TELECOMMUNICATIONS
HANDBOOK
Permission is required to reproduce any part of this handbook. Permission will be granted freely to educational or
non-profit organizations. Contact:
Division of Information and Communication Technologies
3 United Nations Plaza, New York, NY 10017, USA
Tel: + (212) 326 7528
Daniel Couture
SCOPE
Emergencies strike in the blink of an eye. Responding to an emergency without the essential
communication technology resources runs the risk of being unable to deliver vital assistance to the most
affected communities. This edition is built on the foundation of three critical components that facilitate
a successful ICT response in humanitarian emergencies: equipment, procedures and local capacity.
Responders will find this a useful tool, enabling them to make immediate decisions in the face of
emergencies in order to deploy the necessary equipment in challenging environments. In seven well-
written chapters, it successfully conceptualizes the nature of ICT in emergency preparedness and
response, and addresses the overall integration of various standard telecommunications systems. This
information proves vital in the first few days of an emergency.
Hani Shannak
ACKNOWLEDGEMENTS
This handbook is the fruit of collaboration among many individuals and institutions. The editorial team
would like to thank all who gave so generously of their expertise and energy, in particular:
Simon Genin (UNICEF); Runar Holen (UNICEF); Johnni Bundgaard (Danimex); Mickael Da Silva (IEC
Telecoms); Karim Ghalaini (UNICEF); Josua Hunziker (Open Systems); John Jacobs (Codan); Charles
Lomotey (UNICEF); Cecile Lussi (Open Systems); Callum McEwen (Codan), Rado Ramanahadray
(UNICEF), Jean-Claude Rutayisire (UNICEF), Roberto Salazar (UNICEF) and Laurent Zimmerli (Open
Systems).
REVISION HISTORY
V1.0 (Oct. 2011)
- Initial version created as a support document to the ETT2011 workshop. Handbook is composed of 7 chapters (EPR, HF, VHF, MSS, VSAT, LAN, WLAN), each subdivided into 3 topics (theory, standards, configuration).
V2.0 (Oct. 2012)
- Modifications to the EPR chapter: addition of UNICEF’s strategy, move of the EPR checklist to annexes, removal of the chapter aimed at non-ICT staff.
- Modification to the HF chapter: theory knowledge additions, revamping of callsigns / selcall chapter, addition of step-by-step installation and configuration instructions for the Codan NGT radios.
- Slight amendments to the VHF theory chapter, revamping of callsigns / selcall chapter.
- Minor modifications to the LAN theory chapter, addition of a chapter dedicated to the operations of UNICEF emergency kits
- Addition of WLAN hardware standards
- Removal of all training quizzes
V2.1 (June 2013)
- Updated HF theory contents, addition of Codan Envoy hardware
- Addition of configuration guidelines for the BGAN 700 and Thuraya Satsleeve
- Revamped LAN chapter, especially information related to the new emergency kits, switching & VLANs, IP telephony
- Addition of a chapter focusing on Cisco Wireless LAN controllers and standard WiFi
V3.0 (Oct. 2014)
- Conversion from a training support document to a handbook that can be used in any situation, removal of all exercise and quiz sheets, uniformization of the handbook structure and contents.
- Added forewords, scope and new cover
- Revamped EPR chapter: move of the CCCs to annexes, addition of a scope and definitions chapter, country risk index, BCP and ICT-DR, prestocking guidelines, minor alterations to the response chapter
- Minor alterations to the HF chapter, addition of HF hardware standards and step-by-step configuration instructions for the Codan Envoy
- Minor alterations to the VHF theory, addition of VHF hardware standards and configuration instructions for the Motorola Mototrbo
- Major revamp of the MSS chapter, addition of hardware standards and selection guidelines, airtime service plans
- Major revamp of the VSAT chapter, addition of hardware standards, bandwidth pricing and step-by-step VSAT installation
- Major revamp of the LAN chapter, addition of theoretical content, hardware standards and specific instructions for the operations of UNICEF kits
- Minor updates to the WLAN chapter
V3.1 (Nov. 2014)
- Minor corrections to the technical procedures
V3.2 (Jan. 2015)
- Minor corrections to the technical procedures
V4.0 (Aug. 2016)
- New forewords, scope and cover
- Changed from letter to A4 format
- Corrected VHF Motorola Mototrbo configuration guidelines
- Updated Mission Control security gateway configuration instructions
V5.0 (July 2017)
- Adapted overall wording for an Inter-Agency audience
- Updated EPR chapter (BCP, ICT-DR, IA/ETC guidelines), MSS chapter (BGAN 510/710 configuration guidelines), VSAT chapter (Inmarsat GX) and VHF chapter (latest VHF radio models, DMR, antennas).
- Major revamp of LAN/WLAN chapters to focus more on standard emergency office setup rather than emergency kit procedures. Addition of Meraki and Ubiquiti hardware standards and configuration instructions. Additional configuration guidelines for security gateways, switches, voice routers and WLCs.
V5.1 (Dec. 2017)
- Minor corrections (VHF, LAN chapters)
CHAPTER 1
ICT EMERGENCY
PREPAREDNESS
AND RESPONSE
GUIDELINES
EPR GUIDELINES 9
1 SCOPE AND DEFINITIONS
A "humanitarian emergency" is defined as a situation that threatens the lives and well-being of large
numbers of a population and requires extraordinary action to ensure their survival, care and protection.
Examples of some major occurrences include natural disasters such as the South Asia Tsunami (2004),
the Pakistan and Haiti earthquakes (2005, 2007) or man-made emergencies such as decade-long
conflicts in Afghanistan, Sudan, Somalia, DRC, Syria… Most involved five or more operational areas
and an impacted population in excess of 500,000.
From a practical and operational viewpoint, humanitarian organizations respond to the following
situations or types of emergencies:
- Sudden disasters (or sudden-onset emergencies) – usually triggered by natural disasters that
damage infrastructures, hospitals, schools, water plants...
- Slow-onset crises – such as drought or severe economic crises that erode livelihoods, undermine
food and water supply systems and hence affect the ability of vulnerable populations to meet their
needs and the ability of communities to support them.
- Complex emergencies – conflict and widespread social and economic disruption resulting in
severe humanitarian crises and insecurity. Complex emergencies can be either sudden disaster or
slow onset.
The emergency management cycle is a continuous process that can be subdivided into 3 phases:
The Preparedness phase takes place before the emergency. By definition, it refers to the process
of an office complying with a list of preventive measures that seek to contain the effects of a
disastrous event. This process ensures an office has the capability to continue to sustain its essential
functions without being overwhelmed by the demand placed on them. An office’s preparedness
requirement is directly related to its level of exposure; for instance, an office in Pakistan, being in an
earthquake zone, would have higher preparedness requirements than a country such as Kazakhstan.
- Level 1 (L1): localized response led by the affected country. UNICEF responds using in-country
resources (offices, personnel, funding and supplies). The local ICT Officer is in charge of the ICT
response.
- Level 2 (L2): large scale localized or regional emergency. The Regional Office (RO) provides
leadership and coordination support to the country office. Additional staffing and equipment needs
can be met at the regional level. The RO ICT Chief supports the local ICT Officer in the response.
- Level 3 (L3): very large scale localized or regional emergency requiring an institution-wide
mobilization. Mechanisms such as the Emergency Programme Fund (EPF) and the Immediate
Response Team (IRT) are triggered while Head-Quarters (HQ) and Regional offices dedicate all
resources to the response. UNICEF Information Technology Solutions and Services Department
(ICTDD) in HQ and the RO ICT Chief support the local ICT Officer in the response.
While UNICEF ICT has well established standard emergency response procedures for each level of
response (refer to Annexes Simplified Standard Operating Procedures for Level II and III emergencies),
they still may need to be adapted to the specific country’s profile (importation restrictions, availability of
standard equipment in the local market, Internet Service Provider capacity...) and to the type and size
of the required response (upgrade to an existing office, new space or additional sites requirements,
inter-agency arrangements...).
UNICEF has adopted a decentralized approach to emergency response: Country Office ICT staff and
equipment are the organization’s first line of response. A main advantage of such an approach is the deep
local knowledge of its ICT staff, which accelerates procedures such as telecoms regulations,
importation, supply... Such an approach, however, implies a large ICT workforce and a long-term presence
in high-risk countries. It also requires significant investment in terms of preparedness at local, regional
and global levels (information sharing, training, standards, procedures).
Another commonly used strategy is to adopt a more centralized approach to emergency response, for
example, having a dedicated global emergency response unit, capable of deploying within 24/7. This is a
privileged approach for governments (military, medical, police…) but also for humanitarian organizations
with a smaller global footprint. Such an approach is particularly efficient for quick response, as the same
personnel are deployed multiple times and are familiar with equipment and procedures. However, it also
requires partnerships at local / global level, maintenance of global rosters (as staff rotation is higher)
and prestock.
The last approach is to adopt a combination of both strategies: local presence supplemented by an
emergency response team. It combines both advantages but also requires clear reporting lines, as
global and local teams must collaborate on-site.
2 EMERGENCY PREPAREDNESS GUIDELINES
Maintaining an adequate preparedness level is essential for an efficient and timely response. When the
emergency strikes it is often too late to acquire essential telecoms and ICT equipment, and much time
can be saved and problems avoided by ensuring a good preparedness.
The country risk index is a measuring stick highlighting the risk for humanitarian crises in a particular
country that could overwhelm national response capacity. It is based on the Index for Risk Management
(InfoRM, www.inform-index.org) which is determined by indicators such as hazards (events that could
occur), vulnerability (the susceptibility of communities to those hazards) and capacity (resources
available that can alleviate the impact).
Country offices with a high risk index should consider prioritizing resources and advocate for
preparedness, including in the ICT area. In 2016, the 12 countries with highest overall risk are:
Afghanistan, Chad, Central African Republic, DR Congo, Iraq, Mali, Myanmar, Sudan, South Sudan,
Somalia, Syrian Arab Republic and Yemen.
An important part of the field-office’s ICT preparedness is the development and maintenance of a solid
Emergency Preparedness Plan. A good guide for developing such a plan is to revise, every 6 months, the
ICT Emergency Preparedness Checklist for Field Offices (see annexes), which should be uploaded to
the UNICEF’s ICT Office profile portal. Field ICT should work closely with other operations and security
staff to ensure a realistic preparedness. Some general guidelines:
- In most emergencies, the security situation will deteriorate quickly, requiring rapid access to
additional security telecoms equipment - such as radios and personal satphones. Staff should be
able to work from home if required, using 3G, mobile satmodems (BGAN, Thuraya IP) or other high-
speed data-solutions (local and reliable ISPs). It is a good practice to ensure that every office has
All offices of a humanitarian organization, whether Headquarters, a Regional Office or a Country Office,
must be able to maintain continuity of highly critical functions during and following a disaster and/or
crisis event. Events such as major power outages, natural disasters, terrorist attacks, and a possible
global avian and human influenza pandemic specifically highlight an urgent need for humanitarian
organizations to implement a corporate Business Continuity Management strategy, the central element
of which is the Business Continuity Plan.
A Business Continuity Plan (BCP) is a series of procedures to restore normal organizational office
operations following a disaster and/or major event – within a pre-determined time. The BCP will address
specific scenarios where an office or personnel is directly impacted by the emergency.
1. Improve the organization’s ability to maintain highly critical business functions in high-risk situations,
thereby significantly enhancing emergency preparedness and operational capacity at all levels and
locations;
2. Continue highly critical/critical business operations in the event of a disaster to ensure that the
organization’s strategic objectives are being met;
Each humanitarian organization office therefore maintains a completed and tested Business Continuity
Plan that is supported by the following:
These plans are thoroughly documented and accessible either through UNICEF’s Early Warning Early
Action portal or ICT office profile.
As part of the ICT-DR plan, data back-up must be done on a daily basis by the Country Office ICT staff
and stored away from the office in a safe and secure place. Periodically, ensure that the backup data
can be restored and is useable. While backup of data/files on individual computers is the responsibility
of the users, it is important that the users be advised/informed to take a backup copy of their important
data/files and keep it in a safe/secure place.
There should be regular testing and validation of ICT-DR plans, including the preparation of a lessons-
learned report after testing activities.
A revised, country-specific Security Risk Assessment (SRA) system is in effect, wherein each country’s
security level is determined by the DO/SMT based on country-specific SRA. The country ICT team
(UNICEF and partners) will need to support this process; assess need, evaluate gaps and provide
DO/SMT with appropriate recommendations for the telecoms sector.
It is essential that an office in emergency maintains MOSS compliance. Much can and should be done
in the preparedness phase – such as pre-stocking back-up equipment; however, most emergencies will
require procurement/loan of additional equipment to ensure MOSS compliance. When considering the
office’s MOSS compliance, the country specific Security Risk Assessment must be consulted; this
requires collaboration with the office’s security officer/focal point.
MOSS compliance usually requires that staff, vehicles and offices are equipped with adequate
communications to call for help when required. In most emergencies this means VHF or UHF (for
personal and office use) and HF radio or mobile satcoms (for mobile and inter-office use). If the office
doesn’t have a preparedness stock to rely on, it is urgent to order additional VHF (or UHF) radios.
To achieve the objective of minimizing the negative impact of a natural disaster or conflict on IT and
telecoms infrastructure or services, UNICEF has developed, in collaboration with the private sector and
The following diagram summarizes the recommended training curriculums and path for UNICEF ICT
responders:
Refer to the training catalogue located in the flash drive and portal for further detail on each course.
Every UNICEF Country Office should maintain a minimum amount of equipment as a preparedness
measure. Such equipment could include:
- An ETR1 kit or equivalent, used for field assessment missions, mobile units and initial response
- 3G/LTE mobile hotspots (if available) with SIM cards ready to be activated
- Spare VHF handset radios
- Spare office IT equipment such as laser printers (+toners) and a digital scanner
- A couple of satellite phones and at least one satellite data transmitter (such as a BGAN or Thuraya
IP) with SIM cards, either pre-activated or ready to be activated (institutional contract signed)
- Set of tools for hardware installations, ideally a small generator for IT equipment and UPS
UNICEF maintains at the global level a significant emergency pre-stock of IT and Telecoms equipment
at Supply Division's warehouse in Copenhagen, in Regional Offices and at New York’s headquarters.
This equipment is organized in a kit format which can be put together based on requirements identified
during the assessment phase. Such kits are composed of VSATs, LAN, WLAN, IT and tools.
2.8 LONG TERM ARRANGEMENTS
Most large scale humanitarian organizations maintain global and local Long Term Arrangements (LTA)
for all manner of IT, telecoms and power equipment and in some cases LTAS (Long Term Arrangement
for Services) which would include services (airtime, bandwidth, equipment rental, on-site installation
services...). A best practice is to require suppliers to maintain a minimum of stock which could be
shipped within 48 hours.
As the emergency strikes, the country office ICT responsible should immediately take action to ensure
the ICT component of the emergency response is handled in a quick and effective manner while
ensuring compliance with the CCCs ICT component. It is the responsibility of the country office ICT, in
collaboration with Regional Chief of ICT and ICTD NYHQ to ensure that the office at all stages in the
emergency response is CCCs compliant.
When a sudden humanitarian emergency impacts a Country Office, a good practice is to follow the
Simplified Standard Operating Procedures. Procedures for L1, L2 or L3 emergencies slightly differ but
can be summarized with the following steps:
During the first 24 to 48 hours, whether the emergency has affected the office or a remote location,
the ICT staff must perform a quick ICT assessment. If the emergency has impacted ICT systems in the
office, the BCP must be immediately enabled. Standby equipment should be checked and radio and
satphone batteries charged.
After 48 hours, as the impact of the emergency becomes clearer, emergency responders or teams
travelling to the field must be provided with a GSM/3G phone, a satellite phone, data-capable satphone
(BGAN or Thuraya IP) and VHF radios (operating in simplex if no repeater is available yet), if security
requires it. Ideally the first response team should travel with the Office in-a-Box or ETR1 kit (see
Equipment). The staff to lead the ICT emergency response must have been identified and have started
internal and inter-agency coordination (teleconference call, short ICT situation report to be shared with
the CO management/RO/HQ). Local and global ICT providers will be alerted about a possible
requirement for additional capacity in the field. If the response is likely to trigger an increase of staff in
an already existing office, Internet service providers should be contacted to anticipate an upgrade of
the bandwidth, wireless infrastructure or ICT support staffing.
By the end of the first week, as the overall emergency response requirements become clearer, the
ICT response plan must be finalized. The plan shall include replacement for the equipment used at the
initial stage of the emergency, one-time-cost for the additional requirements, budget to cover recurring
costs for the response duration, list of service providers, procurement strategy (locally or out-sourced
to RO, HQ or SD) and accountability for follow-up. A dedicated file sharing mechanism (for example, a
SharePoint portal) is created and IT requests (such as email or Intranet access) for responders are fast-
tracked.
Starting the second and following weeks, real-time monitoring of the situation is required to
permanently assess needs of field responders, the objective being to quickly identify any ICT gap that
could possibly impact the overall response. If a new office is considered, it is essential that an ICT
responder is part of the first assessment of the premises, to verify requirements such as satellite visibility for
VSATs, height of radio antennas, distance to power source, potential interferences, LAN and WiFi
infrastructure requirements, grounding, etc.; all factors that are critical when considering a new location.
Continuing the coordination effort, weekly conference calls and situation reports must be produced by
the local ICT officer in collaboration with the Regional ICT officer, HQ and the inter-agency community.
Refer to the Simplified Standard Operating Procedures in annexes for step-by-step instructions. The
diagram on the next page summarizes the recommended chronology of actions in a typical humanitarian
response.
[Diagram: Chronology of actions, spanning Preparedness, Crisis and Emergency Response; labelled steps: Initial Assessment, On-site Assessment, Final Report, Lessons learned]
As a country office encounters an emergency situation, the ICT responder must rapidly carry out an
initial assessment to determine the impact of the situation and any immediate ICT needs. The ICT
officer should therefore participate in all internal meetings related to the emergency, consult with
operations and program colleagues, engage with the inter-agency ICT working groups, and inquire about the
status and capacity of local service providers (Internet, GSM, ...) and the position of local authorities (if applicable, for
example telecoms authorities).
The initial assessment shapes the response plan; as such, the ICT officer should determine:
- if the office ICT systems are affected and whether the BCP should be deployed;
- if UNICEF personnel is deploying to the affected areas;
- if surge UNICEF personnel is deploying to reinforce capacity in existing offices;
- if new offices will be required.
If one or several of the conditions above apply, the ICT officer should then seek to determine:
- if there is enough equipment pre-stocked in the office to cover immediate needs, and if such
equipment is deployable;
- if the actual network and bandwidth will cope with the increase of users;
- if there is enough ICT personnel available to support at the office and on-site (if applicable);
- what is the capacity of local service providers and other agencies;
- if the emergency telecoms cluster (ETC) is activated and who is leading it.
Based on the emergency level, the initial assessment should then be shared and discussed with the
country Operations Officer, Regional Office and NYHQ to determine whether any further support is
required and what would be the next actions.
On-site ICT assessment applies only to emergencies requiring the deployment of responders for an
extended duration. It should therefore focus on the location where UNICEF responders are operating
from. This can be a hotel, an inter-agency office or a dedicated office space. Such an assessment addresses the
detailed ICT situation including: local ISP(s) capacity (services, coverage and quality), VSAT site survey
(if applicable), security telecommunications requirements, ETC service quality, staff requirements,
power status...
The outcome of the on-site assessment will either confirm the initial response plan, identify any
unplanned gap or determine whether the requirements have been over-estimated.
In cluster-activated emergencies, the ICT/ETC lead agency is responsible for carrying out an ETC gap-
assessment. Such assessment may indicate that there are gaps (i.e. needs) in the areas of security
(radio) communications and/or in the area of common data-communications. Examples of such gaps:
- Lack of repeater coverage in a specific location, requiring installation of additional repeater(s)
- Lack of radio-rooms for interagency security coordination, requiring establishment of a common
radio-room
- Lack of capacity among agency staff in radio programming, requiring the deployment of a radio-
trainer
- Lack of Internet access, requiring installation of a VSAT with Wi-Fi connectivity.
In this process, the ETC lead agency will seek to involve UNICEF and other major UN agencies and
NGOs operating in the country, to jointly develop an ETC project that would cover any of the identified
gaps. The ETC lead agency will seek to include this as part of a consolidated emergency funding
request, typically included in an emergency Flash-Appeal. The Flash-Appeal will – in addition to ETC
needs – include funding needs for all areas of program and operational activities in the specific
emergency.
In some emergencies UNICEF may be requested to serve as local ETC cluster lead and take
responsibility for the ETC gap assessment and subsequent project plan and funding request.
Note that the ETC assessment and subsequent project plan/budget is targeted at covering inter-agency
needs (radio back-bone; common VSAT, for instance) and is not meant to cover each agency’s internal
ICT needs. Therefore it does not substitute for UNICEF’s own ICT assessment and procurement needs.
The response plan is an important document that applies when an office does not have the capacity or
budget to cover the medium/long term ICT needs of the emergency. A typical scenario applies to level
2 or 3 emergencies, when one or multiple offices must be upgraded or created very quickly, and the IT
department does not have enough budget to cover such requirements. The response plan is used to
present the ICT project to management and justifies the required investment in equipment, services
and staffing.
Monitoring and Evaluation (M&E) is a critical component of any project, whether it applies to
programmatic or operational areas.
When applied to ICT in emergencies, the following measures are required to ensure a formal M&E
process is in place and systematically applied:
Note that a final independent evaluation covering the organization’s response as a whole may be undertaken
by donors or auditors. It is critical that the ICT emergency responders share their inputs and lessons
learned in this evaluation.
Key Performance Indicators stem from the list of essential services as defined in the Service Catalog
(see Global IT services portal). In addition, the following Key Performance Indicators can be useful when
monitoring ICT projects in emergencies:
3.5.1 Budgeting
A component of the response plan is to estimate how much additional funding is required and present
this to the Operations Officer to ensure it is included in the office’s overall request for emergency
funding. It is highly recommended that such budget is shared with the Regional Office and HQ to make
sure nothing is missing. Various funding mechanisms exist and many of these require quick action so
the ICT budget should be available within the first week of the response.
The budget must cover the costs for the entire project duration, including potential handover/closure
expenses and the post-emergency evaluations such as lessons-learned exercises. Some
key cost considerations when drafting an emergency ICT budget:
Refer to the budget tool located in the flash drive or portal.
The IT manager will always need to be aware of the total ICT budget, funds spent or committed,
purchase orders (PO), planned expenditure (purchase requisition - PR) and future needs. In general, it
is necessary to track the budget reports in the organization’s Enterprise Resource Planning tool
(Oracle, SAP, Salesforce…) on a weekly basis, and compare them to manually maintained records (maintain a
tracking spreadsheet). This is crucial to ensure best use of funds and guard against under- or over-spending.
In addition, it is necessary to work closely with the supply team to ensure follow-up and
verification of expenditures.
3.5.2 Supply
Experience shows that lack of timely ordering of emergency ICT equipment can be a major obstacle to
an efficient response. The Supply Plan is therefore a critical component of the response plan and much
effort should be put into ensuring that orders for ICT equipment and service are properly anticipated
and correctly initiated. The ICT responsible should ensure that the equipment needs are established as
quickly as possible and work with the CO supply officer/focal point to have ICT equipment prioritized in
the ordering and shipping process.
- In large scale emergencies, it may be beneficial to outsource the procurement of ICT equipment to
a Regional Office or to Head-Quarters to free-up time at the local level. Local procurement officers
are indeed often overloaded with important procurements related to program areas, risking that ICT
orders are delayed.
- Large scale humanitarian organizations typically package equipment into emergency ICT “kits” and
pre-position them in strategic locations (in UNICEF: Copenhagen global warehouse, Regional
Offices and New York Head-Quarters). Usually it’s the fastest way to obtain equipment. Kit solutions
can also be a buffer for response plans that may have been over-estimated as a result of the
"no-regret" policy, since these kits can be shipped back if not used, thereby limiting costs to
shipping only.
- Standard emergency IT and Telecoms equipment and services are available through Direct Order
(DO) Long Term Agreements (LTAs), either through Supply Division (equipment) or ICTD
(services). Emergency telecoms related LTAs contain emergency clauses requiring vendors to
maintain a minimum stock, thus ensuring rapid shipping. (UNICEF example: IEC maintains stock
of mobile satcoms terminals; Danimex maintains stock of VHF and UHF radios; ATEA maintains
stock of laptops and other IT equipment). It is recommended to work closely with the procurement
officer in order to enable such option in Vision and ensure vendor is aware that this is an
“emergency order”.
- For LTA equipment without emergency clause, such as IT equipment (laptops, printers, LAN,
WLAN...), delivery lead time can be several weeks; it is therefore urgent to initiate procurement as
early as possible. Consider assigning "temporary laptops" from the office stock for surge personnel
without equipment.
- Avoid ordering non-standard material as this may require a bidding process that can delay
shipment. If non-standard equipment is required, make sure to separate these out in a dedicated
Purchase Order.
- When procuring items whose value is higher than 2,500 USD, IPSAS recommends creating an
asset number / inventory tag and linking them to the organization’s ERP.
- Assigned ERP budget codes should be verified before committing any expenditure. Before
providing a budget code the following must be confirmed:
  - Are sufficient funds available for the project?
  - Can the budget be utilized for the said expenditure?
  - If spending is from a funding source managed by another unit/person, ensure that
    unit/person authorizes the expenditure in advance, even if previously agreed.
- Separate orders by supplier – this facilitates tracking of orders.
- Work closely with the supply focal point to ensure orders are correctly processed.
- Keep RO ICT and ICTD informed about status of orders – they can support and speed things up.
- Frequently visit the warehouse and check the delivery schedule; it can happen that equipment
has been delivered without notifying the ICT team.
Build a strong working relationship with the logistics team handling reception and dispatch of
equipment. If there are emergency relief flights leaving from global warehouses and if timing allows,
seek to have the ICT equipment delivered to the warehouse, for subsequent inclusion in relief flights.
HQ ICT teams can support country offices to liaise with their global supply and logistics emergency
units.
3.6.1 Rosters
Large humanitarian organizations maintain local/regional/global ICT rosters of personnel who are
trained and experienced in emergency response and possess a wide range of skills, including ICT
management, VSAT installation, VHF and HF radio setup (handhelds and repeaters), LAN and WLAN
as well as mobile satellite devices. In addition, members have important personal attributes such as
teamwork and problem-solving skills, cultural sensitivity, tolerance, flexibility, and the ability to function
effectively in a demanding emergency environment.
During an emergency there is often a need for surge capacity in specific areas. Humanitarian
organizations have usually implemented standby arrangements with several public or private
organizations to cater for this. These arrangements allow a field office to quickly obtain trained and
experienced ICT professionals to support emergency response and in some cases also preparedness
activities. Standby partners are “free”; the only cost for the country office is in-country flights.
Standby arrangements can be used for various areas of ICT support, such as:
In UNICEF, three standby arrangements also include provision of equipment (typically shipped back
once the deployment is over):
- Ericsson Response can deploy the "WIDER", a networking technology providing captive WIFI
portals and a user registration/authentication mechanism (airport or hotel type). This is a
recommended solution for inter-agency sharing type scenarios (e.g. ETC deployments).
- TSF is an NGO specialized in first response. They can be deployed to install temporary Internet
and voice access (30/45 days maximum) and cover all costs related to it. TSF usually relies
on mobile satellite terminals (BGAN) and small Ku-band VSATs.
- The Government of Luxembourg can deploy the emergency.lu solution, preferably in an inter-
agency shared scenario (ETC type). The emergency.lu solution includes a "rapid deployment" kit
composed of an inflatable 2.4m VSAT (GATR model) and Voice-Over-IP phones. The largest
emergency.lu solution is called "Regular deployment kit" and is composed of a 2.4m Quick-Deploy
VSAT antenna (Viking model) and a network rack (VOIP, server).
EMOPS Geneva acts as the focal point for standby partner support. Before contacting EMOPS Geneva
to request ICT surge capacity, the requesting office should develop a Terms of Reference/Job
Description for the secondment. The link below to the UNICEF standby partner arrangements
homepage has information about this and examples of such ToR for ICT/telecoms staff.
3.7 COORDINATION
Coordination, collaboration and information sharing are important components of the emergency
response. Such activities take place both within and outside the agency.
Typically, the field office ICT staff will be supported by the Regional Chief of ICT (RCICT) and by
ICTD/HQ, where the RCICT handles day-to-day coordination and support while ICTD/HQ handles the
global interagency/ETC (Emergency Telecoms Cluster) related coordination – in addition to facilitating
access to ICTD’s in-house stock of emergency telecoms equipment and roster of emergency ICT
response staff.
To ensure the best possible coordination and collaboration within an organization (CO-RO-HQ), regular
sharing of information is essential. This is especially important in the early stages of an emergency,
where bi-weekly or weekly conference calls and minutes are organized with the RO and ICTD (for
eventual further distribution). Similarly, findings of initial / on-site assessments and response plans
should be shared with RO/HQ, to ensure these are also leveraged at HQ and regional level. A hand-over
note should also be agreed on between responders when there is a staff replacement.
During an emergency, many organizations will face the same challenges in terms of urgent need for
ICT equipment, additional staffing and emergency funding. Through collaboration and resource sharing
at the global and local levels, individual agencies’ resources can be better utilized and shared. Such
sharing and collaboration mechanisms should already be in place as a preparedness activity.
Inter-agency collaboration can take the form of collaboration on one or more specific projects or
activities or, typically in a larger emergency, the form of overall shared security and data
communications services, systems and networks. The ICT Working Group at the local level can be an
instrument for collaboration, coordination and information sharing between UN agencies, NGOs and
INGOs in ICT related matters, thereby reducing gaps and avoiding overlaps and duplication of effort.
The local ICT working group can be chaired by one agency or on a rotational basis. The ICT working
group is a tool for joint emergency preparedness and response, and as such it should be established
- One agency takes on field mission tasks on behalf of one or more sister-agencies, thereby avoiding
duplication of field missions;
- Agencies support one another in developing Emergency Preparedness and Response Plans
(EPRP);
- Agencies share a VSAT installation in a field office, thereby reducing equipment and installation
costs. Monthly recurring costs are shared among the agencies;
- One agency seconds ICT support staff to another agency for short term support. Within the ICT
working group, each member can have special experience and training that can benefit other
agencies;
- Equipment that is no longer needed in one agency can be handed over to another agency. The ICT
working group can improve the design and implementation of interagency services (such as a radio
network) by facilitating discussion and fact sharing.
Clusters are groups of humanitarian organizations, both UN and non-UN, in each of the main sectors
of humanitarian action (for example water and sanitation, health, logistics...). They are designated by
the Inter-Agency Standing Committee (IASC) and have clear responsibilities for coordination. The
cluster approach is designed to strengthen the "collaborative response" and improve predictability, timeliness and
effectiveness of humanitarian response. It also aims to strengthen the leadership and accountability in
key sectors where gaps have been identified, which includes emergency telecommunications.
When the Emergency Telecommunications Cluster (ETC) is activated, it facilitates access to additional
funding for common emergency telecoms. In most emergencies, WFP (as global ETC lead and Provider
of Last Resort) or HCR (in conflict scenarios with refugees) will be tasked to take the lead; however, if
another agency has a strong presence in the country/operational area, the Humanitarian & Emergency
Relief Coordinator may request that agency to take the lead in that specific emergency. Example: If
UNICEF has a well-developed ICT infrastructure and staffing in a given country, UNICEF may be
chosen as cluster lead agency in that specific emergency. More information on ETC deployments
(activation, situation reports, guidelines, technical information…) can be found on the ICT emergency
website.
Note: UNICEF was initially mandated to deliver common data-communications services for the cluster.
As of June 2009, UNICEF handed over this responsibility to WFP, with WFP now providing both
common data and security-communications.
3.8 EQUIPMENT
Data-communications for first responders are typically obtained using 3G modems (“dongles”), if
coverage is available; BGAN/Thuraya IP; or Emergency Telecoms Cluster (ETC) connectivity in the
early stages of an emergency. Such solutions are acceptable as long as the response timeframe is kept
short (less than 2 weeks). Each of these solutions has limitations when considering
the longer term:
- 3G dongles are not easy to share as a team, often require one device per responder (making them
hard to track) and are easy to lose. In addition, the multiplication of data plans can be costly
for the office.
- Mobile satellite communications services (MSS) airtime can lead to substantial usage costs.
Country Offices are recommended to closely monitor their airtime consumption (using the
equipment log and provider's portals) and to modify the subscription plans accordingly. In addition,
transmission speed of such terminals is poor (in practice data-rates reach 20-30 KB/s) and latency
high (900-1500ms).
- ETC connections (often VSAT) are shared among a large number of responders and can therefore
be equally slow. Responders must also commute on a daily basis to the ETC location where such
services are provided, making it inconvenient and inefficient over the longer term.
If the response continues beyond 2 weeks, the solutions mentioned above should be replaced with
conventional local Internet Service Providers if available (such as DSL, fiber) or VSAT (either from a local
provider or a global LTA/LTAS provider). These services all offer guaranteed data-rates at fixed cost.
Security telecommunications should be determined by the UN security level and requirements for the
Emergency Communications System (ECS). Such information should be available with the agency’s
Security Focal Point. Alternatively, UNDSS or the lead ETC agency (if activated), which often has the
senior advisory role for staff security and radio infrastructure, should be able to provide such
requirements. In most cases humanitarian organizations will use an inter-agency radio infrastructure. If
such arrangements cannot be obtained or if operational requirements impose the setup of dedicated
radio rooms, a dedicated and experienced radio technician should be deployed.
Electrical service can have a huge negative impact if not done properly. An unstable, unreliable or badly
designed electricity supply network will not only damage or destroy the equipment, but also poses a danger
to staff safety. There are two main solutions for electricity supply that are used as follows:
- Mains with generator backup: Publicly provided electricity is the main source with agency provided
generators used as a backup. To ensure stable power when running the mains, all electricity
provided to ICT equipment should be filtered through voltage regulators and UPSs.
It is important that all security telecommunications equipment (radios, repeaters) and LAN/WLAN
infrastructure are additionally backed up by Uninterruptible Power Supplies (UPS) and/or solar power
systems. If electricity supply and distribution networks (public and office) are unreliable, an electrician
should be included in the staffing plan. Electricians can usually be recruited locally but oftentimes it can
be difficult to get the right technical level. It is therefore recommended to seek temporary / standby
personnel to fill the gap for the initial period, assist with networks and grounding upgrades, and to train
a local electrician who eventually can take over the responsibility.
CHAPTER 2
Using frequencies in the range of 3 to 30MHz, HF can offer reliable communications over thousands of
kilometres with independent and limited infrastructure. Although its usage has declined with the
emergence of new terrestrial technology such as GSM networks, it is still considered a last-resort
means of communication and equips most vehicles and offices in countries where staff security is
considered a priority. The possibility to reach any humanitarian vehicle, no matter the location in a
country and without any infrastructure (other than in the office and vehicle), remains HF's greatest asset.
It can also be used for operational voice communications, SMS type text messaging, GPS tracking and
communications with aircraft.
The ionosphere is comprised of regions of the upper atmosphere in which there are free electrons. It is
this ‘electron soup’ that has the ability to act on HF radio waves as if it had a refractive index different
from the surrounding non-charged layers of the atmosphere. This is similar to light passing through
different layers of heated air in the desert and producing a mirage or image of the sky that appears to
be on the ground. In their simplest form, the layers of the ionosphere may be thought of as “mirrors in
the sky” that reflect radio waves. It is, however, refraction and not reflection that redirects the radio
waves and the degree of bending of these waves is dependent on several factors.
The free electrons are generated by powerful radiation from the sun, such as extreme ultra-violet (EUV),
striking gas molecules in the upper atmosphere so violently that it knocks an electron from the outer
orbit. Because gas molecules are thinly spread in the upper atmosphere, it takes considerable time for the
free electrons to find positive ions and recombine. This process is called photo-ionisation and leaves
layers of electrons and positive ions high above the earth, hence the name ionosphere.
More than twenty years after Marconi’s first transatlantic radio transmission, the British scientist Edward
Appleton discovered the existence of the ionosphere. Further research revealed that the ionosphere
was not just one layer but composed of four layers, designated D, E, F1 and F2. It is the changing
nature of these layers that makes HF propagation an interesting and challenging discipline.
- F layer: The F layer actually comprises two layers during the day (F1 and F2) which combine at
night to form one layer. It is the F2 layer, right at the top of the ionosphere, at an altitude of around
250 km which receives the most solar radiation and is hence the most strongly ionized. This layer
is the most useful for long distance communications. Its electron density varies between day and
night and also with the seasons and the sun’s activity cycle.
The degree of ionization of the ionosphere (and hence its ability to refract radio waves) changes with
the amount of solar radiation. This is most clearly seen in the difference in the frequency required to
reach a given distance between daytime and nighttime. The ionosphere is not a stable medium, but
varies with different factors. These cause reasonably predictable changes in the ionosphere which
affect HF communications.
In mid and high latitudes, during the spring and summer there are more hours of sunlight. This increases
ionization in all the layers of the ionosphere. Higher frequencies are required to pass through the D and
E layers and to compensate for the extra refraction of the F layers. Likewise in autumn and winter,
ionization is less and so lower frequencies are required for a given communication distance.
The radiation emitted by the sun is also not constant. It varies with the (approximately) 11-year sunspot
cycle. A sunspot is a region on the sun’s surface that shows intense magnetic activity and generates
higher levels of radiation, which in turn cause higher levels of ionization in the ionosphere. They are
visible to optical instruments because the strong magnetic field inhibits the normal convection currents,
creating a cooler spot on the sun’s photosphere. The more sunspots the greater the levels of ionization.
The frequency required to make a link at the peak of the solar cycle may be double that required at
solar minimum.
1.2 PROPAGATION
There are three main ways that an HF radio transmission travels or propagates to its destination:
- The ground wave, as its name implies, travels parallel to the earth’s surface and has a relatively
short range. It may reach a short way over the horizon. Its range depends on two factors, the
frequency used and conductivity of the ground. Low frequencies and highly conductive ground or
seawater give the longest ground wave transmission distances. The terrain is also a factor. A high
ridge of non-conductive rock or ice will effectively block ground wave propagation.
- A direct wave is one that travels a ‘line of sight’ from the transmitter to the receiver. HF radio offers
line-of-sight propagation, but this mode is mostly used in VHF and UHF radios, wireless
data systems, and satellite communications. On the ground, the range of the direct wave is limited by
the height of the transmitting and receiving antennas.
- Sky wave transmission is the most common means of HF propagation, as it uses the ability of the
ionosphere to refract HF radio waves back to earth. Depending on the frequency and the electron
density of the ionosphere, the distance covered (skip) may be hundreds or even thousands of
kilometers. More on sky wave transmission below.
Earlier in this section the analogy of light refraction was given to illustrate the bending of radio waves
by the ionosphere. This analogy should be extended to understand that the degree of bending of the
radio wave is proportional to the frequency being used. Think of white light passing through a prism.
The degree of bending is different for each colour (frequency) and so we see the colours of the visible
spectrum. In a similar way, radio waves are bent differently according to their frequency.
An HF radio transmission that uses too low a frequency will be absorbed by the ionosphere and not
returned to earth. A frequency that is too high will only be bent a little as it passes through the ionosphere
and will go on into space and be lost. Between these extremes, there is a range of frequencies that will
be sufficiently refracted by the ionosphere so as to be returned to the earth’s surface at a distance from
the origin. The higher the frequency, the smaller the degree of bending and so the greater the
distance before the transmission returns to earth. This phenomenon results in the HF rule of thumb
number 1:
The longer the distance to be covered, the higher the frequency used
During the day, as the sun gets higher in the sky the level of solar radiation increases and so does the
electron density of the ionosphere. This higher density of electrons increases the refraction of radio
waves so that to reach a given distance in the middle of the day, a higher frequency is required than
during the night or early in the morning. This phenomenon results in the HF rule of thumb number 2:
Because the most useful layer of the ionosphere (F layer) is high in the upper reaches of the
atmosphere, there is usually a minimum practical distance (skip distance) before skywave communication
is possible. This minimum distance is almost always greater than the maximum possible distance
achievable by ground wave. This leaves a problem area between the end of ground wave
communication and the start of skywave communication. This zone of silence is called the skip zone
and is illustrated in figure 8.
1.4 MODULATION
Modulation refers to the addition of information (voice) to a signal carrier in the HF frequency band. One
can think of blanket waving as a form of modulation used in smoke signal transmission (the carrier
being a steady stream of smoke).
There are many types of modulation technique, and Amplitude Modulation (AM) is typically used at
HF-radio frequencies. In AM the amplitude or size of the constant frequency carrier varies with the voice or
other audio signal. The modulated carrier is transmitted to the receiving station where the changes in
amplitude are lifted from the carrier and the original audio is recovered.
Amplitude modulation, in its original form, suffers from some disadvantages. The first is that noise and
other interfering signals will affect the amplitude of the received signal, hence making this method of
transmission inherently noisier than other methods. This can make conversations over HF radio difficult
to understand for inexperienced operators. Another drawback of traditional AM transmission (such as
shortwave broadcasting) is that it requires significant transmit power (watts), which means expensive
and bulky transmitters. An AM signal is created by combining the audio signal and a carrier
in a device called a mixer. This produces two products, the carrier plus the audio band and the carrier
minus the audio band. These are called upper and lower sidebands (USB, LSB) as they lie above and
below the carrier in a frequency plot. In commercial broadcast radio, where there is ample power
available and where transmission distances are often short, simple AM is used. Because the same
information is sent on both sidebands, the two signals can be combined in the receiver, reducing the
effect of noise on one sideband.
HF radio refers to the band of frequencies between 3 MHz and 30 MHz, although modern radios transmit
between 1.6 MHz and 30 MHz and have an extended receiving range down to 250 kHz. The width of
an HF signal is 7 kHz (compared to 12.5 kHz for VHF or 20/80 MHz for 802.11 wifi). Radio transmissions
made in the HF band travel to their destination differently from other radio frequencies in that they a)
follow the earth curvature for some distance and b) can be reflected (refracted) in the earth’s
atmosphere, thereby extending range significantly.
For a practical HF network, the frequencies needed may be chosen by experience, they may be
imposed by the local telecommunications authorities, or they may be calculated. In every case it is
vitally important that radio operators comply with the laws of the country in which they operate.
With so many variables, one may be forgiven for thinking that finding the optimum frequency for a
communications link is difficult. This would certainly be the case if one made all the calculations by
hand. One would need to know great circle distances between stations, zenith angle of the sun, solar
flux prediction among other factors.
Fortunately, there are many computer programs which, given the geographical coordinates of the
locations and the solar flux or sunspot number, can calculate the optimum frequency for each hour of
the day. These programmes usually calculate the Maximum Usable Frequency (MUF) that will be
refracted back to earth for that distance and from that derive the optimum working frequency (OWF)
and the required take-off angle from the antenna. Some programmes calculate the differences in
propagation using different antennas and power levels. Our HF radio supplier can assist with obtaining
frequency predictions for multiple sites where the frequencies are chosen to accommodate the local
variations due to the solar cycle.
- ASAPS (http://www.ips.gov.au)
- VOACAP (http://www.voacap.com)
- ICEPAC (http://www.voacap.com)
- ACE-HF (http://www.acehf.com)
In addition, most HF radio suppliers will be able to provide guidance on HF network/frequency planning.
Once a suitable frequency combination has been obtained for the location (taking into account distances,
working hours, variability due to solar cycle, traffic loads, etc.), it then falls to the radio operator to select
the best frequency to communicate over a given link at a given time.
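The geometry behind such predictions can be sketched in a few lines. The following is an added example, not code from the handbook or from any of the programs listed above: it applies the secant law to a single hop off a thin layer at the 250 km F2 altitude quoted earlier. The sample critical frequencies, the 0.85 OWF factor and all function names are assumptions made for illustration.

```python
import math

EARTH_RADIUS_KM = 6371.0
F2_HEIGHT_KM = 250.0   # F2 altitude quoted in the handbook text
OWF_FACTOR = 0.85      # conventional planning margin below the MUF (assumption)

# Constructed critical frequencies (MHz, vertical incidence) for four times of
# day; real values come from ionosonde data or a prediction program.
SAMPLE_CRITICAL_MHZ = {"00:00": 4.0, "06:00": 5.0, "12:00": 9.0, "18:00": 7.0}


def max_hop_km(height_km=F2_HEIGHT_KM):
    """Longest single hop: the ray leaves the antenna along the horizon."""
    ratio = EARTH_RADIUS_KM / (EARTH_RADIUS_KM + height_km)
    return 2.0 * EARTH_RADIUS_KM * math.acos(ratio)


def incidence_angle(distance_km, height_km=F2_HEIGHT_KM):
    """Angle (radians) from the vertical at which a single-hop ray covering
    distance_km over a spherical earth meets a thin layer at height_km."""
    half_arc = distance_km / (2.0 * EARTH_RADIUS_KM)
    horizontal = EARTH_RADIUS_KM * math.sin(half_arc)
    vertical = height_km + EARTH_RADIUS_KM * (1.0 - math.cos(half_arc))
    return math.atan2(horizontal, vertical)


def takeoff_angle_deg(distance_km, height_km=F2_HEIGHT_KM):
    """Elevation above the horizon at which the antenna must radiate."""
    half_arc = distance_km / (2.0 * EARTH_RADIUS_KM)
    top = EARTH_RADIUS_KM + height_km
    return math.degrees(math.atan2(top * math.cos(half_arc) - EARTH_RADIUS_KM,
                                   top * math.sin(half_arc)))


def muf_mhz(critical_mhz, distance_km, height_km=F2_HEIGHT_KM):
    """Secant law: MUF = critical frequency / cos(incidence angle)."""
    if not 0.0 <= distance_km <= max_hop_km(height_km):
        raise ValueError("distance is outside single-hop range")
    return critical_mhz / math.cos(incidence_angle(distance_km, height_km))


def owf_mhz(critical_mhz, distance_km, height_km=F2_HEIGHT_KM):
    """Optimum working frequency, taken here as a fixed fraction of the MUF."""
    return OWF_FACTOR * muf_mhz(critical_mhz, distance_km, height_km)


def skip_distance_km(freq_mhz, critical_mhz, height_km=F2_HEIGHT_KM):
    """Shortest distance at which freq_mhz is still returned to earth.

    0.0   -> at or below the critical frequency, returned even straight up
    None  -> above the MUF of the longest hop, the wave is lost to space
    """
    if freq_mhz <= critical_mhz:
        return 0.0
    low, high = 0.0, max_hop_km(height_km)
    if freq_mhz > muf_mhz(critical_mhz, high, height_km):
        return None
    for _ in range(60):  # bisection: MUF grows steadily with distance
        mid = (low + high) / 2.0
        if muf_mhz(critical_mhz, mid, height_km) < freq_mhz:
            low = mid
        else:
            high = mid
    return high


def frequency_plan(distance_km, critical_by_hour=SAMPLE_CRITICAL_MHZ):
    """Return {hour: (MUF, OWF)} in MHz, rounded, for one link distance."""
    return {hour: (round(muf_mhz(fc, distance_km), 1),
                   round(owf_mhz(fc, distance_km), 1))
            for hour, fc in critical_by_hour.items()}


if __name__ == "__main__":
    for distance in (300, 1000, 2500):
        print(distance, "km, take-off",
              round(takeoff_angle_deg(distance), 1), "deg")
        for hour, (muf, owf) in frequency_plan(distance).items():
            print("  ", hour, "MUF", muf, "MHz  OWF", owf, "MHz")
    print("skip distance at 14 MHz, critical 7 MHz:",
          round(skip_distance_km(14.0, 7.0)), "km")
```

The output reproduces rule of thumb number 1 (the MUF rises with distance) and the skip zone: a frequency above the critical frequency is not returned closer than its skip distance. A thin-layer model ignores absorption, multi-hop paths and layer tilt, so it does not replace the prediction programs.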
Most modern radios, Codan included, offer an automatic link establishment (ALE) system. These
systems exchange information between radios to build a database of link quality information between
them and other radios in the network. This is then used when calling to select automatically the best
available frequency.
2.1 HF TRANSCEIVERS
The Codan Envoy X1 and X2 models are the current standard and the latest in the line of Codan HF
transceivers. The radios can be installed in an office (base) or in a vehicle (mobile). In addition to the
features of the previous generation of Codan radios (NGT series), the Envoy series integrates additions such
as IP compatibility, remote or USB flash drive configuration, a colour LCD screen with a modern
"mobile phone" type operating system and a multi-lingual user interface, while digital voice processors and
an improved noise filter enhance voice transmission quality. The interface of the software used to program
the Envoy radios (TPS) has changed significantly and was praised for its simplicity compared with the NGT's (NSP).
The Codan Envoy replaces the previous standard, known as Codan NGT series radios. The table below
compares features between Envoy and NGT series:
The Codan NGT series of radios have been part of the UN fleet of radios since 2001 and have proven
to be reliable, easy to use and easy to install. However the NGT is now coming towards its end of life
and is being replaced by the Envoy. There were 2 models of NGT radios, both of which could be
installed as base or in a vehicle:
2.2 HF ANTENNAS
The antenna and its corresponding transmission line (typically a coaxial cable) are arguably the most
important components of a radio system. Through the antenna and transmission line we seek to ensure
that as much as possible of the transmit signal is converted into radiating energy; and in reception the
antenna has to pick up as much as possible of the often extremely weak receive signal (while avoiding
noise and interference). It is therefore essential that both antennas and transmission lines are adequate
and appropriate to the system, power and frequencies we seek to operate on.
Various antennas exist for different types of stations, radiation-pattern needs, etc. Typically a simple
single-frequency antenna - or half-wave dipole antenna - is only useful for a very limited frequency
span, for which it is in tune and presents the characteristic impedance to the coax/radio (i.e. 50 Ohms
in our case).
The half-wave dipole is therefore the simplest antenna available but also a very good antenna – if one
is operating on one channel/frequency only. This antenna resonates at a certain frequency and cannot be
used (efficiently) much above or below this resonating frequency. A 5 MHz dipole is therefore only useful
for a small deviation around 5 MHz – it cannot be used (efficiently) at 10 or 15 MHz. However, as a
station often uses five or ten different frequencies, it would be impractical to have 5-10 such dipole
antennas.
Figure 13 - Simple frequency antenna
A compromise antenna is the so-called broadband-dipole antenna. This is constructed to give a near
overall resonance from, for instance, 5 to 30 MHz and can be used at all frequencies in-between. These
antennas therefore cover large parts of the HF-radio spectrum with relatively good efficiency. They are not the
“best” antennas but good compromises. Codan’s kits come standard with such antennas. They can be
mounted horizontally, for best range/directivity, or as inverted-V, for more omnidirectional
operation/less gain.
Antennas are often on the tallest part of a building or mast and as such are prone to lightning strikes.
Such strikes can easily follow the transmission line down to the radio and destroy it (possibly with all
other equipment in the radio-room!) if it is not properly protected and grounded. Lightning protection and
grounding are therefore an essential component of building a radio station, and the installer, unless an
expert himself, should seek advice and guidelines. As a very minimum, an in-line protector should be
inserted on the transmission line (coaxial) where this enters the building. This in-line protector should be well
and have a separate ground, to allow high-
Figure 15 - In-line Coaxial Surge Protector
Mobile antennas are different from the base station antennas mentioned above. Their small dimensions
do not allow them to resonate in the same way as a half-wave or a broadband dipole antenna. Instead an
internal tuning mechanism (a coil that is mechanically tuned) adjusts the “electronic length” of the
radiating element until this is in tune (i.e. has the characteristic impedance) for a specific frequency. The
efficiency of this antenna, with its small dimensions, is significantly reduced compared to fixed antennas.
Another characteristic of mobile antennas is that these are (nearly) always vertical antennas, meaning
that they transmit and receive equally well in most directions (the car chassis has some effect though).
This is however not the case when the mobile antenna is used with an NVIS add-on. In this case the antenna
transmits with most power upwards, to allow for short-range skywave reflection and improved skip-zone
performance. An NVIS add-on is recommended in operations with mountainous terrain and shorter
distances.
Figure 16 - Mobile Antennas
The cable is responsible for ensuring the signal is transmitted with minimum loss between the antenna
and the transceiver. As these cables can often be tens of meters long, the quality, impedance and
condition of the cable are crucial. Codan standard antenna kits come with a 30 meter RG-58 coaxial cable.
This type of cable is thin (~5mm) and therefore easy to install while offering a good compromise in terms
of power transfer. For systems with antennas more than 30 meters away, thicker cables such as the
~10mm RG-213 coaxial must be used.
Figure 17 – RG213 vs RG58
Two errors often made when installing cables are a) letting the cable hang with its full weight on the
connector at the antenna, causing too much stress on the connector, and b) bending the cable too much, such as
letting the cable hang over a window sill. Use a cable stress-reliever where it has to hang over long
distances and always allow the cable to run smoothly and with ample diameter in curves. Consider
additional support, such as a plastic tube cut in half, where the cable runs over a sharp bend. Also
avoid tightening cable-ties too hard as this can affect impedance.
Coaxial cables are very different from other “electric” cables. The distance between the different
elements of the cable (inner conductor, shield) is crucial and any change in these parameters will affect
the cable's impedance and create SWR, heat and loss. It is therefore nearly impossible to properly repair
a coaxial cable. If a cable shows cuts or other damage, always substitute the entire cable. If the cable
needs to be shortened because of too much loss, crimping guidelines for coaxial cable are available in
the VSAT chapter; make sure the proper connectors are used.
Another important factor is the impedance; transceiver outputs/inputs in HF (and most other radio
systems) typically have a characteristic impedance of 50 Ohms (there are systems that use 75 or 300
Ohms but these are rare). To ensure transmission of maximum power between transceiver and air,
there has to be impedance matching between all elements, i.e. transmission line (cable), antenna and
transceiver all have to have an impedance of – or close to – 50 Ohms. If we do not have impedance
matching, some of the output (and input) power will be reflected back to its origin, with less efficiency
and loss of power being transferred to and from the air.
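How much power a mismatch costs can be worked out from the load impedance alone. The following is an added example, not code from the handbook or from Codan: it computes the reflection coefficient, VSWR and reflected power for loads attached to the 50 Ohm system described above, including the 75 and 300 Ohm cases the text mentions. The reactive sample load, the 100 W meter readings and all function names are assumptions made for illustration.

```python
import math

Z0_OHMS = 50.0  # characteristic impedance of transceiver and coax, per the text

# Constructed sample loads (Ohms). The complex entry stands for an antenna
# operated away from resonance, where its impedance becomes partly reactive.
SAMPLE_LOADS = {
    "matched 50 Ohm antenna": 50,
    "75 Ohm system": 75,
    "300 Ohm system": 300,
    "off-resonance antenna (50 - j50)": complex(50, -50),
    "short circuit (damaged cable)": 0,
}


def reflection_coefficient(load, z0=Z0_OHMS):
    """Complex ratio of reflected to forward voltage at the load."""
    load = complex(load)
    if load.real < 0:
        raise ValueError("a passive load cannot have negative resistance")
    return (load - z0) / (load + z0)


def reflected_fraction(load, z0=Z0_OHMS):
    """Share of the forward power that is sent back towards the transceiver."""
    return abs(reflection_coefficient(load, z0)) ** 2


def vswr(load, z0=Z0_OHMS):
    """Voltage standing wave ratio; 1.0 is a perfect match."""
    gamma = abs(reflection_coefficient(load, z0))
    return math.inf if gamma >= 1.0 else (1.0 + gamma) / (1.0 - gamma)


def mismatch_loss_db(load, z0=Z0_OHMS):
    """Power lost to reflection, in dB, relative to a perfect match."""
    delivered = 1.0 - reflected_fraction(load, z0)
    return math.inf if delivered <= 0.0 else -10.0 * math.log10(delivered)


def vswr_from_power(forward_w, reflected_w):
    """VSWR from the forward and reflected readings of an in-line power meter."""
    if forward_w <= 0 or not 0 <= reflected_w <= forward_w:
        raise ValueError("need forward > 0 and 0 <= reflected <= forward")
    gamma = math.sqrt(reflected_w / forward_w)
    return math.inf if gamma >= 1.0 else (1.0 + gamma) / (1.0 - gamma)


def mismatch_report(loads=SAMPLE_LOADS, forward_w=100.0):
    """Return {name: (VSWR, watts reflected)} for a given forward power."""
    return {name: (vswr(load), forward_w * reflected_fraction(load))
            for name, load in loads.items()}


if __name__ == "__main__":
    for name, (ratio, lost_w) in mismatch_report().items():
        print(f"{name:35s} VSWR {ratio:6.2f}   reflected {lost_w:5.1f} W of 100 W")
    print("meter reads 100 W forward, 4 W reflected -> VSWR",
          round(vswr_from_power(100.0, 4.0), 2))
```

The figures cover the mismatch at the load only; attenuation in the coaxial cable itself is not modelled.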
a. Checking the equipment. Although Codan equipment is very resistant, damage during shipping can
always happen. Special attention should be paid if the equipment is not being shipped in its original
factory packing, as can happen in an emergency. Indeed it is common practice to rush equipment
from a neighbouring country by any means of transportation.
The most vulnerable parts of the equipment are the cable connectors, which are partially made out of
plastic, and can be broken (therefore exposing and possibly bending the pins) during shipping. Other
vulnerable parts requiring special care are the heavy power supply units (PSU).
If the original packing material for the Codan equipment is not available before shipping, it is good
practice to protect all units well and to wrap the connectors in bubble packing material. Also make sure
the connectors are not left underneath heavy equipment that could possibly crush them.
Another crucial detail to consider before sending/receiving the equipment is to make sure the PSU will
match the power requirements of the receiving country. This applies not only to Codan devices but also
to any emergency telecoms device; a frequent mistake is to order a 220VAC power supply for a country
relying on a 110VAC nationwide standard and a different AC wall plug. Codan equipment uses 12V DC
as standard; however, the PSU providing that voltage can be configured for either 220VAC or 110VAC.
In an emergency scenario, this detail is often neglected and could lead to irreversible damage to the
radio.
Once the equipment is received, make sure the inventory is complete with all following items:
Note: when using the Desk Console Unit, the seven pin male connector from the handset connects to
the back of the Desk Console Unit as seen in the pictures below, and not to the handset and speaker
connector.
► Refer to the “mobile VHF and HF installation manual.pdf” and “Codan vehicle installation.pdf” files
in the HF documentation for the detailed information on how to install the radio in following vehicles:
- Land Cruiser Station Wagon
- Toyota Hilux
- Land Cruiser Prado
NSP, the NGT System Programmer, is a software program used to modify, via a serial
port, the settings (channels, modes, networks, station addresses, control settings…) of any
software-configurable NGT series equipment, including the SRx series. This is the software
used by anyone required to configure or reconfigure a transceiver’s information, for example
Codan agents or field service personnel.
The radio and computer are connected with Codan’s NGT software interface
cable and a serial to USB converter (at the time of this publication, laptops no
longer have built-in serial ports, therefore a converter is required). On one side the normal
Serial DB9 Port female connector connects to the USB to serial converter while on
the other side, the stereo audio plug connects to the handset (lift the rubber cover
and plug in the connector).
IMPORTANT: NSP software has been designed to work with COM Ports 1 to 10. If the Serial to USB
interface defaults to a port outside the 1 to 10 range, manually change the port number
allocated to the converter (indications next page).
Configure NSP to access the radio: back in the preference menu, make sure of the following:
1. The transceiver type is correctly selected with the Codan model being configured (here SRx) and the
“Prompt for… profile” option is ticked.
2. In the List Processing tab, the option “Allow selection of lists before processing” is ticked and
correct lists are selected.
3. In the General tab, the option “Enable toolbar” is selected.
4. In the Access right tab, make sure the correct options are ticked
This chapter details the necessary steps to program a Codan NGT SRx model based on the standard
parameters implemented in UN HF networks. The recommended programming sequence is as
follows:
a. Profile
b. Channel List
c. Networks
d. Addresses
e. Control List
f. Write
a. Introducing profiles.
A profile is a file containing all user-definable settings that control a transceiver system. The settings
are organized into lists within the profile. A basic transceiver profile contains the Channel, Network,
Phone Link, Address, Control, Keypad, and Mode information. In order to achieve the programming of
the Codan device, each list must be duly completed with all the necessary information. A profile can be
saved anytime to the hard drive and can be used as a template to program different Codan units.
A channel (ex: ICRC1, UN Ch 1…) is a name given to a frequency or pair of frequencies within the HF
range. As described in Chapter 1.1, each channel has one or more modes associated with it, indicating
which sideband can be used with the channel (USB and/or LSB)
2. Enter the channel names, RX and TX frequencies as per UN country network standards. Use the TAB
key to advance to the next column.
3. Make sure the appropriate USB/LSB is marked at the Allowed Modes drop down list based on the
country HF network
A network is a group of stations sharing channels, a calling system and other characteristics. A direct
field application could be an agency network communicating exclusively with the agency’s
vehicles/bases and a second network used to communicate for security purposes with UNDSS (or other).
Networks that use the UN selcall call structure make calls by entering the address of the remote station
and then by selecting the appropriate channel (frequency + mode). The transceiver can also be set to
scan the channel used by the network to detect incoming calls. It is therefore recommended that when
the transceiver is not used to communicate, the scanning function is switched on.
The Codan Automated Link Management (CALM) is a function that automates the selection of
channels. It enables the transceiver to test the signal propagation qualities of the channel and build a
profile for each channel’s suitability for use at different times of the day and night. The transceiver can
then automatically select the most suitable channel/mode when a call is made. This function is
particularly suitable in countries with many different HF frequencies allocated and is also recommended
for use in an inter-agency project where humanitarian organizations would share their frequencies.
d. Pre-defining Addresses.
The Address List acts as a personal address book: it stores the names and addresses of stations the
user often calls. For example, a station is called O mob 1 and has a “GP” (Get Position) Call Type.
This address, when selected, automatically generates a call on the assigned channel asking the remote
radio to return its GPS position every (GP request). Note that in such a case, the GPS option must be
enabled on the radio and a compatible GPS connected. Similarly, one can create an entry in the address
list to call the base with predefined channels in the day or night. The following are the required
parameters for the vehicle mentioned earlier:
1. Go to View, Addresses
4. Enter the selcall ID (if applicable)
5. Define which network, channel and mode should the radio automatically use when selecting this
address
► Refer to the Codan NGT SRx Reference Manual located on the flashdrive for further information on
the different call types available.
e. Control Lists
The last step is to configure the transceiver with the Control List. The Control List stores the settings
that control the operation of the transceiver, such as the unit self-ID, a power-up password, the time and
date. One can also find more advanced configuration settings such as the frequency range, the output
power, TDM mode, etc… Most of these settings, however, are usually configured by a system
administrator and it is advised not to change them. Without the admin password, most of the parameters
won’t be visible.
1. Go to View, Controls
The special #$! LM-AO command will restrict normal users’ access to the List Manager via the
Handset. AO means that this function is “Administrator’s Only” selectable.
This step is straightforward once one has completed the profile. Click on File, Program Transceiver:
2. Make sure all items but the modes are selected and press Program.
3. Wait for the progress bar to be at 100%.
4. Press OK once the operation is finished
Turn off the radio and on again by using the Headset Power Button, to make sure it starts up with the
new programming in place.
Although Codan equipment is very resistant, damage during shipping can always happen. Special
attention should be taken if the equipment is not being shipped in its original factory packing, as it could
happen in an emergency. Indeed it is common practice to rush equipment from a neighbouring country
by any means of transportation.
The most vulnerable parts of the equipment are the cable connectors, which are partially made out of
plastic, and can be broken (therefore exposing and possibly bending the pins) during shipping.
If the original packing material for the Codan equipment is not available before shipping, it is good
practice to protect all units and to wrap the connectors in bubble wrap packing material. Also make sure
the connectors are not left underneath heavy equipment that could possibly crush them.
AC Power Supplies: All Codan equipment requires 12VDC to operate. To obtain the 12VDC required,
a Power Supply is used to convert AC mains power to DC.
3020 Power Supply: The 3020 power supply is a switch mode power supply (SMPS) which operates
on AC voltages from 90 to 250VAC. Ensure the AC mains cable suits the country.
Once the equipment is received, make sure the inventory is complete with all following items:
► For detailed mobile installation guidelines, refer to the “mobile VHF and HF installation manual.pdf”
and “Codan vehicle installation.pdf” files in the HF documentation, which explain how
to install the radio in the following vehicles:
TPS is a Windows-only program that enables administrators to modify, via a USB port, the settings
(channels, modes, scan tables, HF networks, station addresses, control settings…) of any software
defined Envoy series HF transceiver. This is the software used by anyone required to configure or
reconfigure a transceiver’s information, for example Codan agents or field service personnel.
Connect the Codan handset or desktop microphone to a computer using the USB cable and turn on
the radio.
This chapter details the necessary steps to program a Codan Envoy based on the standard parameters
implemented in UN HF networks. The programming sequence is similar to the Codan NGT series:
a. Profile
b. Channel List
c. Scan Table
d. Networks
e. Contacts
f. Settings
Before proceeding, ensure the Envoy is reachable by clicking the auto-connect icon and that the
correct model (X1/X2) is selected as the transceiver type. The Envoy uses IPv4 addresses to connect the
TPS software to the Handset or RF Unit. The default IP addresses are listed in the table below; enter the
CP IP address in the IP address field and press connect, or alternatively select “auto-Connect” to display
a list of accessible devices:
A profile, or codeplug, is a file containing all user-definable settings that control a transceiver system.
The settings are organized into lists within the profile. A basic transceiver profile contains Channel,
Scan Table, HF Network, Contact, Setting, Macro, and Customise information. In order to achieve the
programming of the Codan device, each list must be duly completed with all the necessary information.
A profile can be saved anytime to the hard drive and can be used as a template to program different
Codan units.
A channel (ex: ICRC1, UN Ch 1…) is a name given to a frequency or pair of frequencies within the HF
range. As described in Chapter 1.1, each channel has one or more modes associated with it, indicating
which sideband can be used with the channel (USB and/or LSB)
1. Go to Channels Tab
2. Enter the channel names, Tx and Rx frequencies as per UN country HF network. Use the TAB key to
advance to the next column.
3. Make sure the correct mode(s) is marked at the Allowed Modes drop down list according to the
country HF network.
A scan table is a group of channels used to either make an outgoing call or listen for an incoming call.
d. Creating an HF Network
The HF Network sets the calling system and self-address to be used with a Scan Table. There can be
multiple HF Networks and, therefore, multiple self-addresses per Envoy
2. HF Network Name
4. Enter the Self Address
The Contacts List acts as a personal address book: it stores the names and addresses of stations the
user often calls.
1. Go to Contacts tab
This is the last step to configure the transceiver. The Peripheral contains various selections for the
external connectors i.e. Antenna, RFU 15way & RFU 6way. Ensure the correct antenna type is selected
i.e. BB, 9350, 3040 etc. The Settings list stores control parameters for the operation of the transceiver,
such as the Admin PIN, time and date and Status Areas. Users can also find more
advanced configuration settings such as the frequency format, language, output
power, etc… Most of these settings however, are usually configured by a system
administrator and it is advised not to change them. Without the admin password,
most of the parameters won’t be visible. To continue select the Admin and
Advanced buttons.
Welcome Text, Time & Date, Status Area & Admin PIN settings
4. Select the Configuration tab then enter the Admin PIN as ‘2222’
Entering an Admin PIN will prevent users from modifying the parameters from TPS or the handset.
g. Saving the profile. Finally save the profile by clicking on the icon at the top and select Save
As. Provide a name for the profile and save it. This completes the profile and it can be used to program
the Envoy Radio. Profiles with an Admin PIN set will require the TPS user to enter the PIN before
viewing or editing the profile is allowed.
Ensure the Envoy to be programmed is ‘connected’ . Correct connection will display a ‘TPS Connected’
popup window on the Envoy handset.
Also the TPS button will change to
Use the Program Transceiver window to select what parameters should be programmed in to the Envoy
e.g. if changes have been made to Channel Names then only select Channels and Modes from the list.
Press the Program button. If the PIN window is displayed, enter the Admin PIN before the Envoy can
be programmed. Press OK to continue.
The radio will then request a restart, done by pressing the Handset Power Button. This is to ensure the
Envoy starts up with the new programming parameters in place.
As configured in TPS, the welcome text “UNICEF [Call Sign]” should be displayed on the handset
screen when turning on the equipment. If a Welcome Image was also programmed this will be displayed
before the Welcome Text. Since the radio was programmed to scan the Network, it will automatically
start scanning.
- Apply changes to the profile saved on the hard drive using TPS and program the radio.
- Read the profile from the radio, modify it and program again. If an Admin PIN has been set TPS
will prompt you for the PIN before reading the profile from the radio.
1. To make a call, press the Call button, either on the handset unit or the desk console.
2. The Handset should prompt for the HF Network to be used. Select UNICEF and press OK.
3. Using the left and right arrow buttons make sure the Call Type is set for Selective
4. Enter the selcall ID of the radio to be called. Then press Call
5. Select the channel to make the call on. Press Call to call the radio.
6. The call will be sent to the remote radio using Open Selcall.
If the dialed radio is reached, an acknowledgment return sound called a revertive is heard on the
transceiver. On the remote radio, a call in progress sound is heard. The receiving operator only has to
press the PTT button and start talking to respond to the call.
CHAPTER 3
VERY / ULTRA HIGH FREQUENCY (VHF/UHF)
Very High Frequency (VHF) and Ultra High Frequency (UHF) bands cover the range of 30-300MHz and
300-3000 MHz, respectively. Within these ranges, commercial two-way radios operate in 146-174MHz
(VHF) and 403-470MHz (UHF).
VHF and UHF communications are primarily used for local communications related to security and/or
for operations. Typically UN agencies (and often NGOs) share a common infrastructure (network of
repeaters; common channels) and radio-rooms, where operators make the daily or weekly security
checks and monitor all vehicle movements.
The UN standardizes on Motorola GP/GM series (analogue radios) and – as of 2014 - Motorola
Mototrbo DP/DM series (digital radios).
Scope of this chapter: This handbook provides information directly applicable to the UN standard
Motorola equipment used in emergencies: handhelds, mobile and base stations. Programming of
repeaters for example is not covered; although repeaters are maintained by UNICEF in some cases,
most of the time these are installed by WFP or UNDSS. Similarly this handbook does not include
information about designing and configuring VHF equipment for digital communications, therefore
guidelines for the Mototrbo equipment focus on operating in analogue mode only.
1.1 COVERAGE
The actual range of a VHF (or UHF) network will depend on many factors, including: man-made or
natural obstructions (buildings, mountains); transmit power; sensitivity of receiver; height, type and
quality of antennas; antenna cable quality and length; etc. VHF and UHF max range is determined by
Line-of-Sight (LOS), i.e. if there is an obstruction between sender and receiver the signal will be
interrupted, causing lack of communication.
Power and antenna size are also significant factors: portables, as they have little power (4-5 Watt) and
small antennas, can only communicate over a couple of kilometers, while mobiles and base stations
(typ. with 25 Watts and bigger antennas) may be able to reach each other over tens of kilometers. A
theoretical (ideal) distance guide for VHF would be as follows:
1.2 PROPAGATION
VHF typically offers a better range than UHF in suburban/rural areas, whereas UHF typically offers
better coverage in city-environments (the UHF signal bounces and reflects off buildings and reaches
further). Ultimately, however, the band to be used will depend on what the local telecom authorities
make available. In UN networks, probably 95% of networks operate on VHF.
1.3 CHANNELS
VHF and UHF radios typically use 2 types of channels, simplex or (semi-)duplex:
- A simplex channel radio system transmits and receives on one single frequency. Simplex is used
when no repeater is available, or to communicate directly between two or more users where users
are close to one another and to avoid using repeater-space. Since VHF radio signals are generally
limited to line-of-sight, range is short.
- When using repeaters, these are said to work on a full duplex channel, i.e. the repeater receives
and transmits at the same time (and often using one shared antenna). This is possible because the
receive frequency (“input”) and transmit frequency (“output”) are separated (typ 3-5MHz), thus
avoiding that the strong output signal goes straight into the sensitive receiver (in addition, strong
filtering is employed). The radio (for instance a hand-held) operating over a repeater channel is
said to be operating in semi-duplex, i.e. it uses two separate frequencies for Tx and Rx, but can
only receive or transmit at a given time (not simultaneously).
- Repeaters are usually placed on a mountain (where available/accessible), on top of tall buildings
or on large towers/masts to increase the range. Due to their importance in the network, repeaters
are typically powered by non-interruptible power supplies, such as generators, solar panels and
batteries.
A radio is always part of a network with two or more radios which operate on the same
frequencies/channels in the same geographical area. Networks can have multiple channels: an
interagency calling or security channel, a dedicated agency repeater (duplex) channel, and a dedicated
agency simplex (no repeater) channel. Individual channels can be configured for simplex or duplex use,
according to the requirements and coverage required.
1.5 SIGNALING
Similarly to the Internet Protocol headers, radio networks can use signaling to transfer information other
than the voice communication. This functionality can be used to improve privacy, limit interferences,
identify the caller, remotely disable or enable a radio… There are two types of signaling used in standard
UN analogue VHF/UHF networks: Select 5 and PL/DPL.
PL (Private Line) or DPL (Digital Private Line) signaling are used both for network privacy and to avoid
interference with other networks that may transmit on the same frequency. PL uses sub-audible tones
(below about 250 Hz) to carry the selection information. These are transmitted in addition to the normal
voice channel, but as they appear below the audio range passed by most mobile radios (roughly 300-
3000Hz), they are filtered out and therefore not heard. Only when the correct tone is transmitted will the
receiver be opened and the transmitted audio will be heard. Whereas PL is purely analogue, DPL is a
square wave signal (0’s and 1’s).
Using PL or DPL in a network helps eliminate disruptive conversations and interference from other
networks who may be sharing radio frequencies. This also creates privacy by only allowing calls that
have the network’s specific PL or DPL code. In other words; even if a neighboring radio transmits on
the same frequency but uses another PL or DPL code, the receiver will not open. All radios in the same
channel must have the same PL or DPL code in order to be able to communicate – this includes also
the repeater station.
“PL encoding” refers to radios transmitting their tone code whenever the transmit button is pressed.
The ability of a receiver to mute the audio until it detects a carrier with the correct PL/DPL tone is called
“decoding”. There are as many as 50 PL tone codes, ranging from 67 to 257 Hz, identified with a 2-digit
code, for example:
PL XZ WZ XA WA XB WB YZ YA YB ZZ ZA ZB
Hz 67 69.3 71.9 74.4 77 79.7 82.5 85.4 88.5 91.5 94.8 97.4
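The PL decode behaviour described above, as an added Python example (not code from this handbook or from Motorola): a Goertzel detector measures the sub-audible tone and opens the loudspeaker only when it matches the configured code, while a receiver with decode disabled opens for every transmission on the frequency. The tone table is the one printed above; the sample rate, amplitudes, threshold and the 1 kHz tone standing in for voice are assumptions.

```python
import math

SAMPLE_RATE = 8000   # Hz; assumed audio sample rate
THRESHOLD = 0.005    # assumed minimum normalised tone power to count as "present"

# PL codes and tones (Hz) as printed in the handbook's table above.
PL_TONES = {
    "XZ": 67.0, "WZ": 69.3, "XA": 71.9, "WA": 74.4, "XB": 77.0, "WB": 79.7,
    "YZ": 82.5, "YA": 85.4, "YB": 88.5, "ZZ": 91.5, "ZA": 94.8, "ZB": 97.4,
}


def transmit(pl_code, seconds=1.0, voice_hz=1000.0):
    """Constructed test signal: a 1 kHz tone standing in for voice, plus the
    sub-audible PL tone when the transmitter has PL encoding enabled."""
    pl_hz = PL_TONES[pl_code] if pl_code else None
    samples = []
    for i in range(int(SAMPLE_RATE * seconds)):
        t = i / SAMPLE_RATE
        s = 0.6 * math.sin(2 * math.pi * voice_hz * t)
        if pl_hz:
            s += 0.15 * math.sin(2 * math.pi * pl_hz * t)
        samples.append(s)
    return samples


def goertzel_power(samples, freq):
    """Power at a single frequency (Goertzel algorithm), normalised so that a
    sine of amplitude A at `freq` yields roughly A squared."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return power / (len(samples) / 2) ** 2


def detect_pl(samples):
    """Return the PL code whose tone carries the most power, or None when no
    tone in the table reaches the threshold."""
    powers = {code: goertzel_power(samples, hz) for code, hz in PL_TONES.items()}
    best = max(powers, key=powers.get)
    return best if powers[best] >= THRESHOLD else None


def speaker_opens(samples, decode_pl):
    """decode_pl=None models a receiver with PL decode disabled: it opens for
    any received transmission. Otherwise the tone must match the code."""
    if decode_pl is None:
        return True
    return detect_pl(samples) == decode_pl


def demo():
    """Three constructed transmissions heard by two receiver configurations."""
    traffic = {"own network (YB)": "YB", "neighbour (ZA)": "ZA", "no PL": None}
    receivers = {"decode YB": "YB", "decode disabled": None}
    return {(rx, tx): speaker_opens(transmit(code), dec)
            for rx, dec in receivers.items()
            for tx, code in traffic.items()}


if __name__ == "__main__":
    for (rx, tx), opened in demo().items():
        print(f"{rx:16s} <- {tx:18s} speaker {'OPEN' if opened else 'muted'}")
```

The receiver set to decode YB stays muted for the neighbouring network, but the same audio is heard in full by the receiver with decode disabled: the code gates the loudspeaker and does not conceal the transmission.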
Traditionally, to identify users in a network, each user is assigned a dedicated verbal call-sign (refer to
Point 3 – UN Call-Sign and Sel-Call standards). If the user had the radio switched on with a sufficient
audio volume, others would get in touch using a verbal call sign protocol. The weakness of this system
is that all users have to constantly monitor all the traffic on the channel, waiting to hear their own call
sign. This can be a challenge to anyone’s patience and creates the risk of users turning down their
volumes, or even switching off their radios.
Signaling can again be used to address this problem. For example, a radio can transmit a specific
code that is targeted – and decoded - only by one radio, or a specific group of radios. In this system, all
radios in the network can keep the audio volume turned down and still be reachable whenever required.
When the code is received, the radio will open its loudspeaker and “ring”, inviting the user to increase
the volume and respond to the call.
In addition to selective calling, Select 5 signaling can be used for the following functionalities:
- Caller ID and Call Back displays the identity code of the caller enabling easy call back.
- Group Call allows a user to selectively call a dedicated group of radio users, allowing for instance
specific teams to communicate with each other without disturbing others.
- PTT ID identifies the radio that is transmitting and thus discourages inappropriate use of a radio.
- Auto-acknowledgement provides for a called radio automatically to send back its ID; an automatic
radio “handshake” and confirmation that the message was received.
- Kill Mode (Stun/Unstun) provides a way to prevent unauthorized use of a stolen radio by disabling,
and re-enabling the radio.
- Emergency Alarm sends a priority message silently from a radio to the network control base station
(typically the UNICEF radio room and the Security Officer) allowing security personnel to quickly
track a person in danger and take necessary action.
- Lone Worker facility allows the radio to be programmed to issue an Emergency call if the radio
hasn’t been activated for a predefined period of time. Typically it is used for making certain that a
lone worker, for example a night guard has his radio switched on, and is awake/that nothing has
happened to him.
In 2014, the Inter-Agency community determined a new standard for VHF radios: Motorola Mototrbo.
Mototrbo radios operate with a protocol known as DMR (Digital Mobile Radio), which brings significant
enhancements to the previous PMR standard (Portable Mobile Radio):
Repeater Modes
Depending on the geographical area to cover (number of sites) and the size of the network (number of
users and traffic), repeaters can be installed in the following 5 modes:
IP Site Connect allows radios to extend conventional communication beyond the reach of a single
site, by connecting to different available sites which are connected via an Internet Protocol (IP)
network. When the radio moves out of range from one site and into the range of another, it connects
to the new site's repeater to send or receive calls/data transmissions. Depending on your settings,
this is done automatically or manually. If the radio is set to do this automatically, it scans through
all available sites when the signal from the current site is weak or when the radio is unable to detect
any signal from the current site. It then locks on to the repeater with the strongest Received Signal
Strength Indicator (RSSI) value. In a manual site search, the radio searches for the next site in the
roam list that is currently in range (but which may not have the strongest signal) and locks on to it.
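The two site-search behaviours described above, as an added Python example (not Motorola's implementation and not code from this handbook). The RSSI thresholds, the site names and the drive trace are constructed assumptions.

```python
WEAK_DBM = -100.0    # assumed: below this the current site counts as "weak"
FLOOR_DBM = -120.0   # assumed: below this no signal is detected at all


class RoamingRadio:
    def __init__(self, roam_list, current):
        self.roam_list = list(roam_list)
        self.current = current

    def _in_range(self, rssi, site):
        return rssi.get(site, float("-inf")) >= FLOOR_DBM

    def auto_roam(self, rssi):
        """Automatic search: act only when the current site is weak or not
        detected, then scan every site and lock on to the strongest RSSI."""
        if rssi.get(self.current, float("-inf")) >= WEAK_DBM:
            return self.current
        candidates = [s for s in self.roam_list if self._in_range(rssi, s)]
        if candidates:
            self.current = max(candidates, key=lambda s: rssi[s])
        return self.current

    def manual_search(self, rssi):
        """Manual search: lock on to the next site in the roam list that is in
        range, even if another site is stronger."""
        start = self.roam_list.index(self.current)
        for k in range(1, len(self.roam_list)):
            site = self.roam_list[(start + k) % len(self.roam_list)]
            if self._in_range(rssi, site):
                self.current = site
                break
        return self.current


# Constructed RSSI readings (dBm) for a vehicle driving from site A past B to C.
TRACE = [
    {"A": -70,  "B": -115, "C": -130},
    {"A": -95,  "B": -90,  "C": -125},   # B is stronger, but A is not yet weak
    {"A": -105, "B": -85,  "C": -110},   # A is weak: scan, strongest is B
    {"A": -125, "B": -98,  "C": -92},    # B still above the weak threshold
    {"A": -130, "B": -112, "C": -80},    # B is weak: scan, strongest is C
]


def drive(radio, trace):
    """Site the radio is locked to after each reading, using automatic roaming."""
    return [radio.auto_roam(reading) for reading in trace]


if __name__ == "__main__":
    print("automatic:", drive(RoamingRadio(["A", "C", "B"], "A"), TRACE))
    manual = RoamingRadio(["A", "C", "B"], "A")
    print("manual at third reading:", manual.manual_search(TRACE[2]))
```

With the roam list ordered A, C, B, the manual search at the third reading locks on to C at -110 dBm although B is at -85 dBm, while the automatic search picks B.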
[Figure: IP Site Connect. Repeaters at Locations A, B and C, each serving a digital VHF network with
Channels 1 to 6, connected by IP links.]
2 HARDWARE STANDARDS
Listed below are the standard analogue and digital mobile and base stations recommended for
UN/UNICEF emergency communication systems and/or operations. Models exist for VHF (136-
174MHz) or UHF (403-470MHz) distinctively (determining the is required when procuring) and are
compatible with the DMR technology and PL/DPL signaling:
When selecting models it is important to take into consideration not only the current needs but also
eventual future network changes. Example: If the network is expected to be upgraded to GPS tracking
in for instance two years, it would make sense to purchase radios with GPS already enabled or with
GPS option.
It is highly recommended that field offices seek the advice of the regional ICT and/or HQ technical units
before procuring equipment. The following tables have been created to help offices in procuring
handheld equipment:
DP4801 645
DP3361 545
DP2600 510
DP3441 490
SL1600 315
Notes:
- DP4801e uses programming cable (PMKN4012)
The following tables have been created to help offices in procuring mobile equipment:
Kit, with $ cost for VHF / UHF (table columns: Digital (DMR), PL/DPL, Select V, Voice, Text, GPS,
Bluetooth, IPSC, Capacity Plus, Connect Plus, LCP):
DM4601: 624.46 / 611.70
DM4401: 799.34 / 786.60
DM4400: 541.96 / 529.20
Notes:
- DM4801e and DM4401e can be procured with the “remote mount” option, allowing the
transceiver unit to be hidden.
- DM4601e, DM4401e and DP4400e use the same programming cable (PMLN6404)
The following tables have been created to help offices in procuring base equipment:
Kit, with $ cost for VHF / UHF (table columns: Digital (DMR), PL/DPL, Select V, Voice, Text, GPS,
Bluetooth, IPSC, Capacity Plus, Connect Plus, LCP):
DM4601: 1,507 / 1,315
DM4401: 1,425 / 1,232
DM4400: 1,375 / 1,183
2.2 REPEATERS
2.3 ANTENNAS
The antenna is a device which converts the electric power transmitted by the radio into radio waves,
and vice versa. A good antenna is one of the most valuable assets to increase transmitting range,
enhance reception of weak signals and reduce interferences. All VHF equipment (handhelds,
mobiles/bases, repeaters) use antennas for both the transmit and receive signals. Motorola antennas
are generally of a high performance, durable, and very efficient but yet fragile (never grab a handset by
its antenna). On the other hand, when properly installed and maintained they can last from 10 to 25
years.
There are various types of antennas based on the application, all of them vary depending on the
frequency used. Before procuring the antenna, always communicate the intended frequency to the
reseller!
► Refer to the Vehicles installation Guides (Nissan/Toyota) in the flash drive for additional guidance
3.4 ANTENNAS
This manual explains how to develop and program Motorola GM/GP series radios, using “select V”, a
5-tones tone-calling and unique identification system.
VHF radios are programmed using configuration files, called “codeplugs”. The process is fairly
straightforward: load the codeplug (a *.cpg file) with a programming software (“CPS”), modify parameters
to the desired configuration (basically Rx/Tx frequencies, signalling code and user ID) and “program”
(write) it back to a radio.
In standard emergency and regular operations, codeplugs are usually handled by UNDSS or WFP.
Therefore make sure to contact representatives of respective agencies if required.
Note that codeplugs are unique to each radio model (ex: GP360 or GP380) and firmware version
(example: version 5 or version 6). Therefore a GP380 cannot be programmed with a GP360 codeplug,
nor can a GP380 with v.5 firmware read a codeplug initially designed for a GP380 with v.6
firmware. The procedure described in this document only applies to post-version 6 firmware.
4.1 REQUIREMENTS
- A Motorola GP/GM series radio with latest firmware installed (R03.17.01 or above).
- Laptop, with windows 98 or higher. Note: if PC is running Vista or Win7, only 32 Bits will work.
- A programming cable:
o For GP340, GP360 and GP380: RKN4075
o For GM360 and GM380: RKN4081
o For GP388: MDJMKN4123 in conjunction with RLN4008
- A USB to RS232 serial adapter.
- Motorola CPS (Customer Programming Software) for "Professional GP300/GM300 Series CPS"
software. (Software version R03.11.16 or higher is recommended).
- A standard radio codeplug according to the model of the radio.
- The country specific callsign and selcall allocation table.
- (optional) Firmware files for upgrading old hardware to latest Firmware.
Connect the programming cable to your computer via a serial to USB adapter (drivers
should have been installed). If using a GP3xx radio, remove the plastic cover located on the right side
of the radio and connect the programming cable. Insert the locking screw gently but firmly. Turn on the
radio.
If using GM3xx radios, disconnect the microphone plug and connect the appropriate programming cable
to the RJ45 socket and turn on the radio.
Launch the CPS software and load the Codeplug by clicking [Open] and search for the (standard)
codeplug file (Example: GP380_Nyala.cpg).
The Motorola CPS is a typical windows-based software which supports typical windows-commands:
copy, paste, file, save, save as, open etc. In addition to this the CPS interface allows for reading and
writing codeplugs to the radio. The software contains a quick access menu bar.
On the left of the screen is the tree view. The tree view expands into following submenus:
- Radio information: Contains serial number, radio model number, codeplug version and other
information.
- Per Radio: Contains Parameters common to the whole radio.
- Per channel: Contains channel specific parameters, frequency, PL codes, display and other
information.
- Per Personality: Contains parameters common to one or more channels.
- Encoder definitions: Contains sequences and telegrams (a part of the select 5 Standard).
- Decoder definitions: Contains decoder specific parameters (part of the select 5 standard).
- Signaling definitions: Contains information about which Select 5 system the radio utilizes.
Figure 54 - CPS Tree View
Once the codeplug has been loaded, following steps should be followed to personalize the radio:
It is also possible to load an existing contact list into the radio. Use the menu bar File, click [Import],
select Contact List and search for the contact list file. This file requires a .txt extension.
c. Status Decode
Expand the Per Channel tree with [+], click Per Channel
- Adding a New Channel into the Radio: Click in the green plus button located in the bottom
of the window. A new Per Channel page will be added at the end of the Channel List.
- Deleting an Existing Channel: Use the [◄] or [►] buttons to select the channel to be deleted.
Click on the red [X] button.
Display Tab
Encode PL Type
- Select “Disabled” if a carrier squelch is used, or
- Select “PL” if a PL squelch is in use for this channel
Encode PL code
- Select the tone code in use for this channel, normally 141.3 Hz (4A).
- Tick the PL Reverse Burst/DPL TOC box.
Decode PL Type
- Select “Disabled” if no tone squelch is used, or
- Select “PL” if a tone squelch is in use for this channel.
Decode PL Code or Decode DPL Code
- Select the PL tone code in use for this channel.
Figure 61 - CPS PL/DPL Tab
Once a codeplug has been configured according to the previous chapter, it’s easy to quickly program
additional radios just by modifying the radio ID, Own ID sequence and decoder definitions.
Sometimes old codeplugs are not compatible with new radios that are shipped with recent firmware. In
such scenarios, it may be necessary to upgrade codeplugs to later versions. One can upgrade
codeplugs to match a newer radio but not downgrade codeplugs.
4.6.2 Procedure
The software will give a warning - press Ok. The software will give
you the option of labeling the file with an appropriate name and
which version you want to save the Codeplug in, please select
appropriate version to match your radio!
Figure 65 - CPS Upgrading Codeplugs
Save the file and open it for editing.
As GP380 is being phased out, only DP and DM series radios will be available for procurement.
Therefore being able to program DP and DM radio series in emergencies is crucial. However, since the
analogue radio park (GP/GM series) is still very important, taking possibly up to 5-10 years to clear,
most repeaters will remain in analogue mode to ensure backward compatibility. It is moreover likely that
digital features will not be implemented in the first months of a response, digital radio network design
and planning being significantly more complex.
Scope: This document focuses on how to program a digital radio DP 4801 for use on an analogue network
with SELECT 5 features. The following SEL 5 features have been tested to be working:
- Radio ID in radio room
- Radio stun
- Radio unstun
- Emergency call using emergency button.
Similarly to GP/GM series, Motorola’s DP/DM digital radios use configuration files called “codeplugs”
(*.ctb). In standard emergency and regular operations, codeplugs are usually handled by UNDSS or
WFP. Therefore make sure to contact representatives of respective agencies if required.
From a computer, launch the CPS software and load the Codeplug by clicking [Open] and search for
the (standard) codeplug file (Example: DP4801 - Analogue - Normal User.ctb). Note that the radio does
not need to be plugged in to change the codeplug configuration. Make sure the expert view is checked by
ticking the option in the view tab:
Once the codeplug has been loaded, the following steps should be followed to personalize the radio:
a. Radio Name & ID
b. 5 Tone Radio ID
c. Channels
d. Contacts
e. Write
From the Tree View (left menu) go to General Settings, change the Radio Name as per standard Call
sign (ex: AC8.2 or Alpha Charlie 8.2) and the Radio ID as the Selcall (ex: 2003802). The radio ID should
not contain the country identifier of the SELECT 5 Feature. One can also modify the welcome image,
however if selected, the radio ID will not show upon startup:
Still under the General settings, scroll down and edit the
U1U2U3U4U5U6U7U8 sequence under “5 tone Radio
ID”: enter the full select V selcall of the radio.
Figure 69 - Mototrbo CPS - 5 tone Radio ID
Open the channel folder from the Tree View and select the
channel named “CH1 – UN” under the “Analogue CH” folder.
One can copy/paste the same channel multiple times to match
the amount of frequencies available in the network (example:
CH1 - security, CH2 - UNICEF talk, CH3 - WFP talk, CH4 - HCR
talk…).
d. Adding Contacts
Analog call allows the radio to communicate with another radio using pre-saved contacts. The user
builds an analog call list by creating new call members under the Contact / 5 Tone folder. A call member
is an entry that contains the Contact name and address (unique ID of another radio = selcall). The user
may access this list via a short or long programmable button press (Button Features - Contacts) or
access the Contacts menu.
Go to the Contact folder in the Tree View and Right-click the 5 tone folder. Select Add->5 Tone Call. A
new member is inserted at the end of the folder list. The user may rename it and enter the individual
address. Valid characters are alphanumeric, spaces and special characters. An empty string cannot be
used for a name. Also make sure the telegram “Tel3” is selected:
Connect the USB programming cable to the handheld and the computer. Power on the handheld. The
computer will establish a private LAN connection with the handheld. Wait for that step to finish.
Once done, simply click on the “write” icon in the tool bar.
CHAPTER 4
Mobile satellite services (MSS) refers to networks of communications satellites intended for use with
mobile wireless telephones, data communications and geo-positioning (GPS). Such devices – aside
from the GPS - work similarly to mobile phones, communicating wirelessly with antenna relays that
are themselves connected via fiber optics to the Internet and public switched telephone network
(PSTN). However, instead of using terrestrial antennas, MSS devices use a network of satellites
(antenna relays) that retransmit the signal to satellite Land Earth Stations, which themselves are
connected to the Internet and PSTN.
UNICEF globally uses an estimated 1,000 satellite handsets and around 250 satellite data
modems. Since such devices are not linked to national terrestrial networks, they have been the main
choice of communication when national infrastructure is either not available (remote areas), disrupted
(natural disaster, conflicts) or controlled (censorship, monitoring).
1.1 INMARSAT
Inmarsat is the leading mobile satellite service company. Based in London, UK, it maintains a global
satellite internet and telephony network using portable terminals. The company is famous for
developing market flagships such as the BGAN, the IsatPhone and the - now discontinued - Mini-M,
GAN M4 and RBGAN. Terminals can connect to the Internet and can make phone calls from
anywhere in the world, making them popular tools for humanitarian responders.
Another advantage of Inmarsat equipment for emergency response when compared to other satellite
systems (such as VSAT) is that terminals are portable and can be easily set up by anyone. Devices
work on the L-band (Rx=1,525-1,559 MHz, Tx=1,626-1,660 MHz), which makes them very resistant to
fading caused by precipitation, dust storms and other similar phenomena known to affect traditional
larger satellite systems utilizing Ku or Ka bands.
1.1.1 Coverage
1.1.2 Network
Inmarsat operates Land Earth Stations (or "Satellite Access Stations"), located in Hawaii, Holland and
Italy, to manage the satellite networks and BGAN terminals. Inmarsat then uses "Distribution
Partners", or DPs, from which users can access the public internet, the
international public switched telephone network (PSTN), and the international cell phone network. It
also caters for Virtual Private Networks (VPN) in order to have secure links to corporate applications
from the field (with a BGAN terminal). DPs handle the billing; end-user clients never interact
directly with Inmarsat. The following diagram shows how the BGAN service works and the
demarcation lines between Inmarsat, DPs and end-user:
1.1.3 Services
- Background IP “always on” public internet (BIP) with theoretical maximum shared bandwidth 492
kbps, in practice 150-240 kbps. It serves most browsing and emailing requirements;
- Streaming (32/64/128/256/384/450kbps) on demand with dedicated bandwidth (1:1) charged per
minute connected. Used especially for media applications and live video transmissions;
- High Data Rates (HDR), only available with the BGAN 710, are 4 symmetric and asymmetric
streaming rates (325x325, 64x325, 64x650, 650x650 kbps);
- 64 kbps ISDN for “high quality” voice service, 4 kbps telephony and facsimile service;
- Public IP address available on demand.
Iridium Satellite LLC is a private company based in the USA, which offers voice, data, fax, short
messaging services (SMS) and paging services via satellite from portable handheld terminals
worldwide. Iridium is the only mobile satellite services system with complete global coverage. Users
can place phone calls via the satellite network to/from any international fixed line, cell phone or other
satellite phones.
1.2.1 Coverage
Figure 75 - Iridium's LEO Constellation
Iridium has true global coverage. The network
comprises 66 satellites, all in a Low Earth Orbit
(LEO) 780 km above the earth’s surface. The satellites
orbit from pole to pole (polar orbit) with an orbit time of
approximately 100 minutes. Transfer of user
connection from one satellite to the other is performed
through inter-satellite cross links operating at 10 Mbps.
Each satellite can have 4 cross links operating
simultaneously.
The LEO configuration, and consequently the short distance between satellites and users on the
ground, results in short signal path delays, and the terminals can operate with relatively low signal
power levels for increased battery life. The inter-satellite links also lower costs for terminal-to-
terminal calls, as terrestrial gateways and networks are not utilized for that purpose.
1.2.2 Network
1.2.3 Services
Note that circuit switched data (2.4/9.6kbps) provides only limited capacity for emailing/web-
browsing, and would normally be regarded as a last resort. Field tests came back unsuccessful most
of the time.
1.3 THURAYA
Thuraya is a regional satellite phone provider, with service in CEE/CIS, WCARO, ESARO (excluding
South Africa, Lesotho, Swaziland; not recommended in Namibia, Botswana, Zimbabwe,
Mozambique, Comoros and Madagascar), MENA, ROSA and EAPRO. The company is Inmarsat's main
competitor in the mobile satellite service. It is based in the United Arab Emirates
and distributes its products and services through authorized service providers. As long as the user is
within the coverage area, Thuraya offers satellite connectivity, including voice, data (9.6kbps to
444kbps), fax, SMS and GPS.
1.3.1 Coverage
The Thuraya network is very similar to the other MSS or conventional satellite networks. A GEO
satellite, which constitutes the Space Segment, is operated and managed by a ground network
known as the "Ground Segment" (equivalent to the LES in VSAT terminology or SAS by Inmarsat's).
The Ground Segment includes the satellite operation Centre (in Sharjah, UAE), which monitors and
1.3.3 Services
As the most commonly used service, voice over satellite costs on average US$ 0.60-0.70 to other
Thuraya phones, and US$ 0.80-1.50 for calls made to land lines, cell phones and other satellite
phones, depending on the destination party. Detailed pricing is available in the LTA. Thuraya often
provides a cheaper monthly subscription than Inmarsat or Iridium, but its usage costs are slightly higher.
Circuit switched and GmPRS data services provide very limited capacity for emailing/web-browsing,
and would normally be regarded as a very last resort. Most of the field tests came back with negative
comments, and a Thuraya handheld should therefore be regarded as a voice terminal. For most
users, Thuraya IP or IP+ would be the best alternative in terms of data connectivity.
Global standards for mobile satellite equipment are based on field-proven design, functionality,
sturdiness and support availability. Standardization facilitates the negotiation of Long Term
Agreements (LTA) with equipment and service resellers, allowing for competitive pricing, continuous
and immediate service and support, training and pre-stock (quick delivery) for rapid deployment.
- Inmarsat voice and data modems: BGAN Explorer 510 and 710 models
- Inmarsat voice handsets: IsatPhone 2
- Thuraya data modems: Thuraya IP+
- Thuraya voice handsets: Thuraya XT Pro, XT Lite and SatSleeve
- Iridium voice handset: Iridium 9555 and Extreme
Most voice handsets come with multiple accessories such as docking stations for bases or vehicles,
solar panels and external antennas.
1. The intended usage: voice / data, emergency response / business continuity, individual / team;
2. The service geographic coverage: for example, offices in Americas do not have Thuraya coverage;
3. The hardware and service pricing;
The following table is intended to guide offices when procuring a terminal based on its intended usage:
Equipment | Cost $ | Data | Voice | Field Trip | Staff (BCP) | Small office (BCP) | Large office (BCP) | Radio Room
Isatphone 2 | 720
In theory all mobile satellite terminals, including satellite phones, have data capacity. This chapter
focuses on terminals that can be used by one to multiple responders in an emergency office
environment. The segment has been dominated by Inmarsat since its flagship BGAN product was
released in 2005 but was lately challenged by Thuraya, whose IP+ offers similar services at more
competitive pricing.
Mobile data terminals are flexible enough to suit different operational needs. Terminals combine
voice telephony (BGAN only) and up to 492 kbps connectivity (~20-30KB/s in practice); they can
easily be connected to a laptop or smartphone/tablet (USB/Bluetooth/Wifi), or to the office network.
UNICEF standardizes on Cobham (previously Thrane & Thrane) devices for the BGAN service and
on Hughes for the Thuraya IP+ service.
There are also specific BGAN/Thuraya models that can be mounted on a vehicle but which will not
be detailed in this handbook. Similarly, since satellite phones have extremely low data rates (unusable
in an office environment), they will not be considered as “data” terminals.
When procured, terminals include power adapter, international adapter kit, car charger, carry case,
cables, software and manuals. Accessories such as solar panels and their voltage limiter, docking
stations, wall mount kits and coaxial cable for longer antenna runs should be procured separately.
This chapter covers standard satellite phones aimed at providing voice telephony. The segment is
occupied by the three providers named earlier, each having advantages and disadvantages as covered
in paragraph 2.1.
Inmarsat's service is called the IsatPhone. In addition to voice, the terminal comes with a variety of
data capabilities, including SMS, short message emailing, GPS look-up-and-send, and a limited
Internet service of up to 20kbit/s (~2.5KB/s). Thuraya’s lineup includes the Thuraya XT Pro/Lite and
the Satsleeve, which is an adapter that can be fixed to a smartphone (iOS or Android), converting it into
a satellite phone. Lastly, Iridium equipment consists of two voice handset models (9555/Extreme). The
following table compares the features of all models:
Satellite phones cannot be used indoors or inside vehicles unless they are attached to docking stations
and external antennas (for example the FDU-XT or SAT-VDS for the Thuraya XT PRO). Thuraya
also offers indoor repeaters that can extend the coverage to inside buildings, even without line
of sight.
All mobile satellite terminals integrate a Subscriber Identity Module (SIM), which is a small card
containing a separate and unique identity. When the card is inserted into an MSS terminal, the terminal
adopts the identity of the card. Thus all data and voice services made over the terminal will be billed
to the SIM card, and not to the phone itself. This can facilitate usage control in an environment where
many users share a terminal, or where one wants to be able to utilize different terminals but maintain
one identity; when a terminal stops functioning, it also makes it easy to switch the SIM to another one.
SIM card purchases and activations are not done directly through the MSS service providers but through
distribution partners. These are telecommunications companies who provide an interface between
the service provider and end user. As of writing, UNICEF’s distribution partner handling all MSS
terminal activations is IEC Telecoms. Usually MSS terminals are not locked from the supplier to a
specific distribution partner, hence SIM cards from different distribution partners can be used with
the same terminal.
The SIM card requires activation by the distribution partner before it can be used. Depending
on the distribution partner, this can be done by logging in to the billing portal (for example, IEC
Telecoms uses OptiSIM) and selecting the desired service plan in the interface. Alternatively, SIM cards
can also be activated by calling the distribution partner help desk and providing the SIM card number.
Activations usually take 2 hours before being effective.
With Postpaid plans, offices are billed per use of services at the end of each month. In such situations,
there is typically no limit on use of services, therefore the office must implement some cost control
mechanism (spending limit, alerts, content blocking…). In some cases, SIM card activations have a
one-time fee (OTC) and a monthly recurring cost (MRC).
Postpaid plans are recommended for the majority of offices, especially in countries with "high" and
"very high" risk profiles according to the InfoRM index (see chapter 1). The following table compares
postpaid plan pricing for the standard satellite equipment:
Equipment | OTC ($) | MRC ($/month) | Usage: Cellular ($/min) | Usage: Landline ($/min) | Usage: Internet ($/MB) | Allowance ($/month)
BGAN | 35 | 51 | 0.8 | 0.6 | 4.5 | 22
Thuraya IP+ | 27 | 0 | N/A | N/A | 4 | 0
IsatPhone | 0 | 31 | 0.7 | 0.65 | N/A | 10
Thuraya XT/Satsleeve | 0 | 16 | 1.2 | 1.2 | N/A | 0
Iridium | 0 | 38 | 0.9 | 0.9 | N/A | 0
For example, an office using 100MB of data and 120 hours of calls to cellphone with BGAN for a
month would be charged 100 x 4.5 + 120 x 0.8 + 51 – 22 = $575.
Prepaid plans are plans for which credit, or a voucher, is purchased in advance of service use. The
credit pays for voice and/or data services when the device is utilized. If there is no available credit
left, then service is denied. Usage costs are 30-40% higher when compared to postpaid plans. Such plans
are not recommended unless the office has a low InfoRM risk profile index (see chapter 1).
Humanitarian SCAP (Shared Corporate Allowance Plans) plans were introduced by Inmarsat
in 2011 with the objective of reducing costs for NGOs/UN organizations operating multiple BGAN
terminals. The idea behind the SCAP is to share a common credit pool between multiple SIM cards
(5, 10, 15, 20...).
The plan can bring significant savings to large organizations centralizing MSS payments or
management. For decentralized organizations (such as UNICEF), it’s relevant only to country offices
requiring at least 5 BGAN devices. An example of pricing is available in table 12 for a 20 SIM card
bundle. The longer the plan (1, 2 or 3 years options) the cheaper the subscription.
# | SCAP 20 SIM Bundle | Costs in USD
1 | Yearly subscription fee | 3450
2 | Yearly allowance | 1950
3 | Internet ($/MB) | 5
4 | Calls to PSTN ($/min) | 0.82
Table 12 - Humanitarian SCAP Plans
Both Thuraya and Inmarsat propose high volume or unlimited data plans for their BGAN (700/710)
and IP+. Those plans are recommended for offices using those devices as primary connectivity link
as there are no usage costs:
- BGAN Standard + is a postpaid plan whose charges vary based on the monthly usage, ranging from
$51 (for less than 5MB usage) to $3,450 per month (between 10GB and 30GB usage).
- BGAN Unlimited is a prepaid 1 month plan providing 30GB at full speed and a 128 Kbps throttling
beyond. Plan costs $4,195 and is to be renewed on a monthly basis.
- Thuraya’s high volume data plan for the IP/IP+ is similar to the BGAN unlimited as it includes 30GB
and throttling to 144 Kbps beyond. Plan costs $2,650 and is to be renewed on a monthly basis.
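The postpaid arithmetic above and the switch to a flat high-volume plan can be checked with a small calculator. This is an added example, not part of the handbook: it encodes the postpaid table and the two 30 GB plan prices from this chapter, applies the per-minute rate to the 120 in the worked BGAN figure as the handbook's own arithmetic does, and assumes an unused allowance is not refunded.

```python
from typing import NamedTuple, Optional


class Tariff(NamedTuple):
    otc: float                  # one-time charge at activation ($)
    mrc: float                  # monthly recurring cost ($/month)
    cellular: Optional[float]   # $/min, None where the table says N/A
    landline: Optional[float]   # $/min, None where the table says N/A
    internet: Optional[float]   # $/MB, None where the table says N/A
    allowance: float            # usage credit per month ($/month)


# Postpaid table from this handbook, columns in the order printed.
POSTPAID = {
    "BGAN": Tariff(35, 51, 0.8, 0.6, 4.5, 22),
    "Thuraya IP+": Tariff(27, 0, None, None, 4, 0),
    "IsatPhone": Tariff(0, 31, 0.7, 0.65, None, 10),
    "Thuraya XT/Satsleeve": Tariff(0, 16, 1.2, 1.2, None, 0),
    "Iridium": Tariff(0, 38, 0.9, 0.9, None, 0),
}

# Flat monthly prices of the 30 GB plans listed in this handbook.
HIGH_VOLUME = {"BGAN Unlimited": 4195.0, "Thuraya IP/IP+ high volume": 2650.0}


def monthly_bill(equipment, data_mb=0.0, cellular_min=0.0, landline_min=0.0,
                 first_month=False):
    """Postpaid bill: MRC plus usage above the allowance (plus OTC once)."""
    t = POSTPAID[equipment]
    usage = 0.0
    for qty, rate, name in ((data_mb, t.internet, "internet"),
                            (cellular_min, t.cellular, "cellular"),
                            (landline_min, t.landline, "landline")):
        if qty and rate is None:
            raise ValueError(f"{equipment} has no {name} rate (N/A in the table)")
        usage += qty * (rate or 0.0)
    # Assumption: an unused allowance is not refunded, so it never
    # pushes the bill below the MRC.
    bill = t.mrc + max(0.0, usage - t.allowance)
    return bill + (t.otc if first_month else 0.0)


def breakeven_mb(equipment, flat_plan):
    """Monthly data volume (MB) above which the flat plan is cheaper.

    Data-only comparison; valid once usage exceeds the allowance.
    """
    t = POSTPAID[equipment]
    if t.internet is None:
        raise ValueError(f"{equipment} has no postpaid data rate")
    return (HIGH_VOLUME[flat_plan] - t.mrc + t.allowance) / t.internet


if __name__ == "__main__":
    # The handbook's worked BGAN figure: 100 MB of data, 120 x $0.8 of calls.
    print("BGAN month:", monthly_bill("BGAN", data_mb=100, cellular_min=120))
    for eq, plan in (("BGAN", "BGAN Unlimited"),
                     ("Thuraya IP+", "Thuraya IP/IP+ high volume")):
        print(f"{eq} vs {plan}: break-even at {breakeven_mb(eq, plan):.0f} MB")
```

For BGAN the break-even is about 926 MB a month, so an office moving the 1 GB a day mentioned later in this chapter passes the price of BGAN Unlimited on its first day.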
The satellite service-level agreement (SLA) specifies what quality of service the network providers
(Inmarsat, Thuraya and Iridium) and distribution partner (IEC Telecoms, Telespazio, Marlink…) will
guarantee to the end user.
There are two main SLA indicators when considering mobile satellite services:
- Network availability: measured in percent and calculated from the total outage (minutes) in each
calendar month relative to the total minutes in the month.
- Service quality / Call success ratio: For voice, the call success ratio is defined as the ratio of calls
successfully completed to call attempts.
INMARSAT
# | Measurable value | Target value
1 | Inmarsat availability (BGAN/Isatphone) | 99.9% availability
2 | Inmarsat call success ratio (BGAN/Isatphone) | 95% success
THURAYA
# | Measurable value | Target value
3 | Thuraya availability for voice and SMS services | 94% availability
4 | Thuraya call success ratio for voice and SMS services | 94% availability
5 | Thuraya availability IP services | 94% success
IRIDIUM
# | Measurable value | Target value
6 | Iridium call success ratio (9555/Extreme) | Best effort
Table 13 - MSS Network SLA
In addition, a support service-level should be provided by the mobile satellite distribution partner.
These are measurable values that shall reflect the distribution partner obligations towards the client
for the provision of:
2.6 CONSIDERATIONS WHEN USING MSS TERMINALS FOR BCP AND EPRP
As critical operational (SAP, Office365, Skype for Business...) and program-oriented applications (donor
reporting, ICT4D projects...) are increasingly dependent on fast and reliable access to the Internet,
there are important limitations when considering BGANs or Thuraya IPs as the tool of last resort for
Internet access in emergency response or for business continuity:
1. As with all geosynchronous satellite connections, latency is an issue. Common latency is 1–1.5
seconds round trip for the Background IP service. SAP and DirectAccess for example are
sensitive to latency and will not perform well.
2. Inmarsat and Thuraya classify their data as "broadband". It is important to clarify that since these
terminals use shared channels, in practice the bandwidth fluctuates from 160 to 240 kbps.
Nowadays such value is considered as very little in comparison to conventional terrestrial
services.
3. Standard services charge per usage. 1MB usually equals $4.5. Putting this in perspective,
considering that the "normal" daily traffic for an office of 15 people totals 1GB, the resulting bill
would be equivalent to $4,500 per day or $135,000 per month! As for the streaming service,
considering a 256kbps dedicated connection valued at $11.5/minute, a permanent 24 hour
connection would result in a $16,560 per day bill!
There is unfortunately no remedy for such drawbacks. If there is no other option but to use
a BGAN or Thuraya IP, UNICEF recommends applying the following tips:
- If a BGAN or Thuraya IP is required for a long time (more than 1 month), it is recommended to
switch from postpaid to high volume data usage plans. By doing so, the office will save thousands
of dollars every month. (see chapter 2.4.4)
- If the link is shared (LAN or WiFi), educate responders to limit usage to email, preferably using
a webmail client rather than a local client (which usually downloads attachments by default).
- Limit applications by blocking specific ports, for example email only could be enabled.
The SIM card is provided by the airtime provider. Make sure that the SIM card is positioned correctly
and press gently until it clicks. Slide the lock to close the SIM slot. You can now power on the
terminal. Push the power button next to the display and hold it down until the green Power indicator
lights up.
In order to obtain the best possible signal in the shortest possible time, it is important that the
BGAN antenna is pointed correctly toward the Inmarsat satellite (See Inmarsat I-4 coverage map). The
antenna must have a clear line of sight to the satellite without any obstacles blocking the signal, and
the pointing direction of the antenna should be as accurate as possible.
Figure 80 - MSS pointing
As a rule of thumb, the signal strength should typically be 45 dBHz or more for the BGAN to be able
to establish a call or data session. To obtain the maximum signal strength, the BGAN uses a sound
that indicates the signal strength during pointing. The frequency of the tone increases with the signal
strength. When the maximum signal is reached, press OK on the keypad. The BGAN now tries to
register to the network.
Analogue or Bluetooth handsets (BGAN 500/700) must be connected to the phone/fax interface of
the BGAN. Alternatively, any SIP client (hardware or software based) can be registered with the
terminal (BGAN 510/700/710) and issue voice calls (see advanced BGAN configuration).
Any BGAN terminal integrates a DHCP server, therefore a laptop connected to the BGAN LAN port
will automatically receive IP parameters, as long as it has been configured accordingly.
When connected, the laptop should obtain a private IP address in the 192.168.0.0/24 range. This
information can be checked by opening the command prompt (start->run->cmd) and typing “ipconfig
/all”.
This step assumes Inmarsat’s LaunchPad software has been previously installed on the computer.
Once launched, the software should automatically look for and find the BGAN terminal (does not apply
to the BGAN 710) and redirect the user to the default screen.
The standard connection is an always-on, best effort connection and is suitable for most basic data
applications. It is charged by the amount of data sent and received.
Most of the features described below are enabled from the BGAN web GUI. In order to access the
GUI, make sure the terminal is connected and browse to its IP address http://192.168.0.1. The web-GUI
illustrated in this chapter is from a BGAN 700. The web-GUI of the BGAN 510 and 710 has quite
a different look but the menus and rationale described below apply equally to all terminals.
Figure 83 – BGAN Usage Calculation
- From the left navigation pane, select “Administration” (user/pass is admin/1234) and “Call charges”
- Select the currency from the “Currency” drop-down list.
- Enter the pricing for each of the services and validate.
- From the main left menu, select “Calls” to view the overall usage and related costs. A detailed
call log can also be exported from this menu.
- From the left navigation pane click on the “Administration” link (user/pass is admin/1234), select
“Data limits”.
- For Standard data, type in the number of megabytes (MB) allowed.
- Click “Apply” to save the settings.
Restricted dialing
- From the Web GUI (http://192.168.0.1), select the “Administration” menu (user/pass is
admin/1234)
- Select the “Traffic flow filters” menu and create a new entry
- Enter the authorized ports in the “Source Port Range” section as above. A best practice is to
block all traffic first and then authorize specific ports one by one (example port 110 for POP3
email).
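The block-all-then-allow practice above can be rehearsed offline before the filter is entered on the terminal. This is an added example, not part of the handbook and not the terminal's own filter logic: it applies a port allowlist to constructed flow records and prices what passes and what is blocked at the $4.5/MB rate quoted earlier in this chapter. The flow records, the two extra allowed ports and the 10^6-byte megabyte are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

USD_PER_MB = 4.5           # standard per-MB charge quoted in this handbook
BYTES_PER_MB = 1_000_000   # assumption: a billed MB is 10^6 bytes


@dataclass(frozen=True)
class Flow:
    host: str          # LAN client behind the terminal
    proto: str         # "tcp" or "udp"
    dst_port: int
    total_bytes: int   # bytes sent + received


# Default deny: anything not listed is blocked. 110/tcp (POP3) is the
# handbook's example; 25/tcp and 53/udp are assumptions for an email-only LAN.
ALLOWED = frozenset({("tcp", 110), ("tcp", 25), ("udp", 53)})

# Constructed sample: flows seen on a shared office link.
SAMPLE_FLOWS = [
    Flow("laptop1", "tcp", 110, 2_400_000),
    Flow("laptop1", "tcp", 25, 600_000),
    Flow("laptop1", "udp", 53, 40_000),
    Flow("laptop2", "tcp", 443, 38_000_000),
    Flow("laptop2", "tcp", 80, 9_500_000),
    Flow("phone1", "udp", 123, 10_000),
    Flow("phone1", "tcp", 443, 12_450_000),
]


def cost_usd(n_bytes):
    """Charge for n_bytes at the per-MB rate, rounded to cents."""
    return round(n_bytes / BYTES_PER_MB * USD_PER_MB, 2)


def audit(flows, allowed=ALLOWED):
    """Split traffic into passed and blocked under a default-deny allowlist."""
    passed = blocked = 0
    by_service, by_host = Counter(), Counter()
    for f in flows:
        if (f.proto, f.dst_port) in allowed:
            passed += f.total_bytes
        else:
            blocked += f.total_bytes
            by_service[f"{f.proto}/{f.dst_port}"] += f.total_bytes
            by_host[f.host] += f.total_bytes
    return {
        "passed_mb": passed / BYTES_PER_MB,
        "blocked_mb": blocked / BYTES_PER_MB,
        "billed_usd": cost_usd(passed),
        "avoided_usd": cost_usd(blocked),
        # Largest first: what the filter stops, and whose device sent it.
        "blocked_services": by_service.most_common(),
        "blocked_hosts": by_host.most_common(),
    }


def remaining_mb(flows, limit_mb, allowed=ALLOWED):
    """MB left under a data limit after allowed traffic; negative = exceeded."""
    return limit_mb - audit(flows, allowed)["passed_mb"]


if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("left under a 5 MB limit:", round(remaining_mb(SAMPLE_FLOWS, 5), 2))
```

The blocked-hosts ranking shows which devices to reconfigure or which users to brief before the link is shared.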
It is recommended to keep BGAN terminals on the latest firmware, as new releases often introduce new
functionality and fix bugs. Firmware can be downloaded from Inmarsat’s portal and uploaded to
the terminal using its web GUI:
- The BGAN terminal should be switched on and connected to a PC via Ethernet.
- Access the Web GUI using a web-browser by entering address http://192.168.0.1
- Select “Settings” and “Upload”
- Select “Browse”, locate the file “*.dl” and “Open”.
- Choose “Upload” and verify that the upload is in progress.
- Select again the address http://192.168.0.1 and verify the software version at “Dashboard”.
Figure 88 - BGAN Firmware Update
This action can be helpful if your terminal becomes unresponsive or has difficulties registering
following a change of service provider. Connect a laptop to the BGAN using the Ethernet interface.
- Open a command prompt (start->run->cmd)
- Run: telnet 192.168.0.1 5454
- Write the following AT command: ‘at+cmar=1234’
- The response to the AT command should be ‘OK’
- The BGAN will reboot and reset all settings to factory default.
This procedure only applies to the BGAN 510, 700 and 710 models. These models can act as Wi-Fi
routers, making it easier for users to share the access. Caution is advised though, since this could
trigger an increase in traffic and, as a result, expensive usage charges. To enable the Wi-Fi service
of the BGAN 700:
- Connect your computer to the BGAN 700 using the Ethernet cable
- Browse to the Web GUI (http://192.168.0.1)
- Go to “Settings” > ”WLAN”
- Enable the WLAN interface
- Select the Country code for your present location
- Select any channel number
- Enable “Broadcast SSID”
- Select the WLAN mode “802.11b/g”
- Secure your WLAN access using a WPA2-AES encryption key
- Click “Apply” and reboot the device.
Figure 89 - BGAN WiFi Configuration
Enabling SIP clients (PC, smartphone) to issue calls through the BGAN
This procedure only applies to the BGAN 510, 700 and 710 models. These models can act as SIP
servers, registering SIP clients installed on smartphones or PCs, making it easier for users to dial
from anywhere in the office. Up to 16 SIP clients can be registered this way; note however that only
one client can issue a call at a time and all clients ring when receiving a call. The call cost is
the same as a call through an analog phone connected to the BGAN.
There are numerous free SIP clients on the market. The procedure below applies to 3CX (available
for download on PC, iOS, Android) but should work with any SIP client. The BGAN SIP server is
activated by default so there is no particular configuration required. The client and server must be on
the same network, or the same Wi-Fi for clients on smartphones. For example, smartphones can connect
to the integrated BGAN wireless access point.
Once the configuration is done, users can dial a phone number and make a call through the SIP
Client application.
In the default Router mode, the BGAN acts as a router, NATing the
private network (by default 192.168.128.0/24) into a single public
IP which is dynamically assigned at each connection.
The SIM card slot is located under the battery. To access the slot, the battery
cover should be removed using a coin to turn the screw slot until it is vertical.
If the battery is in place, lift it out. Slide the catch down on the SIM holder and
flip it outwards. Make sure the angled corner of your SIM card is on your left
and slide it into the holder. Flip the holder back into place and slide the catch
back up. Insert the battery by pressing the battery forward and down. It will
click into place. Remove the battery by pressing the battery forward, then lift
up and out of the phone. Replace the cover and lock the screw.
Before being able to place calls on the network, the phone needs to acquire a GPS fix so it can be
located by the satellite. This happens automatically when starting the phone, the GPS fix icon will be
displayed. Keep the phone in the open with a clear view of the sky until the icon disappears.
After obtaining the GPS fix, the phone will register with the Inmarsat network. Stand outside with a
clear view of the sky with the phone antenna pointing toward the Inmarsat satellite (See Inmarsat I-
4 coverage map). There must be a clear line of sight between the phone’s antenna and the satellite.
“Searching for satellite service” will appear on the screen. The top left of the screen will display
“Inmarsat” when the phone is connected to the satellite. The signal bars indicate the signal strength.
At least two signal bars are required to make and receive calls. The phone antenna should be
pointing toward the satellite and the user should remain stationary. Land or cellular lines can be
reached by dialling the full international number:
WARNING: due to high usage costs ($5/MB) and extremely slow service, it is not recommended to use
the data service of the IsatPhone.
To establish a data connection, connect the IsatPhone Pro terminal to a laptop using the USB cable.
CAUTION: the phone must be OFF. When switching the phone on, you will be prompted to install the
USB drivers.
A Thuraya XT requires a GPS fix before accessing the network. This step
is mandatory in order to register your phone with the Thuraya network.
The process is automatic upon bootup and can take from 30 seconds to
a couple of minutes depending on the GPS satellite visibility. Coordinates can
be accessed from Menu > Navigation > Current Position.
After receiving the current GPS data, the phone should automatically and
successfully register (as long as the SIM card has been activated) and the display
should indicate “Thuraya + Current Country”. For the best voice
experience, the antenna should be fully extended during
incoming and outgoing calls. The antenna is directional and users should
therefore point it toward the sky, facing the Thuraya satellite (see
coverage map), without any obstacle (clear line of sight). The SAT signal
indicator reflects the signal strength.
Dial 123 to access the voice mail system and follow the instructions. Choose the language by
pressing 1 for English, 2 for Arabic, 3 for French, etc. Create a password (4-8 digits) and
press #, re-enter your password and press #. To program a voice mail message, press 3.
WARNING: due to high usage costs ($5/MB) and very slow service, it is not recommended to use the
GmPRS service, especially when coupled with a SatSleeve.
NOTE: GmPRS data is only accessible to SIMs subscribed to the GmPRS plan (+$10/month).
Thuraya GmPRS can provide an “Always On” mobile satellite Internet connection at speeds up to
5/1 KB/s downlink/uplink. The service is supported by the latest generation of handsets; SG-2520,
SO-2510, XT, XT Dual and SatSleeve.
First, verify the service is enabled in the satphone, for example from a Thuraya XT:
- Check the software version is XT_1.90 or above: Menu > 9 Security > 7 S/W Version.
- Select the APN ‘get’. Go to Menu > 7 Settings > 3 GmPRS > 1 APN to ensure the APN ‘get’ is
selected; otherwise, select Option, insert the APN as ‘get’ and select it.
- Select a preference for the Auto Reject option: Menu > 7 Settings > 3 GmPRS > 2 Auto Reject > ON. If
Auto Reject is set to OFF, the subscriber will have the option to either accept the call or reject it. If
Auto Reject is set to ON, incoming voice calls during an active Thuraya GmPRS data session will
be rejected. However, the subscriber will be able to view missed calls.
Second, set up the laptop: connect the Thuraya phone to a PC using the USB cable. CAUTION: the
phone must be OFF. After that, switch ON the phone and install the USB drivers.
Fixed dialing
The Thuraya SatSleeve uses satellite communications, which require a direct line of sight to the
Thuraya satellite. A Thuraya SIM card is required to use satellite services when connecting to the satellite
network. A SIM card previously linked to an older device (SO, SG, XT…) will be compatible with the
SatSleeve.
Attach your iPhone/Galaxy to the docking adaptor pin and press the top side of the phone into the
adaptor. Press and hold the power button down for about 2s to power on the Thuraya SatSleeve.
The blue LEDs will blink and you will hear a beeping sound. The Thuraya SatSleeve is now ready to
pair with the phone.
The SatSleeve can initiate a SOS call, even when not paired to a smartphone.
The SOS call button is located between the main unit and the docking cradle.
To set up the SOS number, from the SatSleeve app:
- Select settings
- Tap Call > SOS number
- Enter the emergency phone number
- Tap “Done”
Note that the SOS Button works even if there is no emergency number stored or if there is no SIM
card inserted in the SatSleeve. In such a case, the call will be routed to 112 as a default (not available
in all countries).
Place the Thuraya IP/IP+ outdoors on a flat surface with a clear view of the sky, away from buildings,
trees and other obstructions. Power up the satellite modem by pressing the Power button. Once
powered up, the device will automatically attempt to locate itself using GPS. This may take up to five
minutes. The small GPS satellite icons on the display (shaded area in the picture below) show how
many GPS satellites are in view at any given time. All three satellite icons should be on to obtain a
GPS fix. If any is missing or flashing, then the GPS signal is being blocked.
When the GPS icon stops flashing then Thuraya IP has successfully updated its GPS position.
The terminal should be pointed toward the Thuraya satellite. The receive signal strength can be
optimized by fine tuning the antenna position and based on the signal strength display on the Thuraya
IP/IP+. Slowly rotate the device a few degrees clockwise and counter clockwise. Likewise, slowly
raise and lower the antenna a few degrees until the maximum signal strength is reached (~80-85%).
Once the Thuraya IP/IP+ considers the signal strength sufficient, it will automatically register and
establish an IP data session. This can be verified by browsing to the Web GUI
(http://192.168.128.100) and confirming that the “Network Status” line shows “Connected”.
Remove the battery and slide the SIM card into the SIM card slot. Follow the card
orientation shown on the decal. Be sure the gold contact is facing down.
Align the battery pack pegs with the slots on the bottom of the battery compartment.
Rotate the top end of the battery pack into the 9555 satellite phone. Press the battery
until it is flush with the case.
Keep your phone battery charged to ensure that the phone is ready for use when
needed. Fully extend your antenna then rotate into position. Make sure the antenna
has a clear unobstructed view of the sky.
For the convenience of the subscriber, it is suggested that the Iridium Message Centre Number be
programmed in the terminal:
- Press “Menu” then “Voicemail”
- Select “Voicemail Settings” then “Number”
- Type the voicemail number into the unit 00881662990000. Press “Save”
- Press “Back” to exit options
You can now use the “Call voicemail” menu (programmed with the Iridium Message Centre Number):
- From the terminal, press “Menu” then “Voicemail” and “Call Voicemail”.
- Enter the Iridium voice number (8816…)
- Wait for the recorded greeting to begin and press the * button
- When prompted enter your password
WARNING: similarly to the IsatPhone and Thuraya XT, data connections are not recommended with
the Iridium handsets.
Connect the Iridium terminal to a PC using the provided USB cable. CAUTION: the phone must be
OFF. Switch ON the phone and install the USB Drivers when prompted.
Iridium’s Direct Internet Data Service allows customers to connect directly to the Internet through the
Iridium gateway. Installing Iridium’s Direct Internet 3 software is recommended to enhance Internet
connectivity:
- Launch the Iridium Direct Internet 3 Installer executable file.
- Click Next> on the Setup – Iridium Direct Internet Installer welcome screen.
- The installer prompts to read a printed copy of this install guide. When ready, click Next> and
click OK on the pop-up dialog box.
- Check the Create a Desktop shortcut to launch Iridium Direct Internet checkbox. Click Next.
- Enter the location information and click OK in the Location Information dialog box.
- Click Add… from the Modems tab in the Phone and Modem dialog box.
- Select the check box next to Don’t detect my modem; I will select it from a list and click Next>.
- Select Iridium from the Manufacturer list box and click Next>.
The Iridium Extreme GPS and Location-Based Service features allow users to view, send, or restrict
location information. There are three main security options using these features:
- Programmable SOS button: a red button is located on the top of the phone, under a protective
cover. By removing the cover and pressing the red button users can send their location
information to a designated contact (example: the radio room) in the event of an emergency.
- Location Convenience Key: located on the right side of the phone, this button allows users to
quickly view and share their GPS position.
- Regular update: located in the Iridium Extreme main menu in the setup section, Location
Options, Message Options. Users can program their phone to send its GPS location to a
pre-determined contact on a regular basis.
To enable the various GPS features, go to Menu / Setup / GPS Options / GPS On
CHAPTER 5
VSAT technologies are widely used by humanitarian organizations for regular and emergency
operations. In UNICEF, about 120 offices rely on VSATs for their primary link, secondary link, Internet
off-load and voice services. In some locations where terrestrial connections are unreliable or
unavailable, two VSATs are used as primary and secondary links. In the early stages of an
emergency response (2 to 4 weeks after the disaster), VSATs remain the best tool when terrestrial
networks have been damaged (e.g. due to natural disasters or conflicts). Data rates can be assigned
based on the number of responders operating in the area and the operational capacity of the VSAT.
Other advantages for emergency response include high network availability (99.9%) and quick
installation (quick-deploy models can be installed within 30 minutes). Challenges when deploying
VSATs are linked to logistics (transport, location to setup) and government licensing/regulations.
Signals sent down to earth from the satellite are said to form a “beam” like the light beam of a torch.
The area covered by the satellite beam is called its “footprint” (see below). As can be clearly
illustrated with a torch in a dark room; the larger the floor area covered, the less bright is the
illumination on the floor. The same happens with satellite beams, with the brightness or intensity
analogous to the satellite’s power (technically referred to as the Effective Isotropic Radiated Power
or EIRP). Thus the larger the beam, the less power is generally available within the beam.
Traditional satellite technology utilizes a “wide” single beam (usually in the order of 1000s of
kilometers) to cover wide regions or even entire continents. This is highly efficient for large-scale,
one-way communication such as television broadcasts but not for on-demand two-way
communications. Global beams are classified as wide beams.
When using “narrow beams”, the satellite signal is specially concentrated in power (i.e. sent by a
high-gain antenna) so that it will cover only a limited geographic area on Earth. Narrow beams allow
satellites to transmit different data signals using the same frequency. Because satellites have a
limited number of frequencies to use, the ability to re-use a frequency for different geographical
locations without interfering with each other allows more local channels to be utilized. Latest High
Throughput Satellite (HTS) systems (O3B, Epic or Global Xpress…) rely on such beam technology
to achieve high data rates, the drawback being a significantly higher cost of manufacturing due to
the number of antennas on the satellite, the increased power consumption and the overall complexity
of the system. Spot beams are also classified as narrow beams.
A station which is located near the center of the footprint will have an advantage in the received
signal compared to another located at the edge of the same beam of the satellite. The satellite
antenna pattern has a defined beam edge to which the values of the satellite EIRP are referenced,
therefore a footprint as shown in the figure above has contours representing 1 dB increments
toward the beam center. Footprints and EIRP details of every satellite and its transponders can
usually be found on the satellite operator’s website.
Essentially all commercial satellite communications transmit and receive in the microwave frequency
band, between 1 and 30 GHz. The figure below illustrates the relative bandwidths available for each
of the currently-used satellite bands:
Ka band (20-30 GHz) is used in the latest communications satellites (Global Xpress, Iridium Next…).
Uplink frequencies start from 27.5 GHz to 30 GHz. Unlike the Ku and the C bands, it is far more
susceptible to signal attenuation under rainy conditions, therefore targeted towards dry regions of
the world.
Based on the above bands, one may notice that uplink and downlink frequencies are different. This is to
avoid interference between the two signals on the satellite and at the earth station. To further isolate
the signals, one polarization is usually used for the uplink and the other for the downlink. The principal
reason for polarization is frequency reuse, so that two channels can use the same frequency
band. The uplink frequency is higher because it reduces the complexity of the satellite by permitting
a smaller receive antenna on the satellite, reducing the size of amplifiers and reducing the amount
of power required.
The gain of the antenna is proportional to the square of the frequency, so by using the higher
frequency the receive antenna can be smaller. Thus the practice has been to use the higher
frequency for the uplink and the lower frequency for the downlink and "put the burden on the ground."
It is easier to increase the size and power of the earth station antenna than the one of the satellite.
1.5 TRANSMISSIONS
The main access methods for satellite networks are Time Division Multiplexing (TDM), Time Division
Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Single Channel Per Carrier
(SCPC) and Multiple Channels Per Carrier (MCPC).
When using multiple access networks like TDM/TDMA, the remote VSATs “listen” to the same high
speed data stream sent by the hub using TDM. They then extract the information/data that is addressed
uniquely to each of them. For the return to the hub, the VSATs take turns transmitting on a common
channel (TDMA). Service providers usually prefer this solution because it maximizes their channel
capacity, which also means a lower cost for the subscriber. iDirect platforms, for example, widely use
TDM/TDMA.
Figure 97 - Time Division Multiplexing (TDM) and Time Division Multiple Access (TDMA)
The limitation of SCPC lies in the fact that each channel requires a separate modem at each end of
the link. From the satellite provider's point of view, SCPC circuits are an inefficient use of satellite
bandwidth because, when the station does not transmit, the bandwidth cannot be reallocated to other
stations (“bursting”, see point 3.2). SCPC circuits are therefore more expensive than TDM/TDMA systems.
With Hybrid MCPC/SCPC Networks the hub combines several subcarriers into a single bit stream
before transmitting it as one carrier to all the remote sites (MCPC or Multiple Channel per Carrier).
The remote sites typically use SCPC for the return channel:
[Figure: MCPC-S2/SCPC Network. The hub antenna sends outbound MCPC carriers (hub–remote) through the satellite to two groups of remote terminals (Multicast A and Multicast B); the hub is connected to headquarters, the MPLS cloud and the Internet.]
Polarization is determined by the orientation of the electric and magnetic fields radiating from the
transmitting antenna. If polarization is used, two different signals can be transmitted in the same
frequency range without interference, even if they overlap in frequency. In this way, twice the number
of channels can be transmitted in a given bandwidth (frequency reuse). Satellite systems typically
use either linear polarization (horizontal/vertical) or circular polarization (LHCP/RHCP).
1.5.3 Modulation
The frequency spectrum is a limited resource that must be shared to meet the demand for
communication services. At the same time, developers of communication systems are constrained
with restrictions on the permissible transmission power and challenges with the inherent noise of the
system.
With the progress of science and the advent of micro-processors, highly complex but spectrally
efficient modulation techniques were created. A major transition occurred from simple analogue type
modulation to new digital modulation techniques. Examples of digital modulations applied in satellite
communications include Quadrature Phase Shift Keying (QPSK), Frequency Shift Keying (FSK) and
Binary Phase Shift Keying (BPSK). By using better modulation techniques, satellite operators are
able to provide higher data rates and host more users on their transponders.
When procuring VSAT services, all providers should be able to meet a certain level of performance.
Performance indicators are usually expressed as “link availability” (percentage of time the link is up)
and the minimum Bit Error Ratio (total number of erroneous bits divided by the total number of bits
received). For example, a service provider may guarantee 99.5% availability and BER = 1e-6,
meaning that for the entire year, except for 44 hours, the link will perform much better than the BER
threshold. During these 44 hours, VSAT subscribers may expect slowness or disruption of the signal.
Usually the higher the availability the higher the monthly cost.
- Weather conditions, such as rain, snow, ice or fog can disrupt Ku and Ka Band systems (but
only marginally on C Band). High frequencies are more susceptible to attenuation caused by the
absorption and scattering effect of water in the atmosphere. Interestingly the signal could be
down not only because of bad weather conditions on the VSAT site, but also at the operator’s
teleport. Other rare events such as solar eruptions and eclipses can also affect the signal.
- Interference is the major concern of satellite operators. It can be located at the
transponder or at the earth station. For example, a damaged cable can pick up TV signals that
are in turn radiated to the satellite, or an antenna on the ground may be pointing to the wrong satellite.
Interference can also be caused by a cable running too close to electrical equipment such as
motors, elevators, air conditioners, or by nearby microwave or TV towers.
- Noise from the environment, either external (atmosphere, sun, earth…) or internal electronics
(resistors in the circuit, semi-conductors…). As the signal bandwidth increases, the receiver will
pick up additional noise.
- Power failures account for 80% of all station outages. All indoor equipment should therefore be
backed up with a UPS and ideally a generator or batteries powered by solar panels.
- Latency, which typically ranges from 500ms to 1s in satellite networks because radio waves
have to travel from the earth station to the satellite and back. This factor is a problem for some
Internet transmission protocols. Notably, the Transmission Control Protocol (TCP) requires each
data packet to be acknowledged as received intact before sending further packets. Because it was
designed to operate efficiently in terrestrial networks with delays of typically less than 100
milliseconds, TCP does not perform as well over satellites. This limitation of TCP can
be overcome in a number of ways by using techniques such as acknowledgments, compression
and protocol emulation to reduce the amount of acknowledgment traffic. Other techniques simply
1.6 NETWORK
A typical VSAT network has many VSAT stations communicating with the provider hub which is then
connected to a public network (Internet, the telephone network) and UNICEF’s WAN:
[Figure: typical VSAT network. VSAT 1 to VSAT 4 communicate through the SATELLITE with the HUB (NOC), which connects to the PSTN, the Internet and the WAN (SunGard, NYHQ).]
As of writing, the vast majority of UNICEF VSAT stations are using 3 satellites: Arabsat 5A (30.5°E),
Yahsat 1A (52.5°E) and Telstar 18 (138°E). The network management is outsourced to EMC, which
has teleports in Germany, UK and Hawaii. Marine fiber optic cables link the teleports to UNICEF’s
data centers in New Jersey (SunGard) and New York HQ.
[Figure: VSAT station diagram; labels: Satellite, Feed, Router / Modem]
2.1 ANTENNAS
The primary goal of an antenna is to reflect and concentrate the signal from and to satellites that are
36,000 km above earth. Most of the VSAT antennas have a parabolic dish shape, which focuses the
signal towards the satellite. In other terms, parabolic antennas are highly directional, a necessary
feature when considering the distance to the satellite. Note that a dish is generally incorrectly termed
“antenna”, the true receiving antenna being the LNB. Depending on the purpose and wavelength,
antennas are made in various forms and sizes. The higher the frequency for example, the smaller
the antenna, hence C Band stations being larger than Ku or Ka band stations. Similarly, antennas
located in the satellite operator’s teleport must accommodate large data rates (usually 155 Mbps),
hence their very large size (7 to 15m) while subscriber’s models range
from 98cm to 3.8 meter. There are four main types of parabolic antennas:
- Prime focus antenna: The prime focus antenna is round and has its
feed / LNB assembly at the focal point directly in front of the antenna.
A prime focus antenna is easy to manufacture and inexpensive. They
are also the easiest to point.
- Offset feed antennas have smaller diameters (30 cm-4 m) and the
feed is located below the lower edge of the offset block of the antenna
aperture. Offset antennas achieve a better radiation pattern because
of less aperture blockage. The offset must be taken into consideration
when pointing the dish.
- Cassegrain antennas can have either a main center or an offset feed and use a secondary
hyperboloid as sub-reflector. These models usually achieve better efficiency and are used by
most earth station dishes or in mobile compact systems. Such antennas are
usually more expensive than Prime or Offset antennas.
- Gregorian antennas are physically similar to Cassegrain antennas
as they employ dual reflection to achieve compact structures.
Figure 104 - Types of Parabolic Dishes
There is no official standard antenna model; however, for emergency response, antenna
manufacturer GD Satcom (who acquired Prodelin and Vertex RSI) is recommended. Inmarsat’s
release of the Global Xpress platform led to the addition of multiple Quick-deploy antennas;
Cobham’s model is listed below.
Quick deploy antennas are recommended for operations needing flexibility; antennas can be
assembled and disassembled within 30 minutes and do not usually require any tools. Fixed antennas
are aimed at permanent installations and require up to 3 days for installation, as civil engineering (such
as installing the mast) might delay the setup. Quick Deploy antennas ($10k to $40k) are significantly
more expensive than fixed antennas ($500 to $3k). UNICEF pre-stocks GD Satcom's Quick Deploy
VSAT series in Copenhagen so they can be shipped immediately upon request. Fixed VSATs can be
obtained through the LTA suppliers.
In a VSAT system, the electronics refer to the equipment attached to the antenna feed. Their function
is to shape the signal beam to match the parabolic dish and achieve the best transmission. In
addition, electronics also separate transmit and
receive signals with minimum loss and interference.
A typical antenna is composed of the following
electronics:
VSAT systems require a total of two Inter Facility Link (IFL) cables to be installed between the ODU
location and the IDU. The path and length of the IFL cable should be determined during a site survey,
and approval from the building landlord should be obtained, as routing the cable may require some
drilling in walls or ceilings. Transmit and receive intermediate frequencies (500 to 700 MHz) are
carried by shielded coaxial cables. Failure to use high quality low loss coaxial cable for extended
lengths will result in significant reduction in the ODU output and excessive signal distortion.
Coaxial cable conducts electrical signal using an inner conductor (usually a solid copper, stranded
copper or copper plated steel wire) surrounded by an insulating layer. All are enclosed in a shield,
typically one to four layers of woven metallic braid and metallic tape. The cable is protected by an
outer insulating jacket. Larger diameter cables and cables with multiple shields have less leakage
but are also more expensive:
There is no official standard coaxial model in UNICEF; however, for emergency operations, high
quality cable standards such as RG11 (75Ω), LMR400 (50Ω) and LMR600-75 (75Ω) from
manufacturers such as Belden, Pasternack or Times Microwave come highly recommended. For
example, UNICEF ships 200 ft. Pasternack RG11A/U cables with all Quick-Deploy VSATs pre-stocked
in Copenhagen, while EMC (LTA holder as of writing) uses LMR400/LMR600 for the long runs
(>100m). RG6 cables, commonly used for TV, might also be considered but only for short runs (less
than 30 meters) since they suffer greater signal loss.
[Figure: cable attenuation in dB (vertical axis, 0 to 12) against frequency (horizontal axis labelled Hz, 0 to 1000) for Belden 8215 (RG6), Belden 8213 (RG11) and TMS LMR400]
There are many coaxial connectors on the market; the most common in VSAT systems are F
connectors (75Ω) and N connectors (50Ω). Not all connectors and coaxial cables are compatible. The
following is a set of recommended connectors for the cables mentioned above:
- RG6: Pasternack PE44312 (75Ω male connector, F type)
- RG11: Pasternack PE44315 (75Ω male connector, F type)
- LMR400: TMS EZ-400-NMC-2-D (50Ω male connector, N type)
- LMR600: TMS EZ-600-FMH-75 (75Ω male connector, N type)
Figure 113 - F & N connectors
Other important IFL elements to consider:
- Surge arresters, installed in line with a coaxial cable to protect modem from damage induced
by lightning striking the antenna and travelling through the cable. Recommended models are
Pasternack PE7301-1 (N male to N female) and PixelSatRadio Surge Protector 4645F (F male
to F female).
- Impedance matching pads can solve mismatching impedances between the cable/connector
and modem/BUC/LNB. Pasternack PE7070 for example is a N male 50 Ω to F female 75 Ω
impedance adapter.
- 2-way splitters with DC block are used to connect a spectrum analyzer during
the pointing procedure. Note that most standard 'consumer-grade' splitters are
designed for TV frequencies and will not pass the higher frequencies of the
satellite signal; it is recommended to look for F female 75Ω or 50Ω, 0-2 GHz
splitters.
Figure 114 - Splitter
2.4 SATELLITE MODEMS
"Modem" stands for "modulator-demodulator". Its main function is to transform an input bit stream
into a radio signal and vice versa; the process is called “modulation”. Data to be transmitted is typically
received from a router. Probably the best way of understanding how a modem works is to look at its
internal structure:
UNICEF uses various types of modems: the iDirect Satellite routers for TDM/TDMA systems (shared
bandwidth) and the Radyne, Datum and Comtech series for SCPC and MCPC links (dedicated
bandwidth with bursting).
VSATs are considered as the last resort long term solution for Internet and voice access in
emergencies. For this reason, a certain quantity of VSAT kits are pre-stocked in the Copenhagen
warehouse, so they can be quickly shipped to the field should an emergency happen.
The challenge with pre-stocking VSAT dishes is that there is no single standard solution that
guarantees worldwide operation, independently of the location of the emergency response. For
example an antenna UNICEF would deploy in Middle-East would be different than the antenna
deployed in South-East Asia. Parameters to consider include: the frequency band (Ku, standard C,
extended C, Ka…), the antenna size (0.9m, 1.2m, 1.8m, 2.4m), the transmission power (4W, 5W,
10W, 40W…), the modem type (iDirect, SCPC…). All of these depend on which ISP UNICEF goes
for (local, regional or global).
UNICEF has designed VSAT kits in a flexible manner, each kit being composed of 4 types of
“blocks”. The kit is assembled by selecting the blocks based on ISP capacity. Therefore a minimum
of communication is required prior to shipping the VSAT kit. The composition of the blocks is as follows:
[Figure: VSAT kit composition. Antenna block (1.2m, 1.8m OR 2.4m Quick Deploy Antenna) + electronics block (Ku Band Feed Horn + 4W BUC & LNB, OR C Band Circular Feed Horn + 10W BUC & LNB, OR C Band Linear Feed Horn + 10W BUC & LNB) + cable block (250FT RG11 coaxial cable + coaxial connectors, adapters and DC blockers + grounding + assembly and pointing tool set) + modem block (iDirect Modem Rack OR SCPC Modem Rack) = VSAT KIT]
- The antenna block is composed of GD Satcom Quick Deploy antennas ranging from 1.2m, 1.8m
and 2.4m. It includes the pedestal, reflector (usually composed of 2 or 4 petals),
positioner/pointing mechanism, sand bags for ballast and the transport cases. Quick deploy
antennas are adequate for emergency response as they are fast to assemble: no tools are
required and just two persons can assemble the structure. Those models also favour
redeployment once the emergency is over or if an evacuation is required.
- The electronics block handles the transmission and reception of the signal. It is therefore
composed of the feedhorn, the BUC and the LNB. ICTD stores 3 types of electronics blocks: a
4W Ku band kit, a 10W standard C band kit and a 5W extended C band kit.
- The cable block is a single standard kit composed of 200 feet (30m) of RG11 bulk cable, F male
connectors, all sorts of coaxial adapters (F to N, impedance matching pads, surge arrestors,…),
crimping tools and grounding accessories (rod, wire, wire terminal kit…).
- Finally, there are two modem blocks. One is composed of a network rack, an iDirect modem
and a UPS. The second is similar but replaces the modem with an SCPC model (either Datum
or Radyne) and adds a voice router and a switch.
Service providers usually offer shared or dedicated bandwidth. Shared bandwidth refers to bandwidth
that is shared with other customers. Dedicated bandwidth is “committed” solely to the office. Shared
bandwidth is obviously cheaper than dedicated bandwidth because costs are being shared among
other users. Unfortunately, some service providers pass off shared bandwidth as dedicated
bandwidth and charge rates equivalent to those for dedicated bandwidth. Such detail should
therefore be clear when a contract is being signed.
Service providers apply a formula to determine the monthly recurring cost (MRC) of a
dedicated bandwidth plan. The formula depends on the sum of the download and upload bandwidth
multiplied by a coefficient:
Coefficients are usually kept secret and vary depending on the service provider. An average
indicative value of the coefficient is 1.1. The following table provides examples of the resulting costs:
To obtain the exact OTC and MRC pricing with UNICEF’s global service provider, contact ICTD.
Shared bandwidth on the other hand might be desirable for a VSAT running as backup or secondary
link (for email and Internet traffic) as the bandwidth won’t be used all the time. There are three key
metrics that need to be considered when purchasing shared bandwidth:
- The contention ratio is the number of users sharing the bandwidth. For instance if 1 Mbps
bandwidth is shared among 20 customers (contention ratio of 20:1), then the maximum
connection speed when all the customers are using the bandwidth is 50 kbps, which is equivalent
to a dial up modem connection. Contention is also called “over booking” or “over selling” capacity.
- The Committed Information Rate (CIR) is the minimum bandwidth capacity at all times. In the
example above using a contention ratio of 20:1, the CIR would be 50 kbps, even though the
service provider quotes a bandwidth capacity of 1 Mbps.
- The Bursting Capacity refers to the ability of a VSAT system to utilize capacity above and
beyond its normal allocation. If the service provider has implemented bursting, a portion or all of
the shared bandwidth capacity is pooled. When other subscribers are not using their capacity,
the office may be able to “burst” or use more than its allocated capacity. When other subscribers
need their bandwidth, it is removed from the pool and assigned to the subscriber. Bursting is
also applied on UNICEF SCPC/MCPC links with global service providers.
Shared bandwidth plans are the most common plans available in countries or regions, many of which
rely on the iDirect platform. However because these plans can be deceiving, it is essential to always
inquire about the contention ratio, CIR and entitled bursting capacity.
Similarly to dedicated bandwidth plans, the following formula determines the monthly recurring cost of a
shared bandwidth plan:
Considering average indicative values of the coefficients C = 1.35 and D = 350, the resulting MRC is:
Download (kbps)   Upload (kbps)   MRC with 1:5 contention   MRC with 1:10 contention   MRC with 1:20 contention
256               256             488.24                    419.12                     384.56
512               256             557.36                    453.68                     401.84
768               512             695.6                     522.8                      436.4
1024              512             764.72                    557.36                     453.68
1536              768             972.08                    661.04                     505.52
2048              1024            1179.44                   764.72                     557.36
3072              1536            1594.16                   972.08                     661.04
Table 18 – Indicative Pricing for an iDirect link
To obtain the exact OTC and MRC pricing with UNICEF’s global service provider, contact ICTD.
This chapter details the necessary steps to install a VSAT based on the usual requirements from
most service providers. The VSAT installation sequence is as follows:
Before even considering installing a VSAT for a new office, one should first consider whether there
is no alternative (cable/DSL technologies are more cost effective) and whether authorities will approve
the installation. In most emergencies, the requirement will also depend on the UNICEF station in the
affected area:
- If the organization rents its own building for a significant amount of time (at least 1 year), then a
VSAT could be justifiable. Note that an emergency office with more than 20 users should have
a backup link, therefore a VSAT is more likely to be required.
- If UNICEF is located in an inter-agency building where another agency or the ETC cluster is
already providing services, then it doesn’t make sense to add an additional antenna.
This chapter describes the procedure for conducting a site survey to determine the optimal location
for the VSAT, including:
a. Calculating azimuth and elevation
b. Checking LOS
c. ODU site selection
d. IDU site selection
e. Reporting
This task should be done even before travelling to the site, and the results printed out. Go to
www.dishpointer.com, enter the location where the antenna is to be placed (city) and press go. Select
the satellite to be used and move the cursor to the office location on the Google Map screen. For
example:
Communication satellites used in the satcom industry are typically in a geostationary orbit, appearing
to be in a fixed position in the sky directly above the equator, relative to an observation point on
earth. The entire field of geostationary satellites can therefore be found in an arc across the sky.
To communicate with the satellite, the antenna must be able to 'see' the location in the sky above
the equator in which the satellite is located. The situation of an unobstructed view between the
satellite and the antenna is known as 'having a line-of-sight' to the satellite.
The following table can be used as a reference for the above calculation:
The antenna location is obviously dependent on the line-of-sight to the satellite. Sometimes this
leaves few possibilities for the installation: garden, terrace, roof top. In addition, it is important to
perform the following checks when determining the terrestrial site for the antenna location:
- Site should be relatively flat and conveniently accessible.
- The antenna must be placed in a controlled area with restricted human access to the physical
air space between the antenna reflector and the output of the radio frequency amplifier.
- Site should have no underground obstructions, such as buried cables or pipes.
- Site should have no interference from nearby telecoms towers or airports (WiMAX, microwave
transmissions, cellular telephone towers, and airport radar).
- Site should be free from constructions or planned constructions.
- Confirm that installation at the site will follow all local building regulations and standards
regarding drilling, grounding, foundation requirements.
If the antenna is to be installed on the rooftop, the following arrangement should be considered:
- A lightning arrestor that is properly grounded.
- A point-of-entry for two coaxial cables and a clear path or empty conduit to run a coaxial cable.
- An antenna surface capable of supporting the weight of the VSAT plus its wind load.
- 230V AC or 110V AC outlet near the installation site for use during both the installation process
and subsequent maintenance work.
At this stage, the type of mount and ballast should be determined. There are various options:
- Wall mounts can only be used with small antennas (1.2m max). They are only approved for use
on solid concrete walls. If the wall is too thin, a back plate would be necessary to balance the
weight. Very small antennas (0.90m) could also be attached to a vertical steel beam.
- A penetrating mount is recommended for 1.8m antenna size and above. These are the most
challenging mounts to handle since they usually require a significant amount of civil engineering
work: digging a 1.5m to 2m deep square hole depending on antenna size, then filling it with cement
around the mount. Alternatively, such a mount could be welded or bolted to a suitable pole.
- A non-penetrating mount (NPM) is the preferred solution in emergencies as it fits all antenna
sizes, is easy to assemble, and offers a low uniform distribution. Since NPMs are not fixed to any
structure, the installer must find ballast, such as concrete blocks, to hold the mast vertical
and keep it from moving.
Figure 121 - Non Penetrating Mount
d. Selecting the Indoor Equipment (IDU) site
- Be within less than 70m from the ODU, otherwise there might be too much cable loss. If the ODU
is between 30m and 70m, RG11 type cable will be required.
- Space for a mobile 24U rack OR availability of an appropriate number of units of vertical rack
space in standard 19" equipment racks.
- Power should be provided using an uninterruptible power supply with either rectified 230V AC or
110V AC outlets in each rack.
- Ambient temperature range between 20 and 25 degrees Celsius.
- Relative humidity between 20% and 50%.
- Continuous air cycling with filtration for proper ventilation to ensure that equipment is kept free
of contaminants and particle matter.
- Fibrous material and gaseous elements should not be present in the equipment room and
measures be implemented to prevent the build-up of electrostatic discharge (including
appropriate straps and mats, and no carpeting).
The following diagram can be used for a quick site survey checklist:
This chapter describes the procedure for performing a VSAT installation. The following sequence is
recommended:
- Verify all equipment against the shipping list and manual contents, including antenna and feed,
modem or IDU rack, coaxial cables and connectors, mast and ballast, grounding rod and cables
- The site configuration sheet, to be provided by the service provider. It usually includes NOC
contacts, satellite pointing information, expected plot to be observed on the spectrum analyser
and the modem configuration.
- Check licenses have been obtained
- Prepare the VSAT installer tool kit:
o Compass and Inclinometer
o Set of wrenches (at least a 1-1/2”), Allen wrenches and screwdrivers
o A Spectrum Analyzer, such as the Rohde & Schwarz FSH series
o A coaxial splitter, Assorted coaxial connectors and adapters
o Black cable ties (never use white color)
o Crimp or compression tool depending on the connector type and coax stripping tool
o Self-fusing, electrical tapes, silicon grease and lithium grease
o GSM or satellite phone
o Console cable and serial to USB converter
The manufacturer’s installation instructions should have been included with the antenna. Make sure
to carefully read all steps and assemble the antenna properly, following this sequence:
- Assemble the mount (or base for Quick Deploy antennas)
- Install the ballast
- Install the antenna
Importantly, if the system uses a circular polarization, the circular polarizer should be aligned
following the arrow and writing (LHCP or RHCP) on the OMT.
The fully assembled feed is then attached to the antenna feed support (follow instructions manual).
Using the two-way splitter, connect the spectrum analyzer to the LNB: the splitter input is connected
to the F connector coming from the LNB, one of the outputs is connected to the spectrum analyzer, and
the other output is connected to the L band satellite modem input. As the L band modem includes an
internal power supply, it will feed the LNB with the power it needs to work properly. The
spectrum analyzer should include a DC block to prevent DC current from entering it. Alternatively, you
can use a splitter with a DC block included on the output, or a spectrum analyzer with DC voltage
tolerance, such as the R&S FSH3. Once all connections have been made, boot up the spectrum analyzer
first, then the modem.
[Figure: VSAT feed and LNB, L-Band 2-way splitter, modem (internal DC power), DC block and spectrum analyzer connections]
Spectrum Analyser settings:
- Resolution Bandwidth: 100 kHz
- Video Bandwidth: 100 Hz
- Span: 1 MHz
- Sweep time: auto
- Amplitude scale: 1 dB / div
- Center Frequency: either Rx frequency or satellite beacon frequency in the L band
To set the spectrum analyzer, the beacon or Rx frequency should be converted to L band values,
since the received signal is obtained after the LNB down-conversion. The following formula applies:
FL = LO - FC
Going back to the antenna, make sure the position is oriented correctly to the center of the satellite
orbital arc (all visible satellites from that particular site) and the canister is locked tightly against the
mast by tightening the lock screws.
Set the antenna to the elevation values
provided by service provider.
Em = Et -
Once the inclinometer measurement is ready, raise or lower the antenna to find the desired elevation
by turning the 1" nuts located at the elevation block using the appropriate tool (1-1/2” wrench).
Position the top nut so that it will not interfere with adjustment. Turn the bottom nut clockwise to
increase elevation and counterclockwise to decrease elevation until desired satellite elevation is
reached.
Use the compass to set the azimuth values. The compass needle always shows north, which
represents 0°. Place the compass horizontally and move the base until the arrow matches North on
the printed scale. The complete azimuth values are represented on the compass, for example, E is
Am = AT -
The azimuth supplied by the service provider should both indicate the true value and the measured
value on the compass. Once the compass measurement is ready, open the azimuth movement by
unlocking the two 1” adjustment nuts on the azimuth adjustment rod using appropriate tool (1-1/2”
wrench), to allow free movement of the dish for the whole length of the azimuth rod. Standing behind
the satellite dish, grasp the outer edges of the satellite dish and move right or left, until the antenna
is adjusted to the desired azimuth direction.
At this stage the installer should see the beacon on the spectrum analyzer. The beacon shows as a
thin peak rising around the noise floor, and gets higher as the antenna beam gets closer to
the satellite. If no signal is present, keep moving the satellite dish slowly in a 20 degree sweep in
one azimuth direction, and then the other, until you get a signal. If still no signal is picked up,
verify all parameters and start a large azimuth sweep (-20 to +20 degrees) starting from -20 degree
elevation to +20 degree elevation.
Some satellites share the same beacon, which may cause the installer to point at another satellite
than the desired one. To ensure that the correct satellite has been found, change the center
frequency of the spectrum analyzer to the site Rx carrier and compare with the plot the NOC
provided. Take a picture of the spectrum analyzer plot and send it to the NOC for confirmation:
e. Signal Peaking
If you reach this stage, the most difficult part (finding the satellite) has been achieved, congratulations!
At this stage, the installer should make small adjustments on the azimuth then the elevation repeatedly,
one at a time, until the strongest signal is obtained, which is defined as the greatest beacon height
on the spectrum analyzer. Adjustments should be no more than 1 degree in azimuth or elevation
while giving the spectrum analyzer enough time (5 seconds) to display the new signal. Once the
fine-tuning process is done, lock the dish by tightening all of the hardware used for adjustments,
making sure the amplitude of the signal does not drop. Then apply the lithium grease provided with
the installation kit to the azimuth and elevation rods and move to the IFL installation.
Most of the time, the coaxial cable will come already assembled. Unless requested by the NOC, for
example if there is too much signal loss, it is recommended not to cut the coaxial cable to the exact
length ODU -> IDU. In other situations where the cable is shipped in bulk, a connector might need to
be fitted or replaced. Section 4.4.1 covers the assembly process for F connectors and RG11 cables. In
any VSAT installation, connectors must be weatherproofed to ensure a long lasting installation, which
is described in section 4.4.2. Section 4.4.3 describes IFL installation standards to ensure the
maximum longevity of the overall coaxial cable.
Coaxial cables can be damaged through every day wear and tear. To ensure cable longevity, it is
recommended to:
- Weatherproof any coaxial cables kept outside (see previous chapter). This will prevent any
rusting of the cable while protecting the cable itself from various outdoor forces of nature
(sunlight, rain, animals etc.).
- Avoid bending the cable. The cable is easily capable of being curved, but should never be
crimped or turned at an angle. Many wires are inside the coaxial cable and bending these wires
could disrupt the cable's ability to transmit information. Each cable type has a different bending
radius, refer to the cable technical specifications.
- Surround outdoor cables with PVC pipes. Make sure the cable is not bent inside.
- Leave extra coax cable on the rear of the antenna in case it has to be pointed toward another
satellite.
- Create “drip loops” before the indoor entry point and connectors. This will prevent fluids
and moisture from entering either the building or the connectors.
- Install surge arresters by the modem connectors.
WARNING: NEVER CONNECT THE TX PORT TO THE BUC UNLESS PROVIDER APPROVED
The procedure below details the configuration steps for iDirect VSAT modems. It applies to all
models: Infiniti 3000/5000/7000 and X series (X1, X3, X5).
Pre-requisites:
- A computer with serial or USB port
- A serial to USB converter and a serial cable
- iSite software
- Package (.pkg) and Configuration files (.opt) as shared by the service provider
[Figure: modem connections showing the serial port with USB to serial converter, the LAN RJ45 port, and the feed horn with LNB]
Using PuTTY or another serial terminal emulator, connect to the console port of the modem. The default
login user is root and password is P@55w0rd! (or sometimes “iDirect”).
iSite is a software tool to manage the remote device by direct connection through the
Ethernet port at the rear of the modem. Depending on the iSite version, not all iDirect modems
are supported, so make sure the service provider shares the appropriate software
version along with the configuration files. For iDirect X series modems, the version has
to be 12.0.0.0 or higher (go to Help menu -> About iSite).
Before being able to configure the modem, make sure your computer has an IP address in the same
range as the one obtained through the “laninfo” command. In the example above, the computer could
be configured with any IP in the range 10.3.1.2-253 with a network mask of 255.255.255.0.
As the iSite software is launched, the modem will be automatically surveyed. If not found, verify the
IP and firewall parameters then go to File -> new, right click over the “unknown” device and click on
“login”. The default password should be “iDirect”.
Once discovered, the installer must upload the package and options files provided by the service
provider to the modem. Select the remote and right click on the “Download Package”. Browse for the
service provider *.pkg file. Then make sure the “Don’t check version”, “download images only” and
“don’t reset” options are ticked. Then click start to commence the upload process.
As with the package file, go back to the tree view and select “download option from disk”.
Browse and install the appropriate option file. The option file is built by the service provider and
matches the specific site; as such it contains:
- the geographic location, which is important to determine the timing delay.
- the antenna information, such as its power voltage and BUC/LNB oscillator references.
- the DID number. The HUB identifies each remote using a “HDLC number”, which is related
to the DID of the modem.
This means a modem replacement cannot be done without generating a new OPT file.
At this stage, the pointing can be verified by going back to the tree
view, right clicking on the remote, selecting “Align Antenna” and
then click “Antenna pointing”. A graph showing a green bar
indicating the signal strength should be displayed.
Once the antenna has been pointed and fine-tuned, contact the service provider for a step by step
modem configuration. The installer should have received a modem configuration file similar to the
following:
To avoid any potential grounding problem, BUC & LNB must be connected with a 16 mm² grounding
cable to the indoor rack using the termination lugs provided with the installation kit.
Notes:
• Telecom equipment grounding is separate from building electrical grounding
• Always use the shortest and most direct path to ground point
• Avoid sharp bends in ground cable
• Do not connect the equipment ground to the lightning arrestor
• Lightning protection is not the VSAT installers’ responsibility
• Lightning protection reduces the risk of fire and does not protect the equipment
CHAPTER 6
IP NETWORKS
(LAN/WAN/VoIP)
When creating a LAN for an emergency office, the best practice is to adopt a modular approach to
the network design. The network should be segmented into functional areas or modules, following the
idea of flood chambers in a boat, which minimizes the global impact of a localized event on the LAN.
Apart from a positive impact on security, stability and day-to-day operations (easier troubleshooting),
this approach also creates scalable networks where a module can be added or removed without
having to redesign the rest of the network.
There can be many modules in a LAN: remote access module (VPN termination), video-conference
module, PSTN module, etc… In most networks however, three main modules (core, access, server)
are the common denominator:
As illustrated, servers should not be connected to the Access layer but to the Server Block.
[Figure: network modules, with servers in the Server Block and end devices (printers, laptops, desktops, VC devices)]
In the case of emergency offices, the above model can be simplified by combining the Access, Core
and Server Layers, creating what is called a “Collapsed Core”. In a nutshell, all emergency offices
can be represented by three categories, the differentiating factors being as follows:
First category:
• No local IT Support AND
• No local services except Internet connectivity/printing provision
Second category:
• Less than 100 staff AND
• No VLAN-segregated IP Telephony AND
• No remote office or hot standby BCP site to connect
Third category:
• More than 100 staff AND/OR
• VLAN-segregated IP Telephony AND/OR
• Remote office or hot standby BCP site to connect
This solution is only recommended for small temporary offices (1-15 responders, less than 6 months)
that require basic Internet access for personnel through WiFi, and it relies on simple and cost
effective equipment (all-in-one wireless routers: Meraki, DD-WRT…).
An office is classified as “Case 2” (Flat LAN) if it has less than 100 staff and no remote office or
“hot standby” BCP site to connect. Functional VLANs might be necessary when adding modules (Corp
WiFi, Guest WiFi, IP telephony…):
An office is classified as “Case 3” (Routed LAN) if it has more than 100 staff, needs to connect
remote office(s) or “hot standby” BCP site(s), requires geographical VLAN segregation and possibly
network redundancy:
[Figure: routed LAN with two core switches (Core 1, Core 2) uplinked to the firewall, each subnet using an HSRP virtual gateway address]
Case 2 is very rare and would only apply to large long-term emergency offices.
Determining the correct bandwidth is essential to avoid congestion. Usually the bandwidth is
calculated based on the type of connectivity, quantity of Internet links and number of users:
Depending on countries and scenarios, Internet access would be available through the following means:
- Local ISPs can provide terrestrial or satellite links, oftentimes with more advantageous terms
than global providers but with a lower quality of service.
- Corporate terrestrial links: a global provider is contracted to ensure that offices benefit from the
best terrestrial connectivity option. In such case the operator also maintains dedicated leased
connections to Corporate global data centers.
- Corporate VSAT: a global VSAT provider is contracted to maintain the satellite network and the
leased lines from field offices to Global data centers. Providers usually implement MPLS
Wide Area Network (WAN) refers to the organization’s worldwide network, which is basically the
sum of all country LANs and their linkage to the main data centres. The WAN is accessed through
the establishment of IPSec tunnels which can be initiated either directly from the client machine
(OpenVPN, Cisco AnyConnect, DirectAccess) or from a network appliance (router, firewall...). In all
cases IPSec tunnels are terminated in datacenters by an appliance called a VPN concentrator.
Thanks to the advent of cloud computing, humanitarian organizations no longer need to maintain
local or global servers. This makes it possible to deploy “lighter” networks and reduce the ICT
footprint, which is also advantageous for emergency response, provided enough bandwidth is available.
Services generally hosted in the cloud are:
- Office 365, which includes email (Outlook), file sharing (SharePoint and OneDrive) and Active
Directory Federation Services (ADFS) for the end user authentication;
- Enterprise Resource Planning (ERP) software, based on Oracle, SAP, Salesforce…
- Windows Server Update Service (WSUS), which provides updates to Microsoft applications;
- AntiVirus updates;
- Domain Name System (DNS), which translates Intranet and Internet website addresses into
numerical IP addresses;
- Telephony and Voice over IP, for example with Skype for Business.
Because centralizing IT services in global data centers or in the cloud increases the load on existing
link bandwidth, and instead of systematically procuring additional capacity (which is not a solution to
congestion), UNICEF implements a number of WAN optimization techniques. These techniques
are usually performed by the security gateway or PC client and are summarized as below:
Usually the Routing/NAT/PAT functions are performed by a router or security gateway. The automatic
distribution of IP parameters (DHCP) to end-user devices can either be performed by a Windows server
or a network appliance (firewall, switch, wireless controller). The following devices are assigned
IP addresses either via DHCP or statically:
- Static: routers, switches, wireless bridges, access points, servers and WLAN controllers
- DHCP: computers, printers, scanners, smartphones, tablets, IP phones…
In large humanitarian agencies, each country has a pre-assigned private IP address range that can be
used when a new LAN is required. A best practice is to assign a /24 range to small or medium offices
and a /23 range for the largest offices.
CIDR   Hosts   Netmask
/30    2       255.255.255.252
/29    6       255.255.255.248
/28    14      255.255.255.240
/27    30      255.255.255.224
/26    62      255.255.255.192
/25    126     255.255.255.128
/24    254     255.255.255.0
/23    510     255.255.254.0
/22    1022    255.255.252.0
/21    2046    255.255.248.0
/20    4094    255.255.240.0
Figure 140 - Dimensioning networks
Then, as a rule of thumb:
- First and last addresses of any range are automatically used by IP as network and broadcast
addresses. They should not be allocated to any network interface.
- The last IP addresses of the LAN range, outside of the DHCP scope, are reserved for network
equipment such as routers, firewall, switches... The gateway is always assigned the last IP
available (x.y.z.254).
- End users receive IP parameters from a DHCP server starting at the beginning of the scope.
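The rule of thumb above as an added worked example (not part of the handbook): Python that sizes a range from the Figure 140 host counts and lays out the DHCP scope, the reserved equipment block and the gateway, then labels any address so a static assignment inside the DHCP scope can be spotted. The 10.99.x.x ranges, the function names and the 14-address equipment block are assumptions chosen for illustration.

```python
import ipaddress


def smallest_prefix(devices: int) -> int:
    """Smallest subnet between /30 and /20 whose usable host count
    (as listed in Figure 140) covers the number of devices."""
    if devices < 1:
        raise ValueError("at least one device is required")
    for prefix in range(30, 19, -1):
        if 2 ** (32 - prefix) - 2 >= devices:  # minus network and broadcast
            return prefix
    raise ValueError("over 4094 devices: split the site into several ranges")


def address_plan(cidr: str, equipment_block: int = 14) -> dict:
    """Lay out a LAN range: DHCP scope at the bottom, a block reserved for
    network equipment at the top, gateway on the last usable address.
    equipment_block (gateway included) is an assumed size, not a handbook value."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits, e.g. 10.99.0.5/24
    usable = net.num_addresses - 2
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("expected an IPv4 range of /30 or larger")
    if not 1 <= equipment_block < usable:
        raise ValueError("equipment block must leave room for a DHCP scope")
    equipment_first = net.broadcast_address - equipment_block
    return {
        "network": net,
        "netmask": net.netmask,
        "dhcp_first": net.network_address + 1,
        "dhcp_last": equipment_first - 1,
        "dhcp_size": usable - equipment_block,
        "equipment_first": equipment_first,
        "gateway": net.broadcast_address - 1,
    }


def role_of(plan: dict, ip: str) -> str:
    """Say which part of the plan an address falls in. A statically configured
    device that comes back as 'dhcp' will eventually collide with a lease."""
    addr = ipaddress.ip_address(ip)
    net = plan["network"]
    if addr not in net:
        return "outside"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    if addr == plan["gateway"]:
        return "gateway"
    if addr >= plan["equipment_first"]:
        return "equipment"
    return "dhcp"


if __name__ == "__main__":
    # Constructed scenario: 180 devices expected in a medium office.
    print("prefix needed: /%d" % smallest_prefix(180))
    plan = address_plan("10.99.0.0/24")
    for key, value in plan.items():
        print(f"{key:16} {value}")
    # Constructed static assignments to audit against the plan.
    for static_ip in ("10.99.0.254", "10.99.0.250", "10.99.0.17"):
        print(static_ip, "->", role_of(plan, static_ip))
```

The equipment block shrinks the DHCP scope, so size the range on end-user devices plus the reserved block rather than on end-user devices alone.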
Virtual networks or VLANs allow network administrators to create groups of logically networked
devices that act as if they are on their own independent network (different IP subnet), even if they
share a common physical infrastructure. Virtual networks carry specific terms defining the type of
network traffic being carried or a specific function the VLAN performs. The following describes
common VLAN terminology:
- Data VLANs are identified by a number and configured to carry only user-generated traffic. Such
traffic would include:
o Functional VLANs such as wired machines, corporate WiFi, guest, IP Telephony…
o Location VLANs such as a wiring closet, a building, a floor, a department (marketing,
finances…).
- Trunk links are required to transfer all VLAN information between switches. A port on a switch
is either an access port or a trunk port. Access ports belong to a single VLAN and only carry
traffic that comes from the VLAN assigned to the port. A trunk port is by default a member of all
the VLANs that exist on the switch and carries traffic for all those VLANs between the switches.
To distinguish between the traffic flows, trunk ports mark the frames with special tags as they
pass between the switches.
- The management VLAN is the term network administrators use for the VLAN used to access the
management and configuration interfaces of the networking devices (ex: CLI, Web GUI…).
To enforce LAN security, the “zone-based security” approach is used. A zone is a part of a network
that groups a specific function or role, and is rated from “trusted” to “untrusted” depending on the
nature of the traffic that it carries. Each zone is restricted to a pre-defined set of protocols
and/or users and has well-defined inputs and outputs to other zones through a firewall:
In practice, security zones typically translate into firewall ports (virtual or physical). Several ports
could be part of a specific level or colour of security zone, effectively introducing several “shades” of
color (e.g. “darker” or “lighter” green etc…). As an example, the WAN is typically part of the green
zone but on a separate firewall port: the WAN conveys trusted traffic (green zone) but is still on a
separate firewall port for basic security visibility and control (dark green zone).
A default global security policy should be applied to all firewalls. Such a policy is
implemented by creating rules in the firewall, which in turn filters every packet to make sure only
legitimate traffic enters or exits the local networks. Rules can later be adapted on a case by case
basis depending on the site’s specific requirements.
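An added illustration of the zone model and of a global policy with site-specific adaptations, as described above (example code, not the handbook's or any vendor's rule set): each address is mapped to a zone, site rules are checked before the global rules, and unmatched traffic is dropped. The zone names, subnets, rules and the default-deny fallback are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional, Sequence, Tuple


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"


# Constructed zone map: each zone stands for one firewall port and its subnet.
ZONES = {
    "lan":   ipaddress.ip_network("10.99.0.0/24"),  # trusted office LAN
    "guest": ipaddress.ip_network("10.99.1.0/24"),  # guest WiFi
    "wan":   ipaddress.ip_network("10.0.0.0/8"),    # corporate WAN on its own port
}

# Constructed global policy, shared by every site.
GLOBAL_POLICY = (
    Rule("lan",   "wan",      "any", None, "allow"),
    Rule("lan",   "internet", "tcp", 443,  "allow"),
    Rule("lan",   "internet", "udp", 53,   "allow"),
    Rule("guest", "internet", "tcp", 443,  "allow"),
)


def zone_of(ip: str) -> str:
    """Longest-prefix match against ZONES; anything else is 'internet'."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(hits)[1] if hits else "internet"


def matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (rule.src_zone == src and rule.dst_zone == dst
            and rule.proto in ("any", proto)
            and rule.port in (None, port))


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int,
             site_rules: Sequence[Rule] = ()) -> Tuple[str, str]:
    """Return (action, reason) for a new connection crossing the firewall.
    Site rules are consulted first, then the global policy, then default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "not-filtered", f"both ends in zone {src}"
    for origin, rules in (("site", site_rules), ("global", GLOBAL_POLICY)):
        for rule in rules:
            if matches(rule, src, dst, proto, port):
                return rule.action, f"{origin} rule {src}->{dst}"
    return "deny", f"default deny {src}->{dst}"


if __name__ == "__main__":
    # Constructed flows: guest WiFi must never reach the LAN or the WAN.
    site = (Rule("lan", "internet", "tcp", 8443, "allow"),)
    flows = [
        ("10.99.0.10", "203.0.113.5", "tcp", 443),
        ("10.99.1.10", "10.99.0.10", "tcp", 445),
        ("10.99.1.10", "10.20.0.1", "tcp", 443),
        ("10.99.0.10", "203.0.113.5", "tcp", 8443),
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow, site_rules=site))
```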
Firewalls implement an algorithm (“Adaptive Security Algorithm”) that inspects the state of TCP and
UDP connections between a client in the network and a server on the Internet. Such inspection
generally protects against common attacks (such as Denial of Service or man in the middle attacks).
Two additional mechanisms, named “Intrusion Detection” and “Application Inspection”, analyse traffic
and prevent the propagation of viruses, worms and spam through the network.
With the adoption of Microsoft Skype for Business as a standard for IP telephony, users can dial
correspondents either with the Skype for Business software or with physical phones (Polycom).
Functioning as a SIP Gateway, a dedicated network appliance (Audiocodes, Sonus…) can be
implemented to enable local coms (PSTN, office communications…).
Another popular solution is Cisco’s IP Telephony solution. The voice traffic is handled by Cisco’s
Unified Call Manager (UCM) or for smaller offices, Cisco’s Call Manager Express (CME) which is
embedded in all Cisco voice routers. CME also makes it possible to deploy IP and analogue telephones
and to link with the PSTN or a PBX.
Most Voice Gateways have slots where additional cards can be inserted, for example:
When issuing internal “on-net” calls (as opposed to “offnet” calls), the dialing plan for UN offices is
standard and as follows:
The number of extension digits can vary from 2 to 4 depending on the office, for example:
For offnet calls, i.e. calls through the local PSTN or a SIP provider, offices typically have to dial a
prefix then the full number (for example: 00 for international calls or 9 for local calls).
Figure 141 - Redundant Network
(*) Open Systems is the company managing UNICEF firewalls. Please contact ICTD for latest pricing.
2.2 SWITCHES
Because configuring local area networks requires a significant amount of time (which is a limited
resource in an emergency), humanitarian organizations design “emergency kits” based on specific
requirements (WiFi, VoIP, servers…) and hardware. Kits are assembled, configured, tested and then
stored until deployed. In UNICEF, the following kits are available for deployment:
Plug the MX or Z1 into a power outlet and connect a computer to any of the LAN ports:
Once the MX has booted (LED rotating colors), the computer should obtain a DHCP IP address in
the 192.168.0.0/24 network, with the MX as gateway 192.168.0.1.
In a web browser, type the MX IP address (192.168.0.1) to access the local web configuration page
(note that since there is no Internet connectivity, the page shows a warning):
Go to the configure tab. The default credentials use the device serial number as the username, with
a blank password field.
- VLAN tagging: no
- Connection type: direct
- IP Assignment: static
- Enter the IP address, subnet mask, default
gateway IP and DNS server information.
Note: if the office has a secondary internet line, configure static or DHCP IP parameters for:
- Interface Internet 2 for the MX65
- Interface LAN 4 for the MX64
It will take a couple of minutes before the MX connects to the Meraki Cloud. Once operational, the
LED should turn white. You can connect to the new MX IP from an Internet browser to verify:
If you reached this stage, basic configuration of the MX has been achieved. The device will connect
to the Meraki cloud and proceed with the download of its configuration (provided a global admin has
pre-configured the device). You can connect to www.meraki.com to access the network statistics:
This section details the setup process of the Open Systems (aka “Mission Control”) security gateway
used in the majority of UNICEF offices. A working internet connection as well as a publicly available
IP address will be required at the emergency site (DHCP-based ISPs, for example, are not supported
at the time of writing).
The Mission Control security gateway is operated as a managed device. This means the Mission
Control operations teams in Switzerland and Australia are responsible for the operational support of
installations, incidents and changes. This applies not only to emergency response but also regular
operations. Support is obtained either by using the ticketing system integrated with the Mission
Control web portal or the 24x7 hotline.
The Mission Control firewall not only carries out regular security operations (filtering, state inspection,
intrusion detection…) but also many routing functions at layer 3:
- Network and Port Address Translation (NAT/PAT). As LAN and WIFI clients have non-routable
private IP addresses, the firewall translates all internal addresses to its public IP address(es).
- IP routing, so IP packets coming from the LAN/WLAN are routed through the Internet or the
WAN.
- IPSec tunnelling to link LAN and global UNICEF WAN.
- Automatic IP parameter assignment (DHCP server) for LAN, WIFI and IP phones.
- Packet filtering to make sure only legitimate traffic enters or exits the local networks. The filtering
is enabled by the implementation of specific rules (defined by the global UNICEF security policy).
- Adaptive Security Algorithm to inspect the state of TCP and UDP connections between a client
in the network and a server on the Internet. Such inspection generally protects against common
attacks (such as Denial of Service or man in the middle attacks).
- Intrusion detection and application inspection, two mechanisms to analyse traffic and prevent
the propagation of viruses, worms and spam through the network.
- Monitoring and statistics for all used interfaces.
The next figure illustrates the default interface assignment of the Mission Control security gateways:
- E0 – Primary link or WAN: because this interface cannot be pre-configured, a (public) IP
address must be manually assigned from the field. The responder must make sure the Internet
Service Provider (ISP) provides a non-NATted publicly routable IP address.
For UNICEF ICT responders, the only configuration required on the firewall will be to assign the ISP
provided public IP address to the external interface. Before doing so, it is mandatory to contact the
24/7 Mission Control Operations Center (+800 00 724 000 (toll-free number) or +41 58 100 11 11,
support@open.ch) and submit the following information:
Mission Control personnel will create a ticket which documents the complete interaction relating
to the setup of the emergency equipment. This ticket will be available through the security gateway
Web Portal. Make sure the security gateway has booted: it should be displaying the first 16
characters of its hostname as well as its initially configured external IP address on the display
on the front of the device.
Figure 151 – Firewall Display
3.2.3 Assigning an External IP Address
A computer with a terminal emulator software (such as PuTTY or HyperTerminal), console cable and
USB to serial adapter is required. Plug the console cable to the security gateway console port, start
PuTTY and open a session on the COM port.
The security gateway UNIX prompt should display; enter the username menu and the password
Sam0cure16. The installer should be redirected to the initconf menu. Select menu “3 – Configure
Network”.
Once configuration has been finalised, clients in the LAN, WIFI and IP Phones should get IP
addresses assigned automatically upon DHCP requests. Internet and Intranet should also be
accessible. Perform the following tests to verify these functionalities:
- Connect a computer to the LAN and check the correct IP assignment (for Windows use ipconfig
on the command line)
- Access any public website (e.g. www.google.com)
- Access any Intranet site (e.g. icon.unicef.org)
- Launch the Vision client (if it reaches the login prompt, test is successful)
- Proceed similarly using the WIFI networks and IP Phones
If any of these tests did not pass, call Mission Control operations and request live debugging support.
The security gateway management is available through a web portal that can be used to obtain
the current status of services, configurations, statistics, troubleshooting tools and support tickets.
The URL is as follows: https://control.open.ch/ Credentials are available to each UNICEF IT admin. A token
generator is used for the last authentication phase. Press the token button to display the 6 numbers
and enter these in the portal. Once logged in, the user is redirected to a page which lists the security
gateway included with the LAN kit.
Click on the device to access the dashboard. The dashboard provides a quick status overview of the
security gateway: list of resolved and unresolved tickets, basic network interface parameters and
connection monitoring information for the last 24 hours:
Figure 154 - Security gateway Dashboard (labelled areas: Open Tickets, Network Interfaces,
Resolved Tickets, Firewall location, Subscribed services, Link Availability)
In addition to the status overview the dashboard provides a menu link to more detailed security
gateway information:
The Statistics menu lists all sorts of graphs, which can be useful to monitor bandwidth usage
patterns, link congestion and the number of LAN and WIFI clients connected… Clicking on a graph
opens a more detailed page with historical graph data over one day, week, month and
year.
The configuration menu opens a page listing security gateway settings such as IP routing, detailed
interfaces configuration, DHCP settings, failover status and, most importantly, the security gateway
security policy. Click the “Distributed Firewall Policy” link to open current, as well as former, firewall
policies:
The global policy contains the complete set of rules configured for all UNICEF firewalls worldwide,
including the ones which are not relevant for the emergency location. To access the location specific
security settings, select the “Distributed Firewall Policy for ucef-sg9XX-dk-etr-1”.
The firewall analyses each packet crossing its interfaces one by one and compares it with the
list of rules and chains configured, in descending order. If the packet matches the criteria of a
chain, then the firewall will enter this chain, check for a matching rule and, if none is found,
enter sub-chains and continue inspection recursively. If a packet matches the criteria of a rule,
then the action defined in this rule is applied to the packet (accept, drop, or reject the packet)
and it is processed. At the end of every chain there is a policy rule which handles all packets
which did not match any rule before.
The minimum global security policy for UNICEF Firewalls is composed of at least three main chains
named respectively “ext2wan”, “wan2ext” and “wan2wan”. The meaning of these chains is as
follows:
- ext2wan: Chain for rules of traffic from external to the UNICEF WAN.
- wan2ext: Chain for rules of traffic from the UNICEF WAN to external.
- wan2wan: Chain for rules of traffic between different Zones of the UNICEF WAN.
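The chain traversal described above, as an added example that is not part of the handbook or of the Mission Control product: a small evaluator that walks chains and rules in configured order and returns the action together with the path that decided it. The class names, rule names, addresses and the policy itself are constructed for illustration, and it assumes that rules and sub-chains inside a chain are processed strictly in the order listed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

ANY = "0.0.0.0/0"


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                      # "accept", "drop" or "reject"
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


@dataclass
class Chain:
    name: str
    policy: str                      # applied when nothing in the chain matched
    src_zone: Optional[str] = None   # None matches any zone
    dst_zone: Optional[str] = None
    src: str = ANY
    entries: List[Union[Rule, "Chain"]] = field(default_factory=list)

    def matches(self, p: Packet) -> bool:
        return (self.src_zone in (None, p.src_zone)
                and self.dst_zone in (None, p.dst_zone)
                and ip_address(p.src) in ip_network(self.src))


def evaluate(chain: Chain, p: Packet,
             path: Tuple[str, ...] = ()) -> Tuple[str, Tuple[str, ...]]:
    """Return (action, path); path lists every chain entered and the deciding rule."""
    path += (chain.name,)
    for entry in chain.entries:              # configured order, top to bottom
        if isinstance(entry, Chain):
            if entry.matches(p):             # enter the sub-chain; its policy is final
                return evaluate(entry, p, path)
        elif entry.matches(p):
            return entry.action, path + (entry.name,)
    return chain.policy, path + ("policy",)  # policy rule at the end of the chain


# Constructed policy for illustration only (not the UNICEF rule set).
POLICY = Chain("root", "drop", entries=[
    Chain("ext2wan", "drop", src_zone="ext", dst_zone="wan", entries=[
        Rule("https-to-dmz", "accept", dst="192.168.1.0/24", proto="tcp", dport=443),
    ]),
    Chain("wan2ext", "reject", src_zone="wan", dst_zone="ext", entries=[
        Chain("dmz-out", "drop", src="192.168.1.0/24", entries=[
            Rule("dmz-https", "accept", proto="tcp", dport=443),
        ]),
        Rule("dns-out", "accept", proto="udp", dport=53),
    ]),
    Chain("wan2wan", "drop", src_zone="wan", dst_zone="wan", entries=[
        Rule("dmz-to-mail", "accept", src="192.168.1.0/24",
             dst="198.51.100.25/32", proto="tcp", dport=25),
    ]),
])


def decide(src_zone, dst_zone, src, dst, proto, dport):
    """Evaluate one packet, given as plain values, against the constructed policy."""
    return evaluate(POLICY, Packet(src_zone, dst_zone, src, dst, proto, dport))


if __name__ == "__main__":
    for args in [("ext", "wan", "203.0.113.7", "192.168.1.10", "tcp", 443),
                 ("ext", "wan", "203.0.113.7", "192.168.1.10", "tcp", 22),
                 ("wan", "ext", "192.168.1.10", "203.0.113.53", "udp", 53),
                 ("wan", "ext", "172.16.2.20", "203.0.113.53", "udp", 53),
                 ("wan", "wan", "172.16.2.20", "198.51.100.25", "tcp", 25)]:
        print(args, "->", decide(*args))
```

The third and fourth sample packets show why the returned path matters when reading the firewall log: the DMZ host's DNS query is dropped by the policy of the sub-chain it entered, even though a later rule in the parent chain would have accepted it.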
Coming back to the portal, chains can be expanded and collapsed by clicking the “+/-” icon. For each
chain and rule, the matching criteria are displayed:
- Link Historical Status > Connection monitoring: link stability & SLA
- Statistics > VPN Connections: verify tunnel usage, RTT and packet loss
- Tools > neighbor detection: scan all devices in the same network
- Tools > Port Scan: tests open ports for a specific device
- Distributed Firewall Log Viewer: verify if the firewall is not blocking traffic
Tickets are an important feature of the security gateway service since no change can be implemented
directly by UNICEF personnel on-site. Instead, the local administrator will raise a ticket, for example
to request that a specific TCP port be opened. Mission Control engineers will then analyse the request
and apply the change on the security gateway. Some changes require approval from Network
Operations in NYHQ.
Tickets can either be created by the field administrator or by a Mission Control engineer during
operations to document a phone call or email. Tickets can also be automatically created by the
Mission Control monitoring engine to escalate warnings and alerts. In emergencies, service level
agreements require a ticket to be resolved in less than 30 minutes.
To open the ticketing page, click on the “Tickets” tab in the main navigation bar at the top of the page.
To create a new ticket, use the link on top of the ticket list next to the green. This
link will open a pop up window, in which the administrator must determine the ticket type (request,
Any reply from Mission Control will be then logged in the newly created ticket. For example:
New comments can be added to the ticket by clicking the “Add Comment” on top of the event list.
Once resolved, the ticket will summarize all events in chronological order.
As a daily routine, field IT administrators might need to create additional firewall rules to allow
legitimate applications to pass through. Firewall changes must be requested via the ticketing system
(see previous chapter). It is essential to provide as much information as possible so that the request is
comprehensible to the Mission Control engineer in charge of applying the rule, for example:
- Source address(es)/network(s)
- Destination address(es)/network(s)
- Service(s) (protocol and port)
- Rule description
Using the portal debugging and traffic analysis tools should prove useful to determine if a rule has
been applied. Also note that field administrators can create a request for a live debugging session in
which case Mission Control will call back and analyse the problem. A live debugging request might
look as follows:
We are not able to reach the Email server in Geneva from our DMZ 192.168.1.0/24.
Please call me back for a live debugging session. You can reach me on my mobile
phone +1 234 567 890. I am reachable all afternoon.
The switch is a crucial component of the network as it forwards all layer 2 frames in the different
VLANs (if applicable) attached to its interfaces and powers low-consumption devices (IP phones,
access points…). All wired network devices in the office kit are physically connected to a switch:
security gateway, wireless LAN controller, access points, IP phones… Switches can be managed
either with Cisco’s Network Assistant or with the Command Line Interface (CLI). The CLI can be
accessed via the console port or SSH using software such as PuTTY.
This method is recommended for responders who are familiar with Cisco IOS commands and the CLI.
All switch parameters can be modified using the CLI. For further information about the list of
available commands, refer to the following files located on the flash drive:
► Catalyst 3560-X - Configuration Guide - Release 12.1(19)SE.pdf
► Catalyst 3560-X - Switch Command Reference.pdf
a. Connect a PC to the switch console port with the provided blue console cable and power on the
switch. If the PC does not have a serial port, use a serial to USB converter.
e. Click Open.
This section highlights how to name the switch, create a username / password, define its IP
parameters (VLAN 1), enable remote access (GUI, SSH, telnet, SNMP) and configure the time.
hostname SS-JBCP-CS-01
username admin privilege 15 secret 5 $1$UQXk$GkzF/itgviIjTel0bmfEY1
ip domain-name unicef.org
crypto key generate rsa
ip forward-protocol nd
ip http server
ip http authentication local
The interface is divided into 3 parts. The menu bar at the top gives access to the most commonly used
functionalities: rescan the network, save the configuration, upgrade the firmware, port and VLAN
configuration, health monitor, topology view…
Using the CNA, go to the “Configure” menu of the features bar, go to Switching and then click
VLANs.
An alternative would be to enter following commands using the CLI, here we create the VLAN 200:
Following commands are required to configure the port as trunk (multiple VLANs):
When connecting a PC to a switch, it may sometimes take 30 seconds or more before the PC can
communicate on the network. This is due to the many negotiations happening between the switch
and the PC network interface card: spanning tree initialization (15s), EtherChannel configuration test
(15s), trunk configuration test (a couple of seconds), auto-negotiation of switch port speed and duplex
(a couple of seconds)…
Although this negotiation phase is important when interconnecting switches, access points or
firewalls (especially the spanning tree protocol), if end-user equipment such as desktops, laptops
or printers connects to a port (and remains connected), the negotiation phase can
be reduced and optimized:
- Make sure all ports connecting to end-user clients are in static access mode: in CNA, go to the
VLANs menu and manually define each port as “Static Access” (instead of dynamic by
default). This disables trunk negotiation and prevents the port from going through EtherChannel
negotiation, saving about 15 seconds of the switch port initialization. In the CLI, use the “show
vlan” command.
- Configure PortFast: in CNA go to port settings and check the “port-fast” column; make sure
it is “enabled” or, even better, “enabled if static”. This saves the port from going through STP
negotiation and cuts another 15 seconds from the switch port initialization. In the CLI, use the
“spanning-tree portfast” command in the interface configuration mode.
- Optionally, you could also manually configure the switch port's speed and duplex, saving a few
more seconds. In CNA, go to port settings and modify each port via the speed and duplex
columns.
As DHCP is enabled on the LAN interfaces, the network is exposed to users connecting a
non-standard device to a LAN cable and gaining unauthorized access to the corporate network. Using
CNA, the port security functionality can be used to restrict a switch port so that only one device can
use it. When an inappropriate device attempts to send frames to the switch interface, for example when a
user removes the LAN cable from a desktop to connect their laptop, the switch would discard frames
from the laptop, or even shut down the interface (not recommended).
a. Make sure the switch interface is on access mode (doesn’t work on trunks)
b. Enable port security
c. (Optional) Specify the maximum number of allowed MAC addresses
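The cable-swap case described above as a small state model, added here as an illustration (it is not code from the handbook or from Cisco). Class and method names are hypothetical, the MAC addresses are constructed, and the model assumes IOS-style behaviour in which dynamically learned secure addresses are forgotten when the link drops while sticky addresses persist.

```python
from dataclasses import dataclass, field
from typing import List, Set

DESKTOP = "00:00:5e:00:53:01"    # constructed, documentation MAC range
LAPTOP = "00:00:5e:00:53:02"     # constructed, documentation MAC range


@dataclass
class SecurePort:
    maximum: int = 1                 # maximum number of allowed MAC addresses
    violation: str = "shutdown"      # "protect", "restrict" or "shutdown"
    sticky: bool = False             # keep learned addresses across link-down
    secure_macs: Set[str] = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0

    def link_down(self) -> None:
        """Cable unplugged: learned addresses are forgotten unless sticky."""
        if not self.sticky:
            self.secure_macs.clear()

    def receive(self, mac: str) -> str:
        """Return what happens to a frame with this source MAC."""
        mac = mac.lower()
        if self.err_disabled:
            return "port-down"               # stays down until an admin re-enables it
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)        # learn the address
            return "forward"
        if self.violation == "protect":      # silent discard, nothing counted
            return "discard"
        self.violation_count += 1            # restrict and shutdown count the event
        if self.violation == "restrict":
            return "discard"
        self.err_disabled = True             # shutdown: the whole port goes down
        return "port-down"


def cable_swap(port: SecurePort) -> List[str]:
    """Desktop sends, user swaps the cable to a laptop, then plugs the desktop back."""
    events = [port.receive(DESKTOP)]
    port.link_down()
    events.append(port.receive(LAPTOP))
    port.link_down()
    events.append(port.receive(DESKTOP))
    return events


if __name__ == "__main__":
    for sticky, mode in [(False, "restrict"), (True, "restrict"), (True, "shutdown")]:
        port = SecurePort(sticky=sticky, violation=mode)
        print(f"sticky={sticky} violation={mode}:", cable_swap(port),
              "violations:", port.violation_count)
```

Under these assumptions the laptop is only rejected when the desktop's address is retained across the unplug (sticky or statically configured), and the shutdown mode also cuts off the legitimate desktop afterwards, which is why the text advises against it.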
This example shows how to configure a secure MAC address and a VLAN ID on a port using the
CLI:
This example shows how to enable sticky learning and to enter two sticky secure MAC addresses
on a port:
This example shows how to configure a port to shut down only the VLAN if a violation occurs:
An alternative to the manual port security process would be to use, pending availability, a RADIUS
server to authenticate users connected to the switch against their Active Directory credentials and
the computer's unique certificate.
To enable radius server authentication, enter following commands through the CLI:
If required, perform an OS update. Download the TAR IOS image (warning: the bin IOS image does not
include the full web GUI) and perform the update through the GUI.
Alternatively, the update can be done through the console, but it takes longer. Copy the TAR file to a USB
flash drive and adapt the following command:
sh power inline
debug ilpower port
debug ilpower powerman
debug ilpower event
Call Manager (Express) 11 is required for the latest Cisco SIP phones. CME 11 is available starting
with IOS version 15.6. If required, upgrade the firmware: copy the IOS to a USB flash drive and issue
the following commands:
Note that on the latest Cisco routers running IOS-XE, the boot command is different:
This section highlights how to name the VoIP gateway, create a username / password, define its IP
parameters (Ge0), enable remote access (GUI, SSH, telnet, SNMP) and configure the time.
hostname SS-JBCP-VR-01
aaa new-model
aaa authentication login default local
aaa authentication login h323 local
aaa authorization exec h323 local
aaa authorization network h323 local
clock timezone Ross 3 0
no ip domain lookup
ip domain name unicef.org
file privilege 0
interface GigabitEthernet0/0/0
description Link_to_Core_Switch
ip address 158.113.205.77 255.255.255.240
no shut
ip default-gateway 158.113.205.78
ip forward-protocol nd
ip http server
!ip http access-class 23
ip http access-class ipv4 199
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:cmegui11.6
ip tftp blocksize 8192
ip tftp source-interface GigabitEthernet0/0/0
line con 0
password 7 14311B0E0000233F74
line vty 0 15
access-class 23 in
password 7 1068001C09131B1F5C
login local
transport input ssh
ntp server 158.113.18.9
If the office needs to register Cisco or generic SIP phones to the CME:
telephony-service
conference transfer-pattern
max-ephones 50
max-dn 200
ip source-address 158.113.50.119 port 2000
system message Welcome to UNICEF
load 7945 SCCP45.9-4-2SR3-1S
load 7960-7940 P0030801SR02
load 7965 SCCP45.9-2-1S
load 7970 SCCP70.9-2-1S
time-format 24
max-conferences 1 gain -6
web admin system name webAdmin secret 5 $1$Jesq$NiN3aZYnCl.EUrVQm7fyU/
dn-webedit
time-webedit
transfer-system full-consult
Then create the SIP Phones (example for a Cisco 8831 and 8841)
And finally, the following commands will generate the config files for the phones:
The procedure is similar to SIP phones, first create the phone numbers, for example:
ephone-dn 1
number 01
description Test
name UNICEF Test
hold-alert 30 originator
Then create the SCCP phone entry and assign the number (example for a Cisco 7945)
And finally, the following commands will generate the config files for the phones:
telephony-service
no create cnf-files
create cnf-files
Dial plans on Cisco routers are manually defined using dial peers. Dial peers are similar to static
routes; they define where calls originate and terminate and what path the calls take through the
network. Attributes within the dial peer determine which dialed digits the router collects and forwards
to telephony devices. To configure a dial-peer which would reach another office through the WAN:
Call simulation
Note: csim only works in telnet mode, not SSH. Because telnet is disabled by the remote access
rule, SSH into the core switch and telnet to the voice router from there.
Debug
SCCP
telephony-service or ephone ephone-tag
restart { all [ time-interval ] | mac-address } or restart
end
SIP
voice register global or voice register pool pool-tag
reset or restart
end
Copy the attached config file to your router flash. Reboot the router by issuing the reload command.
When the router starts type "ctl+break". You should then see the prompt:
rommon 1>
Type:
rommon 1>confreg 0x2142
rommon 2>reset
>enable
#conf t
#config-register 0x2102
#end
#configure replace flash:2951-CAR-new.txt
#wr mem
CHAPTER 7
IP NETWORKS (WiFi)
Wireless Local Area Networks (WLAN), commonly known as “WiFi”, are usually implemented as the
final link between the existing wired network and a group of client computers, giving these users
wireless access to the ICT services across a building. WLANs are an ideal tool in an emergency
environment as ICT responders need a flexible and quick method to share connectivity between
users. Wireless technologies can also be used to connect buildings to one another without laying
copper or fibre cabling.
The 802.11 specification is the standard for wireless LAN. It was ratified by the
Institute of Electrical and Electronics Engineers (IEEE) in 1997 and has been
continuously improved since. Like all IEEE 802 standards, the 802.11 standards
focus on the bottom two levels of the ISO model, the physical layer and link layer.
Any LAN application, network operating system or protocol, including TCP/IP, will
run on an 802.11-compliant WLAN as easily as it runs over Ethernet.
WLAN standards are created by the IEEE and grouped under the IEEE 802.11 protocol set. They
usually operate in the 2.4 and 5 GHz frequency bands. Because standards set forth by the IEEE can
have such an impact on the development of technology, they can take many years to be created and
agreed upon. The best-known 802.11 protocols are the following:
- 802.11a - was ratified by IEEE in 1999 as an amendment to the original 802.11 standard. It
provided a much faster data transfer rate but lacked backwards compatibility with previous
802.11 protocols as it used the 5 GHz frequency bands.
- 802.11g - was the first standard to see widespread adoption. It was based on the 802.11
standard, offered data transfer rates as fast as IEEE 802.11a in the 2.4GHz band and
boasted backward compatibility with the previous 802.11 generation.
- 802.11n - is an amendment which improves upon the previous 802.11. Because 802.11n works
in both the 2.4 GHz and 5 GHz frequency bands, it is compatible with legacy 802.11a and
802.11b/g users. The key to 802.11n is the use of multiple antennas (MIMO), which improve
distance, reliability and speed. Up to four data streams can be sent simultaneously using 20MHz
or 40MHz channels, providing a maximum data rate of 248 Mbps.
- 802.11ac - is the latest 802.11 protocol. Changes compared to 802.11n include wider
channels (80 or 160 MHz versus 40 MHz) in the 5 GHz band, more spatial streams (up to eight
versus four), higher order modulation (up to 256-QAM vs. 64-QAM), and the addition of
Multi-user MIMO (MU-MIMO). Client battery life is extended when using 802.11ac.
The 5 GHz band, also known as UNII radio band, is another unlicensed band used for wireless
networks. Starting at 5.15GHz and terminating at 5.825GHz, it is significantly wider than the 2.4GHz
band (675MHz vs. 72MHz) thus enabling 20 channels spaced by 20MHz. Another advantage is that
it is much less congested since fewer devices operate in this band. In the US (and most of the world)
the band is subdivided into four ranges:
- UNII-1: 5.15-5.25GHz. 50mW maximum transmission, indoor use only (access points).
- UNII-2: 5.25-5.725GHz. 250mW maximum, both outdoor (bridges / outdoor APs) and indoor use.
- UNII-3: 5.725-5.825GHz. 1W maximum. Outdoor use only for microwave links.
When a WLAN signal is modulated (see next paragraph) to transmit the information over the air, it
spreads over a wider band (20 to 160 MHz depending on the protocol). This means that each access
point radiating at a specific frequency (or channel) in fact uses up a much wider frequency band.
This is an issue in the 2.4GHz band, which is only 72MHz wide and uses 11 channels (US) spaced
by just 5 MHz: access points radiating in adjacent channels would overlap and interfere with each
other (thus decreasing throughput and range). For example, if the WLAN is transmitting on channel 9,
it will overlap with channels 7, 8, 10, 11. Consequently, when deploying multiple access points in an
office, only channels 1, 6, 11 should be used as they are spaced by 20 MHz:
Although most modern access points come with automatic channel selection mechanisms, it is
recommended to scan the environment for wifi signals (refer to paragraph about WLAN site survey)
and analyze which channel would have the least interference.
Wireless networks use different technologies depending on the distance to achieve, the number of
devices to connect, and the amount of information to transmit.
All-in-one wireless routers, such as Linksys models, function in BSS mode as well. Because they also
perform layer 2/3/4 functions (switching, routing, firewall, etc…), wireless routers can accommodate
a limited number of clients (15 clients maximum recommended) and have a shorter range in
comparison with standalone APs.
Extended Service Set (ESS) uses more than one AP, often with overlapping cells to allow roaming
in a larger area. Roaming means that users can move around inside the coverage area and stay
connected to the same WLAN. As a result, the user does not lose connectivity and keeps the
same IP address. All interconnected wireless access points share the same SSID (network name),
security credentials and wired local area networks.
Using WLCs also simplifies the addition/removal of APs as it centralizes the configuration that is
pushed to all APs, thus eliminating the need to individually connect devices for configuration
purposes. When using a controller, the AP is said to be a “controller based AP”. Cisco APs can be used either
as controller based or standalone by switching firmware.
When a WLAN NIC or access point sends data, it can modulate (change) the radio signal’s
frequency, amplitude, and phase to encode a binary 0 or 1. The IEEE 802.11 standard makes
provisions for the use of several different modulation techniques to encode the transmitted data onto
the RF signal. These modulation techniques are used to enhance the probability of the receiver
correctly receiving the data and thus reducing the need for retransmissions.
The latest 802.11 protocols use a technique called Orthogonal Frequency Division Multiplexing
(OFDM). OFDM works by splitting the radio signal into multiple smaller sub-signals that are then
transmitted simultaneously at different, closely spaced frequencies. Each OFDM sub-signal can be modulated
using Binary Phase Shift Keying (BPSK), Quadrature Phase Shift Keying (QPSK), or one of two
levels of Quadrature Amplitude Modulation (16, 64 or 256-QAM).
WLAN protocols also define forward error correction (FEC), or coding, as a technique used for
controlling errors in data transmission. The central idea is that the sender encodes the message in a
redundant way by using an error-correcting code (ECC) defined by an algorithm. The redundancy
allows the receiver to detect a limited number of errors that may occur anywhere in the message,
and often to correct these errors without retransmission. The code rate is the proportion of the
data stream that is useful (non-redundant). Code rates are displayed as “k/n”, where for every k bits of
useful information, the coder generates a total of n bits of data, of which n-k are redundant. For example,
a coding rate of 3/4 means that one redundant bit is inserted for every block of 3 bits of data. Obviously
a 5/6 rate would result in faster transmission than a 1/2 rate since fewer redundant bits are inserted.
IEEE 802.11 networks showed their biggest security vulnerability when the one real security feature
was hacked in the first few years of its existence. This security feature was WEP; since then
hackers have developed numerous methods to gain access to wireless networks, including denial of
service attacks, man-in-the-middle attacks, encryption cracking, MAC spoofing...
This chapter details the three recommended methods to secure wireless networks that are implemented
in emergencies: WPA encryption, 802.1X authentication and Wireless Guest portals.
Wi-Fi Protected Access (WPA) is a security protocol based on 802.11i that was designed to protect
WLANs. There are multiple variants of WPA:
- WPA Personal uses a pre-shared key (PSK) in combination with the Temporal Key Integrity
Protocol (TKIP) for encryption.
- WPA Enterprise also uses TKIP for the encryption part but an authentication server is used to
approve the access and to dynamically generate the encryption keys.
- WPA2 Personal uses the Advanced Encryption Standard (AES) for encryption, which is the
strongest available. It still relies on a user defined pre-shared key.
- WPA2 Enterprise uses AES for the encryption and, as for WPA Personal, a server for the
authentication and dynamic keys. This is the solution implemented with UNICEF Universal wifi.
The “Personal” variants are the easiest security solution to implement and are recommended at the
beginning of an emergency response when a small number of responders are on-site. This solution
can however easily be “hacked” as all users have the same pre-shared key, which in the end is
known by everybody. Administrators should therefore not attach this type of WLAN to the corporate
network (for example by plugging the access point into a switch in the LAN) but directly to a firewall
interface or to a separate Internet link. Access to corporate applications would only be gained through
Citrix or Client VPNs.
The “Enterprise” variant is recommended for longer-term deployments, since an
authentication server is used to make sure only relevant personnel have access to the network (see
the paragraph below referring to 802.1X and RADIUS) and keys are generated dynamically.
The solution is recommended to provide Internet access only to BYOD equipment, temporary
personnel and visitors. The Guest WiFi segment should be physically or virtually segregated from
the LAN/WAN. The following diagram is an overview of the standard solution as implemented in
UNICEF offices; the captive portal can be a network appliance (such as a Cisco 2504 WLC or a Meraki
access point) or a server (such as pfSense):
[Diagram: Captive Portal]
WLAN security can be significantly strengthened by using 802.1X to deliver dynamic pre-shared keys
to authenticated users. 802.1X relies on authentication servers based on the Remote
Authentication Dial In User Service (RADIUS) protocol. RADIUS was originally defined to enable
centralized authentication for PPP dial-up sessions. Instead of requiring every dial-up gateway to
maintain a list of authorized usernames and passwords, the gateway would issue RADIUS request
messages to a central Authentication Server which would then reply with RADIUS Accept or Reject
messages. This architecture made it possible to centralize the user database and consolidate
decision-making at a single point, while allowing calls to be supported by many distributed gateways.
In a wireless network that uses 802.1X, the wireless station plays the role of the Remote User, the
wireless AP (or WLC) plays the role of the dial-up gateway and the domain controller (such as Active
Directory) is the Authentication Server. RADIUS is still used as the communication protocol between
the AP and the Authentication Server. If the server approves access to the wireless station, the AP
and wireless station generate the key that is used by TKIP or AES to encrypt data. Keys are therefore
generated dynamically and change from session to session.
When a user authenticates to an SSID using 802.1X, that individual session is encrypted uniquely
between the user and access point. This means that another user connected to the same SSID
cannot sniff the traffic and acquire information because they will have a different encryption key for
their connection. With a pre-shared key network, every device connected to the access point is on a
"shared encryption" connection so they can all see each other's traffic if they choose to do so.
All these attributes make 802.1X the most robust means to secure 802.11 networks. Since only
domain-joined devices can access the network (basically all UNICEF desktops and laptops), this is the
recommended solution to access corporate applications over WiFi.
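The difference between the "shared encryption" of a pre-shared key network and the per-session keys of 802.1X, worked through with the standard WPA2 key derivation (PBKDF2 for the passphrase, then the pairwise key expansion over the handshake values); this is an added example, not part of the handbook. The SSID, passphrase, MAC addresses and nonces are constructed, the function names are hypothetical, and the 802.1X master key that the authentication server would deliver is modelled as random bytes.

```python
import hashlib
import hmac
import os

SSID = "ExampleOffice"                         # constructed
PASSPHRASE = "constructed-shared-passphrase"   # constructed
AP = bytes.fromhex("00005e005310")             # constructed MAC addresses
STA_A = bytes.fromhex("00005e005311")
STA_B = bytes.fromhex("00005e005312")


def nonce(label: str) -> bytes:
    """Deterministic stand-in for a 32-byte handshake nonce (sent unencrypted)."""
    return hashlib.sha256(label.encode()).digest()


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: master key = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i pseudo-random function built on HMAC-SHA1."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def temporal_key(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """Per-session AES (CCMP) traffic key: last 16 bytes of the 48-byte pairwise key."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[32:48]


def compare(pmk_a: bytes, pmk_b: bytes) -> dict:
    """Session keys of stations A and B, plus A's key as recomputed with B's master key."""
    a_fields = (AP, STA_A, nonce("anonce-a"), nonce("snonce-a"))  # all visible on air
    b_fields = (AP, STA_B, nonce("anonce-b"), nonce("snonce-b"))
    return {
        "pmk_a": pmk_a,
        "pmk_b": pmk_b,
        "tk_a": temporal_key(pmk_a, *a_fields),
        "tk_b": temporal_key(pmk_b, *b_fields),
        "tk_a_seen_by_b": temporal_key(pmk_b, *a_fields),
    }


def psk_network() -> dict:
    """Every station derives its master key from the same passphrase and SSID."""
    return compare(pmk_from_passphrase(PASSPHRASE, SSID),
                   pmk_from_passphrase(PASSPHRASE, SSID))


def dot1x_network() -> dict:
    """Each authenticated session receives its own master key (modelled as random)."""
    return compare(os.urandom(32), os.urandom(32))


if __name__ == "__main__":
    for name, result in (("PSK", psk_network()), ("802.1X", dot1x_network())):
        print(name,
              "| same master key:", result["pmk_a"] == result["pmk_b"],
              "| B can recompute A's traffic key:",
              result["tk_a_seen_by_b"] == result["tk_a"])
```

In the pre-shared key case the only secret input to a session key is the passphrase every user holds, so distinct session keys give no isolation between users; with 802.1X the master key itself differs per session.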
The UNICEF standard 802.1X solution relies on Access Points broadcasting a hidden SSID
(CharlieWiFi). Internal users connect to the SSID using their usual AD credentials and a unique
certificate hosted in the machine. A Microsoft NPS server acts as the RADIUS server and the local
Active Directory server is the Authentication Server:
[Diagram labels: WiFi user; Access Points; WPA2; WiFi Internal – 172.16.2.0/24; DHCP; NAT (internal IP
for NAT, internal traffic, Public IP); UNICEF LAN 158.113.x.y or 10.16.x.y; NPS (Radius); Local AD;
APs query to Radius server; Authentication for UNICEF AD accounts for WiFi internal]
Another indirect advantage of the 802.1X solution is that all UNICEF offices can use the same SSID
(“CharlieWiFi”), which favors staff mobility. Indeed staff would be automatically and seamlessly
connected to the corporate network as soon as their computer is in the range of the office WLAN.
This is particularly useful in emergencies where staff movement is very frequent.
UNICEF emergency kits (see LAN chapter) ship with a preconfigured WLAN configuration that
combines the Guest Portal and the 802.1X / RADIUS authentication methods
described previously. A Cisco Wireless LAN Controller is used to implement both functionalities, while
the 802.1X implementation relies on the global Active Directory servers (instead of a local
AD as in standard offices) and on a Cisco Identity Service Engine (ISE) appliance (instead of a
Microsoft NPS as in standard offices):
[Diagram labels: SUNGARD; RADIUS; Cisco ISE; Active Directory; Internet; Cisco AP.
SSID 1: UNICEF Guest (broadcasted SSID, Authentication Portal).
SSID 2: Charlie WIFI (hidden SSID, WPA2 security, 802.1X).]
In a similar way to light, wireless signals travel in straight lines and are affected by obstructions,
which can alter the radio signal. Wireless behaviour can be predicted and detected; the following
paragraphs introduce the major RF signal behaviours and their implications:
If an RF signal bounces off of a smooth, non-absorptive surface, changing the direction of the signal,
it is said to reflect and the process is known as reflection. Reflected signals are usually weaker after
reflection; this is because some of the RF energy is absorbed by the reflecting material. Refraction
can occur when an RF signal is bent while moving between media of different densities (ex: wood or
plastic, layers in the atmosphere). Refraction introduces problems in outdoors point-to-point bridges
when a change in atmospheric conditions is observed (changes in temperature, air pressure, rain…);
the RF signal may change from the intended direction resulting in a broken connection or in increased
error rates.
Diffraction
Diffraction is defined as a change in the direction and/or intensity of a wave as it passes by the edge
of an obstacle. This phenomenon can also result in areas of “RF shadow”. Diffraction is often caused
by buildings, small hills, and other larger objects in the path of the propagating RF signal.
Multipath
When signals bounce around in an environment through reflection, refraction and diffraction, they
create an effect known as multipath. Multipath occurs when multiple paths of the signal, understood
as multiple signals, arrive at the receiving antenna at the same time or within a small fraction of a
second (nanoseconds) of each other. Multipath occurs very frequently
in an indoor environment where there is often no direct signal path
between the transmitter and the receiver (or the access point and the
client station). File cabinets, walls, desks, and doors - among other
things - cause RF propagation patterns that result in multiple paths
arriving at the receiving antenna. The difference in time between the
first and second signals arriving at the receiver in a multipath
occurrence is known as the delay spread. When the delay spread is
greater, so that the signals arrive out of phase, the signal will either be
down faded, corrupted, or nullified.
These are usually natural or unintentional and happen because of the process of RF propagation
(reflection, refraction, absorption…). The reduction in signal strength is logarithmic rather than linear.
For example, a 2.4 GHz signal, such as that used by many IEEE devices, will attenuate by
approximately 80 dB in the first 100 meters and then by another 6 dB in the second 100 meters. For
this reason, there are limitations in the distance travelled by RF signals.
Fresnel Zone
As an analogy with visible light, visual LOS is defined as the apparently straight line from the object
in sight (the transmitter) to the observer's eye (the receiver). The LOS is an apparently straight line
because light waves are subject to changes in direction due to refraction, diffraction, and reflection
in the same way as RF frequencies. RF works very much the same way as visible light within wireless
LAN frequencies with one major exception: RF LOS can also be affected by obstacles located in the
Fresnel Zone. The Fresnel Zone occupies a series of concentric ellipsoid-shaped areas around the
LOS path, as can be seen in the figure below.
The radius r of the Fresnel Zone at its widest point can be calculated with the following formula:
$$r = 17.32 \times \sqrt{\frac{d_1 + d_2}{4f}}$$
Where $d = d_1 + d_2$ is the link distance in km, f is the frequency in GHz, and r is in meters. For
example, with a 2.4 GHz link and 5 km in length, the resulting Fresnel Zone radius r is 12.4 meters. Objects within
this area such as trees, hilltops, and buildings can absorb or scatter the main RF signal, causing
degradation or complete signal loss. Considering the Fresnel Zone when planning or troubleshooting
an RF link is therefore essential.
As the distance increases, other factors must be considered such as the curvature of the Earth,
where the line of sight becomes difficult at 10 km and disappears altogether at 25 km (for two
structures at 3 meters). Paths over 30 km are extremely difficult to align and install, so caution must
be taken when recommending these types of configurations.
Placing the APs in the correct locations is an important factor in extending the coverage area
of the AP. Too many APs in the same vicinity can create radio congestion and
If signals propagate well through the floors of the facility, one can also take advantage of the inter-
floor propagation in a way that reduces the number of access points necessary to cover the facility.
For example, AP-1 and AP-4 in the illustration below can provide coverage on the 2nd floor (where
they are installed), as well some coverage on the 1st and 3rd floors. AP-2 (installed on the 3rd floor)
and AP-3 (installed on the 1st floor) both provide some coverage on the 2nd floor. This allows the
spacing between the access points, such as AP-1 and AP-4, to be farther apart than if the inter-floor
propagation is not taken into account. Of course this reduces the cost of the deployment.
You can extend the radio coverage area of an AP when you modify the transmitter power level
parameter. The transmitter power (mW) setting determines the power level of the radio transmitter.
The default power setting is the highest transmit power allowed in a regulatory domain. Government
regulations define the highest power level for radio devices.
Caution: The transmitter power level setting must conform to the established standards of the
country in which the setting is used. Governing bodies specify power rules for 2.4/5 GHz point-to-
multipoint and point-to-point links. Although designed for interior coverage, sector and phased-array
antenna output power levels must also be considered. The reality of output power rules is actually
more complex than most network administrators realize. Data rate is usually improved when the
power is increased; therefore the temptation is high for the administrator to go over the limit.
► For further detail on the WLAN maximum allowed power output in different regions of the world,
see the contents of the “Regulation” folder in the USB flash drive.
Generally, the transmitted power is reduced to limit the effect of RF interference. The reduction has
a negative effect on the radio coverage. The transmitted power is directly proportional to the radio
coverage area. Therefore, the weaker the transmitted power, the smaller is the radio coverage area.
The antenna is the radiating element in an RF system. In other words, it is the device that actually
causes RF waves to be propagated through space. Antennas are most often used to increase the range
of wireless LAN systems, but a proper antenna selection can also enhance the security of your
wireless LAN. A properly chosen and positioned antenna can reduce the signal leaking out of your
workspace, and make signal interception extremely difficult.
There are four general categories into which all wireless LAN antennas fall:
- Highly-directional antennas emit the most narrow signal beam of any antenna type and have
the greatest gain of these three groups of antennas. These antennas are ideal for long distance,
point-to-point wireless links. Some models are referred to as parabolic dishes because they
resemble small satellite dishes. Others are called grid antennas due to their perforated design
for resistance to wind loading. They can transmit at distances of 35 miles or more and usually
require detailed aiming procedures that include a lot of trial and error (refer to satellite dish
pointing).
- Multiple-Input, Multiple-Output (MIMO) is the use of multiple antennas at both the transmitter
and receiver to improve communication performance. It is one of several forms of smart antenna
technology. MIMO technology has attracted attention in wireless communications, because it
offers significant increases in data throughput and link range without additional bandwidth or
transmit power. It achieves this by higher spectral efficiency (more bits per second per hertz of
bandwidth) and link reliability or diversity (reduced fading). Because of these properties, MIMO
is an important part of modern WLAN standards such as IEEE 802.11n (Wi-Fi), 4G and WiMAX.
The Cisco Aironet family is the standard UNICEF hardware used in emergencies. Its rugged plastic
housing and extended operating temperatures make it ideal for difficult environments like
humanitarian compounds or warehouses. In large installations, the roaming functionality provided by
multiple access points enables wireless users to move freely throughout the facility while maintaining
uninterrupted access to the network.
- Autonomous or standalone access points are based on Cisco IOS and can therefore be
directly configured using the command-line interface (CLI) or the web-browser interface. These
are the recommended models for small deployments with just 1 or 2 APs.
- Controller based Access Points work in conjunction with Cisco wireless LAN controllers. APs
automatically download appropriate policies and configuration information with no manual
intervention. This configuration is recommended for large deployments requiring more than 5
APs. Note that these are the models to be ordered when installing a LAN kit (refer to LAN
chapter).
The recommended Cisco Access Point models for emergency response are as follows:
Cisco MX64W and Z1 appliances are the standard for small emergency deployments where aid
workers would rely on 3G, mobile satcoms or DSL connection. The MX64W and Z1 include firewall,
intrusion prevention, content filtering, and auto-VPN support. An 802.11ac interface enables
resource sharing via WiFi, and L7 traffic filtering/shaping features can help optimize voice and
video applications.
Figure 187 - Cisco 881W
Alternatively, as a last resort, robust home routers such as the Linksys WRT1900AC or Buffalo
WZR-600DHP2D are acceptable solutions for deployments of less than 6 months with a limited
number of personnel (15 maximum).
The Ubiquiti line of bridges are all-outdoor, tri-band systems operating in the UNII-2, UNII-2e and
UNII-3 license-exempt bands, delivering 162 Mbps of aggregate throughput (at optimal conditions
and distance). This performance is obtained by implementing the 802.11ac protocol. In the past UNICEF
widely used the Cisco 1300 and 1400 series as its bridge standard; however, these were
discontinued in 2012 and subsequently replaced with the Cisco Exalt and Ubiquiti models:
This model is available for procurement using UNICEF LTAS. The exact reference is AIR-CT2504-5-K9
and it costs $700. This specific model comes with enough licenses to install up to 5x Cisco access
points. It is however possible to increase the access point capacity by procuring additional licenses.
The maximum recommended number of APs that the 2504 can support is 50.
The planning of a wireless LAN involves collecting information and making decisions. One of the
most important steps in implementing any wireless network is conducting a site survey. The objective
is to discover the RF behaviour and interferences and to determine where to properly place WLAN
hardware in a facility. The following is a list of the most basic questions that should be answered
before the actual physical work of the site survey begins:
In the most basic indoor cases, the tools and equipment needed for the survey are at least one access
point, a laptop computer (or smartphone), some site survey utility software, the map of the facility
and paper/pen.
inSSIDer is free, open-source Wi-Fi scanning software. It can be thought of as a software spectrum
analyser for WiFi networks. Following is an overview of what can be achieved using it:
The time view can be used to display the evolution of the signal strength while moving around a
building, hence providing an overview of the WiFi coverage.
HeatMapper is a free tool that can be used to map the wireless coverage of any 802.11 compatible
access point. Similarly to inSSIDer, it also locates all the audible access points, and shows their
configurations and signal strength - in real time and on a map. Following is a sample map, and the
resulting coverage with the software:
HeatMapper is particularly powerful to measure an access point coverage and determine its best
positioning. The image above for example shows coverage comparisons between the 2.4 GHz and
5 GHz bands as seen in HeatMapper. The darkest green in both simulations represents a speed of
150 Mbps, but the darkest reds are what’s different. The red in the 2.4 GHz simulation represents a
speed of 1 Mbps, while the 5 GHz’s red represents a speed of 6 Mbps. One can notice the 2.4 GHz
AP does have slightly more coverage, but the speeds at the edges of the 5 GHz coverage are faster.
Note that an access point is not comparable to a “wifi router”. Its role is more like that of a
switch, therefore a router is still necessary in the network. The scenario below describes how to
create a basic wifi network with the following parameters:
IP Address: 192.168.0.20
Mask: 255.255.255.0
Gateway (router): 192.168.0.254
SSID: UNICEF
Channel: 2.4GHz/5GHz dynamic
Encryption: WPA2 (AES)
Pre-shared key: P@s5w0rd
Steps: a. Access to the AP; b. IP parameters; c. SSID; d. Encryption; e. Save config
a. Accessing the AP
Connect a PC to the AP console port with the blue console cable and power on the
Access Point. If the PC does not have a serial port, use a serial to USB converter.
Click Open.
If everything went according to the instructions, the Access Point command line interface (CLI)
should display. The CLI language is similar to other Cisco equipment. Enter the privileged mode
with the command enable. Out of the box, the default password is Cisco:
The “show” command can be used to verify that the AP's IP address has changed:
c. Creating the SSID. Use the dot11 ssid command to create the SSID named “UNICEF”:
In this scenario, we want to use open authentication (meaning there is no 802.1X authentication
mechanism) with pre-shared key management provided by WPA2. In addition, we configure the SSID
to be broadcasted over the air. While in SSID configuration mode:
d. Configure the Encryption. Now with the SSID profile configured, we need to specify an
encryption method for each wireless interface. Let’s enter interface configuration mode on the
wireless interface Dot11Radio0 (2.4GHz) first:
ap(config)#interface Dot11Radio1
ap(config-if)#encryption mode cipher aes-ccm
ap(config-if)#ssid UNICEF
ap(config-if)#no shutdown
ap(config-if)#end
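One way to check the result of steps c and d, as an added example that is not part of the handbook: a Python audit of the SSID and radio sections of an autonomous AP configuration. The function names are hypothetical and the sample configuration is constructed from the scenario's parameters, with TKIP deliberately left enabled on one radio.

```python
import re

# Constructed sample: the scenario's settings as typed at the CLI, with one
# deliberate weakness (TKIP also allowed on Dot11Radio1).
SAMPLE_CONFIG = """\
dot11 ssid UNICEF
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii P@s5w0rd
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid UNICEF
 no shutdown
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm tkip
 ssid UNICEF
 no shutdown
!
"""


def parse_blocks(config):
    """Group indented sub-commands under their top-level command line."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None            # "!" separates blocks in IOS configs
        elif raw[0].isspace():
            if current is not None:
                blocks[current].append(line)
        else:
            current = line
            blocks[current] = []
    return blocks


def radio_ciphers(body):
    """Return the cipher list of a radio interface, or None if unencrypted."""
    for line in body:
        # IOS accepts unambiguous abbreviations, so match cipher and ciphers.
        m = re.fullmatch(r"encryption mode (ciphers?|wep)\b\s*(.*)", line)
        if m:
            return ["wep"] if m.group(1) == "wep" else m.group(2).split()
    return None


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    findings = []
    ssids = {h.split()[2]: b for h, b in blocks.items()
             if re.fullmatch(r"dot11 ssid \S+", h)}
    for name, body in ssids.items():
        if "authentication key-management wpa version 2" not in body:
            findings.append(f"ssid {name}: WPA2 key management not configured")
        if not any(l.startswith("wpa-psk ") for l in body):
            findings.append(f"ssid {name}: no pre-shared key set")
    for header, body in blocks.items():
        m = re.fullmatch(r"interface (Dot11Radio\d+)", header)
        if not m:
            continue
        radio = m.group(1)
        bound = [l.split()[1] for l in body if l.startswith("ssid ")]
        for name in bound:
            if name not in ssids:
                findings.append(f"{radio}: bound to undefined ssid {name}")
        if not bound:
            continue                  # radio serves no SSID, nothing to check
        ciphers = radio_ciphers(body)
        if ciphers is None:
            findings.append(f"{radio}: no encryption configured")
        elif ciphers != ["aes-ccm"]:
            got = " ".join(ciphers)
            findings.append(f"{radio}: ciphers {got}; expected aes-ccm only")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
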
Out of the box, the WLC can be configured using a quick setup menu. Connect PC to port 2 of the
WLC, wait for it to get an IP address and access the WLC through http://192.168.1.1
Using the quick setup menu, continue creating the SSIDs. By default the WLC proposes to create a
corporate 802.1X SSID and a Guest WiFi portal. In UNICEF, parameters should be as follows:
Click Apply; the system will reboot and then be accessible via the management IP address. If the
setup includes VLANs, make sure the computer is connected to an access switch port in the same VLAN
as the WLC.
There should be no reason to connect to the WLC other than to monitor and troubleshoot wireless
access points and user authentication, or to access the LobbyAdmin. Access Points, for example, are
automatically recognized and configured by the controller as soon as they are plugged into the
network; there is no additional configuration required in the process.
Once authenticated, the administrator is redirected to a dashboard displaying most of the useful
information in a single view: WLAN status, number of clients, interferers and usage statistics of the
WLAN. The configuration pages and logs can be accessed by clicking the “advanced” tab…
i. Configuring SSIDs
WLC administrators can create guest user credentials by going to Security > local Net Users.
Guest credential can be generated on demand and expire after a pre-determined period. Although
not recommended, one Guest credential can fit all users (the same username / password can be
used at the same time).
Lobby administrators are special WLC users that can create and manage guest user accounts on
the Wireless LAN Controller (WLC). The lobby ambassador has limited configuration privileges and
can access only the web pages used to manage the guest accounts (similar to the “local Net Users”).
The lobby ambassador can specify the amount of time that the guest user accounts remain active.
After the specified time elapses, the guest user accounts expire automatically.
The WLC can be used to monitor the number of users logged in. In the Default Summary page, click
“detail” in the row that corresponds to the current clients. Alternatively go to Monitor > Clients:
It is important to note that only Cisco Lightweight Access Points (LAPs), Controller Based Access
Points (CAPWAP) and Hybrid Remote Edge Access Points (H-REAPs) can be managed by the WLC.
Make sure to select the correct type of access point during procurement. The IOS
version running in the WLC is important as it determines which AP models are supported. For
example, the current LTA models Cisco 1700/2700/3700 require the WLC version IOS 8.0+ to run;
likewise, older AP models might not be supported by the latest version of the IOS.
A standalone Cisco Access Point can be converted to a controller based access point (and vice-
versa). Refer to the procedure further below.
Connect each AP to the relevant LAN kit switch port. As the switch is PoE capable, APs will be
powered from the Ethernet port and power on instantaneously. If the LAN switch is not PoE capable,
each AP will need power from an external power injector.
Upon connection, the AP will identify the WLC and generate a tunnel where all VLANs will be trunked
(see Figure 10). The LAP will then contact and establish connection to the WCS, which will take
control and configure it according to its settings. No additional actions will be needed on each newly
connected AP.
Connect a PC to the AP console port (on the back) with the provided blue cable and power on the
switch. If the PC does not have a serial port, use a serial to USB converter.
A black window should then be displayed. As soon as you connect the AP, the command line interface
will appear with the AP boot sequence and diagnostic lines.
When connected for the first time to the WLC, the AP will first obtain an IP from the DHCP server in
the firewall and look for the WLC by sending broadcasts:
*Mar 1 00:04:36.227: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:04:36.696: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-
CONTROLLER.unicef.org
*Mar 1 00:04:46.696: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Oct 22 17:19:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip:
10.175.244.250 peer_port: 5246
Once found, the AP tries to create a CAPWAP tunnel with the WLC which fails as the AP has not
been configured yet by the WLC:
*Oct 22 17:19:02.625: %CAPWAP-5-SENDJOIN: sending Join Request to 10.175.244.250
*Oct 22 17:19:02.627: %CAPWAP-3-ERRORLOG: Invalid eve!!!!!!!!!nt 10 & state 5
combination.
*Oct 22 17:19:02.627: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message
type 10 state 5.
*Oct 22 17:19:02.627: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from
controller
*Oct 22 17:19:02.627: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from
10.175.244.250perform archive download capwap:/c1140 tar file
The AP will therefore download both a new firmware image and the configuration file, both compiled
and provided by the WLC:
*Oct 22 17:19:02.629: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP.
Downloading image from Controller.
examining image...!
extracting info (288 bytes)
Extracting files...
c1140-k9w8-mx.152-4.JA1/ (directory) 0 (bytes)
extracting c1140-k9w8-mx.152-4.JA1/T2.bin (8080 bytes)
extracting c1140-k9w8-mx.152-4.JA1/img_sign_rel_sha2.cert (1371 bytes)
extracting c1140-k9w8-mx.152-4.JA1/8001.img (186308 bytes)!!!
[Extracting goes on for 10-15 lines]
New software image installed in flash:/c1140-k9w8-mx.152-4.JA1
Configuring system to use new image...done.
The LAP will then reboot and complete the association to the WCS by loading its configuration. This
time the CAPWAP tunnel is successful and once finished the AP brings its interfaces up:
Loading"flash:/c1140-k9w8-mx.152-4.JA1/c1140-k9w8-mx.152.JA1"...##############....
File "flash:/c1140-k9w8-mx.152-4.JA1/c1140-k9w8-mx.152-4.JA1" uncompressed and
installed, entry point: 0x4000
executing...
[logs]
[logs]
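The join sequence shown in the console excerpts above, as an added example that is not part of the handbook: a Python parser that builds the CAPWAP join timeline and flags any controller address outside an expected list. The function names and the 192.0.2.10 line are constructed for illustration; the other lines come from the excerpts, rejoined onto single lines.

```python
import re

# Console lines from the excerpts above (rejoined onto single lines), plus one
# constructed line: 192.0.2.10 is a documentation address, not from the page.
SAMPLE_LOG = """\
*Mar 1 00:04:36.696: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.unicef.org
*Mar 1 00:04:46.696: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Oct 22 17:19:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.175.244.250 peer_port: 5246
*Oct 22 17:19:02.625: %CAPWAP-5-SENDJOIN: sending Join Request to 10.175.244.250
*Oct 22 17:19:02.627: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Oct 22 17:19:02.629: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Oct 22 17:25:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.10 peer_port: 5246
"""

# "*<timestamp>: %<FACILITY>-<severity>-<MNEMONIC>: <message>"
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+\s+[\d:.]+): "
    r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)

# Controller address as it appears in the DTLS and Join Request messages.
PEER_RE = re.compile(r"(?:peer_ip:|Join Request to)\s+(\d{1,3}(?:\.\d{1,3}){3})")

# Mnemonics seen in the excerpts, mapped to the stage of the join they mark.
STAGES = {
    "DTLSREQSEND": "dtls-request",
    "SENDJOIN": "join-request",
    "AP_IMG_DWNLD": "image-download",
}


def analyse(log_text, expected_controllers):
    """Return the join timeline, the CAPWAP error count and any alerts."""
    events, alerts, errors = [], [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["facility"] != "CAPWAP":
            continue                      # not a CAPWAP syslog line
        if m["mnemonic"] == "ERRORLOG":
            errors += 1
            continue
        stage = STAGES.get(m["mnemonic"])
        if stage is None:
            continue
        peer = PEER_RE.search(m["msg"])
        controller = peer.group(1) if peer else None
        events.append((m["ts"], stage, controller))
        if controller and controller not in expected_controllers:
            alerts.append(
                f"{m['ts']}: AP addressed unexpected controller {controller} ({stage})"
            )
    return {"events": events, "errors": errors, "alerts": alerts}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, {"10.175.244.250"})
    for ts, stage, controller in report["events"]:
        print(ts, stage, controller or "-")
    print("CAPWAP errors:", report["errors"])
    for alert in report["alerts"]:
        print("ALERT", alert)
```
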
In order to convert the AP, the proper firmware should be downloaded from cisco.com. Following are
the three types of IOS available for download:
To proceed with the conversion, a PC should be connected to the AP’s Ethernet port either directly
or through a switch (if the AP is powered through PoE). A TFTP server (e.g. tftpd32) must be installed
on the PC and host the previously downloaded IOS firmware. In the example below, the PC has
been assigned the 10.10.10.1/24 address and the AP, a 1140 model, has been assigned the
10.10.10.102/24 IP address.
// Before entering this command, make sure the TFTP server is running
AP5475.d0f5.2ee7#archive download-sw /force-reload /overwrite tftp://10.10.10.1/c1140-k9w7-tar.124-25d.JA.tar
"examining image...
Loading c1140-k9w7-tar.124-25d.JA.tar from 10.10.10.1 (via GigabitEthernet0): !
extracting info (283 bytes)
Image info:
Version Suffix: k9w7-.124-25d.JA ...................."
Once conversion process is over, verify the right image has been loaded:
For the reverse conversion from standalone to controller-based, download the recovery image (in
this example: c1140-rcvk9w8-tar.124-25d.JAL.tar) and use the same command in privileged mode on
the autonomous AP:
1. Login to the WLC: From a laptop, browse to the WLC IP, log in using your credentials.
2. Verify TFTP -> WLC connectivity: Go to “COMMANDS” -> “Upload File”. Leave all default but
update the server IP address with the laptop IP address. Click “Save Configuration” and once
confirmed, click “Upload”.
If communications with the tftp server work, you should read a confirmation message and the
configuration file should have been transferred to the current tftp folder.
The WLC should request a reboot: click “reboot” or go to “COMMANDS” -> “Reboot” and click
“Reboot”. All communications with the WLC will be lost and the WLC will take a while to reboot
(20-30 minutes); make sure you have enabled the serial connection so you can monitor the WLC’s
upgrade process.
4. Download the IOS firmware, for example AIR-CT2500-K9-8-1-121-0.aes. Follow exactly the same
instructions as in point 3, but this time the File Name in “COMMANDS” -> “Upload File” should be
“AIR-CT2500-K9-8-1-121-0.aes”. Once the upgrade is done, log in to the GUI again; you should be
redirected to the new dashboard. Click on “Advanced” to access the previous default page and verify
that the “Software Version” has been updated:
The last paragraph of the handbook details the configuration process for setting up point-to-point and
point-to-multipoint bridges. We will consider a situation where a humanitarian agency needs to
extend Internet connectivity from its main office to 2 remote locations (staff accommodation and
warehouse) and will set up bridges as follows:
[Figure: Main Office linked by bridges to the Warehouse (Bridge, Switch, AP) and to the Accommodation (Bridge, Switch, AP)]
Bridge systems usually consist of a weatherproof transmission unit (with integrated or external
antennas), a Power Injector, a Power Adaptor and a grounding block (also called surge protector) at
the building entrance. The Bridge and the external antennas, if used, are installed outdoors. The
grounding Block is installed at the building entrance and the Power Injector and DC power supply
are installed indoors. The overall diagram is shown below:
Before mounting the bridges to the roof or mast, the installer should always make sure the setup is
working in a lab environment.
When routing the cable down a radio tower one must secure the cable to the tower. This is typically
done by using plastic or nylon ties securing the cable to either one leg of the tower or to the existing
Tip: It is good practice to create a small cable loop around all outside connections. Should the
weatherproofing fail, this would limit the water damage to the loop preserving the rest of the cable so
that it could be spliced and reused.
Lightning Protection
Lightning is caused by the build up of electrical potential between the clouds and ground, between
clouds, or between clouds and the surrounding air. During thunderstorms, static electricity builds up
within the clouds. A positive charge builds in the upper part of the cloud, while a large negative
charge builds in the lower portion. When the difference between the positive and negative charges
becomes too great, the electrical charge jumps from one area to another, creating a lightning bolt.
Most lightning bolts will strike from one cloud to another, but they can also strike the ground or other
metal objects. Static electricity from wind or snow, or the electrical energy from a direct or
nearby lightning strike, can damage your bridge or other electronic equipment. Always use a grounding
block on the bridge and make sure the grounding block is attached to a suitable ground.
Use a heavy gauge wire and keep ground wire as short as possible. The use of a good ground will
lessen the chance of damage due to a nearby strike and helps to “bleed off” any static charges that
may build up on the cable.
a. Getting started
Configure the Ethernet adapter on your computer with a static IP address on the 192.168.1.x subnet
(for example, IP address: 192.168.1.100 and subnet mask: 255.255.255.0). Then launch your web
browser and enter https://192.168.1.20 in the address field.
Both the default username and password are ubnt. Also select the country of operations (by default
USA). Once logged in, the dashboard looks as follows:
A best practice is to change the default password as highlighted by the red message on top of the
screen.
b. Wireless Parameters
The Wireless tab contains everything needed to set up the wireless part of the link, including the
wireless mode, SSID, channel and frequency, output power, data rates, and wireless security:
(*) The mode depends on the product model and network topology requirements:
- Access Point PTP: If a single device acts as an access point (AP) in a Point-to-Point (PtP) link.
The device functions as an AP that connects a single client device (the client device must be in
Station PTP mode).
- Station PTP: If a client device connects to an AP in a Point-to-Point (PtP) link. The client device
acts as the subscriber station while connecting to the AP (the AP must be in Access Point PTP
mode).
- Access Point PTMP: If a single device acts as an AP in a Point-to-MultiPoint (PtMP) link. The
device functions as an AP that connects multiple client devices (client devices must be in Station
PTMP mode).
- Station PTMP: If multiple client devices connect to an AP. The client devices act as the subscriber
stations while they are connecting to the AP (which must be in Access Point PTMP mode).
c. Other Parameters
The Network menu is used to adapt the bridge IP settings to the local office network addressing.
Make sure the parameters are set to their default (Network mode = Bridge) and assign static IP
addresses for easier remote management and monitoring. In the service tab, it is recommended to
enable the NTP client (Ubiquiti default or 158.113.18.9) and the device discovery (CDP). Lastly, the
system menu can be used to modify the administrator name (ex: admin), update the date settings
and save the configuration.
d. Verifying Association
Once all bridges have been configured correctly, they should automatically associate after scanning
all frequencies (30 seconds). For example, here’s a main bridge configured as Access Point PTMP
associated with 2x remote bridges configured as Station PTMP:
Emergency preparedness and response planning in the area of ICT is to a large extent governed by
the Core Commitments for Children (CCCs) in Humanitarian Action. The CCCs state clearly the
responsibilities of ICT functions at the global, regional and country office level, to ensure adequate
preparedness, and actions to take in response and early recovery phases. Below is chapter 3.6
outlining the ICT commitments of the CCCs.
COMMITMENT
Ensure the immediate availability of essential emergency information and communication technology
(ICT), and telecommunications equipment and services, by having supply contracts in place with an
emergency delivery clause (HQ/RO).
- Pre-position essential rapid-deployment emergency ICT solutions in high-risk offices (RO/CO);
and put in place licensing and agreements with host governments on importation and licensing
of key telecommunications-response equipment and services (CO/interagency).
- Ensure the timely availability of trained and experienced emergency ICT responders by
maintaining internal and external emergency response rosters (HQ/RO).
- Ensure that all UNICEF COs have a minimum of one emergency-trained ICT professional
(CO/RO).
- Ensure that ICT is included in all UNICEF country and regional emergency-simulation exercises
(RO/HQ); and conduct annual emergency ICT training and simulation exercises (HQ/RO/CO).
- Ensure that CO ICT personnel are trained in MOSS/security telecommunications requirements
(HQ/RO/CO) and that evaluation of and reporting on MOSS telecommunications compliance is
included in regular office ICT activities (RO/CO).
- Support implementation of inter-agency and NGO emergency ICT/ telecommunications working
groups at the field-office level (CO/RO/ HQ).
- Support and ensure inter-agency standardization for emergency ICT/ telecommunications
equipment, services and procedures (HQ).
- For the purpose of business continuity, ensure that critical staff have the requisite remote
connectivity and access to UNICEF core systems (RO/CO), as per individual office requirements
and established from Information Technology Solutions and Services Division and business and
continuity plans (HQ).
- Conduct remote connectivity tests as per individual office requirements and established policies
and guidelines from Information Technology Solutions and Services Division and business
continuity plans. Ensure remote execution of office-critical processes, where applicable
(RO/CO).
- Ensure, where applicable and as per individual office requirements, remote access to vital
records requirements to execute critical processes for critical staff on-site and for those working
from home (RO/CO).
ANNEXES 209
PROGRAM ACTION IN THE RESPONSE
- Perform an immediate emergency ICT and telecommunications gap assessment to identify
critical gaps in MOSS/security telecommunications compliance and data communications
(Internet, email, etc.) service availability; determine resource requirements and need for eventual
external support (RO/CO).
- Collaborate with cluster partners to identify opportunities for shared telecommunications and
data-communications service delivery, and take responsibility as cluster lead at the local level, if
required and as per inter-agency agreements (CO/RO).
- Request deployment of trained emergency ICT/telecommunications responders and emergency
telecommunications project coordinators, as required (RO/CO).
- Produce a consolidated supply plan covering identified ICT and telecommunications equipment
and service requirements (CO).
- Provide key UNICEF users with remote access to corporate applications using secure
connectivity solutions, such as virtual private networks (CO)
Region:
Country Office:
Prepared by (name/function)
Date updated:
M. All BCP Critical staff (with support from Local IT staff) have
tested all remote access methods (prior to predicted emergency).
Head of Operations
Emergency Telecommunications / MOSS (columns: Select One, Notes, Responsibility)
A. Office country is MOSS compliant in terms of telecommunications. Responsibility: Security Officer
F. All UNICEF vehicles being used for field operations in high-risk areas are equipped with HF/VHF
and Satcom equipment as per the Country MOSS requirement. Responsibility: Security Officer
G. Staff are equipped with portable radio equipment as per the local MOSS requirements.
Responsibility: Security Officer
H. Staff received training on the use of HF/VHF radio during last 6 months. Responsibility: Security Officer
I. Office has communication tree, and it is tested every three months. Responsibility: Security Officer
ANNEX C – SIMPLIFIED STANDARD OPERATING PROCEDURES FOR LEVEL II AND III EMERGENCIES
SSOP: Level III Emergencies
Sector: ICT
Business Owner: ICTD
Procedures: The below are identified as key actions to ensure a rapid and efficient emergency response in area of ICT. Many of the outlined actions build on
existing ICT emergency preparedness guidelines, as specified in the ICTD Emergency ICT Checklist (on IT-Explorer/Emergency Portal). In situations where
the country office installations and staff are directly affected by the emergency, primary responsibility for actions indicated as country office ICT responsibility
below may be transferred to Regional Chief of ICT (RCICT).
Immediately at activation (first 24 hours)
Action: 1. Conduct a quick ICT assessment and share information with CMT, RCICT and ICTD emergency focal point
Considerations: ▪ If access to emergency location is difficult, seek to obtain information about ICT status and gaps from non-ICT staff visiting area or from other agencies.
Responsibility: CO ICT manager
Approval / clearance: RCICT (Regional Chief of ICT)
To consult / engage: CO Ops officer
The ICTD Simplified Standard Operating Procedures for Level 3 emergencies build on the ICT component of the CCCs as well as current ICTD policies and
procedures related to emergency response and business continuity, including ICT Guidelines & checklist, ICT Assessment templates, ICT Budget tools, TOR
for Interagency ICT working group, etc. Where possible, these policies and procedures have been simplified.
ANNEX D – QUICK ICT ASSESSMENT
EXECUTIVE SUMMARY
This response plan covers the ICT requirements for the on-going emergency in (insert country name),
based upon information collected during the initial assessment organized by (insert office who did the
assessment). The objective is to provide Internet access, security telecommunications and help desk
services to support UNICEF program and operations in (insert location(s)).
This project will be done in 3 phases (this parameter may change depending on scenarios) for a duration
of (enter duration) months. It will be led by (insert Country Office name) under the guidance of the
UNICEF Regional Office in (insert RO name) and the Information Technology Solutions and Services
(ICTD) in Headquarters.
This response plan includes budget and related costs for the necessary ICT equipment, services and
additional staffing. It also describes procurement methods, logistics, exit strategy and risk mitigation.
IMPLEMENTATION TIMELINE
Starting (insert date), phase 0 aims at upgrading existing UNICEF offices in (insert office name(s)) to
cope with the additional surge staff responding to the emergency.
In (insert new sites), where UNICEF had no prior presence, the implementation is divided into two phases:
• Phase I aims at establishing basic ICT infrastructure and services in all additional sites. This
includes Country MOSS compliant telecommunication facilities, depending on the local security
level, and basic e-mail and voice services. In this phase, voice and data communication is
guaranteed through satellite terminals and/or 3G equipment where applicable;
• Phase II aims at strengthening and extending the existing infrastructure to cater for the planned
number of users, including cost-effective Internet access for all staff, the establishment of a secured
network, Wifi infrastructure, remote sites and local help desk.
[Figure: implementation timeline. Dates shown: 28/4/14, 2/5/14, 16/5/14, 6/6/14, 27/9/14. Milestones shown: Initial Assessment & Response plan; Upgrade CO Capacity; Start of Phase II, Location X; Start of Phase II, Location Y; Closure, Location X.]
DESCRIPTION OF SERVICES
In existing UNICEF offices (insert office locations), the increase of surge staff will stress the local ICT
capacity. Phase 0 will therefore focus on upgrading ICT structures:
• Increase of the office WAN/Internet bandwidth
• Installation of additional WIFI equipment
As for additional sites, priority should be given to the establishment of basic Internet connectivity and
security telecommunication networks compliant with the country MOSS. Start-up of ICT services has
been divided into two installation phases as detailed below.
Notes (*): If above services are covered by the Interagency project then they should be omitted
The total equipment and recurring cost amounts to US$ (insert the equipment/recurring cost from
budget), while the estimated staffing cost is US$ (insert staffing cost including travel, DSA, hazard –
staffing costs should clearly highlight the initial deployment costs from the long-term costs).
See Appendix “Budget” for complete cost breakdown by equipment, staff and recurring cost.
The deployment will start/have started on advances from the following sources:
• (insert amount) from the xxx Fund
• (insert amount) from the xxx fund
• …
The project will be implemented under the direct management of (choose function: Operations Officer/
ICT Officer/Regional ICT/Emergency Coordinator).
The staffing plan includes a total of (insert staffing numbers) staff deployed – using a combination of
(list staffing resources, country office personnel re-assigned, regional staff, global roster staff, locally
recruited staff, stand-by partners and private sector partners).
A detailed staffing plan (organogram) including roles and names, for both phases, is attached in Annex
“ICT Organogram”.
The initial response will be achieved using the existing country office contingency equipment. Additional
equipment will be procured from (include procurement source):
• Local procurement: specify equipment type
• Regional stock: specify equipment type
• ICTD stock: specify equipment type
• Global LTAs: specify equipment type
The procurement of this equipment will be handled by (specify which office will be responsible for
all/specific procurements: country office, regional office, ICTD).
This chapter should also describe shipment routes and pre-positioning of the equipment in staging
areas when applicable.
The office will guarantee that ICT requests from staff are met by implementing real time monitoring,
which will be achieved through: daily calls, operational and emergency meetings, weekly conference
calls with the Regional Office and Headquarters, and field trips.
Key performance indicators that will be used to monitor the implementation of the project are as follows:
• Number of Users per common UNICEF operational area.
• Number of registered devices (ex: DHCP leases) per common UNICEF operational area.
• Cost per beneficiary and per device
• Performance against initial baseline (including budget) – not a separate indicator as such but a
measurable milestone to monitor progress
• Sustainability and long-term benefits
• Optimized use of local resources and partnerships
• Adequate resources in place (including staff number and level, funding, etc.)
• Percentage of service availability
• Average bandwidth usage per location
• Cost efficiency and savings resulting from sharing of resources and minimizing service duplication
• Funding distribution
PHASE-OUT/EXIT STRATEGY
Specify how the office will transition from the emergency phase to normal operations, either via the
project closing, a downsizing of operations or the establishment of a permanent office.
Include key activities during transition (i.e. Internet access discontinuation, equipment to be dismantled
and/or to be submitted for PSB, return of equipment to ICTD stock, etc.), the timeline for each activity
and potential costs, associated risks and how the process will be monitored.
RISKS MITIGATION
INTER-AGENCY COLLABORATION
This chapter only applies if an inter-agency arrangement such as the Emergency Telecoms Cluster is
deployed.
The Emergency Telecommunications Cluster (ETC) will aim at providing Security Telecommunication
and “Internet café” type of connectivity to UN agencies and Cluster partners in the following operational
areas (name of sites).
(name of agency) is the implementing agency responsible for the assessment of security
telecommunications and data-communications needs, preparation of project proposals, establishment
and maintenance of services.
UNICEF will seek to make the best use of such services by collaborating with the implementing
partner on the following (list arrangements; examples):
• Share VHF and HF radio configurations to access the common security network
• Use data connectivity as main or backup link via point-to-point wireless links
• Participate in inter-agency / ETC meetings and teleconferences when necessary
• Share UNICEF services when necessary
The section below includes details of the services established / to be provided for each of the sites. It
is based on information available as of (insert date) on the sites to be covered, the security phase in
place and the number of staff planned. The “Service available” column indicates whether services and
equipment are available at the moment of writing of this document. The following column, “Provider”
lists the provider of the services (ex: CO stock, LTA supplier, ETC, ISP…).
The office upgrade in (insert location name) will start/started on (insert date), and is continuing to cater
for additional staff arrivals. Services are scheduled for completion by (insert date).
Assumptions:
1. (Insert number) additional staff to the existing (insert number) person team,
2. UN security Level (insert level number),
Service | Availability | Planned for P0 | Provider
Mobile phones for surge critical staff Yes/No X
Satellite phones for surge critical staff Yes/No X
ICT Help desk capacity increase Yes/No X
Main Internet link upgrade Yes/No X
Backup Internet link upgrade Yes/No X
LAN & WLAN infrastructure upgrade Yes/No X
Printing services upgrade
Emergency Team Site (Sharepoint) Yes/No X
Assumptions:
Service | Availability | Planned for PI | Planned for PII | Provider
Mobile phones for critical staff Yes/No X
Satellite phones for critical staff Yes/No X
BGAN or Thuraya IP for the office Yes/No X
ICT Help desk Yes/No X
Printing / Scanning Yes/No X
Main Internet link Yes/No X
Backup Internet link Yes/No X
Firewall Yes/No X
Team Site (Sharepoint) Yes/No X
LAN & WLAN infrastructure Yes/No X
Voice router & VOIP equipment Yes/No X
Public telephone line Yes/No X
PABX Yes/No X
Audio-conference service Yes/No X
Video-conference service Yes/No X
Servers Yes/No X
Backup Power (generator, solar) Yes/No X
24/7 radio room Yes/No X
VHF base in the office Yes/No X
VHF mobile in the vehicles Yes/No X
VHF handheld for staff Yes/No X
VHF repeater coverage Yes/No X
HF base and antenna in the office Yes/No X
HF mobile in the vehicles Yes/No X
ANNEX F - UN STANDARD CALLSIGNS / SELCALLS
The United Nations have created a standard to uniquely identify individuals, agencies and locations
(countries, cities, bases, vehicles…) using HF/VHF networks. The main goals of those standards are
to:
- Increase the safety and security of aid workers and their properties.
- Increase the efficiency of and the communication within the UN and NGO community.
- Identify each base and vehicle with a unique callsign and selcall within one HF/VHF network.
- Convey as much critical information as possible (e.g. the agency a user belongs to, its
location) through the callsign and selcall structure.
- Keep the callsigns as short as possible and easy to use.
- Support NGOs and smaller agencies.
Selcalls and callsigns are based on a number of secondary standards defining the standard call letters
(or abbreviation) for locations, agencies and departments. These secondary standards are described
in the next paragraph.
N.B. The official call sign allocated by the ITU for the UN is 4U, i.e. 4UA – 4UZ.
If ever questioned by telecoms authorities about the call signs being used, you should quote the ITU
callsign first, then the list of callsigns you have created, e.g. 4UA AF mobile 3654.
LOCATION, AGENCIES AND DEPARTMENTS IDENTIFICATION
To uniquely define each location within one VHF or HF radio network, the United Nations are
maintaining a database containing the identifiers for each country and city where humanitarian
organizations are operating. The full document is available on the flash drive (►Sell Call and Call sign
list Nov 2011.xlsx); the following is an extract:
(Extract columns: Agency Id, Assigned Agency, Numerical sequence)
Finally, the most commonly used departments within an agency are defined by a call number system as
follows:
Of course, dedicated prefixes should only be used for departments or user groups large enough to
justify a dedicated prefix. Note that department numbers are only used for VHF callsigns.
All locations, agencies and departments identifiers are used with the call sign and selcall structure as
explained in the following paragraphs.
VHF CALLSIGN ASSIGNMENT
A callsign is a code used to name individuals or entities when talking on the network. When using
VHF, one usually wants to communicate with an individual, a base or a vehicle:
VHF Callsigns for individuals
B – C – X – YZ
Examples:
- Bravo Romeo 3 = UNHCR Baghdad Head of Logistics
- Bravo Romeo 3.1 = UNHCR Baghdad warehouse supervisor
- Bravo Romeo 3.11 to 3.19 = UNHCR Baghdad warehouse staff
- Kilo Charlie 5 = UNICEF Kampala Security officer
- Hotel Papa 8.11 to 8.19 = WHO Prishtina (Kosovo) ICT staff
Notes:
- The ‘dots’ in the calls are not to be pronounced.
- Each number is pronounced individually (e.g. Papa Delta Three One One, not Papa Delta Three
Eleven).
If a VHF network covers more than one country or in cross border operations, it is advised that a full
regional callsign is used:
A – B – C – X – YZ
If a VHF network covers more than one country or in cross border operations, it is advised that a full
regional callsign is used:
A – B – C + “Base”
1 + A - BC - DE - F - GH
Note: Vehicles are typically not identified with VHF callsigns but some operations may require this. If so
we recommend: A – C + “Mobile” + XXX
HF SELCALL ASSIGNMENT
Main HF suppliers and various UN agencies collaborated to implement a six digit selective calling
(selcall) protocol in all newly manufactured HF radios. The selcall number is then entered in the
transceivers to reach a particular destination. An easy analogy to HF selcalls is the numbering system
used in phone networks.
A-B-CD-EF
Example:
- WFP base in Kampala (Uganda), Kilo Uniform Foxtrot, “110611”
- UNICEF base in Bogota (Colombia), Charlie Bravo Charlie, “540302”
- FAO base in Bamian (Afghanistan), Alpha Alpha Bravo, “120102”
Selcall assignment for mobiles:
A is the one digit number identifying the region where the base is located (figure 14)
B is the one digit number identifying the country within the region (figure 14)
CD is the two digit numerical sequence used for the agencies (+ 30/60) (figure 15)
EF is the two digit numerical sequence used for the location ID (figure 14)
Notes: In the mobile numbering plan each agency is allocated selcalls for two fleets of 90 vehicles
(avoiding “0” as the last digit, as this may cause a group call on certain types of radios). If a particular
agency requires a larger fleet allocation, one of the unused fleet numbers from 27-30, 57-60 or 87-98
can be allocated.
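The A-B-CD-EF numbering described above can be checked mechanically before radios are programmed. The following Python sketch is an added example, not part of the handbook: the class and function names are hypothetical, the 01-26 agency range is inferred from the unused fleet numbers listed in the notes, and treating the last two digits of a mobile selcall as the vehicle number within its fleet is an assumption that reproduces the stated 90 vehicles per fleet.

```python
from dataclasses import dataclass
from typing import Optional

# Ranges inferred from the handbook's notes (an assumption of this example):
# mobiles add 30 or 60 to the agency sequence, and 27-30, 57-60 and 87-98 are
# listed as unused fleet numbers, which leaves 01-26 for the agencies themselves.
MAX_AGENCY = 26
FLEET_OFFSETS = {1: 30, 2: 60}
SPARE_FLEETS = (range(27, 31), range(57, 61), range(87, 99))

# Agency numbers readable from the handbook's three base examples, nothing more.
AGENCY_FROM_EXAMPLES = {1: "FAO", 3: "UNICEF", 6: "WFP"}

GROUP_CALL_WARNING = "last digit 0 may cause a group call on certain radios"


@dataclass(frozen=True)
class Selcall:
    digits: str
    region: int                  # A
    country: int                 # B
    cd: int                      # CD exactly as programmed
    ef: int                      # EF
    kind: str                    # "base", "mobile", "spare-fleet" or "unassigned"
    agency_seq: Optional[int]    # CD with the fleet offset removed
    fleet: Optional[int]         # 1 (+30) or 2 (+60), mobiles only
    warnings: tuple


def parse_selcall(text: str) -> Selcall:
    """Split a six digit A-B-CD-EF selcall and classify its CD field."""
    digits = text.strip().replace("-", "").replace(" ", "")
    if len(digits) != 6 or not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"a selcall is exactly six digits, got {text!r}")
    cd = int(digits[2:4])
    kind, agency_seq, fleet = "unassigned", None, None
    if 1 <= cd <= MAX_AGENCY:
        kind, agency_seq = "base", cd
    elif any(cd in spare for spare in SPARE_FLEETS):
        kind = "spare-fleet"
    else:
        for number, offset in FLEET_OFFSETS.items():
            if 1 <= cd - offset <= MAX_AGENCY:
                kind, agency_seq, fleet = "mobile", cd - offset, number
    warnings = []
    if kind in ("mobile", "spare-fleet") and digits.endswith("0"):
        warnings.append(GROUP_CALL_WARNING)
    if kind == "unassigned":
        warnings.append(f"CD {cd:02d} is outside every range the plan describes")
    return Selcall(digits, int(digits[0]), int(digits[1]), cd, int(digits[4:]),
                   kind, agency_seq, fleet, tuple(warnings))


def fleet_selcalls(region: int, country: int, agency_seq: int, fleet: int) -> list:
    """List the mobile selcalls of one fleet, skipping numbers that end in 0.

    Assumption: EF numbers the vehicles inside a fleet, so 01-99 minus the nine
    values ending in 0 gives the 90 vehicles per fleet stated in the notes.
    """
    if not (0 <= region <= 9 and 0 <= country <= 9):
        raise ValueError("region and country are single digits")
    if not 1 <= agency_seq <= MAX_AGENCY or fleet not in FLEET_OFFSETS:
        raise ValueError("unknown agency sequence or fleet number")
    cd = agency_seq + FLEET_OFFSETS[fleet]
    return [f"{region}{country}{cd:02d}{n:02d}" for n in range(1, 100) if n % 10]


if __name__ == "__main__":
    # First three values are the handbook's base examples; the rest are constructed.
    for sample in ("110611", "540302", "120102", "1-1-36-11", "116610", "112801"):
        s = parse_selcall(sample)
        agency = AGENCY_FROM_EXAMPLES.get(s.agency_seq, "not on this page")
        print(s.digits, s.kind, "fleet", s.fleet, "agency", s.agency_seq, agency,
              "; ".join(s.warnings))
    print(len(fleet_selcalls(1, 1, 6, 1)), "selcalls in fleet 1 of agency 06")
```

Running the same check over a radio programming sheet before deployment catches selcalls that fall outside the plan or that would trigger a group call.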
Example:
Ahmed: Well, there was more shooting last night, it’s fine now though.
Fred: I’m planning to go the back road to you via the small bridge
Ahmed: $2000
Ahmed: Yes
Fred: OK
Fred: Around 3pm, I’ll call you when I leave town and when I pass the small bridge
PHONETICS AND PROCEDURE WORDS
An international phonetic alphabet is used to spell out words and acronyms so that critical combinations
of letters and numbers can be pronounced and understood by those who transmit and receive voice
messages by radio regardless of their native language.
In some countries, letters like India, Whiskey and Yankee are considered to be unsuitable. Therefore,
substitutes can be used from other phonetic alphabet variations, e.g. Indigo, William, Young.
In general numbers are transmitted digit by digit except that exact multiples of hundreds and thousands
are spoken as such. For example:
12: ONE TWO
90: NINE ZERO
136: ONE THREE SIX
500: FIVE HUNDRED
7000: SEVEN THOUSAND
16000: ONE SIX THOUSAND
19A: ONE NINE ALFA
The following is a list of the most common pro-words to be used and their meanings:
NEGATIVE – No/Incorrect
ALL AFTER… – Everything that you (I) transmitted after … (keyword)
ALL BEFORE – Everything that you (I) transmitted before … (keyword)
CORRECT (THAT IS CORRECT) – What you have transmitted is correct, you are correct.
CORRECTION – a. An error has been made in this transmission. I will continue with the last word (group) correctly transmitted. b. An error has been made in this transmission. The correct version is… c. That which follows is a corrected version in answer to your request for verification.
WRONG – Your last transmission was incorrect. The correct version is...
DISREGARD THIS TRANSMISSION - OUT – This transmission is an error. Disregard it. (This proword shall not be used to cancel any message that has been already completely transmitted and for which receipt or
DO NOT ANSWER - OUT – Station(s) called are not to answer this call, acknowledge this message, or otherwise transmit in this connection.
SILENCE LIFTED – Silence is lifted. The net is free for traffic.
END OF MESSAGE OVER (OUT) – This concludes the message just transmitted (and the message instructions pertaining to a formal message)
END OF TEXT – The textual part of a formal message ends. Standby for the message instructions immediately following.
FETCH…! – I wish to speak on the radio to that person (appointment title).
… Speaking – Requested person is now using the radio by himself
FIGURES – Numeral or numbers will follow. (This proword is not used with the callsigns, time definitions, grid references, bearings, distances, etc)
FROM – a. THIS IS… b. The originator of this formal message is indicated by the address designation immediately following.
TO – The addressees whose designations will immediately follow are to take action on this formal message.
THIS IS… – This transmission is from the station whose designation immediately follows.
MESSAGE – I have message for you.
PROWORD – MEANING
OUT – This is the end of my transmission to you. No answer or acknowledgement is expected.
SEND! – Go ahead with your transmission.
SEND YOUR MESSAGE! – Go ahead, transmit: I am ready to copy
… SPEAK SLOWER! – Reduce the speed of your transmission. (normally used in connection with request for repetition)
I SPELL – I shall spell the next word, group or equivalent phonetically.
RELAY TO… – Transmit the following message to all addressees or to the address designation immediately following.
ROGER – I have received your last transmission satisfactorily.
I VERIFY – That which follows has been verified at your request and is repeated. To be used only as a reply to VERIFY.
WAIT-WAIT-WAIT – I must pause for a second
WAIT-OUT – I must pause longer than some seconds, and will call you again when ready.
WORD AFTER… – The word of the message to which I have reference is that which follows…
Example of conversation:
Reports of readability:
CLEAR – Excellent quality
READABLE – Good quality
DISTORTED – I have trouble reading you
WITH INTERFERENCE – I have trouble reading you due to interference
NOT READABLE – I can hear that you transmit but I cannot read you at all
GLOSSARY
AC Alternating Current, an electric current that reverses its direction many times a second at regular intervals, typically used in power supplies
ALE Automatic Link Establishment. In HF, a system that automatically selects the best frequency.
AM Amplitude Modulation. The modulation of a wave by varying its amplitude, used chiefly as a means of radio broadcasting, in which an audio signal is combined with a carrier wave
AP Access Point. A type of base station that wireless LANs use to interface wireless users to a wired network and provide roaming throughout a facility.
BC/DR Business Continuity / Disaster Recovery. Process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster.
BCP Business Continuity Planning, identifies an organization's exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization, while maintaining competitive advantage and value system integrity
BER Bit Error Ratio. The rate at which erroneous bits are received over a link, expressed as a proportion of the overall bit rate.
BGAN Mobile satellite terminal offering voice and high-speed Internet access, up to 492kbps.
Bit Smallest information unit. A bit can be 0 or 1.
BSS Basic Service Set, is an IEEE 802.11 definition of a managed wireless network that comprises a single access point and its wireless devices.
BUC Block Up Converter. Used in the transmission or uplink of satellite signals, a BUC used on an antenna converts a band or block of frequencies from a lower frequency to a higher frequency on a Ka, Ku, or C band satellite.
C Band The C band is a name given to certain portions of the electromagnetic spectrum, including wavelengths of microwaves that are used for long-distance radio telecommunications. The IEEE C-band (4 GHz to 8 GHz) - and its slight variations - contains frequency ranges that are used for many satellite communications transmissions, some Wi-Fi devices, some cordless telephones, and some weather radar systems.
C/N Carrier to Noise Ratio. Ratio of received carrier power and noise power in a given bandwidth, expressed in dB.
CallSign Unique designation for a transmitting station
CALM Codan Automated Link Management (CALM) is a function that automates the selection of channels. (See ALE)
CCC UNICEF core commitments for children in emergencies. The CCCs also contain minimum requirements for ICT preparedness and response
CCNA Cisco Certified Network Associate certification from Cisco
CDMA Code Division Multiple Access. A process where each user modulates their signals with a different, noninterfering code.
Citrix American multinational corporation that provides server and desktop virtualization, networking and cloud computing technologies
CLI Command Line Interface: a user interface in which you type commands instead of choosing them from a menu or selecting an icon
CO UNICEF Country Office
Codan Manufacturer and UNICEF LTA provider of standard HF radio equipment
CPS Motorola Customer Programming Software, is the only way to program Motorola two-way radios.
CVG Company manufacturing UNICEF's ETR1 kits. UNICEF holds a Long Term Agreement (LTA) with CVG.
CW Continuous Wave. An electromagnetic wave, esp. a radio wave, having a constant amplitude.
DAMA Protocol to control the access of packet-radio transmitters to the frequency channel they share. The user stations (DAMA-slaves) must transmit only if they get the permission by the central node (DAMA-master). This makes it possible that all stations controlled by a DAMA master are equally privileged. DAMA was developed by Nord<>Link for Packet-Radio and is standard in Europe but not in most other countries.
Danimex UNICEF's LTA provider for VHF/UHF equipment
dB Decibel: a logarithmic unit of sound intensity; 10 times the logarithm of the ratio of the sound intensity to some reference intensity
dBW The decibel watt or dBW is a unit for the measurement of the strength of a signal expressed in decibels relative to one watt. It is used because of its capability to express both very large and very small values of power in a short range of number; e.g., 1 milliwatt = −30 dBW, 1 watt = 0 dBW, 10 watts = 10 dBW, 100 watts = 20 dBW, and 1,000,000 W = 60 dBW.
DC Direct Current. An electric current that flows in one direction steadily.
DHCP Dynamic Host Configuration Protocol. A protocol that automatically assigns unique IP parameters (address, mask, gateway, DNS…) within an assigned range to network devices.
DMZ In computer security, a DMZ, or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet.
DNS Domain Name Server, the system that automatically translates Internet addresses to the IP addresses that computers use
IEEE Institute of Electrical and Electronics Engineers. Non profit organization that establishes standards for the data communications industry, especially for LANs.
IFL Inter Facility Link. The link between an antenna and its associated ground communications equipment.
IP54 International Protection rating that describes the protection a fitting has from intrusion of solid and liquid material (54 = limited dust ingress and water spray protection from all directions)
IP65 International Protection rating that describes the protection a fitting has from intrusion of solid and liquid material (65 = totally protected against dust and low pressure water jets)
IPBX IP (Internet Protocol) PBX (Private branch exchange). Business telephone system designed to deliver voice or video over a data network and interoperate with the Public Switched Telephone Network (PSTN)
IPSec IP Security. A protocol that supports secure exchange of packets at the network layer of a network. IPSec is commonly implemented in VPNs and encrypts data packets across the entire network; often referred to as end-to-end encryption.
Iridium/PPP Is a 2.4 kbps dial up Iridium service allowing users to connect to email (ccmail)
iSite Is the default software used to configure iDirect modems
ICTD UNICEF's Information Technology Solutions and Services department based in New York Headquarters
Ku Band A portion of the RF spectrum located between 10.9 GHz and 17 GHz, a part of which is dedicated to satellite communications. Satellite downlink frequencies are located between 11.7 GHz and 12.2 GHz and uplink frequencies are located between 14 GHz and 14.5 GHz.
L/RHCP Left/Right Handed Circular Polarization. Polarization of an electromagnetic wave where the tip of the electric field vector, at a fixed point in space, describes a circle as time progresses.
LEO Low Earth Orbit. An orbital altitude typically around 350 - 1400 km above the Earth's surface.
LNA Low Noise Amplifier. Equipment that receives the satellite signal reflected by the antenna and amplifies it to the level needed by the satellite receiving equipment.
LNB Low noise blocker, a circuit on a satellite dish that selects the required signal from the transmission
LOS Line of Sight. Straight line between the transmitter and the receiver. The line between the two needs to be clear, as anything blocking the path will result in a signal disruption.
LTA Long Term Agreement. Agreement between UNICEF and a supplier or service provider to provide goods or services as required, over a specific period of time, at determined price.
MAC Media Access Control address (MAC address). Unique identifier assigned to network interfaces for communications on the physical network segment.
MEO Medium Earth orbit. A satellite system used in telecommunications. MEO satellites orbit the earth between 1,000 and 22,300 miles above the planet's surface.
MIMO Multiple-Input and Multiple-Output. Use of multiple antennas at both the transmitter and receiver to improve communication performance.
MiniM Inmarsat's previous generation of mobile satellite devices. Used to deliver voice and 2.4kbps data.
MOSS Minimum Operating Security Standards. A generic document that sets the minimum operating security standards for United Nations field operations globally.
Motorola Manufacturer of UNICEF/UN standard VHF and UHF radio equipment
MoU Memorandum of Understanding. Document describing a bilateral or multilateral agreement between parties.
MSK Minimum shift keying. Type of continuous-phase frequency-shift keying that was developed in the late 1960s.
MSS Mobile Satellite Services (BGAN, Thuraya, Iridium, etc.)
NAT Network Address Translation. A protocol that maps official IP addresses to private addresses that may be in use on their internal networks. For example, a broadband Internet service provider may offer only one official IP address to a home owner. NAT, along with DHCP, enables the homeowner to have multiple PCs and laptops sharing the single official IP address.
NGT Codan New Generation Transceiver. Family of Codan HF radios for bases and vehicles.
NPS Network Policy Server. Microsoft's implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server. It performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections.
NSP NGT System Programmer. Codan's software used to configure and program NSP radios.
NVIS Near Vertical Incidence Skywave. A wave that is reflected from the ionosphere at a nearly vertical angle and that is used in short-range communications to reduce the area of the skip zone and thereby improve reception beyond the limits of the ground wave.
NYHQ UNICEF's New York Headquarters
ODU Outdoor Unit. Equipment located outside of a building close to the satellite dish or antenna and typically includes a low noise block converter (LNB) and a block-up-converter (BUC).
OFDM Orthogonal Frequency Division Multiplexing. A type of modulation technology that separates the data stream into a number of lower-speed data streams, which are then transmitted in parallel. Used in 802.11a, 802.11g, and powerline networking.
OJT On the Job Training. Advanced UNICEF emergency telecoms curriculum for standby partners, held in a field location and usually 3 weeks long.
PAT Port Address Translation. A feature of a network device that translates TCP or UDP communications made between hosts on a private network and hosts on a public network.
TCP Transmission Control Protocol. A protocol that establishes and maintains connections between computer devices attached to a network. TCP is used in conjunction with IP, which is commonly referred to as TCP/IP.
TDM Time Division Multiplexing. Two or more bit streams or signals are transferred apparently simultaneously as sub-channels in one communication channel, but are physically taking turns on the channel.
TDMA Time Division Multiple Access. A process that allows only one user to transmit in any given time slot. Each user has use of the entire bandwidth during its assigned time slot.
Telnet Network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communications facility via a virtual terminal connection
ThurayaIP MSS terminal offering high-speed Internet access, up to 384kbps
Terms of reference, describe the purpose and objectives in a mission. ToRs are required to deploy standby partner
ToR
staff and consultants.
Telecoms Sans Frontieres. Humanitarian-aid non-governmental organization specialised in telecommunications in
TSF
emergency situations.
Traveling Wave Tube Amplifier. High Power RF Frequency Amplifier that works by transferring energy from an
TWTA
electron beam to the RF signal.
User Datagram Protocol. Used to provide fast data transfer between two IP endpoints, but is not as reliable a
UDP
method as TCP.
Ultra High Frequency radio: Operating around 450MHz, useful for short-range communication (5-50km, dep on
UHF
network infrastructure)
UNDSS United Nations Department for Safety and Security
UNICEF United Nations International Children's Emergency Fund, more commonly known as United Nation's Children Fund
Upper/Lower Sideband. Modes of SSB transmission. Band of frequencies higher than or lower than the carrier
USB/LSB
frequency, containing power as a result of the modulation process.
VAC Volt Alternating Current, see AC
Very High Frequency radio: Operating around 150MHz area, useful for short-range communications (5-50km, dep
VHF
on network infrastructure)
A virtual LAN, known as a VLAN, is a logically-independent network. Several VLANs can co-exist on a single
VLAN
physical switch. It is usually refer to the IEEE 802.1Q tagging protocol.
VOIP Voice over Internet protocol, a communications protocol that allows for telephonic communication via the Internet
VPN Virtual Private Network. The use of special software on the client device that controls access to remote applications and secures the connection from end to end using encryption.
VSAT Very Small Aperture Terminal: Satellite system using antennas of ~1-3.8 meter, for international Internet/email/corporate applications, at fixed cost
VSWR Voltage Standing Wave Ratio. The ratio of the maximum/minimum values of standing wave pattern along a transmission line to which a load is connected. VSWR value ranges from 1 (matched load) to infinity for a short or an open load. For most base station antennas the maximum acceptable value of VSWR is 1.5.
VTP VLAN Trunking Protocol (VTP) is a Cisco proprietary Layer 2 messaging protocol that manages the addition, deletion, and renaming of Virtual Local Area Networks (VLAN) on a network-wide basis.
VTY Virtual Terminal Line, see Telnet
WAN Wide Area Network: a computer network that spans a wider area than does a local area network
WEP Wired Equivalent Privacy. A part of the 802.11 standard that defines encryption between devices connected to a wireless LAN.
WFP World Food Program
WIDER Wireless LAN in Disaster and Emergency Response. Ericsson's Response standard ETC solution for WIFI guest user access.
WIFI Wireless Fidelity. A trademark of the Wi-Fi Alliance, commonly used to refer to 802.11g
WIMAX Worldwide Interoperability for Microwave Access. A wireless technology based on the IEEE 802.16 standard providing metropolitan area network connectivity for fixed wireless access at broadband speeds.
WLAN Wireless Local Area Networks. A network using radio waves instead of a cable to connect a user device, such as a laptop computer, to a LAN
WPA Wi-Fi Protected Access. A security protocol, defined by the Wi-Fi Alliance, that enables computer devices to periodically obtain a new encryption key. WPA version 1 implements Temporal Key Integrity Protocol (TKIP) and WEP, whereas WPA version 2 implements the full 802.11i standard (which includes AES).