode).
Example: ser ownnumber=49893333

Name: ser pbx
Description: This entry is the IP address of the softswitch, SIP server, or SIP PBX. It is possible to specify both IP addresses and domain names; the domain names can also be DNS SRV entries. In the Survivability, SBC, ENUM, and Branch SBC scenarios, this will be the target of all messages received from any UAs. In the Standalone scenario, this entry does not have any effect, since the Comdasys will be the main SIP server. Also see the ?? parameter that determines the protocol to use for communication with the SIP server.
Example: ser pbx=192.168.10.3

Name: ser pbxalias
Description: This parameter is a list, meaning that you have to attach a number from 0 .. n; it is of course possible to have multiple entries, where the numbers must be unique. Messages can come from phones or the PBX. This parameter will be used for identifying downstream messages as coming from the PBX. The PBX could be a load-balanced or cluster system, meaning that messages could come from multiple IP addresses. The PBX alias is the way to tell the Comdasys that all these messages are coming from the PBX. If the PBX only has a single IP address it is not necessary to set this parameter. This is important for e.g. performing the CAC functionality where incoming calls have to be handled. Therefore, it of course also applies to the Branch SBC mode. You can specify either IP addresses or domain names.
Example: ser pbxalias0=192.168.10.3

Name: ser pickup
Description: This parameter is a list, meaning that you have to attach a number from 0 .. n; it is of course possible to have multiple entries, where the numbers must be unique. This parameter allows you to specify extensions / URIs that will be excluded from Call Admission Control. Usually this is only relevant for pure telephony scenarios. In telephony applications, it is more than common to use certain extensions for doing control functionalities. This means that you make a call to such a special extension for e.g. activating a call forwarding. Although a call is made, there is no real media that is ever sent in any case. Another example for this are pickup group extensions. Therefore, enter a list of all extensions that should be excluded from CAC. Note that it is possible to specify arbitrary regular expressions. Therefore also beware to escape (prefix by \) all special characters used in regular expressions, as for example ., *, ?. Also see the Regular Expression section for more details.
Example: ser pickup0=\*5

Name: ser port
Description: This specifies the port for the return routing of the messages. This parameter must be seen in conjunction with the ser return parameter, since it will only have an effect if this one is set. It is similar to the ser proxy parameter. Please see these two for more information on this option.
Example: ser port=5060

Name: ser prefixpbx
Description: As described in the ser redirectpbx parameter, this prefix will be added to the dialled number to inform the central SIP server that an alternative routing needs to be performed. This prefix can be any combination of alphanumeric characters and special characters like "*" or the hash sign. In telephony applications, the prefix will most likely be numeric.
Example: ser prefixpbx=*0

Name: ser proxy
Description: This parameter will have an effect on the response routing. This applies only to SIP requests; response routing is determined by the Record-Route parameter, which is explained in ser rrpreset. The central SIP server will return these messages to the IP address specified here. Therefore, this has only an effect in conjunction with the ser return parameter.
Example: ser proxy=192.168.6.7

Name: ser redirectpbx
Description: If there is no more bandwidth for permitting an extra session, the call can be either denied, or it can be redirected to a gateway. These actions are described with the ser action parameter in more detail. The field here specifies another possible action. If enabled, the rerouting to e.g. a local gateway can be performed by the central IP PBX. The SIP Proxy can modify the dialled number by prefixing something to let the IP PBX know that the usual call routing path does not apply. The central IP PBX can then route the call over the local gateway in the branch office, thus not generating traffic load on the bottleneck link. This does not require any Call Admission Control awareness of the central PBX. In that case, simple call routing features with multiple alternative routes, as for example found in least cost routing features, do suffice. Also refer to the ser prefixpbx and ser redirectamtonly parameters for more information. The possible values are either "on" or "off".
Example: ser redirectpbx=on

Name: ser redirectamtonly
Description: This parameter only has an effect in conjunction with the ser redirectpbx parameter. If enabled, the SIP Proxy will only permit the redirection of outgoing calls. All other non-internal calls will not get redirected but rather denied with a "606 Not Acceptable" message. The possible values are either "on" or "off".
Example: ser redirectamtonly=on

Name: ser reserve
Description: Enables or disables the bandwidth reservation. If enabled, the SIP proxy will reserve the bandwidth for all initiated SIP requests that have not been finally answered. In this case, a link can never be overbooked. On the other hand, since reserved bandwidth might never be claimed because a session is denied, other sessions could have been accommodated. This means that there could be unused bandwidth on your line. The higher the bandwidth available on your link, the more significant this effect gets. The possible values are either "on" or "off".
Example: ser reserve=on

Name: ser src ip
Description: This is a Call Admission Control parameter that has to be seen in conjunction with the ser limitclass and the ser dst ip parameters. This parameter is again a list parameter. This specifies the destination of the SIP signalling for which the CAC rule defined in the ser limitclass should apply. The matching up with the ser limitclass is done through the index number. See also the ser dst ip parameter for a more in-depth explanation of the meaning.
Example: ser src ip0=10.10.1.1
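As an added example (not from the manual), the following Python model shows how the Call Admission Control parameters above interact: a ser src ip / ser dst ip rule selects a limit class, ser limitcall is the worst-case bytes/second a new session must still fit into, ser reserve holds that amount for unanswered INVITEs, ser pickup extensions bypass the check, and ser action together with ser redirectpbx / ser redirectamtonly / ser prefixpbx decides what happens on a violation. The underscore key names, the class limit value and the sample calls are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed CAC configuration (not from the manual). Parameter names are written
# with underscores as an assumption about the on-disk format.
CAC_CONFIG = {
    "ser_cac": "on",
    "ser_limitcall": "10000",       # worst-case bytes/second a new session needs
    "ser_reserve": "on",            # hold bandwidth for unanswered INVITEs
    "ser_src_ip0": "10.10.1.0",     # a 0 byte stands for a network range
    "ser_dst_ip0": "192.168.1.1",   # the central IP PBX
    "ser_limitclass0": "eth0-2:4",
    "ser_action0": "redirect",
    "ser_pickup0": r"\*5",          # control extensions never carry media
    "ser_pickup1": r"\*8\d",
    "ser_redirectpbx": "on",
    "ser_prefixpbx": "*0",
    "ser_redirectamtonly": "on",
    "ser_amt": "0",
}
# Limit of the traffic class in bytes/second. Constructed value; on the appliance it
# comes from the Bandwidth Management configuration referenced by ser_limitclass.
CLASS_LIMITS = {"eth0-2:4": 25000}


@dataclass
class CacState:
    in_use: int = 0                                 # bytes/s of established sessions
    pending: dict = field(default_factory=dict)     # call-id -> reserved bytes/s


def ip_matches(rule, addr):
    """Byte-wise comparison; a 0 byte in the rule matches any value."""
    pairs = zip(map(int, rule.split(".")), map(int, addr.split(".")))
    return all(r == 0 or r == a for r, a in pairs)


def find_rule(cfg, src, dst):
    """Index of the first ser_src_ip/ser_dst_ip pair matching the signalling, or None."""
    i = 0
    while f"ser_src_ip{i}" in cfg:
        if ip_matches(cfg[f"ser_src_ip{i}"], src) and ip_matches(cfg[f"ser_dst_ip{i}"], dst):
            return i
        i += 1
    return None


def is_pickup(cfg, user):
    """ser_pickup entries are regular expressions over the user part of the URI."""
    i = 0
    while f"ser_pickup{i}" in cfg:
        if re.fullmatch(cfg[f"ser_pickup{i}"], user):
            return True
        i += 1
    return False


def admit(cfg, state, call_id, src, dst, user):
    """Decide on a new INVITE: 'permit', 'bypass', or the rule's action on violation."""
    if cfg.get("ser_cac") != "on" or is_pickup(cfg, user):
        return "bypass"
    idx = find_rule(cfg, src, dst)
    if idx is None:
        return "bypass"                     # not on a bottleneck link we control
    limit = CLASS_LIMITS[cfg[f"ser_limitclass{idx}"]]
    need = int(cfg["ser_limitcall"])
    committed = state.in_use
    if cfg.get("ser_reserve") == "on":
        committed += sum(state.pending.values())
    if committed + need > limit:
        return cfg.get(f"ser_action{idx}", "deny")
    state.pending[call_id] = need
    return "permit"


def finalize(state, call_id, success):
    """Final answer for a pending INVITE: claim the reservation or give it back."""
    need = state.pending.pop(call_id, 0)
    if success:
        state.in_use += need


def release(state, bytes_per_s):
    """BYE: free the bandwidth of an established session."""
    state.in_use = max(0, state.in_use - bytes_per_s)


def redirect_decision(cfg, user):
    """ser_redirectpbx: prefix ser_prefixpbx so the central PBX uses the local gateway;
    with ser_redirectamtonly only outside-line calls (ser_amt) qualify, others get 606."""
    if cfg.get("ser_redirectamtonly") == "on" and not re.match(cfg["ser_amt"], user):
        return ("606 Not Acceptable", None)
    return ("redirect", cfg.get("ser_prefixpbx", "") + user)
```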

Name: ser survcachetimeout
Description: This is the time the last alive message from the central PBX will be assumed to be valid, even if checks fail in the meantime. This lazy timeout is intended to reduce the number of alive messages sent, and to avoid frequent switching due to e.g. a flapping line. This time must be given in seconds.
Example: ser survcachetimeout=30

Name: ser reroutecodes
Description: This option only applies to survivability scenarios. By default, the SIP Proxy will reroute for all error conditions, meaning that for every non-successful reply sent for a SIP request, a rerouting to the gateway will be induced. For this parameter just specify all codes where no rerouting should apply. It is possible to specify arbitrary response codes, not only the ones defined in the RFC. The most frequently used however are:
“400” 400 Bad Request
“401” 401 Unauthorized
“402” 402 Payment Required
“403” 403 Forbidden
“404” 404 Not Found
“405” 405 Method Not Allowed
“406” 406 Not Acceptable
“410” 410 Gone
“480” 480 Temporarily Unavailable
“486” 486 Busy
“487” 487 Request Terminated
“603” 603 Decline
“606” 606 Not Acceptable
The reply codes are defined in a list separated by blanks.
Example: ser reroutecodes=400 401 402

Name: ser rewrite
Description: This option is only relevant for scenarios that involve a separate SIP server. As mentioned, the SIP domain when routing messages through the SIP proxy will be that of the SIP proxy, unless of course DNS / DNS SRV is being used. Some SIP servers react very sensitively to the SIP URI: if a UA does not support outbound proxy functionality, some SIP servers will refuse to handle the sent requests. Therefore, the Comdasys SIP proxy allows you to rewrite the SIP domain on all messages sent to the SIP server. The domain that the requests will get rewritten with is that of the ser pbx parameter. The possible values are either "on" or "off".
Example: ser rewrite=off

Name: ser rrpreset
Description: This parameter enables presetting the Record-Route header that will be inserted by the SIP proxy in the SIP requests that are forwarded to the central SIP server. By default, the SIP proxy will always do this automatically. The ability to do this automatically is however hampered in NAT and multiple interface scenarios. In such circumstances, it is necessary to statically fix this parameter. This parameter will only be applied if its use has been enabled by setting the ser rrpreseton parameter.
Example: ser rrpreset=off

Name: ser rrpreseton
Description: This parameter enables or disables the use of the ser rrpreset parameter, with which the SIP proxy will insert the correct Record-Route header. Also refer to this one for more information. The possible values are either "on" or "off".
Example: ser rrpreseton=off

Name: ser rtp
Description: This parameter determines if the SIP proxy also handles the media streams. If set active, the SDP information in the SIP messaging will be modified in a way so that the media stream runs through the SIP proxy. This is a requirement in NAT scenarios and for SRTP termination (optionally available). The possible values are either "on" or "off".
Example: ser rtp=off

Name: ser return
Description: This parameter determines if the SIP proxy will change all upstream messages in such a way that all requests coming from the main server will also flow through the SIP proxy under all circumstances. This will make the SIP proxy modify all contact fields that determine the SIP routing such as the Contact, Route and Record-Route header fields. This applies to all scenarios that involve another SIP server such as SBC, Survivability and ENUM scenarios. In Branch SBC and SBC scenarios, the SIP proxy will always do this. In all other scenarios, this is optional and can be modified with this parameter. Be very careful using this field since it can break some functions of your SIP server. It will for example have adverse effects on any features involving SIP forking. If your SIP server and UAs support Outbound Proxy functionalities, it is not necessary to set this field. The possible values are either "on" or "off".
Example: ser return=off

Name: ser t38redirection
Description: If enabled, the SIP proxy will use bandwidth reservation to handle the greatly varying bandwidth requirements of a T38 media stream instead of measuring it. In order to let the SIP proxy know where it can expect T38 to be negotiated, you can specify special fax URIs. See the ser faxuri parameter for more information on that.
Example: ser t38redirection=on

Name: ser rereg
Description: Timeout value for the SIP Proxy to confirm registrations in survivability mode. This means that independent of the registration timeout value given in the UA, the SIP proxy will only OK them with the timeout given here in survivability mode. This is to expedite the reregistration with the SIP server once the connectivity is restored.
Example: ser rereg=720

Name: ser transmit
Description: This determines the SIP transmit type to be used towards the SIP server. RFC3261 currently defines three transmit types: udp, tcp, and tls. The possible values are either "udp", "tcp", or "tls". Most systems currently use udp, so this will most likely be your protocol of choice. There are reasons however for using tcp, which is also supported by a lot of systems. If you need security, there is no other way but to use tls. Beware however that you cannot do traces of tls encrypted signalling to track down errors. It is therefore highly recommended to set up a system with an unencrypted protocol and only switch to tls once everything works.
Example: ser transmit=udp

Name: ser timeout
Description: Timeout value for the SIP Proxy to take action itself. If there is no response, provisional or final, within this time period, the SIP Proxy will assume Survivability mode. This parameter is important for all scenarios, although a safe default is in place for e.g. the SBC template. For survivability, this parameter is absolutely critical, since it defines the timeout for the Survivability function.
Example: ser timeout=2

Name: ser b2buasurv
Description: This function is necessary for gateways that do not properly support SIP forking. Forking is necessary if you have multiple SIP endpoints with the same SIP username. This will normally be the case in voice scenarios where you have multiple SIP endpoints with the same phone number. This is commonly described as keyset feature or multiline appearance. Incoming calls in such multiline scenarios sometimes pose difficulties for gateways because the SIP proxy in the Convergence will fork the request. This will lead to the fact that multiple SIP responses are forwarded to the gateway, which is a problem for some of them. Checking this box will make the Convergence behave like a B2BUA towards the voice gateway in survivability mode. This means that for each session from and to the gateway, its own Call ID will be assigned. With the B2BUA feature enabled, the Convergence will terminate this call and only forward a single response to the gateway. Towards the SIP endpoints, the Convergence will continue to behave as a SIP Proxy. Usually, this function will not be necessary if you have no forking. This parameter applies only to the Survivability and Branch SBC templates.
Example: ser b2buasurv=on

Name: ser city code
Description: This is used to convert numbers routed to the Convergence to full E.164 format. Enter the plain city code (3-digit area code in the US). It can also be a number of variable length in many other countries. This parameter applies only to the ENUM template.
Example: ser city code=89

Name: ser country code
Description: This parameter applies only to the ENUM template. Enter the Country Code for your country without any preceding digits. This would be a "1" for the USA, the "49" for Germany, etc. This parameter will be used to properly convert any incoming numbers to E.164 numbers for doing proper ENUM lookups. You have to enter this parameter correctly. Otherwise outbound calls will not work.
Example: ser country code=49

Name: ser dest ip mask
Description: This applies only to the Branch SBC and Survivability templates. CAC is done on a per link basis. This link definition is done via the Source and Destination IP address. This parameter is part of the link definition for doing CAC. The parameter here is the netmask for the destination IP. It will usually be the PBX IP address for which you do CAC. In that case, the netmask will only point to a single host instead of a network.
Example: ser dest ip mask=255.255.255.255

Name: ser distance prefix
Description: Enter the number you have to dial on your phone before making a long distance call. In the US this is a "1", in most European countries a "0". Assume for example that you want to call somebody with the area code 221. In order to do that, you have to dial a number in front of that, e.g. 0221 xxxx. In that case enter the 0 for the parameter here. Do not confuse this with the prefix you have to dial on your phone to get an outside line on the PBX. This value is needed to correctly convert incoming and outgoing numbers into E.164 format. This parameter applies only to the ENUM template.
Example: ser distance prefix=0

Name: ser external ip
Description: All Convergence products support multiple virtual and non virtual interfaces. When acting as a session border controller, there however must be a unique uplink interface through which outgoing media streams should be routed, in most cases the WAN interface or a VPN connection. When looking at the SIP messages that are leaving the LAN network of the SBC towards the outside of the SBC, all SDP bodies will contain this external IP address. Thus, all endpoints having a connection with some endpoint inside the SBC will be sending their media streams to this external IP address. The external IP address however has a different meaning in the different templates. In the central SBC scenario, the external IP address will point to the endpoints that can register from behind NAT firewalls. In a branch session border controller scenario it denominates the side towards the PBX. This parameter only applies to the various SBC templates.
Example: ser external ip=10.10.10.10

Name: ser fix looseroute
Description: This only applies to the Survivability and Branch SBC templates. Loose routing is defined in RFC3261 and will make the Convergence route all in-dialog messages the same way that the dialog setup was routed. This however assumes properly behaving SIP endpoints and properly behaving SIP servers. In simple scenarios, where the endpoints are registered to a server, where the messages are routed onwards, and where the proxy is on the return route in addition to that, this works for most endpoints. With a survivability scenario, the correct behavior of loose routing is not guaranteed with all devices. A typical sign is ACKs or BYEs coming from the softswitch being directly returned to it. In order to avoid that, loose routing can be disabled in normal operation (non survivability) if you see in-dialog messages like ACKs and BYEs not flowing as expected.
Example: ser fix looseroute=on

Name: ser fromhost
Description: Please refer to the ser usesipping parameter for more information on that. When using the SIP OPTIONS messages to check whether a server is still available, you can configure the URI host part the Convergence should be sending. Simply specify the host part of the URI with this parameter. The switch must respond to the URI with a non 5xx and 6xx response. You can also refer to the ser userpart for setting the user part of the URI. This only applies to the Survivability and Branch SBC templates.
Example: ser fromhost=sipserver.foo.bar

Name: ser gateway access
Description: The access code is a way of forcing calls onto a certain gateway in Survivability mode. Any call received in Survivability mode that starts with an appropriate prefix will be forwarded to the best matching gateway. The check is made sequentially, not in a best match manner! This means the gateway with the first access code match will be selected. If you put a 0 there for example, any number starting with a 0 would be sent to this gateway. If hunting is enabled and the gateway with the access code match is busy, the call will be forwarded to the next gateway in the list. If there is no match, the first gateway will be selected. This only applies to Survivability mode! Under normal operation, it is assumed that the PBX is responsible for directing the calls to the appropriate gateway. This only applies to the Survivability template.
Example: ser gateway access=*9

Name: ser gateway action
Description: The Redirect action will make the call overflow to the next possible gateway. If there is none, the Redirect will behave the same as a Deny. The Deny action will abort the call with a "606 Not Acceptable" response. The CAC has to be activated for this parameter to have an effect. This only applies to the Survivability template.
Example: ser gateway action=deny

Name: ser gateway cac
Description: It is possible to perform Call Admission Control in Survivability mode before the call is being forwarded to a gateway. This is necessary since it cannot be assumed that the gateway is always connected to the LAN. It could be located off site. This could mean that in a backup case, it can only be reached via some backup link. There are many scenarios that are conceivable. The Call Admission Control parameters will allow limiting the number of calls going to the gateway. For more information on Call Admission Control refer to the more detailed explanation in the general section. This only applies to the Branch SBC and Survivability templates.
Example: ser gateway cac=on

Name: ser gateway dest ip
Description: This parameter applies only for CAC scenarios towards the gateway. In order to configure Call Admission Control, we first need to define a link. The link definition here is done by entering the source and destination IP ranges. After defining the link, you can configure a policy, since a reaction in case of an overload must be configured. Here you can define the destination IP address for which the CAC rule towards the gateway would apply. Usually this will be the IP address of the gateway. Also refer to the ser gateway cac parameter for more information. This only applies to the Survivability template.
Example: ser gateway dest ip=10.10.10.10

Name: ser gateway limitclass
Description: In order to define a CAC action, you will need to associate a limit class with your CAC link. Also refer to the ser cac and ser gateway cac sections for more information on this. This only applies to the Survivability template.
Example: ser gateway limitclass=eth0-1:3

Name: ser gateway src ip
Description: This parameter applies only for CAC scenarios towards the gateway. In order to configure Call Admission Control, we first need to define a link. The link definition here is done by entering the source and destination IP ranges. After defining the link, you can configure a policy, since a reaction in case of an overload must be configured. Here you can define the source IP address for which the CAC rule towards the gateway would apply. Usually this will be the IP range of your SIP phones. Also refer to the ser gateway cac parameter for more information. This only applies to the Survivability template.
Example: ser gateway src ip=10.23.34.10
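The following is an added example, not Convergence code, that puts the gateway parameters above (ser gateway access, ser gateway action, ser gateway cac and the limit class bound to the gateway link) into one small model so that the selection rules can be tried out: the access code check is sequential rather than best match, a call without any match goes to the first gateway, and when the admission limit of the selected gateway is reached the Redirect action overflows down the list while Deny answers 606 Not Acceptable. The gateway names, the numeric call limit standing in for a limit class, and the dialed numbers are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Gateway:
    """One survivability gateway with its ser gateway access / action / cac values.
    max_calls stands in for the limit class bound to the gateway's CAC link
    (ser gateway limitclass); a plain call count is this example's simplification."""
    name: str
    access_code: str = ""      # ser gateway access; "" means no access code configured
    action: str = "deny"       # ser gateway action: "deny" or "redirect"
    cac: bool = True           # ser gateway cac: whether admission control is applied
    max_calls: int = 1
    active_calls: int = 0

    def has_capacity(self) -> bool:
        return (not self.cac) or self.active_calls < self.max_calls


class SurvivabilityRouter:
    """Gateway selection as the manual describes it for Survivability mode."""

    def __init__(self, gateways: List[Gateway]):
        self.gateways = gateways

    def select(self, number: str) -> int:
        """Index of the gateway the number is forced onto. The check is sequential,
        not best match: the first gateway whose access code is a prefix of the dialed
        number wins. Without any match the first gateway in the list is selected."""
        for idx, gw in enumerate(self.gateways):
            if gw.access_code and number.startswith(gw.access_code):
                return idx
        return 0

    def route(self, number: str) -> Tuple[str, str]:
        """Return ("forward", gateway name) or ("reject", "606 Not Acceptable")."""
        idx = self.select(number)
        gw = self.gateways[idx]
        if gw.has_capacity():
            gw.active_calls += 1
            return "forward", gw.name
        # CAC limit reached on the selected gateway: apply its ser gateway action
        if gw.action == "redirect":
            for nxt in self.gateways[idx + 1:]:   # overflow to the next possible gateway
                if nxt.has_capacity():
                    nxt.active_calls += 1
                    return "forward", nxt.name
        # Deny, or Redirect with no gateway left: abort the call
        return "reject", "606 Not Acceptable"

    def release(self, gateway_name: str) -> None:
        """Call ended: free the slot on the gateway that carried it."""
        for gw in self.gateways:
            if gw.name == gateway_name and gw.active_calls > 0:
                gw.active_calls -= 1
                return


def build_sample_router() -> SurvivabilityRouter:
    """Constructed sample configuration (not taken from the manual)."""
    return SurvivabilityRouter([
        Gateway("gw-pickup", access_code="*9", action="deny", max_calls=1),
        Gateway("gw-national", access_code="0", action="redirect", max_calls=1),
        Gateway("gw-intl", access_code="00", action="deny", max_calls=5),
    ])
```

Note how the order of the list decides: with "0" listed before "00", an international number starting with 00 is sent to the national gateway, exactly the sequential behaviour the manual warns about.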

Name: ser gwdnsalias
Description: This parameter only has an effect if ser gwdnsaliascheck is set. Please see the ser gwdnsaliascheck key for more information. In Branch SBC mode, the Convergence can act as a virtual gateway for the PBX. If a media gateway is placed inside the branch SBC, there is no way for the PBX to directly address the media gateway on the internal private network of the branch SBC. Therefore, the branch SBC will always change the contact header of any message or response coming from the gateway to the external IP address of itself. In that case, the PBX can send the messages directly to the branch SBC IP address. The PBX will also send all subsequent requests through the SBC. In those cases, the media gateway is completely hidden from the PBX. It could be the case however, that the gateway is provisioned via a DNS name in the PBX. You will then also want to have the DNS name in the contact header of any SIP message coming from the gateway. You can set this DNS name here. This only applies to the Branch SBC template.
Example: ser gwdnsalias=gw.foo.bar

Name: ser gwdnsaliascheck
Description: This item will activate the setting of the ser gwdnsalias parameter. This only applies to the Branch SBC template.
Example: ser gwdnsaliascheck=on

Name: ser ignoreprefix
Description: All prefixes specified here will be ignored for any CAC decision. This means that if you specify a prefix of xx here, the CAC checks will be based on the dialed number with the specified prefix being removed first. This feature will only be used in telephony scenarios where special prefixes can be dialed to e.g. enable the transmission of the Caller ID. Functions like these are often used by prefixing an access code to the actual number you want to dial. This prefix must of course not change the CAC assessment of where the call is going. This only applies to the Survivability and Branch SBC operation modes.
Example: ser ignoreprefix=on

Name: ser internal ip
Description: Whenever it is operating as an SBC, the Convergence is basically forming the bridge between two different networks. All Convergence products however support multiple virtual and non virtual interfaces. When acting as a session border controller, there must be a unique interface through which the communication of local endpoints should be routed. At least one interface of the Convergence must have this internal IP address assigned. When looking at the SIP messages that are coming from the outside network, all SDP bodies will be rewritten with this internal IP address. Hence, all endpoints having a connection with some endpoint outside the SBC will be sending their media streams to this internal IP address. For more information on this topic also refer to ser external ip. This only applies to the different SBC templates.
Example: ser internal ip=192.168.1.1

Name: ser internal mask
Description: Please also refer to ser internal ip for more information on this topic. This parameter defines the internal network that is associated with the SBC. It defines what IP addresses are to be treated as being SBC internal. This can actually be a superset of the netmask associated with the actual interface of the Convergence. All other IP addresses will be treated as external ones, no matter from which interface of the SBC they are received. This only applies to the different SBC templates.
Example: ser internal mask=255.255.255.0

Name: ser international prefix
Description: Enter the number you have to dial on your phone before making an international call. In the US this is the "011", in most European countries the "00". This parameter will be used to properly convert dialed numbers to E.164 format. This only applies to the ENUM mode of operation.
Example: ser international prefix=00

Name: ser local gw
Description: You need to configure whether media handling should be done for calls to and from the gateway. If turned on, the gateway will be assumed to be local, and media handling will be disabled for all calls between local endpoints and the local gateway. If not checked, the gateway is assumed to be external. This will enable media handling for all external calls. This parameter only applies to the Branch SBC operational mode.
Example: ser local gw=on
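The four ENUM dial-plan parameters (ser country code, ser city code, ser distance prefix and ser international prefix, described above) together define how a dialed number is turned into E.164 form before the ENUM lookup. The following is an added example, not Convergence code, showing that conversion and the ENUM domain name derived from it (RFC 6116: digits reversed, dot separated, below e164.arpa). The class and field names are this example's own; the manual's values for Germany (49, 89, 0, 00) and the US (1, 212, 1, 011) are used as sample configurations.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class EnumNumberPlan:
    """Dial-plan values corresponding to the ser country code, ser city code,
    ser distance prefix and ser international prefix parameters.
    Field names are assumptions of this example, not Convergence identifiers."""
    country_code: str          # e.g. "49" (Germany) or "1" (USA)
    city_code: str             # e.g. "89" (Munich) or "212" (New York)
    distance_prefix: str       # long distance prefix: "0" in most of Europe, "1" in the US
    international_prefix: str  # "00" in most of Europe, "011" in the US

    def to_e164(self, dialed: str) -> str:
        """Convert a number as dialed on a phone behind the Convergence to +E.164."""
        digits = re.sub(r"[ \-()./]", "", dialed)           # drop common separators
        if digits.startswith("+"):                          # already international
            body = digits[1:]
        # the international prefix must be tested before the distance prefix,
        # because "00" also starts with "0"
        elif self.international_prefix and digits.startswith(self.international_prefix):
            body = digits[len(self.international_prefix):]  # 00 49 89 ... -> 49 89 ...
        elif self.distance_prefix and digits.startswith(self.distance_prefix):
            body = self.country_code + digits[len(self.distance_prefix):]  # 0 221 ... -> 49 221 ...
        else:                                               # local number: add country and city code
            body = self.country_code + self.city_code + digits
        # E.164 allows at most 15 digits and nothing but digits after the "+"
        if not body.isdigit() or not 1 < len(body) <= 15:
            raise ValueError(f"cannot convert {dialed!r} to E.164")
        return "+" + body

    def to_enum_name(self, dialed: str, zone: str = "e164.arpa") -> str:
        """ENUM domain name for the dialed number: digits reversed, dot separated."""
        e164 = self.to_e164(dialed)
        return ".".join(reversed(e164[1:])) + "." + zone


def sample_plans():
    """Constructed sample configurations: the manual's German and US examples."""
    return {
        "de": EnumNumberPlan("49", "89", "0", "00"),
        "us": EnumNumberPlan("1", "212", "1", "011"),
    }
```

A wrong country code shows up immediately here: every local and long distance number ends up under the wrong +CC, which is the "outbound calls will not work" the manual warns about for ser country code.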

Name: ser looseroute
Description: Loose routing is defined in RFC3261 and will make the Convergence route all in-dialog messages the same way that the dialog setup was routed. This however assumes properly behaving SIP endpoints and properly behaving SIP servers. In simple scenarios, where the endpoints are registered to a server, where the messages are routed onwards, and where the proxy is on the return route in addition to that, this works for most endpoints. With a survivability scenario, the correct behavior of loose routing is not guaranteed with all devices. A typical sign is ACKs or BYEs coming from the softswitch being directly returned to it. In order to avoid that, loose routing can be disabled in normal operation (non survivability) if you see in-dialog messages like ACKs and BYEs not flowing as expected. Setting this value to on will turn on this feature. In order to have standard loose routing, simply leave this blank. This only applies to the Survivability and Branch SBC operational modes.
Example: ser looseroute=on

Name: ser pbx port
Description: With this parameter, you can configure to which port the Convergence will be sending the SIP requests towards the PBX. If this is not defined, the standard ports for the selected transmit types will be chosen. This is port 5060 for UDP and TCP and port 5061 for SIP TLS.
Example: ser pbx port=5060

Name: ser pbxnode
Description: Some IP PBXs / Softswitches support clustering or redundancy through a second host. There are two ways of implementing this clustering, either transparent, in which case we do not have to handle anything explicitly in the branch office, or with two IP addresses. This field is meant for the latter concept, which is frequently being used if the 2 nodes of a cluster have been spatially separated. In that case they are available through different WAN links, thus increasing the robustness of the overall solution. If such redundancy precautions have been taken in the data center, the branch equipment must also support this. If this field is set, the Survivability function of the Convergence will only take over if both the PBX as well as the 2nd node have failed. If only the first node has failed, messages will automatically be forwarded to the second node. This parameter only applies to the Survivability and Branch SBC modes of operation.
Example: ser pbxnode=62.111.222.5

Name: ser pickup
Description: All prefixes specified here will not be considered at all for a CAC decision. No Admission Control will be performed on the extensions entered here. This can be used for excluding certain number ranges because you know that there will always be enough bandwidth, or because you maybe want to exclude emergency calls. Caution: This is a dangerous function since it can break CAC altogether. Excluded cal
ls can cause an overload on a link if you are not careful in configuring your bandwidth rules. There is a commonly offered feature named Pickup group. This permits using any telephone and dialing a certain special extension like for example "*9" in order to pick up the call of another ringing telephone inside this branch office. In such a case, the Convergence must be told that the "*9" is not a regular number but rather the special extension for that. Regular expressions can be specified here. Note that you can enter a regular expression here and the above described functionality will apply to all extensions matching this expression. This also means that characters having a predefined meaning in a regular expression must be escaped to match the real character. Escaping can be done by adding a backslash before the character in question. In order to match the "*9" used in the example above, you hence have to enter a "\*9" into the field. Be very careful that the expression specified here only matches the actual calls that you want to have filtered and no more, especially when using regular expressions.
Example: ser pickup=9

Name: ser presence
Description: This is a very rarely needed parameter. It is being used for doing proper internal classification of messages and separating out all presence requests. In Voice scenarios with a central IP PBX as SIP server, the presence messages would be sent to your SIP server, which should in turn forward them correctly. You only need to consider it if your presence server is to directly communicate with the SBC without interaction of your PBX. If you are unsure about this, simply leave it blank, which should work okay for almost all scenarios. This applies only to the SBC mode of operation.
Example: ser presence=10.11.12.13

Name: ser pstn gw
Description: This parameter specifies the IP address of the used SIP gateway. It usually does not have to be specified, but the Convergence can optimize some media streams if it e.g. knows the IP address of the VoiceMail and the Media gateway. This applies to the SBC mode of operation only.
Example: ser pstn gw=10.10.10.5
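The regular expression pitfalls the ser pickup entry warns about are easy to see with a few lines of code. The following is an added example, not Convergence code: it compiles exemption entries the way a CAC filter would, shows why "*9" must be entered as "\*9", and audits a list of entries against sample numbers so that an over-broad entry (one that silently takes far more than the special extension out of admission control) is caught before it is deployed. The assumption that an entry is matched as a prefix against the start of the dialed number is this example's reading of "prefixes specified here"; the sample entries and numbers are constructed.

```python
import re
from typing import Dict, Iterable, List


def compile_exemption(entry: str) -> "re.Pattern[str]":
    """Compile one ser pickup / ser ignoreprefix entry. The manual says the field takes a
    regular expression and that prefixes are matched, so the pattern is applied at the
    start of the dialed number (re.match); that anchoring is this example's assumption."""
    try:
        return re.compile(entry)
    except re.error as exc:
        # "*9" fails here: "*" is a quantifier with nothing to repeat, so the field needs "\*9"
        raise ValueError(f"invalid CAC exemption {entry!r}: {exc}") from None


def literal_entry(extension: str) -> str:
    """Escape a literal extension such as "*9" so it matches itself (gives "\\*9")."""
    return re.escape(extension)


def is_cac_exempt(number: str, patterns: Iterable["re.Pattern[str]"]) -> bool:
    """True if any exemption matches the start of the dialed number."""
    return any(p.match(number) for p in patterns)


def audit_exemptions(entries: List[str], sample_numbers: Iterable[str]) -> Dict[str, List[str]]:
    """Show which of the sample numbers each entry would take out of CAC, to catch
    entries that match more than the special extensions they were meant for."""
    samples = list(sample_numbers)
    report: Dict[str, List[str]] = {}
    for entry in entries:
        pattern = compile_exemption(entry)
        report[entry] = [n for n in samples if pattern.match(n)]
    return report
```

Running audit_exemptions with the numbers that actually flow over the link is the cheapest check against the overload the manual cautions about: an entry like "1" exempts every number beginning with 1, while "\*9" exempts only the pickup extension.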

Name: ser retrans final
Description: This parameter specifies the time after which the Convergence will do the final retransmission of a message to the trunking side if no response (provisional or final) was received in this period. The time is specified in milliseconds. This only applies to the SIP Trunking template.
Example: ser retrans final=8000

Name: ser retrans1
Description: This parameter specifies the time after which the Convergence will do the first retransmission of a message to the trunking side if no response (provisional or final) was received in this period. The time is specified in milliseconds. This only applies to the SIP Trunking template.
Example: ser retrans1=2000

Name: ser retrans2
Description: This parameter specifies the time after which the Convergence will do the second retransmission of a message to the trunking side if no response (provisional or final) was received in this period. The time is specified in milliseconds. This only applies to the SIP Trunking template.
Example: ser retrans2=4000

Name: ser retrans3
Description: This parameter specifies the time after which the Convergence will do the third (and usually final) retransmission of a message to the trunking side if no response (provisional or final) was received in this period. The time is specified in milliseconds. This only applies to the SIP Trunking template.
Example: ser retrans3=8000

Name: ser rtp proxy tos
Description: You can define the TOS bit that will be set for all outgoing media streams. Note that this parameter only applies to the SBC templates and to those calls where the SBC component is doing actual media handling. If you want to do TOS tagging beyond this, please refer to the firewall section.
Example: ser rtp proxy tos=0x184

Name: ser sipport
Description: This defines the port where the Proxy / SBC component will be listening for incoming SIP requests. If left blank, the default 5060 port will be used. Note that setting this port only applies to the UDP and TCP variants. Refer to the ser tlsport parameter for setting the TLS port.
Example: ser sipport=5064

Name: ser src ip mask
Description: This parameter is used for CAC settings only, so you should also refer to the ser cac section for more information. This parameter defines the netmask for the ser src ip parameter. This parameter applies only to the Survivability and Branch SBC operational modes.
Example: ser src ip mask=255.255.255.0

Name: ser srtp
Description: Whenever turned on, the Convergence will start terminating SRTP calls that are coming from clients and passing to the internal network of the SBC. The Convergence will then rewrite all SDP bodies of incoming messages. There, SAVP offerings will be replaced with AVP offerings. Once the call is established, the media stream will be decrypted. To the SIP endpoint side, the media stream will be encrypted if SAVP was offered by the client. This parameter only applies to the SBC mode of operation.
Example: ser srtp=on

Name: ser surv
Description: In the Branch SBC mode of operation, Survivability functionality must be separately enabled. Set this value to on to activate survivability. In this case, the Convergence will behave exactly the same way as in Survivability mode, but it will do the media handling in addition to that. This parameter only applies to the Branch SBC mode of operation.
Example: ser surv=on

Name: ser tlsmethod
Description: Sets the TLS protocol method, which can be:
• TLSv1 - means the Convergence will accept only TLSv1 connections (RFC3261 conformant).
• SSLv3 - means the Convergence will accept only SSLv3 connections.
• SSLv2 - means the Convergence will accept only SSLv2 connections (almost all old clients support this).
• SSLv23 - means the Convergence will accept any of the above methods, but the initial SSL hello must be v2 (in the initial hello all the supported protocols are advertised, enabling switching to a higher and more secure version). The initial v2 hello means it will not accept connections from SSLv3 or TLSv1 only clients.
If you want RFC3261 conformance and all your clients support TLSv1 (or you are planning to use encrypted tunnels only between different Convergence proxies) use TLSv1. If you want to support older clients use SSLv23 (in fact most of the applications with SSL support use the SSLv23 method).
Example: ser tlsmethod=[VALUE]

Name: ser tlsport
Description: This defines the port where the Proxy / SBC component will be listening for incoming SIP TLS requests. If left blank, the default 5061 port will be used. Note that setting this port only applies to the TLS SIP variant. Refer to the ser sipport parameter for setting the TCP and UDP ports.
Example: ser tlsport=5071

Name: ser tos
Description: The TOS (Type Of Service) to be used for the sent SIP packets. The values apply to both UDP and TCP packets. This applies to the central SBC mode of operation.
Example: ser tos=0x180

Name: ser trunk dnssrv
Description: If this parameter is activated, any hostname entered in ser trunk host will be interpreted as a DNS SRV name. Thus a DNS SRV lookup will be performed at first. The message will be forwarded to the server with the highest priority. If the first host fails, the backup host is contacted. If multiple servers have the same priority, the messages will be distributed according to the weight assigned to the DNS SRV host. This parameter only applies to the SIP Trunking mode of operation.
Example: ser trunk dnssrv=on

Name: ser trunk port
Description: This parameter sets the port to which outgoing SIP messages are addressed on the Trunking provider side. If left blank, the default of 5060 for UDP and TCP and 5061 for TLS respectively will be used. Note that this parameter only needs to be set if DNS SRV is not being used. With DNS SRV enabled, the target host port will be queried from the DNS server. This parameter only applies to the SIP Trunking mode of operation.
Example: ser trunk port=5060

Name: ser trunk srvpenalty
Description: This specifies the time period for the penalty box. If a host obtained via a DNS SRV lookup is not reachable for a certain amount of time, it will be placed into the penalty box. This means that no further attempts will be placed to that server for the specified time. Only after that time, another request is tried to that server. This parameter only applies to the SIP Trunking mode of operation.
Example: ser trunk srvpenalty=30

Name: ser trunk transmit
Description: The SIP Transmit Type parameter is the transmission type the Convergence uses to contact the central local PBX. The Convergence supports 3 different SIP transport modes: UDP, TCP, and the encrypted TLS variant. The TCP and UDP types are straightforward and just specify the used protocol type. The only type requiring further explanation is TLS. For TLS additional things like the encryption keys are required. The Convergence will generate TLS keys automatically that can be downloaded for the use in Servers/Phones via SCP. Since this is a very advanced topic, this cannot be configured via the WebGUI as of yet. Please consult the Command Line Reference for more information on how to do that. The type to use depends first and foremost on the used IP PBX. This parameter applies only to the SIP Trunking template.
Example: ser trunk transmit=udp

Name: ser userpart
Description: Please refer to the ser usesipping parameter for more information on that. When using the SIP OPTIONS messages to check whether a server is still available, you can configure the URI user part the Convergence should be sending. Simply specify the user part of the URI with this parameter. The switch must respond to the URI with a non 5xx and 6xx response. You can also refer to the ser fromhost parameter for setting the host part of the URI. This only applies to the Survivability and Branch SBC templates.
Example: ser userpart=user
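The trunk host selection described for ser trunk dnssrv and ser trunk srvpenalty (lowest priority value first, weighted distribution among equal priorities, failed hosts parked for the penalty period, the port taken from the SRV record rather than ser trunk port) is the RFC 2782 procedure plus a penalty box. The following is an added example, not Convergence code, implementing it with an injectable clock so the penalty behaviour can be checked without waiting. The SRV records, host names and the 30-second penalty are constructed sample data.

```python
import random
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV answer for the trunk host (sample data is constructed below)."""
    priority: int
    weight: int
    port: int
    target: str


class ManualClock:
    """Deterministic clock so the penalty box can be exercised without sleeping."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SrvTrunkSelector:
    """Picks the trunk target as the manual describes: best (lowest) priority first,
    weighted random choice inside a priority (RFC 2782), and hosts that failed are
    kept in a penalty box for penalty_seconds before they are tried again."""

    def __init__(self, records: List[SrvRecord], penalty_seconds: float,
                 clock: Callable[[], float] = time.monotonic, seed: Optional[int] = None):
        self.records = sorted(records, key=lambda r: r.priority)
        self.penalty_seconds = penalty_seconds     # ser trunk srvpenalty
        self.clock = clock
        self.rng = random.Random(seed)
        self._penalty_box: Dict[Tuple[str, int], float] = {}   # host -> release time

    def usable(self) -> List[SrvRecord]:
        now = self.clock()
        return [r for r in self.records
                if self._penalty_box.get((r.target, r.port), 0.0) <= now]

    def choose(self) -> Optional[SrvRecord]:
        """Target for the next request, or None if every host is in the penalty box."""
        usable = self.usable()
        if not usable:
            return None
        best = usable[0].priority                 # records are sorted by priority
        candidates = [r for r in usable if r.priority == best]
        total = sum(r.weight for r in candidates)
        if total == 0:                            # all weights zero: any of them
            return self.rng.choice(candidates)
        pick = self.rng.random() * total          # weighted random selection
        running = 0
        for rec in candidates:
            running += rec.weight
            if pick < running:
                return rec
        return candidates[-1]

    def report_failure(self, rec: SrvRecord) -> None:
        """No response from rec: no further attempts until the penalty has expired."""
        self._penalty_box[(rec.target, rec.port)] = self.clock() + self.penalty_seconds


def sample_records() -> List[SrvRecord]:
    """Constructed SRV answers: two primary hosts sharing load 60/40, one backup."""
    return [
        SrvRecord(10, 60, 5060, "sip1.example.net"),
        SrvRecord(10, 40, 5060, "sip2.example.net"),
        SrvRecord(20, 0, 5061, "backup.example.net"),
    ]
```

Because the penalty box is keyed on target and port, a provider that publishes the same host on several ports is penalised per port, which matches the "port queried from the DNS server" behaviour the manual describes for DNS SRV.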

Name: ser usesipping
Description: There are two ways the Convergence supports to check whether the SIP server for which we are providing the survivability functionality is alive. This monitoring can be applied at the network layer (via ICMP messages) or on the application layer with SIP OPTIONS requests. The check with pings should work with all servers as long as the underlying network supports this. This is usually the case, except if firewalls on the way, or a packet filter on the server itself, prevent the Ping Echo Reply messages from getting back to the Convergence. Other than that, the pings will be sent in intervals of around a minute. This interval can be shorter depending on the amount of SIP messages flowing through the Convergence. The interval can also vary if there are abnormal negative responses to requests forwarded to the server. The non-response to a single ICMP message will not lead to the Convergence switching into survivability mode.
Whenever the SIP server supports SIP OPTIONS requests (please refer to RFC 3261 for more information on this SIP request type), this should be used for doing the alive check. It will also enable the Convergence to switch into survivability mode for situations in which the central SIP server is reachable, but not responding correctly. Whenever we receive 5xx or 6xx responses from the central server for an OPTIONS request, the Convergence switches to survivability mode. If no response is received, a single non-response will not lead to the Convergence switching to survivability mode either. If you are unsure about this, simply leave it blank, which should work okay for almost all scenarios. This only applies to the Survivability and Branch SBC templates.
Example: ser usesipping=on

Name: ser voicemail
Description: This is a very rarely needed parameter. You only need to consider it if your voicemail system is to directly communicate with the SBC without interaction of your PBX. It is being used for doing proper internal classification of messages. This applies only to the SBC mode of operation.
Example: ser voicemail=10.10.10.10
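The OPTIONS-based alive check described for ser usesipping, as an added example that is not Comdasys or OpenSER code: the local address, the number of silent probes tolerated (the manual only says that a single non-response must not switch modes) and the sample replies are assumptions, and returning to normal mode on the next good answer is this example's choice, not something the manual states.

```python
"""SIP OPTIONS alive check with the switching rules given for ser usesipping.
Added example, not Comdasys/OpenSER code. Assumptions: LOCAL_IP/LOCAL_PORT,
MAX_SILENT_PROBES, the constructed replies at the bottom."""
import random
import socket
import string

LOCAL_IP, LOCAL_PORT = "192.168.0.1", 5060   # assumed address of the monitoring side
MAX_SILENT_PROBES = 3                         # assumed: one lost reply must not switch modes


def build_options(server_ip, server_port=5060):
    """Build a minimal RFC 3261 OPTIONS request; returns bytes with CRLF line endings."""
    alnum = string.ascii_lowercase + string.digits
    branch = "z9hG4bK" + "".join(random.choices(alnum, k=16))   # RFC 3261 magic cookie
    call_id = "".join(random.choices(alnum, k=24)) + "@" + LOCAL_IP
    lines = [
        f"OPTIONS sip:{server_ip}:{server_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {LOCAL_IP}:{LOCAL_PORT};branch={branch}",
        f"From: <sip:ping@{LOCAL_IP}>;tag={random.randrange(1 << 32)}",
        f"To: <sip:{server_ip}:{server_port}>",
        f"Call-ID: {call_id}",
        "CSeq: 1 OPTIONS",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def status_code(reply):
    """Return the numeric status of a SIP reply, or None if it is not a SIP response."""
    first = reply.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    return int(parts[1])


class AliveCheck:
    """State of one central SIP server across probes.

    Rules from the manual: a 5xx or 6xx answer means the server is reachable but
    not working, so survivability starts at once; silence is only trusted after
    MAX_SILENT_PROBES probes in a row. Any other answer (1xx-4xx, e.g. a 405 from
    a server that refuses OPTIONS) proves the server is alive. Leaving
    survivability again on the next good answer is this example's assumption."""

    def __init__(self):
        self.silent = 0
        self.survivability = False

    def observe(self, reply):
        code = None if reply is None else status_code(reply)
        if code is None:
            self.silent += 1
            if self.silent >= MAX_SILENT_PROBES:
                self.survivability = True
        elif code >= 500:
            self.silent = 0
            self.survivability = True
        else:
            self.silent = 0
            self.survivability = False
        return self.survivability


def probe(server_ip, server_port=5060, timeout=2.0):
    """Send one OPTIONS over UDP and return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_options(server_ip, server_port), (server_ip, server_port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return reply


def run_scenario(replies):
    """Feed a list of replies (None = timeout) and return the mode after each probe."""
    check = AliveCheck()
    return [check.observe(r) for r in replies]


# Constructed replies for offline use, not captures from a real server.
OK_REPLY = b"SIP/2.0 200 OK\r\nCSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n"
ERR_REPLY = b"SIP/2.0 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(run_scenario([OK_REPLY, None, OK_REPLY, None, None, None, ERR_REPLY, OK_REPLY]))
```

To monitor a real server, call probe() once per interval and hand its result to AliveCheck.observe(); the UDP source port in the Via header must be one the Convergence actually listens on, otherwise the reply is lost and counts as silence.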

Name: ser multiport
Description: This activates multiport mapping towards the SIP server. Without it, all endpoints connected behind the SBC would seem to come from the same IP and port combination. In order to avoid confusion, especially with multiple registrations of different phones, each registered phone will be mapped to a unique port. Any message arriving from the PBX on that port will hence be forwarded to the correct phone. The phones will continue to send to the configured SIP port, so the port mapping only applies to the direction towards the SIP server. This applies only to the SBC, Branch SBC and Cascaded SBC modes of operation.
Example: ser multiport=on

Name: ser topohide
Description: An SBC typically separates an untrusted and a trusted network. SBCs are made to protect a datacenter from Internet users. As such, the SBC should protect the hosts in the datacenter by isolating them from the users. One of the measures taken here to make attacks more difficult is so-called topology hiding: all IP addresses of the datacenter appearing in the SIP message, as for example in To: and From: headers, are rewritten with the external IP address of the SBC, thus concealing the network architecture of the data center. Branch SBCs are slightly different, since the users are not really Internet users, but well-known branch users. Nevertheless, if activated, the Convergence will always change the Contact header of SIP requests that are being forwarded to the SIP server, so the SIP server will think that the SBC is the actual endpoint. The same holds true in the other direction, where all headers are modified so that the endpoint returns the messages to the SBC. By just using this option, the normal RFC-compliant mechanics of routing SIP messages are not affected. This means however that some headers, as for example Via, cannot be modified. This applies only to the SBC, Branch SBC and Cascaded SBC modes of operation.
Example: ser topohide=on

Name: ser topohide vias
Description: Refer also to the ser topohide parameter. In addition to the general header fields, the header fields concerning the message routing, such as Via and Record-Route headers, will be modified. The SBC will remove the Via headers in both directions, meaning that any routing behind or before the SBC will not work properly if it relies on the presence of Via or Record-Route headers. In a simple configuration with a server, an SBC and a client, this does not pose a problem. It could however impact the use of SIP proxies outside the SBC, since the SBC will always send outbound messages to the registered user. This feature is hence a security feature that hides all headers, but endangers proper RFC 3261 message routing. Usually, you should not activate this feature; if you want to preserve proper RFC 3261 compliant message routing, leave it off. This applies only to the SBC mode of operation.
Example: ser topohide vias=on

5.7.3 Settings for Dualmode Enterprise operation
Contrary to earlier versions, the FMC settings are now stored in a database. Therefore, it is not possible to perform any CLI configurations here. You can however access the database directly. For more information about this refer to ??.
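The header rewriting that ser multiport, ser topohide and ser topohide vias describe, as one added example that is not Comdasys or OpenSER code. The SBC's external address, the concealed address prefixes, the mapped port range and the REGISTER message are constructed for illustration; the function shows why plain topohide leaves Via and Record-Route intact while the vias variant drops them.

```python
"""Header rewriting of the kind described for ser multiport, ser topohide and
ser topohide vias. Added example, not Comdasys/OpenSER code; the addresses,
the port range and the REGISTER below are constructed."""
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
CONTACT_HOSTPORT_RE = re.compile(r"(sip:[^@>;\s]+@[\d.]+)(:\d+)?")
AOR_RE = re.compile(r"sip:([^@>;\s]+)@")
ROUTING_HEADERS = {"via", "record-route"}
IDENTITY_HEADERS = {"to", "from", "contact", "p-asserted-identity"}


class MultiportMapper:
    """ser multiport: each registered AOR gets its own port towards the SIP
    server, so a message from the PBX can be matched back to the right phone."""

    def __init__(self, first_port=20000):      # assumed start of the mapped range
        self._next = first_port
        self._by_aor = {}

    def port_for(self, aor):
        if aor not in self._by_aor:
            self._by_aor[aor] = self._next
            self._next += 1
        return self._by_aor[aor]

    def aor_for(self, port):
        """Reverse lookup for a message arriving from the PBX on a mapped port."""
        return next((a for a, p in self._by_aor.items() if p == port), None)


def hide_topology(message, hidden_prefixes, sbc_ip, mapper=None, hide_vias=False):
    """Rewrite one SIP message before it is forwarded across the SBC.

    hidden_prefixes: address prefixes of the side being concealed (datacenter
    nets towards users, branch nets towards the SIP server).
    ser topohide:      those addresses in To/From/Contact become sbc_ip; with a
                       mapper the Contact port becomes the AOR's mapped port.
                       Via and Record-Route stay untouched, so RFC 3261 routing works.
    ser topohide vias: Via and Record-Route are dropped completely, which is why
                       any proxy beyond the SBC loses its routing information.
    """
    def mask(m):
        ip = m.group(1)
        return sbc_ip if ip.startswith(tuple(hidden_prefixes)) else ip

    head, sep, body = message.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        if not colon or key not in ROUTING_HEADERS | IDENTITY_HEADERS:
            out.append(line)                  # request line and unrelated headers
            continue
        if key in ROUTING_HEADERS:
            if not hide_vias:
                out.append(line)
            continue
        value = IP_RE.sub(mask, value)
        if key == "contact" and mapper is not None:
            aor = AOR_RE.search(value)
            if aor:
                port = mapper.port_for(aor.group(1))
                value = CONTACT_HOSTPORT_RE.sub(lambda m: f"{m.group(1)}:{port}", value, count=1)
        out.append(f"{name}:{value}")
    return "\r\n".join(out) + sep + body


# Constructed REGISTER from a branch phone (10.2.0.5) heading for the central PBX.
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:pbx.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.2.0.5:5060;branch=z9hG4bKnashds7",
    "Record-Route: <sip:10.2.0.1;lr>",
    "From: <sip:alice@pbx.example.net>;tag=1928301774",
    "To: <sip:alice@pbx.example.net>",
    "Contact: <sip:alice@10.2.0.5:5060>",
    "Call-ID: a84b4c76e66710@alice-phone",
    "CSeq: 1 REGISTER",
    "Content-Length: 0",
    "", "",
])

if __name__ == "__main__":
    mp = MultiportMapper()
    print(hide_topology(SAMPLE_REGISTER, ["10.2."], "203.0.113.10", mapper=mp))
    print(hide_topology(SAMPLE_REGISTER, ["10.2."], "203.0.113.10", mapper=mp, hide_vias=True))
```

Run against the sample, the first call leaves the branch address visible in Via (the manual's "Via cannot be modified"), while the second removes it together with Record-Route, which is exactly what a proxy behind the SBC would need to route replies.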

6 Documentation for packaged products
This chapter contains documentation from third-party products that are used by Convergence products. The documentation is included for completeness reasons. Please note that these documents are copyrighted by their respective owners and are not the property of Comdasys AG.

6.1 Traffic Control / Quality of Service
The Convergence Series products feature sophisticated traffic control and bandwidth management support. There are two ways for configuring traffic control in the Convergence Series. Since traffic control is an immensely complex topic, you should refer to http://lartc.org/howto/ to get a more detailed introduction as to how Linux handles this. Here we will only describe where to find the respective configuration files. The Convergence series has a config file where the kind of configuration can be selected. It can be found under /etc/sysconfig/trafficshaping. The preferred way of configuring traffic control in the Convergence series is via htb.init. HTB stands for Hierarchical Token Bucket, which can be configured to work in conjunction with SFQ (Stochastic Fairness Queuing) and Priority Queuing. Online help for this topic is available on the box itself by displaying the README file in the htb directory. An example configuration is available from the Comdasys Website which documents the way this is configured. If configuration via the shaper script is selected, all of the features of Linux traffic control can be utilized. The downside is a very complex configuration process, which must be done in /usr/sbin/shaper.sh. A very simple but frequently used configuration can be found there which can be adapted to your liking.

6.2 DNS Server (ISC BIND9)
Most Convergence products have ISC BIND9 installed. As the BIND9 configuration file reference is longer than this document we do not include it here. For in-depth documentation please consult the BIND9 Administrator's Reference Manual, located at: http://www.nominum.com/content/documents/bind9arm.pdf
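An HTB tree with SFQ leaves and priorities of the kind section 6.1 names, as an added example that generates the tc(8) commands a shaper script would run. It is not Comdasys's shaper.sh or htb.init configuration; the interface name, the rates and the classification rules (DSCP EF for RTP, port 5060 for SIP) are assumptions made for illustration.

```python
"""Generator for an HTB hierarchy with SFQ leaves and priorities (section 6.1).
Added example, not Comdasys's shaper script; interface, rates and the
classification rules are assumptions."""
import subprocess

TOS_EF = 0xB8          # DSCP 46 (Expedited Forwarding) as it appears in the IP TOS byte
TOS_DSCP_MASK = 0xFC   # mask off the two ECN bits so they do not spoil the match


def plan_rates(link_kbit, voice_kbit):
    """Split the link into guaranteed rates (voice, signalling, bulk) that add up
    to link_kbit; HTB cannot honour guarantees that exceed the parent's rate."""
    if not 0 < voice_kbit < link_kbit:
        raise ValueError("voice_kbit must be positive and below link_kbit")
    remaining = link_kbit - voice_kbit
    sig_kbit = max(remaining // 4, 1)
    return voice_kbit, sig_kbit, remaining - sig_kbit


def htb_commands(dev, link_kbit, voice_kbit, sip_port=5060):
    """Return the tc(8) command lines for a three-class HTB tree on dev.

    1:10 voice       prio 0, guaranteed and capped at voice_kbit; a short FIFO,
                     because SFQ would reorder the RTP packets of one call
    1:20 signalling  prio 1, SFQ, may borrow up to the link rate
    1:30 bulk        prio 2, SFQ, default class for all unclassified traffic
    """
    voice, sig, bulk = plan_rates(link_kbit, voice_kbit)
    return [
        f"tc qdisc del dev {dev} root",
        f"tc qdisc add dev {dev} root handle 1: htb default 30",
        f"tc class add dev {dev} parent 1: classid 1:1 htb rate {link_kbit}kbit ceil {link_kbit}kbit",
        f"tc class add dev {dev} parent 1:1 classid 1:10 htb rate {voice}kbit ceil {voice}kbit prio 0",
        f"tc class add dev {dev} parent 1:1 classid 1:20 htb rate {sig}kbit ceil {link_kbit}kbit prio 1",
        f"tc class add dev {dev} parent 1:1 classid 1:30 htb rate {bulk}kbit ceil {link_kbit}kbit prio 2",
        f"tc qdisc add dev {dev} parent 1:10 handle 10: pfifo limit 20",
        f"tc qdisc add dev {dev} parent 1:20 handle 20: sfq perturb 10",
        f"tc qdisc add dev {dev} parent 1:30 handle 30: sfq perturb 10",
        # EF-marked packets (RTP from phones that set DSCP) go to the voice class
        f"tc filter add dev {dev} parent 1: protocol ip prio 1 u32 "
        f"match ip tos {TOS_EF:#x} {TOS_DSCP_MASK:#x} flowid 1:10",
        # SIP signalling in either direction goes to the signalling class
        f"tc filter add dev {dev} parent 1: protocol ip prio 2 u32 "
        f"match ip dport {sip_port} 0xffff flowid 1:20",
        f"tc filter add dev {dev} parent 1: protocol ip prio 2 u32 "
        f"match ip sport {sip_port} 0xffff flowid 1:20",
    ]


def apply(dev, link_kbit, voice_kbit, dry_run=True):
    """Print the commands, or run them as root when dry_run is False. The initial
    'qdisc del' is allowed to fail on an interface that has no root qdisc yet."""
    cmds = htb_commands(dev, link_kbit, voice_kbit)
    for cmd in cmds:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(cmd.split(), check=not cmd.endswith(" root"))
    return cmds


if __name__ == "__main__":
    apply("eth1", link_kbit=2048, voice_kbit=512)   # 2 Mbit/s WAN, a quarter reserved for voice
```

Note that the DSCP match only helps if the phones and gateways actually mark their RTP; traffic from devices that do not mark lands in the default class, so the port-based SIP filter is kept separate from the media class on purpose.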

6.3 SIP Proxy / Registrar
The Convergence Series uses OpenSER (derived from SER from IPTel.org) as Proxy / Registrar. Details can be found at http://www.openser.org/. There is also a lot of documentation available on the Internet, including links to further documentation. Note that the documentation included here is only a small excerpt of the lower level functionalities of OpenSER.

Note: Own additions have been made both to the documentation as well as to the software. Most commands used in the WebGUI generated openser.cfg file are actually not part of the standard OpenSER.

6.3.1 Control script serctl
There is a script openserctl to control the SIP Proxy server process. It can be used to manage users, in-memory contacts, access control lists, and to monitor server health. Executing openserctl with no arguments will produce this output:

  # openserctl
  /usr/sbin/openserctl $Revision: 1.2 $
  usage:
   * subscribers *
    add <username> <password> <email> .......... add a new subscriber (*)
    passwd <username> <passwd> ................. change user's password (*)
    rm <username> .............................. delete a user (*)
    mail <username> ............................ send an email to a user
    alias show [<alias>] ....................... show aliases
    alias rm <alias> ........................... remove an alias
    alias add <alias> <uri> .................... add an alias
    rpid add <username> <rpid> ................. add rpid for a user (*)
    rpid rm <username> ......................... set rpid to NULL for a user (*)
    rpid show <username> ....................... show rpid of a user
    alias_db show <alias> ...................... show alias details
    alias_db list <sip-id> ..................... list aliases for uri
    alias_db add <alias> <sip-id> .............. add an alias (*)
    alias_db rm <alias> ........................ remove an alias (*)
    alias_db help .............................. help message
    speeddial show <speeddial-id> .............. show speeddial details
    speeddial list <sip-id> .................... list speeddial for uri
    speeddial add <sip-id> <sd-id> <new-uri> [<desc>] ... add a speeddial (*)
    speeddial rm <sip-id> <sd-id> .............. remove a speeddial (*)
    speeddial help ............................. help message
    avp list [-T table] [-u <sip-id|uuid>] [-a attribute] [-v value] [-t type] ... list AVPs
    avp add [-T table] <sip-id|uuid> <attribute> <type> <value> ... add AVP (*)
    avp rm [-T table] [-u <sip-id|uuid>] [-a attribute] [-v value] [-t type] ... remove AVP (*)
    avp help ................................... help message
   * access control lists *
    acl show [<username>] ...................... show user membership
    acl grant <username> <group> ............... grant user membership (*)
    acl revoke <username> [<group>] ............ revoke user membership(s) (*)
   * usrloc *
    ul show [<username>] ....................... show in-RAM online users
    ul rm <username> [<contact URI>] ........... delete user's UsrLoc entries
    ul add <username> <uri> .................... introduce a permanent UsrLoc entry
    showdb [<username>] ........................ show online users flushed in DB
   * pa *
    pa pres <p_uri> <pstate> ................... set pstate for a presentity
    pa loc <p_uri> <loc> ....................... set location for a presentity
   * domains *
    domain show ................................ show list of served domains
    domain add <domainname> .................... add a new served domain
    domain rm <domainname> ..................... remove a served domain
   * lcr *
    * IP addresses must be entered in dotted quad format e.g. 1.2.3.4 *
    * <uri_scheme> and <transport> must be entered in integer or text, *
    * e.g. transport '2' is identical to transport 'tcp'. *
    * scheme: 1=sip, 2=sips; transport: 1=udp, 2=tcp, 3=tls *
    * Examples: openserctl lcr addgw_grp usa 1 *
    *           openserctl lcr addgw level3 1.2.3.4 5080 sip tcp 1 *
    *           openserctl lcr addroute +1 % 1 1 *
    lcr show ................................... show routes, gateways and groups
    lcr reload ................................. reload lcr gateways
    lcr addgw_grp <grp_name> ................... add gateway group, autocreate grp_id
    lcr addgw_grp <grp_name> <grp_id> .......... add gateway group with grp_id

    lcr rmgw_grp <grp_id> ...................... delete the gw_grp
    lcr addgw <gw_name> <ip> <port> <scheme> <transport> <grp_id> ... add a gateway
    lcr addgw <gw_name> <ip> <port> <scheme> <transport> <grp_id> <prefix> ... add a gateway with prefix
    lcr rmgw <gw_name> ......................... delete a gateway
    lcr addroute <prefix> <from> <grp_id> <prio> ... add a route
    lcr rmroute <prefix> <from> <grp_id> <prio> ... delete a route
   * control and diagnostics *
    moni ....................................... show internal status
    start ...................................... start openser
    ps ......................................... show running processes
    stop ....................................... stop openser
    fifo ....................................... send raw FIFO commands
    restart .................................... restart openser
    ping <uri> ................................. ping a URI (OPTIONS)
    cisco_restart <uri> ........................ restart a Cisco phone (NOTIFY)

Commands labeled with (*) will prompt for a MySQL password. If the variable PW is set, the password will not be prompted.

ACL privileges are: local ld int voicemail free-pstn prepaid

Adding and deleting users with openserctl
User account management is performed with these commands:
  openserctl add
  openserctl passwd
  openserctl rm
The contents of the in-memory cache can be managed with the ul argument. For example, openserctl ul rm joe will remove the current contact information about Joe from memory, whereas openserctl rm joe will delete joe's account. Please take care using these commands.

Examining the in-memory cache with openserctl
The command openserctl ul show will list any currently registered clients. The output will look like this:

.101’ CSeq : 11 State : CS_SYNC next : (nil) prev : (nil) ˜˜˜/Contact˜˜˜˜ ./Record.. domain: ’location’ aor : ’test’ ˜˜˜Contact(0x402f708c)˜˜˜ domain : ’location’ aor : ’test’ Contact: ’sip:test@192.0. 2005-2008 c Comdasys AG 273 ../Record.00 Call-ID: ’e8d93059-e46e-4fd9-958b-ccb36a1cf245@192.168...168....100’ CSeq : 101 State : CS_SYNC next : (nil) prev : (nil) ˜˜˜/Contact˜˜˜˜ ...3 SIP Proxy / Registrar ===Domain list=== ---Domain--- name : ’location’ size : 512 table: 0x402ee6d0 d_ll { n : 2 first: 0x402f1a74 last : 0x402f089c } lock : 0 .168. 6..Record(0x402f089c)..168. .Record(0x402f1a74).0..101:14354’ Expires: 432 q : 0. domain: ’location’ aor : ’joe’ ˜˜˜Contact(0x402f0924)˜˜˜ domain : ’location’ aor : ’joe’ Contact: ’sip:192.100:5060’ Expires: 2501 q : 0.0...00 Call-ID: ’000a8a93-d4660017-4571a6cd-658ac1bf@192.0..

  ---/Domain---
  ===/Domain list===

Examining server status
Two commands can be used to check the health of the server. The first command, openserctl ps, returns a list of all SER related processes, the IP address and the port they are listening on. For example:

  [root@gateway /root]# openserctl ps
  0 31029 attendant
  1 31033 receiver child=0 sock=0 @ 127.0.0.1::5060
  2 31034 receiver child=1 sock=0 @ 127.0.0.1::5060
  3 31035 receiver child=2 sock=0 @ 127.0.0.1::5060
  4 31036 receiver child=3 sock=0 @ 127.0.0.1::5060
  5 31037 receiver child=0 sock=1 @ 192.168.0.1::5060
  6 31038 receiver child=1 sock=1 @ 192.168.0.1::5060
  7 31039 receiver child=2 sock=1 @ 192.168.0.1::5060
  8 31040 receiver child=3 sock=1 @ 192.168.0.1::5060
  9 31049 fifo server
  10 31072 timer

The second command, openserctl monitor, shows the server version, uptime, pending and completed transactions, and the number of major category responses the server has sent. For example:

  [cycle #: 1; if constant make sure server lives]
  Server: OpenSer (1.1comdasys-tls (i386/linux))
  Now: Sun May 18 18:44:32 2008
  Up Since: Fri May 16 07:34:32 2008
  Up time: 213000 [sec]

  Transaction Statistics:
  Module name = tm, statistics=11
  tm:received_replies = 8465
  tm:relayed_replies = 8355
  tm:local_replies = 71
  tm:UAS_transactions = 8317
  tm:UAC_transactions = 0
  tm:2xx_transactions = 4243
  tm:3xx_transactions = 0
  tm:4xx_transactions = 4073
  tm:5xx_transactions = 0
  tm:6xx_transactions = 6
  tm:inuse_transactions = 2

  Stateless Server Statistics:
  Module name = sl, statistics=9
  sl:1xx_replies = 0
  sl:2xx_replies = 0
  sl:3xx_replies = 0
  sl:4xx_replies = 0
  sl:5xx_replies = 0
  sl:6xx_replies = 0
  sl:sent_replies = 0
  sl:sent_err_replies = 0
  sl:received_ACKs = 0

  UsrLoc Stats:
  Module name = usrloc, statistics=6
  usrloc:aliases-users = 0
  usrloc:aliases-contacts = 0
  usrloc:aliases-expires = 0
  usrloc:location-users = 1
  usrloc:location-contacts = 1
  usrloc:location-expires = 16

6.3.2 TLS
TLS, as defined in SIP RFC 3261, is a mandatory feature for proxies and can be used to secure the SIP signalling on a hop-by-hop basis (not end-to-end). It is a secure SIP transport method (besides UDP and TCP) for user agents or other SIP servers/proxies connecting to the Convergence. TLS works on top of TCP. The "SBC" (Session Border Controller) scenario currently uses TLS as the only possible transport method.
The configuration of the SIP server is written to the file /etc/ser/ser.cfg. It is dynamically created by the web based configuration application depending on the selected scenario. For a documentation of the syntax of the configuration file and the rich set of features and commands of OpenSER please refer to its documentation. The main configuration settings regarding TLS are shown below. The default path for the server certificate and private key is /etc/ser. Put the server certificate in the file /etc/ser/cert.pem and the private key into /etc/ser/prik.pem, and make sure to set the file permissions of the key to a restrictive value ("600": -rw-------): anyone who can read the key can impersonate the Convergence towards its TLS peers.

  tls_certificate="/etc/ser/cert.pem"     path to server certificate
  tls_private_key="/etc/ser/prik.pem"     path to server private key
  tls_method=TLSv1                        possible values are TLSv1, SSLv2, SSLv3, SSLv23
  disable_tls=0                           temporarily disables TLS when set to 1
  tls_verify=on                           requests and verifies a certificate from the connecting client
  tls_require_certificate=on              only used if tls_verify=on

• tls_require_certificate=0: the verification process will succeed if the client does not provide a certificate, or if it provides one which verifies correctly against the server's list of trusted certification authorities.
• tls_require_certificate=1: the verification process will only succeed if the client provides a certificate and this verifies correctly against the server's list of trusted CAs.

Of the tls_method values, TLSv1 is the one to use: SSLv2 and SSLv3 are obsolete protocols with known weaknesses, and SSLv23 allows a peer to negotiate those versions.

6.3.3 Regular expressions
Various options of the SER accept regular expressions. A regular expression, or regexp, is a way of describing a class of strings. Thus they are used in comparison expressions to match input strings. The simplest regular expression is a sequence of letters, numbers, or both. Such a regexp matches any string that contains that sequence. Thus, the regexp ‘foo’ matches any string containing ‘foo’. Other kinds of regexps let you specify more complicated classes of strings.

Regular Expression Operators
You can combine regular expressions with the following characters, called regular expression operators, or metacharacters, to increase the power and versatility of regular expressions. Here is a table of metacharacters. All characters not listed in the table stand for themselves.

‘^’
  This matches the beginning of the string or the beginning of a line within the string.
  Example: ‘^00’ matches two zero digits at the beginning of a string, and may be used to identify international calls.

‘$’
  This is similar to ‘^’, but it matches the end of a string or the end of a line within the string.
  Example: ‘p$’ matches a record that ends with a ‘p’.

‘.’
  This matches any single character except a newline. Using concatenation we can make regular expressions like ‘U.A’, which matches any three-character sequence that begins with ‘U’ and ends with ‘A’.
  Example: ‘.P’ matches any single character followed by a ‘P’ in a string.

‘[...]’
  This is called a character set. It matches any one of the characters that are enclosed in the square brackets. Ranges of characters are indicated by using a hyphen between the beginning and ending characters, and enclosing the whole thing in brackets.
  Example: ‘[MVX]’ matches any one of the characters ‘M’, ‘V’, or ‘X’ in a string. ‘[0-9]’ matches any digit.

‘[^...]’
  This is a complemented character set. The first character after the ‘[’ must be a ‘^’. It matches any character except those in the square brackets (or newline).
  Example: ‘[^0-9]’ matches any character that is not a digit.

‘|’
  This is the alternation operator and it is used to specify alternatives. The alternation applies to the largest possible regexps on either side.
  Example: ‘^P|[0-9]’ matches any string that matches either ‘^P’ or ‘[0-9]’. This means it matches any string that contains a digit or starts with ‘P’.

‘(...)’
  Parentheses are used for grouping in regular expressions as in arithmetic. They can be used to concatenate regular expressions containing the alternation operator, ‘|’.

‘*’
  This symbol means that the preceding regular expression is to be matched zero or as many times as possible to find a match. The ‘*’ repeats the smallest possible preceding expression. Use parentheses if you wish to repeat a larger expression. It finds as many repetitions as possible.
  Example: ‘ph*’ applies the ‘*’ symbol to the preceding ‘p’ and looks for matches to one ‘p’ followed by any number of ‘h’s. This will also match just ‘p’ if no ‘h’s are present.

‘+’
  This symbol is similar to ‘*’, but the preceding expression has to be matched at least once.
  Example: ‘wh+y’ would match ‘why’ and ‘whhy’ but not ‘wy’, whereas ‘wh*y’ would match all three of these strings.

‘?’
  This symbol is similar to ‘*’, but the preceding expression can be matched once or not at all.
  Example: ‘fe?d’ will match ‘fed’ and ‘fd’, but nothing else.

‘\’
  This is used to suppress the special meaning of a character when matching.
  Example: ‘\$’ matches the character ‘$’.

In regular expressions, the ‘*’, ‘+’, and ‘?’ operators have the highest precedence, followed by concatenation, and finally by ‘|’. As in arithmetic, parentheses can change how operators are grouped. Case is significant in regular expressions, both when matching ordinary characters (i.e. not metacharacters) and inside character sets. Thus a ‘w’ in a regular expression matches only a lower case ‘w’ and not an upper case ‘W’.

7 Extended options and debugging
The Convergence does not only offer configuration via the Web interface but further provides access through a CLI (Command Line Interface). The configuration via the CLI is primarily used for special tasks such as resetting to factory defaults and for extended debugging. A detailed description of the functionality accessible through the CLI is provided in the Commandline Guide. You can access this CLI in three ways:
• Using a SSH client
• Using the serial interface (COM1, 9600-N-1)
• Using the console (i.e. by connecting a VGA monitor and a PS/2 keyboard)
In every case the username is root and the password is identical to the password set in the Web interface. You will get a Linux prompt that can be used like any other Linux computer. Note that the Web interface password therefore also grants a root shell over SSH, so it must be chosen and protected accordingly.

A Sample scenarios

A.4 Survivability
In the Survivability scenario, the Convergence is simply used as a SIP Proxy that can take over the functionality of a central softswitch (compare figure ?? ??). All you need to do to configure this is to use the Convergence as an outbound proxy for your local phones and gateways. The Convergence will constantly monitor the connection to the softswitch. Once the connection breaks, the Convergence will instantly take over. This is accomplished via standard SIP mechanisms, so that neither special software in the data center nor special phone hardware is necessary.

A.5 Branch Connectivity and Branch Session Border Controller
The more generic Branch Connectivity Solution is very similar to the Standard Survivability scenario. For an illustration, please compare to figure ??. There is one major difference in the handling of the network: in the Branch Connectivity Scenario, the Convergence has two network connections, one internal and one external. As such, the device serves as a decentralized Session Border Controller. The SIP signalling and VoIP media handling is translated between these two networks. Contrary to a far end NAT traversal solution like a central SBC, the decentral SBC has a number of advantages, especially in Enterprise scenarios.
Using the Convergence in your branch office can also help address the QoS problems typically associated with converged networks. Too many voice calls on a WAN link will degrade the voice quality of all connections. Maintaining voice quality is a requirement that cannot be tackled with standard quality of service means alone. In order to avoid that, the Convergence can enforce hard limits on the number of possible calls based on predefined bandwidth constraints. The Convergence will continuously monitor the VoIP traffic streams. If the maximum allowable number of calls or the maximum allowable user bandwidth is reached, all additional calls flowing over that WAN link are denied. This functionality is commonly referred to as Call Admission Control.
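The Call Admission Control decision described above, as an added example that is not Comdasys code: the WAN link budget, the per-codec bandwidth figures, the choice of 503 Service Unavailable as the rejection and the call sequence are all assumptions made to show how the call-count and bandwidth limits interact.

```python
"""Call admission control on a WAN link (Branch Connectivity scenario).
Added example, not Comdasys code: budget, codec figures and the call sequence
are assumptions."""

# Approximate bandwidth per direction per call, IP/UDP/RTP headers included,
# at 20 ms packetisation (assumed round figures; link-layer overhead not counted).
CODEC_KBIT = {"PCMU": 80, "PCMA": 80, "G729": 24}


class WanLink:
    """Tracks admitted calls on one WAN link and answers new INVITEs."""

    def __init__(self, name, budget_kbit, max_calls=None):
        self.name = name
        self.budget_kbit = budget_kbit
        self.max_calls = max_calls          # optional hard cap on concurrent calls
        self.active = {}                    # call_id -> kbit reserved

    @property
    def used_kbit(self):
        return sum(self.active.values())

    def admit(self, call_id, codec):
        """Return (admitted, sip_status).

        A denied call gets 503 Service Unavailable so the phone can fall back,
        e.g. to a local PSTN gateway; an unknown codec is refused with 488."""
        need = CODEC_KBIT.get(codec)
        if need is None:
            return False, "488 Not Acceptable Here"
        if call_id in self.active:
            return True, "100 Trying"       # re-INVITE of an already admitted call
        if self.max_calls is not None and len(self.active) >= self.max_calls:
            return False, "503 Service Unavailable"
        if self.used_kbit + need > self.budget_kbit:
            return False, "503 Service Unavailable"
        self.active[call_id] = need
        return True, "100 Trying"

    def release(self, call_id):
        """BYE or CANCEL: give the reserved bandwidth back."""
        return self.active.pop(call_id, None) is not None


def run_calls(link, events):
    """Replay (call_id, codec) INVITEs and ("BYE", call_id) releases on a link
    and return one decision tuple per event."""
    decisions = []
    for ev in events:
        if ev[0] == "BYE":
            decisions.append(("BYE", ev[1], link.release(ev[1])))
        else:
            admitted, status = link.admit(*ev)
            decisions.append((ev[0], admitted, status))
    return decisions


if __name__ == "__main__":
    # Constructed sequence on a 200 kbit/s voice budget
    wan = WanLink("wan0", budget_kbit=200)
    for d in run_calls(wan, [("c1", "PCMU"), ("c2", "PCMU"), ("c3", "PCMU"),
                             ("c3", "G729"), ("BYE", "c1"), ("c4", "PCMU"), ("c5", "PCMU")]):
        print(d)
```

The bandwidth check runs after the call-count check, so a link can be limited by either constraint; releasing a call on BYE is what lets later calls in, which is why a missed BYE (a lost packet over the WAN) must be covered by session timers or media inactivity detection in a real deployment.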
The advantages of this decentralized approach over centralized server-based ones are numerous:
• Works with all SIP compliant servers
• Works also if NATs and Topology Hiding are used in the network
• Works for multiple SIP servers delivering different applications
• Works for a mix of Video and VoIP

Figure A.1: Survivability Scenario

• Clean Network Separation with Clean Routing
• Enhanced stability because there is no need for firewall pinholing for potentially thousands of phones
• Increased Security and Simplification of Firewall rules due to Server-Server only Communication
• Single Device Demarcation line between Headquarter and Branch Office
• Improved bandwidth utilization because branch traffic stays in the branch office
• Enables the use of local PSTN gateways even behind NATs in branch offices
• Additional Functionality can be implemented in the Branch

A.6 Hosted Communication
The Hosted scenario is a slight variation of the Branch Connectivity Scenario. The difference is mainly the ownership of the device as well as the security policy. In Hosted Scenarios, the Convergence is customer premise termination equipment managed by the Hosted Operator. This means that the Convergence is used to deliver a service to the customer premises. Security and Survivability are important topics there. Figure ?? should give you an overview.

A.7 Scenarios with Integrated Voice Gateways
If you have a Comdasys product with integrated Voice Gateway cards, you can support the same scenarios as described here, with the Voice Gateway built into the device. Figure ?? should give an overview of how this fits together.

A.8 SIP Trunking
When used for SIP Trunking, the Convergence will support such functionalities as:
• Securing Network Boundaries and providing Connectivity between your PBX and the external network
• NAT handling for both signalling and payload
• Signalling control of calls through the network, protecting the network from Denial of Service attacks and sudden spikes in congestion, and gracefully rejecting calls when necessary
• Support for both Full Topology Hiding as well as SIP Proxy mode for improving interoperability and Feature interworking

Figure A.2: Hosted Scenario
Figure A.3: BiaB Scenario

• Advanced Security Features such as TLS and SRTP Termination for implementing secure connectivity over insecure network links without having to upgrade all your equipment. You can also use VPN based encryption for communication towards the SIP Trunking provider
• DNS SRV handling for supporting redundancy configurations with your SIP Trunking Provider

Figure ?? ?? shows a SIP trunking scenario. The Convergence supports two different types of SIP Trunking scenarios. It can act as a transparent Session Border Controller for PBXs that natively support SIP trunks or for Carriers not needing a Registration with their service. The other way is acting as a true Back-to-Back User Agent supporting Registrations, Transcoding, etc. If that is selected, proprietary SIP signalling will however not be supported. The following gives an overview of the different modes of operation:

Figure A.4: SIP Trunking Scenario

• SBC Mode
  – Full Termination of Media
  – Malformed Packet Protection and Topology hiding, but supports transparent pass-through of signalling
  – DNS SRV Solution and Support for failover and load balancing solutions
• B2BUA Mode

  – Can Actively Register
  – Can handle various Individual Accounts (as common with some smaller SIP providers)
  – Full Termination of both Signalling and Media

The choice which way to use will depend on whether your carrier requires SIP registration and whether the PBX connected to this trunk can perform the registration or not. If it can, the transparent SBC approach is the suitable one because it can preserve the features across the SIP Trunk. With this approach even proprietary signalling such as SIP-Q is possible. If that is not the case, you will need to use the Back-to-Back User Agent based approach. This can be configured in the B2BUA section.

Note: Products with Integrated Voice Gateway and Autoattendant functionality only support SIP Trunking without Registration. They cannot handle individual user accounts with digest authentication with the SIP Provider.

A.9 Central SBC
The Convergence can also be used as a central Session Border Controller for Remote and Internet users. The Convergence can provide the following functions:
• SIP NAT Handling
• RTP NAT Handling
• QoS / Traffic Shaping
• Protects Softswitch from unauthorized access
• Layer 7 packet inspection for FW pinholing
• TLS Termination
• SRTP Termination
• Topology Hiding
Figure ?? ?? should provide an overview of a typical deployment.

Figure A.5: Central SBC Scenario

A.10 Cascaded SBC
The Cascaded SBC Scenario has to be seen in conjunction with the Branch SBC scenario. It is a special version of the Centralized SBC. Media streams will be anchored for all connections from the Branch to the Headquarter, or for connections between branches. If the connection stays behind one of the Branch SBCs however, the Cascaded SBC will not anchor these media streams. Figure ?? ?? provides a typical setup for this scenario.

Figure A.6: Cascaded SBC Scenario

A.11 FMC
The Convergence enables enterprises to fully leverage their existing network infrastructure as well as their WLAN networks for enabling more efficient voice communication while drastically reducing the cost of mobile communication. This can be accomplished by offering its employees a true one number solution for their fixed line and mobile phones, where the mobile phone can either be connected via GSM or via WLAN while retaining the Enterprise PBX features. Besides Enterprises, Service Providers can use the Convergence to enhance their offering

by Voice Features and can thus become Virtual Mobile Operators. This would make special sense to pure ISPs, WISPs (Wireless Internet Service Providers) and IP Telephony Service Providers. The Convergence enables enterprises and service providers to deploy converged applications that now become seamlessly usable on their mobile devices. The Convergence allows enterprises to make full use of dual mode phones (WLAN/WiFi/GSM/UMTS/CDMA) by enabling them to use their own wireless infrastructure for voice calls wherever possible. Besides using their own wireless infrastructure, the WLAN capabilities of the dual mode phones can be utilized anywhere in the range of an accessible Hotspot. The Comdasys FMC systems enable static as well as dynamic handovers for making sure that the appropriate transport, WLAN or GSM/UMTS/CDMA, is being used. The Comdasys FMC will also make sure that the media path is handled appropriately depending on where the dual mode phone is currently located (e.g. NAT handling for a dual mode phone behind a Hotspot). The following picture shows the principal layout of this scenario.

Figure A.7: FMC Scenario

B Support
For more in-depth information on the configuration, you should first refer to the Command Line Handbook. This will give you information about the possibilities of tracking down misconfigurations or problems through tracing etc. The Command Line reference is available from ftp://ftp.comdasys.com/pub/documentation
For further support, Howto's and FAQ's visit our Website: http://www.comdasys.com/Support/ or request support via eMail: support@comdasys.com