Mobility: Connecting Remote Workers TeliaSonera SIP Trunking Deployment
© 2011 Intertex Data AB
Prepared for: Ingate Systems 3 Day Seminar "Unified Communications: SIP Trunking, Video, Collaboration and More", ITEXPO Conference, Austin, September 2011
By: Karl Erik Ståhl, President Intertex Data AB, CEO and Chairman Ingate Systems, [email protected]
Also see Live Demo Presentation from ITEXPO SIP Trunking Summit Miami, February 2011! http://www.ingate.com/files/ITEXPO_Miami_2011_Presentations/Intertex%20-%20UC%20Across%20the%20Borders.pps
What are Mobility and Remote Users?
We certainly want our home workers connected to the company PBX
And the same goes for our road warriors
- at the hotel
- at public WiFi
All should have all PBX services
- Reached by extension number or DID
- Place PSTN calls (displaying correct CallerID)
- Voice mail, conferencing etc.
- Presence, IM, video if supported by the PBX
Call me on my Swedish office number +46 8 12345629 now!
2 slides from Live Demo Presentation from ITEXPO SIP Trunking Summit Miami, February 2011! http://www.ingate.com/files/ITEXPO_Miami_2011_Presentations/Intertex%20-%20UC%20Across%20the%20Borders.pps
[Diagram from the live demo: the INGATE LAN (ingate.com, US, Miami – "THIS LAN" at the SIP Trunk-UC Summit) and the INTERTEX LAN (intertex.se, Sweden) connected over the Internet; cell (3G) and PSTN endpoints reached through SIP/PSTN gateways at SIP Trunk Provider 1 and SIP Trunk Provider 2, with a further endpoint in Japan]
We Saw Mobility and Beyond POTS
Ordinary phone calls reach my laptop across the Ocean!
I can use extension number as connected to the home PBX
And I see presence and can put calls into conference…
I can also: call Sophie in another domain (federate)… even with video… even though she is also remote from the Ingate office (actually she is in the room)… with media going the shortest way (here on the LAN) while signaling goes back to Sweden!
We Saw Mobility and Beyond POTS
All other PBX functionality also works remotely
E.g. IM (Instant Messaging)
But Why are NATs and Firewalls Such Obstacles?
Typical Internet protocols (SMTP, HTTP…) connect a HOST to a SERVER across the Internet.
SIP (and H.323…) connects PERSON to PERSON across the Internet:
- Locate the person
- Set up a session
- Open real time media streams
SIP Does It! – But a Very General Solution is Required
[Diagram: PSTN and the SIP Trunking Provider (GW, SIP System) reach the Data & VoIP LAN (IP-PBX, soft clients and multimedia terminals) over the public Internet through the Intertex IX78 E-SBC; a remote user ([email protected]) is located via DNS for intertex.se]
Intertex IX78 E-SBC: The SIP Proxy in the E-SBC forwards and rewrites the SIP signaling and controls media through its NAT/Firewall.
And there May be More to Consider (Telia Network)…
IX78 E-SBC is a SIP Proxy based Firewall Controlling SIP Signaling and Media
[Diagram: the Multimedia LAN (WiFi, PDA, IP-PBX, SIP Trunk, Remote User) behind the IX78, with TR-069 management, IP-TV/VoD and IMS VoIP each carried on separate WAN pipes (VLANs or ADSL Virtual Circuits) towards the Internet]
The remote user is often behind a remote NAT/FW – SIP Traversal needed. Far End NAT Traversal (FENT) can be enabled in the IX78 E-SBC.
SIP on different WAN pipes must be handled.
Remote Users Require More Security Measures
Remote users to the PBX can be authenticated by the IX78 (also)
Brute Force Attack Protection
Attackers are nowadays trying to find simple passwords by brute force testing. 10 – 100 trials/second have been seen (e.g. SipVicious / friendly-scanner). After 3 trials we pretend all attempts are wrong, so the correct one is never found.
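As an added example (not Intertex code), the lockout described above written as a SIP Digest (RFC 2617 MD5) check at a registrar: after three failed trials from one source every further answer is rejected, including a correct one, so a brute-forcer never learns which guess was right. The realm intertex.se comes from the deck; the extension, password, nonce and per-source-IP keying are constructed assumptions, and since the slide does not say when the lockout expires, this code never clears it by itself.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_TRIALS = 3  # after 3 failed trials every further attempt is treated as wrong

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """SIP Digest response without qop (RFC 2617): MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class LockingRegistrar:
    """Verifies REGISTER digests; after MAX_TRIALS failures a source is locked out."""

    def __init__(self, realm, credentials, max_trials=MAX_TRIALS):
        self.realm = realm
        self.credentials = credentials    # user -> password (constructed store)
        self.max_trials = max_trials
        self.failures = defaultdict(int)  # source IP -> failed trials (assumed keying)

    def check(self, src_ip, user, method, uri, nonce, response):
        """True only for a genuine digest from a source that is not locked out."""
        password = self.credentials.get(user)
        expected = digest_response(user, self.realm, password or "", method, uri, nonce)
        genuine = password is not None and hmac.compare_digest(
            expected.encode(), response.encode())
        if self.failures[src_ip] >= self.max_trials:
            # Locked out: answer exactly as for a wrong password, even when it is
            # right, so a brute-forcer never learns that a guess succeeded.
            return False
        if not genuine:
            self.failures[src_ip] += 1
            return False
        self.failures[src_ip] = 0  # a genuine registration clears the counter
        return True

# Constructed demo: extension 1001 in realm intertex.se, nonce issued by the registrar
REGISTRAR = LockingRegistrar("intertex.se", {"1001": "s3cret-pass"})
NONCE = "2a9c1f"

def attempt(src_ip, guess):
    """One REGISTER attempt from src_ip using `guess` as the password."""
    resp = digest_response("1001", "intertex.se", guess, "REGISTER", "sip:intertex.se", NONCE)
    return REGISTRAR.check(src_ip, "1001", "REGISTER", "sip:intertex.se", NONCE, resp)
```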
…in Addition to e.g. Preventing SIP DoS Attack
Signature Recognition:
If the internal SIP proxy detects known signatures in SIP headers from attackers, it instructs the internal firewall to block the attacking IP address. New signatures can be added manually or provisioned automatically.
SIP Rate Limiting:
If there are more than 20 SIP packets/second from the same IP address, the internal firewall blocks that IP address for 20 seconds and does not respond to that IP address until the SIP packet rate is below 3 packets/second.
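The rate-limiting rule above as an added example (not IX78 code): a per-source sliding one-second window that blocks an IP after more than 20 SIP packets/second, keeps it blocked for at least 20 seconds, and lifts the block only once the rate has fallen below 3 packets/second, so a flood that keeps going stays blocked past the 20 seconds. The addresses and arrival times are constructed.

```python
from collections import defaultdict, deque

BURST_LIMIT = 20      # more than 20 SIP packets/second from one IP triggers a block
BLOCK_SECONDS = 20.0  # the block lasts at least this long
RELEASE_RATE = 3      # ...and is lifted only once the rate is below 3 packets/second

class SipRateLimiter:
    """Per-source-IP SIP packet rate limiter following the rule on the slide."""

    def __init__(self, burst_limit=BURST_LIMIT, block_seconds=BLOCK_SECONDS,
                 release_rate=RELEASE_RATE):
        self.burst_limit = burst_limit
        self.block_seconds = block_seconds
        self.release_rate = release_rate
        self.window = defaultdict(deque)  # ip -> arrival times within the last second
        self.blocked_since = {}           # ip -> time the block started

    def _rate(self, ip, now):
        """Record an arrival and return packets/second seen from ip (sliding 1 s window)."""
        times = self.window[ip]
        times.append(now)
        while now - times[0] >= 1.0:
            times.popleft()
        return len(times)

    def admit(self, ip, now):
        """True if the SIP packet from ip arriving at `now` (seconds) may be answered."""
        rate = self._rate(ip, now)
        if ip in self.blocked_since:
            expired = now - self.blocked_since[ip] >= self.block_seconds
            if expired and rate < self.release_rate:
                del self.blocked_since[ip]   # quiet again: lift the block
                return True
            return False                     # blocked: drop silently, no SIP response
        if rate > self.burst_limit:
            self.blocked_since[ip] = now     # flood detected: start the block
            return False
        return True

def replay(limiter, packets):
    """Feed (ip, arrival_time) pairs in order; return the list of admit decisions."""
    return [limiter.admit(ip, t) for ip, t in packets]

# Constructed trace: 25 packets in under one second from one source, then quiet.
FLOOD = [("203.0.113.5", i * 0.04) for i in range(25)]
```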
Different Types of PBXs are SIP Trunked
[Diagram: three PBX types connected over the SIP Trunk Interface (signaling and media paths shown separately) through the IX78 to the SIP Trunking Provider Network (GW to PSTN, SIP System); the E-SBC functions 1)–5) listed below are marked where each applies]
PBX Type 1.5 – PBX with system phones, Data LAN only.
PBX Type 2 – IP-PBX, VoIP & Data LAN. Few PBXs are of this type. Asterisk with firewall (IPtables/NETfilter) can be compiled and configured this way, but requires a lot.
PBX Type 1 – IP-PBX, VoIP & Data LAN. Modern IP-PBXs are of this type. Media goes directly between phone and SIP Trunk.
But they may not have SIP Phones...
A Good E-SBC Should Provide:
1) NAT/Firewall Traversal – Must NAT to same address space!
2) Basic SIP and Network Interoperability - E.g. Authentication, Registrations, UDP/TLS/TCP, Dynamic IP address, etc.
3) SIP Repair - E.g. Call Transfer, Fragmented packets, Bugs, etc.
4) Features - E.g. Remote Users, Administration (remote and local)
5) Security - LAN/PBX/VoIP network protection, Service attack protection
Remote Users Supported
If the PBX uses SIP compliant phones:
- IX78 E-SBC set up to forward incoming SIP to the PBX. Can use WAN IP address or domain name in the SIP address.
- The E-SBC can authenticate the users.
- Remote users should preferably also be behind an Intertex/Ingate E-SBC for automatic NAT/Firewall traversal.
- If the remote user is behind an ordinary NAT/Firewall (non SIP aware), FENT (Far End NAT Traversal) can be enabled in the IX78 E-SBC.
If non-SIP IP phones are used, the PBX vendor may have some tunneling solution for remote workers:
- The IX78 is not involved.
Standard SIP phones (local or remote) can also be registered directly to the IX78 E-SBC:
- Directly ready for remote users
- The E-SBC will authenticate the users
- Extension numbers can be integrated
- Not all PBX features will be available to such phones
SIP Clients Can be Registered Directly to the IX78 E-SBC
There are many PBXs out there that do not allow Soft Clients, Remote Users or Standard SIP Phones.
[Diagram: PBX with non-SIP phones behind the IX78 E-SBC, which acts as Registrar for soft clients, WiFi and mobile remote users, with numbers integrated]
E-SBCs & SIP Capable Firewalls
Ingate Systems, [email protected], Farley Road, Hollis, NH 03049, United States. Ph: +1 (603) 883-6569, Tel sv: +46 8 6007750
Intertex Data AB, [email protected] 45, SE-174 44 Sundbyberg, Sweden. sip:[email protected], +46 8 6282828
See us at ITEXPO Room 9C!
Ordinary Voice IADs – Good for Telephony Replication…
Telephone ports (FXS) on the CPE are a popular way to deploy IP telephony. By logically placing the SIP clients on the outside of the NAT/Firewall, unreliable work-around methods like STUN, TURN and ICE become unnecessary. However, this only gives POTS replication, often even stopping general SIP based services!
The 5060 SIP-port is just grabbed on the outside to the FXS ports!
Lower level SIP ALGs often cause problems and do not handle more than basic scenarios.
Often problems with, or total lack of:
• SIP to the LAN or WiFi
• Calls between SIP clients on LAN
• Calls between internal ATA ports and LAN clients
• Call transfers, 3-party calls, etc.
• Using SIP generally over the Internet (Operator “took all the SIP”)
(Users must not be deprived of general SIP-functionality!)
Our CPEs are SIP Capable NAT/Router/Firewalls
[Diagram: wired and wireless SIP clients on the LAN behind the Intertex CPE, reaching the Internet and IMS]
Problems solved where they occur
- All Intertex CPEs have a SIP Proxy based SIP aware Firewall/NAT
- General, can handle complex call scenarios and all SIP services
- Wired or wireless SIP clients (phones, soft clients, PDAs)
- No special requirements on the SIP Client – Just standard SIP
- Additional functionality available (SIP server, PBX functionality etc.)
- No battery draining of WiFi mobile phones, otherwise caused by keep-alive packets* inhibiting sleep mode.
* Work-around methods for SIP NAT-traversal like STUN, TURN, ICE and Far End NAT Traversal use frequent keep-alive packets to keep holes in the NAT/Firewall open.