NEC NEC Corporation
Session Border Controller for UC Mobility
Ingate SIParator®
Quick Setup Guide
NDA-31663, Issue 1
Liability Disclaimer
NEC Corporation of America reserves the right to change the specifications, functions, or features, at any time, without notice.
NEC Corporation of America has prepared this document for the exclusive use of its employees and customers. The information contained herein is the property of NEC Corporation of America and shall not be reproduced without prior written approval from NEC Corporation of America.
UNIVERGE is a registered trademark of NEC Corporation. All other brand names and product names referenced in this document are
trademarks or registered trademarks of their respective companies.
© 2015 NEC Corporation of America
Communications Technology Group
Ingate SIParator Quick Guide for MC550 - Issue 1
Contents
Configuring the Ingate SIParator® SBC for MC550
  Ingate SIParator Test General Information
  Ingate Business Account
  PBX & Session Border Controller (SBC) tested
  Conditions and Limitations
  Net Configuration
  Ingate SIParator Programming
Figures
Figure 1-1 MC550 with Ingate SIParator NEC Test Lab Setup
1 Configuring the Ingate SIParator® SBC for MC550
Ingate SIParator® is a device that connects to an existing network firewall to seamlessly enable SIP Communications (Session Initiation Protocol). While traditional firewalls block SIP traffic, including mission-critical applications like Voice over IP, the SIParator resolves this problem by working in tandem with your current security solutions. Ingate SIParators are available in a range of models to meet the needs of the entire enterprise market.
This guide will assist knowledgeable vendors with configuring the Ingate SIParator for MC550 use with the NEC SV8500/SV9500 Communications Server. It also provides sample entries for the required fields.
Ingate SIParator Test General Information
For questions about software and hardware installation or other PBX configuration issues, refer to the corresponding SV8500 or SV9500 Data Programming Manual.
These manuals can be downloaded from NEC's National Technical Assistance Center (NTAC) web site. You must have a valid dealer ID to access the documents.
Ingate Business Account
Contact your Ingate Business representative.
PBX & Session Border Controller (SBC) tested
a) SV8500 S8 4.19 & later
b) SV9500 V1 4.19 & later
c) MC550: 13.0.1073 & later
d) VMWare ESXi: 5.5.0
e) Ingate SIParator: Software Firewall/SIParator 5.0.3
Conditions and Limitations
The Ingate SIParator provides for many different office environments. It can be set as a Stand-alone Session Border Controller (SBC), DMZ, DMZ/LAN, or WAN type, as well as being able to turn the Firewall mode on or off. The NEC MC550 testing performed was done using the SIParator as a Stand-alone SBC. The programming shown in this Quick Guide is for that configuration. For programming information and other documentation for the SIParator to use the SBC in a manner other than the basic Stand-alone, refer to Ingate's support site.
On the SV8500 and SV9500 PBX, the Internal SIP Handler (InSIPH) does not support the RFC3261 Route set specifications. However, the Ingate looks for the Record Route (RR) information in the SDP Answer message before connecting media. As such, until RR support is provided by the InSIPH, the PBX must be set to include SDP in the INVITE to the MC550 station in the PCPro AUACL and AUACN commands.
When assigning the AUACL or AUACN command with PCPro, it is recommended to use the following settings. The MC550 uses “NEC MC550” as the User-Agent. Refer to the table below.
NOTE
The above SV PBX system can be Appliance model/Software model.
CDN  PARAM                                 UAD
1    Register Expires                      600
2    Multi-line Mode                       0
3    Send INVITE with SDP (Note 1)         1
4    Hold Method                           0
5    SIP-INFO                              0
6    Send signal(*,#) of SIP-INFO          0
7    MWI                                   0
8    Name Display                          1
9    Reject Unacceptable reINVITE          0
10   Hold 2nd Call                         0
11   Call Record Memory Clear              0
12   TONE[0]                               FE
13   TONE[1]                               7F
14   Nurse Call Display                    0
15   Distinctive Ringing                   0
16   Notice of URL                         0
17   Notice of Connected Number            0
18   DNIS Notification of INVITE           0
19   DNIS and ANI Notification of INVITE   0
NOTE
1. In the UC Mobility Installation Guide, it shows this parameter must be set to “0”, but for the Ingate SBC connection only, this must be set to “1”.
Net Configuration
Figure 1-1 MC550 with Ingate SIParator NEC Test Lab Setup
Labels shown in the diagram:
Gateways: GW 10.11.10.1, GW 10.11.50.1, GW 10.11.20.1
Switch 10.11.20.0
  NEC ITL Phone x35000: 10.11.20.203
  NEC ITL Phone x35001: 10.11.20.204
  NEC ITL Phone (ITL-32D-1) x65000: 10.11.20.202
  NEC ITL Phone x67000: 10.11.20.202
Switch 10.11.10.0
  Domain Controller (DHCP, DNS, WINS): 10.11.10.230
  Voice Mail Server: 10.11.10.232, x35700 Pilot#
  PBX Mgr / Wireshark: 10.11.10.238
  VMWare ESXi 5.5: 10.11.10.246 (ESXi Server Eth0, ESXi Server Eth1)
    SV9500 V01 4.19: LAN1 – 10.11.10.52, LAN2 – 10.11.10.50, SIP Handler – 10.11.10.51
    V-MGSIP SP-4058 01.05.00.00: LAN1 – 10.11.10.85, LAN2 – 10.11.50.79
  VMWare ESXi 5.5.0: 10.11.10.10 (ESXi Server Eth0, ESXi Server Eth1)
    Ingate SIParator (v5.0.3)
Switch 10.11.50.0
  SV8500 S/W: S8 04.19: LAN1 – 10.11.50.52, LAN2 – 10.11.50.50, SIP Handler – 10.11.50.51
  NEC MG-SIP: MG-SIP128 (on SV8500), SP-4058 01.05.00.00, LAN 1: 10.11.50.85
  Switch 10.11.50.0 is performing this router function. This is not a separate, stand-alone router.
Switch/GW 10.11.70.0
  MC550 x65058: 10.11.70.196, 65058@MC550a.SV8500bc.prv
STATIONS: 3xxxx registered to SV8500, 6xxxx registered to SV9500
Ingate SIParator Programming
There are numerous screens in the SIParator Web GUI for programming. The information below shows only those screens or partial screens where data was changed from the default setting.
The programming steps shown below assume you have already performed the basic installation. Refer to Ingate's document “Ingate SIParator®/Firewall for Virtual Machines” for the initial installation that will enable you to use the SIParator Web GUI to set the following data.
Step 1 Basic Configuration section > Basic Configuration tab > Policy For Ping To the SIParator: The default data is to never reply to ping. It is recommended to set this to reply to ping to all IP addresses during installation. Once installation is completed and the SIParator Session Border Controller (SBC) is operating correctly, you can change this setting so the SBC does not reply to all pings.
Step 2 Basic Configuration section > Basic Configuration tab > DNS Servers: Input the IP Address of the DNS server the SBC should use if needed.
Step 3 Basic Configuration section > Access Control tab > Configuration Transport: Assign the server Ethernet port that is used to access the SBC via HTTP. This parameter will have data assigned from your initial installation in order for you to be using the Web GUI. However, some changes you may make in the Networks Section will void this setting, and you will need to come back here and select the new setting. For example, if this is currently showing the data/name of Ethernet Port 0, and you change the Name at Step 11 below, you will need to come back here and select the new setting.
Step 4 Basic Configuration section > Access Control tab > Configuration Transport: Assign the server Ethernet port that is used to access the SBC via SSH. For our example, we assigned the WAN port to be able to access the SBC via SSH.
Step 5 Basic section > Access Control tab > Configuration Allowed Via Interface: This field shows the server's Ethernet ports that the SIParator discovered during the initial Virtual Machine installation of the SIParator software. While the Active/Inactive state of the Ethernet ports is set in the Network section under the corresponding Eth# tab, this parameter shows you the last state set and allows you to change it. You don't want to set your SBC programming to an Ethernet connection you forgot to turn on.
Step 6 Basic section > Access Control tab > Configuration Computers: Assign the IP address (IPA) of the computer(s) allowed to program the SBC. In our example, we set to allow all IPAs to use both the HTTP & SSH protocols. This is okay for initial setting for getting the SBC up and running. However, it is recommended to “fine-tune” this setting after everything is working. For better security, you may want to allow only one or two specific IPAs for the different Ethernet connections you assigned in this section. If the HTTP, HTTPS, and/or SSH are on different networks, you can click on “Add new rows” to add different IPA access entries for those protocols.
Step 7 Basic Configuration section > SIParator Type tab > Type of SIParator: No default data changes were made here; this step only points out where you would go to change the functionality of the SIParator SBC. It can be set as Stand-alone, DMZ, DMZ/LAN, or WAN type, and the Firewall mode can be turned on or off.
NOTE
The HTTP, HTTPS, and SSH fields each allow only a single server Ethernet connection to be assigned for programming access. We recommend assigning at least two of these protocols for access and using different server Ethernet connections for them. If you assign HTTP only and that server hardware port becomes defective, you have no way to program the SBC to use another server hardware port, even if the server is equipped with more than two Ethernet connections. Best practice would be to have three or more Ethernet connections, where you initially have two for the LAN/WAN connections and use the third as another internal network connection set as HTTPS or SSH. That way, no programming access is set on the WAN side.
Step 8 Network section > Networks and Computers tab > Networks and Computers: Networks and Computers are assigned here. What we show is more than you may require, and is more than the testing required. However, in case you use your SBC for more than the Stand-alone Mode with MC550, it is a good idea to see how this area can be set up.
Some parameters in this SBC allow an item to be entered only once, so you group items in order to need only a single entry. For example, the “Dot(xx)nw” networks may be set to use different Interfaces but you need to assign them within the same surrounding. By grouping them all under “LAN”, you can use “LAN” as the entry for those parameters.
If those “Dot(xx)nw” networks use the same Interface and you are allowing all endpoints on those subnets, as shown in the example, they could all have been made as a single entry with the Lower Limit set to 10.11.10.0 and the Upper Limit set to 10.11.50.255.
The PBX Internal SIP Handler (InSIPH) is listed separately, even though the range 10.11.10.0 - 10.11.10.255 is already defined. That way, if we want to set any parameters specifically for the InSIPH that we may not want to apply across the entire subnet, we can use “InSIPH” or its IPA in those parameters instead of “LAN” or “Dot10nw”.
Keep in mind that this document is just a quick guide to get your Ingate SIParator working for the MC550. It does not go through all the details of how the SBC can be used or how to set its security controls tighter. Refer to the Ingate Support site where there are numerous “How to” guides tailored to specific areas of installation and functionality of the SIParator.
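The trade-off behind the single-entry option in Step 8, as an added example that is not part of the original guide: the Lower Limit/Upper Limit pair 10.11.10.0 to 10.11.50.255 also admits every address that lies between the listed subnets. The “Dot20nw” and “Dot50nw” rows and the InSIPH host address are constructed from the lab diagram's labels and are assumptions about the table's actual rows.

```python
from ipaddress import IPv4Address, summarize_address_range

# Constructed sample rows (name -> (Lower Limit, Upper Limit)); assumptions, not the guide's table.
PER_SUBNET = {
    "Dot10nw": ("10.11.10.0", "10.11.10.255"),
    "Dot20nw": ("10.11.20.0", "10.11.20.255"),
    "Dot50nw": ("10.11.50.0", "10.11.50.255"),
    "InSIPH": ("10.11.10.51", "10.11.10.51"),
}
# The single-entry alternative described in Step 8.
MERGED = {"LAN": ("10.11.10.0", "10.11.50.255")}


def to_int(ip):
    return int(IPv4Address(ip))


def to_networks(lower, upper):
    """Express a Lower/Upper Limit pair as the CIDR blocks it covers."""
    return list(summarize_address_range(IPv4Address(lower), IPv4Address(upper)))


def matching(ip, entries):
    """Names of all entries whose range contains ip, in table order."""
    addr = to_int(ip)
    return [name for name, (lo, hi) in entries.items()
            if to_int(lo) <= addr <= to_int(hi)]


def gaps(wide, entries):
    """Sub-ranges of the wide range that no per-subnet entry covers."""
    lo, hi = to_int(wide[0]), to_int(wide[1])
    spans = sorted((to_int(a), to_int(b)) for a, b in entries.values())
    out, cursor = [], lo
    for a, b in spans:
        if b < cursor or a > hi:
            continue                      # already covered, or outside the wide range
        if a > cursor:
            out.append((cursor, a - 1))   # addresses only the wide range admits
        cursor = max(cursor, b + 1)
    if cursor <= hi:
        out.append((cursor, hi))
    return [(str(IPv4Address(a)), str(IPv4Address(b))) for a, b in out]


def extra_addresses(wide, entries):
    """How many addresses the wide range admits beyond the per-subnet rows."""
    return sum(to_int(b) - to_int(a) + 1 for a, b in gaps(wide, entries))


if __name__ == "__main__":
    print("CIDR blocks in merged range:", to_networks(*MERGED["LAN"]))
    print("Only admitted by merged range:", gaps(MERGED["LAN"], PER_SUBNET))
    print("Extra addresses:", extra_addresses(MERGED["LAN"], PER_SUBNET))
    print("10.11.30.7 per-subnet:", matching("10.11.30.7", PER_SUBNET))
    print("10.11.30.7 merged:", matching("10.11.30.7", MERGED))
```

An address such as 10.11.30.7 matches no per-subnet row but does match the merged “LAN” entry, so a rule that references “LAN” applies to it as well.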
Step 9 Network section > Default Gateways tab > Main Default Gateways: Assign the default gateway on the WAN side of the SBC and the Interface that is used to get there. For our example, the “DMZ” is on the 10.11.70.0 network (as assigned under the “Networks and Computers” tab), with Eth1 set with an IPA of 10.11.70.2 (this will be assigned under the “Eth1” tab). The gateway for that subnet is 10.11.70.1. As such, 10.11.70.1 is assigned here.
Step 10 Network section > Eth0 tab > General: Assign the Name you want for this Interface and set to “Active” if it is to be active. You can also leave the default name of Ethernet0. For our example, we called Eth0 “Inside”, so that we know that server interface connects to the internal network. Back at Step 8, the Interface/VLAN column makes it easy to see which Networks and Computers were assigned to the Inside (Internal) or Outside (External) interfaces.
Step 11 Network section > Eth0 tab > Directly Connected Networks: Assign the name and IPA for this interface of the SBC. If selecting DHCP under the “Address Type” field, do not assign data in the “DNS Name or IP Address” field. For our example, we chose SBC LAN just to make it easier to know we are referring to the internal network side of the SBC. If you refer back to Step 3 you can see how this made it easy to know what we were choosing for our HTTP access. Note that if you make any changes here, you will need to go back to Step 3 (and/or Step 4) to select the new entry if you assigned this interface for HTTP, HTTPS, or SSH access.
Step 12 Network section > Eth0 tab > Static Routing: Assign the networks that are accessed through this side of the SBC but are not directly connected (directly or via VLAN). You must tell the SBC the IPA of the gateway/router that information for those networks is to be sent to. For our example, only the 10.11.10.0 network is directly connected. The other internal networks can only be accessed through the 10.11.10.1 gateway.
Step 13 Network section > Eth1 tab > General: Assign the Name you want for this Interface and set to “Active” if it is to be active. You can also leave the default name of Ethernet1. For our example, we called Eth1 “Outside” so that we know that server interface connects to the external network. Back at Step 8, the Interface/VLAN column makes it easy to see which Networks and Computers were assigned to the Inside (Internal) or Outside (External) interfaces.
Step 14 Network section > Eth1 tab > Directly Connected Networks: Assign the name and IPA for this interface of the SBC. If selecting DHCP under the “Address Type” field, do not assign data in the “DNS Name or IP Address” field. For our example, we chose SBC WAN just to make it easier to know we are referring to the internal network side of the SBC. If you refer back to Step 4 you can see how this made it easy to know what we were choosing for our SSH access. Note that if you make any changes here, you will need to go back to Step 4 (and/or Step 3) to select the new entry if you assigned this interface for HTTP, HTTPS, or SSH access.
Step 15 Network section > Eth1 tab > Static Routing: Data you assigned in Step 9 will already be shown here. If there are networks that are accessed through this side of the SBC, but must use a different gateway, you must tell the SBC the IPA of the gateway/router that information for those networks is to be sent to.
Step 16 SIP Services section > Basic tab > SIP Module: Enable the SIP Module of the SBC.
Step 17 SIP Services section > Basic tab > SIP Media Port Range: If needed, change the port range the SBC should use for SIP Media streams. Default is 58024 - 60999.
Step 18 SIP Services section > Interoperability tab > Remove Via Headers: Assign the SV8500/SV9500 Internal SIP Handler (InSIPH) IPA.
Step 19 SIP Services section > Interoperability tab > URI Encoding: The default data is “Always encrypt URIs”. Change this to “Use registration”.
Step 20 SIP Services section > Interoperability tab > Remove Headers in 180 Responses: The current SV8500/SV9500 Internal SIP Handler (InSIPH) does not support the Route set specification of RFC3261. Select “Remove Record-Route and Contact headers in 180 responses”.
Step 21 SIP Services section > Interoperability tab > Keep User-Agent Header When Acting as B2BUA: Select “Keep existing User-Agent header”.
Step 22 SIP Services section > Interoperability tab > Force username in registered Contact: Select “Yes”.
Step 23 SIP Services section > Interoperability tab > Hide our Record-Route header: Select “Add new rows” and enter the address of the InSIPH.
Step 24 SIP Services section > Sessions and Media tab > Session Configuration: The default is 14400 seconds. We used 180 for testing but you may want to set this to 1800.
Step 25 SIP Services section > Sessions and Media tab > Media Configuration: The default is “Lock IP address and port to first sender”. Change this to “Allow multiple sender IP addresses and ports”.
Step 26 SIP Services section > Sessions and Media tab > Detect codec changes: The default is “Detect only changes to the first payload type listed”. Change this to “Detect changes to all payload types (except dynamic)”.
Step 27 SIP Services section > Remote SIP Connectivity tab > Remote NAT Traversal: Enable Remote NAT Traversal.
Step 28 SIP Services section > Remote SIP Connectivity tab > NAT keepalive method: Default is “Use both OPTIONS and short registration timers”. This causes the phones to re-register every 40 seconds (or whatever value is assigned for “NAT timeout for UDP”) as the keepalive/heartbeat. That creates three times as many keepalive messages as using only the OPTIONS messages as the heartbeat.
Step 29 SIP Services section > Remote SIP Connectivity tab > Media Route: Default is “Route media directly between clients behind the same NAT”. Select “Always route media through the SIParator”.
Step 30 SIP Services section > Remote SIP Connectivity tab > Unconditional NAT Traversal: Default is “Only use Remote NAT Traversal when the client looks NATed”. Select “Always use Remote NAT Traversal”.
Step 31 SIP Services section > Remote SIP Connectivity tab > Unconditional NAT Traversal Interfaces: Select “Add new rows” and choose your Outside/WAN connection.
Step 32 SIP Traffic section > Filtering tab > Default Policy For SIP Requests: Default is “Local only”. Select “Process all”.
Step 33 SIP Traffic section > Routing tab > DNS Override For SIP Requests: This is where the SBC is told to relay messages from the Domain “MC550a.SV8500bc.prv” to the InSIPH. No need to do a DNS Lookup.
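A way to confirm the interoperability settings from a packet capture once the steps above are done, as an added example that is not part of the original guide: it checks that an INVITE carries SDP (Note 1 of the AUACL/AUACN table), that a 180 response no longer carries Record-Route or Contact (Step 20), and that the MC550 User-Agent is preserved (Step 21). The SIP messages are constructed samples, and the assumption is that each message is exported as text from a capture taken on the PBX side of the SBC.

```python
# Compact header forms defined by SIP (RFC 3261); Record-Route has none.
COMPACT = {"m": "contact", "c": "content-type", "l": "content-length", "v": "via"}


def parse_sip(raw):
    """Split one SIP message into (start line, [[name, value], ...], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            headers[-1][1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.append([COMPACT.get(name, name), value.strip()])
    return lines[0].strip(), headers, body


def values(headers, name):
    return [v for n, v in headers if n == name]


def check_message(raw, expected_ua="NEC MC550"):
    """Return a list of findings; an empty list means the message is as expected."""
    start, headers, body = parse_sip(raw)
    findings = []
    if start.startswith("INVITE "):
        is_sdp = any(v.lower().startswith("application/sdp")
                     for v in values(headers, "content-type"))
        if not (is_sdp and body.lstrip().startswith("v=0")):
            findings.append("INVITE carries no SDP offer")
    elif start.startswith("SIP/2.0 180"):
        for name in ("record-route", "contact"):
            if values(headers, name):
                findings.append("180 response still carries " + name)
    elif start.startswith("REGISTER "):
        if values(headers, "user-agent") != [expected_ua]:
            findings.append("User-Agent is not " + expected_ua)
    return findings


# Constructed sample messages (addresses taken from the lab diagram labels).
INVITE_NO_SDP = ("INVITE sip:65058@MC550a.SV8500bc.prv SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 10.11.50.51:5060\r\n"
                 "Content-Length: 0\r\n\r\n")
INVITE_SDP = ("INVITE sip:65058@MC550a.SV8500bc.prv SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 10.11.50.51:5060\r\n"
              "Content-Type: application/sdp\r\n\r\n"
              "v=0\r\no=- 1 1 IN IP4 10.11.50.51\r\ns=-\r\n"
              "c=IN IP4 10.11.50.51\r\nt=0 0\r\nm=audio 58024 RTP/AVP 0\r\n")
RINGING_RAW = ("SIP/2.0 180 Ringing\r\n"
               "Record-Route: <sip:10.11.70.2;lr>\r\n"
               "m: <sip:65058@10.11.70.196>\r\n\r\n")   # "m" is compact Contact
RINGING_CLEAN = ("SIP/2.0 180 Ringing\r\n"
                 "Via: SIP/2.0/UDP 10.11.50.51:5060\r\n\r\n")
REGISTER = ("REGISTER sip:MC550a.SV8500bc.prv SIP/2.0\r\n"
            "User-Agent: NEC MC550\r\n\r\n")

if __name__ == "__main__":
    for label, msg in [("INVITE without SDP", INVITE_NO_SDP), ("INVITE with SDP", INVITE_SDP),
                       ("180 unfiltered", RINGING_RAW), ("180 filtered", RINGING_CLEAN),
                       ("REGISTER", REGISTER)]:
        print(label, "->", check_message(msg) or "ok")
```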
For additional information or support on this NEC Corporation product, contact your NEC Corporation representative.