Emergency Telecommunications Handbook PDF

EMERGENCY
TELECOMMUNICATIONS
HANDBOOK
United Nations Children Fund (UNICEF)

Information and Communication Technology Division
December 2017 Edition (v5.1)
Permission is required to reproduce any part of this handbook. Permission will be granted freely to educational or
non-profit organizations. Contact:
Division of Information and Communication Technologies
3 United Nations Plaza, New York, NY 10017, USA
Tel: + (212) 326 7528
(page intentionally left blank)
2 EMERGENCY TELECOMS HANDBOOK

FOREWORD
UNICEF’s ICT mission is to “transform and build partnerships with our stakeholders to successfully
implement UNICEF programmers globally through the use of innovative, technology-enabled solutions
for better outcomes for children”. To achieve this strategy, our ICT professionals abide by three main
pillars: Operational Effectiveness, Programme Effectiveness and the Innovative use of Technology. In
alignment with these pillars, one of our main priorities is to ensure emergency preparedness, response
planning and leadership in the area of ICTs at the global, regional and local level. The ICT division,
along with our partners and emergency responders, have provided their technical expertise to establish
this extensive training manual. Presented are a set of guidelines and detailed instructions to support
teams in facilitating the delivery of effective emergency telecommunications at the field level. I
appreciate the effort and professionalism that has been put in the creation of this handbook and I am
sure you will find this a useful tool.
Daniel Couture
Chief Information Officer, UNICEF
SCOPE
Emergencies strike in the blink of an eye. Responding to an emergency without the essential
communication technology resources runs the risk of being unable to deliver vital assistance to the most
affected communities. This edition is built on the foundation of three critical components that facilitate
a successful ICT response in humanitarian emergencies: equipment, procedures and local capacity.
Responders will find this as a useful tool, enabling them to make immediate decisions in the face of
emergencies in order to deploy the necessary equipment in challenging environments. In seven well-
written chapters, it successfully conceptualizes the nature of ICT in emergency preparedness and
response, and addresses the overall integration of various standard telecommunications systems. This
information proves vital in the first few days of an emergency.
Hani Shannak
Chief, ICTD Operations and Services
AKNOWLEDGEMENTS
This handbook is the fruit of collaboration among many individuals and institutions. The editorial team
would like to thank all who gave so generously of their expertise and energy, in particular:
Simon Genin (UNICEF); Runar Holen (UNICEF); Johnni Bundgaard (Danimex); Mickael Da Silva (IEC
Telecoms); Karim Ghalaini (UNICEF); Josua Hunziker (Open Systems); John Jacobs (Codan); Charles
Lomotey (UNICEF); Cecile Lussi (Open Systems); Callum McEwen (Codan), Rado Ramanahadray
(UNICEF), Jean-Claude Rutayisire (UNICEF), Roberto Salazar (UNICEF) and Laurent Zimmerli (Open
Systems).
REVISION HISTORY
VERSION DATE DESCRIPTION
V1.0 Oct. 2011 - Initial version created as a support document to the ETT2011 workshop. Handbook is
composed of 7 chapters (EPR, HF, VHF, MSS, VSAT, LAN, WLAN), each subdivided
into 3 topics (theory, standards, configuration).
V2.0 Oct. 2012 - Modifications to the EPR chapter: addition of UNICEF’s strategy, move of the EPR
checklist to annexes, removal of the chapter aimed at non-ICT staff.
- Modification to the HF chapter: theory knowledge additions, revamping of callsigns /
selcall chapter, addition of step by step installation and configuration instructions for the
Codan NGT radios.
- Slight amendments to the VHF theory chapter, revamping of callsigns / selcall chapter.
- Minor modifications to the LAN theory chapter, addition of a chapter dedicated to the
operations of UNICEF emergency kits
- Addition of WLAN hardware standards
- Removal of all training quizzes
V2.1 June 2013 - Updated HF theory contents, addition of Codan Envoy hardware
- Addition of configuration guidelines for the BGAN 700 and Thuraya Satsleeve
- Revamped LAN chapter, especially information related to the new emergency kits,
switching & VLANs, IP telephony
- Addition of a chapter focusing on Cisco Wireless LAN controllers and standard WiFi
V3.0 Oct. 2014 - Conversion from a training support document to a handbook that can be used in any
situation, removal of all exercise and quiz sheets, uniformization of the handbook
structure and contents.
- Added forewords, scope and new cover
- Revamped EPR chapter: move of the CCCs to annexes, addition of a scope and
definitions chapter, country risk index, BCP and ICT-DR, prestocking guidelines, minor
alterations to the response chapter
- Minor alterations to the HF chapter, addition of HF hardware standards and step-by-
step configuration instructions for the Codan Envoy
- Minor alterations to the VHF theory, addition of VHF hardware standards and
configuration instructions for the Motorola Mototrbo
- Major revamp of the MSS chapter, addition of hardware standards and selection
guidelines, airtime service plans
- Major revamp of the VSAT chapter, addition of hardware standards, bandwidth pricing
and step-by-step VSAT installation
- Major revamp of the LAN chapter, addition of theoretical content, hardware standards
and specific instructions for the operations of UNICEF kits
- Minor updates to the WLAN chapter
V3.1 Nov. 2014 - Minor corrections to the technical procedures
V3.2 Jan. 2015 - Minor corrections to the technical procedures
V4.0 Aug. 2016 - New forewords, scope and cover
- Changed from letter to A4 format
- Corrected VHF Mororola Motorbo configuration guidelines
- Update Mission Control security gateway configuration instruction
V5.0 July 2017 - Adapted overall wording for an Inter-Agency audience
- Updated EPR chapter (BCP, ICT-DR, IA/ETC guidelines), MSS chapter (BGAN 510/710
configuration guidelines), VSAT chapter (Inmarsat GX) and VHF chapter (latest VHF
radio models, DMR, antennas).
- Major revamp of LAN/WLAN chapters to focus more on standard emergency office
setup rather than emergency kit procedures. Addition of Meraki and Ubiquiti hardware
standards and configuration instructions. Additional configuration guidelines for security
gateways, switches, voice routers and WLCs.
V5.1 Dec. 2017 - Minor corrections (VHF, LAN chapters)

CONTENTS
CHAPTER 1 – ICT EMERGENCY PREPAREDNESS & RESPONSE GUIDELINES
1 SCOPE AND DEFINITIONS .................................................................................................................... 9

1.1 HUMANITARIAN EMERGENCIES ...................................................................................................................... 10
1.2 EMERGENCY MANAGEMENT CYCLE ................................................................................................................ 10
1.3 CLASSIFYING THE LEVEL OF RESPONSE.......................................................................................................... 10
1.4 ICT STRATEGY IN HUMANITARIAN EMERGENCIES ............................................................................................ 11
2 EMERGENCY PREPAREDNESS GUIDELINES........................................................................................ 12

2.1 COUNTRY RISK INDEX .................................................................................................................................. 12
2.2 PREPAREDNESS PLANNING ........................................................................................................................... 12
2.3 BUSINESS CONTINUITY ................................................................................................................................. 13
2.4 ICT DISASTER RECOVERY ............................................................................................................................ 14
2.5 SECURITY AND MOSS.................................................................................................................................. 14
2.6 TRAINING OF ICT RESPONDERS .................................................................................................................... 14
2.7 PRE-STOCKING GUIDELINES ......................................................................................................................... 15
2.8 LONG TERM ARRANGEMENTS ........................................................................................................................ 16
3 EMERGENCY RESPONSE GUIDELINES ............................................................................................... 17

3.1 STANDARD OPERATING PROCEDURES ........................................................................................................... 17
3.2 ICT ASSESSMENTS ...................................................................................................................................... 18
3.3 RESPONSE PLAN ......................................................................................................................................... 20
3.4 MONITORING AND EVALUATION ...................................................................................................................... 20
3.5 SUPPLY & LOGISTICS ................................................................................................................................... 21
3.6 DEPLOYING ADDITIONAL RESPONDERS........................................................................................................... 23
3.7 COORDINATION ............................................................................................................................................ 24
3.8 EQUIPMENT ................................................................................................................................................. 26
CHAPTER 2 – HIGH FREQUENCIES (HF) RADIOS
1 ABOUT HIGH FREQUENCIES.............................................................................................................. 30

1.1 THE IONOSPHERE ........................................................................................................................................ 30
1.2 PROPAGATION ............................................................................................................................................. 31
1.3 SKIP ZONE .................................................................................................................................................. 32
1.4 MODULATION ............................................................................................................................................... 33
1.5 FREQUENCY PREDICTION .............................................................................................................................. 34
2 HF HARDWARE STANDARDS ............................................................................................................ 35

2.1 HF TRANSCEIVERS ...................................................................................................................................... 35
2.2 HF ANTENNAS ............................................................................................................................................. 36
2.3 CABLES AND TOOLS ..................................................................................................................................... 37
3 DEPLOYING CODAN NGT SRX RADIOS ............................................................................................ 39

3.1 EQUIPMENT ASSEMBLY ................................................................................................................................. 39
3.2 NGT SYSTEM PROGRAMMER (NSP) ............................................................................................................. 41
3.3 PROGRAMMING SEQUENCE ........................................................................................................................... 43
3.4 TESTING THE RADIOS .................................................................................................................................... 46
4 DEPLOYING CODAN ENVOY X1/X2 RADIOS ....................................................................................... 48

4.1 RADIO ASSEMBLY ........................................................................................................................................ 48
4.2 ENVOY TRANSCEIVER PROGRAMMING SOFTWARE (TPS) ................................................................................. 49
4.4 TESTING THE RADIOS .................................................................................................................................... 55
CHAPTER 3 – VERY / ULTRA HIGH FREQUENCIES (VHF/UHF) RADIOS
1 ABOUT VHF/UHF ............................................................................................................................ 58

1.1 COVERAGE .................................................................................................................................................. 58
1.2 PROPAGATION ............................................................................................................................................. 58
1.3 CHANNELS .................................................................................................................................................. 59
1.4 NETWORKS ................................................................................................................................................. 60
1.5 SIGNALING .................................................................................................................................................. 60
1.6 DIGITAL RADIOS (DMR) ............................................................................................................................... 61
2 HARDWARE STANDARDS .................................................................................................................. 63

2.1 HANDSETS, MOBILES AND BASE STATIONS ..................................................................................................... 63
2.2 REPEATERS ................................................................................................................................................. 65
2.3 ANTENNAS .................................................................................................................................................. 66
3 INSTALLATION BEST PRACTICES ....................................................................................................... 68

3.1 BASE STATIONS & RADIO ROOMS .................................................................................................................. 68
3.2 MOBILE STATIONS ......................................................................................................................................... 68
3.3 GROUNDING SYSTEM..................................................................................................................................... 69
3.4 ANTENNAS .................................................................................................................................................. 69
4 GM/GP RADIOS PROGRAMMING ....................................................................................................... 70

4.3 CPS SOFTWARE OVERVIEW ......................................................................................................................... 71
4.5 RAPID CLONING OF RADIOS .......................................................................................................................... 75
4.6 UPGRADING CODEPLUGS .............................................................................................................................. 75
5 DM/DP RADIOS ANALOGUE PROGRAMMING...................................................................................... 75

5.1 REQUIREMENTS ........................................................................................................................................... 76
5.2 MOTORBO PROGRAMMING SEQUENCE ........................................................................................................... 77
CHAPTER 4 – MOBILE SATELLITE SERVICES (MSS)
1 INTRODUCTION TO MOBILE SATELLITE SERVICES .............................................................................. 80

1.1 INMARSAT ................................................................................................................................................... 80
1.2 IRIDIUM ....................................................................................................................................................... 82
1.3 THURAYA .................................................................................................................................................... 83
2 HARDWARE AND SERVICE STANDARDS ............................................................................................. 85

2.1 HARDWARE SELECTION CRITERIA .................................................................................................................. 85
2.2 HARDWARE STANDARDS ............................................................................................................................... 86
2.3 SIM CARDS AND COMMISSIONING ................................................................................................................. 88
2.4 SERVICE PLANS ........................................................................................................................................... 88
2.5 SERVICE LEVEL AGREEMENTS (SLA) ............................................................................................................. 90
2.6 CONSIDERATIONS WHEN USING MSS TERMINALS FOR BCP AND EPRP............................................................. 91
3 DEPLOYING MSS TERMINALS ........................................................................................................... 93

3.1 INMARSAT’S BGAN ...................................................................................................................................... 93
3.2 INMARSAT’S ISATPHONE 2 ............................................................................................................................ 98
3.3 THURAYA XT PRO/LITE .............................................................................................................................. 100
3.4 THURAYA SATSLEEVE ................................................................................................................................ 102
3.5 THURAYA IP/IP+ ........................................................................................................................................ 103
3.6 IRIDIUM 9555 / EXTREME ............................................................................................................................ 104

CHAPTER 5 – VERY SMALL APERTURE TERMINALS (VSAT)
1 INTRODUCTION TO VSAT TECHNOLOGIES ....................................................................................... 108

1.1 ORBITS & COVERAGE ................................................................................................................................. 108
1.2 BEAMS ...................................................................................................................................................... 109
1.3 SATELLITE FOOTPRINTS .............................................................................................................................. 109
1.4 FREQUENCY BANDS ................................................................................................................................... 110
1.5 TRANSMISSIONS ......................................................................................................................................... 111
1.6 NETWORK ................................................................................................................................................. 115
2 VSAT HARDWARE STANDARDS ..................................................................................................... 116

2.1 ANTENNAS ................................................................................................................................................ 116
2.2 FEED ASSEMBLY ........................................................................................................................................ 119
2.3 INTER FACILITY LINKS (IFL) CABLES ............................................................................................................. 120
2.4 SATELLITE MODEMS ................................................................................................................................... 121
2.5 VSAT KITS ............................................................................................................................................... 123
3 VSAT SERVICE PLANS .................................................................................................................. 124

3.1 DEDICATED BANDWIDTH ............................................................................................................................. 124
3.2 SHARED BANDWIDTH .................................................................................................................................. 125
4 VSAT INSTALLATION ..................................................................................................................... 126

4.1 PRELIMINARY REQUIREMENTS ..................................................................................................................... 126
4.2 SITE SURVEYS ........................................................................................................................................... 126
4.3 OUTDOOR UNIT INSTALLATION ..................................................................................................................... 129
4.4 INTER FACILITY LINK INSTALLATION .............................................................................................................. 133
4.5 INDOOR UNIT INSTALLATION ........................................................................................................................ 135
4.6 GROUNDING & LIGHTNING PROTECTION ....................................................................................................... 139
CHAPTER 6 – IP TECHNOLOGIES (LAN/WAN/VOIP)
1 LAN/WAN ARCHITECTURE PRINCIPLES ......................................................................................... 142

1.1 STANDARD LAN DESIGN............................................................................................................................. 142
1.2 ACCESS TO THE INTERNET, WAN & CLOUD .................................................................................................. 144
1.3 IP & ROUTING ........................................................................................................................................... 146
1.4 VIRTUAL LANS .......................................................................................................................................... 146
1.5 SECURITY AND FIREWALLS .......................................................................................................................... 147
1.6 VOICE OVER IP (VOIP) .............................................................................................................................. 147
1.7 HIGH AVAILABILITY AND LINK REDUNDANCY .................................................................................................. 148
2 LAN HARDWARE STANDARDS ........................................................................................................ 149

2.1 SECURITY GATEWAYS ................................................................................................................................ 149
2.2 SWITCHES ................................................................................................................................................. 149
2.3 VOIP GATEWAYS ....................................................................................................................................... 149
2.4 IP PHONES ................................................................................................................................................ 150
2.5 EMERGENCY KITS ...................................................................................................................................... 150
3 M ANAGING AND CONFIGURING IP NETWORKS .................................................................................. 151

3.1 MERAKI MX/Z1 SECURITY GATEWAYS ......................................................................................................... 151
3.2 OPEN SYSTEMS SECURITY GATEWAYS ........................................................................................................ 154
3.3 CISCO SWITCHES ....................................................................................................................................... 163
3.4 CISCO VOIP GATEWAYS ............................................................................................................................. 169
CHAPTER 7 – IP TECHNOLOGIES (WIFI)
1 INTRODUCTION TO WIRELESS NETWORKS ....................................................................................... 174

1.1 WLAN PROTOCOLS - IEEE 802.11 FAMILY .................................................................................................. 175
1.2 WLAN FREQUENCY BANDS ........................................................................................................................ 176
1.3 WLAN TOPOLOGIES .................................................................................................................................. 178
1.4 MODULATION AND CODING SCHEME (MCS).................................................................................................. 179
1.5 W IRELESS SECURITY.................................................................................................................................. 181
1.6 GUIDELINES TO OPTIMIZE RADIO COVERAGE .................................................................................................. 184
2 WLAN HARDWARE STANDARDS .................................................................................................... 189

2.1 W IRELESS ACCESS POINTS ......................................................................................................................... 189
2.2 W IRELESS ROUTERS................................................................................................................................... 190
2.3 W IRELESS BRIDGES ................................................................................................................................... 190
2.4 W IRELESS LAN CONTROLLERS ................................................................................................................... 190
3 DEPLOYING WLAN SOLUTIONS ...................................................................................................... 191

3.1 WLAN SITE SURVEY .................................................................................................................................... 191
3.2 STANDALONE CISCO ACCESS POINTS .......................................................................................................... 193
3.3 CONTROLLER BASED ACCESS POINTS AND CISCO 2504 ................................................................................ 195
3.4 W IRELESS BRIDGES ................................................................................................................................... 203
ANNEX A - CORE COMMITMENTS FOR CHILDREN .................................................................................. 209

ANNEX B – ICT PREPAREDNESS CHECKLIST........................................................................................ 211
ANNEX C – SIMPLIFIED STANDARD OPERATING PROCEDURES FOR LEVEL II AND III EMERGENCIES ........ 214
ANNEX D – QUICK ICT ASSESSMENT ................................................................................................... 220
ANNEX E – RESPONSE PLAN TEMPLATE .............................................................................................. 226
ANNEX F - UN STANDARD CALLSIGN/SELCALL STANDARDS................................................................... 232
ANNEX G - PROCEDURES FOR RADIO COMMUNICATIONS ....................................................................... 237
Emergency Telecoms Handbook

CHAPTER 1
CHAPTER 1
ICT EMERGENCY
PREPAREDNESS
AND RESPONSE
GUIDELINES
EPR GUIDELINES 9
1 SCOPE AND DEFINITIONS
1.1 HUMANITARIAN EMERGENCIES
A "Humanitarian emergency” is defined as a situation that threatens the lives and well-being of large
numbers of a population and requires extraordinary action to ensure their survival, care and protection.
Examples of some major occurrences include natural disasters such as the South Asia Tsunami (2004),
the Pakistan and Haiti earthquakes (2005, 2007) or man-made emergencies such as decade long
conflicts in Afghanistan, Sudan, Somalia, DRC, Syria… Most involved five or more operational areas
and an impacted population in excess of 500,000.
From a practical and operational viewpoint, humanitarian organizations responds to the following
situations or types of emergencies:
- Sudden disasters (or sudden-onset emergencies) – usually triggered by natural disasters that
damage infrastructures, hospitals, schools, water plants...
- Slow-onset crises – such as drought or severe economic crises that erode livelihoods, undermine
food and water supply systems and hence affect the ability of vulnerable populations to meet their
needs and the ability of communities to support them.
- Complex emergencies – conflict and widespread social and economic disruption resulting in
severe humanitarian crises and insecurity. Complex emergencies can be either sudden disaster or
slow onset.
1.2 EMERGENCY MANAGEMENT CYCLE
The emergency management cycle is a continuous process that can be sub-divided in the 3 phases:
The Preparedness phase takes place before the emergency. By definition, it is referred as the process
of an office complying with a list of preventive measures that would seek to contain the effects of a
disastrous event. This process ensures an office have the capability to continue to sustain its essential
functions without being overwhelmed by the demand placed on them. An office’s preparedness
requirement is directly related to its level of exposure; for instance, an office in Pakistan, being in an
earthquake zone, would have higher preparedness requirements than a country such as Kazakhstan.
The emergency threshold refers to the real-

time event of a hazard occurring and affecting
populations at risk. The duration of the event
will depend on the type of threat, for example,
ground shaking may only occur for a few
seconds during an earthquake while flooding
may take place over a longer period of time.
The Response phase (also referred as Early

Recovery phase) is the actual implementation
of the response plan. The best response plans
should be simple and modifiable when
improvements are needed. Response activities
need to be continually monitored and adjusted
to the changing situation, this is commonly
referred as “Monitoring and Evaluation”.
Figure 1 - Emergency Management Cycle
As the response is considered accomplished, the organization returns to the preparedness phase.
1.3 CLASSIFYING THE LEVEL OF RESPONSE

When a humanitarian emergency is “declared”, UNICEF ICT follows Executive Director and EMOPS'
decisions for the type of response to the emergency. UNICEF and the UN system identifies 3 levels of
emergencies and humanitarian response:
- Level 1 (L1): localized response lead by the affected country. UNICEF responds using in country
resources (offices, personnel, funding and supplies). The local ICT Officer is in charge of the ICT
response.
- Level 2 (L2): large scale localized or regional emergency. The Regional Office (RO) provides
leadership and coordination support to the country office. Additional staffing and equipment needs
can be met at the regional level. The RO ICT Chief supports the local ICT Officer in the response.
- Level 3 (L3): very large scale localized or regional emergency requiring an institution-wide
mobilization. Mechanisms such as the Emergency Programme Fund (EPF) and the Immediate
Response Team (IRT) are triggered while Head-Quarters (HQ) and Regional offices dedicate all
resources to the response. UNICEF Information Technology Solutions and Services Department
(ICTDD) in HQ and RO ICT Chief supports the local ICT Officer in the response.
While UNICEF ICT has well established standard emergency response procedures for each level of
response (refer to Annexes Simplified Standard Operating Procedures for Level II and III emergencies),
they still may need to be adapted to the specific country’s profile (importation restrictions, availability of
standard equipment in the local market, Internet Service Provider capacity...) and to the type and size
of the required response (upgrade to an existing office, new space or additional sites requirements,
inter-agency arrangements...).
1.4 ICT STRATEGY IN HUMANITARIAN EMERGENCIES
UNICEF has adopted a decentralized approach to emergency response: Country Office ICT staff and
equipment are the organization’s first line of response. A main advantage of such approach, is the deep
local knowledge of its ICT staff, which accelerates procedures such as telecoms regulations,
importation, supply... Such approach implies however a large ICT workforce and a long-term presence
in high-risk countries. It also requires significant investment in terms of preparedness at local, regional
and global levels (information sharing, training, standards, procedures).
Another commonly used strategy is to adopt a more centralized approach to emergency response. For
example, having a dedicated global emergency response unit, capable to deploy within 24/7. This is a
privileged approach for governments (military, medical, police…) but also humanitarian organizations
with smaller global footprint. Such approach is particularly efficient for quick response, as the same
personnel is deployed multiple times and familiar with equipment and procedures. It also however
requires partnerships at local / global level, maintenance of global rosters (as staff rotation is higher)
and prestock.
The last approach is to adopt a combination of both strategies. Local presence supplemented by an
emergency response team. It combines both advantages but also requires clear reporting lines as
global and local teams must collaborate on-site.
EPR GUIDELINES 11
2 EMERGENCY PREPAREDNESS GUIDELINES
Maintaining an adequate preparedness level is essential for an efficient and timely response. When the
emergency strikes it is often too late to acquire essential telecoms and ICT equipment, and much time
can be saved and problems avoided by ensuring a good preparedness.
2.1 COUNTRY RISK INDEX
The country risk index is a measuring stick highlighting the risk for humanitarian crises in a particular
country that could overwhelm national response capacity. It is based on the Index for Risk Management
(InfoRM, www.inform-index.org) which is determined by indicators such as hazards (events that could
occur), vulnerability (the susceptibility of communities to those hazards) and capacity (resources
available that can alleviate the impact).
The resulting InfoRM map, as of January 2016, is as follow:
Figure 2 - InfoRM Risk Index Map
Country offices with a high risk index should consider prioritizing resources and advocate for
preparedness, including in the ICT area. In 2016, the 12 countries with highest overall risk are:
Afghanistan, Chad, Central African Republic, DR Congo, Iraq, Mali, Myanmar, Sudan, South Sudan,
Somalia, Syrian Arab Republic and Yemen.
2.2 PREPAREDNESS PLANNING
An important part of the field-office’s ICT preparedness is the development and maintenance of a solid
Emergency Preparedness Plan. A good guide on developing such plan is to revise every 6 months the
ICT Emergency Preparedness Checklist for Field Offices (see annexes) which should be uploaded to
the UNICEF’s ICT Office profile portal. Field ICT should work closely with other operations and security
staff to ensure a realistic preparedness. Some general guidelines:
- In most emergencies, the security situation will deteriorate quickly, requiring rapid access to
additional security telecoms equipment - such as radios and personal satphones. Staff should be
able to work from home if required, using 3G, mobile satmodems (BGAN, Thuraya IP) or other high-
speed data-solutions (local and reliable ISPs). It is a good practice to ensure that every office has

a stand-by stock of such equipment and that critical staff receive a backup communication
equipment at home along with portable solar panels.
- In addition, each office should stock a basic ICT Response kits, such as UNICEF’s Emergency
Telecoms Response 1 kit (ETR1), suitable for individual or small team immediate deployment
(suitcase size). Such kit should include at least mobile satellite equipment, 3G routers, printer,
scanner, portable solar panels and basic IT tools.
- Regularly update the office's equipment inventory and internal office database (in UNICEF: ICT
Office profile). These are important tools especially in the early phase of the emergency, allowing
RO and HQ to quickly determine what bandwidth, equipment and staff is available in the country
office.
- Frequently perform equipment test sessions, radio-checks and drills. If a back-up/alternate location
exists, make sure to run tests and simulations also from this location (this could be Rep house;
other agency offices; etc.).
- Consider all aspects of Business Continuity and Disaster Recovery. The Emergency ICT Checklist
and the UNICEF Emergency Handbook offer important information and guidance on how to ensure
good BC/DR preparedness.
- UNICEF’s CCCs (see annexes) state that every country office should have at least one emergency-
trained ICT specialist. Only with such capacity at the local level can adequate ICT emergency
preparedness and response, and business continuity plans be developed and implemented.
Humanitarian organizations should have developed a comprehensive training curriculum covering
all aspect of emergency preparedness and response in the area of ICT (refer to the training
chapter).
- Regularly train end-users in operation of emergency telecoms related equipment such as two-way
radios and mobile satcoms equipment. All new staff should be instructed as part of the office
induction course; in addition, it is recommended to run regular refresh training for example during
the office’s regular retreats or emergency response simulations.
- Seek to involve other UN and NGO partners in preparedness activities: experience shows that when
the emergency strikes, agencies will have to work together other and time can be saved if plans
are made and tested during the preparedness phase. The local interagency ICT group, and/or local
Emergency Telecoms Cluster (ETC) group are the best forums for such activities. If such groups
are not in operation in the country, it is highly recommended to initiate one!
2.3 BUSINESS CONTINUITY
All humanitarian organization’s offices, whether it is Headquarters, a Regional Office or Country Office,
must be able to maintain continuity of highly critical functions during and following a disaster and/or
crisis event. Events such as major power outages, natural disasters, terrorist attacks, and a possible
global avian and human influenza pandemic specifically highlight an urgent need for humanitarian
organizations to implement a corporate Business Continuity Management strategy, the central element
of which is the Business Continuity Plan.
A Business Continuity Plan (BCP) is a series of procedures to restore normal organizational office
operations following a disaster and/or major event – within a pre-determined time. The BCP will address
specific scenarios where an office or personnel is directly impacted by the emergency.
Objectives of a BCP are:
1. Improve the organization’s ability to maintain highly critical business functions in high-risk situations,
thereby significantly enhancing emergency preparedness and operational capacity at all levels and
locations;
2. Continue highly critical/critical business operations in the event of a disaster to ensure that the
organization’s strategic objectives are being met;
3. Establish clear management procedures, transitions and emergency decision-making authority;
4. Streamline recovery of internal information, processes and systems.
EPR GUIDELINES 13
Each humanitarian organization office therefore maintains a completed and tested Business Continuity
Plan that is supported by the following:
- A Business Risk Assessment and Impact Analysis;

- Strategic recovery measures dealing with the Disaster Recovery Phase;
- Plans and procedures for managing and testing the Business Recovery Process;
- Training of staff in the Business Recovery Process;
- Procedures for ensuring that the Business Continuity Plan is kept current.
These plans are thoroughly documented and accessible either through UNICEF’s Early Warning Early
Action portal or ICT office profile.
2.4 ICT DISASTER RECOVERY
IT systems are vulnerable to a variety of disruptions triggered by man-made, natural, or environmental

causes. The extent of ICT service interruption can be minimized/avoided through technical,
management, and operational planning. While UNICEF ICTD and its service providers have a
comprehensive ICT-DR plan for centrally hosted IT systems in the global data centers, each country
office is required to have an ICT-DR plan covering the local environment to mitigate the potential/known
risks.
As part of the ICT-DR plan, data back-up must be done on a daily basis by the Country Office ICT staff
and stored away from the office in a safe and secure place. Periodically, ensure that the backup data
can be restored and is useable. While backup of data/files on individual computers is the responsibility
of the users, it is important that the users be advise/informed to take backup copy of their important
data/files and keep it in safe/secure place.
There should be regular testing and validation of ICT-DR plans, including the preparation of a lessons-
learned report after testing activities.
2.5 SECURITY AND MOSS
The country-specific Minimum Operating Security Standards (MOSS) baseline is a UN specific

document which includes concrete emergency telecommunications requirements. It is the responsibility
of the office management to follow these recommendations and to ensure that any office (including
newly created ones such as in emergency situations) is C-MOSS telecommunications compliance.
A revised, country-specific Security Risk Assessment (SRA) system is in effect, wherein each country’s
security level is determined by the DO/SMT based on country-specific SRA. The country ICT team
(UNICEF and partners) will need to support this process; assess need, evaluate gaps and provide
DO/SMT with appropriate recommendations for the telecoms sector.
It is essential that an office in emergency maintains MOSS compliance. Much can and should be done
in the preparedness phase – such as pre-stocking back-up equipment; however, most emergencies will
require procurement/loan of additional equipment to ensure MOSS compliance. When considering the
office’s MOSS compliance, the country specific Security Risk Assessment must be consulted; this
requires collaboration with the office’s security officer/focal point.
MOSS compliance usually requires that staff, vehicles and offices are equipped with adequate
communications to call for help when required. In most emergencies this means VHF or UHF (for
personal and office use) and HF radio or mobile satcoms (for mobile and inter-office use). If the office
doesn’t have a preparedness stock to rely on, it is urgent to order additional VHF (or UHF) radios.
2.6 TRAINING OF ICT RESPONDERS
To achieve the objective of minimizing the negative impact of a natural disaster or conflict on IT and
telecoms infrastructure or services, UNICEF has developed, in collaboration with the private sector and

partners such as WFP, a complete training curriculum aimed at ICT professionals at all levels.
Personnel is trained in every aspect of ICT emergency preparedness and response, including
management, data-communications and radio-communications.
Following diagram summarizes the recommended training curriculums and path for UNICEF ICT
responders:
Figure 3 – Useful ICT Courses for the Emergency Response
 Refer to training catalogue located in the flash drive and portal for further detail on each course.
2.7 PRE-STOCKING GUIDELINES
Every UNICEF Country Office should maintain a minimum amount of equipment as a preparedness
measure. Such equipment could include:
- An ETR1 kit or equivalent, used for field assessment missions, mobile units and initial response
- 3G/LTE mobile hotspots (if available) with SIM cards ready to be activated
- Spare VHF handsets radios
- Spare office IT equipment such as a laser printers (+toners) and digital scanner
- A couple of satellite phones and at least one satellite data transmitters (such as a BGAN or Thuraya
IP) with SIM cards, either pre-activated or ready to be activated (institutional contract signed)
- Set of tools for hardware installations, ideally a small generator for IT equipment and UPS
UNICEF maintains at the global level a significant emergency pre-stock of IT and Telecoms equipment
at Supply Division's warehouse in Copenhagen, in Regional Offices and at New York’s headquarters.
This equipment is organized in a kit format which can be put together based on requirements identified
during the assessment phase. Such kits are composed of VSATs, LAN, WLAN, IT and tools.
EPR GUIDELINES 15
2.8 LONG TERM ARRANGEMENTS
Most large scale humanitarian organizations maintain global and local Long Term Arrangements (LTA)
for all manner of IT, telecoms and power equipment and in some cases LTAS (Long Term Arrangement
for Services) which would include services (airtime, bandwidth, equipment rental, on-site installation
services...). A best practice is to require suppliers to maintain a minimum of stock which could be
shipped within 48 hours.
In UNICEF, as of writing, LTA/LTAS for global ICT equipment include:

- LTA for HF radios kits, antennas and accessories (Codan)
- LTA for mobile satellite equipment kits and LTAS for airtime (IEC Telecoms)
- LTA VHF/UHF radios kits, repeaters, antennas and accessories (Danimex)
- LTA for end user IT equipment such as desktops, laptops, printers, scanner… (Atea, Planson,
Atlantic Business Systems and Danoffice)
- LTA for Cisco LAN and WIFI equipment (Atea, Planson, Danoffice)
- LTAS for Security Gateways managed services (Open Systems)
- LTA for Global Positioning Services (Garmin)
- LTA or LTAS for VSAT hardware kits and bandwidth (EMC, UtilSat, Airbus)
- LTA for Solar panels kits (Naps, Trama, Gamma)
- LTA Generators kits (Coelho, Johs. Grams, Younes Bro)
Other procurement options in emergencies include:

- Using other UN agencies stock, such as WFP or HCR
- Using other UN agencies LTAs
- Using UNICEF local LTAs

3 EMERGENCY RESPONSE GUIDELINES
As the emergency strikes, the country office ICT responsible should immediately take action to ensure
the ICT component of the emergency response is handled in a quick and effective manner while
ensuring compliance with the CCCs ICT component. It is the responsibility of the country office ICT, in
collaboration with Regional Chief of ICT and ICTD NYHQ to ensure that the office at all stages in the
emergency response is CCCs compliant.
3.1 STANDARD OPERATING PROCEDURES
When a sudden humanitarian emergency impacts a Country Office, a good practice is to follow the
Simplified Standard Operating Procedures. Procedures for L1, L2 or L3 emergencies slightly differ but
can be summarized with the following steps:
During the first 24 to 48 hours, whether the emergency has affected the office or a remote location,
the ICT staff must perform a quick ICT assessment. If the emergency has impacted ICT systems in the
office, the BCP must be immediately enabled. Standby equipment should be checked and radio and
satphone batteries charged.
After 48 hours, as the impact of the emergency becomes clearer, emergency responders or teams
travelling to the field must be provided with a GSM/3G phone, a satellite phone, data-capable satphone
(BGAN or Thuraya IP) and VHF radios (operating in simplex if no repeater is available yet), if security
requires it. Ideally the first response team should travel with the Office in-a-Box or ETR1 kit (see
Equipment). The staff to lead the ICT emergency response must have been identified and have started
internal and inter-agency coordination (teleconference call, short ICT situation report to be shared with
the CO management/RO/HQ). Local and global ICT providers will be alerted about a possible
requirement for additional capacity in the field. If the response is likely to trigger an increase of staff in
an already existing office, Internet service providers should be contacted to anticipate an upgrade of
the bandwidth, wireless infrastructure or ICT support staffing.
By the end of the first week, as the overall emergency response requirements become clearer, the
ICT response plan must be finalized. The plan shall include replacement for the equipment used at the
initial stage of the emergency, one-time-cost for the additional requirements, budget to cover recurring
costs for the response duration, list of service providers, procurement strategy (locally or out-sourced
to RO, HQ or SD) and accountability for follow-up. A dedicated file sharing mechanism (for example, a
SharePoint portal) is created and IT requests (such as email or Intranet access) for responders are fast-
tracked.
Starting the second and following weeks, real-time monitoring of the situation is required to
permanently assess needs of field responders. The objective being to quickly identify any ICT gap that
could possibly impact the overall response. If a new office is considered, it is essential that an ICT
responder is part of the premises first assessment, to verify requirements such as satellite visibility for
VSATs, height of radio antennas, distance to power source, potential interferences, LAN and WiFi
infrastructure requirements, grounding, etc.; all factors that are critical when considering a new location.
Continuing the coordination effort, weekly conference calls and situation reports must be produced by
the local ICT officer in collaboration with the Regional ICT officer, HQ and the inter-agency community.
Refer to the Simplified Standard Operating Procedures in annexes for step-by-step instructions. The
diagram next page summarizes the recommended chronology of actions in a typical humanitarian
response.
EPR GUIDELINES 17
Preparedness EMERGENCY RESPONSE
CHRONOLOGY OF ACTIONS
CRISIS
Initial
Assessment
Existing Offices Information Sharing Additional Sites

Response Plan +
budget
On-site On-site
Assessment Assessment
Implement Implement Implement

Response Plan Response Plan Response Plan
in CO/ZO in site 1 in site 2
Monitoring Monitoring Monitoring

& & &
Evaluation Evaluation Evaluation
Closure Closure Closure
Final Report
Lesson s
learn
Figure 4 - Chronology of ICT actions in an Emergency Response
3.2 ICT ASSESSMENTS

3.2.1 Initial Assessment
As a country office encounters an emergency situation, the ICT responder must rapidly carry out an
initial assessment to determine the impact of the situation and any immediate ICT needs. The ICT
officer should therefore participate in all internal meetings related to the emergency, consult with
operations and program colleagues, engage with the inter-agency ICT working groups, inquire local
service providers (Internet, GSM,...) status and capacity, and local authorities position (if applicable, for
example telecoms authorities).
The initial assessment shapes the response plan, as such the ICT officer should determine:
- if the office ICT system are affected and whether the BCP should be deployed;
- if UNICEF personnel is deploying to the affected areas;
- if surge UNICEF personnel is deploying to reinforce capacity in existing offices;
- if new offices will be required;
If one or several of the conditions above apply, the ICT officer should then seek to determine:
- if there is enough equipment pre-stocked in the office to cover immediate needs, and if such
equipment is deployable;
- if the actual network and bandwidth will cope with the increase of users;
- if there is enough ICT personnel available to support at the office and on-site (if applicable);
- what is the capacity of local service providers and other agencies;
- if the emergency telecoms cluster (ETC) is activated and who is leading it.
Based on the emergency level, the initial assessment should then be shared and discussed with the
country Operations Officer, Regional Office and NYHQ to determine whether any further support is
required and what would be the next actions.
3.2.2 On-Site Assessments
On-site ICT assessment only apply to emergencies requiring the deployment of responders for an
extended duration. It should therefore focus on the location where UNICEF responders are operating
from. This can be a hotel, an inter-agency office, a dedicated office space. Such assessment addresses
detailed ICT situation including: local ISP(s) capacity (services, coverage and quality), VSAT site survey
(if applicable), security telecommunications requirements, ETC service quality, staff requirements,
power status...
The outcome of the on-site assessment will either confirm the initial response plan, identify any
unplanned gap or determine whether the requirements have been over-estimated.
 Refer to the template for site ICT assessments in annexes
3.2.3 Interagency/ETC assessment
In cluster-activated emergencies, the ICT/ETC lead agency is responsible for carrying out an ETC gap-
assessment. Such assessment may indicate that there are gaps (i.e. needs) in the areas of security
(radio) communications and/or in the area of common data-communications. Examples of such gaps:
- Lack of repeater coverage in a specific location, requiring installation of additional repeater(s)
- Lack of radio-rooms for interagency security coordination, requiring establishment of a common
radio-room
- Lack of capacity among agency staff in radio programming, requiring the deployment of a radio-
trainer
- Lack of Internet access, requiring installation of a VSAT with Wi-Fi connectivity.
In this process, the ETC lead agency will seek to involve UNICEF and other major UN agencies and
NGOs operating in the country, to jointly develop an ETC project that would cover any of the identified
gaps. The ETC lead agency will seek to include this as part of a consolidated emergency funding
request, typically included in an emergency Flash-Appeal. The Flash-Appeal will – in addition to ETC
needs – include funding needs for all areas of program and operational activities in the specific
emergency.
EPR GUIDELINES 19
In some emergencies UNICEF may be requested to serve as local ETC cluster lead and take
responsibility for the ETC gap assessment and subsequent project plan and funding request.
Note that the ETC assessment and subsequent project plan/budget is targeted at covering inter-agency
needs (radio back-bone; common VSAT, for instance) and is not meant to cover each agency’s internal
ICT needs. Therefore it does not substitute UNICEF’s own ICT assessment and procurement needs.
3.3 RESPONSE PLAN
The response plan is an important document that applies when an office does not have the capacity or
budget to cover the medium/long term ICT needs of the emergency. A typical scenario applies to level
2 or 3 emergencies, when one or multiple offices must be upgraded or created very quickly, and the IT
department does not have enough budget to cover such requirements. The response plan is used to
present the ICT project to management and justifies the required investment in equipment, services
and staffing.
As such it should include:

- an executive summary describing the main components of the ICT project (locations, durations,
services, cost and staffing);
- An implementation timeline, including the description of each phase;
- The description of each of the ICT services;
- The summary of costs and funding required;
- The governance and staffing structure;
- The supply and logistic strategy;
- Monitoring & Evaluation measures;
- The exit strategy;
- The risks, their possible impact on the project and how to mitigate such;
- The Inter-agency collaboration mechanisms;
- The detail detailed ICT services per site (if there are more than one site);
- A list of annexes including detailed budget and organogram for example.
 Refer to the Response Plan Template for further details
3.4 MONITORING AND EVALUATION
Monitoring and Evaluation (M&E) is a critical component of any project, whether it applies to
programmatic or operational areas.
The OECD defines monitoring and evaluation as follows:

- Monitoring is a function that uses data collection focusing on key performance indicators to provide
management with a clear overview of the project progress and achievements, while also indicating
the use of allocated funds.
- Evaluation is an objective assessment of an on-going or completed project, including its design,
implementation, and results. The aim is to determine the relevance and fulfilment of objectives,
development efficiency, effectiveness, impact, and sustainability. An evaluation should enable the
incorporation of lessons learned into the decision making process.
When applied to ICT in emergencies, the following measures are required to ensure a formal M&E
process is in place and systematically applied:
1. Establish a clear and measurable list of performance indicators

2. Ensure that an initial needs assessment is conducted at the initial phase of an emergency response
as a basis to decide if ICT services are required and to justify a related ICT response/project plan.
3. Establish a process to monitor the project performance (see performance indicators list below)
including financial reporting during the project execution phase.
4. Establish formal and systematic evaluation mechanisms especially during and after the project
closure phase. A mid-term evaluation for example is recommended at the mid-term marker (3 or 6
months) for each project.

5. Ensure that the essential ICT project documentation is published for level II and III emergencies on
the SharePoint site.
6. Promote collaboration and information sharing, by sending (at least) weekly activity reports, attending
all emergency related meeting and participate in teleconference calls (RO/HQ, ETC).
7. Major ICT projects should include a funding element to cover M&E activities.
Note that a final independent evaluation covering the organization’s response as a whole may be taken
by donors or auditors. It is critical that the ICT emergency responders share their inputs and lesson
learned in this evaluation.
Key Performance Indicators stems from the list of essential services as defined in the Service Catalog
(see Global IT services portal). In addition, following Key Performance indicators can be useful when
monitoring ICT projects in emergencies:
- Number of Users per operational area or office.

- Number of registered devices (ex: DHCP leases) per operational area or office.
- Cost per beneficiary and per device
- Performance against initial baseline (including budget) – not a separate indicator as such but a
measurable milestone to monitor progress
- Sustainability and long-term benefits
- Optimized use of local resources and partnerships
- Adequate resources in place (including staff number and level, funding, etc.)
- Percentage of service availability
- Average bandwidth usage per location
- Number of IT support cases and average time for resolution
- Cost efficiency and savings resulting from sharing of resources and minimizing service duplication
- Funding distribution
3.5 SUPPLY & LOGISTICS
3.5.1 Budgeting
A component of the response plan is to estimate how much additional funding is required and present
this to the Operations Officer to ensure it is included in the office’s overall request for emergency
funding. It is highly recommended that such budget is shared with the Regional Office and HQ to make
sure nothing is missing. Various funding mechanisms exist and many of these require quick action so
the ICT budget should be available within the first week of the response.
The budget must cover the costs for the entire project duration, including potential handover/closure
expenses and the post emergency evaluations such as lessons learned exercises. Some guidelines
key cost considerations when drafting an emergency ICT budget:
- Equipment one-time costs (OTC);

- Equipment storage costs;
- Licenses;
- Staffing costs (including any required travel and DSA);
- Mission costs (on-site assessment, follow up or evaluation mission)
- Procurement and logistics costs (such as transport, use SD’s freight estimator);
- Recurring costs for IT and telecommunication's services (mobile satellite monthly and usage fees,
VSAT bandwidth,...) support, administration, possible licensing, maintenance, fuel, etc.;
- Demobilization/closure costs;
- Training costs for staff outside ICT (ex: radio user training).
In addition, there can be unexpected additional costs related to:

- Equipment delivery delays;
- Local regulations;
- Customs transit delays;
- Staff mobilization/recruitment delays;
- Changing of operational requirements.
EPR GUIDELINES 21
 Refer to the budget tool located in the flash drive or portal
The IT manager will always need to be aware of the total ICT budget, funds spent or committed,
purchase orders (PO), planned expenditure (purchase requisition - PR) and future needs. In general, it
is necessary to track on a weekly basis the budget reports in the organization’s Enterprise Resource
Planning tool (Oracle, SAP, salesforce…), and compare it to manually recorded records (maintain a
tracking spread sheet). This is crucial to ensure best use of funds and insure against under or over-
spending. In addition, it is necessary to work closely with the supply team to ensure follow-up and
verification of expenditures.
3.5.2 Supply
Experience shows that lack of timely ordering of emergency ICT equipment can be a major obstacle to
an efficient response. The Supply Plan is therefore a critical component of the response plan and much
effort should be put into ensuring that orders for ICT equipment and service are properly anticipated
and correctly initiated. The ICT responsible should ensure that the equipment needs are established as
quickly as possible and work with the CO supply officer/focal point to have ICT equipment prioritized in
the ordering and shipping process.
Some guidelines to be aware of when ordering equipment:
- In large scale emergencies, it may be beneficial to outsource the procurement of ICT equipment to
a Regional Office or to Head-Quarters to free-up time at the local level. Local procurement officers
are indeed often overloaded with important procurements related to program areas, risking that ICT
orders are delayed.).
- Large scale humanitarian organizations typically package equipment into emergency ICT “kits” and
pre-position them in strategic locations (in UNICEF: Copenhagen global warehouse, Regional
Offices and New York Head-Quarters). Usually it’s the fastest way to obtain equipment. Kit solutions
can also be a buffer for response plans that may have been over-estimated as a result of the "no-
regret" policy; since these kits can be shipped back if not used and therefore limiting costs to
shipping only.
- Standard emergency IT and Telecoms equipment and services are available through Direct Order
(DO) Long Term Agreements (LTAs), either through Supply Division (equipment) or ICTD
(services). Emergency telecoms related LTAs contain emergency clauses requiring vendors to
maintain a minimum stock, thus ensuring rapid shipping. (UNICEF example: IEC maintains stock
of mobile satcoms terminals; Danimex maintains stock of VHF and UHF radios; ATEA maintains
stock of laptops and other IT equipment). It is recommended to work closely with the procurement
officer in order to enable such option in Vision and ensure vendor is aware that this is an
“emergency order”.
- For LTA equipment without emergency clause, such as IT equipment (laptops, printers, LAN,
WLAN...), delivery lead time can be various weeks, it is therefore urgent to initiate procurement as
early as possible. Consider assigning "temporary laptops" from the office stock for surge personnel
without equipment.
- Avoid ordering non-standard material as this may require a bidding process that can delay
shipment. If non-standard equipment is required, make sure to separate these out in a dedicated
Purchase Order.
- When procuring items which value is higher than 2,500 USD, IPSAS recommends to create an
asset number / inventory tag and link them to the organization’s ERP.
- Assigned ERP budget codes should be verified before committing any expenditure. Before
providing a budget code the following must be confirmed:
o Are sufficient funds available for the project?
o Can the budget be utilized for the said expenditure?
o If spending is from a funding source managed by another unit/person, ensure that
unit/person authorizes the expenditure in advance, even if previously agreed.
- Separate orders by supplier – this facilitates for tracking of orders
- Work closely with the supply focal point to ensure orders are correctly processed.
- Keep RO ICT and ICTD informed about status of orders – they can support and speed things up.
- Frequently visit the warehouse and check at the delivery schedule, it can happen that equipment
has been delivered without notifying the ICT team.

3.5.3 Logistics
Build a strong working relationship with the logistics' team handling reception and dispatch of
equipment. If there are emergency relief flights leaving from global warehouses and if timing allows,
seek to have the ICT equipment delivered to the warehouse, for subsequent inclusion in relief flights.
HQ ICT teams can support country offices to liaise with their global supply and logistics emergency
units.
Upon reception of the equipment:
- Take pictures of all received boxes, including serial numbers.

- Note any damage or discrepancy with the shipping list.
- Confirm reception of the equipment with admin or supply unit.
- Update the ICT inventory and serial numbers as soon as equipment is received. Since such devices
will be quickly dispatched, it may be challenging to do so later on.
- Ideally, an inventory tag number, linked to an asset number, should be placed on the equipment.
- Keep track of the location of an installed equipment or the name of the person it was handed over
to. Personal Property Receipts (PPR) should be issued in close collaboration with administration.
3.6 DEPLOYING ADDITIONAL RESPONDERS
3.6.1 Rosters
Large humanitarian organizations maintain a local/regional/global ICT rosters of personnel that are
trained and experienced in emergency response and possess a wide range of skills, including ICT
management, VSAT installation, VHF and HF radio setup (handhelds and repeaters), LAN and WLAN
as well as mobile satellite devise. In addition members have important personal attributes such as
teamwork and problem-solving skills, cultural sensitivity, tolerance, flexibility, and the ability to function
effectively in a demanding emergency environment.
3.6.2 Standby Partners
During an emergency there is often a need for surge capacity in specific areas. Humanitarian
organizations have usually implemented standby arrangements with several public or private
organizations to cater for this. These arrangements allow a field office to quickly obtain trained and
experienced ICT professionals to support emergency response and in some cases also preparedness
activities. Standby partners are “free”; the only cost for the country office is in-country flights.
Standby arrangements can be used for various areas of ICT support, such as:
- Install VSAT, radio, power and data network equipment

- Implement radio rooms
- Fill a temporary gap when the country office ICT personnel is dispatched to an emergency
- Support emergency preparedness and training activities
Key organizations that frequently deploy technicians in emergencies include:
Figure 5 - Standby Partner Agencies
In UNICEF, three standby arrangements also include provision of equipment (typically shipped back
once the deployment is over):
- Ericsson Response can deploy the "WIDER", a networking technology providing captive WIFI
portals and a user registration/authentication mechanism (airport or hotel type). This is a
recommended solution for inter-agency sharing type scenarios (ex: ETC deployments).
EPR GUIDELINES 23
- TSF is an NGO specialized in first response. They can be deployed to install temporary Internet
and voice access (30/45 days maximum) and cover all costs related to it. TSF usually relies
on mobile satellite terminals (BGAN) and small Ku-band VSATs.
- The Government of Luxembourg can deploy the emergency.lu solution, preferably in an inter-
agency shared scenario (ETC type). The emergency.lu solution includes a "rapid deployment" kit
composed of an inflatable 2.4m VSAT (GATR model) and Voice-Over-IP phones. The largest
emergency.lu solution is called "Regular deployment kit" and is composed of a 2.4m Quick-Deploy
VSAT antenna (Viking model) and a network rack (VOIP, server).
EMOPS Geneva acts as the focal point for standby partner support. Before contacting EMOPS Geneva
to request ICT surge capacity, the requesting office should develop a Terms of Reference/Job
Description for the secondment. The link below to the UNICEF standby partner arrangements
homepage has information about this and examples of such ToR for ICT/telecoms staff.
3.7 COORDINATION
Coordination, collaboration and information sharing are important components of the emergency
response. Such activities take place both within and outside the agency.
3.7.1 Internal coordination
Typically, the field office ICT staff will be supported by the Regional Chief of ICT (RCICT) and by
ICTD/HQ, where the RCICT handles day-to-day coordination and support while ICTD/HQ handles the
global interagency/ETC (Emergency Telecoms Cluster) related coordination – in addition to facilitating
access to ICTD’ in-house stock of emergency telecoms equipment and roster of emergency ICT
response staff.
To ensure the best possible coordination and collaboration within an organization (CO-RO-HQ), regular
sharing of information is essential. This is especially important in the early stages of an emergency,
where bi-weekly or weekly conference call and minutes are organized with the RO and ICTD (for
eventual further distribution). Similarly, findings of initial / on-site assessments and response plans
should be shared with RO/HQ, to ensure these are also leveraged at HQ and regional level. A hand-
over note should be also be agreed on between responders when there is a staff replacement.
3.7.2 Interagency coordination and collaboration
During an emergency, many organizations will face the same challenges in terms of urgent need for
ICT equipment, additional staffing and emergency funding. Through collaboration and resource sharing
at the global and local levels, individual agencies’ resources can be better utilized and shared. Such
sharing and collaboration mechanism should already be in place as a preparedness activity.
The Inter Agency collaboration can take the form of collaboration on one or more specific projects or
activities or, typically in a larger emergency, in the form of overall shared security and data
communications services, systems and networks. The ICT Working Group at the local level can be an
instrument for collaboration, coordination and information sharing between UN agencies, NGO’s and
INGO's in ICT related matters, thereby reducing gaps and avoiding overlaps and duplication of effort.
Typical areas of collaboration are:
- Resource mapping and gap assessments;

- Definition and agreement of common services to be provided;
- Sharing of equipment stock;
- Joint Emergency Preparedness & Response Planning (EPRP);
- Sharing of human resources (interagency secondment and level 1 support);
- Shared supply contracts.
The local ICT working group can be chaired by one agency or on a rotational basis. The ICT working
group is a tool for joint emergency preparedness and response, and as such it should be established

before an emergency strikes. Through formal collaboration and sharing in such a group, benefits can
be achieved both for normal operations and during the emergency response. Communication with the
UN Country Team is also facilitated when the ICT sector communicates as a common interagency
group rather than on an individual agency basis. Examples of situations where collaboration in the ICT
working group can benefit the agencies:
- One agency takes on field mission tasks on behalf of one or more sister-agencies, thereby avoiding
duplication of field missions;
- Agencies support one another in developing Emergency Preparedness and Response Plans
(EPRP);
- Agencies share a VSAT installation in a field office, thereby reducing equipment and installation
costs. Monthly recurring costs are shared among the agencies;
- One agency seconds ICT support staff to another agency for short term support. Within the ICT
working group, each member can have special experience and training that can benefit other
agencies;
- Equipment that is no longer needed in one agency can be handed over to another agency. The ICT
working group can improve the design and implementation of interagency services (such as a radio
network) by facilitating discussion and fact sharing.
3.7.3 Emergency Telecommunications Cluster (ETC)
Clusters are groups of humanitarian organizations, both UN and non-UN, in each of the main sectors
of humanitarian action (for example water and sanitation, health, logistics...). They are designated by
the Inter-Agency Standing Committee (IASC) and have clear responsibilities for coordination. It is
designed to strengthen the "collaborative response" and improve predictability, timeliness and
effectiveness of humanitarian response. It also aims to strengthen the leadership and accountability in
key sectors where gaps have been identified, which includes emergency telecommunications.
Figure 6 - IASC's Cluster Coordination Model
When the Emergency Telecommunications Cluster (ETC) is activated, it facilitates access to additional
funding for common emergency telecoms. In most emergencies, WFP (as global ETC lead and Provider
EPR GUIDELINES 25
of Last Resort) or HCR (in conflicts scenarios with refugees) will be tasked to take the lead; however, if
another agency has a strong presence in the country/operational area, the Humanitarian & Emergency
Relief Coordinator may request that agency to take the lead in that specific emergency. Example: If
UNICEF has a well-developed ICT infrastructure and staffing in a given country, UNICEF may be
chosen as cluster lead agency in that specific emergency. More information on ETC deployments
(activation, situation reports, guidelines, technical information…) can be found on the ICT emergency
website.
Note: UNICEF was initially mandated to deliver common data-communications services for the cluster.
As of June 2009, UNICEF handed over this responsibility to WFP, with WFP now providing both
common data and security-communications.
3.8 EQUIPMENT
3.8.1 Data Communications
Data-communications for first responders are typically obtained using 3G modems (“dongles”), if
coverage is available; BGAN/Thuraya IP; or Emergency Telecoms Cluster (ETC) connectivity in the
early stages of an emergency. Such solutions are acceptable as long as the response timeframe is kept
short (less than 2 weeks). There are indeed limitations with each of such solutions when considering
the longer term:
- 3G dongles are not easy to share as a team, often requires one device per responder (making it
hard to track) and are easy to lose. In addition the multiplication of data plans can be a costly
solution for the office.
- Mobile satellite communications services (MSS) airtime can lead to substantial usage costs.
Country Offices are recommended to closely monitor their airtime consumption (using the
equipment log and provider's portals) and to modify the subscription plans accordingly. In addition,
transmission speed of such terminals is poor (in practice data-rates reach 20-30 KB/s) and latency
high (900-1500ms).
- ETC connections (often VSAT) are shared among a large number of responders and can therefore
be equally slow. Responders must also commute on a daily basis to the ETC location where such
service are provided, making it inconvenient and inefficient over the longer term.
If the response continues beyond 2 weeks, the solutions mentioned above should be replaced with
conventional local Internet Service Providers if available (such as DSL, fiber) or VSAT (either from local
provider or a global LTA/LTAS provider. These services all offer guaranteed data-rates at fixed cost.
3.8.2 Security Communications
Security telecommunications should be determined by the UN security level and requirements for the
Emergency Communications System (ECS). Such information should be available with the agency’s
Security Focal Point. Alternatively, UNDSS or the lead ETC agency (if activated), which often has the
senior advisory role for staff security and radio infrastructure, should be able to provide such
requirements. In most cases humanitarian organizations will use an inter-agency radio infrastructure. If
such arrangements cannot be obtained or if operational requirements impose the setup of dedicated
radio rooms, a dedicated and experienced radio technician should be deployed.
3.8.3 Electrical Service
Electrical service can have huge negative impact if not done properly. An unstable, unreliable or badly
designed electricity supply network will not only damage or destroy the equipment, but it poses a danger
to staff safety. There are two main solutions for electricity supply that are used as follows:
- Mains with generator backup: Publicly provided electricity is the main source with agency provided
generators used as a backup. To ensure stable power when running the mains, all electricity
provided to ICT equipment should be filtered through voltage regulators and UPSs.

- Generator only: When public electricity supply is not available or is too unstable and/or low voltage
to be utilized, it will be necessary to operate an agency generator(s) on a permanent basis. The
main generator may need to be shut down overnight to save fuel, then the plan must include a
smaller generator to continue powering vital ICT equipment as well as security flood lights.
It is important that all security telecommunications equipment (radios, repeaters) and LAN/WLAN
infrastructure are additionally backed up by Uninterruptible Power Supplies (UPS) and/or solar power
systems. If electricity supply and distribution networks (public and office) are unreliable, an electrician
should be included in the staffing plan. Electricians can usually be recruited locally but oftentimes it can
be difficult to get the right technical level. It is therefore recommended to seek for temporary / standby
personnel to fill the gap for the initial period, assist with networks and grounding upgrades, and to train
a local electrician who eventually can take over the responsibility.
------------------------------------ END OF CHAPTER 1 ------------------------------------
EPR GUIDELINES 27
(Page left blank intentionally)

CHAPTER 2
HIGH FREQUENCY RADIO (HF)
HIGH FREQUENCY RADIO 29

1 ABOUT HIGH FREQUENCIES
Using frequencies in the range of 3 to 30MHz, HF can offer reliable communications over thousands of
kilometres with independent and limited infrastructure. Although its usage has declined with the
emergence of new terrestrial technology such as GSM networks, it is still considered as last resort
communication and equips most vehicles and offices in countries where staff security is considered as
a priority. The possibility to reach any humanitarian vehicle, no matter the location in a country and
without any infrastructure (other than in the office and vehicle) remains HF's greatest asset. It can also
be used for operational voice communications, SMS type text messaging, GPS tracking and
communications with aircrafts.
1.1 THE IONOSPHERE
Before discussing further detailing HF transmissions an understanding of the ionosphere is required.

Although the theory can get complex, this book will stick to the principles and try and keep things simple.
The ionosphere is comprised of regions of the upper atmosphere in which there are free electrons. It is
this ‘electron soup’ that has the ability to act on HF radio waves as if it had a refractive index different
from the surrounding non-charged layers of the atmosphere. This is similar to light passing through
different layers of heated air in the desert and producing a mirage or image of the sky that appears to
be on the ground. In their simplest form, the layers of the ionosphere may be thought of as “mirrors in
the sky” that reflect radio waves. It is, however, refraction and not reflection that redirects the radio
waves and the degree of bending of these waves is dependent on several factors.
The free electrons are generated by powerful radiation from the sun such as extreme ultra-violet (EUV)
striking gas molecules in the upper atmosphere so violently that they knock an electron from the outer
orbit. As in the upper atmosphere gas molecules are thinly spread, it takes considerable time for the
free electrons to find positive ions and recombine. This process is called photo-ionisation and leaves
layers of electrons and positive ions high above the earth, hence the name ionosphere.
More than twenty years after Marconi’s first transatlantic radio transmission, the British scientist Edward
Appleton discovered the existence of the ionosphere. Further research revealed that the ionosphere
was not just one layer but composed of four layers, designated D, E, F1 and F2. It is the changing
nature of these layers that makes HF propagation an interesting and challenging discipline.
- D Layer: This is the lowest layer of the

ionosphere, around 50 to 90 km altitude. It is
only ionized during the day, reaches a
maximum around noon and due to the density
of the ionosphere, collapses rapidly as the sun
sets. It doesn’t support HF communications as
it absorbs weak HF signals. It is the absence of
the D layer at night that enables a radio listener
to pick up faint broadcast transmissions from
far distant stations that cannot be heard during
the day.
- E layer: This layer exists from 90 to 150 km

altitude. It also exists during the day but takes
longer to dissipate after sunset than the E
layer. It does support some skywave
transmission and because of its low altitude is
particularly useful for short distance
communications. Within the E layer there
randomly exist patches or clouds of more Figure 7 - Layers of the ionosphere
densely ionized gas. These have the ability to support long distance communications at low power.
It occurs more frequently in Polar Regions at night and over equatorial regions during the day. This

‘sporadic E’ communication is beloved by radio amateurs, but due to its unpredictable nature should
never be relied on for regular communications.
- F layer: The F layer actually comprises two layers during the day (F1 and F2) which combine at
night to form one layer. It is the F2 layer, right at the top of the ionosphere, at an altitude of around
250 km which receives the most solar radiation and is hence the most strongly ionized. This layer
is the most useful for long distance communications. Its electron density varies between day and
night and also with the seasons and the sun’s activity cycle.
The degree of ionization of the ionosphere (and hence its ability to refract radio waves) changes with
the amount of solar radiation. This is most clearly seen in the difference in the frequency required to
reach a given distance between daytime and nighttime. The ionosphere is not a stable medium, but
varies with different factors. These cause reasonably predictable changes in the ionosphere which
affect HF communications.
In mid and high latitudes, during the spring and summer there are more hours of sunlight. This increases
ionization in all the layers of the ionosphere. Higher frequencies are required to pass through the D and
E layers and to compensate for the extra refraction of the F layers. Likewise in autumn and winter,
ionization is less and so lower frequencies are required for a given communication distance.
The radiation emitted by the sun is also not constant. It varies with the (approximately) 11 year sunspot
cycle. A sunspot is a region on the sun’s surface that shows intense magnetic activity and generates
higher levels of radiation, which in turn cause higher levels of ionization in the ionosphere. They are
visible to optical instruments because the strong magnetic field inhibits the normal convection currents,
creating a cooler spot on the sun’s photosphere. The more sunspots the greater the levels of ionization.
The frequency required to make a link at the peak of the solar cycle may be double that required at
solar minimum.
1.2 PROPAGATION
There are three main ways that an HF radio transmission travels or propagates to its destination:
- The ground wave, as its name implies, travels parallel to the earth’s surface and has a relatively
short range. It may reach a short way over the horizon. Its range depends on two factors, the
frequency used and conductivity of the ground. Low frequencies and highly conductive ground or
seawater give the longest ground wave transmission distances. The terrain is also a factor. A high
ridge of non-conductive rock or ice will effectively block ground wave propagation.
- A direct wave is one that travels a ‘line of sight’ from the transmitter to the receiver. HF radio offers
line-of-sight propagation, but where this signal is mostly used is in VHF and UHF radios, wireless
data systems, and satellite communications. On the ground, the range of direct wave is limited by
the height of the transmitting and receiving antenna.
- Sky wave transmission is the most common HF propagation mean as it uses the ability of the
ionosphere to refract HF radio waves back to earth. Dependent on the frequency and the electron
density of the ionosphere the distance covered (skip) may be hundreds or even thousands of
kilometers. More on the sky wave transmission below.
Earlier in this section the analogy of light refraction was given to illustrate the bending of radio waves
by the ionosphere. This analogy should be extended to understand that the degree of bending of the
radio wave is proportional to the frequency being used. Think of white light passing through a prism.
The degree of bending is different for each colour (frequency) and so we see the colours of the visible
spectrum. In a similar way, radio waves are bent differently according to their frequency.

Figure 8 - Sky wave transmission paths
An HF radio transmission that uses too low a frequency will be absorbed by the ionosphere and not
returned to earth. A frequency that is too high will only be bent a little as it passes through the ionosphere
and will go on into space and be lost. Between these extremes, there is a range of frequencies that will
be sufficiently refracted by the ionosphere so as to be returned to the earth’s surface at a distance from
the origin. The higher the frequency the less will be the degree of bending and so the greater the
distance before the transmission returns to earth. Such phenomenon results in the HF rule of thumb
number 1:
The longer the distance to be covered, the higher the frequency used
During the day, as the sun gets higher in the sky the level of solar radiation increases and so does the
electron density of the ionosphere. This higher density of electrons increases the refraction of radio
waves so that to reach a given distance in the middle of the day, a higher frequency is required than
during the night or early in the morning. Such phenomenon results in the HF rule of thumb number 2:
The higher the sun, the higher the frequency used
1.3 SKIP ZONE
Because the most useful layer of the ionosphere (F layer) is high in the upper reaches of the
atmosphere, there is usually minimum practical distance (skip distance) before skywave communication
is possible. This minimum distance is almost always greater than the maximum possible distance
achievable by ground wave. This leaves a problem area between the end of ground wave
communication and the start of skywave communication. This zone of silence is called the skip zone
and is illustrated in figure 8.
Fortunately, with modern antennas and an understanding of the problem, there

are several techniques to mitigate or even eliminate this problem. If an antenna
that transmits almost straight up is used, the shortest horizontal distance to the
ionosphere can be covered. When also considering using a very low frequency,
refraction off the E layer (lower than the F layer) can be achieved, thus reducing
Figure 9 - NVIS antenna
the skip distance. Also, low frequencies are refracted more than high installed on a vehicle
frequencies and so cover a shorter horizontal distance before returning to earth.
The antennas that transmit at a high angle are called Near Vertical Incidence Skywave (NVIS) and are

particularly designed to reduce skip zone problems. Codan has NVIS antennas for both base and
mobile stations.
1.4 MODULATION
Modulation refers to the addition of information (voice) to a signal carrier in the HF frequency band. One
can think of blanket waving as a form of modulation used in smoke signal transmission (the carrier
being a steady stream of smoke).
There are many types of modulation technique and Amplitude Modulation (AM) is typically used in HF-
radio frequencies. In AM the amplitude or size of the constant frequency carrier varies with the voice or
other audio signal. The modulated carrier is transmitted to the receiving station where the changes in
amplitude are lifted from the carrier and the original audio is recovered.
Amplitude modulation, in its original form suffers from some disadvantages. The first is that noise and
other interfering signals will affect the amplitude of the received signal, hence making this method of
transmission inherently noisier than other methods. This can make conversations over HF radio difficult
to understand for inexperienced operators. Another drawback with traditional AM transmission (such as
shortwave broadcasting), is that it requires a significant transmit signal (watt), which means expensive
and bulky transmitters. The process of creating an AM signal is to combine the audio signal and a carrier
in a device called a mixer. This produces two products, the carrier plus the audio band and the carrier
minus the audio band. These are called upper and lower sidebands (USB, LSB) as they lie above and
below the carrier in a frequency plot. In a commercial broadcast radio, where there is ample power
available and where transmission distances are often short, simple AM is used. Because the same
information is sent on both sidebands, the two signals can be combined in the receiver, reducing the
effect of noise on one sideband.
Modern two-way communication radios use a more efficient

method called single sideband (SSB). Instead of sending (the
same) information on both sidebands, only one sideband is used.
In addition, no carrier is sent, the method relying on the receiving
radio being accurately tuned to the sending frequency and
“reinserting” the carrier frequency. All the power that would have
been used in sending carrier and the ‘other’ sideband is now
used in transmitting the audio information on a single sideband.
This gives greatly enhanced power efficiency and lower power –
and cost - transmitters. The other advantage is that the frequency
bandwidth is reduced by half, allowing more efficient use of the
radio spectrum as one frequency (the carriers) can be used by
two different stations – one on USB and the other on LSB. The
main drawback when using SSB is that the receiver has to be
more accurate than in a standard AM receiver: the carrier
frequency insertion has to be correct otherwise the audio will be
distorted or even lost. SSB receivers therefore typically have
special, temperature controlled oscillators, guaranteeing correct
insertion frequency and stability. This makes SSB receivers quite
costly.
Figure 10 - AM broadcast vs. AM SSB transmission

1.5 FREQUENCY PREDICTION
HF radio refers to the band of frequencies between 3 MHz and 30 MHz, although modern radios transmit
between 1.6 MHz and 30 MHz and have an extended receiving range down to 250 kHz. The width of
an HF signal is 7 kHz (compared to 12.5 kHz for VHF or 20/80 Mhz for 802.11 wifi). Radio transmissions
made in the HF band travel to their destination differently from other radio frequencies in that they a)
follow the earth curvature for some distance and b) can be reflected (refracted) in the earth’s
atmosphere, thereby extending range significantly.
For a practical HF network, the frequencies needed may be chosen by experience, they may be
imposed by the local telecommunications authorities, or they may be calculated. In every case it is
vitally important that radio operators comply with the laws of the country in which they operate.
With so many variables, one may be forgiven for thinking that finding the optimum frequency for a
communications link is difficult. This would certainly be the case if one made all the calculations by
hand. One would need to know great circle distances between stations, zenith angle of the sun, solar
flux prediction among other factors.
Fortunately, there are many computer programs which; given the geographical coordinates of the
locations, and the solar flux or sunspot number, can calculate the optimum frequency for each hour of
the day. These programmes usually calculate the Maximum Usable Frequency (MUF) that will be
refracted back to earth for that distance and from that derive the optimum working frequency (OWF)
and the required take-off angle from the antenna. Some programmes calculate the differences in
propagation using different antennas and power levels. Our HF radio supplier can assist with obtaining
frequency predictions for multiple sites where the frequencies are chosen to accommodate the local
variations due to the solar cycle.
Some of the available HF frequency prediction programmes are as follows:
- ASAPS (http://www.ips.gov.au)
- VOACAP (http://www.voacap.com)
- ICEPAC (http://www.voacap.com)
- ACE-HF (http://www.acehf.com)
In addition, most HF radio suppliers will be able to provide guidance on HF network/frequency planning.
Once having obtained a suitable frequency combination for the location (taking into account distances,
working hours, variability due to solar cycle, traffic loads, etc.); it then falls to the radio operator to select
the best frequency to communicate over a given link at a given time.
Most modern radios, Codan included, offer an automatic link establishment (ALE) system. These
systems exchange information between radios to build a database of link quality information between
them and other radios in the network. This is then used when calling to select automatically the best
available frequency.

2 HF HARDWARE STANDARDS
2.1 HF TRANSCEIVERS
The Codan Envoy X1 and X2 models are the current standard and the latest in the line of Codan HF
transceivers. The radios can be installed in an office (base) or in a vehicle (mobile). In addition to the
features of previous generation of Codan radios (NGT series), the Envoy series integrate additions such
as IP compatibility, remote or USB flash drive configuration, a colored LCD screen with a modern
"mobile phone" type operating system, multi-lingual user interface, while digital voice processors and
improved noise filter are enhancing voice transmission quality. The software used to program the Envoy
radios (TPS) interface changes significantly and was praised for its simplicity over the NGT's (NSP).
The Codan Envoy replaces the previous standard, known as Codan NGT series radios. The table below
compares features between Envoy and NGT series:
Feature Envoy X1 Envoy X2 NGT VR NGT SRx
Max No. of channels 100 1000 20 400

Selective calling Y Y Y Y
Text Messages Y Y - Y
Emergency Calls Y Y Y Y
Remote Diagnostic Y Y Opt Y
Phone Call capable Y Y Opt Y
GPS Tracking Y Y - Opt
GPS Receiver Opt (Ext) Opt (Ext) - Opt (Ext)
ALE / CALM Y Y Y Y
Data Modem capable - Y (Int) - Y (Ext)
Remote Control capable Y Y - Y
Serial Interface Y Y Y Y
USB Interface Y Y - -
Ethernet Interface Y Y - -
IP networks integration Y Y - -
Digital Voice Processing Y Y - -
Multi-Language Y Y - -
Table 1 – Comparison of Codan Radio Models
The ENVOY is the latest in the line of Codan HF

transceivers. It’s a software-defined, IP capable, HF
transceiver with a smart interface and multi-language
display. There are two models for the Envoy
transceiver, the X1 and X2. Dimensions and
interconnecting cables are the same as used in the
older NGT series. This allows for a plug and play style
change over between the NGT and the Envoy
transceivers i.e. there is no need to replace cables
installed in a vehicle. The Envoy can be installed as Figure 11 - Codan Envoy Base and Mobile
either a base station or vehicle and has two types of
handsets available: the full key 2220 and the limited
key 2221. While the 2221 is a limited key handset it does have an on screen virtual keyboard.
The Codan NGT series of radios have been part of the UN fleet of radios since 2001 and have proven
to be reliable, easy to use and easy to install. However the NGT is now coming towards its end of life
and is being replaced by the Envoy. There were 2 models of NGT radios, both of which could be
installed as base or in a vehicle:

- NGT VR was the entry level, voice only radio with limited
features and options. It was meant for low cost networks only Figure 12 - NGT SRx Transceiver
requiring voice communications.
- NGT SRx: This has been the most common UN HF-radio since the early 2000s. It was a versatile
HF radio to which an auxiliary device, such as a GPS or data modem, could be attached.
2.2 HF ANTENNAS
The antenna and its corresponding transmission line (typically a coaxial cable) are arguably the most
important components of a radio system. Through the antenna and transmission line we seek to ensure
that as much as possible of the transmit signal is converted into radiating energy; and in reception the
antenna has to pick up as much as possible of the often extremely weak receive signal (while avoiding
noise and interference). It is therefore essential that both antennas and transmission lines are adequate
and appropriate to the system, power and frequencies we seek to operate on.
Various antennas exist for different types of stations, radiation-pattern needs, etc. Typically a simple
single-frequency antenna - or half-wave dipole antenna - is only useful for a very limited frequency
span, for which it is in tune and presents the characteristic impedance to the coax/radio (i.e. 50Ohms
in our case).
The half-wave dipole is therefore the simplest antenna available but also
a very good antenna – if one is operating on one channel/frequency only.
This antenna resonates at a certain frequency and cannot be used
(efficiently) much above or below this resonating frequency. A 5 MHz
dipole is therefore only useful for a small deviation around 5MHz – it
cannot be used (efficiently) at 10 or 15 MHz. However, as a station often
uses five or ten different frequencies, it would be impractical to have 5-
10 such dipole antennas. Figure 13 - Simple frequency
antenna
A compromise antenna is the so-called broadband-dipole antenna. This is constructed to give a near
overall resonance from fo.i. 5 – 30MHz and can be used at all frequencies in-between. These antennas
therefore cover large parts of the HF-radio spectrum with relatively good efficiency. They are not the
“best” antennas but good compromises. Codan’s kits come standard with such antennas. They can be
mounted horizontally – for best range/directivity, or as inverted-V, for more omnidirectional
operation/less gain.
Figure 14 - Broadband Dipole Antenna
Antennas are often on the tallest part of a building or mast and as such are prone to lightning strikes.
Such strikes can easily follow the transmission line down to the radio, and destroy (with possibly all
other equipment in the radio-room!) it if it is not
properly protected grounded. Lightning
protection and grounding are therefore an
essential component of building a radio station
and the installer, unless being an expert himself,
should seek for advises and guideline. As a very
minimum, an in-line protector that is inserted on
the transmission line (coaxial) where this enters
the building. This in-line protector should be well
and have a separate ground, to allow high-
Figure 15 - In-line Coaxial Surge Protector

voltage spikes to be routed to earth rather than to the radio. All Codan base station kits are provided
with such lightning protector as standard.
Mobile antennas are different from the base station antennas mentioned
above. Their small dimensions do not allow them to resonate in the
same way as a half-wave or a broadband dipole antenna. Instead an
internal tuning mechanism (a coil that is being mechanically tuned)
adjusts the “electronic length” of the radiating element until this is in tune
(i.e. has the characteristic impedance) for a specific frequency. The
efficiency of this antenna, with its small dimensions, is significantly
reduced compared to fixed antennas. Another characteristic with mobile
antennas is that these are (nearly) always vertical antennas, meaning
that they transmit and receive equally well in most directions (the car
Figure 16 - Mobile Antennas chassis has some effect though). This is however not the case when the
mobile antenna is used with an NVIS ad-on. In this case the antenna
transmits with most power upwards, to allow for short-range skywave reflection, and improved skip-
zone performance. NVIS add-on is recommended in operations with mountainous terrain and shorter
distances.
2.3 CABLES AND TOOLS
The cable is responsible for ensuring the signal is transmitted with minimum
loss between the antenna and the transceiver. As these cables often can be
tens of meters long, the quality, impedance and conditions of the cable are
crucial. Codan standard antenna kits come with 30 meter RG-58 coaxial cable.
This type of cable is thin (~5mm) and therefore easy to install while offering a
good compromise in terms of power transfer. For systems with antennas more
than 30 meters away, thicker cables such as the ~10mm RG-213 coaxial must be Figure 17 – RG213 vs
used. RG58
Two errors often made when installing cables are a) letting cable hang full weight on the connector at
the antenna, causing too much stress on connector and b) too much bending on the cable, such as
letting cable hang over a window sill. Use a cable stress-reliever where it has to hang over long
distances and always allow cable to run smoothly and with ample diameter in curves. Consider
additional support – such as a plastic tube cut in half, where the cable runs over a sharp bend. Also
avoid tightening cable-ties too hard as this can affect impedance.
Coaxial cables are very different from other “electric” cables. The distance between the different
elements of the cable (inner conductor, shield) is crucial and any change in these parameters will affect
the cables impedance and create SWR, heat and loss. It is therefore nearly impossible to properly repair
a coaxial cable. If a cable shows cuts or other damage, always substitute the entire cable. If the cable
needs to be shorten because of too much loss, crimping guidelines for coaxial cable are available in
the VSAT chapter, make sure the proper connectors are used.
Another important factor is the impedance; transceivers output/input in HF (and most other radio-
systems) typically have a characteristic impedance of 50 Ohms (there are systems that use 75 or 300
Ohms but these are rare). In order to ensure impedance matching – and through this transmission of
maximum power between transceiver and air, there has to be impedance matching between all
elements, i.e. transmission line (cable), antenna and transceiver all have to have an impedance of – or
close to – 50 Ohms. If we do not have impedance matching, some of the output (and input) power will
be reflected back to its origin, with less efficiency and loss of power being transferred to and from the
air.
Causes of poor impedance matching can be:
- Cable has wrong impedance (ex. 75 instead of 50 Ohms)

- Cable has been bent too sharply or has damages/cuts where water has entered
- Connectors have been wrongly installed or are corroded
- Antenna has wrong impedance or is out of tune

The Standing Wave Ratio, SWR (also known as Voltage SWR - VSWR), is a measure of an
antenna/transmission line’s performance. The SWR increases as the system gets misaligned (for
instance if a tree-branch falls on the antenna; a car drives over the coax cable; a connector corrodes;
etc.). Using a SWR meter at the transceivers output, we can measure the standing wave ratio of the
system. If all impedances are aligned (i.e. 50 Ohms), there will be no reflected power and the SWR will
be valued at 1:1 – an ideal system. In practice an efficient system will have an SWR of 1.1:1 or higher.
If SWR goes beyond 2:1, the technician should investigate what the problem may be (in a professional
radio-room set-up, each antenna would have a SWR meter permanently installed and the SWR
measured every day to track down eventual long-term degradation). SWR meters are cost affordable
tools (~$50) and can be used for any system involving coaxial cables (HF, VHF, VSAT, WLAN…).
Table 2 - SWR Meter

3 DEPLOYING CODAN NGT SRX RADIOS
3.1 EQUIPMENT ASSEMBLY
a. Checking the equipment. Although Codan equipment is very resistant, damage during shipping can
always happen. Special attention should be taken if the equipment is not being shipped in its original
factory packing, as it could happen in an emergency. Indeed it is common practice to rush equipment
from a neighbouring country by any means of transportation.
The most vulnerable parts of the equipment are the cable connectors, which are partially made out of
plastic, and can be broken (therefore exposing and possibly bending the pins) during shipping. Other
vulnerable parts requiring special care are the heavy power supply units (PSU).
If the original packing material for the Codan equipment is not available before shipping, it is a good
practice to protect well all units and to wrap the connectors in bubble packing material. Also make sure
the connectors are not left underneath heavy equipment that could possibly crush them.
Another crucial detail to consider before sending/receiving the equipment is to make sure the PSU will
match the power requirements of the receiving country. This applies not only to Codan devices but also
any emergency telecoms device; A frequent mistake being to order 220VAC power supply for a country
relying on a 110VAC nationwide standard and different AC wall plug. Codan equipment uses 12V DC
as standard, however the PSU providing that voltage can be configured for either 220VAC or 110VAC.
In an emergency scenario, this detail is often neglected and could lead to irrevocable damage on the
radio.
Once the equipment is received, make sure the inventory is complete with all following items:
Figure 18 - NGT SRx contents

b. Assembling station units. Codan Radios are very straight forward to assemble. The following
scheme summarizes the necessary steps and connections to achieve such operation:
Figure 19 - NGT SRx base (left) and mobile (right) assembly
Note: when using the Desk Console Unit, the seven pin male connector from the handset connects to
the back of the Desk Console Unit as seen in the pictures below, and not to the handset and speaker
connector.
► Refer to the “mobile VHF and HF installation manual.pdf” and “Codan vehicle installation.pdf” files
in the HF documentation for the detailed information on how to install the radio in following vehicles:
- Land Cruiser Station Wagon
- Toyota Hilux
- Land Cruiser Prado

3.2 NGT SYSTEM PROGRAMMER (NSP)
NSP, The NGT System Programmer is a software program that enables to modify, via a serial
port, the settings (channels, modes, networks, station addresses, control settings…) of any
software-configurable NGT series equipment, including the SRx series. This is the software
used for anyone required to configure or reconfigure a transceiver’s information, for example
Codan agents or field service personnel.
In addition the software can also be used for:
- Printing a report of the transceiver’s parameters

- Saving settings to an electronic file
- Compare settings in a transceiver with those in NSP
- Import Codan channel list files from other Codan systems used by other UN Agencies and/or
NGOs into the NGT series Channel Lists
- Load profiles from transceiver systems and edit them
- Easily program an entire transceiver system
Connecting radios and computer is done with the Codan’s NGT software interface
cable and a serial to USB converter (at the time of this publication, laptops have no
longer built in serial ports, therefore a converter is required). On one side the normal
Serial DB9 Port female connector connects to the USB to serial converter while on
the other side, the stereo audio plug connects to the handset (lift the rubber cover
and plug in the connector).
Lauch NSP and select the COM port:

Figure 20 -
Programming
Cable
Note: The serial to USB

converter should not be used for
firmware upgrades.
1. Go to “View” and select “Preferences”.
2. Click on “Communications” and make sure the

COM port matches the one assigned to the USB to
Serial converter
Figure 21 - Selecting COM Port
IMPORTANT: NSP software has been designed to work with COM Ports 1 to 10. If the Serial to USB
interface defaults to other ports outside the Ports 1 to 10 ranges, then manually change the port number
allocated to the converter (indications next page).

1. Go to windows “Start”, right click on Computer 2. Double click on the USB to serial com Port
and select “Device Manager”. and select Port setting and Advanced
Figure 22 - Changing COM Port
Configure NSP to access the radio, back to the preference menu make sure of the following:
1. The transceiver type is correctly selected with the 2. In the List Processing tab, the option “Allow
Codan model being configured (here SRx) and the selection of lists before processing” is ticked
“Prompt for… profile” option is ticked. and correct lists are selected.
3. In the General tab, the option 4. In the Access right tab, make
“Enable toolbar” is selected. sure the correct options are ticked

3.3 PROGRAMMING SEQUENCE
This chapter details the necessary steps to program a Codan NGT SRx model based on the standard
parameters implemented in UN HF networks. The recommended programming sequence is similar as
follow:
b. Channel c. d. e. Control
a. Profile f. Write
List Networks Addresses List
Figure 23 - NGT SRx Programming Sequence
a. Introducing profiles.
A profile is a file containing all user-definable settings that control a transceiver system. The settings
are organized into lists within the profile. A basic transceiver profile contains the Channel, Network,
Phone Link, Address, Control, Keypad, and Mode information. In order to achieve the programming of
the Codan devise, each list must be duly completed with all the necessary information. A profile can be
saved anytime to the hard drive and can be used as a template to program different Codan units.
b. Creating the channel list.
A channel (ex: ICRC1, UN Ch 1…) is a name given to a frequency or pair of frequencies within the HF
range. As described in Chapter 1.1, each channel has one or more modes associated with it, indicating
which sideband can be used with the channel (USB and/or LSB)
4. Leave the Access Rights

1. Go to View, Channels
column empty
Figure 24 - Channel List
2. Enter the channel names, RX and TX 3. Make sure the appropriate USB/LSB is
frequencies as per UN country network marked at the Allowed Modes drop down list
standards. Use the TAB key to advance to the based on the country HF network
next column.
List of a channel’s parameters include:
- Name: uniquely identifies the channel

- Tx Frequency: transmit frequency associated with the channel
- Rx Frequency: receive frequency associated with the channel
- Mode: channel mode, for example the Upper Side Band (USB)

c. Creating the network.
A network is a group of stations sharing channels, a calling system and other characteristics. A direct
field application could be a agency network communicating exclusively with the agencie’s
vehicles/bases and a second network used to communicate security purposes with UNDSS (or other).
Networks that use the UN selcall call structure make calls by entering the address of the remote station
and then by selecting the appropriate channel (frequency + mode). The transceiver can also be set to
scan the channel used by the network to detect incoming calls. It is therefore recommended that when
the transceiver is not used to communicate, the scanning function is switched on.
2. Enter the network name, the scan mode,

1. Go to View, Networks
the call system and the preamble.
Figure 25 - NGT Networks

3. Define which channel(s) should belong to the Network by clicking on the Channel Name drop
down list and by adding all relevant channels
List of the network’s parameters include:
- Name: network name

- Scan: network can be ‘scan’ or ‘don’t scan’
- Call system: Selcall, ALE/CALM or voice
- Call Detect Time: set for appropriate time interval (ex: 6 secs for selcall, 1 sec for ALE/CALM)
- Sounding Intervals: time between sounding calls (for ALE/CALM networks only)
- Privacy Mode/Key: privacy mode on or off and associated key
- Nominal preamble: preamble time for selcall or ALE/CALM
- Channels: channels associated with this network
The Codan Automated Link Management (CALM) is a function that automates the selection of
channels. It enables the transceiver to test the signal propagation qualities of the channel and build a
profile for each channel’s suitability for use at different times of the day and night. The transceiver can
then automatically select the most suitable channel/mode when a call is made. This function is
particularly suitable in countries with many different HF frequencies allocated is also recommended to
use in an inter-agency project where humanitarian organizations would share their frequencies.
d. Pre-defining Addresses.
The Address List acts as a personal address book: it stores the names and addresses of stations the
user often calls. For example, if a station is called O mob 1 and has a “GP” (Get Position) Call Type.
This address, when selected, automatically generates a call on the assigned channel asking the remote
radio to return its GPS position every (GP request). Note that for such case, the GPS option must be
enabled on the radio and a compatible GPS connected. Similarly one can create an entry on the address
list to call the base with predefined channels in the day or night. Following are the required parameters
for the vehicle earlier mentioned:
5. Define which network,
channel and mode should the
radio automatically use when
44 EMERGENCY TELECOMS HANDBOOK selecting this address
4. Enter the selcall ID
1. Go to View, Addresses (if applicable)
2. Enter the entry name 3. Define the call type
Figure 26 - NGT Addresses
List of the addresses’ parameters include:
- Name: name of the person/place to be called

- Call type: can either be a selective call, a phone number, a text message, an emergency call,
a GPS position request or transmission, a status report, a channel test…
- Address: address (call ID or callsign) of the person or place
- Message: the message to be sent if using a message call type
- Network: the network that will be used to make the call
- Channel: the channel that will be used to make the call
- Phone link: phone link (if applicable) to make the call
► Refer to the Codan NGT SRx Reference Manual located on the flashdrive for further information on
the different call types available.
e. Control Lists
Last step is to configure the transceiver with the Control List. The Control List stores the settings that
control the operation of the transceiver, such as the unit self-ID, a power-up passwords, the time and
date. One can also find more advanced configuration settings such as the frequency range, the output
power, TDM mode, etc… Most of these settings however, are usually configured by a system
administrator and it is advised not to change them. Without the admin password, most of the parameters
won’t be visible.
1. Go to View, Controls
2. Double click on the address

(self) field
3. Enter the assigned sellcall

of the radio and the network
4. Back to the main control list, scroll
down until the message 10 field.
Type the command #$! LM-AO
The special #$! LM-AO command will restrict access to normal users to the List Manager via the
Handset. AO means that this function is “Administrator’s Only” selectable.

5. Create an admin password. UNICEF
default admin password is “864233” which is
equivalent to typing the word UNICEF on the
digital keypad of the handset. This will prevent
users from modifying the parameters from the
handset.
6. Enter the correct time zone by adding the

corresponding offset of you country.
7. Last enter a welcome text to display on the

handset once switched on. Best practice is to
include the selcall ID of the radio.
8. Finally one can save the profile by clicking

on the Save icon. This completes the profile
and it can be used to program the Codan SRx
Radio.
Figure 27 – NGT Control List

f. Writing from NSP to the radio.
This step is straight forward once one has completed the profile. Click on File, Program Transceiver:
1. If the following warning is

displayed, make sure the
admin password is known.
2. Make sure all items but the 3. Wait for the progress bar to 4. Press OK once the operation
modes are selected and press be a 100%. is finished
Program.
3.4 TESTING THE RADIOS
Turn off the radio and on again by using the Headset Power Button, to make sure it starts up with the
new programming in place.

As configured in NSP, the welcome text should be displayed on the handset screen when turning on
the equipment. One should also see the radio’s Selcall ID. Since the radio was programmed to scan
the Network, it will automatically start scanning (see chapter 3.2.3.c).
To further modify the configuration:

- Apply changes to the profile saved on the hardrive and program the radio.
- Import the profile from the radio (it should prompt for the password), modify it and program again.

4 DEPLOYING CODAN ENVOY X1/X2 RADIOS
4.1 RADIO ASSEMBLY
Although Codan equipment is very resistant, damage during shipping can always happen. Special
attention should be taken if the equipment is not being shipped in its original factory packing, as it could
happen in an emergency. Indeed it is common practice to rush equipment from a neighbouring country
by any means of transportation.
The most vulnerable parts of the equipment are the cable connectors, which are partially made out of
plastic, and can be broken (therefore exposing and possibly bending the pins) while the shipping.
If the original packing material for the Codan equipment is not available before shipping, it is good
practice to protect all units and to wrap the connectors in bubble wrap packing material. Also make sure
the connectors are not left underneath heavy equipment that could possibly crush them.
AC Power Supplies: All Codan equipment requires 12VDC to operate. To obtain the 12VDC required
a Power Supply is used to convert AC mains power to DC.
3020 Power Supply: The 3020 power supply is a switch mode power supply (SMPS) which operates
on AC voltages from 90 to 250VAC. Ensure the correct AC mains cable suits the country.
Once the equipment is received, make sure the inventory is complete with all following items:
Figure 28 – Envoy Base & Mobile contents

Codan Radios are very straight forward to assemble. The following scheme summarizes the necessary
steps and connections to achieve such operation:
Figure 29 - Envoy Base and Mobile Assembly
► For detailed mobile installation guidelines, refer to the “mobile VHF and HF installation manual.pdf”
and “Codan vehicle installation.pdf” files in the HF documentation for the detailed information on how
to install the radio in following vehicles:
- Land Cruiser Station Wagon

- Toyota Hilux
- Land Cruiser Prado
4.2 ENVOY TRANSCEIVER PROGRAMMING SOFTWARE (TPS)
TPS is a Windows only program that enables administrators to modify, via a USB port, the settings
(channels, modes, scan tables, HF networks, station addresses, control settings…) of any software
defined Envoy series HF transceiver. This is the software used for anyone required to configure or
reconfigure a transceiver’s information, for example Codan agents or field service personnel.
In addition the software can also be used for:

- Saving settings to an electronic .sp file (Profile or Codeplug)
- Compare settings in a transceiver with those in TPS
- Import Codan channel list files from other Codan systems used by other UN Agencies and/or
NGOs into the Envoy series Channel Lists
- Load profiles from Envoy transceiver systems and edit them
- Easily program an entire Envoy transceiver system
- Enter GPS waypoints
- Upgrade Envoy firmware
Note about TPS Registration & License: During the installation process, TPS will show a registration
screen which requires a license. Contact ICTD if such license has not been provided since after 30
days TPS will lock until it has been registered with a valid licence key. Note that the licence key given
is unique to the TPS installation, i.e. it cannot be installed on PCs.

Hardware and Software requirements
- A Codan Envoy Radio with latest firmware installed.

- Laptop, with Windows XP, 7, 8 & 8.1. Windows Vista is not supported.
- A USB A to USB micro cable.
- Codan TPS (Transceiver Programming Software) with a valid license key.
- The country specific callsign and selcall allocation table.
- (optional) Firmware files for upgrading old hardware to latest Firmware.
From a computer, connect the Codan handset or desktop microphone using the USB cable to a
computer and turn on the radio.
Launch the TSP software (Transceiver Programming Software).
This chapter details the necessary steps to program a Codan Envoy based on the standard parameters
implemented in UN HF networks. The programming sequence is similar to the Codan NGT series:
b. Channel c. Scan d. e.
a. Profile f. Settings
List Table Networks Contacts
Figure 30 - Envoy programming sequence
Before proceeding ensure the Envoy is reachable by clicking the auto-connect icon have selected the
correct model (X1/X2) as the transceiver type. The Envoy uses IPv4 addresses to connect the TPS
software to the Handset or RF Unit. The default IP addresses are listed in the table below, enter the CP
IP address in the IP address field and press connect or alternatively select “auto-Connect to display a
list of accessible devices:
Device IPv4 Address

CP or Handset (USB) 192.168.234.1
RF Unit (Ethernet) 192.168.0.248
Figure 31 - Connecting to the Radio

a. Creating a new Profile
A profile, or codeplug, is a file containing all user-definable settings that control a transceiver system.
The settings are organized into lists within the profile. A basic transceiver profile contains Channel,
Scan Table, HF Network, Contact, Setting, Macro, and Customise information. In order to achieve the
programming of the Codan device, each list must be duly completed with all the necessary information.
A profile can be saved anytime to the hard drive and can be used as a template to program different
Codan units.
To create a new profile click on the button in the Welcome tab.
b. Creating the channel list
A channel (ex: ICRC1, UN Ch 1…) is a name given to a frequency or pair of frequencies within the HF
range. As described in Chapter 1.1, each channel has one or more modes associated with it, indicating
which sideband can be used with the channel (USB and/or LSB)
1. Go to Channels Tab
2. Enter the channel names, Tx and Rx 3. Make sure the correct mode(s) is marked
frequencies as per UN country HF network. at the Allowed Modes drop down list
Use the TAB key to advance to the next according to the country HF network.
column.
Figure 32 - TPS Channel Tab

List of a channel’s parameters:
- Name: uniquely identifies the channel

- Tx Frequency: transmit frequency associated with the channel
- Rx Frequency: receive frequency associated with the channel
- Allowed Modes: channel mode(s), for example the Upper Side Band (USB)
c. Creating the Scan Table.
A scan table is a group of channels used to either make an outgoing call or listen for an incoming call.
List of the Scan Table parameters:
- Scan Table Name: Scan table name

- Scan: Select to Scan, deselect to disable scan
- Channel Name: Selected Channel to Scan
- Tx Frequency: Automatically filled when a channel has been selected.
- Rx Frequency: Automatically filled when a channel has been selected.
- Mode: Only one mode can be selected

1. Select Scan Tables
tab
2. Enter Scan Table Name 3. Select Scan
4. Select the required channels 5. Select the Mode
Figure 33 - TPS Scan Tables
d. Creating an HF Network
The HF Network sets the calling system and self-address to be used with a Scan Table. There can be
multiple HF Networks and, therefore, multiple self-addresses per Envoy
1. Select HF Networks tab
2. HF Network Name
4. Enter the Self Address
3. Select the Call 5. Select the Scan Table

System
Figure 34 - TPS Networks

List of the HF Network parameters:
- HF Network Name: Set the name for the HF Network

- Call System: Select the Call System to use (Open Selcall or ALE/CALM is used by the UN)
- Self Address: Set the Self Address or Self ID of the HF Network
- Scan Table: Select the Scan Table to be used for the HF Network
- Global: Tick to use ALL channels for calling (Not used)

e. Creating Contacts
The Contacts List acts as a personal address book: it stores the names and addresses of stations the
user often calls.
1. Go to Contacts tab
2. Enter the Contact name

5. Enter the Selcall ID (Optional)
4. Define the call type

3. Define which HF Network, the radio should use when selecting this Contacts Call
Figure 35 - TPS Contact List

List of the Contact parameters:
- Contact Name: Name of the person/place to be called

- HF Network: Select from the list of previously created HF Networks
- Call Type: Select from the list of Call Types e.g. Selective, Message, Emergency etc
- Address: Enter the selcall ID of the radio to be called. Leave blank to enter the selcall ID
manually before calling
- Call Description: A description for the Contact Call. This description can be any
alphanumeric text
-
► Refer to the Codan Envoy Reference Manual located on the flashdrive for further information on the
different call types available.
f. Peripherals and Settings
This is the last step to configure the transceiver. The Peripheral contains various selections for the
external connectors i.e. Antenna, RFU 15way & RFU 6way. Ensure the correct antenna type is selected
i.e. BB, 9350, 3040 etc. The Settings list stores control parameters for the operation of the transceiver,
such as the Admin PIN, time and date and Status Areas. Users can also find more
advanced configuration settings such as the frequency format, language, output
power, etc… Most of these settings however, are usually configured by a system
administrator and it is advised not to change them. Without the admin password,
most of the parameters won’t be visible. To continue select the Admin and
Advanced buttons.
Antenna Type. Change the Antenna Type under Peripherals to

BroadBand. When installing the Envoy into a vehicle the correct
antenna type must be selected. The default antenna type for a vehicle
will either be a 9350 or a 3040. A 3040 ATU can be used if the antenna
type selected is 9350. However if a 9350 ATU is used the antenna
type must be set for 9350.
Select Change the Antenna Type to BroadBand.
Welcome Text, Time & Date, Status Area & Admin PIN settings

Select
1. Enter the Welcome Text ‘UNICEF [Call Sign]’
2. Select the Status Area values

based on your country standards
3. Select the Time Zone for the

current location.
Figure 36 - TPS Advanced Settings
4. Select the Configuration tab then enter the Admin PIN as ‘2222’
Entering an Admin PIN will prevent users from modifying the parameters from TPS or the handset.
g. Saving the profile. Finally save the profile by clicking on the icon at the top and select Save
As. Provide a name for the profile and save it. This completes the profile and it can be used to program
the Envoy Radio. Profiles with an Admin PIN set will require the TPS user to enter the PIN before
viewing or editing the profile is allowed.

h. Exporting/Programming the profile from TPS to the radio can be achieved in two ways, using TPS
or the USB adapter and a USB Flash drive. For this exercise we will use TPS to program the Envoy.
Ensure the Envoy to be programmed is ‘connected’ . Correct connection will display a ‘TPS Connected’
popup window on the Envoy handset.
Also the TPS button will change to
Press the button to start the programming process.
The Program Transceiver window will appear
Use the Program Transceiver window to select what parameters should be programmed in to the Envoy
e.g. if changes have been made to Channel Names then only select Channels and Modes from the list.
Press the Program button. If the PIN window is displayed, enter the Admin PIN before the Envoy can
be programmed. Press OK to continue.
Wait for the progress bar to be a 100%.
The Program Transceiver window will close automatically

once programming is complete.
Once programming is complete simply press the button or simply unplug the USB
programming cable from the handset.
4.4 TESTING THE RADIOS
The radio requested by the radio to restart by pressing the Handset Power Button. This is to ensure the
Envoy starts up with the new programming parameters in place.
As configured in TPS, the welcome text “UNICEF [Call Sign]” should be displayed on the handset
screen when turning on the equipment. If a Welcome Image was also programmed this will be displayed
before the Welcome Text. Since the radio was programmed to scan the Network, it will automatically
start scanning.
To further modify the configuration:
- Apply changes to the profile saved on the hardrive using TPS and program the radio.
- Read the profile from the radio, modify it and program again. If an Admin PIN has been set TPS
will prompt you for the PIN before reading the profile from the radio.
Testing the radios by making a call.
1. To make a call, press the Call button, 2. The Handset should prompt for the
either on the handset unit or the desk HF Network to be used. Select UNICEF
console. and press OK.
3. Using the left and right arrow buttons 4. Enter the selcall ID of the radio to
make sure the Call Type is set for Selective be called. Then press Call
5. Select the channel to make the call on. 6. The call will be sent to the remote
Press Call to call the radio. radio using Open Selcall.
If the dialed radio is reached, an acknowledgment return sound called a revertive is heard on the
transceiver. On the remote radio, a call in progress sound is heard. The receiving operator only has to
press the PTT button and start talking to respond to the call.
------------------------------------ END OF CHAPTER 2 ------------------------------------

CHAPTER 3
VERY / ULTRA
HIGH FREQUENCY
(VHF/UHF)
VERY / ULTRA HIGH FREQUENCY 57

1 ABOUT VHF/UHF
Very High Frequency (VHF) and Ultra High Frequency (UHF) bands cover the range of 30-300MHz and
300-3000 MHz, respectively. Within these ranges, commercial two-way radio operate in 146-174MHz
(VHF) and 403-470MHz (UHF).
VHF and UHF communications are primarily used for local communications related to security and/or
for operations. Typically UN agencies (and often NGOs) share a common infrastructure (network of
repeaters; common channels) and radio-rooms, where operators make the daily or weekly security
checks and monitor all vehicle movements.
There are basically four types of equipment to be considered:

- Handheld or portables for individual users
- Mobile stations: vehicle fitted with VHF/HF radio
- Base Stations: equipment for fixed locations, typically offices or radio-rooms
- Repeaters: relay stations mounted on high buildings or mountains, to extend the range of the
network
The UN standardizes on Motorola GP/GM series (analogue radios) and – as of 2014 - Motorola
Mototrbo DP/DM series (digital radios).
Scope of this chapter: This handbook provides information directly applicable to the UN standard
Motorola equipment used in emergencies: handhelds, mobile and base stations. Programming of
repeaters for example is not covered; although repeaters are maintained by UNICEF in some cases,
most of the time these are installed by WFP or UNDSS. Similarly this handbook does not include
information about designing and configuring VHF equipment for digital communications, therefore
guidelines for the Mototrbo equipment focus on operating in analogue mode only.
1.1 COVERAGE
The actual range of a VHF (or UHF) network will depend on many factors, including: man-made or
natural obstructions (buildings, mountains); transmit power; sensitivity of receiver; height, type and
quality of antennas; antenna cable quality and length; etc. VHF and UHF max range is determined by
Line-of-Sight (LOS), i.e. if there is an obstruction between sender and receiver the signal will be
interrupted, causing lack of communication.
Power and antenna size are also significant factors: portables, as they have little power (4-5Watt) and
small antennas can only communicate over a couple of kilometers, while mobiles and base stations
(typ. with 25 Watts and bigger antennas) may be able to reach each other over tens of kilometers.A
theoretical (ideal) distance guide for VHF would be as follow:
Coverage without repeater Coverage with a

Handheld (5W) Mobile (25W) Base (25W) Repeater (45W)
Handheld (5W) 3 km 10 km 20 km ~20 km
Mobile (25W) 10 km 40 km 60 km ~60 km
Base (25W) 20 km 60 km 100 km ~100 km
Table 3 - Maximum Range of VHF equipment
Realistically, in most operations these ranges will be significantly reduced due to obstructions. By using
a repeater however, portable range can be increased to many tens of kilometers, while base and
mobiles may be able to reach a repeater at distances of 100km or more.
1.2 PROPAGATION

Unlike high frequencies (HF), the ionosphere does not usually reflect VHF/UHF radio signals and
propagation characteristics of VHF/UHF are therefore ideal for short-distance terrestrial
communications. VHF signals typically reaches somewhat further than line-of-sight (LOS, i.e. the
horizon), whereas UHF range is limited by LOS. VHF/UHF are also less affected by atmospheric noise
and interference from electrical equipment than HF radio frequencies, making communications clearer.
On the other hand, both UHF and VHF signals are interrupted and reflected by mountains, buildings,
etc.
VHF typically offers a better range than UHF in suburban/rural areas, whereas UHF typically offers
better coverage in city-environments (the UHF signal bounces and reflects off buildings and reaches
further). Ultimately, however, the band to be used will depend on what the local telecom authorities
make available. In UN networks, probably 95% of networks operate on VHF.
1.3 CHANNELS
VHF and UHF radios typically use 2 types of channels, simplex or (semi-)duplex:
- A simplex channel radio system transmits and receives on one single frequency. Simplex is used
when no repeater is available, or to communicate directly between two or more users where users
are close to one another and to avoid using repeater-space. Since VHF radio signals are generally
limited to line-of-sight, range is short.
- When using repeaters, these are said to work on a full duplex channel, i.e. the repeater receives
and transmits at the same time (and often using one shared antenna). This is possible because the
receive frequency (“input”) and transmit frequency (“output”) are separated (typ 3-5MHz), thus
avoiding that the strong output signal goes straight into the sensitive receiver (in addition, strong
filtering is employed). The radio (for instance a hand-held) operating over a repeater channel is
said to be operating in semi-duplex, i.e. it uses two separate frequencies for Tx and Rx, but can
only receive or transmit at a given time (not simultaneously).
- Repeaters are usually placed on a mountain (where available/accessible), on top of tall buildings
or on large towers/masts to increase the range. Due to their importance in the network, repeaters
are typically powered by non-interruptible power supplies, such as generators, solar panels and
batteries.
Figure 37 - Simplex and Duplex Channels

1.4 NETWORKS
A radio is always part of a network with two or more radios which operate on the same
frequencies/channels in the same geographical area. Networks can have multiple channels: an
interagency calling or security channel, a dedicated agency repeater (duplex) channel, and a dedicated
agency simplex (no repeater) channel. Individual channels can be configured for simplex or duplex use,
according to the requirements and coverage required.
1.5 SIGNALING
Similarly to the Internet Protocol headers, radio networks can use signaling to transfer information other
than the voice communication. This functionality can be used to improve privacy, limit interferences,
identify the caller, remotely disable or enable a radio… There are two types of signaling used in standard
UN analogue VHF/UHF networks: Select 5 and PL/DPL.
1.5.1 PL/DPL signaling
PL (Private Line) or DPL (Digital Private Line) signaling are used both for network privacy and to avoid
interference with other networks that may transmit on the same frequency. PL uses sub-audible tones
(below about 250 Hz) to carry the selection information. These are transmitted in addition to the normal
voice channel, but as they appear below the audio range passed by most mobile radios (roughly 300-
3000Hz), they are filtered out and therefore not heard. Only when the correct tone is transmitted will the
receiver be opened and the transmitted audio will be heard. Whereas PL is purely analogue, DPL is a
square wave signal (0’s and 1’s).
Using PL or DPL in a network helps eliminate disruptive conversations and interference from other
networks who may be sharing radio frequencies. This also creates privacy by only allowing calls that
have the network’s specific PL or DPL code. In other words; even if a neighboring radio transmits on
the same frequency but uses another PL or DPL code, the receiver will not open. All radios in the same
channel must have the same PL or DPL code in order to be able to communicate – this includes also
the repeater station.
“PL encoding” refers to as radios transmitting their tone code whenever the transmit button is pressed.
The ability of a receiver to mute the audio until it detects a carrier with the correct PL/DPL tone is called
“decoding”. There are as many as 50 PL tone codes, ranging from 67 to 257 Hz, identified with a 2-digit
code, for example:
PL XZ WZ XA WA XB WB YZ YA YB ZZ ZA ZB
Hz 67 69.3 71.9 74.4 77 79.7 82.5 85.4 88.5 91.5 94.8 97.4
Table 4 - PL Codes & Corresponding Frequency
1.5.2 Select 5 signaling
Traditionally to identify users in a network, each user is assigned a dedicated verbal call-sign (refer to
Point 3 – UN Call-Sign and Sell-Call standards). If the user had the radio switched on with a sufficient
audio volume, others would get in touch using a verbal call sign protocol. The weakness of this system
is that all users have to constantly monitor all the traffic on the channel, waiting to hear their own call
sign. This can be a challenge to anyone’s patience and creates the risk of users turning down their
volumes, or even switching off their radios.
Signaling can again be used to address such problem. For example, a radio can transmit a specific
code that is targeted – and decoded - only by one radio, or a specific group of radios. In this system, all
radios in the network can keep the audio volume turned down and still be reachable whenever required.
When the code is received, the radio will open its loudspeaker and “ring”, inviting the user to increase
the volume and respond to the call.

The standard selective calling protocol used by UN and NGO agencies is Motorola’s proprietary “Select
5” protocol. This is a 5-tone protocol, whereby a combination of 5 tones consists the code (also called
a “telegram” by Motorola). As opposed to PL, tones are audible, making Select 5 enabled networks
easy to recognize.
In addition to selective calling, Select 5 signaling can be used for the following functionalities:
- Caller ID and Call Back displays the identity code of the caller enabling easy call back.
- Group Call allows a user to selectively call a dedicated group of radio users, allowing for instance
specific teams to communicate with each other without disturbing others.
- PTT ID identifies the radio that is transmitting and thus discourages inappropriate use of a radio.
- Auto-acknowledgement provides for a called radio automatically to send back its ID; an automatic
radio “handshake” and confirmation that the message was received.
- Kill Mode (Stun/Unstun) provides a way to prevent unauthorized use of a stolen radio by disabling,
and re-enabling the radio.
- Emergency Alarm sends a priority message silently from a radio to the network control base station
(typically the UNICEF radio room and the Security Officer) allowing security personnel to quickly
track a person in danger and take necessary action.
- Lone Worker facility allows the radio to be programmed to issue an Emergency call if the radio
hasn’t been activated for a predefined period of time. Typically it is used for making certain that a
lone worker, for example a night guard has his radio switched on, and is awake/that nothing has
happened to him.
1.6 DIGITAL RADIOS (DMR)
In 2014, the Inter-Agency community determined a new standard for VHF radios: Motorola Mototrbo.
Mototrbo radios operate with a protocol known as DMR (Digital Mobile Radio), which bring significant
enhancements to the previous PMR standard (Portable Mobile Radio):
- Medium Optimization: Mototrbo uses

Time-Division Multiple-Access (TDMA)
technology to provide twice the calling
capacity compared to analogue systems.
Practically this mean that two channels
are available with a single frequency.
- Twice more users: networks can handle
doubles the number of users on a single
licensed 12 .5 kHz channel.
- Individual, group and broadcast calls. Figure 38 - Analogue vs TDMA 12.5 kHz cnannel
- Clearer communications: rejecting static and noise, Mototrbo radios provide clearer voice
communications over a greater range than comparable analogue radios. The coverage by itself is
not improved but the ration coverage / voice quality is definitively.
- Text messaging: an SMS text messaging service allows communication between radios and
dispatch systems, between radios and email-addressable devices, and to remote PC clients
attached to radios. Furthermore, the dispatcher PC can act as a gateway to email, enabling
messaging between email-addressable devices and radios.
- Enhanced battery life: digital TDMA two-way radios can operate up to 40 percent longer between
recharges compared to typical analogue radios.
- Backward analogue compatibility: easy migration from analogue to digital with the ability to operate
in both analogue and digital modes.
- Location services: provides the ability to track people and assets, such as vehicles. This advanced
approach takes advantage of the GPS- receiver integrated within both the portable and mobile
radios, combined with the software applications from one of the many Mototrbo application
partners. GPS-equipped portable and mobile radios can be configured to transmit their
geographical coordinates at pre-programmed intervals, on demand and in case of an emergency.
Software applications provide dispatchers with a real-time display of fleet activity on a customized,
high-resolution, color-coded map. Using a location service application and MOTOTRBO’s
integrated GPS, your customers can enjoy the benefits of location tracking.

Figure 39 - Asset tracking using DMR
Repeater Modes
Depending on the geographical area to cover (number of sites) and the size of the network (number of
users and traffic), repeaters can be installed in the following 5 modes:
Figure 40 - DMR Repeater modes

- Conventional mode is the most basic repeater setup. A single repeater is installed in an elevated
area covering an area of 20km to 100km (depending on the user station).
IP Site Connect allows radios to extend conventional communication beyond the reach of a single
site, by connecting to different available sites which are connected via an Internet Protocol (IP)
network. When the radio moves out of range from one site and into the range of another, it connects
to the new site's repeater to send or receive calls/data transmissions. Depending on your settings,
this is done automatically or manually. If the radio is set to do this automatically, it scans through
all available sites when the signal from the current site is weak or when the radio is unable to detect
any signal from the current site. It then locks on to the repeater with the strongest Received Signal
Strength Indicator (RSSI) value. In a manual site search, the radio searches for the next site in the
roam list that is currently in range (but which may not have the strongest signal) and locks on to it.

- Capacity Plus is a single-site trunking configuration of the digital radio
system, which uses a pool of channels to support hundreds of users and up
to 254 Groups. This feature allows radios to efficiently utilize the available
number of programmed channels while in Repeater Mode. A user does not
need to select a channel or time-slot for making a call. In a capacity-plus
system, the number of timeslots in the system can be increased by adding
more repeaters. Up to 6 voice repeaters can be connected in a Capacity Plus
system, providing a maximum of 12 timeslots. Capacity-plus system also
provides the option of setting up dedicated data repeaters. The dedicated
data repeaters can be used for data applications, such as for transfer of GPS
data from handset to the control station.
Figure 41 - C+
- Linked Capacity Plus is a multi-site multi-channel trunking configuration of the Mototrbo radio
system, combining both Capacity Plus and IP Site Connect configurations. Linked Capacity Plus
allows radios to extend trunking communication beyond the reach of a single site, by connecting to
different available sites which are connected via an Internet Protocol (IP) network. It also provides
an increase in capacity by efficiently utilizing the combined available number of programmed
channels supported by each of the available sites. When the radio moves out of range from one
site and into the range of another, it connects to the new site's repeater to send or receive calls/data
transmissions. Depending on the radio settings, this is done either automatically or manually. If the
radio is set to do this automatically, it scans through all available sites when the signal from the
current site is weak or when the radio is unable to detect any signal from the current site. It then
locks on to the repeater with the strongest Received Signal Strength Indicator (RSSI) value. In a
manual site search, the radio searches for the next site in the roam list that is currently in range (but
which may not have the strongest signal) and locks on to it. Any channel with Linked Capacity Plus
enabled can be added to a particular roam list. The radio searches these channels during the
automatic roam operation to locate the best site.
Repeater
Repeater
Digital VHF network
Digital VHF network Repeater Location C
Location A
Channel 1 Digital VHF network
Channel 2
Location B IP LINK Channel 1
Channel 2
Channel 3
Channel 4
IP LINK Channel 1
Channel 3
Channel 4
Channel 5 Channel 2
Channel 6 Channel 5
Channel 3
Channel 4 Channel 6
Channel 5
Channel 6
Figure 42 - Linked Capacity Plus
2 HARDWARE STANDARDS
2.1 HANDSETS, MOBILES AND BASE STATIONS
Listed below are the standard analogue and digital mobile and base stations recommended for
UN/UNICEF emergency communication systems and/or operations. Models exists for VHF (136-
174MHz) or UHF (403-470MHz) distinctively (determining the is required when procuring) and are
compatible with the DMR technology and PL/DPL signaling:

Model SL1600 DP3441e DP2600e DP3361e DP4801e DM4400e DM4601e
Price $315 $490 $510 $545 $645 $445 $625
Power 2W 4W 4W 4W 4W 25W 25W
Channels 99 32 128 1000 1000 99 1000
Display 1 line scroll No 2 lines B&W 5 lines color 5 lines color 2 digit 4 lines color
Keypad No No Menus Menus No Menu Menu
GPS No Yes No Yes Yes No Yes
Programmable
button
1(7) 2 4 4 5 4 4
Emergency
button
No Yes No Yes Yes No No
SelV No Yes Yes Yes Yes Yes Yes
OTAP No Yes Yes Yes Yes Yes Yes
Size (mm) 126x55x22 100x56x30 122x56x36 100x56x30 130x55x36 44x169x134 53x175x206
Weight (g) 166 254 282 290 330 1300 1800
IP rating IP54 IP68 IP67 IP68 IP68 IP54 IP54
Table 5 - VHF/UHF Handsets, Mobiles and Base stations
When selecting models it is important to take into consideration not only the current needs but also
eventual future network changes. Example: If the network is expected to be upgraded to GPS tracking
in for instance two years, it would make sense to purchase radios with GPS already enabled or with
GPS option.
It is highly recommended that field offices seek the advice of the regional ICT and/or HQ technical units
before procuring equipment. The following tables have been created to help offices in procuring
handheld equipment:
Digital PL Select Blue- Capacity Connect

Kit $ Cost Voice Text GPS IPSC LCP
(DMR) DPL V tooth Plus Plus
DP4801 645
DP3361 545
DP2600 510
DP3441 490
SL1600 315
Table 6 – Comparison of Portable Motorola UHF/VHF Models
Notes:
- DP4801e uses programming cable (PMKN4012)

- DP3461e, DP3441e and DP2600e use the same programming cable (PMKN4115)
- SL1600 require a standard USB to mini-USB cable for programming
The following tables have been created to help offices in procuring mobile equipment:
$ Cost
Kit VHF Voice Text GPS IPSC LCP
UHF
624.46
DM4601
611.70
799.34
DM4401
786.60
541.96
DM4400
529.20
Table 2 – Comparison of Mobile Motorola UHF/VHF Models
Notes:
- DM4801e and DM4401e can be procured with the “remote mount” option, allowing the
transceiver unit to be hidden.
- DM4601e, DM4401e and DP4400e use the same programming cable (PMLN6404)
The following tables have been created to help offices in procuring base equipment:
$ Cost
Kit VHF Voice Text GPS IPSC LCP
UHF
1,507
DM4601
1,315
1,425
DM4401
1,232
1,375
DM4400
1,183
Table 3 – Comparison of Base Motorola UHF/VHF Models

Notes:
- DM4601e, DM4401e and DP4400e use the same programming cable (PMLN6404)
2.2 REPEATERS
The SLR5000 repeater is the new UN repeater standard for

emergency operations. Available in UHF and VHF frequency
bands, the SLR5000 enables easy migration from analogue to
digital by utilizing a dynamic mixed mode that automatically
switches between analog and digital mode.
Figure 43 - SLR5000
Compatible with Motorola DMR protocol, the repeater offers all the
advantages of digital communications:
- TDMA digital audio capability
- IP Site Connect
- Capacity Plus (additional license)
- Connect Plus (additional license)
- Transmit Interrupt: interrupts on-going conversations to deliver critical communication if needed.
- Analogue, digital or Mixed Modes
- One to one or group calls
- Continuous full-duty cycle at 40 W.
- Wall or rack mountable

Always specify receive and transmit frequencies when ordering. It is recommended to order repeater
station as a kit, complete with antenna and antenna cables, power supply, temperature-controlled fan,
shorting plugs, technical manual and programming hard and software.
2.3 ANTENNAS
The antenna is a device which converts the electric power transmitted by the radio into radio waves,
and vice versa. A good antenna is one of the most valuable assets to increase transmitting range,
enhance reception of weak signals and reduce interferences. All VHF equipment (handhelds,
mobiles/bases, repeaters) use antennas for both the transmit and receive signals. Motorola antennas
are generally of a high performance, durable, and very efficient but yet fragile (never grab a handset by
its antenna). On the other hand, when properly installed and maintained they can last from 10 to 25
years.
There are various types of antennas based on the application, all of them vary depending on the
frequency used. Before procuring the antenna, always communicate the intended frequency to the
reseller!
2.3.1 Helical antennas for handsets
Helical antennas present the particularity of having their

conductive wire wound in the form of a helix. This type
of antenna is very common in portable handsets, such
as the Motorola GP and DP series. The loading provided
by the helix allows the antenna to be shorter than its
electrical length of a quarter-wavelength.
Since the antenna is directional, it is recommended to

orientate the radio toward the repeater antenna to
improve the voice clarity.
Note that VHF antennas for handset do not cover the

whole range of the VHF spectrum (136-174 Mhz). It is
therefore very important to select the appropriate
antenna model, based on the local repeater frequencies, Figure 44 – VHF Helical antennas
when procuring a handset:
- QA02425AA covers the 136-155MHz range

Figure 45 - Motorola helical antenna frequency range

2.3.2 Folded dipole antennas for repeaters and bases
The folded dipole antenna is among the most widely used

VHF/UHF class of antenna. Its radiation pattern is
considered omnidirectional but includes an offset and
therefore should be correctly oriented toward the location to
cover.
Using a single dipole antenna, such as the Polar 214 (VHF)

or 314 (UHF) series provides very limited gain. Instead it is
recommended to stack two dipoles together, resulting in
better gain (5dBi) and improved reception than with a single
dipole. Stacking 4 dipoles will improve further the gain (8dBi)
but will also narrow the beam, making the antenna more
directional.
Figure 46 - VHF Folded dipole antenna
Since the spacing of the dipoles is very important and depends on the frequency used,
it is recommended to procure an already assembled stack of dipoles (Polar 214-2 or 214-4 and
Kenbotong KE-TQJ-150I). One can then direct the dipoles independently based on the desired
coverage (single direction, bi-direction or omni-direction).
2.3.3 Collinear antennas for repeaters and bases
Collinear antennas are a good alternative to dipoles and

are the most deployed in the UN. The Procom CXL 2-3C
(VHF) and CXL 70-3C (UHF) standard models (5dBi) are
heavy duty 2 to 3 meter tall antennas (depending on the
frequency used) made of fiberglass that can offer better
coverage that 2 dipole antennas stacked together.
The radiation pattern is truly omnidirectional making it a

good choice for repeater installations in offices that are
located in the middle of a city. It can be set on top, or side
mounted to the tower.
Note that such antennas are cut for a specific frequency

range and therefore might not be optimized for all existing
channels. If the channel frequencies are spreader, then a
folded dipole is more adequate.
Figure 47 - VHF Colinear Antenna
2.3.4 Yagi antennas for repeaters and bases
Yagi antennas are commonly referred to as "beam

antennas" due to their high gain and directional
beam. The standard LTA model is the Polar 225
(VHF) and 325 (UHF). Both are 6-elements
antennas offering 11dBi gain.
Another particularity of Yagi antennas is that their

beam is narrow (65°) and therefore directional.
Such type of antenna is therefore rarely used in
UNICEF, unless to cover a particular corridor or to
link two repeaters together. Similarly to folded
dipole antennas, Yagi antennas cover a Figure 48 - VHF Yagi Antenna
wider frequency range than collinear antennas.

2.3.5 Whip antennas for vehicles
“5/8 wave” omnidirectional antennas (Procom MH-3Z and 3-

BZP4) are the standard antennas for vehicles in UNICEF.
They offer a 3dB gain in the horizontal plane, so that it works
well when the repeater site is not nearby but on a tall tower or
mountain at a further distance. A 1/4 wave antenna (such as
the Procom MH-1-Z), radiating better in the horizontal plane
(see pattern) is recommended for communications close to
the repeater in high raise building areas.
Such antennas should be assembled on top of the vehicle and

point straight up for best performance.
Figure 49 - Whip Antennas
3 INSTALLATION BEST PRACTICES
3.1 BASE STATIONS & RADIO ROOMS
- 2 or more VHF (or UHF) base stations mounted so

they are easy to view and handle
- Radios should be powered from battery
- Charger galvanic separated from the mains power
- 24/7 secure power supply - generator and/or solar
power!
- All cables secured
- Batteries shall be covered and well ventilated
- Chassis should be grounded
Figure 50 - Radio Room
► Refer to the VHF/HF Base Station Installation Guideline in the flash drive for additional guidance
3.2 MOBILE STATIONS
- Are dependent on high quality installations in order to be efficient and reliable

- Use only original cables, connectors and fuses!
- Make sure that the antenna has a good ground plane (remove paint/rust to ensure good
connection with chassis/roof)
- Adjust the antenna length according to the cutting instructions
- Observe protection of cables and connectors (use rubber grommets)
- Use self-amalgamating tape on all connections
- Make sure the drivers follow up on first line maintenance and that they report to IT on
malfunctions immediately
- All staff must know how to operate a radio; the driver is supposed to drive!
► Refer to the Vehicles installation Guides (Nissan/Toyota) in the flash drive for additional guidance

3.3 GROUNDING SYSTEM
A proper grounding is required for effective radio-communications and lightning protection. It is

mandatory for all radio installations utilizing outdoor antennas for personnel and equipment safety. Both
of these requirements can be achieved by the proper installation of a lightning arrestor on the coaxial
cables prior to entry into the radio room. The lightning arrestors should be installed on the outside of
the building.
In addition to lighting protection on the antenna cables, it is

important to also ground towers/masts and create a
common ground for the radio room.
Grounding and lighting protection is best done by skilled and

experienced experts, such as radio-technicians or
electricians. For more details on grounding and installation
practices, refer to the flash drive or ICTD Emergency Portal.
Figure 51 - Lightning protectors
3.4 ANTENNAS
- Installed on tall building, allows for maximum extended coverage

- Requires 24/7 power supply – often solar power or separate generators
- Good quality, high gain, installed in a tower or mast
- Antenna cable – good quality, low loss
- Try to keep the antenna cable as short as possible
- Lightning arrestor/lighting protector in-line with the antenna cable
- Power supply and batteries should be kept secured but easy accessible to service, if possible.
Figure 52 - Antenna installation best practices

4 GM/GP RADIOS PROGRAMMING
This manual explains how to develop and program Motorola GM/GP series radios, using “select V”, a
5-tones tone-calling and unique identification system.
VHF radios are programmed using configuration files, called “codeplugs”. The process is fairly straight
forward: load the codeplug (a *.cpg file) with a programming software (“CPS”), modify parameters to
the desired configuration (basically Rx/Tx frequencies, signalling code and user ID) and “programming”
(write) it back to a radio.
In standard emergency and regular operations, codeplugs are usually handled by UNDSS or WFP.
Therefore make sure to contact representatives of respective agencies if required.
Note that codeplugs are unique to each radio model (ex: GP360 or GP380) and firmware version
(example: version 5 or version 6). Therefore a GP380 cannot be programmed with a GP360 codeplug,
neither a GP380 with a v.5 firmware can read a codeplug initially designed for GP380 with a v.6
firmware. The procedure described in this document only applies to post-version 6 firmware.
4.1 REQUIREMENTS
Hardware and Software
- A Motorola GP/GM series radio with latest firmware installed (R03.17.01 or above).
- Laptop, with windows 98 or higher. Note: if PC is running Vista or Win7, only 32 Bits will work.
- A programming cable:
o For GP340, GP360 and GP380: RKN4075
o For GM360 and GM380: RKN4081
o For GP388: MDJMKN4123 in conjunction with RLN4008
- A USB to RS232 serial adapter.
- Motorola CPS (Customer Programming Software) for "Professional GP300/GM300 Series CPS"
software. (Software version R03.11.16 or higher is recommended).
- A standard radio codeplug according to the model of the radio.
- (optional) Firmware files for upgrading old hardware to latest Firmware.
From a computer, connect the programming cable to your computer via a serial to USB adapter (drivers
should have been installed). If using a GP3xx radios, remove the plastic cover located on the right side
of the radio and connect the programming cable. Insert the locking screw gently but firmly. Turn on the
radio.
If using GM3xx radios, disconnect the microphone plug and connect the appropriate programming cable
to the RJ45 socket and turn on the radio.
Launch the CPS software and load the Codeplug by clicking [Open] and search for the (standard)
codeplug file (Example: GP380_Nyala.cpg).

4.3 CPS SOFTWARE OVERVIEW
The Motorola CPS is a typical windows-based software which supports typical windows-commands:
copy, paste, file, save, save as, open etc. In addition to this the CPS interface allows for reading and
writing codeplugs to the radio. The software contains a quick access menu bar.
The icons represent: read radio, open file, write to radio,

save file, cut, copy, paste, print, help, itemized help.
(Single left click on icon, and go to the field in the software,
single click and the help file opens for the relevant topic.)
Figure 53 - CPS Menu Bar
On the left of the screen is the tree view. The tree view
expands into following submenus:
- Radio information: Contains serial number, radio
model number, codeplug version and other
information.
- Per Radio: Contains Parameters common to the
whole radio.
- Per channel: Contains channel specific
parameters, frequency, PL codes, display and other
information. Figure 54 - CPS Tree View
- Per Personality: Contains parameters common to
one or more channels.
- Encoder definitions: Contains sequences and telegrams (a part of the select 5 Standard).
- Decoder definitions: Contains decoder specific parameters (part of the select 5 standard).
- Signaling definitions: Contains information about which Select 5 system the radio utilizes.
Once the codeplug has been loaded, following steps should be followed to personalize the radio:
a. Startup b. Contact c. Status d. Per f. Decoder

e. Own ID
Display List Encode Channel Definitions
Figure 55 - Programming Sequence Pre-version 6 codeplugs

a. Modifying the Welcome Message
It is recommended to use the user callsign as startup

display for an easier visual identification of the radio
and its owner:
- Open the “Tree View” by clicking the small [+]
sign.
- Expand the Per Radio tree with the [+], click
[Miscellaneous], and click [Display and Keypad].
- On the “Radio On message” field enter the Figure 56 - CPS Start-up Display
Country name abbreviation and the user
callsign. (Examples: SEN DR 1, SUD NF7.2, GUI CS 4.8.4, C Mobile 123) This adjustment is not
required on the GP340 radio as it does not have an LCD)
- Click [Close].
b. Adding and Importing Contacts
A contact list will allow the user to quickly set the

Select 5 code. For example, an agency in a certain
location. The user now only needs to enter the digits
of the requested callsign in order to make a quick
Figure 57 - CPS Contact Lists
Select 5 call:
- Expand the Contact List tree with [+], click
Contact List – 1.
- Insert the correct identification in the “Alias” field (Examples: GUI CF Conakry, |GUI F Mobile).
- (A maximum of 14 characters can be used).
- Insert the correct sequence in the “Address Book” field (Examples: 140306, 140036).
- Add as many agencies and/or locations as required in the contact list. (A maximum of 255 contacts
can be added).
- Click [Close]
It is also possible to load an existing contact list into the radio. Use the menu bar File, click [Import],
select Contact List and search for the contact list file. This file requires a .txt extension.
c. Status Decode
The status decode list allows a called radio to display the

identification of the caller. Expand the Status Decode tree
with [+], click Status Decode – 1.
- Insert the correct identification in the “Alias” field
(Examples: Base, Head of Office). (A maximum of 5
characters can be used). Figure 58 - CPS Status Decode
- Insert the correct sequence in the “Status” field (Examples: 001, 100. (A maximum of 3 digits can
be used).
- Click [Close].
d. Channel Configuration
Expand the Per Channel tree with [+], click Per Channel

 TX/RX Tab
- TX Frequency: Type the transmit frequency of the

radio for the selected channel. In case of repeater
channel, this is the repeater RX frequency.
- RX Frequency: Type the receive frequency of the
radio for the selected channel. In case of repeater
channel: this is the repeater TX frequency.
- Channel spacing: 12.5 KHz is standard.
- Reference Frequency: Must be set to Automatic.
- Power Level: High is the standard. Figure 59 - CPS Rx/Tx Tab
(Note: If a GM3xx radio base station is located in the same compound as the repeater then the
power level is set to LOW so as to not overpower the repater).
- Adding a New Channel into the Radio: Click in the green plus button located in the bottom
of the window. A new Per Channel page will be added at the end of the Channel List.
- Deleting an Existing Channel: Use the [◄] or [►] buttons to select the channel to be deleted.
Click on the red [X] button.
 Display Tab
Determines information to be displayed when the channel is selected if the alias

box is ticked. The standard is Channel Numbers (Note: The channel number
shown on the radio display could be different from the “Per Channel” page
number). Figure 60 - CPS
Display Tab
 PL/DPL Tab
Encode PL Type
- Select “Disabled” if a carrier squelch is used, or
- Select “PL” if a PL squelch is in use for this channel
Encode PL code
- Select the tone code in use for this channel, normally
141.3 HZ (4A).
- Tick the PL Reverse Burst/DPL TOC box.
Decode PL Type
- Select “Disabled” if no tone squelch is used, or
- Select “PL” if a tone squelch is in use for this channel.
Decode PL Code or Decode DPL Code
Figure 61 - CPS PL/DPL Tab
- Select the PL tone code in use for this channel.

 Miscellaneous Tab
- None of the boxes should be ticked.

- If the current channel uses PL, select “Personality 2”.
- If the current channel uses carrier type, select “Personality 1”.
- Click [Close].
Figure 62 - CPS Misc Tab
e. Setting the radio ID
Go to Per Radio / Miscellaneous / Global and enter

the Radio ID.
The radio ID must match the individual selcal

(select 5). For example: UNICEF ICT Officer in
Bogota (Colombia), Bravo Charlie 8, “150203801”
Figure 63 - CPS Own ID Field

f. Decoder Definitions
- In the tree view, expand the Decoder Definitions

tree with [+].
- Expand the Decoder Definitions tree with [+], click
Decoder Definitions – 1.
- Insert the same select 5 selcal in the “Decoder
Sequence – 1”
- (Note: Group sequence 1 digits 2 to 9 are ticked
and that Decoder sequence 2 matches the string
(A1A2A3A4A5A6S1S2S3). Figure 64 - CPS Decoder Definition
- Click [Close].
g. Writing the Codeplug to the radio
Finally the codeplug can be programmed back into the radio.
- Use the menu bar File and click [Write Device]

- Check if there are no errors in the incompatibility sheet.
- Click [OK].
- Click [Yes].

4.5 RAPID CLONING OF RADIOS
Once a codeplug has been configured according to previous chapter, it’s easy to quickly program
additional radios just by modifying the radio ID, Own ID sequence and decoder definitions.
4.6 UPGRADING CODEPLUGS
4.6.1 Old codeplugs and new radios
Sometimes old codeplugs are not compatible with new radios that are shipped with recent firmware. It
such scenarios, it may be necessary to upgrade codeplugs to later versions. One can upgrade
codeplugs to match a newer radio but not downgrade codeplugs.
4.6.2 Procedure
Open a Codeplug of previous version and perform a File / Export /

Upgrade Codeplug (as illustrated)
The software will give a warning - press Ok. The software will give
you the option of labeling the file with an appropriate name and
which version you want to save the Codeplug in, please select
appropriate version to match your radio!
Figure 65 - CPS Upgrading
Save the file and open it for editing. Codeplugs
5 DM/DP RADIOS ANALOGUE PROGRAMMING
As GP380 is being phased out, only DP and DM series radios will be available for procurement.
Therefore being able to program DP and DM radio series in emergencies is crucial. However, since the
analogue radio park (GP/GM series) is still very important, taking possibly up to 5-10 years to clear,
most repeaters will remain in analogue mode to ensure backward compatibility. It is moreover likely that
digital features will not be implemented in the first months of a response, digital radio network design
and planning being significantly more complex.
Scope: This document focus on how to program a digital radio DP 4801 to use on an analogue network
with SELECT 5 features. The following SEL 5 Features have been tested to be working:
- Radio ID in radio room
- Radio stun
- Radio unstun
- Emergency call using emergency button.
Similarly to GP/GM series, Motorola’s DP/DM digital radios use configuration files called “codeplugs”
(*.cbt). In standard emergency and regular operations, codeplugs are usually handled by UNDSS or
WFP. Therefore make sure to contact representatives of respective agencies if required.

5.1 REQUIREMENTS
Computing Hardware and Software
- A Motorola DP4801 radio with latest firmware (R02.30.13 or above)

- Laptop, with windows 98 or higher. Note: if PC is running Vista or Win7, only 32 Bits will work.
- A USB programming cable (PMKN40128).
- Motorola CPS (Customer Programming Software) for "Mototrbo Series radios" software. (Software
version 10.5 or higher is recommended).
- The standard radio codeplug for DP4801 (see flashdrive or ICTD emergency portal).
- The existing analogue network parameters: simplex / repeater frequencies assigned, squelch type
and PL/DPL code.
From a computer, launch the CPS software and load the Codeplug by clicking [Open] and search for
the (standard) codeplug file (Example: DP4801 - Analogue - Normal User.ctb). Note that the radio does
not need to be plugged to change the codeplug configuration. Make sure the expert view is checked by
thinking the option in the view tab:
Figure 66 - Mototrbo CPS Main Page

5.2 MOTORBO PROGRAMMING SEQUENCE
Once the codeplug has been loaded, following steps should be followed to personalize the radio:
a. Radio b. 5 Tone
c. Channels d. Contacts e. Write
Name & ID Radio ID
Figure 67 - Analogue Programming Sequence for Mototrbo Handsets

Note that step c) and d) may not be required if already integrated in the standard codeplug.
a. Change the Radio Name and Radio ID
From the Tree View (left menu) go to General Settings, change the Radio Name as per standard Call
sign (ex: AC8.2 or Alpha Charlie 8.2) and the Radio ID as the Selcall (ex: 2003802). The radio ID should
not contain the country identifier of the SELECT 5 Feature. One can also modify the welcome image,
however if selected, the radio ID will not show upon startup:
Figure 68 - Motorbo CPS - General Settings
b. Define the 5 Tone radio ID
Still under the General settings, scroll down and edit the
U1U2U3U4U5U6U7U8 sequence under “5 tone Radio
ID”: enter the full select V selcall of the radio.
Figure 69 - Mototrbo CPS - 5 tone Radio ID
c. Create and configure channels
This step is only required if the channels/frequencies require to

be modified.
Open the channel folder from the Tree View and select the
channel named “CH1 – UN” under the “Analogue CH” folder.
One can copy/paste the same channel multiple times to match
the amount of frequencies available in the network (example:
CH1 - security, CH2 - UNICEF talk, CH3 - WFP talk, CH4 - HCR
talk…).
Each channel must be independently configured by entering the

associated Rx/Tx frequencies, the squelch type (note TPL=PL)
and code. Such values are usually defined by the network owner
Figure 70 - Mototrbo CPS - (usualy WFP or DSS).
Configuring channels

Continuing with the channel configuration, make sure that the 5
tone decode telegrams has been added to the list, for each newly
created channel.
Figure 71 - Mototrbo CPS - Decode Telegrams
d. Adding Contacts
Analog call allows the radio to communicate with another radio using pre-saved contacts. The user
builds an analog call list by creating new call members under the Contact / 5 Tone folder. A call member
is an entry that contains the Contact name and address (unique ID of another radio = selcal). The user
may access this list via a short or long programmable button press (Button Features - Contacts) or
access the Contacts menu.
Go to the Contact folder in the Tree View and Right-click the 5 tone folder. Select Add->5 Tone Call. A
new member is inserted at the end of the folder list. The user may rename it and enter the individual
address. Valid characters are alphanumeric, spaces and special characters. An empty string cannot be
used for a name. Also make sure the telegram “Tel3” is selected:
Figure 72 - Mototrbo CPS - Adding Contacts
e. Writing the codeplug to the radio
Connect the USB programming cable to Handheld and computer. Power on the Handheld. The
computer will establish a private LAN connectivity with the handheld. Wait for that step to be finished.
Once done, simply type on the “write” icon in the tool bar.
------------------------------------ END OF CHAPTER 3 ------------------------------------

CHAPTER 4
MOBILE SATELLITE SERVICES (MSS)
MOBILE SATELLITE SERVICES (MSS) 79

1 INTRODUCTION TO MOBILE SATELLITE SERVICES
Mobile satellite services (MSS) refers to networks of communications satellites intended for use with
mobile wireless telephones, data communications and geo-positioning (GPS). Such devices – aside
from the GPS - work similarly to mobile phones, communicating wirelessly with antenna relays that
are themselves connected via fiber optics to the Internet and public switched telephone network
(PSTN). However, instead of using terrestrial antennas, MSS devises use network of satellites
(antenna relay) that retransmit the signal to satellite Land Earth Stations, which themselves are
connected to the Internet and PSTN.
UNICEF globally uses an estimated amount of 1,000 satellite handsets and around 250 satellite data
modems. Since such devices are not linked to national terrestrial networks, they have been the main
choice of communication when national infrastructure is either not available (remote areas), disrupted
(natural disaster, conflicts) or controlled (censorship, monitoring).
There are 3 major players in the mobile satellite market:
1.1 INMARSAT
Inmarsat is the leading mobile satellite service company. Based in London, UK, it maintains a global
satellite internet and telephony network using portable terminals. The company is famous for
developing market flagship such as the BGAN, the IsatPhone and the - now discontinued - Mini-M,
GAN M4 and RBGAN. Terminals can connect to the Internet and can make phone calls from
anywhere in the world, making popular tools for humanitarian responders.
Another advantage of Inmarsat equipment for emergency response when compared to other satellite
systems (such as VSAT) is that terminals are portable and can be easily set up by anyone. Devices
work on the L-band (Rx=1,525-1,559 Mhz, Tx=1,626-1,660 Mhz) which make them very resistant to
fading caused by precipitation, dust-storms and other similar phenomena known to traditional larger
satellite systems utilizing Ku or Ka bands.
1.1.1 Coverage
Inmarsat has launched around 20 satellites since

1976. All of them being in a geosynchronous orbit,
they cover all parts of the world except for Polar
Regions. The actual generation used for mobile
satcoms (Inmarsat-4 or I4) is among the largest and
most powerful commercial satellites ever designed,
covering the Indian Ocean Region (IOR 64 East), the
Atlantic Ocean Region West (AOR-W 53 West) and
the Pacific Ocean Region (POR 178 East).
In 2016, Inmarsat launched its 5th generation satellite

service deployment (Global X-Press). These
satellites however won't provide services in the L
band but in the Ka band, terminal antennas will be Figure 73 - Inmarsat's I-4 Constellation

parabolic and modems run under the iDirect platform. Hence the Global X-Press is considered more
as fixed-service (VSAT) than a mobile service, despite having small and portable antennas.
1.1.2 Network
Inmarsat operate Land Earth Stations (or "Satellite Access Stations"), located in Hawaii, Holland and
Italy, to manage the satellite networks and BGAN terminals. Inmarsat then uses "Distribution
Partners", or DPs, (see the full list here) from which users can access the public internet, the
international public switched telephone network (PSTN), and the international cell phone network. It
also caters for Virtual Private Networks (VPN) in order to have secure links to corporate applications
from the field (with a BGAN terminal). DPs handle the billing, end-user clients never directly
interacting with Inmarsat. The following diagram shows how the BGAN service work and the
demarcation lines between Inmarsat, DPs and end-user:
Figure 74 - Inmarsat's BGAN Network Infrastructure
1.1.3 Services
Services offered with the Inmarsat network are presently:
- Background IP “always on” public internet (BIP) with theoretical maximum shared bandwidth 492
kbps, in practice 150-240 kbps. It serves most browsing and emailing requirements;
- Streaming (32/64/128/256/384/450kbps) on demand with dedicated bandwidth (1:1) charged per
minute connected. Used especially for media applications and live video transmissions;
- High Data Rates (HDR), only available with the BGAN 710, are 4 symmetric and asymmetric
streaming rates (325x325, 64x325, 64x650, 650x650 kbps);
- 64 kbps ISDN for “high quality” voice service, 4 kbps telephony and facsimile service;
- Public IP address available on demand.

1.2 IRIDIUM
Iridium Satellite LLC is a private company based in USA, which offers voice, data, fax, short
messaging services (SMS) and paging services via satellite from portable handheld terminals
worldwide. Iridium is the only mobile satellite services system with complete global coverage. Users
can place phone calls via the satellite network to/from any international fixed line, cell phone or other
satellite phones.
1.2.1 Coverage
Figure 75 - Iridium's LEO Constellation
Iridium has true global coverage. The network
comprises of 66 satellites, all in a Low Earth Orbit
(LEO) 780km above the earth’s surface. The satellites
orbit from pole to pole (polar orbit) with an orbit time of
approximately 100 minutes. Transfer of user
connection from one satellite to the other is performed
through inter-satellite cross links operating at 10 Mbps.
Each satellite can have 4 cross links operating
simultaneously.
The LEO configuration – and subsequently the short distance between satellites and users on
ground - offers little signal path delays, and the terminals can operate with relatively low signal
power levels for increased battery life-time. The inter-satellite links also lower costs for terminal to
terminal calls, as terrestrial gateways and networks are not utilized for that purpose.
1.2.2 Network
Figure 76 - Iridium Network

On the ground, Iridium’s network includes gateways in Arizona and Alaska; a satellite network
operations center in Virginia; a technical support center in Arizona; and four tracking, telemetry and
control stations in Canada, Alaska, Norway and Arizona - all interconnected by advanced fiber-optic
and broadband satellite links. As with the satellite constellation, the ground infrastructure is designed
with resiliency, permitting voice and data traffic, as well as satellite backhaul data links, to be rerouted
as needed.
1.2.3 Services
Services offered from Iridium are presently:
- Voice communications with handhelds or fixed terminals

- Short message service (SMS) with maximum 160 characters
- 2.4kbps (Iridium claim up to 9.6kbps for their compressed direct internet through special
software) circuit switched data & fax
- Emails through an SMS gateway received as SMS
- Unanswered call indicator
Note that circuit switched data (2.4/9.6kbps) provides only limited capacity for emailing/web-
browsing, and would normally be regarded as a last resort. Field tests came back unsuccessful most
of the time.
1.3 THURAYA
Thuraya is a regional satellite phone provider, with service in CEE/CIS, WCARO, ESARO (excluding
South Africa, Lesotho, Swaziland; not recommended in Namibia, Botswana, Zimbabwe,
Mozambique, Comoros and Madagascar), MENA, ROSA and EAPRO. The company is the main
competitor for Inmarsat in both the mobile satellite service. It is based in the United Arab Emirates
and distributes its products and service through authorized service providers. As long as the user is
within the coverage area, Thuraya offers satellite connectivity, including voice, data (9.6kbps to
444kbps), fax, SMS and GPS.
1.3.1 Coverage
Thuraya operates two geostationary satellites in

their space segment. Those were launched in June
2003 (Thuraya-2, 25° East) and January 2008
(Thuraya-3, 154° West). Their geosynchronous orbit
makes them appear at a fixed point above the earth
from the users’ perspective. Because Thuraya does
not have a satellite over the Americas, it's service is
not accessible to countries in the LACRO region (as
of 2014).
Figure 77 - Thuraya Coverage
1.3.2 Network
The Thuraya network is very similar to the other MSS or conventional satellite networks. A GEO
satellite, which constitutes the Space Segment, is operated and managed by a ground network
known as the "Ground Segment" (equivalent to the LES in VSAT terminology or SAS by Inmarsat's).
The Ground Segment includes the satellite operation Centre (in Sharjah, UAE), which monitors and

controls satellite movement, ensuring the overall and on-going maintenance of satellites in geo-
synchronous orbit. The User Segment comprises the user terminals which enables subscribers to
interface with the satellite system and obtain network access:
Figure 78 - Thuraya Land Network Infrastructure
1.3.3 Services
- Services offered with the Thuraya network are presently:

- Voice communications with handhelds terminals or smartphone (with adapter)
- Short message service (SMS) with maximum 160 characters
- 9.6 kbps of circuit switched data & fax
- 60 kbps GmPRS data (limited usage)
- 444 Kbps data with the notebook-sized data modem (Thuraya IP/IP+)
- GPS is supported by handhelds and terminals
- A number of value-added services, such as news, call back, call waiting, missed calls, voicemail,
WAP, etc.
As the most commonly used service; voice over satellite is on average US$ 0.60-0.70 to other
Thuraya phones, and US$ 0.80-1.50 for calls made to land lines, cell phones and other satellite
phones, dependent on destination party. Detailed pricing is available in the LTA, Thuraya often
providers a cheaper monthly subscription than Inmarsat or Iridium but its usage is slightly higher.
Circuit switched and GmPRS data services provide very limited capacity for emailing/web-browsing,
and would normally be regarded as a very last resort. Most of the field tests came out with negative
comments and a Thuraya handheld should therefore be regarded as a voice terminal. For most
users, Thuraya IP or IP+ would be the best alternative in terms of data connectivity.

2 HARDWARE AND SERVICE STANDARDS
Global standard for Mobile satellite equipment are based on field proven design, functionalities,
sturdiness and support availability. Standardization facilitates the negotiation of Long Term
Agreements (LTA) with equipment and service resellers, allowing for competitive pricing, continuous
and immediate service and support, training and pre-stock (quick delivery) for rapid deployment.
2.1 HARDWARE SELECTION CRITERIA
As of writing, standards equipment for mobile satellite equipment are:
- Inmarsat voice and data modems: BGAN Explorer 510 and 710 models
- Inmarsat voice handsets: IsatPhone 2
- Thuraya data modems: Thuraya IP+
- Thuraya voice handsets: Thuraya XT Pro, XT Lite and SatSleeve
- Iridium voice handset: Iridium 9555 and Extreme
Most voice handset come with multiple accessories such as docking stations for bases or vehicles,
solar panels, external antennas.
Main criteria when selecting a terminal are:
1. The intended usage: voice / data, emergency response / business continuity, individual / team;
2. The service geographic coverage: for example, offices in Americas do not have Thuraya coverage;
3. The hardware and service pricing;
Following table is intended to guide offices when procuring a terminal based on its intended usage:
Small Large
Field Staff Radio
Equipment Cost $ Data Voice office office
Trip (BCP) Room
(BCP) (BCP)
BGAN 510 1,920
BGAN 710 5,185
Thuraya IP+ 2,625
Isatphone 2 720
Iridium 9555 980

Iridium Extreme 1,200
Thuraya XT Lite 455
Thuraya XT Pro 750
SatSleeve 600
Table 7 - MSS Terminals Applications to UNICEF

The following table lists pros and cons of each terminals:
Terminal Pros Cons

Combines both voice and data services. Geo- Expensive. Needs to be closely monitored
BGAN
stationary satellites, global coverage. Ease of when used due to high usage costs (~5$ /
510 / 710
use, smartphone apps, rugged, wide support. MB). Slow data rates (20/30 KBps).
Aggressive pricing for service plans: no
Thuraya No global coverage. No voice service. Slow
monthly fee and advantageous long term
IP+ data rates (20 KBps).
high-volume plan (30GB for ~$2,300/m).
Geo-stationary (fixed) satellites, global
Isatphone coverage. Long battery life. Strong antenna
Imposing size.
2 sensitivity provides excellent overall voice
quality. Rugged.
Roaming LEO satellites can occasionally
Iridium
Global coverage. Rugged “voice only” trigger a cut in the communication if no hand-
9555 &
terminal available (Extreme). No voice delay. over is available. Higher terminal and service
Extreme
costs.
Most friendly terminal to use. Elegant design,
smallest and lightest form factor. Most
Thuraya
complete line of accessories (docking Partial coverage
XT Pro
stations, iPhone/Galaxy sleeves, indoor
repeaters). Cheapest terminals and service.
Convert smartphones (iPhone / Galaxy) into a
satellite phone. Same advantages as the XT.
Thuraya Same as the XT. Cannot be used without a
Immediate access to phone contact list
Satsleeve smartphone.
(phone, email). Extends smartphone battery
life.
Table 8 - MSS Terminals Pro & Cons
2.2 HARDWARE STANDARDS
2.2.1 Data Terminals
In theory all mobile satellite terminals, including satellite phones, have data capacity. This chapter
focuses on terminals that can be used by one to multiple responders in an emergency office
environment. The segment has been dominated by Inmarsat since its flagship BGAN product was
released in 2005 but was lately challenged by Thuraya, which IP+ offers similar services at a more
competitive pricing.
Mobile data terminals are flexible enough to suit different operational needs. Terminals combine
voice telephony (BGAN only) and up to 492 kbps connectivity (~20-30KB/s in practice); they can
easily be connected to a laptop or smartphone/tablet (USB/Bluetooth/Wifi), or to the office network.
UNICEF standardizes on Cobham (previously Thrane & Thrane) devices for the BGAN service and
on Hughes for the Thuraya IP+ service.
There are also specific BGAN/Thuraya models that can be mounted on a vehicle but which will not
be detailed in this handbook. Similarly, satellite phones having extremely low data rates (unusable
in an office environment), they will not be considered as “data” terminals.

The following table compares all Inmarsat standard equipment:
BGAN 510 BGAN 710

Model Thuraya IP+
(Cobham Explorer 510) (Cobham Explorer 710)
Network Inmarsat Inmarsat Thuraya
Price $1,920 $4,895 $2,600
Size (mm) 202x202x52 332x279x54 216x216x45
Weight 1.4 Kg 3.2 Kg 1.4 Kg
Data Speed (U/D) 464/448 Kbps* 492/492 Kbps* 444/202 Kbps*
Streaming Up 128 Kbps Up to 650 Kbps Up to 384 Kbps

4 kbps 4 kbps
Voice N/A
ISDN ISDN
SIP server Yes Yes No
Interfaces USB RJ11, 2x Ethernet, USB Ethernet
Wireless Wifi, Bluetooth Wifi, Bluetooth Wifi
External Antenna No Yes No
Protection IP54 IP52+IP66 IP55
* shared channels, in practice, divide the speed by 2

Table 9 – Data terminals specs
When procured, terminal include power adapter, international adapter kit, car charger, carry case,
cables, software and manuals. Accessories such as solar panels and their voltage limiter, docking
stations, wall mount kits and coaxial cable for longer antenna runs should be procured separately.
2.2.2 Voice Terminals
This chapter covers standard satellite phones aimed at providing voice telephony. The segment is
occupied by the 3x providers named earlier, each having advantages and disadvantages as covered
is paragraph 2.1.
Inmarsat's service is called the IsatPhone. In addition to voice, the terminal come with a variety of
data capabilities, including SMS, short message emailing, GPS look-up-and-send, and a limited
Internet service of up to 20kbit/s (~2.5KB/s). Thuraya’s lineup includes the Thuraya XT Pro/Lite and
the Satsleeve, which is adapter that can be fixed to a smartphone (IOS or Android), converting it into
a satellite phone. Last Iridium equipment consists of 2x voice handset’s model (9555/Extreme). The
following table compares all model’s features:

Inmarsat Thuraya Thuraya Thuraya Iridium Iridium
Model
IsatPhone 2 XT Pro XT Lite Satsleeve 9555 Extreme
Price ($) 700 750 455 465 945 1,200
Size (mm) 169x52x75 128x53x27 128x53x27 138x69x20 170x54x39 169x52x29
Weight (Kg) 0.318 0.212 0.186 0.171 0.266 0.254
Data (Kbps) ~20 ~60/15 N/A ~60/15 2/10 2/10
GPS Yes Yes No Yes Yes Yes
Interfaces USB USB USB N/A USB USB
Wireless Bluetooth N/A N/A BluetoothWifi N/A N/A
Protection IP65 IP54 N/A N/A IP54 IP65
Table 10 – Voice Equipment Specs
Satellite phones cannot be used indoors or inside vehicles unless attaching them to docking stations
and external antennas (for example the FDU-XT or SAT-VDS for the Thuraya XT PRO). Thuraya
also offers an indoor repeaters that can extend the coverage to inside buildings, even with non-line
of sight.
2.3 SIM CARDS AND COMMISSIONING
All mobile satellite terminal integrate a Subscriber Identity Module (SIM), which is a small card
containing a separate and unique identity. When the card is inserted into a MSS terminal, it adopts
the identity of the card. Thus all data and voice services made over the terminal will be billed to the
SIM card, and not to the phone itself. This can facilitate usage control in an environment where many
users share a terminal, or if one wants to be able to utilize different terminals but maintain one identity
or when a terminal stops functioning, it makes it easy to switch the SIM to another one.
SIM card purchases and activations are not done directly through the MSS service providers but to
distribution partners. These are telecommunications companies who provide an interface between
the service provider and end user. As of writing, UNICEF’s distribution partner handling all MSS
terminal activations is IEC Telecoms. Usually MSS terminals are not locked from the supplier to a
specific distribution partner, hence SIM cards from different distribution partners can be used with
the same terminal.
The SIM card requires an activation from the distribution partner before it can be used. Depending
on distribution partners, this can be done by login to the billing portal (for example, IEC Telecoms
uses OptiSIM) and selecting the desired service plan in the interface. Alternatively SIM cards can
also be activated by calling the distribution partner help desk and providing the SIM card number.
Activations usually take 2 hours before being effective.
2.4 SERVICE PLANS

MSS billing is similar to conventional mobile phones plans. When selecting a mobile phone, aside
from the equipment cost, one also needs to consider a service plan. MSS Plans usually include
Monthly Recurring Costs (MRC), monthly or yearly allowances (= “free” MB and minutes), in addition
to the usage (air-time) fees per MB or minutes. Therefore the total cost for an MSS device is:
MSS = Equipment cost + MRC + [usage (minutes and MBs) - allowance]
2.4.1 Postpaid Plans
With Postpaid plans, offices are billed per use of services at the end of each month. In such situation,
there is typically no limit on use of services, therefore the office must implement some cost control
mechanism (spending limit, alerts, content blockage…). In some cases, SIM card activation have a
one-time fee (OTC) and a monthly recurring cost (MRC).
Postpaid plans are recommended for the majority of offices, especially in countries with "high" and
"very high" risks profiles according to the InfoRM index (see chapter 1). The following table compares
postpaid plans pricing for the standard satellite equipment:
Usage
OTC MRC Allowance
Cellular Landline Internet
($) $/month ($/month)
($/min) ($/min) ($/MB)
BGAN 35 51 0.8 0.6 4.5 22
Thuraya IP+ 27 0 N/A N/A 4 0
IsatPhone 0 31 0.7 0.65 N/A 10
Thuraya XT/Satsleeve 0 16 1.2 1.2 N/A 0
Iridium 0 38 0.9 0.9 N/A 0
Table 11 - MSS Postpaid Plans
For example, an office using 100MB of data and 120 hours of calls to cellphone with BGAN for a
month would be charged 100 x 4.5 + 120 x 0.8 + 51 – 22 = $575.
2.4.2 Prepaid Plans
Prepaid Plans are plans which credit, or voucher, is purchased in advance of service use. The credit
pays for voice and/or data services when the devise is utilized. If there is no available credit left, then
service is denied. Usage costs are 30-40% higher when compared to postpaid plans. Such plans are
not recommended unless the office has a low InfoRM risk profile index (see chapter 1).
Plan Max Allowance Equivalent Usage Costs

Validity
Cost Cellular Landline Internet Cellular Landline Internet
(months)
($) (min) (min) (MB) ($/min) ($/min) ($/MB)
270 6 225 270 30
BGAN 1.2 1 9
530 12 440 530 59
40 1 30
IsatPhone 75 3 60 1.3 1.3 N/A
375 12 290
110 1 75 N/A
Iridium 1.45 1.45 N/A
575 12 500
50 12 75
Thuraya XT 100 12 150 1.5 1.5 N/A
200 12 300
Figure 79 - MSS Prepaid plans

2.4.3 Humanitarian SCAP Plans
Humanitarian SCAP (Shared Corporate Allowance Plans) plans have been introduced by Inmarsat
in 2011 with the objective of reducing costs for NGOs/UN organizations operating multiple BGANs
terminal s. The idea behind the SCAP is to share a common credit pool between multiple SIM cards
(5, 10, 15, 20...).
The plan can bring significant savings to large organizations SCAP 20 SIM Bundle Costs in USD
centralizing MSS payments or management. For 1 Yearly subscription fee 3450
decentralized organizations (such as UNICEF), it’s relevant 2 Yearly allowance 1950
only to country offices requiring at least 5 BGAN devises. An 3 Internet ($/MB) 5
example of pricing is available in table 12 for a 20 SIM card 4 Calls to PSTN ($/min) 0.82
bundle. The longer the plan (1, 2 or 3 years options) the
Table 12 - Humanitarian SCAP Plans
cheaper the subscription.
2.4.4 High Volume Data Usage Plans
Both Thuraya and Inmarsat propose high volume or unlimited data plans for their BGAN (700/710)
and IP+. Those plans are recommended for offices using those devices as primary connectivity link
as there is no usage costs:
- BGAN Standard + is a postpaid plan which charges vary based on the monthly usage, ranging from
$51 (for less than 5MB usage) to $3,450 per month (between 10GB and 30GB usage).
- BGAN Unlimited is a prepaid 1 month plan providing 30GB at full speed and a 128 Kbps throttling
beyond. Plan costs $4,195 and is to be renewed on a monthly basis.
- Thuraya’s high volume data plan for the IP/IP+ is similar to the BGAN unlimited as it includes 30GB
and throttling to 144 Kbps beyond. Plan costs $2,650 and is to be renewed on a monthly basis.
2.5 SERVICE LEVEL AGREEMENTS (SLA)
The satellite service-level agreement (SLA) specifies what quality of service the network providers
(Inmarsat, Thuraya and Iridium) and distribution partner (IEC Telecoms, Telespazio, Marlink…) will
guarantee to the end user.
2.5.1 Satellite Network SLA
There are 2 mains SLA indicators when considering mobile satellite services:
- Network availability: measured in percent and calculated from the total outage (minutes) in each
calendar month as opposed to the total minutes in month.
- Service quality / Call success ratio: For voice, the call success ratio is defined as the ratio of calls
successfully completed to call attempts.
INMARSAT
# Measurable value Target value
1 Inmarsat availability (BGAN/Isatphone) 99.9% availability
2 Inmarsat call success ratio (BGAN/Isatphone) 95% success
THURAYA
3 Thuraya availability for voice and SMS services 94% availability
4 Thuraya call success ratio for voice and SMS services 94% availability
5 Thuraya availability IP services 94% success
IRIDIUM
6 Iridium call success ratio (9555/Extreme) Best effort
Table 13 - MSS Network SLA

2.5.2 Support SLA (Distribution Partner)
In addition, a support service-level should be provided by the mobile satellite distribution partner.
These are measurable values that shall reflect the distribution partner obligations towards the client
for the provision of:
- Access to SIM card management, billing and customer support portals

- Delivery of equipment
- Activation, deactivations and reactivations of Services
- Invoicing and Payment

1 Portal - number of minutes down per year 0 – 432 minutes max (99%)
2 Average resolution time for help desk queries:
- High priority queries < 1 hour
- Normal priority queries < 1 day
- Minor priority queries < 3 days
3 Delivery of Equipment <10 working days
<48 hours emergency orders
4 Activation, deactivation, reactivations of services < 30 min (95%)
< 90 min (100%)
5 Amount of inaccurate invoices reported <1%
Table 14 - Distribution Partner SLA
2.6 CONSIDERATIONS WHEN USING MSS TERMINALS FOR BCP AND EPRP
As critical operational (SAP, Office365, Sky for Business...) and program oriented applications (donor
reporting, ICT4D projects...) are increasingly dependent on a fast and reliable access to the Internet,
there are important limitations when considering BGANs or Thuraya IPs as the tool of last resort for
Internet access in emergency response or for business continuity:
1. As with all geosynchronous satellite connections, latency is an issue. Common latency is 1–1.5
seconds round trip for the Background IP service. SAP and DirectAccess for example are
sensitive to latency and will not perform well.
2. Inmarsat and Thuraya classify their data as "broadband". It is important to clarify that since these
terminals use shared channels, in practice the bandwidth fluctuates from 160 to 240 kbps.
Nowadays such value is considered as very little in comparison to conventional terrestrial
services.
3. Standard services charge per usage. 1MB usually equals $4.5. Putting this in perspective,
considering that the "normal" daily traffic for an office of 15 people totals 1GB, the resulting bill
would be equivalent to $4,500 per day or $135,000 per months! As for the streaming service,
considering a 256kbps dedicated connection valued at $11.5/minute, a permanent 24 hour
connection would result in a $16,560 per day bill!
There is unfortunately no remedy to leverage such drawbacks. If there is no other options but to use
a BGAN or Thuraya IP, UNICEF recommends to apply following tips:
- If a BGAN or Thuraya IP is required for a long time (more than 1 month), it is recommended to
switch from postpaid to high volume data usage plans. By doing so, the office will save thousands
of dollars every month. (see chapter 2.4.4)
- If the link is shared (LAN or WiFi), educate responders to limit usage to email, preferably using
a webmail client rather than local client (which usually downloads attachment by default).
- Limit applications by blocking specific ports, for example email only could be enabled.

- Assign 1 or 2 laptop that would be shared between users.
- Cloud syncing solutions such as OneDrive/Dropbox, antivirus update, Windows updates and
other popular sites such as facebook or youtube should be banned.
- Skype type VoIP communications should be banned, use satphones or a BGAN handset instead.
- Latency performance can be slightly improved by using the TCP accelerator software
(downloadable on Inmarsat's website).
- Compress pictures before sending. Same applies to videos. Upload large files using an FTP
software that can resume uploads and start uploads during the night.
- Do not consider streaming as an alternative to standard data for permanent links. It may faster
but since it charges per minute, one can end up jeopardizing an operation, hence the service is
deactivated by default on UNICEF terminals. Streaming should only be considered for temporary
requirements such as live coverage from the field or video-conferencing with VIPs.
- Always monitor the BGAN link usage on a daily basis by extracting the logs in the terminal and
calculating the data (MB) and call (min) amount. In addition, the distribution partner should have
a portal where one can set alert triggers when a pre-determined amount of MB is reached.

3 DEPLOYING MSS TERMINALS
3.1 INMARSAT’S BGAN
3.1.1 Basic BGAN Configuration
SIM Verification & powering on
The SIM card is provided by the airtime provider. Make sure that the SIM card is positioned correctly
and press gently until it clicks. Slide the lock to close the SIM slot. You can now power on the
terminal. Push the power button next to the display and hold it down until the green Power indicator
lights up.
Pointing the antenna
In order to obtain the best possible signal at the lowest possible time, it is
important that the BGAN antenna is pointed correctly toward the Inmarsat satellite
(See Inmarsat I-4 coverage map). The antenna must have a clear line of sight to
the satellite without any obstacles blocking the signal, and the pointing direction Figure 80 - MSS
of the antenna should be as accurate as possible. pointing
As a rule of thumb, the signal strength should typically be 45 dBHz or more for the BGAN to be able
to establish a call or data session. To obtain the maximum signal strength, the BGAN uses a sound
that indicates the signal strength during pointing. The frequency of the tone increases with the signal
strength. When the maximum signal is reached, press OK on the keypad. The BGAN now tries to
register to the network.
Registering with the network
The LCD display shows the progress as follows:

- SEARCHING: The BGAN searches for the network operator. Note that the search procedure
can be very short, so you may not see this text.
- REGISTERING: The BGAN is registering itself on the network. If the GPS position has not yet
been acquired at this point, the display will show NO GPS. The GPS status can be checked in
Menu > Properties > GPS status.
- READY or DATA ACTIVE: READY means the BGAN is registered on the network and is ready
to go online. If you have already connected a computer, the display shows DATA ACTIVE.
Placing and receiving voice calls
Analogue or Bluetooth handsets (BGAN 500/700) must be connected to the phone/fax interface of
the BGAN. Alternatively, any SIP client (hardware or software based) can be registered with the
terminal (BGAN 510/700/710) and issue voice calls (see advance BGAN configuration).
To make a call, dial:

00 <country code> <phone number> followed by #.
To receive incoming calls, correspondents should dial

00 870 <BGAN subscriber number>.

Connecting the Computer to a BGAN
Any BGAN terminal integrates a DHCP server, therefore a laptop connected to the BGAN LAN port
will automatically receive IP parameters, as far it’s been configured accordingly.
When connected, the laptop should obtain a private IP address in the 192.168.0.0/24 range. This
information can be checked by opening the command prompt (start->run->cmd) and typing “ipconfig
/all”).
Creating a Standard data connection via Inmarsat’s Launchpad
This step implies Inmarsat’s LaunchPad software has been previously installed in the computer.
Once launched the software should look and find automatically the BGAN terminal (does not applies
to the BGAN 710) and redirect the user to the default screen.
The default screen provides information about the

battery level, location on the map, the BGAN
model, the signal strength and the status of the
connection.
By default, BGAN LaunchPad opens a standard IP

data connection after successful registration. The
status zone should read “Standard Data
Connection Open. Ready for Phone, Text and
Data”. At this stage, the terminal should be able to
browse the Internet.
The automatic connection feature can be disabled

by Selecting BGAN Services > LaunchPad Figure 81 - Inmarsat Launchpad - Dashboard
Automatic Connection from the BGAN LaunchPad
main menu and uncheck the box. Alternatively the standard data connection can also be configured
to be automatically created once the terminal has been registered to the network, hence removing
the need for the Launchpad software.
The standard connection is an always-on, best effort connection and is suitable for most basic data
applications. It is charged by the amount of data sent and received.
Creating a streaming data connection via Inmarsat’s launchpad
Form the default Launchpad screen, click on the “data” icon:
If the standard connection is open, the

words “Disconnect Standard” are displayed
below the connection icon. If the standard
connection is closed, the words “Connect
Standard” are displayed below the
connection icon. Click on the icon to open
any streaming connection (warning: heavy
fee applies when using streaming). Figure 82 - Inmarsat Launchpad - Connection control

3.1.2 Advanced BGAN Configuration (500/510/700 models)
Most of the features described below are enabled from the BGAN web GUI. In order to access the
GUI, make sure the terminal is connected and browse to its IP address http://192.168.0.1. The web-
GUI illustrated in this chapter is from a BGAN 700. The web-GUI of the BGAN 510 and 710 has quite
a different look but the menus and rationale instructed below applies equally to all terminals.
Monitoring usage costs, exporting call logs
This feature is possible either using the Web-GUI of the

BGAN or Inmarsat’s Launchpad and when knowing the
billing detail for the subscribed voice and data services.
The device can track the usage and automatically calculate
the charges for all calls and data sessions:
- From the left navigation pane, select “Administration” Figure 83 – BGAN Usage Calculation
(user/pass is admin/1234) and “Call charges”
- Select the currency from the “Currency” drop-down list.
- Enter the pricing for each of the services and validate.
- From the main left menu, select “Calls” to view the overall usage and related costs. A detailed
call log can also be exported from this menu.
Setting up data limits
Although not recommended in an emergency, one can

implement a limit or cap for the amount of data that can be
transferred over a BGAN. Administrators specify a maximum
number of MB for the standard data connection, once the
entered limit is reached, the connection is automatically
stopped. This could be useful to avoid accidental high data
usage: Figure 84 – BGAN Data Limits
- From the left navigation pane click on the “Administration” link (user/pass is admin/1234), select
“Data limits”.
- For Standard data type in the number of megabytes (MB) allowed.
- Click “Apply” to save the settings.
Restricted dialing
Another measure to limit accidental usage of a

BGAN terminal, the administrator can restrict out-
going calls to a specific list of allowed phone
numbers only. To setup the terminal for restricted
dialing:
Figure 85 - BGAN Call Restrictions
- From the left navigation pane, select
“Administration” (user/pass is admin/1234)
- Go to “Restricted dialing”.
- Select whether restricted dialing should be “Enabled” or “Disabled”.
- Type in the allowed numbers or masks in the entry fields.

The numbers or masks must be max. 32 digits and may start with +. No other special characters are
allowed. A mask is the first part of a phone number, and it covers all numbers that start with that first
part.
Port based traffic filtering
BGAN Explorer models include a basic port

filtering service, enabling or disabling
specific traffic to go through. For example, an
administrator could allow only email traffic by
opening ports for POP3, IMAP and SMTP
while HTTP browsing would be disabled.
This option can be useful to limit costs and
bandwidth congestion and prevent
unnecessary traffic (ex: windows or antivirus Figure 86 - BGAN Traffic Filtering
updates) when a BGAN is shared among a
large number of users:
- From the Web GUI (http://192.168.0.1), select the “Administration” menu (user/pass is
admin/1234)
- Select the “Traffic flow filters” menu and create a new entry
- Enter the authorized ports in the “Source Port Range” section as above. A best practice is to
block all traffic first and then authorize specific ports one by one (example port 110 for POP3
email).
Improving TCP based applications performance using an accelerator
Inmarsat has released a software TCP Accelerator that can be

installed on a BGAN user’s computer and significantly enhance
performance when sending TCP traffic over BGAN. Since latency on
MSS networks is very long (~1s), some TCP based solutions tend to
time-out before receiving the answer. Once installed, enabling or
disabling the TCP accelerator can be done from Inmarsat’s Launchpad Figure 87 - BGAN TCP
software, select “BGAN Services” > “TCP Accelerator”. Accelerator
Upgrading the firmware
It is recommended to keep BGAN terminals with the latest firmware as these often introduce new
functionalities and solve bugs. Firmware can be downloaded from Inmarsat’s portal and uploaded to
the terminal using its web GUI:
- The BGAN terminal should be switched on
and connected to a PC via Ethernet.
- Access the Web GUI using a web-browser by
entering address http://192.168.0.1
- Select “Settings” and “Upload”
- Select “Browse”, locate the file “*.dl” and
“Open”. Figure 88 - BGAN Firmware Update
- Choose “Upload” and verify that the upload is
in progress.
- Select again the address http://192.168.0.1 and verify the software version at “Dashboard”.

Factory reset via AT commands
This action can be helpful if your terminal becomes irresponsive or when having difficulties registering
following a change of service provider. Connect a laptop to the BGAN using the Ethernet interface.
- Open a command prompt (start->run->cmd)
- Run: telnet 192.168.0.1 5454
- Write the following at-command: ‘at+cmar=1234’
- Response from the AT should be ‘OK’
- The BGAN will reboot and reset all settings to factory default.
Configuring a BGAN as a WIFI hotspot
This procedure only applies to the BGAN 510, 700 and 710 models.
These model can act as WIFI routers, making it easier for users to
share the access. Attention is recommended though since this would
possibly trigger an increase in traffic and as a result expensive usage
charges. To enable the Wi-Fi service of the BGAN 700:
- Connect your computer to the BGAN 700 using the Ethernet
cable
- Browse to the Web GUI (http://192.168.0.1)
- Go to “Settings” > ”WLAN”
- Enable the WLAN interface
- Select the Country code for your present location
- Select any channel number
- Enable “Broadcast SSID”
- Select the WLAN mode “802.11b/g”
Figure 89 - BGAN WiFi
- Secure your WLAN access using a WPA-2-AES encryption key Configuration
- Click “Apply” and reboot the device.
Enabling SIP clients (PC, smartphone) to issue calls through the BGAN
This procedure only applies to the BGAN 510, 700 and 710 models. These models can act as SIP
servers, registering SIP clients installed on Smartphones or PCs, making it easier for users to dial
from anywhere in the office. Up to 16 SIP clients can be registered this way, note however that only
one client can issue a call at the same time and all clients ring when receiving a call. The call cost is
the same than a call through an analog phone connected to the BGAN.
There are numerous free SIP clients in the market. The procedure below applies to 3CX (available
for download on PC, IOS, Android) but should work with any SIP client. The BGAN SIP server is
activated by default so there is no particular configuration required. The client and server must be on
the same network or same WIFI for clients on smartphones. For example smartphones can connect
to integrated BGAN Wireless access point.

Most configuration happens on the client side, after
installing and opening the 3CX application, add a new
profile:
- SIP server address: 192.168.0.1
- Port: 5060
- User name: 0501 to 0516
- ID (if required): same as user name
- Password: same as user name
- Codec priority (if required): G711
These settings can be confirmed by browsing to the Web-

GUI, under SETTINGS > IP handsets. Figure 90 - BGAN SIP Client Setup
Once the configuration is done, users can dial a phone number and make a call through the SIP
Client application.
Static public IP assignment
In the default Router mode, the BGAN acts as a router, NATing the
private network (by default 192.168.128.0/24) into a single public
IP which is dynamically assigned at each connections.
Some applications, such as VPN or video-conferencing require a

static public IP to work. Such service can be provided on-request
by distribution partners for a monthly fee (usually $40/month). In
modem mode, the public IP address assigned to the BGAN is
pushed to the device connected to the LAN port. This mode is
required for VPN or videoconferencing. Note that ideally the IP
address should be “static”, meaning not assigned by a DHCP
server. To activate Router or Modem modes, Go to Settings > LAN. Figure 91 - Static Public IP
Assignment
Static IP parameters can be entered in the TCP/IP section.
3.2 INMARSAT’S ISATPHONE 2
Installing the SIM card and battery
The SIM card slot is located under the battery. To access the slot, the battery
cover should be removed using a coin to turn the screw slot until it is vertical.
If the battery is in place, lift it out. Slide the catch down on the SIM holder and
flip it outwards. Make sure the angled corner of your SIM card is on your left
and slide it into the holder. Flip the holder back into place and slide the catch
back up. Insert the battery by pressing the battery forward and down. It will
click into place. Remove the battery by pressing the battery forward, then lift
up and out of the phone. Replace the cover and lock the screw.
Acquiring the GPS position
Before being able to place calls on the network, the phone needs to acquire a GPS fix so it can be
located by the satellite. This happens automatically when starting the phone, the GPS fix icon will be
displayed. Keep the phone in the open with a clear view of the sky until the icon disappears.

To view the GPS information, go to Menu > GPS position > Options > View location information to
view date and time of last GPS fix was taken and related latitude and longitude.
After obtaining the GPS fix, the phone will register with the Inmarsat network. Stand outside with a
clear view of the sky with the phone antenna pointing toward the Inmarsat satellite (See Inmarsat I-
4 coverage map). There must be a clear line of sight between the phone’s antenna and the satellite.
“Searching for satellite service” will appear on the screen. The top left of the screen will display
“Inmarsat” when the phone is connected to the satellite. The signal bars indicate the signal strength.
At least two signal bars are required to make and receive calls. The phone antenna should be
pointing toward the satellite and user should remain static. Land or cellular lines can be reached by
dialling the full international number:
00 <country code> <telephone number> area code (without the leading 0)

Example: 001 212 326 7123 (UNICEF Global Help Desk number)
To receive incoming calls, correspondents should dial
00 870 <IsatPhone subscriber number>.
Checking the voice mailbox
Inmarsat’s voice mailbox number (+870772001899) is already recorded in the phone:

- Press “Menu” then “Settings”
- Select “Call settings” then “Voicemail number”
- Press “Options” and “Call”
- Default password to access the mailbox center is 1234.
Making a data connection
WARNING: due to high usage costs ($5/MB) and extremely slow service, it is not recommend to use
the data service of the IsatPhone.
To establish a data connection, connect the IsatPhone Pro terminal to a laptop using the USB cable.
CAUTION: the phone must be OFF. When switching the phone on, USB Drivers will be prompted.
Once the phone driver installed, it should be defined as a data modem:

- Close all applications.
- Choose Start > Control Panel.
- Double click on Phone and Modem Options.
- Select the Modems tab, identify the “IsatPhone Pro 1.0 Modem.
- Double click the above Modem
- Select the “Modem” tab and select 2400
- Select the “Advance” tab
- Enter “&FE0&D2” in the Extra Settings box. Select Apply > OK

Then create a dial-up connection:
- Choose Start > All Programs > Accessories > Communications > Network Connections.
- Click “Create a new connection”. Click Next>.
- Select “Connect to the Internet” and click Next>.
- Select “Set up my connection manually” and click Next>.
- Select “Connect using a dial-up modem” and click Next>.
- If a “Select a Device” window appears, check the box next to “IsatPhone Pro 1.0 Modem”, and
uncheck all other devices. Click Next>.
- Enter a connection name (e.g., “IsatPhone Pro Dial up”) and click Next>.
- In the Phone Number box, enter 28 and click Next>.
- Username and password are both INMARSAT. Click Next> and finish
3.3 THURAYA XT PRO/LITE
Accessing the SIM card slot
Similarly to any cellular phone, BGAN or Iridium,

Thuraya SIM cards are the key to accessing Thuraya
services. This small chip contains all the information
about your phone and enables you to access the
network. To install or verify the presence of a SIM
card:
- Switch off the Thuraya XT and remove the battery.
- Insert and slide the SIM card into the SIM card slot
and insert the battery.
Acquiring the GPS position
A Thuraya XT requires a GPS fix before accessing the network. This step
is mandatory in order to register your phone with the Thuraya network.
The process is automatic upon bootup and can take from 30 seconds to
couple minutes depending on the GPS satellite visibility. Coordinates can
be accessed from Menu > Navigation > Current Position.
After receiving the current GPS data, the phone should automatically and
successfully register (as long as the SIM card has been activated) and display
should indicate “Thuraya + Current Country”. To obtain the best voice
experience consider that the antenna should be fully extended during
incoming and outgoing calls. The antenna is directional and users should
therefore point it antenna toward the sky in facing Thuraya satellite (see
coverage map), without any obstacle (free line of site). The SAT signal
indicator reflects the signal strength.

Placing and receiving calls
Phone numbers must be entered using the in international format:
00 <country code > <phone number>
Thuraya XT phones can be reached from any phone by dialing:
00 88216 <thuraya number>
Dial 123 to access the voice mail system and follow the instructions. Choose the language by
pressing, 1- For English, 2- For Arabic, and 3- For French etc. Create a password (4-8 digits) and
press #, re-enter your password and press #. To program a voice mail message, press 3.
Creating a data connection (GmPRS)
WARNING: due to high usage costs ($5/MB) and very slow service, it is not recommend to use the
GmPRS service, especially when coupled with a SatSleeve.
NOTE: GmPRS data is only accessible to SIM having subscribed to the GmPRS plan (+$10/month)
Thuraya GmPRS can provide an “Always On” mobile satellite Internet connection at speeds up to
5/1 KB/s downlink/uplink. The service is supported by the latest generation of handsets; SG-2520,
SO-2510, XT, XT Dual and SatSleeve.
First, verify the service is enabled in the satphone, for example from a Thuraya XT:
- Check the Software version is XT_1.90 or above - Menu> 9 Security > 7 S/W Version.
- Select APN ‘get’. Go to Menu> 7 Settings > 3 GmPRS > 1 APN to ensure the APN ‘get’ is
selected, otherwise, select Option and insert the APN as ‘get’ and select it.
- Select preference on Auto Reject option. Menu >7 Settings >3 GmPRS >2 Auto Reject > ON. If
Auto Reject is set to OFF, subscriber will have the option to either accept the call or reject it. If
Auto Reject is set to ON, incoming voice call during an active Thuraya GmPRS data session will
be rejected. However subscriber will be able to view missed calls.
Second setup the laptop: Connect the Thuraya phone to a PC using the USB cable. CAUTION: the
phone must be OFF. After that switch ON the phone and install the USB Drivers.
Third, create a dial up connection:

Go to Start and “Click Control Panel”
Select “Network and internet “
Select “Network and Sharing Center”
At the Windows Seven network and sharing centre: Click on “Setup
a connection or network “
Select “Set up a dial-up connection” and click on “Next”.
Select “Thuraya XT USB Modem”

A new window will open:
- Enter the Dial-up phone number as *99#
- Leave the fields of username and password blank
- Put the name which will indicate your new connection (ex: Thuraya
Gmprs)
To establish the GmPRS connection, open the “Network connection

panel”, double click the Dial-up connection and click on “dial“.
The phone must have the maximum signal strength to ensure a

minimum quality of service and speed.
Fixed dialing
Fixed dialing is a function that permits only predefined numbers to be called.

- Go to Menu > 9. Security > 4. Fixed dialing > 1. Show list
- Add an authorized number: Menu > 9. Security > 4. Fixed dialing > 2. Add new
- To enable/disable the function: Menu > 9. Security > 4. Fixed dialing > 3. On/off
3.4 THURAYA SATSLEEVE
Installing the SIM card and SatSleeve
The Thuraya SatSleeve uses satellite communications which requires direct line of sight to the
Thuraya satellite. A Thuraya SIM card is required to use satellite services when connecting to satellite
network. SIM card previously linked to an older device (SO, SG, XT…) will be compatible with the
SatSleeve.
Attach your iPhone/Galaxy to the docking adaptor pin and press the top side of the phone into the
adaptor. Press and hold the power button down for about 2s to power on the Thuraya SatSleeve.
The blue LEDs will blink and you will hear a beeping sound. The Thuraya SatSleeve is now ready to
pair with the phone.
Making a voice call
First the phone and SatSleeve must be paired via Bluetooth:

- On most phones, Bluetooth is enabled from the settings
menu.
- The SatSleeve should show as a nearby Bluetooth
device: SAT0000000
- Pair the phone and SatSleeve by selecting SAT0000000
- If for some reason the device cannot be paired, remove
the phone from the sleeve and press the pairing button
on the back of the sleeve.

All communications (voice calls, SMS, voice mail…) are handled from the Thuraya SatSleeve App
available from Apple’s App Store or Google Play. There is no configuration on the app, it should work
out of the box if the phone and sleeve are paired. The app should also synchronize with the existing
phone contacts, making it easier to reach correspondents.
SOS call button
The SatSleeve can initiate a SOS call, even when not paired to a smartphone.
The SOS call button is located between the main unit and the docking cradle.
To setup the SOS number, from the SatSleeve app:
- Select settings
- Tap Call > SOS number
- Enter the emergency phone number
- Tap “Done”
Note that the SOS Button works even if there is no emergency number stored or if there is no SIM
card inserted in the SatSleeve. In such a case, the call will be routed to 112 as a default (not available
in all countries).
3.5 THURAYA IP/IP+
Acquiring the GPS fix
Place the Thuraya IP/IP+ outdoor on a flat surface with a clear view of the sky away from building,
trees and other obstructions. Power up Satellite Modem by pressing the Power button. Once
powered up, the device will automatically attempt to locate itself using GPS. This may take up to five
minutes. The small GPS satellite icons on the display (shaded area in the picture below) show how
many GPS satellites are in view at any given time. All three satellite icons should be on to obtain a
GPS fix. If any is missing or flashing, then the GPS signal is being blocked.
When the GPS icon stops flashing then Thuraya IP has successfully updated its GPS position.
The terminal should be pointed toward the Thuraya satellite. The receive signal strength can be
optimized by fine tuning the antenna position and based on the signal strength display on the Thuraya
IP/IP+. Slowly rotate the device a few degrees clockwise and counter clockwise. Likewise, slowly
raise and lower the antenna a few degrees until the maximum signal strength is reached (~80-85%).
Once the Thuraya IP/IP+ consider the signal strength enough, it will automatically register and
establish an IP data session. This can be verified by browsing to the Web GUI
(http://192.168.128.100) and confirm the “Network Status” line shows “Connected”.

Managing IP data connections
Verify on the Web GUI homepage that “Actual”

column shows “Standard”. In this page you can
check the signal strength, the battery level, the
GPS status and connect/disconnect Standard or
Streaming connection. Likewise BGAN,
streaming is not recommended for UNICEF
applications.
NAT mode / Relay mode
In the default NAT mode, the Thuraya IP/IP+

acts as a router and DHCP server (range starts
from 192.168.128.101). Each PC connected to
the Thuraya IP/IP+ should automatically receive
the IP parameters.
In Relay mode, the public IP address assigned

to the Thuraya IP is pushed to the device
connected to the LAN port. This mode may be
required for VPN or videoconferencing.
To activate NAT or Relay modes, Go to “Menu” > “Settings”.
3.6 IRIDIUM 9555 / EXTREME
Installing the SIM card and battery
Remove the battery and slide the SIM card into the SIM card slot. Follow the card
orientation shown on the decal. Be sure the gold contact is facing down.
Align the battery pack pegs with the slots on the bottom of the battery compartment.
Rotate the top end of the battery pack into the 9555 satellite phone. Press the battery
until it is flush with the case.
Keep your phone battery charged to ensure that the phone is ready for use when
needed. Fully extend your antenna then rotate into position. Make sure the antenna
has a clear unobstructed view of the sky.
The screen should display a good signal level and “Iridium”:

To dial a land or cell number with an Iridium, the phone number

must be entered in international format:
00 <country code> <phone number>
To reach an Iridium phone, use again the international numbering

plan:
8816 <Iridium number>
For the convenience of the subscriber, it is suggested that the Iridium Message Centre Number be
programmed in the terminal:
- Press “Menu” then “Voicemail”
- Select “Voicemail Settings” then “Number”
- Type the voicemail number into the unit 00881662990000. Press “Save”
- Press “Back” to exit options
You can now use the “Call voicemail” menu (programmed with the Iridium Message Centre Number):
- From the terminal, press “Menu” then “Voicemail” and “Call Voicemail”.
- Enter the Iridium voice number (8816…)
- Wait for the recorded greeting to begin and press the * button
- When prompted enter your password
Creating a DATA connection
WARNING: similarly to the IsatPhone and Thuraya XT, data connections are not recommended with
the Iridium handsets.
Connect the Iridium terminal to a PC using the provided USB cable. CAUTION: the phone must be
OFF. Switch ON the phone and install the USB Drivers when prompted.
Iridium’s Direct Internet Data Service allows customers to connect directly to the Internet through the
Iridium gateway. Installing Iridium’s Direct Internet 3 software is recommended to enhance Internet
connectivity:
- Launch the Iridium Direct Internet 3 Installer executable file.
- Click Next> on the Setup – Iridium Direct Internet Installer welcome screen.
- The installer prompts to read a printed copy of this install guide. When ready, click Next> and
click OK on the pop-up dialog box.
- Check the Create a Desktop shortcut to launch Iridium Direct Internet checkbox. Click Next.
- Enter the location information and click OK in the Location Information dialog box.
- Click Add… from the Modems tab in the Phone and Modem dialog box.
- Select the check box next to Don’t detect my modem; I will select it from a list and click Next>.
- Select Iridium from the Manufacturer list box and click Next>.

- Select the COM port that is currently connected to your Iridium
phone click Next>.
- Click Finish to complete the modem installation.
- Click OK in the Phone and Modem dialog box once the Iridium
PPP Data has been installed.
- Assign the modem to all desired COM ports.
- Click Next> in the Iridium Direct Internet 3 Web Accelerator
installer welcome screen and Click Finish
- Select the Desktop shortcut to launch Iridium Direct Internet
- The Iridium Direct Internet 3 Web Accelerator connection does
NOT require authentication.
Press “Dial” and check your Iridium DATA connection (9.6Kbps).
a. GPS Tracking (Iridium Extreme only)
The Iridium Extreme GPS and Location-Based Service features allow users to view, send, or restrict
location information. There are three main security options using these features:
- Programmable SOS button: a red button is located on the top of the phone, under a protective
cover. By removing the cover and pressing the red button users can send their location
information to a designated contact (example: the radio room) in the event of an emergency.
- Location Convenience Key: located on the right side of the phone, this button allow users to
quickly view and share their GPS position.
- Regular update: located in the Iridium Extreme main menu in the setup section, Location
Options, Message Options. Users can program their phone to send its GPS location to pre-
determined contact on a regular basis.
To enable the various GPS features, go to Menu / Setup / GPS Options / GPS On
------------------------------------ END OF CHAPTER 4 ------------------------------------

CHAPTER 5
VERY SMALL APERTURE

TERMINALS (VSAT)
1 INTRODUCTION TO VSAT TECHNOLOGIES
VSAT technologies are widely used by humanitarian organizations for regular and emergency
operations. In UNICEF, about 120 offices rely VSATs for their primary link, secondary link, Internet
off-load and voice services. In some locations where terrestrial connections are unreliable or
unavailable, two VSATs are used as primary and secondary links. In the early stages of an
emergency response (2 to 4 weeks after the disaster), VSATs remain the best tool when terrestrial
networks have been damaged (eg: due to natural disasters or conflicts). Data rates can assigned
based on the number of responders operating in the area and the operational capacity of the VSAT.
Other advantages for emergency response include high network availability (99.9%) and quick
installation (quick-deploy models can be installed within 30 minutes). Challenges when deploying
VSATs are linked to logistics (transport, location to setup) and government licensing/regulations.
1.1 ORBITS & COVERAGE
The first satellite, Sputnik 1, to be put into orbit around Earth

was in the geocentric orbit. By far this is the most common type
of orbit with approximately 2,456 artificial satellites orbiting the
Earth. Geocentric orbits may be further classified by their
altitude, inclination and eccentricity. The commonly used
altitude classifications of geocentric orbit are Low Earth orbit
(LEO), Medium Earth orbit (MEO) and Geostationary Earth orbit (GEO). Low Earth orbit is any orbit
below 2,000 km. Medium Earth orbit is any orbit between 2,000 km-35,786 km. High Earth orbit is
any orbit higher than 35,786 km.
LEO MEO GEO
Altitude (km) 700 – 1400 10,000 – 15,000 36,000

Satellites needed for global coverage 40+ 10 – 15 3 – 4(1)
Link Characteristics
One-way transmission delay 0.05s 0.10s 0.25s
Elevation angle Low Medium to high Low to medium
Operations Complex Medium Simple
Building penetration Poor Poor None
Satellite Characteristics
Space Segment Cost High Low Medium
Satellite Lifetime (years) 3–7 10 – 15 10 – 15
Telephony Network Characteristics
Terrestrial Gateway costs High Medium Low
Hand held terminal costs Low Low Low
Mobile terminal costs Medium Medium High
Fixed terminal costs Low Low Low to medium
Data and TV network characteristics
Point to point connections possible No No Yes
VSAT’s possible Yes Yes Yes
Broadcast TV possible No No Yes
Table 15 - Comparing Satellite Orbits

1.2 BEAMS
Signals sent down to earth from the satellite are said to form a “beam” like the light beam of a torch.
The area covered by the satellite beam is called its “foot print” (see below). As can be clearly
illustrated with a torch in a dark room; the larger the floor area covered, the less bright is the
illumination on the floor. The same happens with satellite beams, with the brightness or intensity
analogous to the satellite’s power (technically referred to as the Effective Isotropic Radiated Power
or EIRP). Thus the larger the beam, the less power is generally available within the beam.
Figure 92 - Wide & Narrow Beams
Traditional satellite technology utilizes a “wide” single beam (usually in the order of 1000s of
kilometers) to cover wide regions or even entire continents. This is highly efficient for large-scale,
one-way communication such as television broadcasts but not for on-demand two-way
communications. Global beams are classified as wide beams.
When using “narrow beams”, the satellite signal is specially concentrated in power (i.e. sent by a
high-gain antenna) so that it will cover only a limited geographic area on Earth. Narrow beams allow
satellites to transmit different data signals using the same frequency. Because satellites have a
limited number of frequencies to use, the ability to re-use a frequency for different geographical
locations without interfering with each other allows more local channels to be utilized. Latest High
Throughput Satellite (HTS) systems (O3B, Epic or Global Xpress…) rely on such beam technology
to achieve high data rates, the drawback being a significantly higher cost of manufacturing due to
the number of antennas on the satellite, the increased power consumption and the overall complexity
of the system. Spot beams are also classified as narrow beams.
1.3 SATELLITE FOOTPRINTS
The footprint is the geographic area towards which a satellite downlink

antenna directs its signal; conversely it is the area from where the satellite is
visible from the surface of the earth. Satellites that do not support maritime
activities have most of their downlink power focused on population centers.
The measure of signal strength of this footprint is the Effective Isotropic

Figure 93 - Satellite
Radiated Power (EIRP). It is important to note that there is an inverse
Footprint
VERY SMALL APERTURE TERMINALS (VSAT) 109

relationship between EIRP and antenna diameter. The higher the EIRP the smaller the required dish.
A station which is located near the center of the footprint will have an advantage in the received
signal compared to another located at the edge of the same beam of the satellite. The satellite
antenna pattern has a defined beam edge to which the values of the satellite EIRP are referenced,
therefore a footprint as shown in the figure above has contours representing a 1 dB increments
toward the beam center. Footprints and EIRP details of every satellite and its transponders can
usually be found on the satellite operator’s website.
1.4 FREQUENCY BANDS
Essentially all commercial satellite communications transmit and receive in the microwave frequency
band, between 1 and 30 GHz. The figure below illustrates the relative bandwidths available for each
of the currently-used satellite bands:
Figure 94 - Frequency Bands used in Satellite Systems

L band is in the range of 1 to 2 GHz and is typically used in VSAT systems typically on the Interfacility
Links between the modem and antenna. It is also widely used by mobile satellite services (MSS),
refer to Chapter 4 for further information.
C band is the first band used for commercial Fixed

Satellite Services (or VSAT). A disadvantage is that its
available bandwidth of 500 MHz is used simultaneously
by satellite and terrestrial microwave users which may
result in serious interference problems. Nearly all C-
band communication satellites use the band of
frequencies from 3.4 to 4.2 GHz for their downlinks, and
the band of frequencies from 5.925 to 7 GHz for their
uplinks. C band technology is well proven and
propagation effects such as rain and depolarization do
not significantly affect signal transmission.
X band has been reserved by the ITU for military

Figure 95 - C-band Satellite Assignment
communications satellites. However it is gradually being
used for commercial purposes with specific service
providers and satellite operators. The uplink frequency
band (for sending modulated signals) ranges from 7.9 to
8.4 GHz while the downlink frequency band (for
receiving signals) is from 7.25 to 7.75 GHz.
Ku band is not shared by terrestrial microwave systems,

this significantly reduces the need for frequency co-
ordination and terrestrial interference analysis. However
Ku band transmissions incur signal strength reduction,
depolarization and distortion due to rain. Ku-band
frequency allocation depends on the regions, in the
Figure 96 - Ku-band satellite assignment

Americas (ITU region 2) for example, downlink range from 10.7 to 11.2 GHz while uplinks start at 14
to 14.5 GHz.
Ka band (20-30 GHz) is used in the latest communications satellites (Global Xpress, Iridium Next…).
Uplink frequencies start from 27.5 GHz to 30 GHz. Unlike the Ku and the C bands, it is far more
susceptible to signal attenuation under rainy conditions, therefore targeted towards dry regions of
the world.
Based on the above bands, one may notice uplink and downlink frequencies are different. This is to
avoid interference between the two signals on the satellite and at the earth station. To further isolate
the signals, one polarization is usually used for the uplink and the other for the downlink. The principal
reason for polarization, is for frequency reuse, so that two channels can use the same frequency
band. The uplink frequency is higher because it reduces the complexity of the satellite by; permitting
a smaller receive antenna on the satellite, reducing the size of amplifiers and reducing the amount
of power required.
The gain of the antenna is proportional to the square of the frequency, so by using the higher
frequency the receive antenna can be smaller. Thus the practice has been to use the higher
frequency for the uplink and the lower frequency for the downlink and "put the burden on the ground."
It is easier to increase the size and power of the earth station antenna than the one of the satellite.
1.5 TRANSMISSIONS
1.5.1 Access Methods
The main access methods for satellite networks are Time Division Multiplexing (TDM), Time Division
Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Single Channel Per Carrier
(SCPC) and Multiple Channels Per Carrier (MCPC).)
When using multiple access networks like TDM/TDMA, the remote VSATs “listen” to same high
speed data stream using TDM from the hub. They then extract information/data that is addressed
uniquely to each of them. For the return to the hub, the VSATs transmit taking turns using a common
channel (TDMA) Service providers usually prefer this solution because it maximizes their channel
capacity, hence also a lower cost for the subscriber. iDirect platforms, for example, widely uses
TDM/TDMA.
Figure 97 - Time Division Multiplexing (TDM) and Time Division Multiple Access (TDMA)

Single Channel per Carrier (SCPC), also called “fixed FDMA” or point-to-point, uses a separate
dedicated carrier to each remote VSAT to receive information from the central site, and another
dedicated carrier for each VSAT to transmit information back to the central site:
Figure 98 - SCPC Network
The limitation with SCPC relies in the fact each channel requires a separate modem at each end of
the link. From the satellite provider SCPC circuits are an inefficient use of satellite bandwidth as
when the station does not transmit, the bandwidth cannot be reallocated to other stations (“bursting”,
see point 3.2). SCPC circuits are therefore more expensive than TDM/TDMA systems.
With Hybrid MCPC/SCPC Networks the hub combines several subcarriers into a single bit stream
before transmitting it as one carrier to all the remote sites (MCPC or Multiple Channel per Carrier).
The remote sites typically use SCPC for the return channel:
MCPC-S2/SCPC Network
Multicast - A Multicast - B
Satellite
Outbound MCPC Outbound MCPC
(hub–remote) (hub–remote)
Inbound (remote to hub) SCPC carriers
Hub
Antenna
Remote Remote
MPLS Terminals
Terminals
Headquarters Cloud Internet
Figure 99 - Hybrid Networks

1.5.2 Polarization
A Polarization is determined by the orientation of the electric and magnetic fields radiating from the
transmitting antenna. If polarization is used, two different signals can be transmitted in the same
frequency range without interference, even if they overlap in frequency. In this way, twice the number
of channels can be transmitted in a given bandwidth (frequency reuse). Satellite systems typically
use either linear polarization (horizontal/vertical) or Circular Polarization (LHCP/RHCP).
Figure 100 - Electromagnetic Polarization
1.5.3 Modulation
The frequency spectrum is a limited resource that must be shared to meet the demand for
communication services. At the same time, developers of communication systems are constrained
with restrictions on the permissible transmission power and challenges with the inherent noise of the
system.
Modulation is a facility used to address these challenges. In telecommunications, modulation is the

process of varying one or more properties of the transmitting signal, called the carrier signal, with a
modulating signal that typically contains information to be transmitted. In the past, modulation
techniques were mainly analogue (AM, FM, PM...); simple and cheap hardware was used in
transmitters and receivers. However analogue modulation is inefficient in terms of spectrum usage.
With the progress of science and the advent of micro-processors, highly complex but spectrally
efficient modulation techniques were created. A major transition occurred from simple analogue type
modulation to new digital modulation techniques. Examples of digital modulations applied in satellite
communications include Quadrature Phase Shift Keying (QPSK), Frequency Shift Keying (FSK) and
Binary Phase Shift Keying (BPSK). By using better modulation techniques, satellite operators are
able to provide higher data rates and host more users on their transponders.

Figure 101 - Digital Modulation Techniques (FSK, BPSK, QPSK)
1.5.4 Link Quality
When procuring VSAT services, all providers should be able to meet a certain level of performance.
Performance indicators are usually determined as “link availability” (percentage of time the link is up)
and the minimum Bit Error Ratio (total number of erroneous bit divided by the total number of bits
received). For example, a service provider may guarantee a 99.5% availability and BER=1e -6,
meaning that for the entire year, except for 44 hours, the link will perform much better than the BER
threshold. During these 44 hours, VSAT subscribers may expect slowness or disruption of the signal.
Usually the higher the availability the higher the monthly cost.
Elements that affect the link quality include:
- Weather conditions, such as rain, snow, ice or fog can disrupt Ku and Ka Band systems (but
only marginally on C Band). High frequencies are more susceptible to attenuation caused by the
absorption and scattering effect of water in the atmosphere. Interestingly the signal could be
down not only because of bad weather conditions on the VSAT site, but also at the operator’s
teleport. Other rare events such as solar eruptions and eclipses can also affect the signal.
- Interferences are the major concern of satellite operators. These can be located at the
transponder or at the earth station. For example a damaged cable can pick up TV signals that
are in turn radiated to the satellite or an antenna on the ground pointing to the wrong satellite.
Inference can also be caused by a cable running too close to electrical equipment such as
motors, elevators, air conditioners or interferences caused by nearby microwave or TV towers.
- Noise from the environment, either external (atmosphere, sun, earth…) or internal electronics
(resistors in the circuit, semi-conductors…). As the signal bandwidth increases, the receiver will
pick up additional noise.
- Power failures account for 80% of all station outages. All indoor equipment should therefore be
backed up with a UPS and ideally a generator or batteries powered by solar panels.
- Latency, which ranges typically from 500ms to 1s in satellite networks because radio waves
have to travel from the earth station to the satellite and back. This factor is a problem for some
Internet transmission protocols. Notably, the Transmission Control Protocol (TCP) requires each
data packet to be acknowledged as received intact before sending further packets. While
designed to operate efficiently in terrestrial networks with delays of typically less than 100
milliseconds, therefore TCP does not perform as well over satellites. This limitation of TCP can
be overcome in a number of ways by using techniques such as acknowledgments, compression
and protocol emulation to reduce the amount of acknowledgment traffic. Other techniques simply

replace TCP with a more efficient protocol for use with the unique characteristics of satellite
networks. In reality, many users will not even notice the satellite delay and the impact of TCP/IP.
1.6 NETWORK
A typical VSAT network has many VSAT stations communicating with the provider hub which is then
connected to a public network (Internet, the telephone network) and UNICEF’s WAN:
SATELLITE
PSTN
VSAT 1
Internet VSAT 2
HUB VSAT 3
(NOC)
WAN VSAT 4
Suungard
NYHQ
Figure 102 – UNICEF VSAT Architecture
As of writing, the vast majority of UNICEF VSAT stations are using 3 satellites: Arabsat 5A (30.5oE),
Yahsat 1A (52.5oE) and Telstar 18 (138oE). The network management is outsourced to EMC which
has teleports in Germany, UK and Hawai. Marine Fiber optic cables link the teleports to UNICEF’s
data centers in New Jersey (SunGard) and New York HQ.

2 VSAT HARDWARE STANDARDS
A VSAT is composed of a dish, technically referred to as an antenna and a receive/transmit device,

called a feed assembly. The combination of both is referred as the outdoor unit (ODU). The feed
assembly is connected via two cables referred to as an Inter Facility Link (IFL) to indoor electronic
equipment (Indoor Unit / IDU) that processes the information (voice, video or data) received or for
transmission:
Dish
Satellite
Router / Modem
Feed
Indoor Unit (IDU)

LAN
Outdoor Unit (ODU)
Figure 103 - VSAT Composition
2.1 ANTENNAS
The primary goal of an antenna is to reflect and concentrate the signal from and to satellites that are
36,000 km above earth. Most of the VSAT antennas have a parabolic dish shape, which focuses the
signal towards the satellite. In other terms, parabolic antennas are highly directional, a necessary
feature when considering the distance to the satellite. Note that a dish is generally incorrectly termed
“antenna”, the true receiving antenna being the LNB. Depending on the purpose and wavelength,
antennas are made in various forms and sizes. The higher the frequency for example, the smaller
the antenna, hence C Band stations being larger than Ku or Ka band stations. Similarly, antennas
located in the satellite operator’s teleport must accommodate large data rates (usually 155 Mbps),
hence their very large size (7 to 15m) while subscriber’s models range
from 98cm to 3.8 meter. There are four main types of parabolic antennas:
- Prime focus antenna: The prime focus antenna is round and has its
feed / LNB assembly at the focal point directly in front of the antenna.
A prime focus antenna is easy to manufacture and inexpensive. They
are also the easiest to point.
- Offset feed antennas have smaller diameters (30 cm-4 m) and the
feed is located below the lower edge of the offset block of the antenna
aperture. Offset antennas achieve a better radiation pattern because
of less aperture blockage. The offset must be taken into consideration
when pointing the dish.
- Cassegrain antennas can be either composed of a main center or
offset feed and uses a secondary hyperbole as sub-reflector. These
models usually achieve better efficiency and are used by most earth
station dishes or in mobile compact systems. Such antennas are
usually more expensive than Prime or Offset antennas.
- Gregorian antennas are physically similar to Cassegrain antennas
as they employ dual reflection to achieve compact structures. Figure 104 - Types of
Parabolic Dishes

Figure 105 - Prime Focus, Offset, Cassegrain and Gregorian Antennas
There is no official standard antenna model, however, for emergency response, antenna
manufacturer GD Satcom (who acquired Prodelin and Vertex RSI) is recommended. Inmarsat’s
release of the Global Xpress platform leaded to the addition of multiple Quick-deploy antennas,
Cobham’s model is listed below.
Fixed Models include:

- GD Satcoms series 1135, a 1.2m Ku-band antenna
- GD Satcoms series 1184, a 1.8m C/Ku-band antenna
- GD Satcoms series 1244, a 2.4m C/Ku-band antenna (Offset antenna
pictured above)
- GD Satcoms series 1385, a 3.8m C/X/Ku band antenna
Quick-deploy or “flyaway” models include:

- Cobham Explorer 5075GX, a 0.75cm auto pointing Ka-band antenna
- GD Satcoms series 1138QD, a 1.2m C/X/Ku/Ka-band antenna
- GD Satcoms series 1189QD, a 1.8m C/X/Ku/Ka-band antenna Figure 106- Cobham
Explorer 5075GX
- GD Satcoms series 1259QD, a 2.4m C/X/Ku/Ka-band antenna
Quick deploy antennas are recommended for operations needing flexibility; antennas can be
assembled and disassembled within 30 minutes and do not usually require any tools. Fixed antennas
are aimed at permanent installations, require up to 3 days for installation as civil engineering (such
as installing the mast) might delay the setup. Quick Deploy antennas ($10k to $40k) are significantly
more expensive than fixed antennas ($500 to $3k). UNICEF pre-stocks GD Satcoms Quick Deploy
VSAT series in Copenhagen so they can be shipped immediately upon request. Fixed VSAT can be
obtained through the LTA suppliers.

Another parameter when comparing antennas using different frequency bands is their beam width. As illustrated in the image above, a 60cm C-band antenna
could potentially receive three satellites within its main beam (-3dB point) if the satellites are separated by 3 degrees in longitude. Satellites are usually separated
by 2 degrees so this is clearly not desirable! Hence most C band VSAT start at 1.8m as a minimum. When comparing with same size Ku and Ka band antennas,
beams are significantly smaller (hence smaller antennas) and the gain is higher (hence lower transmission power required)! In practice this enables better
systems efficiency when using Ku/Ka bands.
2.2 FEED ASSEMBLY
In a VSAT system, the electronics refer to the equipment attached to the antenna feed. Their function
is to shape the signal beam to match the parabolic dish and achieve the best transmission. In
addition, electronics also separate transmit and
receive signals with minimum loss and interference.
A typical antenna is composed of the following
electronics:
1. The Feed-horn is used to convey radio waves

between the transmitter and/or receiver and the
reflector. It converts the radio frequency alternating
current from the transmitter to radio waves while
incoming radio waves are converted to a tiny radio
frequency voltage which is then amplified by the
LNB.
2. The Ortho Mode Transducer (OMT) isolates the

signal polarizations and transfers transmit and
receive signals to different ports.
3. The Transmit reject filter which prevents any

Figure 107 - VSAT Feed
outgoing transmit signal to mix with the incoming
signal travelling to the LNB.
4. The Low Noise Block (LNB) is a combination of low-noise amplifier,

frequency mixer, local oscillator and IF amplifier. It receives the high frequency
microwave signal (C/Ku/Ka) from the satellite collected by the dish, amplifies it,
and down-converts the block of frequencies to a lower block of intermediate
frequencies (IF). This down-conversion allows the signal to be carried to the
indoor unit using coaxial cable; Figure 108 - LNB
5. The Block Up-Converter (BUC) is used for the uplink transmission. It

converts the signal coming from the modem via the coaxial cable at a low
frequency (L band) to a higher frequency (C/Ku/Ka), then amplifies it before
it is reflected off the satellite antenna towards the satellite. To perform both
functions, BUCs are composed of a local oscillator and a power amplifier.
A typical VSAT system use 2W to 8W BUC in the Ku band and 5W to 30W
BUC in the C band.
Figure 109 - BUC
6. Waveguides are usually required when
the BUC is too heavy (10W+) to be attached to the OMT directly. Since
the signal exiting the BUC travels at high frequencies (3 to 30 GHz
depending on the band used), using coaxial cables would trigger at
the very least 5 times higher losses than waveguides. There are two
types of waveguides depending on the system polarization, circular
waveguides discriminate left and right hand polarization while Figure 110 – Flexible
rectangular waves discriminate vertical and horizontal waves. Waveguide

There is no official standard equipment in UNICEF for the VSAT electronics. Usually pre-assembled
“feeds” composed of the feed-horn, OMT and transmit reject filters are specifically selected and
shipped with the antenna model. BUC and LNB come in different capacities depending on the
frequency and output power required. Usually their choices are dictated by the satellite service
provider, based on their capacity over a region. Recommended BUC and LNB models are New
Japan Radio and Norsat.
2.3 INTER FACILITY LINKS (IFL) CABLES
VSAT systems require a total of two Inter Facility Links (IFL) cables to be installed between the ODU
location and the IDU. The path and length of the IFL cable should be determined during a site survey
while approval from the building landlord should obtained as routing the cable may impose some
drilling in walls or ceilings. Transmit and receive intermediate frequencies (500 to 700 MHz) are
carried by shielded coaxial cables. Failure to use high quality low loss coaxial cable for extended
lengths will result in significant reduction in the ODU output and excessive signal distortion.
Coaxial cable conducts electrical signal using an inner conductor (usually a solid copper, stranded
copper or copper plated steel wire) surrounded by an insulating layer. All are enclosed in a shield,
typically one to four layers of woven metallic braid and metallic tape. The cable is protected by an
outer insulating jacket. Larger diameter cables and cables with multiple shields have less leakage
but are also more expensive:
Figure 111 - Coaxial cables and shielding
There is no official standard coaxial model in UNICEF, however for emergency operations, high
quality cable standards such as RG11 (75Ω), LMR400 (50Ω) and LMR600-75 (75Ω) from
Manufacturers such as Belden, Pasternack or Times Microwaves come highly recommended. For
example, UNICEF ships 200 ft. Pasternack RG11A/U cables with all Quick-Deploy VSAT pre-stocked
in Copenhagen while EMC (LTA holder as of writing) uses LMR400/LMR600 for the long runs
(>100m). RG6 cables, commonly used for TV, might also be considered but only for short runs (less
than 30 meters) since they suffer greater signal loss.
12
10
8
dB
6
4
2
0 Hz
0 100 200 300 400 500 600 700 800 900 1000
Belden 8215 (RG6) Belden 8213 (RG11) TMS LMR400
Figure 112 - VSAT Coxial cable loss at 100 ft (30m)

The ends of coaxial cables usually terminate with connectors. Coaxial connectors are designed to
maintain a coaxial form across the connection and must have the same impedance as the attached
cable. Coaxial cables used in VSAT systems either have a characteristic impedance of 50Ω or 75Ω.
The cable impedance must also match the modem impedance and LNB/BUC impedance. iDirect
modems for example use 75Ω while BUC/LNBs can be ordered in 50 or 70Ω versions.
There are many coaxial connectors in the market, the most common used in VSAT systems are F
connectors (75Ω) and N connectors (50Ω). No all connectors and coaxial cables are compatible. The
following are a set of recommended connectors for the cables mentioned above:
- RG6: Pasternack PE44312 (75Ω male connector, F type)
- RG11: Pasternack PE44315 (75Ω male connector, F type)
- LMR400: TMS EZ-400-NMC-2-D (50Ω male connector, N type)
- LMR600: TMS EZ-600-FMH-75 (75Ω male connector, N type)
Figure 113 - F & N connectors
Other important IFL elements to consider:
- Surge arresters, installed in line with a coaxial cable to protect modem from damage induced
by lightning striking the antenna and travelling through the cable. Recommended models are
Pasternack PE7301-1 (N male to N female) and PixelSatRadio Surge Protector 4645F (F male
to F female).
- Impedance matching pads can solve mismatching impedances between the cable/connector
and modem/BUC/LNB. Pasternack PE7070 for example is a N male 50 Ω to F female 75 Ω
impedance adapter.
- 2-way splitters with DC block are used to connect a spectrum analyzer during
the pointing procedure. Note that most Standard 'consumer-grade' splitters are
designed for TV frequencies and will not pass the higher frequencies of the
satellite signal, it is recommended to look for F female 75Ω or 50Ω, 0-2Ghz
splitters.
Figure 114 -
2.4 SATELLITE MODEMS Splitter
A "modem" stands for "modulator-demodulator". Its main function is to transform an input bit stream
to a radio signal and vice versa, the process is called “modulation”. Data to be transmitted is typically
received from a router. Probably the best way of understanding modem's work is to look at its internal
structure:
Figure 115 - Satellite Modem Internal Structure
VERY SMALL APERTURE TERMINAL (VSAT) 121

- The Analog tract converts the signal's frequency (usually L band) and adjust its power.
- A digital modulator transforms a digital stream into a radio signal on Intermediate frequency
(IF). Popular modulation types being used for satellite communications are BPSK, FPK and
QPSK (refer to Point 1.3.3). A modulator is generally a much simpler device than a demodulator,
because it doesn't have to recover symbol and carrier frequencies. Digital demodulation implies
that a symbol clock (and, in most cases, an intermediate frequency generator) at the receiving
side have to be synchronous with those at the transmitting side.
- FEC coding is an error correction technique that is essential to satellite transmissions since
signals received usually have a poor signal to noise ratio. Error correction works by adding
artificial redundancy to a data stream at the transmitting side (FEC encoder), and using this
redundancy to correct errors at the receiving end (FEC decoder).
- Differential coding is used to provide unambiguous signal reception when using some types of
modulation (QPSK, BPSK). It enables data to be transmitted to depend not only on the current
bit (or symbol), but also on the previous one.
- Scrambling is a technique used to randomize a data stream to eliminate long continuous '0'- or
'1' bit sequences and to assure energy dispersal. Long '0' and '1' sequences create difficulties
for timing recovery circuits. The scrambler randomizes the data stream to be transmitted.
- The multiplexer transforms several incoming digital streams into one single stream. The
demultiplexer is a device which transforms one multiplexed data stream to several streams.
UNICEF uses various types of modems: the iDirect Satellite routers for TDM/TDMA systems (shared
bandwidth) and the Radyne, Datum and Comtech series for SCPC and MCPC links (dedicated
bandwidth with bursting).
Model iDirect X5 Radyne DMD20 Comtech CDM 750
Data Rate Outbound up to 7.5 Mbps up to 20 Mbps up to 169 Mbps

Data Rate Inbound up to 15 Mbps up to 20 Mbps up to 169 Mbps
L Band tuning range 950 to 1700 MHz 950 to 2050 MHz 950 to 2150 MHz
2x F-type female, 75 BNC female, 75 Ohm BNC Female, 75 ohm

Connector
Ohm F-Type female, 75 Ohm N-Type female, 50 Ohm
LAN Ports 1x ethernet 1x Gigabit Ethernet 2x Gigabit Ethernet

Access Mode TDMA TDMA/SCPC/MCPC TDMA/SCPC/MCPC
QPSK, 8PSK, 16 BPSK, QPSK/OQPSK,
Modulation QPSK, 8PSK,16APSK, 32APSK
APSK 8PSK/8QAM, 16QAM
Cost 1,200 2500 4500
Table 16 - Comparing Satellite Modem
UNICEF pre-stocks Quick Deploy VSATs (refer to point 2.1) in Copenhagen

that are shipped with either an SCPC/MCPC or iDirect IDU rack.
SCPC/MCPC racks usually come with an IDU composed of the SCPC or
MCPC enabled modem (Comtech, Radyne or Datum), a Cisco 2900 series
router (for data and voice traffic), a Cisco 2960 switch, UPS and an isolation
transformer. The iDirect rack comes with just the Modem and a UPS.
Figure 116 - IDU
Racks shipping with
Quick Deploy
Antennas

2.5 VSAT KITS
VSATs are considered as the last resort long term solution for Internet and voice access in
emergencies. For this reason, a certain quantity of VSAT kits are pre-stocked in the Copenhagen
warehouse, so they can be quickly shipped to the field should an emergency happen.
The challenge with pre-stocking VSAT dishes is that there is no single standard solution that
guarantees worldwide operation, independently of the location of the emergency response. For
example an antenna UNICEF would deploy in Middle-East would be different than the antenna
deployed in South-East Asia. Parameters to consider include: the frequency band (Ku, standard C,
extended C, Ka…), the antenna size (0.9m, 1.2m, 1.8m, 2.4m), the transmission power (4W, 5W,
10W, 40W…), the modem type (iDirect, SCPC…). All of these depend on which ISP UNICEF goes
for (local, regional or global).
UNICEF have designed VSAT kits in a flexible manner, each kit being composed of 4 types of
“blocks”. The kit is assembled by selecting the blocks based on ISP capacity. Therefore a minimum
of communication is required prior shipping the VSAT kit. Following are the block’s composition:
1.2m Ku Band
Quick Feed Horn iDirect
250FT RG11
Deploy + 4W BUC & Modem Rack
Coaxial cable
Antenna LNB
OR
OR +
1.8m Coaxial connectors,
C Band
+ + + =
Quick adapters and DC
Deploy Circular Feed Horn
blockers
Antenna + 10W BUC & LNB SCPC
Modem Rack
OR +
Grounding
2.4m OR VSAT KIT
Quick +
Deploy C Band
Antenna Linear Feed Horn
+ 10W BUC & LNB Assembly and
Pointing Tool Set
ANTENNA ELECTRONICS CABLES MODEM
Figure 117 - UNICEF Universal VSAT Kits
- The antenna block is composed GD Satcom Quick Deploy antennas ranging from 1.2m, 1.8m
and 2.4m. It includes the pedestal, reflector (usually composed of 2 or 4 petals),
positioner/pointing mechanism, sand bags for ballast and the transport cases. Quick deploy
antennas are adequate for emergency response as they are fast to assemble: no tools are
required while just two persons can assemble the structure. Those models also favour
redeployment once the emergency is over or if an evacuation is required.
- The electronics block handles the transmission and reception of the signal. It is therefore
composed of the feedhorn, the BUC and the LNB. ICTD stores 3 types of electronics blocks: a
4W Ku band kit, a 10W standard C band kit and a 5W extended C band kit.
- The cable block is a single standard kit composed of 200 feet (30m) of RG11 bulk cable, F male
connectors, all sort of coaxial adapters (F to N, impedance matching pads, surge arrestors,…),
crimping tools and grounding accessories (rod, wire, wire terminal kit…).
- Eventually there are two modem blocks. One is composed of a network rack, an iDirect modem
and a UPS. The second is similar but replaces the modem with an SCPC model (either Datum
or Radyne) and adds a voice router and a switch.

3 VSAT SERVICE PLANS
Service providers usually offer shared or dedicated bandwidth. Shared bandwidth refers to bandwidth
that is shared with other customers. Dedicated bandwidth is “committed” solely to the office. Shared
bandwidth is obviously cheaper than dedicated bandwidth because costs are being shared among
other users. Unfortunately, some service providers pass off shared bandwidth as dedicated
bandwidth and charge rates equivalent to those for dedicated bandwidth. Such detail should
therefore be clear when a contract is being signed.
3.1 DEDICATED BANDWIDTH
In emergencies, when a VSAT is to be used as main link, it is recommended to subscribe to a

dedicated bandwidth plan. Such a decision could be justified by a large volume of devices accessing
the system throughout the day and requirements for real time applications such as telephony or
videoconferencing.
Service providers apply a formula that is used to determine monthly recurring cost (MRC) of a
dedicated bandwidth plan. Such formula depends on the sum of the download and upload bandwidth
multiplied by a coefficient:
VSAT (dedicated) = OTC + (MRC x C)

Where OTC = equipment value (Antenna + feed + IDU) and installation service
Where MRC = (Download bandwidth in kbps + Upload bandwidth in kbps)
Where C = coefficient applied by the service provider
Coefficients are usually kept secret and varies depending on the service provider. An average
indicative value of the coefficient is 1.1. The following table provides examples of the resulting costs:
Download (kbps) Upload (kbps) MRC (US$)

512 256 1036.8
768 512 1728
1024 512 2073.6
1536 768 3110.4
2048 1024 4147.2
3072 1536 6220.8
Table 17 –Indicative Pricing for a SCPC/MCPC link
To obtain the exact OTC and MRC pricing with UNICEF’s global service provider, contact ICTD.

3.2 SHARED BANDWIDTH
Shared bandwidth on the other hand might be desirable for a VSAT running as backup or secondary
link (for email and Internet traffic) as the bandwidth won’t be used all the time. There are three key
metrics that need to be considered when purchasing shared bandwidth:
- The contention ratio is the number of users sharing the bandwidth. For instance if 1 Mbps
bandwidth is shared among 20 customers (contention ratio of 20:1), then the maximum
connection speed when all the customers are using the bandwidth is 50 kbps, which is equivalent
to a dial up modem connection. Contention is also called “over booking” or “over selling” capacity.
- The Committed Information Rate (CIR) is the minimum bandwidth capacity at all times. In the
example above using a contention ratio of 20:1, the CIR would be 50 kbps, even though the
service provider quotes a bandwidth capacity of 1 Mbps.
- The Bursting Capacity refers to the ability of a VSAT system to utilize capacity above and
beyond its normal allocation. If the service provider has implemented bursting, a portion or all of
the shared bandwidth capacity is pooled. When other subscribers are not using their capacity,
the office may be able to “burst” or use more than its allocated capacity. When other subscribers
need their bandwidth, it is removed from the pool and assigned to the subscriber. Bursting is
also applied on UNICEF SCPC/MCPC links with global service providers.
Shared bandwidth plans are the most common plans available in countries or regions, many of which
rely on the iDirect platform. However because these plans can be deceiving, it is essential to always
inquire about the contention ratio, CIR and entitled bursting capacity.
Similarly to dedicated bandwidth plans, a following formula determines monthly recurring cost of a
shared bandwidth plan:
VSAT (shared) = OTC + MRC

Where OTC = installation service
𝐷𝑜𝑤𝑛𝑙𝑜𝑎𝑑+𝑈𝑝𝑙𝑜𝑎𝑑 (𝑘𝑏𝑝𝑠)
Where MRC = = ×𝐶+𝐷
𝐶𝑜𝑛𝑡𝑒𝑛𝑡𝑖𝑜𝑛
Where C = coefficient 1
Where D = coefficient 2
Considering an average indicative value of the coefficient C = 1.35 and D = 350, resulting MRC is:
Download Upload MRC with 1:5 MRC with 1:10 MRC with 1:20
(kbps) (kbps) contention contention contention
256 256 488.24 419.12 384.56
512 256 557.36 453.68 401.84
768 512 695.6 522.8 436.4
1024 512 764.72 557.36 453.68
1536 768 972.08 661.04 505.52
2048 1024 1179.44 764.72 557.36
3072 1536 1594.16 972.08 661.04
Table 18 –Indicative Pricing for an iDirect link
To obtain the exact OTC and MRC pricing with UNICEF’s global service provider, contact ICTD.

4 VSAT INSTALLATION
This chapter details the necessary steps to install a VSAT based on the usual requirements from
most service providers. The VSAT installation sequence is as follow:
3. ODU 4. IFL 5. IDU 7. Commisioning

1. Preparations 2. Site Survey 6. Grounding
Installation Installation Installation & Testing
4.1 PRELIMINARY REQUIREMENTS
Before even considering installing a VSAT for a new office, one should first consider whether there
is no alternative (cable/DSL technologies are more cost effective) and if authorities will approve the
installation. In most emergencies, requirement will also depend on the UNICEF station in the affected
area:
- If the organization rents its own building for a significant amount of time (at least 1 year), then a
VSAT could be justifiable. Note that an emergency office with more than 20 users should have
a backup link, therefore a VSAT is more likely to be required.
- If UNICEF is located in an inter-agency building where another agency or the ETC cluster is
already providing services, then it doesn’t make sense to add up an additional antenna.
If the VSAT is required, make sure to:

- Liaise with your Regional Office or ICTD Operations to confirm requirements
- Determine the required bandwidth plan (dedicated or shared) and ISP
- Choose the VSAT antenna model
- Inquire which satellite will be used
4.2 SITE SURVEYS
This chapter describes the procedure for conducting a site survey to determine the optimal location
for the VSAT, including:
a. Calculating
c. ODU site d. IDU site
azimuth and b. Checking LOS e. Reporting
selection selection
elevation
Before travelling on-site, the following items should be taken:

- Compass and inclinometer (such as the Suunto Tandem)
- The satellite azimuth and elevation information (refer to point a. below)
- A photo camera, measuring tape and GPS
- Site survey forms (see USB flash drive or visit the ICTD emergency portal)
Figure 118 - Suunto
Note that smartphones can Inclinometer
perform many of the tasks
above and also provide useful additional applications:
- VSAT PRO Satellite Dish Finder, SatFinder Tool
and Satellite AR (Android)
- SatelliteLocator and SatFinder (IOS)
- Satellite Finder (Windows mobile)
Figure 119 - Smartphone VSAT apps

a. Calculating azimuth and elevation
This task should be done even before travelling to the site and results printed out. Go to
www.dishpointer.com, enter the location antenna is to be placed (city) and press go. Select the
satellite to be used and move the cursor to the office location on the Google Map screen. For
example:
The green path defines the orientation

of antenna feed, meaning there should
be no obstacle in that direction. In
addition the software provides the
required feed angle (example above
states 69.9, not including any possible
antenna offset) which will be useful
when determining the Line Of Sight
(LOS).
Figure 120 - Output of dispointer.com
b. Checking the Line of Sight
Communication satellites used in the satcom industry are typically in a geostationary orbit, appearing
to be in a fixed position in the sky directly above the equator, relative to an observation point on
earth. The entire field of geostationary satellites can therefore be found in an arc across the sky.
To communicate with the satellite, the antenna must be able to 'see' the location in the sky above
the equator in which the satellite is located. The situation of an unobstructed view between the
satellite and the antenna is known as 'having a line-of-sight' to the satellite.
To calculate the line-of-sight, consider a triangle, where X is the height of

the obstruction in front of the antenna and Y is the distance between them.
For example, if the obstruction is 8 meters high and 32 meters away from
the antenna, then the minimum elevation equals arc tan (8/32) = α
The following table can be used as a reference for the above calculation:
Table 19 - Maximum Obstacle Heights

c. Selecting the antenna (ODU) site
The antenna location is obviously dependent on the line-of-sight to the satellite. Sometimes this
leaves few possibilities for the installation: garden, terrace, roof top. In addition, it is important to
perform the following checks when determining the terrestrial site for the antenna location:
- Site should be relatively flat and conveniently accessible.
- The antenna must be placed in a controlled area with restricted human access to the physical
air space between the antenna reflector and the output of the radio frequency amplifier.
- Site should have no underground obstructions, such as buried cables or pipes.
- Site should have no interference from nearby telecoms towers or airports (WiMAX, microwave
transmissions, cellular telephone towers, and airport radar).
- Site should be free from constructions or planned constructions.
- Confirm that installation at the site will follow all local building regulations and standards
regarding drilling, grounding, foundation requirements.
If the antenna is to be installed on the rooftop, the following arrangement should be considered:
- A lightning arrestor that is properly grounded.
- A point-of-entry for two coaxial cables and a clear path or empty conduit to run a coaxial cable.
- An antenna surface is capable of supporting the weight of the VSAT plus its wind load.
- 230V AC or 110V AC outlet near the installation site for use during both the installation process
and subsequent maintenance work.
At this stage, the type of mount and ballast should be determined, there are various options:
- Wall mounts can only be used with small antennas (1.2m max). They are only approved for use
on solid concrete walls. If the wall is too tin, a back plate would be necessary to balance the
weight. Very small antennas (0.90m) could also be attached to a vertical steel beam.
- A penetrating mount is recommended for 1.8m antenna size and above. These are the most
challenging mount to handle since they usually require a significant amount of civil engineering
work: digging a 1.5m to 2m deep square hole depending on antenna size, fill up with cement
around the mount. Alternatively such mount could be
welded or bolted to a suitable pole.
- A non-penetrating mount (NPM) is the preferred solution
in emergencies as it fits all antenna sizes, is easy to
assemble, and offers a low uniform distribution. Since
NPMs are not fixed to any structure, the installer must find
ballast, such as concrete blocks to hold the mast vertical
and avoid moving.
Figure 121 - Non Penetrating
d. Selecting the Indoor Equipment (IDU) site Mount
The equipment room should meet the following minimum requirements:
- Be within less than 70m from the ODU, otherwise there might be too much cable loss. If the ODU
is between 30m and 70m, RG11 type cable will be required.
- Space for a mobile 24U rack OR availability of an appropriate number of units of vertical rack
space in standard 19" equipment racks.
- Power should be provided using an uninterrupted power supply with either rectified 230V AC or
110V AC outlets in each rack.
- Ambient temperature range between 20 and 25 degrees Celsius.
- Relative humidity between 20% and 50%.
- Continuous air cycling with filtration for proper ventilation to ensure that equipment is kept free
of contaminants and particle matter.
- Fibrous material and gaseous elements should not be present in the equipment room and
measures be implemented to prevent the build-up of electrostatic discharge (including
appropriate straps and mats, and no carpeting).

e. Writing the site survey report. This task can be performed using site survey templates. Also
taking a lot pictures during the survey is always beneficiary.
The following diagram can be used for a quick site survey checklist:
Table 20 - Site Survey Checklist
4.3 OUTDOOR UNIT INSTALLATION
This chapter describes the procedure for performing a VSAT installation, following sequence is
recommended:
a. Getting all b. Antenna c. Spectrum d. Elevation & e. Peaking &

the pre-requisits Assembly Analyzer Azimuth Locking
a. Obtaining all pre-requisites
- Verify all equipment versus the shipping list and manual contents, including Antenna and feed,
modem or IDU rack, coaxial cables and connectors, mast and ballast, Grounding rod and cables
- The site configuration sheet, to be provided by the service provider. It usually included NOC
contacts, satellite pointing information, expected plot to be observed on the spectrum analyser
and the modem configuration.
- Check licenses have been obtained
- Prepare the VSAT installer tool kit:
o Compass and Inclinometer
o Set of wrenches (at least a 1-1/2”), Allen wrenches and screwdrivers
o A Spectrum Analyzer, such as the Rhode & Schwartz FSH series
o A coaxial splitter, Assorted coaxial connectors and adapters
o Black cable ties (never use white color)
o Crimp or compression tool depending the connector type and coax stripping tool
o Self-fusing, electrical tapes, silicon grease and lithium grease
o GSM or satellite phone
o Console cable and serial to USB converter

b. Antenna Assembly
Manufacturer’s installation instructions should have been included with the antenna. Make sure to
carefully read all steps and assemble properly the antenna following this sequence:
- Assemble the mount (or base for Quick Deploy antennas)
- Install the ballast
- Install the antenna
Usually the feed horn, OMT and transmit/reject filter come

already pre-assembled while BUC and LNB are stored
separately. The installer must first attach the LNB and the
BUC to the OMT, using the Allen wrench and by placing the
“O”- Ring on its corresponding groove along with silicon Figure 122 - VSAT Waveguide
grease. Flanges
Importantly, if the system uses a circular polarization, the circular polarizer should be aligned
following the arrow and writing (LHCP or RHCP) on the OMT.
The fully assembled feed is then attached to the antenna feed support (follow instructions manual).
c. Connecting the Spectrum Analyzer
Use the two-way splitter, connect the spectrum analyzer to the LNB, with the input connected to the
F connector incoming from the LNB. One of the outputs connected to the spectrum analyzer, and
the other output connected to the L band satellite modem input. As the L band modem includes an
internal power supply, it will feed the LNB with the necessary power to make it work properly. The
spectrum analyzer should include a DC Block to avoid DC current to go into it. Alternatively, you can
use a splitter with DC block included on the output, or a spectrum analyzer with DC voltage tolerance,
such as the R&S FSH3. Once all connections have been done, boot up spectrum analyser first then
the modem.
VSAT Feed
L
N
B
Internal DC
Power
DC Power Modem
RX IF Signal
L-Band 2-Way
Splitter
RX Out
DC Power DC Block
RX in RX IF Signal
RX Out
RX In
Spectrum Analyser settings:
- Resolution Bandwidth: 100 kHz
Spectrum
-Video Bandwidth: 100 Hz
Analyzer
- Span:1 Mhz
- Sweep time: auto
- Amplitude scale: 1 dB / div
- Center Frequency: either Rx frequency or satellite beacon frequency
in the L band
Figure 123 – Connecting the Spectrum Analyzer

The spectrum analyzer should be configured with the indicated parameters in the previous figure.
The so called “beacon frequency” is a known receive frequency of satellite and can be used to identify
the correct satellite. Obtain the beacon frequency from your NOC. Examples are:
- Rascom-QAF1: 4799.0 MHz (LHCP - C Planned band)
- Arabsat 5A: 3705.1 MHz (LHCP - C Normal band)
- Arabsat 5A: 4191.0 MHz (RHCP - C Normal band)
To set the spectrum analyzer, the beacon or Rx frequency should be converted to L band values,
since the received signal is obtained after the LNB down-conversion. The following formula applies:
FL = LO - FC
Where LO is the LNB local oscillator frequency (refer to specs)

FL is the frequency in L band
FC the frequency in C band
d. Setting the Elevation and Azimuth.
Going back to the antenna, make sure the position is oriented correctly to the center of the satellite
orbital arc (all visible satellites from that particular site) and the canister is locked tightly against the
mast by tightening the lock screws.
Set the antenna to the elevation values
provided by service provider.
Note that, for offset type antennas, the

real line of sight to the satellite on the
elevation axis is different from the
physical antenna dish elevation. The
elevation to be physically set at the
antenna can be calculated using the
following formula:
Em = Et - 
Where Et is the true elevation

Em is the measured elevation
 is the offset angle
Figure 124 - Azimuth and Elevation Pointing
To adjust the elevation, first place the inclinometer (which may have a magnetic strip) on the back of
the antenna, behind the reflector support. The inclinometer should be parallel to the dish. It shows
the current physical elevation of the antenna, by pointing an arrow to the ground, and showing the
elevation in degrees with a scale. Ensure that the inclinometer is showing 0° when the antenna
elevation is 0° (i.e. pointing to the horizon), and increases when the elevation is increased (i.e.
moving up to the sky).
Once the inclinometer measurement is ready, raise or lower the antenna to find the desired elevation
by turning the 1" nuts located at the elevation block using the appropriate tool (1-1/2” wrench).
Position the top nut so that it will not interfere with adjustment. Turn the bottom nut clockwise to
increase elevation and counterclockwise to decrease elevation until desired satellite elevation is
reached.
Use the compass to set the azimuth values. The compass needle always shows north, which
represents 0°. Place the compass horizontally and move the base until the arrow matches North on
the printed scale. The complete azimuth values are represented on the compass, for example, E is

+90° and SW is 225°. Note that some error may be introduced by the antenna metal parts or metal
structures near it, magnetically affecting the compass behavior, make sure measurements are taken
away (at least 15 feet) from the antenna or structure. For proper measurements, a correction still has
to be applied, since the true north does not exactly match the magnetic north pole that the compass
uses for its measurements. The correct value to be set at the azimuth when using a magnetic
compass can be calculated using the following formula:
Am = AT - 
Where Am is the measured value at the compass

AT is the actual true value you want to obtain.
The correction factor  is called the “magnetic declination angle” and changes across time. Actual
value can be obtained from the National Geophysical Data Center (visit the website).
The azimuth supplied by the service provider should both indicate the true value and the measured
value on the compass. Once the compass measurement is ready, open the azimuth movement by
unlocking the two 1” adjustment nuts on the azimuth adjustment rod using appropriate tool (1-1/2”
wrench), to allow free movement of the dish for the whole length of the azimuth rod. Standing behind
the satellite dish, grasp the outer edges of the satellite dish and move right or left, until the antenna
is adjusted to the desired azimuth direction.
At this stage the installer should see the beacon on the spectrum Analyzer. The beacon shows as a
thin peak rising around the noise floor, and getting higher as long as the antenna beam is closer to
the satellite. If no signal is present keep moving the satellite dish slowly in a 20 degrees sweep in
one azimuth direction, and then the other until you get a signal. If still no signal is picked, verify all
parameters and start a large azimuth sweep (-20 to +20 degrees) starting from -20 degree elevation
to +20 degree elevation.
Some satellites share the same beacon, which may cause the installer to point at another satellite
than the desired one. To ensure that the correct satellite has been found, change the center
frequency of the spectrum analyzer to the site Rx carrier and compare with the plot the NOC
provided. Take a picture of the spectrum analyzer plot and send it to the NOC for confirmation:
Figure 125 - Shared SP plot vs. observed plot on a spectrum analyzer
e. Signal Peaking
If you reach this stage, the most difficult – finding the satellite - has been achieved, congratulations!
At this stage, the installer should make small adjustments on the Azimuth then Elevation repeatedly
one at a time until the strongest signal is obtained, which is defined as the greatest beacon height
on the spectrum analyzer. Adjustments should be no more than 1 degree in azimuth or elevation
while giving enough time to spectrum analyzer (5 seconds) to display the new signal. Once the fine-
tuning process is done, lock the dish by tightening all of the hardware used for adjustments and
making sure the amplitude of the signal does not drop, proceed to apply to the azimuth and elevation
rods the lithium grease provided with the installation kit and move to the IFL installation.

4.4 INTER FACILITY LINK INSTALLATION
Most of the time, the coaxial will come already assembled. Unless requested by the NOC, for
example if there is too much signal loss, it is recommended not to cut the coaxial to the exact length
ODU -> IDU. In other situations where the cable is shipped in bulk, a connector might be need or
replaced. Section 4.4.1 covers the assembly process for F connectors and RG11 cables. In any
VSAT installation, connectors must be weatherproofed to ensure a long lasting installation which is
described in section 4.4.2. Section 4.4.3 describes IFL installation standards to ensure the maximum
longevity of the overall coaxial cable.
4.4.1 F Connectors Assembly on an RG11 Cable (Compression method)
Figure 126 - Assembling an RG11 F connector
4.4.2 Weatherproofing Connectors
Figure 127 - Weatherproofing a coaxial connector

Optionally, for an even better protection, a flame retardant sleeve is used as last layer. In that case
only one layer of self-fusing tape and one layer on top of electrical tape is required:
Figure 128 - Weatherproofing using a heat-gun
4.4.3 IFL protection
Coaxial cables can be damaged through every day wear and tear. To ensure cable longevity, it is
recommended to:
- Weatherproof any coaxial cables kept outside (see previous chapter). This will prevent any
rusting of the cable while protecting the cable itself from various outdoor forces of nature
(sunlight, rain, animals etc.).
- Avoid bending the cable. The cable is easily capable of being curved, but should never be
crimped or turned at an angle. Many wires are inside the coaxial cable and bending these wires
could disrupt the cable's ability to transmit information. Each cable type has a different bending
radius, refer to the cable technical specifications.
- Surround outdoor cables with PVC pipes. Make sure the cable is not bent inside.
- Leave extra coax cable on the rear of the antenna in case it has to be pointed toward another
satellite.
- Create “drip loops” before the indoor entry point and connectors. This will prevent fluids
and moisture from entering either the building or the connectors.
- Install surge arresters by the modem connectors.
Figure 129 - Protecting coaxial cables

4.5 INDOOR UNIT INSTALLATION
4.5.1 iDirect Modems
WARNING: NEVER CONNECT THE TX PORT TO THE BUC UNLESS PROVIDER APPROVED
The procedure below details the configuration steps for iDirect VSAT modems. It applies to all
models: Infiniti 3000/5000/7000 and X series (X1, X3, X5).
Pre-requisites:
- A computer with serial or USB port
- A serial to USB converter and a serial cable
- iSite software
- Package (.pkg) and Configuration files (.opt) as shared by the service provider
a. Connect the computer to the modem using the console cable:
Serial LAN
RJ45
USB to Serial
Laptop running iSite
Feed
horn
L
N
B
Figure 130 - iDirect Connection diagram
b. Obtain the modem IP address, ID and serial number
Using Putty or another serial, connect to the console port of the modem. The default login user is
root and password is P@55w0rd! (or sometimes “iDirect”).
iDirect Linux 2.4.24-uc0-iDirect0

Kernel 2.4.24-uc0-iDirect0 on an armv5b
iDirect login: root
Password:
Linux iDirect 2.4.24-uc0-iDirect0 #1 Tue Jun 7 17:38:22 EDT 2011 armv5b unknown
#

Enter the command telnet 0 to enter the falcon mode. The default login user is admin and password
is P@55w0rd! Continue with the command laninfo to display the IP address of the modem. The IP
address is required for the configuration file upload using iSite.
# telnet 0
Entering character mode
Escape character is '^]'.
Username: admin
Password: *********
[RMT:79058] admin@telnet:::ffff:127.0.0.1;1036
> laninfo
Address: 10.3.1.1
Netmask: 255.255.255.0
c. Using the iSite software to manage the modem
iSite is a software tool to manage the remote device by direct connection through the
Ethernet port in the rear modem. Depending on the iSite version, not all iDirect modem
are supported, thus make sure the service provider shares the adequate software
version along with the configuration files. For iDirect X series modem, the version has
to be 12.0.0.0 or higher (go to Help menu -> About iSite).
Before being able to configure the modem, make sure your computer has an IP address in the same
range as the one obtained through the “laninfo” command. In the example above, the computer could
be configured with any IP in the range 10.3.1.2-253 with a network mask of 255.255.255.0.
As the iSite software is launched, the modem will be automatically surveyed. If not found, verify the
IP and firewall parameters then go to File -> new, right click over the “unknown” device and click on
“login”. The default password should be “iDirect”.
Figure 131 - Discovering the iDirect modem through iSite

e. Uploading package files
Once discovered, the installer must upload the package and options files provided by the service
provider to the modem. Select the remote and right click on the “Download Package”. Browse for the
service provider *.pkg file. Then make sure the “Don’t check version”, “download images only” and
“don’t reset” options are ticked. Then click start to commence the upload process.
Figure 132 - Uploading the pkg file
f. Uploading options files
Perform likewise the package file, go back in the three view and select “download option from disk”.
Browse and install the appropriate option file. The option file is built by the service provider and
matches the specific site, as such it contains:
- - the Geographic location, which is important to determinate the timing delay.
- - the antenna information, such as its power voltage, BUC/LNB oscillator references.
- - the DID number. The HUB identifies each remote using a “HDLC number”, which it is related
to the DID of the modem.
This means a modem replacement cannot be done without generating a new OPT file.
At this stage, the pointing can be verified by going back to the tree
view, right clicking on the remote, selecting “Align Antenna” and
then click “Antenna pointing”. A graph showing a green bar
indicating the signal strength should be displayed.
Call the service provider to finalize the installation. This might

include further fine tuning the antenna, performing the cross-
polarization test and establishing the 1dB point.

4.5.2 SCPC modems
Once the antenna has been pointed and fine-tuned, reach the service provider for a step by step
modem configuration. The installer should have received a modem configuration file similar to the
following:
Figure 133 - Sample Configuration file for SCPC modem

4.6 GROUNDING & LIGHTNING PROTECTION
To avoid any potential grounding problem BUC & LNB must be connected with a 16 mm2 grounding
cable to the indoor rack using the termination lugs provided with the installation kit.
Notes:
• Telecom equipment grounding is separate from building electrical grounding
• Always use the shortest and most direct path to ground point
• Avoid sharp bends in ground cable
• Do not connect the equipment ground to the lightning arrestor
• Lightning protection is not the VSAT installers’ responsibility
• Lightning protection reduces the risk of fire and does not protect the equipment
► Refer to the VSAT Installation Grounding.pdf file in the USB Flashdrive.
------------------------------------ END OF CHAPTER 5 ------------------------------------


CHAPTER 6
IP NETWORKS
(LAN/WAN/VoIP)

1 LAN/WAN ARCHITECTURE PRINCIPLES
1.1 STANDARD LAN DESIGN
When creating a LAN for an emergency office, the best practice is to adopt a modular approach to
the network design. Network should be segmented into functional areas or modules, following the
idea of flood chambers in a boat which minimizes the global impact of a localized event on the LAN.
Apart from a positive impact on security, stability and day-to-day operations (easier troubleshooting),
this approach also creates scalable networks where a module can be added or removed without
having to redesign the rest of the network.
There can be many modules in a LAN: remote access module (VPN termination), video-conference
module, PSTN module, etc… In most networks however, three main modules (core, access, server)
are the common denominator:
As illustrated, servers
should not be
Servers
connected to the
Servers Access layer but to
the Server Block
“Server Access Layer”

Module
for all centralized

Server
Data Center Switch services: AD, DHCP,

Shared Drives etc...
Core Module
Dotted box: two

different modules,
Core LAN To Firewall usually both hosted in
device Internet, WAN a secure centralized
Data Center.
Access Layer
Typically, one Access

Module per wiring
closet. Up to four
switches can be
stacked in one Access
Module.
Access Module 1 Access Module 2
Printers, laptops
devices
desktops, VC devices.
End
WiFi Access Points

and IP Phones if
applicable.
Figure 134 - Standard LAN Design
In the case of emergency offices, the above model can be simplified by combining the Access, Core
and Server Layers creating what is called a “Collapsed Core”. In a nut-shell, all emergency offices
can be represented by three categories, the differentiating factors being as follows:
• Less than 100 staff AND • More than 100 staff AND/OR
• No local IT Support AND
• No VLAN-segregated IP Telephony AND • VLAN-segregated IP Telephony AND/OR
• No local services except Internet
• No remote office or hot standby BCP • Remote office or hot standby BCP site to
connectivity/printing provision
site to connect connect
Case 1: Server-Less Office Case 2: Flat LAN Case 3: Routed LAN
Figure 135 - Office LAN classification

1.1.1 Server-Less Office (case 1)
An office is classified as “case 1” (server-less) if it requires a minimal ICT infrastructure footprint. In

this case, all layers would be collapsed and network services performed by an all-in-one appliance:
Figure 136 – Server less networks
This solution is only recommended for small temporary offices (1-15 responders, less than 6 months)
that would require basic Internet access to personnel through WiFi and relies on simple and cost
effective equipment (all-in-one wireless routers: Meraki, DD-WRT…).
1.1.2 Flat LAN (case 2)
An office is classified as “Case 2” (Flat LAN) if it has less than 100 staff, no remote office or “hot
standby” BCP site to connect. Functional VLANs might be necessary when adding modules (Corp
WiFi, Guest WiFi, IP telephony…):
Figure 137 - Flat LAN
IP NETWORKS (LAN/WAN/VoIP) 143

1.1.3 Routed LAN (case 3)
An office is classified as “Case 3” (Routed LAN) if it has more than 100 staff, need to connect remote
office(s) or “hot standby” BCP site(s), requires geographical VLAN segregation and possibly network
redundancy:
To Firewall
HSRP .30
.28 .29
.124 .125
HSRP .126
Core 1 Core 2
.252 .253
HSRP .254
.252 .253
HSRP .254
.252 .253
HSRP .254
Figure 138 - Routed LAN
Case 2 are very rare and would only apply for large long-term emergency offices.
1.2 ACCESS TO THE INTERNET, WAN & CLOUD
Determining the correct bandwidth is essential to avoid congestion. Usually the bandwidth is
calculated based on the type of connectivity, quantity of Internet links and amount of users:
Amount of Single Terrestrial ISP Dual ISP/VSAT VSAT No local server

users Down Up Down Up Down Up Down Up
5 1762 384 1536 384 896 256 5120 1024
15 3072 640 2816 512 1792 384 9216 1792
30 4608 1024 4096 896 2560 512 13824 2816
45 6144 1280 5632 1280 3584 640 17920 3584
60 7680 1536 6656 1280 4096 896 22016 4608
75 8704 1792 7680 1536 4608 1024 25600 5120
Figure 139 - Bandwidth (Kbps) guidelines for emergency offices
Depending on countries and scenarios, Internet access would be available through following means:
- Local ISPs, can provide terrestrial or satellite links, oftentimes with more advantageous terms
than global providers but with a lower quality of service.
- Corporate terrestrial links: a global provider is contracted to ensure that offices benefits from the
best terrestrial connectivity option. In such case the operator also maintains dedicated leased
connections to Corporate global data centers.
- Corporate VSAT: a global VSAT provider is contracted to maintain the satellite network and the
leased lines from field offices to Global data centers. Providers usually implement MPLS

(Multiprotocol Label Switching), which is an improvement to the classical IP routing as data is
directed based on short path labels rather network addresses.
- Mobile Satellite (BGAN or Thuraya IP): are rarely used as main Office connectivity due to their
high usage costs. Similarly to local ISPs, an IPSec tunnel should be implemented to access the
WAN.
Wide Area Network (WAN) refers to the organization’s worldwide network, which is basically the
addition of all country LANs and their linkage to the main data centres. The WAN is accessed through
the establishment of IPSec tunnels which can be initiated either directly from the client machine
(OpenVPN, Cisco Any Connect, DirectAccess) or from a network appliance (router, firewall...). In all
cases IPSec tunnels are terminated in datacenters by an appliance called a VPN concentrator.
Thanks to the advent of cloud computing, humanitarian organizations no longer need to maintain
local or global servers. This allows to deploy “lighter” networks and reduce the ICT footprint, which
is also advantageous for emergency response, pending enough bandwidth is available. Services
generally hosted in the cloud are:
- Office 365, which includes email (Outlook), file sharing (SharePoint and OneDrive) and Active
Directory Federation Services (ADFS) for the end user authentication;
- Enterprise Resource Planning (ERP) software, based on Oracle, SAP, Salesforce…
- Windows Server Update Service (WSUS), which provides updates to Microsoft applications;
- AntiVirus updates;
- Domain Name System (DNS), which translates Intranet and Internet website addresses into
numerical IP addresses;
- Telephony and Voice over IP, for example with Skype for Business.
Because centralizing IT services in global data centers or in the cloud increases the load on existing
link bandwidth, and instead of systematically procuring additional capacity (which is not a solution to
congestion), UNICEF implements a number of WAN optimization techniques. These techniques
are usually performed by the security gateway or PC client and are summarized as below:
- Deduplication: eliminates the transfer of redundant data, sending references instead.

- On-the-fly compression applied to data passing through the appliance.
- Latency optimization: include TCP refinements such as window-size scaling, selective
acknowledgements, congestion control algorithms, and even co-location strategies in which the
application is placed in near proximity to the endpoint to reduce latency. In some
implementations, the local appliance will directly answer requests of the client instead of
forwarding it to the remote server.
- Caching/proxy: storing data in local caches.
- Forward error correction: mitigates packet loss by adding another loss-recovery packet for every
“N” packets that are sent, and this would reduce the need for retransmissions in error-prone and
congested WAN links.
- Protocol spoofing: multiple requests from “chatty applications” are bundled and sent together.
- Traffic shaping: controls data flow for specific applications and enables to decide which
applications take precedence over the WAN. A common use case of traffic shaping would be to
prevent one protocol or application from hogging or flooding a link over other protocols deemed
more important.

1.3 IP & ROUTING
Usually the Routing/NAT/PAT functions are performed by a router CICR Hosts Netmask
or security gateway. The automatic distribution of IP parameters /30 2 255.255.255.252
(DHCP) to end-user devices can either be performed by a
Windows server or a network appliance (firewall, switch, wireless /29 6 255.255.255.248
controller). Following devices are assigned with IP addresses /28 14 255.255.255.240
either via DHCP or statically: /27 30 255.255.255.224
- Static: routers, Switches, Wireless bridges, Access Points, /26 62 255.255.255.192
servers and WLAN controllers /25 126 255.255.255.128
- DHCP: computers, printers, scanners, smartphones, tablets,
/24 254 255.255.255.0
IP Phones…
/23 510 255.255.254.0
In large humanitarian agencies, each country has a pre-assigned /22 1022 255.255.252.0
private IP address range that can be used when a new LAN is
/21 2046 255.255.248.0
required. A best practice is to assign a /24 range to small or
medium offices and a /23 range for the largest offices. /20 4094 255.255.240.0
Figure 140 - Dimensioning networks
Then, as a rule of thumb:
- First and last addresses of any range are automatically used by IP as network and broadcast
addresses. They should not be allocated to any network interface.
- The last IP addresses of the LAN range, outside of the DHCP scope, are reserved for network
equipment such as routers, firewall, switches... The gateway is always assigned the last IP
available (x.y.z.254).
- End users receive IP parameters from a DHCP server starting at the beginning of the scope.
1.4 VIRTUAL LANS
Virtual networks or VLANs allow network administrators to create groups of logically networked
devices that act as if they are on their own independent network (different IP subnet), even if they
share a common physical infrastructure. Virtual networks carry specific terms defining the type of
network traffic being carried or a specific function the VLAN performs. The following describes
common VLAN terminology:
- Data VLANs are identified by a number and configured to carry only user-generated traffic. Such
traffic would include:
o Functional VLANs such as wired machines, corporate WiFi, guest, IP Telephony…
o Location VLANs such as a wiring closet, a building, a floor, a department (marketing,
finances…).
- Trunk links are required to transfer all VLAN information between switches. A port on a switch
is either an access port or a trunk port. Access ports belong to a single VLAN and only carry
traffic that comes from the VLAN assigned to the port. A trunk port is by default a member of all
the VLANs that exist on the switch and carry traffic for all those VLANs between the switches.
To distinguish between the traffic flows, trunk ports mark the frames with special tags as they
pass between the switches.
- The management VLAN is referred by network administrators as the VLAN used to access the
management and configuration interfaces of the networking devises (ex: CLI, Web GUI…).

1.5 SECURITY AND FIREWALLS
To enforce LAN security, the “zone-based security” approach is used. A zone is a part of a network
that groups a specific function or role, and is rated from “trusted” to “untrusted” depending on the
nature of the traffic that it carries. Zones would restrict a pre-defined set of protocols and/or users
and has well defined inputs and outputs to other zones through a firewall:
Figure - Security Zones
In practice, security zones typically translate into firewall ports (virtual or physical). Several ports
could be part of a specific level or colour of security zone, effectively introducing several “shades” of
color (e.g. “darker” or “lighter” green etc…). As an example, the WAN is typically part of the green
zone but on a separate firewall port: the WAN conveys trusted traffic (green zone) but is still on a
separate firewall port for basic security visibility and control (dark green zone).
A default global security policy should be implemented globally to all firewalls. Such policy is
implemented by creating rules in the firewall, which in turns filters any packet to make sure only
legitimate traffic enters or exits the local networks. Rules can be later adapted on a case by case
basis depending on the site’s specific requirements.
Firewalls implements an algorithm (“Adaptive Security Algorithm”) that inspects the state of TCP and
UDP connections between a client in the network and a server on the Internet. Such inspection
generally protects against common attacks (such as Denial of Service or man in the middle attacks).
2 additional mechanisms, named “Intrusion Detection” and “Application Inspection”, analyses traffic
and prevent the propagation of virus, worms and spam through the network.
1.6 VOICE OVER IP (VOIP)
With the adoption of Microsoft Skype for Business as a standard for IP telephony, users can dial
correspondents either with the Skype for business software or with physical phones (Polycom).
Functioning as a SIP Gateway, a dedicated network appliance (Audiocodes, Sonus…) can be
implemented to enable local coms (PSTN, office communications…).
Another popular solution is Cisco’s IP Telephony solution. The voice traffic is handled by Cisco’s
Unified Call Manager (UCM) or for smaller offices, Cisco’s Call Manager Express (CME) which is
embedded to all Cisco voice routers. CME also allows to deploy IP and analogue telephones and
linking with the PSTN or a PBX.
Most Voice Gateways have slots where additional cards can be inserted, for example:

- BRI, E1/T1 and PRI are digital interfaces used to connect the VoIP Gateway to the PSTN.
- FXS interfaces are configured with a Plain Old Telephony Service (POTS) numbers and can be
used to plug analogue phones.
- The FXO ports are analogue meant to connect PBXs or the PSTN.
When issuing internal “on-net” calls (as opposed to “offnet” calls), the dialing plan for UN offices is
standard and as follows:
COUNTRY CODE – AGENCY CODE – OFFICE CODE – EXTENSION NUMBER

(XXX-XX-XX-XXXX)
The amount of extension digit can vary from 2 to 4 depending on the offices, for example:
UNICEF Global ICT Help Desk in NYHQ, dial 1-03-01-7123

UNICEF Dakar CO, dial 221-03-01
UNICEF Amman CO, dial 962-03-01
For offnet calls, ie calls through the local PSTN or a SIP provider, offices typically have too dial a
prefix then the full number (for example: 00 for international calls or 9 for local calls).
1.7 HIGH AVAILABILITY AND LINK REDUNDANCY
Network High Availability (HA) is a process through which additional

or alternate network equipment and communication mediums are
installed within the network infrastructure. The objective being to
prevent the office from losing Internet connectivity in case of a critical
network device failure. High Availability should only be considered
when an offices reaches 150+ staff, and is therefore not applicable to
most emergency response scenarios.
Link redundancy and automatic failover is however necessary for

any long term deployments (> than 6 months) and when using local
ISPs (reliability is not guaranteed). A recommended redundant link
can be a VSAT or local ISP (different fiber). A network appliance
(usually router or security gateway) should enable the automatic
failover of traffic when a link is down.
Figure 141 -
Redundant Network

2 LAN HARDWARE STANDARDS
2.1 SECURITY GATEWAYS
Meraki Z1 Meraki MX64W Meraki MX65 Open Sytems

Price ($) 150 350 600 OTC + MRC *
2 x WAN 2 x WAN 2x WAN
# Interfaces 8 x 1Gbps
4 x 1Gbps LAN 4 x 1Gbps LAN 4 x 1 Gbps LAN
PoE No No 2 ports No
WiFi Yes Yes No No
Max Throughput 50 Mbps 200 Mbps 200 Mbps 1 Gbpps
Max clients 5 50 50 1000
Max VPN throughput 10 Mbps 100 Mbps 100 Mbps 400 Mbps
Figure 142 - Recommended Security Gateways for Emergencies
(*) Open Systems is the company managing UNICEF firewalls. Please contact ICTD for latest pricing.
2.2 SWITCHES
Meraki Meraki Cisco Cisco Cisco

MS220-8P MS225-24P 2960CX-8PC 2960X-24PS 3650-24PS
Price ($) 650 1,870 600 1,780 2,200
L3 routing No Yes No No Yes
1 Gbps int. 8 x 1Gbps 24 x 1Gbps 12 x 1Gbps 24 x 1Gbps 24 x 1Gbps
10 Gbps int. 2 4 2 4 4
PoE Wattage 124W 370W 124W 370W 390W
Figure 143 - Recommended Switches for Emergencies
2.3 VOIP GATEWAYS
Cisco Cisco Sonus Avaya

881-V ISR 4321 SBC 1000 IP500
Price ($) 750 1,800 5,000 ~1,050
Interfaces 4 x 100Mbps 3 x 1Gbps 3 x 1Gbps 2 x 1Gbps
VoIP Integrated: Optional: Optional: Optional:
Interfaces 4FXS, 1FXO, 8x 1 Gbps 16FXS, 8FX0, 30FXS,
2BRI 8FXS, 8FXO, 4E1/PRI 16FXO
8E1/PRI, 4BRI 8E1/PRI
Max IP phones 5 50 600 270
Figure 144 - Recommended VoIP Gateways for Emergencies

2.4 IP PHONES
Cisco Cisco Cisco Polycom Polycom

8841 8831 XS20 VVX 410 CX5500
Price ($) 300 1,250 5,000 ~1,050

Platform Cisco / SIP Cisco / SIP Cisco / SIP S4B S4B
Capacity Voice Voice Voice / Video Voice Voice / Video
Figure 145 - Recommended IP phones for Emergencies
2.5 EMERGENCY KITS
Because configuring local area networks requires a significant amount of time (which is a limited
resource in an emergency), humanitarian organizations design “emergency kits” based on specific
requirements (WiFi, VoiP, servers…) and hardware. Kit are assembled, configured, tested and then
stored until deployed. In UNICEF, the following kits are available for deployment:
CB
VOICEBRI VOICEBRI FXS FXO
2 1 6 5 4 3 7
Mini Small Medium Heavy Mega

Kit Kit Kit Kit Kit
Price ($) 300 1,100 4,500 7,500 12,500
Max clients 5 20 40 75 100
Security Gateway Meraki Open Open Open
Meraki Z1
MX65 Systems Systems Systems
# WAN ports 1 2 6 8 8
Switch Integrated Integrated 3560CX-12 2960X-24 2960X-48
# Gigabit switch
4 10 14 24 48
ports
# PoE ports 0 2 12 24 48
Access Point Integrated Optional Optional Optional Optional
Default AP # N/A 5 5 15 25
Max AP # 1 10 50 50 50
VoIP Gateway N/A Optional 881-V 4321 4331
Max IP Phones N/A N/A 5 50 100
Server N/A N/A N/A Optional Optional
Case Pelican
Dimensions
30x20x10 42x22x33 65x70x35 70x73x40 70x73x50
(WxDxH)
Rack size N/A N/A 4U 4U 6U
Weight 3Kg 8Kg 30 Kg 40 Kg 50 Kg
Figure 146 - UNICEF Emergency Kits

3 MANAGING AND CONFIGURING IP NETWORKS
3.1 MERAKI MX/Z1 SECURITY GATEWAYS
Plug the MX oor Z1 to the electricity and connect a computer to any of the LAN ports:
Figure 147 - MX/Z1 initial connection
Once the MX has booted (LED rotating colors), the computer should obtain a DHCP IP address in
the 192.168.0.0/24 network, with the MX as gateway 192.168.0.1.
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :

Link-local IPv6 Address . . . . . : fe80::4937:7968:e864:6143%12
IPv4 Address. . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
In a web browser, type the MX IP address (192.168.0.1) to access the local web configuration page
(note that since there is no Internet connectivity, the page shows a warning):
Figure 148 - Meraki MX/Z1 local configuration page
Go to the configure tab. The default credentials use the device serial number as the username, with
a blank password field.

Next, setup the IP address for the MX Internet as
follows:
- VLAN tagging: no
- Connection type: direct
- IP Assignment: static
- Enter the IP address, subnet mask, default
gateway IP and DNS server information.
Note: if the office has a secondary internet line, configure static or DHCP IP parameters for:
- Interface Internet 2 for the MX65
- Interface LAN 4 for the MX64
It will take couple minutes before the MX connects to the Meraki Cloud. Once operational, the LED
should turn white. You can connect to the new MX IP from an Internet browser to verify:
If you reached this stage, basic configuration of the MX has been achieved, the devise will connect
to the Meraki cloud and proceed with the download of its configuration (pending a global admin has
pre-configured the devise). You can connect to www.meraki.com to access the network statistics:

Figure 149 - Meraki Dashboard

3.2 OPEN SYSTEMS SECURITY GATEWAYS
This session details the setup process of the Open System (aka “Mission Control”) security gateway
used in the majority of UNICEF offices. A working internet connection as well as a publically available
IP address will be required in the emergency site (DHCP based ISP for example are not supported
at the time of writing).
3.2.1 Mission Control Security Gateway Overview
The Mission Control security gateway is operated as a managed device. This means the Mission
Control operations teams in Switzerland and Australia are responsible for the operational support of
installations, incidents and changes. This applies not only to emergency response but also regular
operations. Support is obtained either by using the ticketing system integrated with the Mission
Control web portal or the 24x7 hotline.
The Mission Control firewall not only carries out regular security operations (filtering, state inspection,
intrusion detection…) but also many routing functions at layer 3:
- Network and Port Address Translation (NAT/PAT). As LAN and WIFI clients have non routable
private IP addresses, the firewall translate all internal addresses to its public IP address(es).
- IP routing, so IP packets coming from the LAN/WLAN are routed through the Internet or the
WAN.
- IPSec tunnelling to link LAN and global UNICEF WAN.
- Automatic IP parameters address assignment (DHCP server) for LAN, WIFI and IP phones.
- Packet filtering to make sure only legitimate traffic enters or exits the local networks. The filtering
is enabled by the implementation of specific rules (defined by the global UNICEF security policy).
- Adaptive Security Algorithm to inspect the state of TCP and UDP connections between a client
in the network and a server on the Internet. Such inspection generally protects against common
attacks (such as Denial of Service or man in the middle attacks).
- Intrusion detection and application inspection, two mechanisms to analyse traffic and prevent
the propagation of virus, worms and spam through the network.
- Monitoring and statistics for all used interfaces.
Next figure illustrates the default interface assignation of the Mission Control security gateways:
Figure 150 - Mission Control interfaces

Following is the list of all available interfaces in the firewall and their pre-configuration:
- E0 – Primary link or WAN: due to the impossibility to pre-configure such interface, a (public) IP
address must be manually assigned from the field. The responder must make sure the Internet
Service Provider (ISP) provides a non-NATted publically routable IP address.

- E1 – LAN + Voice: Interface is preconfigured by default with 2x sub-interfaces E1 and E1:1,
each acting as gateways in their respective VLANs: LAN (10.175.2XX.0/25) and Voice
(172.16.0.0/25). This interface connects to the Core Switch.
- E2 – Secondary link (Internet traffic or failover): similarly to E0 this interface cannot be pre-
configured and IP address must be manually assigned depending on scenarios. Automatic
failover is possible if the primary link goes down.
- E3 – DMZ (optional): Interface is pre-configured by default with a 192.168.0.1/24 IP address.
This interface connects to DMZ services such as the Video-conferencing devises and remote
access (Citrix).
- E4 – WIFI (optional): this interface is sub-divided into 2x virtual sub-interfaces E4.40 and E4.41,
each acting as gateway and DHCP server in their respective VLANs: Charlie WiFi (10.x.y.z/2a),
and Guest WiFi (172.16.1.0/24).
- E5, E6 and E7 are reserved for future usage. Depending on requirements, this interface can be
configured by the Mission Control operations team at a later stage in the emergency.
3.2.2 Firewall configuration pre-requisites
For UNICEF ICT responders, the only configuration required on the firewall will be to assign the ISP
provided public IP address to the external interface. Before doing so, it is mandatory to contact the
24/7 Mission Control Operations Center (+800 00 724 000 (toll-free number) or +41 58 100 11 11,
support@open.ch) and submit the following information:
- Highlight this is an emergency site installation

- Local IT administrator name and contact
- Host name of the security gateway (tag pasted on the device front panel)
- The public IP address provided by the ISP that will be assigned to the E0 interface
- The security gateway geographical location (address or if unavailable at least country and city)
Mission Control personnel will create a ticket which documents the complete
interaction referring to the setup of the emergency equipment. Such ticket will be
available using the security gateway Web Portal. Make sure the security gateway
has booted, it should be displaying the first 16 characters of its hostname as well as
its initially configured external IP address on the display on the front side of the device. Figure 151 –
Firewall Display
3.2.3 Assigning an External IP Address
A computer with a terminal emulator software (such as PuTTY or HyperTerminal), console cable and
USB to serial adapter is required. Plug the console cable to the security gateway console port, start
PuTTY and open a session on the COM port.
The security gateway UNIX prompt should display, enter username menu and password
Sam0cure16. The installer should redirected to the initconf menu. Select menu “3 – Configure
Network”.
Use the predefined hostname / interface name by

hitting enter and configure the IP address, netmask,
and default gateway of the interface eth0. Leave MTU
and NIC speed to default values
After committing changes, the security gateway will

Figure 152 - Configuring firewall IP reboot. Once finished booting, the newly configured IP
parameters address should display on the display on the front panel.

At this stage, the security gateway should be reachable through the Internet. A successful test would
be to “ping” the external IP interface. Reach Mission Control operations and inform the device is
reachable over the Internet. Mission Control operations will then finalize the configuration by
uploading latest OS patches, default security policies, internal network parameters, IP routing and
NAT, DHCP servers and finally IPSec tunnels to US Data Centers (thus connecting the site to
UNICEF WAN). The process should take 5 to 10 minutes.
Once configuration has been finalised, clients in the LAN, WIFI and IP Phones should get IP
addresses assigned automatically upon DHCP requests. Internet and Intranet should also be
accessible. Perform the following tests to verify these functionalities:
- Connect a computer to the LAN and check the correct IP assignment (for Windows use ipconfig
on the command line)
- Access any public website (e.g. www.google.com)
- Access any Intranet site (e.g. icon.unicef.org)
- Launch the Vision client (if it reaches the login prompt, test is successful)
- Proceed similarly using the WIFI networks and IP Phones
If any of these tests did not pass, call Mission Control operations and request live debugging support.
3.2.4 Managing the Security gateway
The security gateway management is available through a web portal that can be used to obtain
current status of services, configurations, statistics, troubleshooting tools and support tickets. URL
is as follow: https://control.open.ch/ Credentials are available to each UNICEF IT admin. A Token
generator will permit the last authentication phase. Press the token button to display the 6 numbers
and enter these in the portal. Once logged in, user is redirected to a page which lists the security
gateway included with the LAN kit.
Figure 153 – Security gateway Home Page
Click on the device to access the dashboard. The dashboard provides a quick status overview of the
security gateway: list of resolved and unresolved tickets, basic network interface parameters and
connection monitoring information for the last 24 hours:

Menu Bar
Open
Tickets
Network
Interfaces
Resolved
Tickets
Firewall
location
Subscribed
services
Link
Availability
Figure 154 - Security gateway Dashboard
In addition to the status overview the dashboard provides a menu link to more detailed security
gateway information:
The Statistics menu lists all sort of graphs, which can be useful to monitor bandwidth usage
patterns, link congestion and amount of LAN and WIFI clients connected… Clicking on each graphs
provides opens a more detailed page with historical graphs data over one day, week, month and
year.
The configuration menu opens a page listing security gateway settings such as IP routing, detailed
interfaces configuration, DHCP settings, failover status and, most importantly, the security gateway
security policy. Click the “Distributed Firewall Policy” link to open current, as well as former, firewall
policies:
Figure 155 - Security Policies
The global policy contains the complete set of rules configured for all UNICEF firewalls worldwide,
including the ones which are not relevant for the emergency location. To access the location specific
security settings, select the “Distributed Firewall Policy for ucef-sg9XX-dk-etr-1”.

Figure 156 - Firewall policy
The security policy consists of the following components:
- Chains consisting of filter constraints (source, destination, port), at least one

rule, and might contain sub-chains
- Rules consisting of a filter constraint and an action, namely accept, reject, or
drop.
The firewall analyses one by one each packet crossing its interfaces and
compares them with the list of rules and chains configured in descending order. If
the packet matches the criteria of a chain, then the firewall will enter this chain,
check for a matching rule and if not found it will enter sub-chains and continue
inspection recursively. If a packet matches the criteria of a rule, then the action
defined in this rule is applied to the packet (accept, drop, or reject the packet) and
it is processed. At the end of every chain there is a policy rule which handles all
packets which didn’t match any rule before.
The minimum global security policy for UNICEF Firewalls is composed of at least three main chains
named respectively “ext2wan”, “wan2ext” and “wan2wan”. Following is the signification of these
chains:
- ext2wan: Chain for rules of traffic from external to the UNICEF WAN.
- wan2ext: Chain for rules of traffic from the UNICEF WAN to external.
- wan2wan: Chain for rules of traffic between different Zones of the UNICEF WAN.
Coming back to the portal, chains can be expanded and collapsed by clicking the “+/-“ icon. For each
chain and rules, matching criteria are displayed:
- Source and destination networks

- Service items, meaning the application or TCP/UDP port
- Action to be taken when a rule matches (accept, drop, or reject).
- Comments, to add clarity to the rule.

- Reference ticket which caused the rule or chain to be implemented, providing useful contextual
reference information and audit tracking.
3.2.5 Troubleshooting tools
- Link Historical Status > Connection monitoring: link stability & SLA
- Statistics > System: view bandwidth congestion per interface
- Statistics > Encryption & WAN routing: verify tunnels are up
- Statistics > VPN Connections: verify tunnel usage, RTT and packet loss
- Configuration> Routing table: view routing table

- Configuration> Interfaces: view IP, speed and MTU of interfaces
- Tools > neighbor detection: scan all devises in the same network
- Tools > Port Scan: tests open ports for a specific devise
- Distributed Firewall Log Viewer: verify if the firewall is not blocking traffic
- Packet Capture: capture detailed traffic on an interface

- Real-time bandwidth monitor: verify congestion or clients using a lot of BW
3.2.6 Ticketing, Change Requests
Tickets are an important feature of the security gateway service since no change can be implemented
directly by UNICEF personnel on-site. Instead, the local administrator will raise a ticket, for example
to require a specific TCP port to be opened. Mission Control engineers will then analyse the request
and apply the change on the security gateway. Some changes require the approval from Network
Operations in NYHQ.
Tickets can either be created by the field administrator or by a Mission Control engineer during
operations to document a phone call or email. Tickets can also be automatically created by the
Mission Control monitoring engine to escalate warnings and alerts. In emergencies, service level
agreements impose a ticket to be resolved in less than 30 minutes.
To open the ticketing page, click on the “Tickets” tab in the main navigation bar at the top of the page.
Figure 157 - Ticketing Page
To create a new ticket, use the link on top of the ticket list next to the green. This
link will open a pop up window, in which the administrator must determine the ticket type (request,

change, maintenance, incident…), level of priority (emergency) and detail the request. If needed,
there is also an option to include attachments.
Any reply from Mission Control will be then logged in the newly created ticket. For example:
Figure 158 - Ticket waiting for input
New comments can be added to the ticket by clicking the “Add Comment” on top of the event list.
Once resolved, the ticket will summarize all events in chronological order.
3.2.7 Modifying Security Policies
As a daily routine, field IT administrator might need to create additional firewall rules to allow
legitimate applications to pass through. Firewall changes must be requested via the ticketing system
(see previous chapter). It is essential to provide as much information as possible so the request is
comprehensible to the Mission Control engineer in charge of applying the rule, for example:
- Source address(es)/network(s)
- Destination address(es)/network(s)
- Service(es) (protocol and port)
- Rule description
An example firewall rule change request might look as follows:
Please add the following new firewall rule:

Source: 192.168.1.0/24
Dest: 8.8.8.8
Service: TCP port 53, UDP port 53
Comment: Access to external DNS server for DMZ servers
Using the portal debugging and traffic analysis tools should prove useful to determine if a rule has
been applied. Also note that field administrators can create a request for a live debugging session in
which case Mission Control will call back and analyse the problem. A live debugging request might
look as follows:
We are not able to reach the Email server in Geneva from our DMZ 192.168.1.0/24.
Please call me back for a live debugging session. You can reach me on my mobile
phone +1 234 567 890. I am reachable all afternoon.

3.3 CISCO SWITCHES
The switch is a crucial component of the network as it forwards all layer 2 frames in the different
VLANs (if applicable) attached to its interfaces and powers low consumption devices (IP phones,
access points…). All wired network devices in the office kit are physically connected to a switch:
security gateway, wireless LAN controller, access points, IP phones… Switches can be managed
either with Cisco’s Network Assistant or with the Command Line Interface (CLI). The CLI can be
accessed via the console port or SSH using a software such as Putty.
3.3.1 Accessing the switch CLI
This method is recommended for responders being familiar with Cisco IOS
command and the CLI. All switch parameters can be modified using the CLI. For
further information about the list of available commands, refer to the following files
located in the flashdrive:
► Catalyst 3560-X - Configuration Guide - Release 12.1(19)SE.pdf
► Catalyst 3560-X - Switch Command Reference.pdf
a. Connect a PC to the switch console port with the provided blue console cable and power on the
switch. If the PC does not have a serial port, use a serial to USB converter.
b. To access the CLI, launch Putty.exe

(flashdrive), a free Telnet and SSH client.
c. From the Session Category, select the

Serial connection type.
d. Check the serial line (COMx) is the correct

one. If the cable is connected to the PC serial
port, it should be COM1. If you are using a
serial to USB converter, check in the device
manager which port was allocated (go to start
and type device manager).
e. Click Open.
Figure 159 - Putty configuration
3.3.2 General configuration
This section highlights how to name the switch, create a username / password, define its IP
parameters (VLAN 1), enable remote access (GUI, SSH, telnet, SNMP) and configure the time.
hostname SS-JBCP-CS-01
username admin privilege 15 secret 5 $1$UQXk$GkzF/itgviIjTel0bmfEY1
ip domain-name unicef.org
crypto key generate rsa
ip forward-protocol nd
ip http server
ip http authentication local

ip http secure-server
ip default-gateway 158.113.205.78
access-list 1 permit any any
interface Vlan1
ip address 158.113.205.76 255.255.255.240
no ip route-cache
snmp-server community unicef RO
snmp-server location Juba UNDP/BCP, South Sudan
snmp-server contact UNICEF ICT RoSS
line con 0
password 7 14311B0E0000233F74
line vty 0 15
access-class 23 in
password 7 1068001C09131B1F5C
login local
transport input ssh telnet
ntp server 158.113.18.9
clock timezone RoSS 3 0
3.3.3 Managing Switches via Cisco Network Assistant (CNA)
The Network Assistant is a network management software

designed by Cisco and providing a centralized network view
through a user-friendly GUI. When installed and launched for the
first time, CNA will prompt for a community (group of network
devices to manage).
Figure 160 - Creating a
To create a community, click OK and follow the instructions below: community with CNA
Enter the community name and company name.
Scan for the core switch by entering its IP

address. The discovery method to apply is “a
single device by IP address”.
The software should prompt for a login and

password. Enter the GUI / SSH credentials
Select the switch that should now be listed in the

devices section. Validate settings by pressing OK.
Figure 161 - Community parameters
The interface is divided into 3 parts. On top the menu bar one accesses the most commonly used
functionalities: rescan the network, save the configuration, upgrade the firmware, port and VLAN
configuration, health monitor, topology view…

On the left part of the screen one
accessess advanced menus and
options:
- The “Configure” menu enables
detailed configuration of the
ports, security, QoS, switching
and device properties.
- The Monitor menu files reports of
your device inventory, port
statistics, bandwidth graphs,
event notification and system
messages.
- The Troubleshoot category can
perform a graphical ping and
traceroute.
- The maintenance is used for
configuration backup, IOS
upgrade, device reload or telnet.
Figure 162 - CNA Interface
The central part of the screen opens the different configuration windows according to what is selected
in the feature bar. As an example here is displayed the topology, health monitor, fron pannel view
and the VLAN configuration menu.
3.3.4 VLANs & Trunk Ports
Using the CNA, go to the “Configure” menu of the features bar, go to Switching and then click
VLANs.
b. The list of ports with associated

VLANs should display. Go to
configure VLANs tab.
c. Create VLANs as needed by

entering its name and number.
Figure 163 - Creating VLANs

In the port configuration tab, select one or multiple ports and click
“modify” to edit the port’s properties:
- Ports with single VLAN should be administered as “static Access”
and with their assigned VLAN number.
- Trunk ports should be specified as “802.1Q Trunk”. One can specify
which VLAN should be included by the “Trunk-Allowed VLANs”
section.
Figure 164 - Assigning ports to a VLAN
An alternative would be to enter following commands using the CLI, here we create the VLAN 200:
switch(config)# vlan 200

switch (config-vlan)# name Guest WiFi
switch (config-vlan)# end
Then add port Ge2 to a specific VLAN:
switch(config)# interface gigabitethernet0/2

switch (config-if)# switchport mode access
switch (config-if)# switchport access vlan 200
switch (config-if)# end
Following commands are required to configure the port as trunk (multiple VLANs):
switch(config)# interface gigabitethernet0/2

switch (config-if)# switchport trunk encapsulation dot1q
switch (config-if)# switchport trunk allowed vlan 40,70
3.3.5 Optimizing the Switch Port Initialization
When connecting a PC to a switch, it may sometimes take 30 seconds or more before the PC can
communicate on the network. This is due to the many negotiations happening between the switch
and the PC network interface card: spanning tree initialization (15s), ether channel configuration test
(15s), trunk configuration test (couple seconds), auto-negotiation of switch port speed and duplex
(couple seconds)….
Although this negotiation phase is important when interconnecting switches, access points or
firewalls (especially the spanning tree protocol), on the other hand if end user equipment such as
desktops, laptops or printers connect to a port (and remains connected), the negotiation phase can
be reduced and optimized:
- Make sure all ports connecting to end users clients are in static access mode: in CNA, go to the
VLANs menu and manually define each ports as “Static Access” (instead of dynamic by
default). This disables trunk negotiation and prevents the port from going through Ether Channel
negotiation, saving about 15 seconds off of the switch port initialization. In the CLI, use the “show
vlan” command.
- Configure PortFast: in CNA go to port settings and check for the “port-fast” column, make sure
it is “enabled” or even better “enabled if static”. This saves the port from going through STP
negotiation and cuts another 15 seconds from the switch port initialization. In the CLI, use the
“spanning-tree portfast” command in the interface configuration mode.
- Optionally, you could also manually configure the switch port's speed and duplex, saving a few
more seconds. In CAN, go to port settings and modify each port via the speed and duplex
columns.

3.3.6 Improving port security
As DHCP is enabled on the LAN interfaces, it exposes the network to users connecting a non-
standard device to a LAN cable and gaining unauthorized access to the corporate network. Using
CAN, the port security functionality can be used to restrict a switch port so that only one device can
use it. When an inappropriate device attempts to send frames to the switch interface, for example a
user removing the LAN cable from a desktop to connect its laptop, the switch would discard frames
from the laptop, or even shut down the interface (not recommended).
a. Make sure the switch c. (Optional) Specify the
interface is on access mode b. Enable port security maximum number of allowed
(doesn’t work on trunks) MAC addresses
Figure 165 - Port Security for Switches

d. Deﬁne the action to take when a frame is e. Specify the MAC address(es) allowed to send
received from a MAC address other than the frames into this interface OR use the “sticky
one allowed (protect | restrict | shutdown). learning” process to dynamically learn first
connected device
This example shows how to configure a secure MAC address and a VLAN ID on a port using the
CLI:
Switch(config)# interface gigabitethernet0/2

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 1000.2000.3000 vlan 3
This example shows how to enable sticky learning and to enter two sticky secure MAC addresses
on a port:

Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.4141
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.000f
This example show how to configure a port to shut down only the VLAN if a violation occurs:

Switch(config)# switchport port-security violation shutdown vlan

3.3.7 802.1X Port Authentication
An alternative to the manual port security process would be to use – pending availability - a radius
server to authenticate users connected to the switch against their active directory credentials and
computer unique certificate.
To enable radius server authentication, enter following commands through the CLI:
Switch(config)# radius-server host 1.1.1.2 acct-port 1550 key abc1234

Switch(config-if)# authentication event server dead action reinitialicze vlan 42
switch(config-if)# end
3.3.8 Switch Configuration Backup
Copying to a USB flashdrive inserted in the switch:
CF-BOU-CS-01#copy running-config usb0:

Destination filename [cf-bou-cs-01-confg]?
!!.....
Copying to a TFTP server:
CF-BOU-CS-01#copy running-config tftp:

Address or name of remote host []? 10.16.3.205
Destination filename [cf-bou-cs-01-confg]?
!!.....
3.3.9 IOS Upgrade
If required do an OS update. Download the TAR IOS (warning the bin IOS does not include the full
webGUI) and do the update through the GUI.
Alternatively, the update can be done through console but it’s longer. Copy the TAR file to a USB
flash and adapt the following command:
archive download-sw /overwrite /reload usbflash0:c2960c405-universalk9-tar.152-4.E1.tar
3.3.10 Useful troubleshooting commands
Debugging switch port issues:
show interface status

show ip interface brief
show cdp neighbors
show port interface FastEthernet 0/1
sh ip arp
show mac address-table
Debugging PoE issues:
sh power inline
debug ilpower port
debug ilpower powerman
debug ilpower event

3.4 CISCO VOIP GATEWAYS
3.4.1 IOS Upgrade
Call Manager (Express) 11 is required for the latest Cisco SIP phones. CME 11 is available starting
with IOS version 15.6. If required, upgrade the firmware: copy the IOS to a USB flashdrive and issue
following commands:
copy flash:(Old IOS Image) usb0flash: (backing up the previous image)

Delete flash:(Old IOS Image) (not mandatory if there's plenty of space available in
the flash)
copy usb0flash:(new IOS image) flash:
verify /md5 flash: (New IOS image file name)
configure terminal
boot system flash: (New IOS image file name)
end
wr mem
reload
Note, that latest Cisco routers’ IOS-XE, the boot command is different:
#boot system bootflash:/isr4300-universalk9.16.04.01.SPA.bin
3.4.2 Initial configuration
This section highlights how to name the VoIP gateway, create a username / password, define its IP
parameters (Ge0), enable remote access (GUI, SSH, telnet, SNMP) and configure the time.
hostname SS-JBCP-VR-01
aaa new-model
aaa authentication login default local
aaa authentication login h323 local
aaa authorization exec h323 local
aaa authorization network h323 local
clock timezone Ross 3 0
no ip domain lookup
ip domain name unicef.org
file privilege 0
username admin privilege 15 secret 5 $1$UQXk$GkzF/itgviIjTel0bmfEY1
interface GigabitEthernet0/0/0
description Link_to_Core_Switch
ip address 158.113.205.77 255.255.255.240
no shut
ip default-gateway 158.113.205.78
ip forward-protocol nd
ip http server
!ip http access-class 23
ip http access-class ipv4 199
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:cmegui11.6
ip tftp blocksize 8192
ip tftp source-interface GigabitEthernet0/0/0

ip route 0.0.0.0 0.0.0.0 158.113.205.78
access-list 199 permit ip any any
line con 0
password 7 14311B0E0000233F74
line vty 0 15
access-class 23 in
password 7 1068001C09131B1F5C
login local
transport input ssh
ntp server 158.113.18.9
3.4.3 Enabling the VoIP Service (SIP and SCCP)
If the office needs to register Cisco or generic SIP phones to the CME:
voice service voip

allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
sip
registrar server expires max 1200 min 300
voice register global

mode cme
source-address 158.113.205.77 port 5060
max-dn 200
max-pool 50
load 8841 sip88xx.10-3-1-20.loads // Assigns firmware for the phone, ref tftp-bindings
load 8831 sip88xx.10-3-1-20.loads
authenticate register
authenticate realm unicef.org
tftp-path flash:
file text
ntp-server 158.113.18.9 mode directedbroadcast
If the office needs to register Cisco SCCP phones to the CME:
telephony-service
conference transfer-pattern
max-ephones 50
max-dn 200
ip source-address 158.113.50.119 port 2000
system message Welcome to UNICEF
load 7945 SCCP45.9-4-2SR3-1S
load 7960-7940 P0030801SR02
load 7965 SCCP45.9-2-1S
load 7970 SCCP70.9-2-1S
time-format 24
max-conferences 1 gain -6
web admin system name webAdmin secret 5 $1$Jesq$NiN3aZYnCl.EUrVQm7fyU/
dn-webedit
time-webedit
transfer-system full-consult

3.4.4 Configuring SIP Phones
First create the phone numbers, for example:
voice register dn 1 // Creates the number 236030501 and assigns it to J. Doe

number 211030501
name Cisco 8841 Phone
label 236030501 – J. Doe
mwi
!
voice register dn 2
number 211030502
name Cisco 8831 Conference Phone
label 236030502 – Conf room
mwi
Then create the SIP Phones (example for a Cisco 8831 and 8841)
voice register pool 1

busy-trigger-per-button 2
id mac 00CA.E541.6A00
type 8841
number 1 dn 1 // assigns the number 236030501 specified earlier
dtmf-relay rtp-nte
username cisco password cisco
codec g711ulaw
no vad
// Optional, assigns shortcuts to the phone buttons
presence call-list
blf-speed-dial 1 02 label "Conf rooom" device
blf-speed-dial 2 2110301000 label "UNICEF Juba"
blf-speed-dial 3 2110301242 label "IT Help Desk"
!
voice register pool 2
busy-trigger-per-button 1
id mac AC44.F215.21C7
type 8831
number 1 dn 2
presence call-list
username cisco2 password cisco
no vad
And finally, the following commands will generate the config files for the phones:
voice register global

no create profile
create profile
3.4.5 SCCP Phone configuration
The procedure is similar to SIP phones, first create the phone numbers, for example:
ephone-dn 1
number 01
description Test
name UNICEF Test
hold-alert 30 originator
Then create the SCCP phone entry and assign the number (example for a Cisco 7945)

ephone 1
mac-address 00A2.896D.2354
type 7945
button 1:1
!
telephony-service
create cnf-files
And finally, the following commands will generate the config files for the phones:
telephony services
no create cnf-files
create cnf-files
3.4.6 Dial-peers (On-net / Off-net via SIP gateway)
Dial plans on Cisco routers are manually defined using dial peers. Dial peers are similar to static
routes; they define where calls originate and terminate and what path the calls take through the
network. Attributes within the dial peer determine which dialed digits the router collects and forwards
to telephony devices. To configure a dial-peer which would reach another office through the WAN:
dial-peer voice 1 voip

description UNICEF New York
destination-pattern 10301....
session target ipv4:158.113.16.60
incoming called-number .
dtmf-relay h245-alphanumeric
codec g729r8 bytes 60
no vad
Next example configures a dial-peer to a SIP gateway (for example EMC):
dial-peer voice 1 voip

description Outgoing-Calls
max-conn 4
destination-pattern .T
session protocol sipv2
session target ipv4:172.20.254.252
dtmf-relay rtp-nte
codec g729r8 bytes 40
no vad
!
voice service voip
sip
bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
3.4.7 Useful Troubleshooting commands
Call simulation
csim start 103017528 (test call without IP phone)

sh sip-ua calls (shows status of the line to the SIP provider)
Note: csim only works in telnet mode, not SSH. Because telnet is disabled from the remote access
rule, SSH in the core switch and telnet to the voice router from there.

Phone registration
show ephone summary br(SCCP)

show ephone registered (SCCP)
show voice register pool type all (SIP)
show voice register statistics (SIP)
sip-ua status registrar (SCCP & SIP)
Debug
debug tftp events

debug tftp packets
debug voice register errors
debug voice register events
debug ccsip events
debug ccsip error
Restarting / Resetting IP Phones
SCCP
telephony-service or ephone ephone-tag
restart { all [ time-interval ] | mac-address } or restart
end
SIP
voice register global or voice register pool pool-tag
reset or restart
end
Router Factory Reset instructions
Copy the attached config file to your router flash. Reboot the router by issuing the reload command.
When the router starts type "ctl+break". You should then see the prompt:
rommon 1>
Type:
rommon 1>confreg 0x2142
rommon 2>reset
(router reloads with factory defaults)
Would you like to enter the initial configuration dialog? [yes/no]: no
>enable
(you can do a show run here to check if the config is blank)
#conf t
#config-register 0x2102
#end
#configure replace flash:2951-CAR-new.txt
#wr mem
------------------------------------ END OF CHAPTER 6 -----------------------------------

CHAPTER 7
IP NETWORKS (WiFi)

1 INTRODUCTION TO WIRELESS NETWORKS
Wireless Local Area Networks (WLAN), commonly known as “WiFi”, are usually implemented as the
final link between the existing wired network and a group of client computers, giving these users
wireless access to the ICT services across a building. WLAN are an ideal tool in an emergency
environment as ICT responders need a flexible and quick method to share connectivity between
users. Wireless technologies can also be used to connect buildings to one another without laying
copper or fibre cabling.
The 802.11 specification is the standard for wireless LAN. It was ratified by the
Institute of Electrical and Electronics Engineers (IEEE) in 1997 and been
continuously improved since. Like all IEEE 802 standards, the 802.11 standards
focus on the bottom two levels the ISO model, the physical layer and link layer.
Any LAN application, network operating system, protocol, including TCP/IP, will
run on an 802.11-compliant WLAN as easily as they run over Ethernet.
1.1 WLAN PROTOCOLS - IEEE 802.11 FAMILY
WLAN standards are created by the IEEE and grouped under the IEEE 802.11 protocols set. They
usually operate in the 2.4 and 5HGHz frequency band. Because standards set forth by the IEEE can
have such an impact on the development of technology, they can take many years to be created and
agreed upon. The most known 802.11 protocols are following:
- 802.11a - was ratified by IEEE in 1999 as an amendment to the original 802.11 standard. It
provided much faster data transfer rate than but lacked backwards compatibility with previous
802.11 protocols as it used the 5 GHz frequency bands.
- 802.11g – was the first standard seeing a widespread adoption. It was based on the 802.11
standard, offered data transfer rates equally as fast as IEEE 802.11a in the 2.4GHz band and
boasted backward compatibility with the previous 802.11 generation.
- 802.11n - is an amendment which improves upon the previous 802.11. Because 802.11n works
in both the 2.4 GHz and 5 GHz frequency bands, it is compatible with legacy 802.11a and
802.11b/g users. The key to 802.11n is the use of multiple antennas (MIMO), which improve
distance, reliability and speed. Up to four data streams can be sent simultaneously using 20MHz
or 40MHz channels, providing a maximum data rates of 248 Mbps.
- 802.11ac – is the latest 802.11 protocol, changes compared to 802.11n include wider
channels (80 or 160 MHz versus 40 MHz) in the 5 GHz band, more spatial streams (up to eight
versus four), higher order modulation (up to 256-QAM vs. 64-QAM), and the addition of Multi-
user MIMO (MU-MIMO). Client battery using 802.11ac is extended.
802.11a 802.11g 802.11n 802.11ac

Release year 1999 2003 2009 2013
Frequency Band 5GHz 2.4GHz 2.4-5GHz 5 GHz
Channel width 22MHz 22MHz 20-40MHz 40-160MHz
Maximum Data rate 54Mbps 54Mbps 248Mbps 1-7 Gbps
Spatial Streams (MIMO) 1 1 4 8
OFDM+(BPSK, OFDM+(BPSK, OFDM+(BPSK, OFDM+(BPSK,
QPSK, 16-QAM, QPSK, 16-QAM, QPSK, 16-QAM, QPSK, 16-QAM,
Modulation
64-QAM) 64-QAM, DBPSK, 64-QAM) 64-QAM,
DQPSK) 256QAM)
Table 21 - WLAN Protocols
WIRELESS AREA NETWORKS (WLAN) 175

1.2 WLAN FREQUENCY BANDS
WLAN products currently use the 2.4 GHz

frequency range, which adheres to the IEEE
standard. Recently, many countries also opened
up the 5 GHz band (UNII) for unlicensed use by
high-speed data communications devices. Some
earlier WLAN technologies, such as the legacy
802.11 protocol, used lower frequencies such as
the 900 MHz ISM band. The advantage of using Figure 166 - 802.11 Frequency Bands
those bands is that they are considered as
“unlicensed” in most countries, however some apply their own regulations to both the allowable
channels, allowed users and maximum power levels within these frequency ranges. It is therefore
important to consult local authorities before deploying any type of WLAN. therefore any device
operating in those range should not require approval from the Government.
1.2.1 2.4Ghz Band
The 2.4 GHz band (used by 802.11b/g/n) is 72MHz wide (2401-

2473MHz) and divided into 11 which are spaced by 5 MHz
apart. In some countries, the band might be slightly larger. The
longer wavelengths used in this band penetrate better obstacle,
hence providing a better range than the 5GHz band. The trade-
off however, is that the band is one of the most heavily used for
industrial, scientific, and medical (ISM) applications. For
example Bluetooth, baby monitors, cordless phones,
microwaves, medical instruments… The more interference, the
less speed and range.
Figure 167 – Frequency

1.2.2 5Ghz Band
channels in the 2.4 GHz band
The 5 GHz band, also known as UNII radio band, is another unlicensed band used for wireless
networks. Starting at 5.15GHz and terminating at 5.825GHz, it is significantly wider than the 2.4GHz
band (675MHz vs. 72MHz) thus enabling 20 channels spaced by 20MHz. Another advantage is that
it is much less congested since fewer devices operate in this band. In the US (and most of the world)
the band is subdivided into four ranges:
- UNII-1: 5.15-5.25GHz. 50mW maximum transmission, indoor use only (access points).
- UNII-2: 5.25-5.725GHz. 250mW maximum, both outdoor (bridges / outdoor APs) and indoor use.
- U-NII-3: 5.725-5.825 GHz. 1W maximum. Outdoor use only for microwave links.
Figure 168 – Frequency Channels in 5GHz Band

1.2.3 Channel Overlapping
When a WLAN signal is modulated (see next paragraph) to transmit the information over the air, it
spreads over a wider band (20 to 160 Mhz depending on the protocol). This means that each access
point radiating at a specific frequency (or channel) uses in fact up a much wider frequency band.
This is an issue in the 2.4GHz band, which is only 72MHz wide and uses 11 channels (US) spaced
by just 5 MHz: access points radiating in adjacent channels would overlap and interfere with each
other (thus decreasing throughput and range). For example, if the WLAN is transmitting channel 9,
it will overlap with channels 7, 8, 10, 11. Consequently, when deploying multiple access points in an
office, only channels 1, 6, 11 should be used as they are spaced by 20 MHz:
Figure 169 - Non Overlapping Channels in the 2.4 GHz band
Although most modern access points come with automatic channel selection mechanisms, it is
recommended to scan the environment for wifi signals (refer to paragraph about WLAN site survey)
and analyze which channel would have the least interferences.
In dense locations, such as urban centers, it may be

challenging to find any non-congested channel, leaving no
other choice to share the channel with another WLAN. In
that case, it is recommended to keep a 20dBm separation
from the concurring wireless network in order to minimize
the impact on performance.
Figure 170 - Co-channel sharing
The 5 GHz band, on the other hand, is less vulnerable to
channel overlapping when compared to the 2.4 GHz band and devices should not encounter adjacent
channel interference. Since the available 5 GHz channels are 20Mhz wide, they wouldn’t overlap
and there should be no worry about adjacent channel interference. Having the choice among 20
channels also make it easier to pick an unutilized channel. Challenges might loom however as
802.11ac protocol can use channels from 40 to 160 MHz! Following image represents the 5GHz
utilization when considering 20 to 160MHz width channels:
Figure 171 - Channel usage in the 5 GHz band

1.3 WLAN TOPOLOGIES
Wireless networks use different technologies depending on the distance to achieve, the number of
devices to connect, and the amount of information to transmit.
1.3.1 Basic Service Set
This is the simplest and most common topology for WLANs.

A single access point (AP) acts as a master to control the
clients within its range. Assuming that the AP has an
Ethernet connection, it bridges the 802.11 wireless traffic
from the wireless clients to the 802.3 wired network on the
Ethernet side where all ICT services are located.
Cisco access points commonly called “standalone” or

“autonomous" operate as BSS. Their role is only to interface
wireless clients with the Ethernet network, they do not
perform functions such as DHCP or routing. Each Cisco AP
can accommodate up to 100 clients and range up to 90 Figure 172 - Basic Service Set (BSS)
meters.
All-in-one wireless routers such as Linksys models, function in BSS mode as well. Because they also
perform a layer 2/3/4 functions (switching, routing, firewall, etc…), wireless routers can accommodate
limited amount of clients (15 clients maximum recommended) and have a shorter range in
comparison with standalone APs.
1.3.2 Extended Service Set
Extended Service Set (ESS) uses more than one AP, often
with overlapping cells to allow roaming in a larger area.
Roaming means that users can move around inside the
coverage area and stay connected to the same WLAN. As
a result, the user does not loose connectivity and keep the
same IP addresses. All interconnected wireless access
points share the same SSID (network name), security
credentials and wired local area networks.
2 or 3 standalone APs can be configured to work in ESS

mode, however when the network requires more than 5x
APs, it is recommended to use a wireless LAN controller
(WLC). The WLC function is to manage all access points,
detect and avoid interferences, automatically adjust RF
power and channel assignment, balance the load on each Figure 173 - Extended Service Set
AP, correct “dead spots” by increasing power levels in a
specific AP antenna or reducing the data rate...
Using WLCs also simplifies the addition/removal of APs as it centralizes the configuration that is
pushed to all APs thus eliminating the need to individually connect devices for configuration
purposes. When using a controller, the AP is said “controller based AP”. Cisco AP can be used either
as controller based or standalone based by switching firmware.

1.3.3 Repeaters
A repeater access point is not connected to the wired LAN; it is placed

within radio range of another access point connected to the wired LAN to
extend the range of the network. Only dual band access points having
antennas in both the 2.4GHz and 5GHz bands can be configured as
repeaters. One radio is assigned to repeat the signal, the other to
listening it. It is possible to set up a chain of several repeaters, but
throughput for client devices at the end of the chain will be quite low.
Because each repeater must receive and then re-transmit each packet
on the same channel, throughput is cut in half for each repeater you add
to the chain.
1.3.4 Bridging Figure 174 - Repeater

mode
When configured as bridge, the access point can connect two or more LANs, which are often in
different buildings, through the wireless interface. Oftentimes, wireless equipment manufacturers
include “bridges” in their line-up. These are basically “boosted” access points for outdoor use, they
integrate a directional antenna and can transmit at higher power levels. Bridges can typically reach
up to 20km. The further the distance however, the lower the datarate and the higher the antenna.
Wireless bridges can be used in 2 modes:

- Point-to-point (2x Bridges);
- Point-to-multipoint (1x central bridge and multiple bridge clients);
Figure 175 - Bridging scenario
Applications for bridges in emergencies are multiple:
- Extends connectivity to secondary sites: warehouse, staff guest house;

- Facilitate Inter-agency sharing of Internet access with/from sister agencies or the ETC;
- Can supports UNICEF programs, by providing Internet in project sites (schools, hospitals, etc);
- Enables Business Continuity when a main office is no longer accessible: shadow office, staff
staff residence (Representative, Operations Officer…);
- Deploys backup connectivity between two sites with existing Internet access.

1.4 MODULATION AND CODING SCHEME (MCS)
When a WLAN NIC or access point sends data, it can modulate (change) the radio signal’s
frequency, amplitude, and phase to encode a binary 0 or 1. The IEEE 802.11 standard makes
provisions for the use of several different modulation techniques to encode the transmitted data onto
the RF signal. These modulation techniques are used to enhance the probability of the receiver
correctly receiving the data and thus reducing the need for retransmissions.
Latest 802.11 protocols uses a technique called Orthogonal Frequency Division Multiplexing
(OFDM). OFDM works by splitting the radio signal into multiple smaller sub-signals that are then
transmitted simultaneously at different close frequencies. Each OFDM sub-signals can be modulated
using Binary Phase Shift Keying (BPSK), Quadrature Phase Shift Keying (QPSK), or one of two
levels of Quadrature Amplitude Modulation (16, 64 or 256-QAM).
WLAN protocols also define forward error correction (FEC), or coding, as a technique used for
controlling errors in data transmission. The central idea is the sender encodes his message in a
redundant way by using an error-correcting code (ECC) defined by an algorithm. The redundancy
allows the receiver to detect a limited number of errors that may occur anywhere in the message,
and often to correct these errors without retransmission. The code rate is the proportion of the data-
stream that is useful (non-redundant). Code rate are displayed as “k/n”, where for every k bits of
useful information, the coder generates totally n bits of data, of which n-k are redundant. For example
a coding rate of 3/4 means that one redundant bit is inserted to every block of 3 bit of data. Obviously
a 5/6 rate would result in faster transmission than a ½ rate since fewer redundant bit are inserted.
Since 802.11n, the various modulation

schemes and coding rates are represented by
a Modulation and Coding Scheme (MCS) index.
The table below shows the relationships
between the variables that allow for the
maximum data rate:
Spatial streams was introduced with 802.11n

networks and refer to the amount of transmitting
antennas. Usually MIMO and spatial stream
numbers work together to indicate throughput
potential at given ranges, the greater the
amount of antennas the greater the rate and
distance. 2x3 MIMO indicates for example two
transmitting antennas and 3 receiving
antennas.
800ns and 400 GI (or guard intervals) are used

to ensure that two stations do not interfere with
one another due to delays in the propagation. A
shorter GI results in higher data rates but is also
prone to increased packet errors in large
networks.
Figure 176 - MCS Rates

1.5 WIRELESS SECURITY
IEEE 802.11 networks showed their biggest security vulnerability when the one real security feature
was hacked in the first few years of its existence. This security feature was the WEP; since then
hackers developed numerous methods to gain access to wireless networks, those include denial of
service attacks, Man-in-the-middle attacks, encryption cracking, MAC spoofing...
This chapter details the three recommended methods to secure wireless networks that implemented
in emergencies: WPA encryption, 802.1X authentication and Wireless Guest portals
1.5.1 WIFI Protected Access (WPA)
Wi-Fi Protected Access (WPA) is a security protocol based on 802.11i that were designed to protect
WLANs. There are multiple variants of WPA:
- WPA Personal uses a pre-shared key (PSK) in combination with the Temporal Key Integrity
Protocol (TKIP) for encryption.
- WPA Enterprise also uses TKIP for the encryption part but an authentication server is used to
approve the access and to dynamically generate the encryption keys.
- WPA2 Personal uses the Advanced Encryption Standard (AES) for encryption, which is the
strongest available. It still relies on a user defined pre-shared key.
- WPA2 Enterprise uses AES for the encryption and, as for WPA Personal, a server for the
authentication and dynamic keys. This is the solution implemented with UNICEF Universal wifi.
The “Personal” variants are the easiest security solution to implement and are recommended at the
beginning of an emergency response when a small amount of responders are on-site. This solution
can however easily be “hacked” as all users have the same pre-shared key, which in the end is
known by everybody. Administrator should therefore not attach this type of WLAN to the corporate
network (for example by plugging the access point to a switch in the LAN) but directly to a firewall
interface or to a separate Internet link. Access to corporate applications would only be gained through
Citrix or Client VPNs.
The “enterprise” variant is recommended for longer term deployments where responder since an
authentication server is used to make sure only relevant personnel have access to the network (see
paragraph below referring to 802.1X and Radius) and keys are generated dynamically.
1.5.2 Guest Captive Portal
The principle of this solution is not to configure the

WLAN with a pre-shared key but to insert a captive portal
between users and the Internet to force an
authentication process. This is done by redirecting the
first web session to a web portal which will require
authentication. Such method is commonly deployed in
airports or hotels. The portal management is used to
generate username / passwords, specify spend limits Figure 177- UNICEF Guest Portal
(for example max amount of MB or minutes), issues
reports, etc…
The solution is recommended to provide Internet access only to BYOD equipment, temporary
personnel and visitors. The Guest WiFi segment should be physically or virtually segregated from
the LAN/WAN. The following diagram is an overview of the standard solution as implemented in
UNICEF offices, the captive portal can be a network appliance (such as a Cisco 2504 WLC, Meraki
access point) or a server (such PFSense):

Internet
NAT Option 2: dedicated

Firewall /
link for WiFi: DSL or
modem equivalent
Option 1:
NAT WiFi shares Dedicated switch or
main separate VLAN on
internet link existing switches
CO
Firewall
172.16.0.0 /24 172.16.1.0 /24
Captive
Portal
UNICEF office LAN

WiFi
user
Figure 178 - Guest WiFi solution as implemented in UNICEF Offices
1.5.3 802.1X / RADIUS Authentication
WLAN security can be significantly strengthened by using 802.1X to deliver dynamic pre-shared keys
to authenticated users. 802.1X relies on an authentication servers based on the Remote
Authentication Dial In User Service (RADIUS) protocol. RADIUS was originally defined to enable
centralized authentication for PPP dial-up sessions. Instead of requiring every dial-up gateway to
maintain a list of authorized usernames and passwords, the gateway would issue RADIUS requests
messages to a central Authentication Server which would then reply with RADIUS Accept or reject
messages. This architecture permitted to centralize the user database and consolidated decision-
making at a single point, while allowing calls to be supported by many distributed gateways.
In a wireless network that uses 802.1X, the wireless station plays the role of the Remote User, the
wireless AP (or WLC) plays the role of the dial-up gateway and the domain controller (such as Active
Directory) is the Authentication Server. RADIUS is still used as the communication protocol between
the AP and the Authentication Server. If the server approves access to the wireless station, the AP
and wireless station generate the key that is used by TKIP or AES to encrypt data. Keys are therefore
generated dynamically and change from session to session.
When a user authenticates to an SSID using 802.1X, that individual session is encrypted uniquely
between the user and access point. This means that another user connected to the same SSID
cannot sniff the traffic and acquire information because they will have a different encryption key for
their connection. With a pre-shared key network, every device connected to the access point is on a
"shared encryption" connection so they can all see each other's traffic if they choose to do so.
All these attribute make 802.1X the most robust mean to secure 802.11 networks. Since only domain
joined devices can access the network (basically all UNICEF desktops and laptops), this the
recommended solution to access corporate applications over WiFi.
The UNICEF standard 802.1X solution relies on Access Points broadcasting a hidden SSID
(CharlieWiFi). Internal users connect to the SSID using their usual AD credentials and a unique
certificate hosted in the machine; A Microsoft NPS server acts as the Radius server and the local
Active Directory server is the Authentication Server:

Internet
NAT
internal I P for NAT
internal traffic Public IP
DHCP
WiFi Internal – 172.16.2.0 /24
WPA2
UNICEF LAN
158.113.x.y
or
10.16.x.y
NPS (Radius)
Access Access
Authen tication fo r
Point Point
UNICEF A D acco unts
for WiFi internal. APs WiFi user
Local AD
que ry to Radi us server,
Figure 179 - 802.1X / RADIUS as implemented in UNICEF Offices
Another indirect advantage of the 802.1X solution is that all UNICEF offices can use the same SSID
(“CharlieWiFi”), which favors staff mobility. Indeed staff would be automatically and seamlessly
connected to the corporate network as soon as their computer is in the range of the office WLAN.
This is particularly useful in emergencies where staff movement is very frequent.
1.5.4 Emergency Kits WiFi Solution
UNICEF emergency kits (see LAN chapter) ship with a preconfigured WLAN configuration that is
based on the combination of both the Guest Portal and the 802.1X / RADIUS authentication methods
described previously. A Cisco Wireless LAN Controller is used to implement both functionalities while
the implementation of 802.1X resides between the global Active Directory servers (instead of local
AD in the standard offices) and on a Cisco Identity Service Engine (ISE) appliance (instead of a
Microsoft NPS in standard offices):
SUNGARD
RADIUS Active
Cisco ISE
Directory
Internet
Guest WiFi VLAN 172.16.1.0 / 24
Internal VLAN 10.175.2XX.0 / 25 Charlie WiFi VLAN 10.175.2XX.128 / 25
Firewall - Sends RADIUS messages to

global AD to authenticate
Cisco
UNICEF staff
Wireless
- Manages guest users
EMERGENCY NAT for Controller
credentials
interna l traffic
SITE from UNICEF
Staff WiFi
Cisco AP
SSID 1:
- Hidden SSID SSID 2:
UNICEF G uest
- WPA2 security Charlie WIFI
- 802.1X SSID 1: SSID 2:
UNICEF G uest Charlie WIFI
- broadcasted SSID
- Authentication Portal
Figure 180 - WiFi solution as implemented in the LAN kits

1.6 GUIDELINES TO OPTIMIZE RADIO COVERAGE
1.6.1 Factors affecting wireless signals
In a similar way to light, wireless signals travel in straight lines and are affected by obstructions,
which can alter the radio signal. Wireless behaviour can be predicted and detected; the following
introduce the major RF signal behaviours and their implications:
Reflection and Refraction
If an RF signal bounces off of a smooth, non-absorptive surface, changing the direction of the signal,
it is said to reflect and the process is known as reflection. Reflected signals are usually weaker after
reflection; this is because some of the RF energy is absorbed by the reflecting material. Refraction
can occur when an RF signal is bent while moving between media of different densities (ex: wood or
plastic, layers in the atmosphere). Refraction introduces problems in outdoors point-to-point bridges
when a change in atmospheric conditions is observed (changes in temperature, air pressure, rain…);
the RF signal may change from the intended direction resulting in a broken connection or in increased
error rates.
Diffraction
Diffraction is defined as a change in the direction and/or intensity of a wave as it passes by the edge
of an obstacle. This phenomenon can also result in areas of “RF shadow”. Diffraction is often caused
by buildings, small hills, and other larger objects in the path of the propagating RF signal.
Obstructions and Absorption

Absorption
Material
Rate
Absorption is the conversion of the RF signal energy into heat. This
Plasterboard/drywall 3–5 dB
happens because the molecules in the medium through which the
Glass wall and metal
RF signal is passing cannot move fast enough to “keep up” with frame
6 dB
the RF waves. Many materials absorb RF signals in the 2.4 and 5
Metal door 6–10 dB
GHz spectrum. These include water, drywall, wood, and even
humans. Metal is well know for being the worst enemy of WLAN Window 3 dB
signals. When performing a site survey or troubleshooting a Concrete wall 6–15 dB
communications problem, those effects should be seriously
Block wall 4–6 dB
considered.
Table 22- Absorption rate for common materials
Multipath
When signals bounce around in an environment through reflection, refraction and diffraction, they
create an effect known as multipath. Multipath occurs when multiple paths of the signal, understood
as multiple signals, arrive at the receiving antenna at the same time or within a small fraction of a
second (nanoseconds) of each other. Multipath occurs very frequently
in an indoor environment where there is often no direct signal path
between the transmitter and the receiver (or the access point and the
client station). File cabinets, walls, desks, and doors - among other
things - cause RF propagation patterns that result in multiple paths
arriving at the receiving antenna. The difference in time between the
first and second signals arriving at the receiver in a multipath
occurrence is known as the delay spread. When the delay spread is
greater, so that the signals arrive out of phase, the signal will either be
down faded, corrupted, or nullified.

Loss and Attenuation
These are usually natural or unintentional and happen because of the process of RF propagation
(reflection, refraction, absorption…). The reduction in signal strength is logarithmic rather than linear.
For example, a 2.4 GHz signal, such as that used by many IEEE devices, will attenuate by
approximately 80 dB in the first 100 meters and then by another 6 dB in the second 100 meters.For
this reason, there are limitations in the distance travelled by RF signals.
Distance (miles) 0.5 5 1.5 2 2.5 3 4 5 10

2.4 GHz 98 104 107 110 112 113 116 118 124
5 GHz 104 110 114 116 118 120 122 124 130
Table 23 - Free Space Loss in dB for 2.4 and 5 GHz Spectrums
Fresnel Zone
As an analogy with visible light, visual LOS is defined as the apparently straight line from the object
in sight (the transmitter) to the observer's eye (the receiver). The LOS is an apparently straight line
because light waves are subject to changes in direction due to refraction, diffraction, and reflection
in the same way as RF frequencies. RF works very much the same way as visible light within wireless
LAN frequencies with one major exception: RF LOS can also be affected by obstacles located in the
Fresnel Zone. The Fresnel Zone occupies a series of concentric ellipsoid-shaped areas around the
LOS path, as can be seen in the figure bellow.
Figure 181 - Fresnel Zone
The radius r of the Fresnet Zone at its widest point can be calculated with the following formula:
𝑑1 + 𝑑2
𝑟 = 17.32 × √
4𝑓
Where d is the link distance in Km, f is the frequency in GHz, and r is in meters. For example, with a
2.4 GHz link and 5 Km in length, the resulting Fresnel Zone radius r is 12.4 meters. Objects within
this area such as trees, hilltops, and buildings can absorb or scatter the main RF signal, causing
degradation or complete signal loss. Considering the Fresnel Zone when planning or troubleshooting
an RF link is therefore essential.
As the distance increases, other factors must be considered such as the curvature of the Earth,
where the line of sight becomes difficult at 10 Km and disappears altogether at 25 Km (for two
structures at 3 meters). Paths over 30 Km are extremely difficult to align and install, so caution must
be taken when recommending these types of configurations.
1.6.2 Optimal APs Positioning
The placement of the APs at the correct places is an important factor that accounts in the extension
of the coverage area of the AP. Too many APs in the same vicinity can create radio congestion and

interference, and reduce the throughput while too few APs can create dead spots where users will
complain with unreliable connections. A recommended testing solution is to place the AP “on a pole”
and move around with a power injector and extension while perform a careful site survey to determine
the best placement of APs for maximum radio coverage and throughput (see site surveys chapter).
Figure 182 - AP Coverage map and placement

In order to maximize the radio coverage area, ensure a fifteen percent overlap in the coverage area
between any two APs in a WLAN. A large area with minimal system cost can be covered when APs
are installed with minimal overlap in the coverage area. The total bandwidth available to each mobile
station depends on the amount of data each mobile station needs to transfer, and the number of
stations in each cell. Seamless roaming is supported as a mobile station moves in and out of range
of each AP, and maintains a constant connection to the wired LAN. Below are recommended channel
diagrams for multiple AP deployments ensuring each does not interfere. In the 2.4 GHz deployment,
because of the limited bandwidth available, channels 1, 6, and 11 are reused and spread apart. The
5 GHz deployment is able to use nine different channels without difficulty.
Figure 183 - Non channel overlapping in high density AP deployments
If signals propagate well through the floors of the facility, one can also take advantage of the inter-
floor propagation in a way that reduces the number of access points necessary to cover the facility.
For example, AP-1 and AP-4 in the illustration below can provide coverage on the 2nd floor (where
they are installed), as well some coverage on the 1st and 3rd floors. AP-2 (installed on the 3rd floor)
and AP-3 (installed on the 1st floor) both provide some coverage on the 2nd floor. This allows the
spacing between the access points, such as AP-1 and AP-4, to be farther apart than if the inter-floor
propagation is not taken into account. Of course this reduces the cost of the deployment.
Figure 184 - AP should be placed on ceilings so they can cover 2 floors

Keep in mind that wireless devices have limitations when it comes to their range. For devices that
run on 2.4 GHz, the range can go up to 80-100 meters (without obstructions). One important thing to
remember is that distance affects the signal strength. As the distance between the AP and client
increases, the signal strength decreases. In order to check if the link remains stable, perform a
continuous ping: ping −t X.X.X.X (IP address of the AP). If replies are continuous, this means the
connection is stable. If it times out the majority of the time, the connection is not that stable.
1.6.3 Increasing the Power Level Parameter
You can extend the radio coverage area of an AP when you modify the transmitter power level
parameter. The transmitter power (mW) setting determines the power level of the radio transmitter.
The default power setting is the highest transmit power allowed in a regulatory domain. Government
regulations define the highest power level for radio devices.
Caution: The transmitter power level setting must conform to the established standards of the
country in which the setting is used. Governing bodies specify power rules for 2.4/5 GHz point-to-
multipoint and point-to-point links. Although designed for interior coverage, sector and phased-array
antenna output power levels must also be considered. The reality of output power rules is actually
more complex than most network administrators realize. Data rate is usually improved when the
power is increased; therefore the temptation is high for the administrator to go over the limit.
► for further detail on WLAN maximum allowed power output in different regions of the world, see
contents of the “Regulation” folder in the USB flash drive.
Generally, the transmitted power is reduced to limit the effect of RF interference. The reduction has
a negative effect on the radio coverage. The transmitted power is directly proportional to the radio
coverage area. Therefore, the weaker the transmitted power, the smaller is the radio coverage area.
1.6.4 Using different Antennas
The antenna is the radiating element in an RF system. In other words, it is the device that actually
causes RF waves to be propagated through space. They are most often used to increase the range
of wireless LAN systems, but a proper antenna selection can also enhance the security of your
wireless LAN. A properly chosen and positioned antenna can reduce the signal leaking out of your
workspace, and make signal interception extremely difficult.
There are four general categories into which all wireless LAN antennas fall:
- Omnidirectional or Dipole Antennas are the most common wireless LAN

antennas. Simple to design, they are standard equipment on most access
points. The dipole is an omnidirectional antenna, because it radiates its
energy equally in all directions around its axis. Dipole antennas used with
wireless LANs are small as WLAN frequencies are in the 2.4 or 5 GHz
microwave spectrum. Used outdoors, an omnidirectional antenna should be
placed on top of a structure (such as a building) in the middle of the coverage
area. When used indoors, the antenna should be placed in the middle of the building or desired
coverage area, near the ceiling so they may also provide some coverage to floors above.
- Semi-directional are antennas that focus most of their energy in a particular

direction. Examples include patch / panel or Yagi antennas which usually
focus their energy in a horizontal arc of 90 to 180 degrees or less. Yagi
antennas are most useful for providing RF coverage in one direction, for

example down long hallways or corridors and in some cases they provide such long-range
coverage that they may eliminate the need for multiple access points in a building. Two office
buildings that are across the street from one another and need to share a network connection
would be a good scenario in which to implement patch or panel antennas. A common
misconception is the fear that using a semi-directional antenna will get the signal to the client,
but not the returning signal from the client to the access point. This statement is wrong as those
antennas also have a strong receive gain.
- Highly-directional antennas emit the most narrow signal beam of any antenna type and have
the greatest gain of these three groups of antennas. These antennas are ideal for long distance,
point-to-point wireless links. Some models are referred to as parabolic dishes because they
resemble small satellite dishes. Others are called grid antennas due to their perforated design
for resistance to wind loading. They can transmit at distances of 35 miles or more and usually
require detailed aiming procedures that include a lot of trial and error (refer to satellite dish
pointing).
- Multiple-Input, Multiple-Output (MIMO) is the use of multiple antennas at both the transmitter
and receiver to improve communication performance. It is one of several forms of smart antenna
technology. MIMO technology has attracted attention in wireless communications, because it
offers significant increases in data throughput and link range without additional bandwidth or
transmit power. It achieves this by higher spectral efficiency (more bits per second per hertz of
bandwidth) and link reliability or diversity (reduced fading). Because of these properties, MIMO
is an important part of modern WLANs standards such as IEEE 802.11n (Wifi), 4G and WiMAX.
Omnidirectional Yagi Patch Grid Directional MIMO
Figure 185 - Antenna Types

2 WLAN HARDWARE STANDARDS
2.1 WIRELESS ACCESS POINTS
The Cisco Aironet family is the standard UNICEF hardware used in emergencies. Its rugged plastic
housing and extended operating temperatures makes it ideal for difficult environments like
humanitarian compounds or warehouses. In large installations, the roaming functionality provided by
multiple access points enables wireless users to move freely throughout the facility while maintaining
uninterrupted access to the network.
Cisco Access Points are available in two firmware versions:
- Autonomous or standalone access points are based on Cisco IOS and can therefore be
directly configured using the command-line interface (CLI) or the web-browser interface. These
are the recommended models for small deployments with just 1 or 2 APs.
- Controller based Access Points work in conjunction with Cisco wireless LAN controllers. AP
automatically download appropriate policies and configuration information with no manual
intervention. This configuration is recommended for large deployments requiring more than 5
APs. Note that these are the models to be ordered when installing a LAN kit (refer to LAN
chapter).
The recommended Cisco Access Points models for emergency response are as follow:
Model MR33 1810 2700 3700 1530

Indoor AP Outdoor AP
Function Indoor AP Indoor AP Indoor AP
Access Switch Bridge
Price ($) 600 250 500 800 1250
Protocol a/b/g/n/ac a/b/g/n a/b/g/n a/b/g/n/ac a/b/g/n
Max data rate 1300Mbps 300Mbps 450Mbps 1300Mbps 300Mbps
Security WEP, WPA, WPA2-PSK, WPA2-Enterprise with 802.1X
Band 2.4 / 5 GHz 2.4 / 5 GHz 2.4 / 5 GHz 2.4 / 5 GHz 2.4 / 5 GHz
Channel Width 20/40/80 20/40MHz 20/40MHz 20/40/80 20/40MHz
Antenna gain (2.4/5G) 4/4dBi 2/4dBi 4/4dBi 4/4dBi 3/5dBi
# Interfaces 1 x 1Gbps 4 x 1Gbps 1 x 1Gbps 1 x 1Gbps 2 x 1Gbps
MIMO 2x2 2x2 3x4 4x4 3x3
Max Tx power (2.4/5G) 200/200mW 100mW 160/200mW 200/200mW 800/500mW
# PoE ports 1 IN 1 IN / 1 OUT 1 IN 1 IN 1 IN / 1 OUT
PoE type PoE/PoE+ PoE PoE+ PoE/PoE+ UPoE
PoE Wattage 11W 11.6W 13W 16W 30W
Controller based N/A CAP702W CAP2602I CAP3702I CAP1532I
Standalone N/A SAP702W SAP2602I SAP3702I SAP1532I
AP2602E AP3702E AP1532E
External antennas No No
(6dBi) (6dBi) (14dBi)
Figure 186 - Comparing Cisco APs

2.2 WIRELESS ROUTERS
Cisco MX64W and Z1 appliances are the standard for small emergency
deployments where aid workers would rely on 3G, mobile satcoms or DSL
connection. The MX64W and Z1 includes firewall, intrusion prevention,
content filtering, and auto-VPNs support; A 802.11ac interface enables
resource sharing via WiFi and L7 traffic filtering/shaping features can help
optimizing voice and video applications. Figure 187 - Cisco 881W
Alternatively, as a last resort, robust home routers such as the Linksys WRT1900AC or Buffalo
WZR-600DHP2D are acceptable solutions for less than 6 months deployment and limited amount of
personnel (15 maximum).
2.3 WIRELESS BRIDGES
The Ubiquiti line of bridges are all-outdoor, tri-band systems operating in the UNII-2, UNII-2e and
UNII-3 license exempt bands delivering a 162 Mbps of aggregate throughput (at optimal conditions
and distance). This performance is obtained by implementing 802.11ac protocol. In the past UNICEF
used widely the Cisco 1300 and 1400 series as bridge standard, however these have been
discontinued in 2012 and subsequently replaced with the Cisco Exalt and Ubiquiti models:
Model LightBeam PowerBeam AirFiber

Staff residences, Guest houses,
Recommended application BCP sites
T4D warehouse, partners
Price ($) 90 100 1000
Protocol a/b/g/n/ac a/b/g/n/ac a/b/g/n/ac
Max data rate @ 1Km 100 Mbps 250 Mbps 1.2 Gbps
Max data rate @ 20Km 35 Mbps 90 Mbps 500 Mbps
Security WEP, WPA, WPA2-PSK, WPA2-Enterprise with 802.1X
Band 5 GHz 5 GHz 5 GHz
Figure 188 - Recommended models for Wireless Bridges
2.4 WIRELESS LAN CONTROLLERS
The Cisco 2504 wireless LAN controller (WLC) is recommended

for medium to large deployments requiring centralized
management of more than 5 access points. It is an entry-level
controller that simplifies the deployment and operation of wireless
networks. As a component of the Cisco unified wireless network,
this controller delivers centralized security policies, wireless
intrusion prevention system (wIPS) capabilities, RF management Figure 189 - Cisco 2054 WLC
and quality of service (QoS) for voice and video and flexibility to
scale as network requirements grow.
This models is available for procurement using UNICEF LTAS. Exact reference is AIR-CT2504-5-K9
and costs $700. This specific model come with enough licenses to install up to 5x Cisco access
points. It is however possible to increase the access points capacity by procuring additional licenses.
The maximum recommended amount of AP that the 2504 can support is 50.

3 DEPLOYING WLAN SOLUTIONS
3.1 WLAN SITE SURVEY
The planning of a wireless LAN involves collecting information and making decisions. One of the
most important step in implementing any wireless network is conducting a site survey. The objective
being to discover the RF behaviour, interferences and determine where to properly place WLAN
hardware in a facility. The following is a list of the most basic questions that should be answered
before the actual physical work of the site survey begins:
- What are the regulations in the country?

- What kind of environment am I in? (open, buildings, weather…)
- Is there already a network (wired or wireless) in place?
- Where are the access’ switches located?
- Is the wireless LAN going to be used indoors, outdoors, or both?
- What is the purpose of the wireless LAN? Basic access, guest network or corporate access?
- What level of network security is necessary?
- What bandwidth and roaming requirements are there?
- How many users are typically in a given area?
- What are the available resources?
- Is a facility map available (electronic or printed)?
- Are there any previous site survey reports available?
- Will a tower be required if I setup a bridge?
- Is physical access to wiring closets and the roof available if needed?
In the most basic indoor cases, the tools and equipment needed for the survey is at least one access
point, a laptop computer (or smartphone), some site survey utility software, the map of the facility
and paper/pen.
3.1.1 RF scanning with InSSIDer
inSSIDer is free, open-source Wi-Fi scanning software. It can be assimilated as a software spectrum
analyser for WiFi networks. Following is an overview of what can be achieved using it:
- Inspect the WLAN and surrounding networks to troubleshoot

competing access points
- Shows frequency overlapping
- Measure the strength of received signal in dBm
- Highlight access points for areas with high Wi-Fi concentration
- Export Wi-Fi and GPS data to a KML file to view in Google
Earth.
- Filter through hundreds of scanned access points
Launching InSSIDer should display the list of available Wi-Fi access

points in the surroundings and their frequency space allocation.
Figure 190 – Signal power level
vs data rate in a space free
environment.

The most interesting views are the Channel view as
inSSIDer draws the Wi-Fi overlaps as they occur in the
actual 2.4 GHz spectrum. Following are some details
about this view:
- Curves represent legacy 802.11b Wi-Fi.
- Dotted lines represent APs using no encryption.
- Dashed lines represent WEP encryption.
- Solid lines represent WPA encryption.
- WLANs that appear faded are likely not within usable
range of your computer.
The time view can be used to display the evolution of the signal strength while moving around a
building, hence providing an overview of the WiFi coverage.
3.1.2 Coverage mapping with HeatMapper
HeatMapper is a free tool that can be used to map the wireless coverage of any 802.11 compatible
access point. Similarly to inSSIDer, it also locates all the audible access points, and shows their
configurations and signal strength - in real time and on a map. Following is a sample map, and the
resulting coverage with the software:
HeatMapper is particularly powerful to measure an access point coverage and determine its best
positioning. The image above for example shows coverage comparisons between the 2.4 GHz and
5 GHz bands as seen in HeatMapper. The darkest green in both simulations represents a speed of
150 Mbps, but the darkest reds are what’s different. The red in the 2.4 GHz simulation represents a
speed of 1 Mbps, while the 5 GHz’s red represents a speed of 6 Mbps. One can notice the 2.4 GHz
AP does have slightly more coverage, but the speed at the edges of the 5 GHz coverage are faster.

3.2 STANDALONE CISCO ACCESS POINTS
3.2.1 Standalone AP Configuration (BSS mode)
Note that an access point is not comparable to a “wifi router”. It’s role is more like a switch, therefore
a router is still necessary in the network. The scenario below describes how is to create a basic wifi
network with the following parameters:
IP Address 192.168.0.20
Mask 255.255.255.0
Gateway (router) 192.168.0.254
SSID UNICEF
Channel 2.4GHz/5Ghz dynamic
Encryption WPA2 (AES)
Pre-shared key P@s5w0rd
This setup involves the following steps:
a. Access b. IP
c. SSID d. Encryption e. Save config
to the AP parameters
Figure 191 - BSS Access Point Configuration
a. Accessing the AP
Connect a PC to the AP console port with the blue console cable and power on the
Access Point. If the PC does not have a serial port, use a serial to USB converter.
Launch Putty.exe, a free Telnet and SSH client.
From the Session Category, select the Serial

connection type and 9600 as speed.
Check the serial line (COMx) is the correct one.

If the cable is connected to the PC serial port, it
should be COM1. If you are using a serial to USB
converter, check in the device manager which
port was allocated (go to start and type device
manager).
Click Open.
If everything went according to the instructions, the Access Point command line interface (CLI)
should display. The CLI language is similar to other Cisco equipment. Enter the privileged mode
with the command enable. Out-of the box, the default password is Cisco:
AP>enable //enters the privileged mode

b. Assigning the IP Parameters. The need of an IP is simply to support management traffic, such
as logging into the AP via SSH or with the web interface. When connecting the AP to the wired LAN,

the wireless device links to the network using a bridge virtual interface (BVI). Therefore the IP
address is assigned to the interface BVI, enter the following configuration:
AP(config)#interface BVI 1 //enters BVI 1 interface configuration mode

AP(config-if)#ip address 192.168.0.20 255.255.255.0 //assigns IP to interface BVI 1
The “show” command can be used to verify the IP changed its IP address:
AP#show ip interface brief

Interface IP-Address OK? Method Status Protocol
BVI1 192.168.0.20 YES manual up up
Dot11Radio0 unassigned YES unset administratively down down
Dot11Radio1 unassigned YES unset administratively down down
GigabitEthernet0 unassigned YES other up up
c. Creating the SSID. Use the dot11 ssid command to create the SSID named “UNICEF”:
AP(config)#dot11 ssid UNICEF //created the SSID named UNICEF
In this scenario, we want to use open authentication (meaning there is no 802.1X authentication
mechanism) with pre-shared key management provided by WPA2. In addition, we configure the SSID
to be broadcasted over the air. While in SSID configuration mode:
ap(config-ssid)#authentication open //No authentication server

ap(config-ssid)#authentication key-management wpa version 2 //SSID to use WPA2
ap(config-ssid)#guest-mode //enables SSID broadcasting
ap(config-ssid)#wpa-psk ascii P@s5w0rd //creates the pre-shared key
ap(config-ssid)#exit
d. Configure the Encryption. Now with the SSID profile configured, we need to specify an
encryption method for each wireless interface. Let’s enter interface configuration mode on the
wireless interface Dot11Radio0 (2.4GHz) first:
ap(config)#interface Dot11Radio0 //enters the 2.4GHz interface configuration

ap(config-if)#encryption mode cipher aes-ccm //defines the encryption type
ap(config-if)#ssid UNICEF //assigns SSID UNICEF to the interface
ap(config-if)#no shutdown //Activates the interface
ap(config-if)#exit
Then we apply the same commands to Dot11Radio1 (5GHz) interface:
ap(config)#interface Dot11Radio1
ap(config-if)#encryption mode cipher aes-ccm
ap(config-if)#ssid UNICEF
ap(config-if)#no shutdown
ap(config-if)#end
Before continuing save the changes by using the “copy" command:
ap#copy running-config startup-config //saves the actual configuration

3.3 CONTROLLER BASED ACCESS POINTS AND CISCO 2504
3.3.1 Initial Cisco 2504 Configuration
Out of the box, the WLC can be configured using a quick setup menu. Connect PC to port 2 of the
WLC, wait for it to get an IP address and access the WLC through http://192.168.1.1
Setting up the controller
System Name: XX-XXX-WC-01

Country: Any European country or United States
Date & Time: leave default
Timezone: adapt accordingly
NTP Server: 158.113.18.9 (UNICEF only)
Management IP Address: adapt accordingly (in UNICEF, it should be in the 10.x.y.z range)
Subnet Mask: 255.255.255.128 or adapt accordingly
Default Gateway: 10.x.y.254 or adapt accordingly
Management VLAN ID: adapt accordingly (in UNICEF, it should be VLAN 40)
Create wireless networks
Using the quick setup menu, continue creating the SSIDs. By default the WLC proposes to create a
corporate 802.1X SSID and a Guest WiFi portal. In UNICEF, parameters should be as follows:
Network Name: CharlieWiFi

Security: WPA2 enterprise
VLAN: New VLAN
VLAN ID: 40
VLAN IP Address: 10.x.y.250 or adapt accordingly
VLAN Subnet Mask: 255.255.255.0 or adapt accordingly
VLAN Default Gateway: 10.x.y.254 or adapt accordingly
DHCP Server Address: 10.x.y.254 or adapt accordingly
Network Name: UNICEF Guest

Security: Web Consent
VLAN: New VLAN
VLAN ID: 41
VLAN IP Address: 172.16.1.250
VLAN Subnet Mask: 255.255.255.0
VLAN Default Gateway: 172.16.1.254
DHCP Server Address: 172.16.1.254
Apply, system will reboot and then be accessible via the management IP address. If the setup
includes VLANs, make sure the computer is connected to an access switch port in the same VLAN
as the WLC.
3.3.2 WLC Management via the Web Interface
There should be no other reason to connect to the WLC other than monitor and troubleshoot wireless
access points and user authentication or to access the LobbyAdmin. Access Points, for example are
automatically recognized and configured by the controller as soon as they are plugged to the
network, there is no additional configuration required in the process.

Using Internet Explorer again, connect to port 1-4 of the Core Switch and browse to
http://10.x.y.250. After entering credentials. You should then be redirected to the WLC
summary page:
Figure 192 - Accessing the WLC
Once authenticated, the administrator is redirect to a dashboard displaying most of the useful
information in a single view: WLAN status, amount of clients, interferers and usage statistics of the
WLAN. The configuration pages and logs can be accessed by clicking the “advanced” tab…
i. Configuring SSIDs
Go to the WLAN tab and select the Create New option:
Figure 193 – Creating SSIDs
3.3.3 Guest Users and Lobby Administrators
WLC administrators can create guest user credentials by goiing to Security > local Net Users.
Guest credential can be generated on demand and expire after a pre-determined period. Although
not recommended, one Guest credential can fit all users (the same username / password can be
used at the same time).
Lobby administrators are special WLC users that can create and manage guest user accounts on
the Wireless LAN Controller (WLC). The lobby ambassador has limited configuration privileges and
can access only the web pages used to manage the guest accounts (similar to the “local Net Users”).
The lobby ambassador can specify the amount of time that the guest user accounts remain active.
After the specified time elapses, the guest user accounts expire automatically.

The LobbyAdmin account should first be created, in MANAGEMENT -> Local Management Users.
Once done, log into the Cisco WLC user as LobbyAdmin. The Guest Users IDs page appears. Note
that those are not the presently connected guest users but just their credentials. Here “Guest1” is
the only valid Guest username and is valid for the next 26 days:
Figure 194 - Guest User List
b. Click New to create a guest user

account. New page appears as shown in
Figure 41
c. Enter the required Guest User data:

username, password (or generate one),
the credentials’ lifetime (max 30 days), the
WLAN to be assigned to (only UNICEF
Guest) and its description.
d. Once done, click on “apply”.
Figure 195 - Creating a Guest User
3.3.4 Monitoring User Authentication
The WLC can be used to monitor the amount of users logged-in. In the Default Summary page, click
“detail” in the row that corresponds to the current clients. Alternatively go to Monitor > Clients:
Figure 196 - List of Clients connected to the AP

This table displays a list of all clients attached to the Cisco WLC. Interesting client information
includes the MAC & IP addresses, WLAN SSID associated with, username, their status, whether
they have been authenticated to access the WAN... By hovering the cursor over the blue drop-down
arrow (end of the line) for the desired client one can obtain additional functions to either, test client
connectivity, disable or remove the client.
3.3.5 Adding Controller Based Access Points
It is important to note that only CISCO Lightweight Access Points (LAPs), Controller Based Access
Points (CAPWAP) and Hybrid Remote Edge Access Points (H-REAPs) can be managed by the WLC.
Make sure to select the correct type of access points when undergoing the procurement. The IOS
version running in the WLC is important as it will determine which AP models are supported. For
example, the actual LTA models Cisco 1700/2700/3700 require the WLC version IOS 8.0+ to run,
likewise older AP models might not be supported by the latest version of the IOS.
A standalone Cisco Access Point can be converted to a controller based access point (and vice-
versa). Refer to the procedure further below.
Connecting the Access Points
Connect each APs to the relevant LAN kit switch port. As the switch is PoE capable, APs will be
powered from the Ethernet port and power on instantaneously. If the LAN switch is not PoE capable,
each AP will need power from an external power injector.
Upon connection, the AP will identify the WLC and generate a tunnel where all VLANs will be trunked
(see Figure 10). The LAP will then contact and establish connection to the WCS, who will take control
and configure it according to its settings. No additional actions will be needed on each newly
connected AP.
Monitoring new AP association
Connect a PC to the AP console port (on the back) with the provided blue cable and power on the
switch. If the PC does not have a serial port, use a serial to USB converter.
A black Window should then display, as soon as you connect the AP, the command line interface
will appear with the AP boot sequence and diagnostic lines.
When connected for the first time to the WLC, the AP will first obtain an IP from the DHCP server in
the firewall and look for the WLC by sending broadcasts:
*Mar 1 00:04:25.214: %CAPWAP-3-STATIC_TO_DHCP_IP: Could not discover WLC using static

IP. Forcing AP to use DHCP.
*Mar 1 00:04:34.354: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address
10.175.244.140, mask 255.255.255.128, hostname APbc16.65d6.6fcf
Translating "CISCO-CAPWAP-CONTROLLER.unicef.org"...domain server (158.113.18.10)
*Mar 1 00:04:36.227: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:04:36.696: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-
CONTROLLER.unicef.org
*Mar 1 00:04:46.696: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Oct 22 17:19:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip:
10.175.244.250 peer_port: 5246

*Oct 22 17:19:02.624: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully
peer_ip: 10.175.244.250 peer_port: 5246
Once found, the AP tries to create a CAPWAP tunnel with the WLC which fails as the AP has not
been configured yet by the WLC:
*Oct 22 17:19:02.625: %CAPWAP-5-SENDJOIN: sending Join Request to 10.175.244.250
*Oct 22 17:19:02.627: %CAPWAP-3-ERRORLOG: Invalid eve!!!!!!!!!nt 10 & state 5
combination.
*Oct 22 17:19:02.627: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message
type 10 state 5.
*Oct 22 17:19:02.627: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from
controller
*Oct 22 17:19:02.627: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from
10.175.244.250perform archive download capwap:/c1140 tar file
The AP will therefore download both a new firmware image and the configuration file, both compiled
and provided by the WLC:
*Oct 22 17:19:02.629: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP.
Downloading image from Controller.
examining image...!
extracting info (288 bytes)
Extracting files...
c1140-k9w8-mx.152-4.JA1/ (directory) 0 (bytes)
extracting c1140-k9w8-mx.152-4.JA1/T2.bin (8080 bytes)
extracting c1140-k9w8-mx.152-4.JA1/img_sign_rel_sha2.cert (1371 bytes)
extracting c1140-k9w8-mx.152-4.JA1/8001.img (186308 bytes)!!!
[Extracting goes on for 10-15 lines]
New software image installed in flash:/c1140-k9w8-mx.152-4.JA1
Configuring system to use new image...done.
The LAP will then reboot and complete the association to the WCS by loading its configuration. This
time the CAPWAP tunnel is successful and once finished the AP brings its interfaces up:
Loading"flash:/c1140-k9w8-mx.152-4.JA1/c1140-k9w8-mx.152.JA1"...##############....
File "flash:/c1140-k9w8-mx.152-4.JA1/c1140-k9w8-mx.152-4.JA1" uncompressed and
installed, entry point: 0x4000
executing...
[logs]
*Apr 21 06:40:02.651: %CAPWAP-3-STATIC_TO_DHCP_IP: Could not discover WLC using static

IP. Forcing AP to use DHCP.
*Apr 21 06:40:11.792: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address
10.175.244.140, mask 255.255.255.128, hostname APbc16.65d6.6fcf
Translating "CISCO-CAPWAP-CONTROLLER.unicef.org"...domain server (158.113.18.10)
*Apr 21 06:40:14.063: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-
CONTROLLER.unicef.org
*Apr 21 06:40:24.063: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Oct 22 17:28:41.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip:
10.175.244.250 peer_port: 5246
*Oct 22 17:28:43.634: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully
peer_ip: 10.175.244.250 peer_port: 5246
*Oct 22 17:28:43.634: %CAPWAP-5-SENDJOIN: sending Join Request to 10.175.244.250
*Oct 22 17:28:44.064: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller DK-ETR4-WC-01
[logs]
*Oct 22 17:28:45.108: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1,

changed state to down

*Oct 22 17:28:46.030: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0,
changed state to up
*Oct 22 17:28:46.064: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
The AP is now listed in the WCS web interface now:
Figure 197 - List of registered APs
3.3.6 Converting a controller-based AP to a standalone AP (and vice-versa)
In order to convert the AP, the proper firmware should be downloaded from cisco.com. Following are
the three type of IOS available for download:
- k9w7 –standalone IOS firmware

- k9w8 – full controller-based IOS firmware
- rcvk9w8 – controller-based recovery image
To proceed to the conversion, a PC should be either directly connected to AP’s ethernet port or
through a switch (if the AP is powered through PoE). A TFTP server (ex: tftpd32) must be installed
on the PC and host the previously downloaded IOS firmware. In the example below PC, the PC has
been assigned a 10.10.10.1/24 address and the AP is a 1140 model and is assigned the
10.10.10.102/24 IP address.
The following commands should be entered in the console mode:
AP5475.d0f5.2ee7#debug capwap console cli

AP5475.d0f5.2ee7#conf t
AP5475.d0f5.2ee7(config)#ip default-gateway 10.10.10.1
AP5475.d0f5.2ee7(config)#int g0
AP5475.d0f5.2ee7(config-if)#ip address 10.10.10.102 255.255.255.0
AP5475.d0f5.2ee7(config-if)#no sh
// Before entering this command, make sure the TFTP server is running
AP5475.d0f5.2ee7#archive download-sw /force-reload /overwrite tftp://10.10.10.1/c1140-
k9w7-tar.124-25d.JA.tar
"examining image...
Loading c1140-k9w7-tar.124-25d.JA.tar from 10.10.10.1 (via GigabitEthernet0): !
extracting info (283 bytes)
Image info:
Version Suffix: k9w7-.124-25d.JA ...................."
Once conversion process is over, verify the right image has been loaded:

ap>en
Password: // default password is Cisco
ap#
ap#sh version
Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(25d)JA, RELEASE
SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 09-Dec-10 15:24 by prod_rel_team
ROM: Bootstrap program is C1140 boot loader
BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(18a)JA3, RELEASE SOFTWARE (fc1)
ap uptime is 0 minutes
System returned to ROM by reload
System image file is "flash:/c1140-k9w7-mx.124-25d.JA/c1140-k9w7-mx.124-25d.JA"
For the reverse conversion from standalone to controller-based, download the recovery image (in
this example: c1140-rcvk9w8-tar.124-25d.JAL.tar) and use the same command on the autonomous
AP privilege mode:
AP5475.d0f5.2ee7#archive download-sw /force-reload /overwrite tftp://10.10.10.1/c1140-

rcvk9w8-tar.124-25d.JA.tar
3.3.7 WLC Firmware Upgrades
1. Login to the WLC: From a laptop, browse to the WLC IP, log in using your credentials.
2. Verify TFTP -> WLC connectivity: Go to “COMMANDS” -> “Upload File”. Leave all default but
update the server IP address with the laptop IP address. Click “Save Configuration” and once
confirmed, click “Upload”.
If communications with the tftp server work, you should read a confirmation message and the
configuration file should have been transferred to the current tftp folder.

3. Download the Field Upgrade Software (FUS), ex:AIR-CT2500-K9-1-9-0-0-FUS.aes. Go to
“COMMANDS” -> “Download File”. Leave all default but the laptop IP address and replace the File
name with “AIR-CT2500-K9-1-9-0-0-FUS.aes”. Click “Download” and wait until the confirmation
message is displayed.
The WLC should request to reboot, click “reboot” or go to “COMMANDS” -> “Reboot” and click
“Reboot”. All communications with the WLC will be lost and the WLC will take a while to reboot (20-
30 minutes), make sure you have enabled the serial connection so you can monitor WLC’s upgrade
process.
4. Download the IOS firmware, for ex: AIR-CT2500-K9-8-1-121-0.aes. Follow the exact same
instructions as in point 3. But this time the File Name in “COMMANDS” -> “Upload File” should be
“AIR-CT2500-K9-8-1-121-0.aes”. Once the upgrade is done, login to the GUI again, you should be
redirected to the new dashboard. Click on “Advanced” to access the previous default page and verify
the “Software Version” have been updated:

3.4 WIRELESS BRIDGES
The last paragraph of the handbook details the configuration process for setting up point-to-point and
point-to-multipoint bridges. We will consider a situation where a humanitarian agency would need to
extend Internet connectivity from its main office to 2 remote locations (staff accommodation and
warehouse) and will setup bridges as follow:
Warehouse
Main Office
Bridge Switch AP
Accomodation
Switch Main Bridge
Bridge Switch AP
Figure 198 - Bridge Topology
3.4.1 Physical Installation
Bridge systems usually consists of a weather proof transmission unit (with integrated or external
antennas), a Power Injector, a Power Adaptor and a grounding block (also called surge protector) at
the building entrance. The Bridge and the external antennas, if used, are installed outdoors. The
grounding Block is installed at the building entrance and the Power Injector and DC power supply
are installed indoors. The overall diagram is shown below:
Figure 199 - Bridge Installation Scheme
Before mounting the bridges to the roof or mast, the installer should always make sure the setup is
working in a lab environment.
Routing the cables
When routing the cable down a radio tower one must secure the cable to the tower. This is typically
done by using plastic or nylon ties securing the cable to either one leg of the tower or to the existing

cables traveling down the tower. When using plastic or nylon ties one should make sure the cable
ties are UV (ultraviolet light) resistive so they will not crack or break from exposure over time to the
sun’s rays. Always keep the cable away from sharp objects, if mounting on a roof top do not stretch
the cable across places where people will walk or move heavy equipment that might cut or damage
the cable. Always make sure the cable lies flat on the roof and never suspend it where someone
could trip over it. Before the cable enters into the building make sure the cable is routed through the
grounding block and that care is taken to not damage or compromise the cable when routing it into
the building. Beware of sharp edges around the wire path or hole you are using to get the cables into
the building.
Tip: It is good practice to create a small cable loop around all outside connections. Should the
weatherproofing fail, this would limit the water damage to the loop preserving the rest of the cable so
that it could be spliced and reused.
Lightening Protection
Lightning is caused by the build up of electrical potential between the clouds and ground, between
clouds, or between clouds and the surrounding air. During thunderstorms, static electricity builds up
within the clouds. A positive charge builds in the upper part of the cloud, while a large negative
charge builds in the lower portion. When the difference between the positive and negative charges
becomes too great, the electrical charge jumps from one area to another, creating a lightning bolt.
Most lightning bolts will strike from one cloud to another, but they can also strike the ground or other
metal objects. Static electricity from wind, snow or the electrical energy from a lightning strike or
nearby strike can cause damage your Bridge or other electronic equipment. Always use a grounding
block on the bridge and make sure the grounding block is attached to a suitable ground.
Use a heavy gauge wire and keep ground wire as short as possible. The use of a good ground will
lessen the chance of damage due to a nearby strike and helps to “bleed off” any static charges that
may build up on the cable.

3.4.2 Ubiquiti Nanobeam / Powerbeam Configuration (airOS 7)
a. Getting started
To access the airOS Configuration Interface, perform the following steps:
Configure the Ethernet adapter on your computer with a static IP address on the 192.168.1.x subnet
(for example, IP address: 192.168.1.100 and subnet mask: 255.255.255.0). Then launch your web
browser and enter https://192.168.1.20 in the address field.
Both default username and passwords are ubnt. Also select the country of operations (by default
USA). Once logged in, the dashboard looks like as follows:
Figure 200 - Ubiquiti Dashboard
A best practice is to change the default password as highlighted by the red message on top of the
screen.
b. Wireless Parameters
The Wireless tab contains everything needed to set up the wireless part of the link, including the
wireless mode, SSID, channel and frequency, output power, data rates, and wireless security:
Figure 201 - Ubiquiti P2P Wireless Settings

It is important that all bridges have matching parameters, relevant fields to focus are:
Main bridge Remote bridge(s)

Wireless mode* Access Point PTP or PTMP Station PTP or PTMP
SSID UNICEF UNICEF
Channel Width 80 MHz (P2P) – 40 MHz (PTMP) 80 MHz (P2P) – 40 MHz (PTMP)
Security WPA2-AES WPA2-AES
WPA Authentication PSK PSK
WPA Preshared Key Unicef123 Unicef123
Table 24 - Ubiquiti Wireless Parameters (example)
(*) The mode depends on the product model and network topology requirements:
- Access Point PTP: If a single device acts as an access point (AP) in a Point-to-Point (PtP) link.
The device functions as an AP that connects a single client device (the client device must be in
Station PTP mode).
- Station PTP: If a client device connects to an AP in a Point-to-Point (PtP) link. The client device
acts as the subscriber station while connecting to the AP (the AP must be in Access Point PTP
mode).
- Access Point PTMP: If a single device acts as an AP in a Point-to-MultiPoint (PtMP) link. The
device functions as an AP that connects multiple client devices (client devices must be in Station
PTMP mode).
- Station PTMP: If multiple client devices connect to an AP. The client devices act as the subscriber
stations while they are connecting to the AP (which must be in Access Point PTMP mode).
c. Others Parameters
The Network menu is used to adapt the bridge IP settings to the local office network addressing.
Make sure the parameters are set to their default (Network mode = Bridge) and assign static IP
addresses for easier remote management and monitoring. In the service tab, it is recommended to
enable the NTP client (Ubiquiti default or 158.113.18.9) and the devise discovery (CDP). Last the
system menu can be used to modify the administrator name (ex: admin), update the date settings
and save the configuration.
d. Verifying Association
Once all bridges have been configured correctly, they should automatically associate after scanning
all frequencies (30 seconds). For example, here’s a main bridge configured as Access Point PTMP
associated with 2x remote bridges configured as Station PTMP:
Figure 202 - Ubiquiti Associated Bridges
------------------------------------ END OF CHAPTER 7 ------------------------------------


ANNEXES
ANNEX A – CORE COMMITMENTS FOR CHIDLREN .................................................................. 209

ANNEX B – ICT PREPAREDNESS CHECKLIST.................................................................................... 211
ANNEX C – SIMPLIFIED STANDARD OPERATING PROCEDURES FOR LEVEL II AND III EMERGENCIES .... 214
ANNEX D – QUICK ICT ASSESSMENT ............................................................................................... 220
ANNEX E – RESPONSE PLAN TEMPLATE .......................................................................................... 226
ANNEX F - UN STANDARD CALLSIGNS / SELCALLS ................................................................ 232
ANNEX G – PROCEDURES FOR RADIO COMMUNICATIONS ................................................... 237

ANNEX A – CORE COMMITMENTS FOR CHIDLREN
Emergency preparedness and response planning in the area of ICT is to a large extent governed by
the Core Commitments for Children (CCCs) in Humanitarian Action. The CCCs state clearly the
responsibilities of ICT functions at the global, regional and country office level, to ensure adequate
preparedness, and actions to take in response and early recovery phases. Below is chapter 3.6
outlining the ICT commitments of the CCCs.
COMMITMENT
Timely, effective and predictable delivery of telecommunications services to ensure efficient

and secure programme implementation, staff security and compliance with inter-agency
commitments.
PROGRAM ACTION IN PREPAREDNESS
Ensure the immediate availability of essential emergency information and communication technology
(ICT), and telecommunications equipment and services, by having supply contracts in place with an
emergency delivery clause (HQ/RO).
- Pre-position essential rapid-deployment emergency ICT solutions in high-risk offices (RO/CO);
and put in place licensing and agreements with host governments on importation and licensing
of key telecommunications-response equipment and services (CO/interagency).
- Ensure the timely availability of trained and experienced emergency ICT responders by
maintaining internal and external emergency response rosters (HQ/RO).
- Ensure that all UNICEF COs have a minimum of one emergency-trained ICT professional
(CO/RO).
- Ensure that ICT is included in all UNICEF country and regional emergency-simulation exercises
(RO/HQ); and conduct annual emergency ICT training and simulation exercises (HQ/RO/CO).
- Ensure that CO ICT personnel are trained in MOSS/security telecommunications requirements
(HQ/RO/CO) and that evaluation of and reporting on MOSS telecommunications compliance is
included in regular office ICT activities (RO/CO).
- Support implementation of inter-agency and NGO emergency ICT/ telecommunications working
groups at the field-office level (CO/RO/ HQ).
- Support and ensure inter-agency standardization for emergency ICT/ telecommunications
equipment, services and procedures (HQ).
- For the purpose of business continuity, ensure that critical staff have the requisite remote
connectivity and access to UNICEF core systems (RO/CO), as per individual office requirements
and established from Information Technology Solutions and Services Division and business and
continuity plans (HQ).
- Conduct remote connectivity tests as per individual office requirements and established policies
and guidelines from Information Technology Solutions and Services Division and business
continuity plans. Ensure remote execution of office-critical processes, where applicable
(RO/CO).
- Ensure, where applicable and as per individual office requirements, remote access to vital
records requirements to execute critical processes for critical staff on-site and for those working
from home (RO/CO).
ANNEXES 209
PROGRAM ACTION IN THE RESPONSE
- Perform an immediate emergency ICT and telecommunications gap assessment to identify
critical gaps in MOSS/security telecommunications compliance and data communications
(Internet, email, etc.) service availability; determine resource requirements and need for eventual
external support (RO/CO).
- Collaborate with cluster partners to identify opportunities for shared telecommunications and
data-communications service delivery, and take responsibility as cluster lead at the local level, if
required and as per inter-agency agreements (CO/RO).
- Request deployment of trained emergency ICT/telecommunications responders and emergency
telecommunications project coordinators, as required (RO/CO).
- Produce a consolidated supply plan covering identified ICT and telecommunications equipment
and service requirements (CO).
- Provide key UNICEF users with remote access to corporate applications using secure
connectivity solutions, such as virtual private networks (CO)
PROGRAM ACTION DURING EARLY RECOVERY

- Provide secure corporate data connectivity – such as Very Small Aperture Terminal (VSAT) –
and implement core UNICEF information systems and associated infrastructure required to
support the longer-term emergency operation (CO).
- Conduct a follow-up and in-depth ICT/telecommunications assessment to establish requirements
for early recovery and longer-term operation; support planning, execution and hand-over to
capable partners of interagency joint emergency ICT projects (RO/CO).

This ICT Emergency Preparedness Checklist is designed to help Field Offices in assessing and improving assess their emergency preparedness in the area of ICT and through
this, facilitate timely and appropriate response to emergencies. As such, theThis list should be considered a part of the overall office’s preparedness efforts, including BCP
planning, security/MOSS awareness, ICT systems/services, and so forth. The checklist is also a tool for regional and ITSS officers to monitor individual FOs’ preparedness and
provide assistance as required.
ANNEX B – ICT PREPAREDNESS CHECKLIST
For additional support and information about ICT preparedness, check out ITSS‟ Emergency Portal (Intranet >> Information Technology >> ITSS Emergency Portal) or contact
your Regional Chief of ICT.
Region:
Country Office:
Prepared by (name/function)
Current security Level:
Date updated:
1. Office Continuity Plan select notes Responsible/focal point
A. Likely threat and risk scenarios determined and planned for.

Head of Operations
B. Critical ICT systems and services identified and Business
Impact Analysis performed on Critical ICT services Head of Operations
C. ICT Services Recovery Time Objective agreed by CO
Management Head of Operations
D. Remote access requirements for critical staff determined and
equipment/services implemented. Head of Operations
E. Country Office ICT DR Plan including Critical ICT staff and their
alternates has been documented and shared with Representative,
Operations Officer, RCICT, CO Security focal point and other
relevant staff. Head of Operations
F. Back-up electrical supply (generator, etc.) identified and back-
up power systems pre-deployed to main office and/or alternate
office locations to ensure availability of power. Head of Operations
G. Power generator is regularly tested. Sufficient fuel is available
for prolonged outages Head of Operations
H. Office Business Continuity Plan tested in the last year.

Head of Operations
I. Is ICT DR Plan integrated with office’s overall BCP?

Head of Operations
J. Contact details for local datacoms equipment and service
providers are available. Head of Operations
K. All critical documentation and software is stored in a safe and
accessible location outside the main office (FTP site, shared drive
or other). Head of Operations
L. ALL BCP Critical Staff are regularly encouraged to take backup
copy of essential documents and e-mail archives from their
desktop computers on top external drive to facilitate working
from home? Head of Operations
M. All BCP Critical staff (with support from Local IT staff) have
tested all remote access methods (prior to predicted emergency).
Head of Operations
ANNEXES 211
Emergency Telecommunications/ MOSS Select One notes Responsibility
A. Office country is MOSS compliant in terms of telecommunications. Security Officer
B. UN Country-MOSS plan is shared with RCICT and

Security Officer
ITSS/Operations/Emergency Telecoms?
C. Local interagency ICT or ETC coordination group is established and

functioning. (If no such group exists, consider taking the initiative to start one. Security Officer
TOR available on ITSS Emergency Portal)
D. Plan and additional HF/VHF/Satcoms equipment exist to respond to

increase in security phase and/or emergency response. (ITSS recommends
Security Officer
that CO’s in high-risk maintain a solid stock of spare equipment. Exact
quantities should be assessed based on MOSS, risk and staffing-levels.)
F. All UNICEF vehicles being used for field operations in high-risk areas are
equipped with HF/VHF and Satcom equipment as per the Country MOSS Security Officer
requirement.
G. Staff are equipped with portable radio equipment as per the local MOSS
Security Officer
requiremnets.
H. Staff received training on the use of HF/VHF radio duiring last 6 months. Security Officer
I. Office has communication tree, and it is tested every three months. Security Officer
Office Connectivity (In main office) Select notes Responsibility

A. Primary connection available Head of ICT
B. Secondary connection available Head of ICT
Internet Connectivity (At back-up location)
A. Primary Internet connection available Head of ICT
B. Secondary Internet connection available Head of ICT
C. All corporate applications installed/configured and tested on all the
computers/laptops that will be used by the BCP Critical staff. Head of ICT
Remote Access
A. Local Citrix service setup for BCP must be tested by the BCP Critical staff
regularly. Head of ICT
B. ALL BCP Critical Staff to work on VISION are aware of mycitrix.unicef.org
(Citrix remote access service hosted from NYHQ) and have used Core
applications via NYHQ Citrix. Head of ICT
C. Remote Access via CISCO AnyConnect VPN has been configured and
tested on all the laptop computers to be used by BCP Critical Staff. Head of ICT
D. Staff are trained on the use of available remote access applications and
able to access from home/alternate location. Head of ICT
VISION System Access
A. VISION accessible via NYHQ Citrix service from the Country office. Head of ICT
B. All VISION users know how to use VISION via NYHQ Citrix service. Head of ICT
C. Remote Access via CISCO AnyConnect VPN has been configured on all the
laptop computers. Head of ICT
D. Remote Access via CISCO AnyConnect VPN has been configured and
tested on all the laptop computers to be used by VISION users and tested by
each BCP Critical Staff and VISION users. Head of ICT
E. SAP GUI client installed/configured on the laptop computers identified to
be used for BCP and tested by the BCP Critical staff. Head of ICT
F. VISION Transaction Management System access via SAP GUI and NYHQ
Citrix method tested by each BCP Critical staff. Head of ICT
G. APPROVA system access via Internet Explorer using URL and NYHQ Citrix
tested by each BCP Critical staff who has APPROVA Role. Head of ICT
H. Accessing VISION Insight via NYHQ Citrix service tested Head of ICT
I. VISION Icons installed and tested on all the laptops of the office. Head of ICT
Intranet and Internet Services
A. Internet (Field Office Website Maintenance) Content contributors
provided with Internet access to the RedDot servers using Internet Explorer
browser. Head of ICT
B. All BCP critical staff have Internet access and individual passwords to
access the UNICEF Intranet. Head of ICT
C. All relevant staff have been given access to WebHRIS. Head of ICT

Intranet and Internet Services
A. Internet (Field Office Website Maintenance) Content contributors
provided with Internet access to the RedDot servers using Internet Explorer
browser. Head of ICT
B. All BCP critical staff have Internet access and individual passwords to
access the UNICEF Intranet. Head of ICT
C. All relevant staff have been given access to WebHRIS. Head of ICT
Email and Collaboration Service (Office 365)
A. Outlook Lync, and OneDrive for Business PC clients are configured,
tested, and used by all BCP critical staff. Head of ICT
B. All BCP Critical Staff are trained to use e-mail, web conferencing, and
OneDrive for Business via remote access (Internet browser) and able to access
from home/alternate site. Head of ICT
C. All BCP Critical staff have the BCP-related documentation in their
OneDrive for Business. Including Office365 user references. Head of ICT
D. All BCP Critical staff mobile devices have been configured for UNICEF
email, Lync, and OneDrive for business. Head of ICT
Client Authentication and File & Print Services
A. Client Authentication and DNS resolution at backup site are configured and
verified. Head of ICT
B. File & Print service has been configured and tested running from the
Backup site. Head of ICT
C. Logon script execution, F&P shares & folder permissions at backup site
configured and verified. Head of ICT
D. File & Print server data (all user data & shared folders) is included in the
daily ICT data backup procedure. Head of ICT
E. Critical Staff trained in the use of F&P at backup site and able to access from
home/alternate location. Head of ICT
Infrastructure and Operations
A. Data back-up strategy developed and implemented, with regular back-up;
maintenance and secure storage. Head of ICT
B. Restore Process periodically tested. Frequency of tests? Head of ICT
C. Data back-up taken from the Primary data centre is periodically restored
and tested on the Backup/Secondary data centre where there is no clustering
or real-time update feature. Head of ICT
D. Data backup media stored in a secure location far away from the main
system operation area. Head of ICT
E. Fire alarm and smoke detector installed at the primary data centre as well
as secondary data centre and integrated with internal and external monitoring
systems. Head of ICT
F. Your office has High Availability Gateway setting that could be moved to an
emergency location. (Open Systems does not provide cold-standby firewalls.
Emergency prone locations and locations where shipping equipment is difficult
are recommended to have their own HA gateways. Meanwhile, each region
has a number of sites with HA gateway settings. These HA gateway could be
transferred/shipped to the other office in case if their hardware failed.)
Head of ICT
G. The Office has a spare WiFi set for quick deployment in case of emergency.
Head of ICT
H. The UPS system is installed and tested. Head of ICT
I. Redundant Power Distribution Units (PDUs) are available. Head of ICT
J. Leak detection throughout raised floor installed (if raised floor has been
installed). Head of ICT
ICT Emergency Preparedness

A. Office Profile and Emergency ICT Preparedness Checklist are regularly
updated and posted on EWEA site at least 2 times a year, and immediately
updated when an emergency strikes. Head of ICT
E. An office-in-a-box kit or ETR-1 kit is available in case rapid response is
needed. (ITSS recommends every CO has at least one ETR1 or similar rapid
response ICT kit.) Head of ICT
F. Mobile High-Speed Data Satellite Services such as BGAN or Thuraya IP are
updated with latest firmware and have been tested in the last 2 months. (ITSS
recommends at least one HSD MSS terminal per office; more in high-risk
scenarios.) Head of ICT
G. Alternate rapid deployable Internet connectivity solution is on standby
(such as VSAT, local ISP, 3G router, other). The office maintains a list of
contacts and services for all local and global Internet and Cellular providers.
Head of ICT
Rapid Emergency ICT Assessment
A. Are you familiar with the procedure for Rapid ICT Assessment?
For background information on Rapid Telecoms Assessment, go to Intranet >>
Information Technology >> ITSSEmergency Portal >>Emergency Response Please explain briefly Head of ICT
ANNEXES 213
ANNEX C – SIMPLIFIED STANDARD OPERATING PROCEDURES FOR LEVEL II AND III EMERGENCIES
SSOP: Level II Emergencies

Sector: ICT
Business Owner: ICTD
Procedures: The below are identified as key actions to ensure a rapid and efficient emergency response in area of ICT. These actions build on existing ICT
emergency preparedness guidelines, as specified in the ICTD Emergency ICT Checklist (on IT-Explorer/Emergency Portal).
Within first week
Action Considerations Responsibility To consult /engage Approval

/
clearance
Conduct a quick ICT Assessment tools available in ‘ICT emergency
assessment to determine toolbox’ on ICTD Emergency Portal. CO
RCICT (Regional
immediate needs If access to emergency location is difficult, seek to CO ICT manager Operations
Chief of ICT)
obtain information about ICT status and gaps from officer
non-ICT staff visiting area or from other agencies.
Consult country office Emergency Preparedness and
CO ICT
Response Plan (EPRP), country specific security
2. Implement security CO Operations manager/Security
(MOSS)/UNDSS requirements, and operational needs. CO Rep
communications procedures manager officer/UNDSS/Cluster
High-risk countries should maintain in-country stock
lead agency
of essential equipment security comms equipment.
Consult country office Emergency Preparedness and
Response Plan (EPRP). Consider using interagency
CO Operations
3. Ensure access to data- connectivity provided by ETC lead (if available).
CO ICT Manager manager/Cluster lead CO Rep
connectivity for responders High-risk countries should maintain in-country stock
agency
of essential data-communications equipment
(satphones, etc.)
CO
4. Manage ICT coordination. Initiate coordination (teleconferences) as required. CO ICT manager RCICT/ICTD Operations
officer
5. Identify need for additional Consider hiring locally available staff. External, CO Operations RCICT/DHR/EmOps
CO Rep
emergency ICT staff international responders s can be identified through e- Manager Geneva

- global web roster (DHR’s Emergency Unit); through
regional rosters; and through UNICEF standby
arrangements (EmOps Geneva).
For quick delivery: Order standard UNICEF

equipment, preferably from Supply Division’s
6. Prepare ICT supply plan and CO
Emergency Supply List; Where applicable, use
forward to Supply responsible CO ICT manager RCICT/HQ ICTD Operations
emergency procurement option; Order complete kits.
- officer
If required, request ICTD pre-stocked telecoms kit
solutions (ETR1, 2 or 3 kits)
Within second week
7. Participate in local and global CO ICT manager RCICT CO

interagency ICT coordination If local ICT working group does not exist, consider Operations
meetings; seek to identify initiating such (ToR for local ICT working group officer
opportunities for interagency available on Oneresponse.info and ICTD Emergency
shared ICT services. Portal)
-
ANNEXES 215
SSOP: Level III Emergencies
Sector: ICT
Business Owner: ICTD
Procedures: The below are identified as key actions to ensure a rapid and efficient emergency response in area of ICT. Many of the outlined actions build on
existing ICT emergency preparedness guidelines, as specified in the ICTD Emergency ICT Checklist (on IT-Explorer/Emergency Portal). In situations where
the country office installations and staff are directly affected by the emergency, primary responsibility for actions indicated as country office ICT responsibility
below may be transferred to Regional Chief of ICT (RCICT).
Immediately at activation (first 24 hours)
Action Considerations Approval
Responsibi To consult
/
lity /engage
clearance
1. Conduct a quick ICT assessment and RCICT
share information with CMT, RCICT ▪ If access to emergency location is difficult, seek to obtain
CO ICT (Regional CO Ops
and ICTD emergency focal point information about ICT status and gaps from non-ICT staff
manager Chief of officer
visiting area or from other agencies.
ICT)
If UNICEF CO is directly affected, inaccessible or under threat:
▪ Initiate BCP and have relevant form signed by head of office.

▪ May require contracting of local ISP and/or use of back-up CO ICT RCICT/HQ CO Ops
2. Support office BCP plan
communications tools such as BGAN or other satellite manager ICTD officer
communications.
3. Assess need for implementation of
“shadow” office for hosting of essential ▪ Shadow office can be UNICEF office in neighboring country. RC ICT HQ ICTD GEC
CO ICT services
First 48 hours (in addition to those listed above)

4. Implement security communications
CO
procedures/radio-check (HF/VHF radio ▪ In interagency radio networks, this task may be handled by CO ICT CO Ops
security
communication system, satphones, etc.) lead agency. manager officer
focal point
▪ Voice and data-connectivity options include local service
5. Ensure staff travelling to affected area providers (if operational), other UN agencies’ services, CO ICT
CO Ops
has access to voice, data-connectivity BGAN and other mobile satellite communications, etc. manager HQ ICTD
officer
and security-communication options ▪ Provide key staff with access to smartphone (if services RCICT
available in emergency location).

▪ SitRep typically daily in early phase of emergency, then bi-
weekly or weekly as required. Simple format should be used:
6. Initiate regular ICT sitreps for sharing period covered; main actions taken (services, procurement, CO ICT CO Ops
RCICT
with CMT, RCICT and HQ ICTD staffing); major gaps and constraints (services, procurement, manager officer
staffing); immediate and longer term plans; interagency ICT
activities; etc.
HQ ICTD
CO ICT
7. Alert UNICEF ICT service providers ▪ Alert global, regional and in-country suppliers and include Director /
manager/
that emergency services may be possible scenarios, services required, estimated number of RCICT / None
RCICT /
required locations, timeframe, etc. CO ICT
HQ ICTD
manager
▪ The IRT may constitute ICT/telecoms expert. RCICT HQ ICTD/ CO Ops
8. Identify emergency ICT staff to lead ▪ Identify additional surge capacity needed (to be deployed by DHR officer
and support UNICEF ICT response DHR)
- ▪ Take advantage of ICTD and DHR roster of internal and
external emergency ICT trained staff.
CO ICT
9. Initiate in-house and interagency ICT ▪ Teleconferences are typically held at least twice a week in the HQ ICTD CO Ops
manager /
coordination teleconferences initial stage, then weekly or as required. Director officer
RCICT
First week (in addition to those listed above)
10. Participate in local and global
▪ If local ICT working group does not exist, consider initiating
interagency ICT coordination CO ICT CO Ops
(TOR for local ICT working group available on RCICT
meetings; seek to identify opportunities manager officer
Oneresponse.info)
for interagency shared ICT services
▪ For quick delivery: Order standard UNICEF equipment,
11. Prepare ICT supply plan and forward preferably from Supply Division’s Emergency Supply List;
CO ICT RCICT/HQ CO Ops
to supply responsible Use emergency SO option; Order complete kits.
manager ICTD officer
- ▪ Request ICTD pre-stocked telecoms solutions (ETR1, 2 and 3
kits).
▪ File sharing is essential for sharing of hand-over documents
and other important files. File sharing solution can be shared CO ICT RCICT / CO Ops
12. Implement file sharing solution
drive or – if local network sharing not feasible – collaborative manager HQ ICTD officer
space on UNICEF Intranet.
13. Ensure fast-track of requests for ▪ As adequate, agree on higher priority ICT SLA for all other
HQ ICTD RCICT/DH CO Ops
assignment of email and Intranet access service requests by the affected CO.
Director R officer
for new staff and consultant
ANNEXES 217
▪ e-saf requests from emergency office to be immediately
flagged and prioritized.
▪ Emergency GHD numbers: Help Desk Officer: +1- 917-605-
1601 and Help Desk Manager: +1- 917-605-1816
Following weeks (in addition to those listed above)
14. Determine additional ICT staffing
CO ICT
requirements and initiate action to ▪ Take advantage of ICTD and DHR roster of internal and CO Ops
RCICT manager/D
obtain necessary staff external emergency ICT trained staff officer
HR
-
15. Provide key UNICEF users with ▪ Consider requesting emergency telecoms response kit from
corporate network access; implement ICTD in-house pre-stock
CO ICT RCICT/HQ CO ops
core UNICEF information systems and
manager ICTD officer
associated infrastructure to support the
operation.
16. Perform follow-up ICT assessment to ▪ Assessment tools available in ‘ICT emergency toolbox’ on CO ICT RCICT/HQ CO ops
determine gaps in longer-term response ICTD Emergency Portal. manager ICTD officer

Related Procedures, Guidance, Rules, Policies and Regulations
The ICTD Simplified Standard Operating Procedures for Level 3 emergencies build on the ICT component of the CCCs as well as current ICTD policies and
procedures related to emergency response and business continuity, including ICT Guidelines & checklist, ICT Assessment templates, ICT Budget tools, TOR
for Interagency ICT working group, etc. Where possible, these policies and procedures have been simplified.
Risk Management Strategy
The major risks have been identified as:

Risk: Lack of availability of trained and experienced ICT emergency response staff.
Mitigation strategy: UNICEF trained responder staff is available from various standby partners and can be used for support roles; however for ICT manager
role, UNICEF staff will be required.
Risk: Local service providers affected by emergency/disaster and not able to provide services.
Mitigation strategy: Import UNICEF telecoms response kits to ensure back-up connectivity.
Risk: Delays in importation and licensing of IT and telecoms equipment.
Mitigation strategy: Raise license and importation issues to interagency level and have local ICT working group/Emergency Telecoms Cluster group approach
local Govt. telecom authorities with import/license requests.
Risk: Quantity of ICT equipment does not reflect actual needs.
Mitigation strategy: CO ICT Manager to work closely with CO Operations officer to ensure matching between expected staffing levels and ICT requirements.
Risk: ICTD pre-stock not replenished after shipment to CO.
Mitigation strategy: ICTD will only commit to ship from pre-stock after receiving adequate budget for reimbursement, alternatively written commitment from
CO Rep or GEC.
Exit Strategy
The main areas to consider in ICT exit strategy are:
▪ Ensure exit strategy is clear about ownership of ICT manager function when response staff exit and hand-over to longer-term staff.
▪ Ensure Office Profile and ICT inventories are updated with equipment imported as part of emergency response.
▪ Ensure equipment with recurring costs (such as satcoms) is incorporated in CO inventory and budget.
▪ Ensure office data-connectivity is resilient and adequate.
▪ Ensure local and global contracts for telecoms and ICT services are formalized and budgeted for.
ANNEXES 219
ANNEX D – QUICK ICT ASSESSMENT

ANNEXES 221
ANNEXES 223
ANNEXES 225
ANNEX E – RESPONSE PLAN TEMPLATE
EXECUTIVE SUMMARY
This response plan covers the ICT requirements for the on-going emergency in (insert country name),
based upon information collected during the initial assessment organized by (insert office who did the
assessment). The objective is to provide Internet access, security telecommunications and help desk
services to support UNICEF program and operations in (insert location(s)).
This project will be done in 3 phases (this parameter may change depending on scenarios) for a duration
of (enter duration) months. It will be led by (insert Country Office name) under the guidance of the
UNICEF Regional Office in (insert RO name) and the Information Technology Solutions and Services
(ICTD) in Headquarters.
This response plan includes budget and related costs for the necessary ICT equipment, services and
additional staffing. It also describes procurement methods, logistics, exit strategy and risk mitigation.
IMPLEMENTATION TIMELINE
Starting (insert date), phase 0 aims at upgrading existing UNICEF offices in (insert office name(s)) to
cope with the additional surge staff responding to the emergency.
In (insert new sites), where UNICEF had no prior presence, the implementation is divided in two phases:
• Phase I aims at establishing basic ICT infrastructure and services in all additional sites. This
includes Country MOSS compliant telecommunication facilities, depending on the local security
level, and basic e-mail and voice services. In this phase, voice and data communication is
guaranteed through satellite terminals and/or 3G equipment where applicable;
• Phase II aims at strengthening and extending the existing infrastructure to cater for the planned
number of users, including cost-effective Internet access for all staff, the establishment of a secured
network, Wifi infrastructure, remote sites and local help desk;
(Include timeline, example below with Microsoft Visio)

26/4/14 6/5/14 22/5/14 15/10/14
Emergency On-Site Assessment On-site Assessment
21/7/14 5/9/14 Closure
declared Start of Phase I Start of Phase I
M&E mission Closure Lessons Learn
Location X Location Y Location Y Report
CO+X+Y
1/5/14 1/6/14 1/7/14 1/8/14 1/9/14 1/10/14

04/23/14 10/22/14
2/5/14 16/5/14
28/4/14 6/6/14 27/9/14
Upgrade Start of Phase II
Initial Start of Phase II Closure
CO Location X
Assessment & Location Y Location X
Capacity
Response plan
DESCRIPTION OF SERVICES
In existing UNICEF offices (insert office locations), the increase of surge staff will stress the local ICT
capacity. Phase 0 will therefore focus on upgrading ICT structures:
• Increase of the office WAN/Internet bandwidth
• Installation of additional WIFI equipment

• Provision of satellite phones and VHF radios to selected surge personnel
• Installation of additional IT equipment such as laser printers
• Increase of the ICT help desk staffing capacity
As for additional sites, priority should be given to the establishment of basic Internet connectivity and
security telecommunication networks compliant with the country MOSS. Start-up of ICT services has
been divided in two installation phases as detailed below.
Phase I will include:

• Provision of Internet and voice services using the fastest possible means to staff deploying to (name
affected area)
• Country MOSS telecoms compliance
• Provision and programming of VHF hand-held radios for all/selected (choose appropriate) staff;
• Access to Vision for selected staff;
• Provision of Internet access via WiFi to surge staff
• Basic printing and scanning services to surge responders
• Help Desk support to emergency responders
Phase II will include

• Establishment of a longer-term ICT support staff structure. Specific details depend on the size of
the office, and are provided in the next section of this document.
• Internet connectivity extension to secondary sites: (Warehouse, staff accommodation and sister
agencies / implementing partners).
• Establishment / deployment of a VHF repeater(s) (* see note below)
• Establishment of a radio room, and recruitment of radio operators to maintain 24/7 coverage. The
radio room will include, at a minimum, one HF base station, one VHF base station, a satellite phone
and one e-mail account (* see note below)
• Installation of VHF/HF communications equipment in the vehicles (* see note below)
• Establishment of back-up electrical power for ICT equipment
• Training of drivers and selected personnel (* see note below)
Notes (*): If above services are covered by the Interagency project then they should be omitted
PROJECT COST & FUNDING
The total equipment and recurring cost amounts to US$ (insert the equipment/recurring cost from
budget), while the estimated staffing cost is US$ (insert staffing cost including travel, DSA, hazard –
staffing costs should clearly highlight the initial deployment costs from the long-term costs).
See Appendix “Budget” for complete cost breakdown by equipment, staff and recurring cost.
The deployment will start/have started on advances from the following sources:
• (insert amount) from the xxx Fund
• (insert amount) from the xxx fund
• …
GOVERNANCE & STAFFING
The project will be implemented under the direct management of (choose function: Operations Officer/
ICT Officer/Regional ICT/Emergency Coordinator).
The staffing plan includes a total of (insert staffing numbers) staff deployed – using a combination of
(list staffing resources, country office personnel re-assigned, regional staff, global roster staff, locally
recruited staff, stand-by partners and private sector partners).
ANNEXES 227
A detailed staffing plan (organogram) including roles and names, for both phases, is attached in Annex
“ICT Organogram”.
SUPPLY & LOGISTICS
The initial response will be achieved using the existing country office contingency equipment. Additional
equipment will be procured from: (include procurement source:
• Local procurement: specify equipment type
• Regional stock: specify equipment type
• ICTD stock: specify equipment type
• Global LTAs: specify equipment type
The procurement of this equipment will be handled by (specify which office will be responsible
all/specific procurements: country office, regional office, ICTD)
This chapter should also describe shipment routes and pre-positioning of the equipment in staging
areas when applicable.
MONITORING & EVALUATION
The office will guarantee that ICT requests from staff are met by implementing real time monitoring
which will be achieve through: daily calls, operational and emergency meetings, weekly conference
calls with the Regional Office and Head Quarters and field trips.
Key performance indicators that will be used to monitor the implementation of the project are as follow:
• Number of Users per common UNICEF operational area.
• Number of registered devices (ex: DHCP leases) per common UNICEF operational area.
• Cost per beneficiary and per device
• Performance against initial baseline (including budget) – not a separate indicator as such but a
measurable milestone to monitor progress
• Sustainability and long-term benefits
• Optimized use of local resources and partnerships
• Adequate resources in place (including staff number and level, funding, etc.)
• Percentage of service availability
• Average bandwidth usage per location
• Cost efficiency and savings resulting from sharing of resources and minimizing service duplication
• Funding distribution
PHASE-OUT/EXIT STRATEGY
Specify how the office will transition from the emergency phase to normal operations, either via the
project closing, a downsizing of operations or the establishment of a permanent office.
Include key activities during transition (ie Internet access discontinuation, equipment to be dismantled
and/or to be submitted for PSB, return of equipment to ICTD stock, etc.), the timeline for each activity
and potential costs, associated risks and how will the process be monitored.
RISKS MITIGATION

(Identify possible risks, their impact, importance and possible mitigation strategies. See below some of
the possible risks or identify any other risks that may be relevant to this particular operation)
Risk Impact Mitigation Strategy

Phase I will be implemented using Country Office equipment stock.
Equipment Additional equipment required for Phase II will make use of ICTD pre-
High
delivery delay stock in Copenhagen and procurement through existing LTAs with
emergency clauses whenever possible.
Deteriorating Evacuation procedure in place. Use of lightweight and transportable ICT
High
security equipment that could be transported to another site.
Request for licenses will be transmitted to local authorities prior to
Local
installations. Any potential issue will be escalated to UNICEF
Regulations High
Representative. The office will also seek for Inter-Agency collaboration
issues
and ETC services.
Custom / transit List of equipment to be shared in advance with the logistics team working
High
delays with customs
Project funding Inter-Agency or ETC arrangements for shared services. Possible
High
limitations downsizing of the ICT services to be provided in Phase II.
Staff Phase I will be implemented by country office ICT personnel. Possible
mobilization or use of local consultants or standby partners. Inter-agency arrangements
Medium
recruitment for shared support.
delays
Changing of Re-use of spare equipment from the country office and/or other
operational Medium emergency sites.
requirements
Local ISP not Use of global service providers and VSAT equipment
able to provide Low
services
Unstable Implementation of a backup VSAT link. Usage of mobile satellite devises.
Low
Internet link
Unstable Dedicated ICT generator. UPS for LAN/WLAN infrastructure. Power over
electricity Low Ethernet Wifi access points and VOIP phones.
access
Lack of staffing Support to be provided by the Regional Office, global ICT roster and/or
capacity in the low standby partners.
country
INTER-AGENCY COLLABORATION
This chapter only applies if inter-agency arrangement such the Emergency Telecoms Cluster is
deployed.
The Emergency Telecommunications Cluster (ETC) will aim at providing Security Telecommunication
and “Internet café” type of connectivity to UN agencies and Cluster partners in the following operational
areas (name of sites).
(name of agency) is the implementing agency responsible for the assessment of security
telecommunications and data-communications needs, preparation of project proposals, establishment
and maintenance of services.
UNICEF will seek to make the best usage of such services by collaborating with the implementing
partner on the following (list arrangements, examples :):
• Share VHF and HF radio configurations to access the common security network
• Use data connectivity as main or backup link via point-to-point wireless links
ANNEXES 229
• Participate in inter-agency / ETC meetings and teleconferences when necessary
• Share UNICEF services when necessary
DETAILS PER SITE
The section below includes details of the services established / to be provided for each of the sites. It
is based on information available as of (insert date) on the sites to be covered, the security phase in
place and the number of staff planned. The “Service available” column indicates whether services and
equipment are available at the moment of writing of this document. The following column, “Provider”
lists the provider of the services (ex: CO stock, LTA supplier, ETC, ISP…).
EXISTING SITE (INSERT NAME)
The office upgrade in (insert location name) will start/started on (insert date), and is continuing to cater
for additional staff arrivals. Services are scheduled for completion by (insert date).
Assumptions:
1. (Insert number) additional staff to the existing (insert number) person team,
2. UN security Level (insert level number),
Planned
Service Availability Provider
for P0
Mobile phones for surge critical staff Yes/No X
Satellite phones for surge critical staff Yes/No X
ICT Help desk capacity increase Yes/No X
Main Internet link upgrade Yes/No X
Backup Internet link upgrade Yes/No X
LAN & WLAN infrastructure upgrade Yes/No X
Printing services upgrade
Emergency Team Site (Sharepoint) Yes/No X

ADDITIONAL SITE X
Assumptions:
1. (Insert number) staff,

2. UN security Level (insert level number),
3. (Dedicated or shared) Office setup
Planned Planned
Service Availability Provider
for PI for PII
Mobile phones for critical staff Yes/No X
Satellite phones for critical staff Yes/No X
BGAN or Thuraya IP for the office Yes/No X
ICT Help desk Yes/No X
Printing / Scanning Yes/No X
Main Internet link Yes/No X
Backup Internet link Yes/No X
Firewall Yes/No X
Team Site (Sharepoint) Yes/No X
LAN & WLAN infrastructure Yes/No X
Voice router & VOIP equipment Yes/No X
Public telephone line Yes/No X
PABX Yes/No X
Audio-conference service Yes/No X
Video-conference service Yes/No X
Servers Yes/No X
Backup Power (generator, solar) Yes/No X
24/7 radio room Yes/No X
VHF base in the office Yes/No X
VHF mobile in the vehicles Yes/No X
VHF handheld for staff Yes/No X
VHF repeater coverage Yes/No X
HF base and antenna in the office Yes/No X
HF mobile in the vehicles Yes/No X
ANNEXES 231
ANNEX F - UN STANDARD CALLSIGNS / SELCALLS
The United Nations have created a standard to uniquely identify individual, agencies and locations
(countries, cities, bases, vehicles…) using HF/VHF networks. The main goals of those standards are
to:
- Increase the safety and security of aid workers and their properties.
- Increase the efficiency of and the communication within the UN and NGO community.
- Identify each base and vehicle with a unique callsign and selcall within one HF/VHF network.
- To convey as much critical information as possible (e.g. the agency a user belongs to, its
location) through the callsign and selcall structure.
- Keep the callsigns as short as possible and easy to use.
- Support NGOs and smaller agencies.
The standardization plan comprises two inter-linked parts:

- A Selcall (selective calling) numbering scheme,
- The allocation of a fixed or mobile personal HF/VHF “callsign”.
Sellcalls and callsigns are based on a number of secondary standards defining the standard call letters
(or abbreviation) for locations, agencies and departments. These secondary standards are described
in next paragraph.
N.B The official call sign, allocated by the ITU, for the UN is 4U i.e. 4UA – 4UZ
If ever questioned by Telecoms authorities about call signs being used then you should quote the ITU
callsign first then the list of callsigns you have created e.g. 4UA AF mobile 3654
LOCATION, AGENCIES AND DEPARTMENTS IDENTIFICATION
To uniquely define each location within one VHF or HF radio network, the United Nations are
maintaining a database containing the identifiers for each country and city where humanitarian
organizations are operating. The full document is available is the flash drive ( ►Sell Call and Call sign
list Nov 2011.xlsx) and following is an extract:
Country Country City/base Location

Country Region City/base
Identifier Id Identifier Id
Afghanistan Alpha 1 2 Andkhoy Quebec 17
Afghanistan Alpha 1 2 Badghis Victor 22
Afghanistan Alpha 1 2 Bamian Bravo 02
Afghanistan Alpha 1 2 Chaghcharan November 14
…. … … … … … …
Colombia Charlie 5 4 Barranca Bermeja Juliet 10
Colombia Charlie 5 4 Bogota Bravo 02
Colombia Charlie 5 4 Bucaramanga Golf 07
…. … … … … … …
Uganda Uniform 1 1 Bundibyogio Bravo 02
Uganda Uniform 1 1 Fort Portal Foxtrot 06
Uganda Uniform 1 1 Gulu Golf 07
…. … … … … … …
Figure 203 - Extract of Location's Database
Similarly, humanitarian organizations having a large presence in a location are identified with single call
letter. UN agencies have permanent worldwide call letters while NGOs are assigned letters depending
on the needs in a specific location. Following is the list of the main agencies call letters:
Numerical Numerical
Agency Id Assigned Agency Agency Id Assigned Agency
sequence sequence

01 Alpha FAO (Agriculture) 14 November
02 Bravo Worldbank (Bank) 15 Oscar OCHA/UNDAC
03 Charlie UNICEF (Children) 16 Papa UNOPS (Projects)
04 Delta UNDP (Development) 17 Quebec FALD/UNDPKO
05 Echo UNESCO (Education) 18 Romeo UNHCR (Refugees)
06 Foxtrot WFP (Food) 19 Sierra UNDSS (Security)
07 Golf 20 Tango
08 Hotel WHO (Health) 21 Uniform UN Secretariat
09 India 22 Victor
10 Juliet 23 Whiskey
11 Kilo 24 X-ray NGOs
12 Lima 25 Yankee NGOs
13 Mike IOM (Migration) 26 Zulu NGOs
Figure 204 - Identifying Agencies
Finally most commonly used departments within an agency are defined by a call number system as
follow:
1 = Management and miscellaneous senior staff

2 = Finance and administration
3 = Logistics
4 = Programs
5 = Security
6 = Agency defined
7 = Drivers / Transport
8 = ICT / Technical Services
9 = Visitors
Of course, dedicated prefixes should only be used for departments or user groups large enough to
justify a dedicated prefix. Note that department’s numbers are only used for VHF callsigns.
All locations, agencies and departments identifiers are used with the call sign and selcall structure as
explained in the following paragraphs.
ANNEXES 233
VHF CALLSIGN ASSIGNEMENT
A callsign is a code used to name individual or entities when discussing on the network. When using
VHF, one usually wants to communicate with an individual, a base or a vehicle:
VHF Callsigns for individuals
B – C – X – YZ
Where B = city/base identifier (figure 28), C = agency identifier (figure 29),

X = department identifier, YZ = number within the department assigned by the agency
Notes:
- For ‘YZ’, it is advisable to introduce a numbering system that reflects the reporting line within the
organisation.
- ONLY use a single digit and avoid the ‘0’ as a department/group or staff identifier
- The numbering after the first digit is free for each agency to define, for each individual operation.
Examples:
- Bravo Romeo 3 = UNHCR Baghdad Head of Logistics
- Bravo Romeo 3.1 = UNHCR Baghdad warehouse supervisor
- Bravo Romeo 3.11 to 3.19 = UNHCR Baghdad warehouse staff
- Kilo Charlie 5 = UNICEF Kampala Security officer
- Hotel Papa 8.11 to 8.19 = WHO Prishtina (Kosovo) ICT staff
Notes:
- The ‘dots’ in the calls are not to be pronounced.
- Each number is pronounced individually (e.g. Papa Delta Three One One, not Papa Delta Three
Eleven).
If a VHF network covers more than one country or in cross border operations, it is advised that a full
regional callsign is used:
A – B – C – X – YZ
(Where A = Country identifier, B = city/base identifier, C = agency identifier,

X = department identifier and YZ = number within the department)
VHF Callsigns for bases

B – C + “Base”
Where B = city/base identifier (figure 28), C = agency (figure 29)

Example: UNICEF base in Kampala, Uganda = KC Base (spelled as Kilo Charlie Base)
If a VHF network covers more than one country or in cross border operations, it is advised that a full
regional callsign is used:
A – B – C + “Base”
(Where A = Country identifier, B = city/base identifier, C = agency identifier)

Note: If more than one base per agency is operational in the same location then a number is added, for
example A-B-C Base1, 2, 3 etc
VHF Callsigns for mobiles
A - C + ‘mobile’ +XYZZ
Where A = Country identifier (figure 14), C = agency (figure 15),

XY = Numerical sequence for the agency +30/60 (figure 15),
ZZ = the mobile number is any unique identifier each agency assigns to the car.
Examples:
- UNICEF vehicle #13 in Uganda: “Uniform Charlie Mobile 3313”
- FAO vehicle #53 in Colombia: “Charlie Alpha Mobile 3153”
- WFP vehicle #117 in Afghanistan: “Alpha Foxtrot Mobile 6617”
VHF SELCALL ASSIGNMENT (SELECT 5)

Similarly to selcalls in HF, VHF selcall number used to reach a particular radio. However, due to
limitations of analogue VHF networks, the selcall number is only used to “ring” the destination; once the
destination press the PTT (push-to-talk button), communication is received by all radios in the network.
The standard 9 digit VHF selcall is represented as follow:
1 + A - BC - DE - F - GH
1 is the select-V feature indicating a call

A is the one digit number identifying the country within the region (figure 28)
BC is the two digit location identifier (figure 28)
DE is the two digit agency identifier (figure 29)
F is the one digit department number
GH is the two digit personnel identifier
Example: UNICEF ICT Officer in Bogota (Colombia), Bravo Charlie 8, “150203801”
Note: Vehicles are typically not identified with VHF callsigns but some operations may require this. If so
we recommend: A – C + “Mobile” + XXX
A=country, C=agency, XXX=unique identifier assigned to the vehicle (1-999 theoretically)
Example: UNICEF vehicle #13 in Uganda  Uniform Charlie Mobile 13
ANNEXES 235
HF SELCALL ASSIGNMENT
Main HF suppliers and various UN agencies collaborated to implement a six digit selective calling
(selcall) protocol in all newly manufactured HF radios. The selcall number is then entered in the
transceivers to reach a particular destination. An easy analogy to HF selcalls is the numbering system
used in phone networks.
A standard six digit HF selcall is represented as follow:
A-B-CD-EF
Selcall assignment for base stations:

A is the one digit number identifying the region where the base is located (figure 14)
B is the one digit number identifying the country within the region (figure 14)
CD is the two digit numerical sequence used the agencies (figure 15)
EF is the two digit numerical sequence used for the location ID (figure 14)
Example:
- WFP base in Kampala (Uganda), Kilo Uniform Foxtrot, “110611”
- UNICEF base in Bogota (Colombia), Charlie Bravo Charlie, “540302”
- FAO base in Bamian (Afghanistan), Alpha Alpha Bravo, “120102”
Selcall assignment for mobiles:
A is the one digit number identifying the region where the base is located (figure 14)
B is the one digit number identifying the country within the region (figure 14)
CD is the two digit numerical sequence used the agencies (+ 30/60) (figure 15)
EF is the two digit numerical sequence used for the location ID (figure 14)
Notes: In the mobile numbering plan each agency is allocated selcalls for two fleets of 90 vehicles
(avoiding “0” as the last digit as this may cause a group call on certain type of radios). If a particular
agency requires a larger fleet allocation, one of the unused fleet numbers from 27-30, 57-60 or 87-98
can be allocated.
Example:
- WFP mobile #15 in Uganda is 113615

- UNICEF mobile #23 in Uganda is 113323
- UNHCR mobile #32 in Togo is 764832

ANNEX G – PROCEDURES FOR RADIO COMMUNICATIONS
EXAMPLE OF HOW NOT TO USE A RADIO

Read the following extract of a radio conversation and write down what you see is wrong.
Fred: Hello Ahmed, How are you?
Ahmed: Hello Fred, I’m fine thanks.
Fred: Any security information in your place?
Ahmed: Well, there was more shooting last night, its fine now though.
Fred: OK, is it still OK for me to come to Huambo today?
Ahmed: Yes, no problems, which route are you taking?
Fred: I’m planning to go the back road to you via the small bridge
Ahmed: OK, can you bring me some cash?
Fred: How much do you need?
Ahmed: $2000
Fred: Did you say $2000?
Ahmed: Yes
Fred: OK
Ahmed: What time can I expect you
Fred: Around 3pm, I’ll call you when I leave town and when I pass the small bridge
Ahmed: Thanks, see you later
GENERAL INSTRUCTIONS FOR TRANSMITTING

Following are general advises to consider before transmitting over a radio network:
- Decide what you are going to say ensuring it will be clear and brief;
- Make sure no-one else is speaking on the net before you start;
- Remember to divide your message into sensible phrases, make pauses and maintain a natural
rhythm to your speech;
- Avoid excessive calling and unofficial transmissions;
- Use standard pronunciation. Emphasize vowels sufficiently. Avoid extreme of pitch, speak in a
moderately strong voice, do not shout.
- Keep a distance of about 5 cms between the microphone and your lips. Shield your microphone
from background noises.
ANNEXES 237
PHONETICS AND PROCEDURE WORDS
An international phonetic alphabet is used to spell out words and acronyms so that critical combinations
of letters and numbers can be pronounced and understood by those who transmit and receive voice
messages by radio regardless of their native language.
In some countries letters like India, Whiskey and Yankee are considered to be unsuitable. Therefore
substitutes can be used from other phonetic alphabet variations e.g. Indigo, William, Young
Letters are as follows
Numbers are as follows
In general numbers are transmitted digit by digit except that exact multiples of hundreds and thousands
are spoken as such. For example:
12: ONE TWO
90: NINE ZERO
136: ONE THREE SIX
500: FIVE HUNDRED
7000: SEVEN THOUSAND
16000: ONESIX THOUSAND
19A: ONE NINE ALFA
Following is a list of the most common pro-words to be used and their meaning:

PROWORD MEANING
PROWORD MEANING
ACKNOWLEDGE! Confirm that you have received the SILENCE - SILENCE - Cease all transmissions on this net
message and will comply (WILCO) SILENCE! immediately. Will be maintained until
AFFIRMATIVE Yes/Correct lifted.
NEGATIVE No/Incorrect SILENCE LIFTED Silence is lifted. The net is free for
ALL AFTER…. Everything that you (I) transmitted after traffic.
….. (keyword) END OF MESSAGE This concludes the message just
OVER (OUT) transmitted (and the message
ALL BEFORE Everything that you (I) transmitted instructions pertaining to a formal
before …. (keyword) message)
CORRECT (THAT IS What you have transmitted is correct,
CORRECT) you are correct. END OF TEXT The textual part of a formal message
ends. Standby for the message
CORRECTION a. An error as been made in this instructions immediately following.
transmission. I will continue with the FETCH….! I wish to speak on the radio to that
last word (group) correctly transmitted. person (appointment title).
b. An error has been made in this
transmission. The correct version is… … Speaking Requested person is now using the
c. That which follows is a corrected radio by himself
version in answer to your request for FIGURES Numeral or numbers will follow. (This
verification. proword is not used with the callsigns,
time definitions, grid references,
WRONG Your last transmission was incorrect. bearings, distances, etc)
The correct version is.... FROM a. THIS IS….
DIREGARD THIS This transmission is an error. b. The originator of this formal
TRANSMISSION - Disregard it. (This proword shall not be message is indicated by the address
OUT used to cancel any message that has designation immediately following.
been already completely transmitted
and for which receipt or TO The addressees whose designations
DO NOT ANSWER - Station(s) called are not to answer this will immediately follow are to take
OUT call, acknowledge this message, or action on this formal message.
otherwise transmit in this connection.
THIS IS… This transmission is from the station
whose designation immediately
follows.
MESSAGE I have message for you.
MESSAGE FOLLOWS A formal message which requires

recording is about to follow.
OVER This is the end of my turn of
transmitting. A response is expected.
ANNEXES 239
PROWORD MEANING PROWORD MEANING
OUT This is the of my transmission to you. ROGER I have received your last transmission
No answer or acknowledgement is satifactorily.
expected.
OUT TO YOU Do not answer, I have nothing more to

ROGER SO FAR? Have you received this part of my
you, I shall now call some other station message correctly?
on the net. WILCO I have received your message,
READ BACK! Repeat the entire following understand it, and will comply. (to be
transmission back to me exactly as used only by addressee) ROGER or
received. WILCO are never used together.
UNKNOWN STATION The identity of the station calling or with
I READ BACK The following is my reply to your
request to read back.
whom I am attempting to establish
SAY AGAIN! a. Repeat all of your last transmission. communication is unknown.
B. Followed by identification data ALL VERIFY Verify the entire message (or portion
AFTER, ALL BEFORE, WORD indicated) with the originator and send
AFTER, WORD BEFORE etc, it verified version. To be used only at
means: Repeat… (portion indicated). discretion of or by the addressee to
which the questioned message was
I SAY AGAIN I am repeating my transmission or
portion indicated. directed.
SEND! Go ahead with your transmission. I VERIFY That which follows has been verified at
your request and is repeated. To be
SEND YOUR Go ahead, transmit: I am ready to copy used only as a reply to VERIFY.
MESSAGE! WAIT-WAIT-WAIT I must pause for a second
… SPEAK SLOWER! Reduce the speed of your
transmission. (normally used in
connection with request for repetition) WAIT-OUT I must pause longer than some
I SPELL I shall spell the next word, group or seconds, and will call you again when
equivalent phonetically. ready.
RELAY TO… Transmit the following message to all WORD AFTER… The word of the message to which I
addressees or to the address have reference is that which follows…
designation immediately following.
RELAY THROUGH… Send this message through

WORD BEFORE… The word of the message to which I
callsigns… have reference is that which
THROUGH ME I am in contact with the station you are precedes….
calling, I can act as a relay station. WORDS TWICE Communication is difficult.
Transmit(ting) each phrase (group)
MESSAGE PASSED Your message has been passed to….
twice. This proword can be used as an
TO…
order, request or as information.
Example of conversation:
- ALFA – THIS IS CHARLIE – MESSAGE – OVER

- FROM ALFA – SEND – OVER
- THIS IS CHARLIE – WATCH OUT FOR FALLEN ROCKS ON ROAD BIRKET – I SPELL –
BRAVO INDIA ROMEO KILO ECHO TANGO - BIRKET – OVER
- FROM ALFA – WILCO – OUT

RADIO CHECKS, SIGNAL STRENGTH AND READABILITY
The following phrases are for use when initiating and answering queries concerning signal strength and
readability:
RADIO CHECK: What is my signal strength and readability, how do you read me?
YOU ARE (I READ YOU): signal strength and readability is as follow:
Reports of signal strength:

LOUD – Signal is excellent
GOOD – Signal is good
WEAK – I can hear you only with difficulty
VERY WEAK – I can hear you only with great difficulty
NOTHING HEARD – I cannot hear you at all.
Reports of readability:
CLEAR – Excellent quality
READABLE – Good quality
DISTORTED – I have troubles reading you
WITH INTERFERENCE – I have trouble reading you due to interference
NOT READABLE – I can hear that you transmit but I cannot read you at all
Example of radio check:

UNIFORM CHARLIE MOBILE 3313 this is UNIFORM KILO CHARLIE – RADIOCHECK – OVER
This is UNIFORM CHARLIE MOBILE 3313 – YOU ARE LOUD AND CLEAR – OVER
This is UNIFORM KILO CHARLIE – I READ YOU LOUD AND CLEAR - OUT
ANNEXES 241
GLOSSARY
Alternating Current, an electric current that reverses its direction many times a second at regular intervals, typically
AC
used in power supplies
ALE Automatic Link Establishment. In HF is a system that automatically selects the best frequency.
Amplitude Modulation. The modulation of a wave by varying its amplitude, used chiefly as a means of radio
AM
broadcasting, in which an audio signal is combined with a carrier wave
Access Point. A type of base station that wireless LANs use to interface wireless users to a wired network and
AP
provide roaming throughout a facility.
Business Continuity / Disaster Recovery. Process, policies and procedures related to preparing for recovery or
BC/DR
continuation of technology infrastructure critical to an organization after a natural or human-induced disaster.
Business Continuity Planning, identifies an organization's exposure to internal and external threats and synthesizes
BCP hard and soft assets to provide effective prevention and recovery for the organization, while maintaining competitive
advantage and value system integrity
Bit Error Ratio. The rate at which erroneous Bits are received over a link, expressed as a proportion of the overall
BER
bit rate.
BGAN Mobile satellite terminal offering voice and high-speed Internet access, up to 492kbps.
Bit Smallest information unit. A bit can be 0 or 1.
Basic Service Set, is an IEEE 802.11 definition of a managed wireless network that comprises a single access
BSS
point and its wireless devices.
Block Up Converter. Used in the transmission or uplink of satellite signals, a BUC used on an antenna converts a
BUC
band or block of frequencies from a lower frequency to a higher frequency on a Ka, Ku, or C band satellite.
The C band is a name given to certain portions of the electromagnetic spectrum, including wavelengths of
microwaves that are used for long-distance radio telecommunications. The IEEE C-band (4 GHz to 8 GHz) - and
C Band
its slight variations - contains frequency ranges that are used for many satellite communications transmissions,
some Wi-Fi devices, some cordless telephones, and some weather radar systems.
C/N Carrier to Noise Ratio. Ratio of received carrier power and noise power in a given bandwidth, expressed in dB.
CallSign Unique designation for a transmitting station
CALM Codan Automated Link Management (CALM) is a function that automates the selection of channels. (See ALE)
UNICEF core commitments for children in emergencies. CCCs contains minimum requirements also for the ICT
CCC
preparedness and response
CCNA Cisco Certified Network Associate certification from Cisco
Code Division Multiple Access. A process where each user modulates their signals with a different, noninterfering
CDMA
code.
American multinational corporation that provides server and desktop virtualization, networking and cloud computing
Citrix
technologies
Command Line Interface: a user interface in which you type commands instead of choosing them from a menu or
CLI
selecting an icon
CO UNICEF Country Office
Codan Manufacturer and UNICEF LTA provider of standard HF radio equipment
CPS Motorola Customer Programming Software, is the only way to program Motorola two-way radios.
CVG Company manufacturing UNICEF's ETR1 kits. UNICEF holds a Long Term Agreement (LTA) with CVG.
CW Continuous Wave. An electromagnetic wave, esp. a radio wave, having a constant amplitude.
Protocol to control the access of packet-radio transmitters to the frequency channel they share. The user stations
(DAMA-slaves) must transmit only if they get the permission by the central node (DAMA-master). This makes it
DAMA
possible that all stations controlled by a DAMA master are priviledged equal. DAMA was developed by Nord<>Link
for Packet-Radio and is standard in Europe but not in most other countries.
Danimex UNICEF's LTA provider for VHF/UHF equipment
Decibel: a logarithmic unit of sound intensity; 10 times the logarithm of the ratio of the sound intensity to some
Db
reference intensity
The decibel watt or dBW is a unit for the measurement of the strength of a signal expressed in decibels relative to
one watt. It is used because of its capability to express both very large and very small values of power in a short
dBw
range of number; e.g., 1 milliwatt = −30 dBW, 1 watt = 0 dBW, 10 watts = 10 dBW, 100 watts = 20 dBW, and
1,000,000 W = 60 dBW.
DC Direct Current. An electric current that flows in one direction steadily.
Dynamic Host Configuration Protocol. A protocol that automatically assigns unique IP parameters (adress, mask,
DHCP
gateway, DNS…) within an assigned range to network devices.
In computer security, a DMZ, or demilitarized zone is a physical or logical subnetwork that contains and exposes
DMZ
an organization's external services to a larger untrusted network, usually the Internet.
Domain Name Server, the system that automatically translates Internet addresses to the IP addresses that
DNS
computers use

Direct Ordering. Procurement process using LTAs that save time and resources by eliminating the need of repeated
DO/LTA bidding and discussions around contractual terms and conditions, and can thus subsequently lead to shorter
delivery lead time
Designated Officer. In each country or designated area where the United Nations is present, the senior-most United
DO/
Nations official is normally appointed in writing by the Secretary-General as the Designated Official for Security,
Security
and accredited to the Host Government as such.
Direct-Sequence Spread Spectrum. A type of spread spectrum where a spreading code increases the signal rate
DSSS
of the data stream to diffuse the signal over a wider portion of the frequency band
Eb/N0 (the energy per bit to noise power spectral density ratio) is an important parameter in digital communication
or data transmission. It is a normalized signal-to-noise ratio (SNR) measure, also known as the "SNR per bit". It is
EbNo
especially useful when comparing the bit error rate (BER) performance of different digital modulation schemes
without taking bandwidth into account.
Equivalent Isotropically Radiated Power. Amount of power that a theoretical isotropic antenna (which evenly
EIRP distributes power in all directions) would emit to produce the peak power density observed in the direction of
maximum antenna gain.
Emerging Markets Communications, Inc is UNICEF's WAN provider. The company handles an hybrid global
EMC
satellite and terrestrial communication network.
EPRP Emergency Preparedness and Response Plan
Emergency Supply List is developed by UNICEF's Supply Division and includes the most essential items for
ESL
different types of emergencies. Those items are held in Copenhagen's stock.
Extended Service Set. A wireless LAN service composed of two or more BSSs with APs as defined by the IEEE
ESS
802.11 standard.
Emergency Telecoms Cluster. At the global level, ETC is led by WFP, who also serves as security and datacoms
service provider of last resort, and typically will lead the coordination of ICT in major emergencies. At the local
ETC level, the ETC lead agency can be WFP or another agency found to be well suited to take lead. As an ETC member,
UNICEF ICT should be ready to support ETC at the local level, and serve as ETC service provider when natural
and required
Emergency Telecoms Response kit number 1: Contains MSS and all necessary equipment to rapidly implement a
ETR-1
small office/team communications needs
Emergency Telecoms Response kit number 2: Contains iDirect VSAT + Network components for medium
ETR-2 sized/short-term office and all necessary equipment to rapidly implement a small office/team communications
needs
Emergency Telecoms Response kit number 3: Contains EMC VSAT for corporate connectivity + network
ETR-3
components for full office
Emergency Telecoms Training. Annual event organized by UNICEF aiming to prepare ICT staff to respond to
ETT
UNICEF's emergencies.
FDMA Frequency Division Multiple Access. A multiple access method in which the bandwidth is divided into channels.
Forward Error Correction. A method of error correction at the receiver end in a one-way data transmission. Error
FEC
correction bits are added to the signal so it can be reconstructed in case of corruption.
Frequency Hopping Spread Spectrum. A type of spread spectrum where the transceiver hops from one frequency
FHSS to another, according to a known hopping pattern, to spread the signal over a wider portion of the frequency band.
Older 802.11 wireless LANs utilize frequency hopping.
FM Frequency modulation. The modulation of a radio or other wave by variation of its frequency.
Frequency Shift Keying. A modulation process that makes slight changes to the frequency of the carrier signal to
FSK
represent information in a way that's suitable for propagation through the air.
Free Space Loss. is the loss in signal strength of an electromagnetic wave that would result from a line-of-sight
FSL
path through free space (usually air), with no obstacles nearby to cause reflection or diffraction
Figure of merit for satellite antennas similar to signal to noise ratio. Stands for gain/ temperature, where
G/T
temperature is the noise temperature in Kelvin.
G7-P3 Understand G7 to P3. United Nation's professional classification for job levels.
Is Inmarsat's previous generation of mobile satellite devises. Used to deliver ISDN (up to 64kbps), MPDS (shared
GAN M4
20Kbps) and voice.
GEO Geosynchronous Earth Orbit. An orbit that allows a satellite to remain fixed above a certain spot on earth.
GLONASS The Russian Global Navigation Satellite System is similar in operation to the GPS
GM/GP Motorola's two way radio series for vehicle (GM) and handhelds (GP)
Geomobile Packet Radio Services is a communication protocol for mobile satellite services such as Thuraya
GmPRS
allowing up to 148kbps.
Global Positioning System. An MEO public satellite system consisting of 24 satellites and used for navigation and
GPS
geolocalisation.
Global System for Mobile Communications, standard set to describe protocols for second generation (2G) digital
GSM
cellular networks used by mobile phones.
Global Satellite Phone Service is an Inmarsat standard used for basic voice and data communications with an
GSPS
IsatPhone Pro.
High Frequency, shortwave radio: Operating from 2-30MHz, useful for long-range communications (100-2,000km
HF
or more)
HPA High Powered Amplifier. An earth station device that amplifies the modulated carrier for its voyage to the satellite.
iDirect VSAT standard offering Internet access globally at fixed cost.
IEC IEC Telecoms is UNICEF's LTA provider of Thuraya equipment and services.
GLOSSARY 243
Institute of Electrical and Electronics Engineers. Non profit organization that establishes standards for the data
IEEE
communications industry, especially for LANs.
IFL Inter Facility Link. The link between an antenna and its associated ground communications equipment.
International Protection rating that describes the protection a fitting has from intrusion of solid and liquid material
IP54
(54 = limited dust ingress and water spray protection from all directions)
International Protection rating that describes the protection a fitting has from intrusion of solid and liquid material
IP65
(65 = totally protected against dust and low pressure jets water)
IP (Internet Protocol) PBX (Private branch exchange). Business telephone system designed to deliver voice or
IPBX
video over a data network and interoperate with the Public Switched Telephone Network (PSTN)
IP Security. A protocol that supports secure exchange of packets at the network layer of a network. IPSec is
IPSec commonly implemented in VPNs and encrypts data packets across the entire network; often referred to as end-to-
end encryption.
Iridium
Is a 2.4 kbps dial up Iridium service allowing users to connect to email (ccmail)
/PPP
iSite Is the default software used to configure iDirect modems
ICTD UNICEF's Information Technology Solutions and Services department based in New York Head Quarters
A portion of the RF spectrum located between 10.9 GHz and 17 GHz, a part of which is dedicated to satellite
Ku Band communications. Satellite downlink frequencies are located between 11.7 GHz and 12.2 GHz and uplink
frequencies are located between 14 GHz and 14.5 GHz.
Left/Right Handed Circular Polarization. Polarization of an electromagnetic wave where the tip of the electric field
L/RHCP
vector, at a fixed point in space, describes a circle as time progresses.
LEO Low Earth Orbit. An orbital altitude typically around 350 - 1400 km above the Earth's surface.
Low Noise Amplifier. Equipment that receives the satellite signal reflected by the antenna and amplifies it to the
LNA
level needed by the satellite receiving equipment.
LNB Low noise blocker, a circuit on a satellite dish that selects the required signal from the transmission
Line of Sight. Straight line between the transmitter and the receiver. The line between the two needs to be clear,
LOS
as anything blocking the path will result in a signal disruption.
Long Term Agreement. Agreement between UNICEF and a supplier or service provider to provide goods or
LTA
services as required, over a specific period of time, at determined price.
Media Access Control address (MAC address). Unique identifier assigned to network interfaces for
MAC
communications on the physical network segment.
Medium Earth orbit. A satellite system used in telecommunications. MEO satellites orbit the earth between 1,000
MEO
and 22,300 miles above the planet's surface.
Multiple-Input and Multiple-Output. Use of multiple antennas at both the transmitter and receiver to improve
MIMO
communication performance.
MiniM Inmarsat's previous generation of mobile satellite devises. Used to deliver voice and 2.4kbps data.
Minimum Operating Security Standards. A generic document that sets the minimum operating security standards
MOSS
for United Nations field operations globally.
Motorola Manufacturer of UNICEF/UN standard VHF and UHF radio equipment
MoU Memorandum of Understanding. Document describing a bilateral or multilateral agreement between parties.
MSK Minimum shift keying. Type of continuous-phase frequency-shift keying that was developed in the late 1960s.
MSS Mobile Satellite Services (BGAN, Thuraya, Iridium, etc.)
Network Address Translation. A protocol that maps official IP addresses to private addresses that may be in use
on their internal networks. For example, a broadband Internet service provider may offer only one official IP address
NAT
to a home owner. NAT, along with DHCP, enables the homeowner to have multiple PCs and laptops sharing the
single official IP address.
NGT Codan New Generation Transceiver. Family of Codan HF radios for bases and vehicles.
Network Policy Server. Microsoft's implementation of a Remote Authentication Dial-in User Service (RADIUS)
NPS server and proxy in Windows Server. It performs centralized connection authentication, authorization, and
accounting for many types of network access, including wireless and virtual private network (VPN) connections.
NSP NGT System Programmer. Codan's software used to configure and program NSP radios.
Near Vertical Incidence Skywave. A wave that is reflected from the ionosphere at a nearly vertical angle and that
NVIS is used in short-range communications to reduce the area of the skip zone and thereby improve reception beyond
the limits of the ground wave.
NYHQ UNICEF's New York Head Quarters
Outdoor Unit. Equipment located outside of a building close to the satellite dish or antenna and typically includes,
ODU
a low noise block converter (LNB), and a block-up-converter (BUC).
Orthogonal Frequency Division Multiplexing. A type of modulation technology that separates the data stream into
OFDM a number of lower-speed data streams, which are then transmitted in parallel. Used in 802.11a, 802.11g, and
powerline networking.
On the Job Training. Advance UNICEF's emergency telecoms curiculum for standby partners, held in a field
OJT
location and usually 3 weeks long.
Port Address Translation. A feature of a network device that translates TCP or UDP communications made
PAT
between hosts on a private network and hosts on a public network.

Private Line or Digital Private Line. Lets the user receive only the calls accompanied by the radio's code and to
PL/DPL place calls only to those that accept the code. This helps eliminate disruptive conversations of others who may be
sharing radio frequencies.
Provider of Last Resort. Term used in the humanitarian cluster approach, where a specific agency is mandated to
PoLR provide a service when no local capacity is available. Ex: WFP is PoLR for data and security communication
services for the emergency telecoms cluster (ETC)
POP3
Protocols for receiving e-mail.
/IMAP
PROMS and VISION are UNICEF' enterprise resource planning (ERP) softwares for running payments, orders,
PROMS
inventory, accounting, and logistics. PROMS was replaced by VISION which runs on SAP and was rolled out to all
/VISION
UNICEF offices in 2012.
PSU Power Supply Unit. Module that converts mains electricity into the DC voltages.
PTT Push To Talk. The switch on a subscriber unit which, when pressed, causes the subscriber unit to transmit.
PuTTY Free and open source terminal emulator application which can act as SSH, Telnet and serial console client.
QAM QAM. A modulation technique, using variations in both signal amplitude and phase to convey information.
Quality of Service. The concept of reserving selected network resources and characteristics in order to provide a
QoS certain degree of dependability and performance for high bandwidth continuous transmission applications such as
video and multimedia information.
Quadrature Phase Shift Keying. Digital modulation scheme that conveys data by changing, or modulating, the
QPSK
phase of a reference signal (the carrier wave).
RCICT UNICEF's Regional Coordinator of ICT
Radio Frequency. Also used generally to refer to the radio signal generated by the system transmitter, or to energy
RF
present from other sources that may be picked up by a wireless receiver.
Radio Frequency Interference. A non-desired radio signal which creates noise or dropouts in the wireless
RFI
communication.
RG-6 Common type of coaxial cable used in a wide variety of communication applications
RO UNICEF Regional Office
Received Signal Strength Indicator. Indicates the intensity of the received signal. It is output by the receiving
RSSI
equipment.
RTT Round-trip time. The total time required for a packet to traverse a network to its destination and back again.
Room-temperature vulcanizing, a term for rubber compounds that solidify and stabilize at room temperature. RTV
RTV
rubber is a two-part mixture that is commonly used to make molds for garage kits.
Rx/Tx Common abbreviations for "receive" and "transmit"
Satellite Access Station, also refered as teleport. A center providing interconnections between different forms of
SAS
telecommunications, esp. one that links satellites to ground-based communications
SCPC Single Channel Per Carrier refers to using a single signal at a given frequency and bandwidth.
Selective Calling. Squelch protocol used in radio communications systems, in which transmissions include a brief
SelCall burst of sequential audio tones. Receivers that are set to respond to the transmitted tone sequence will open their
squelch, while others will remain muted.
Select V Motorola's proprietary implementation of SelCall.
Security Management Team. The Security Management Team (SMT) will consist of the Designated Official (DO),
SMT who acts as chair, the head of each United Nations organization present at the duty station. The SMT advises the
DO on all security-related matters.
Simple Network Management Protocol. Protocol used mostly in network management systems to monitor network-
SNMP
attached devices.
Security Risk Assessment. process of identifying those threats which could affect UN personnel, assets or
SRA operations and the UN’s vulnerability to them, assessing risks to the UN in terms of likelihood and impact,
prioritizing those risks and identifying prevention and mitigation strategies and measures.
Single Side Band. A form of amplitude modulation, frequently used on the HF band. SSB is very efficient as it uses
SSB one-half the bandwidth of a standard AM double side band signal. Most SSB signals suppress the carrier, further
improving its efficiency.
Secure Shell. Network protocol that allows data to be exchanged using a secure channel between two networked
SSH
devices.
Service Set Identifier. A unique 32-character network name, or identifier, that differentiates one wireless LAN from
SSID
another.
SSOP Simplified Standard Operating Procedure: UNICEF's procedure to be followed in an emergency.
SWR Standing Wave Ratio, a measure of the effectiveness of an antenna
Transmission Control Protocol. A protocol that establishes and maintains connections between computer devices
TCP
attached to a network. TCP is used in conjunction with IP, which is commonly referred to as TCP/IP.
Time Division Multiplexing. Two or more bit streams or signals are transferred apparently simultaneously as sub-
TDM
channels in one communication channel, but are physically taking turns on the channel.
Time Division Multiple Access. A process that allows only one user to transmit in any given time slot. Each user
TDMA
has use of the entire bandwidth during its assigned time slot.
Network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented
Telnet
communications facility via a virtual terminal connection
GLOSSARY 245
ThurayaIP MSS terminal offering high-speed Internet access, up to 384kbps
Terms of reference, describe the purpose and objectives in a mission. ToRs are required to deploy standby partner
ToR
staff and consultants.
Telecoms Sans Frontieres. Humanitarian-aid non-governmental organization specialised in telecommunications in
TSF
emergency situations.
Traveling Wave Tube Amplifier. High Power RF Frequency Amplifier that works by transferring energy from an
TWTA
electron beam to the RF signal.
User Datagram Protocol. Used to provide fast data transfer between two IP endpoints, but is not as reliable a
UDP
method as TCP.
Ultra High Frequency radio: Operating around 450MHz, useful for short-range communication (5-50km, dep on
UHF
network infrastructure)
UNDSS United Nations Department for Safety and Security
UNICEF United Nations International Children's Emergency Fund, more commonly known as United Nation's Children Fund
Upper/Lower Sideband. Modes of SSB transmission. Band of frequencies higher than or lower than the carrier
USB/LSB
frequency, containing power as a result of the modulation process.
VAC Volt Alternating Current, see AC
Very High Frequency radio: Operating around 150MHz area, useful for short-range communications (5-50km, dep
VHF
on network infrastructure)
A virtual LAN, known as a VLAN, is a logically-independent network. Several VLANs can co-exist on a single
VLAN
physical switch. It is usually refer to the IEEE 802.1Q tagging protocol.
VOIP Voice over Internet protocol, a communications protocol that allows for telephonic communication via the Internet
Virtual Private Network. The use of special software on the client device that controls access to remote applications
VPN
and secures the connection from end to end using encryption.
Very Small Aperture Terminal: Satellite system using antennas of ~1-3.8 meter, for international
VSAT
Internet/email/corporate applications, at fixed cost
Voltage Standing Wave Ratio. The ratio of the maximum/minimum values of standing wave pattern along a
VSWR transmission line to which a load is connected. VSWR value ranges from 1 (matched load) to infinity for a short or
an open load. For most base station antennas the maximum acceptable value of VSWR is 1.5.
VLAN Trunking Protocol (VTP) is a Cisco proprietary Layer 2 messaging protocol that manages the addition,
VTP
deletion, and renaming of Virtual Local Area Networks (VLAN) on a network-wide basis.
VTY Virtual Terminal Line, see Telnet
WAN Wide Area Network: a computer network that spans a wider area than does a local area network
Wired Equivalent Privacy. A part of the 802.11 standard that defines encryption between devices connected to a
WEP
wireless LAN.
WFP World Food Program
Wireless LAN in Disaster and Emergency Response. Ericsson's Response standard ETC solution for WIFI guest
WIDER
user access.
WIFI Wireless Fidelity. A trademark of the Wi-Fi Alliance, commonly used to refer to 802.11g
Worldwide Interoperability for Microwave Access. A wireless technology based on the IEEE 802.16 standard
WIMAX
providing metropolitan area network connectivity for fixed wireless access at broadband speeds.
Wireless Local Area Networks. A network using radio waves instead of a cable to connect a user device, such as
WLAN
a laptop computer, to a LAN
Wi-Fi Protected Access. A security protocol, defined by the Wi-Fi Alliance, that enables computer devices to
WPA periodically obtain a new encryption key. WPA version 1 implements Temporal Key Integrity Protocol (TKIP) and
WEP; whereas, WPA version 2 implements the full 802.11i standard (which includes AES).

NOTES
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
NOTES 247
NOTES
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________

Emergency Telecommunications Handbook PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Emergency Telecommunications Handbook PDF

Uploaded by

Copyright:

Available Formats

EMERGENCY

United Nations Children Fund (UNICEF)

December 2017 Edition (v5.1)

2 EMERGENCY TELECOMS HANDBOOK

Chief Information Officer, UNICEF

Chief, ICTD Operations and Services

4 EMERGENCY TELECOMS HANDBOOK

1 SCOPE AND DEFINITIONS .................................................................................................................... 9

2 EMERGENCY PREPAREDNESS GUIDELINES........................................................................................ 12

3 EMERGENCY RESPONSE GUIDELINES ............................................................................................... 17

CHAPTER 2 – HIGH FREQUENCIES (HF) RADIOS

1 ABOUT HIGH FREQUENCIES.............................................................................................................. 30

2 HF HARDWARE STANDARDS ............................................................................................................ 35

3 DEPLOYING CODAN NGT SRX RADIOS ............................................................................................ 39

4 DEPLOYING CODAN ENVOY X1/X2 RADIOS ....................................................................................... 48

1 ABOUT VHF/UHF ............................................................................................................................ 58

2 HARDWARE STANDARDS .................................................................................................................. 63

3 INSTALLATION BEST PRACTICES ....................................................................................................... 68

4 GM/GP RADIOS PROGRAMMING ....................................................................................................... 70

5 DM/DP RADIOS ANALOGUE PROGRAMMING...................................................................................... 75

CHAPTER 4 – MOBILE SATELLITE SERVICES (MSS)

1 INTRODUCTION TO MOBILE SATELLITE SERVICES .............................................................................. 80

2 HARDWARE AND SERVICE STANDARDS ............................................................................................. 85

3 DEPLOYING MSS TERMINALS ........................................................................................................... 93

6 EMERGENCY TELECOMS HANDBOOK

1 INTRODUCTION TO VSAT TECHNOLOGIES ....................................................................................... 108

2 VSAT HARDWARE STANDARDS ..................................................................................................... 116

3 VSAT SERVICE PLANS .................................................................................................................. 124

4 VSAT INSTALLATION ..................................................................................................................... 126

CHAPTER 6 – IP TECHNOLOGIES (LAN/WAN/VOIP)

1 LAN/WAN ARCHITECTURE PRINCIPLES ......................................................................................... 142

2 LAN HARDWARE STANDARDS ........................................................................................................ 149

3 M ANAGING AND CONFIGURING IP NETWORKS .................................................................................. 151

CHAPTER 7 – IP TECHNOLOGIES (WIFI)

1 INTRODUCTION TO WIRELESS NETWORKS ....................................................................................... 174

2 WLAN HARDWARE STANDARDS .................................................................................................... 189

3 DEPLOYING WLAN SOLUTIONS ...................................................................................................... 191

ANNEX A - CORE COMMITMENTS FOR CHILDREN .................................................................................. 209

Emergency Telecoms Handbook

8 EMERGENCY TELECOMS HANDBOOK

Emergency Telecoms Handbook

1.1 HUMANITARIAN EMERGENCIES

1.2 EMERGENCY MANAGEMENT CYCLE

The emergency threshold refers to the real-

The Response phase (also referred as Early

1.3 CLASSIFYING THE LEVEL OF RESPONSE

10 EMERGENCY TELECOMS HANDBOOK

1.4 ICT STRATEGY IN HUMANITARIAN EMERGENCIES

2.1 COUNTRY RISK INDEX

The resulting InfoRM map, as of January 2016, is as follow:

Figure 2 - InfoRM Risk Index Map

2.2 PREPAREDNESS PLANNING

12 EMERGENCY TELECOMS HANDBOOK

2.3 BUSINESS CONTINUITY

Objectives of a BCP are:

3. Establish clear management procedures, transitions and emergency decision-making authority;

4. Streamline recovery of internal information, processes and systems.

- A Business Risk Assessment and Impact Analysis;

2.4 ICT DISASTER RECOVERY

IT systems are vulnerable to a variety of disruptions triggered by man-made, natural, or environmental

2.5 SECURITY AND MOSS

The country-specific Minimum Operating Security Standards (MOSS) baseline is a UN specific

2.6 TRAINING OF ICT RESPONDERS