Course12:Advanced - V12 News

From innovaphone wiki

V12 News

Overview

The most important V12 features are listed in this book. For detailed information on these features, there are links to further topics of this advanced training plus references to our wiki.

With V12 there are plenty of new features and products. Some main highlights are:

  • IP112 phone

  • new gateways
  • cloud-based innovaphone PBX services

  • enhanced security features

  • webRTC and myPBX enhancements

and of course much more...

    New Software Products

    With firmware version 12, innovaphone introduces several new functions, which are outlined below. For some of them, you will find more information or lessons in the later topics of this training.

    Note: As always with innovaphone, new firmware versions can generally also be used on existing hardware types. This applies to version 12 as well, with one exception:

    Hardware with too little on-board memory cannot run it. Version 12 requires gateways with at least 32 MB of DRAM, which the small gateways IP302 and IP305 have provided since hardware version 307. Older hardware versions of these gateways therefore cannot run version 12 (nor version 11).

    The following subchapters present the new software features.

    Reverse Proxy

    Starting with Version 12, any innovaphone device can act as a Reverse Proxy.

    What is a Reverse Proxy?

    A Reverse Proxy takes requests from the internet (in our case e.g. from external phone users) and forwards them to servers in an internal network (e.g. the PBX). External parties making requests to the Reverse Proxy may not be aware of the internal network itself.

    The function is similar to NAT port forwarding, where incoming TCP/TLS connections are forwarded to a defined target.

    All incoming connections are terminated in the Reverse Proxy, which creates a new session to the opposite network.

    The target is selected not only by IP port, but also by the application content of the payload.

    A connection between the Reverse Proxy and the PBX can be trusted by validating the certificates used.

    Reverse Proxy Use Cases

    The following two examples show potential use cases for the Reverse Proxy:

    Cloud Installation

    • The Reverse Proxy is operated in a DMZ with a private and a public IP address
    • It provides one centralized point of access for endpoint registration, including certificate validation
    • Access is done using H.323/TLS or SIP/TLS
    • Limited access to the PBX for the myPBX service is granted by use of HTTP(S)
    • Central phone book access is granted using LDAP(S)

    Remote PBX access (a.k.a. anywhere workplace)

    • The Reverse Proxy is installed in the PBX itself (when no DMZ is in place) or on any extra device within the local network
    • PBX access is limited to the configured protocols
    • HTTP/S access is likewise limited to special services only (e.g. myPBX)
    • PBX access is made through the NAT router by port forwarding to the Reverse Proxy

    Supported Feature Set

    • TCP/TLS may differ between the far end and the local end
    • Service ports can be configured to non-standard ports
    • Attack defense:
      • Suspicious requests are detected based on unsuccessful connects
      • Attack requests are displayed in counters
      • The attacker's IP address is automatically added to a built-in blacklist, which can be displayed
      • Each time an entry is added to the blacklist, a system event is generated
      • Administrative access to the blacklist allows removing addresses or explicitly adding them to the built-in whitelist
    • Access can be limited to specific networks
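
    The attack-defense behaviour listed above, modelled as an added Python example; it is not innovaphone code. The threshold MAX_FAILURES, clearing a counter on a successful connect, whitelist precedence over the network limitation, and all class and method names are assumptions, since the page does not describe them.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_FAILURES = 3  # assumption: the page does not state the real threshold

@dataclass
class AttackDefense:
    allowed_networks: list = field(default_factory=list)  # empty = no limitation
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    failures: dict = field(default_factory=dict)  # counters shown to the admin
    events: list = field(default_factory=list)    # stand-in for system events

    def admit(self, src: str) -> bool:
        """Decide whether a new connection from src is accepted."""
        if src in self.whitelist:      # assumption: whitelist wins over everything
            return True
        if src in self.blacklist:
            return False
        if self.allowed_networks:      # limitation on specific networks
            return any(ip_address(src) in ip_network(n) for n in self.allowed_networks)
        return True

    def record_result(self, src: str, success: bool) -> None:
        """Count unsuccessful connects; blacklist the source at the threshold."""
        if success:
            self.failures.pop(src, None)   # assumption: success clears the counter
            return
        self.failures[src] = self.failures.get(src, 0) + 1
        listed = self.whitelist | self.blacklist
        if self.failures[src] >= MAX_FAILURES and src not in listed:
            self.blacklist.add(src)
            self.events.append(f"blacklist add {src}")  # one event per new entry

    def admin_remove(self, src: str) -> None:
        self.blacklist.discard(src)
        self.failures.pop(src, None)

    def admin_whitelist(self, src: str) -> None:
        self.blacklist.discard(src)
        self.whitelist.add(src)

def replay(defense, attempts):
    """Feed (source, success) pairs through the model; return admit decisions."""
    decisions = []
    for src, ok in attempts:
        admitted = defense.admit(src)
        decisions.append(admitted)
        if admitted:
            defense.record_result(src, ok)
    return decisions

# Constructed sample traffic using documentation address ranges.
SAMPLE = [("203.0.113.7", False), ("203.0.113.7", False), ("198.51.100.20", True),
          ("203.0.113.7", False), ("203.0.113.7", True), ("198.51.100.20", False)]
```

    Replaying SAMPLE through a fresh AttackDefense shows the third failed connect from one source creating a blacklist entry and a single event, after which even a valid connect from that source is refused until an administrator removes or whitelists the address.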

    Protocol support

    Supported protocols of the innovaphone Reverse Proxy are:

    • H.323/TCP and H.323/TLS
    • SIP/TCP, SIP/TLS
    • HTTP, HTTPS
    • LDAP, LDAPS
    • SOAP

    Unsupported protocols and services are:

    • H.323 over RAS-UDP
    • Kerberos (Admin-UI access)
    • IPv6 (not yet)

    As an exception, access to myPBX is possible (of course).

    TURN

    What is TURN?

    When establishing audio connections between devices located in different networks, STUN is used to identify the external IP addresses of these devices.
    ICE then tries to establish an end-to-end media connection through all involved NAT routers.
    In V11, both of these protocols were introduced to connect external phones or services such as webRTC.

    But there is one drawback:
    in V11, ICE requires at least one full cone NAT network in the setup. When both involved NAT routers can do symmetric or port-restricted NAT only, ICE, and with it RTP, will fail.

    For this to work, TURN (Traversal Using Relays around NAT) is required.
    Simply put, this is an entity in the public internet which relays media data (RTP) between two NAT routers.

    As public TURN servers are rare, starting with V12r1 all innovaphone gateways are able to act as a TURN server.

    Of course, all devices operated with V12r1 can act as a TURN client.

    Some thoughts on the use of TURN:
    • It works with all kinds of NAT, including restrictive NAT routers/firewalls.
    • As TURN requires resources at the host, which may create delays, it should be used only if direct communication is not possible. To overcome this drawback in general, a TURN server can be operated in a separate innovaphone box.
    • ICE ensures that TURN is only used when no ICE candidates gathered via STUN are available, so TURN can always be configured.

    OPUS

    OPUS is an audio codec which is specified to use a bandwidth from 6 to 510 kbit/s.

    Within this range, a subset called OPUS-NB (narrowband) is defined. It consumes 11 kbit/s of bandwidth at 8 kHz and provides a quality comparable to G.711.

    OPUS-NB was selected for integration because the innovaphone conference bridge always uses 8 kHz audio samples.

    As G.711 requires 64 kbit/s and bandwidth is sometimes an issue, OPUS-NB is a good alternative.

    With V12, all new gateways and the phones IP111/112 support OPUS-NB on their on-board DSP.
    For webRTC, the browsers themselves support OPUS-NB as well.
    myPBX for Android supports OPUS-NB as well (delivered by the device).

    As with the other implemented codecs, OPUS is always negotiated at the end device. There is no re-negotiation during a conversation.

    New Hardware Products

    New phone IP112

    The IP111, which was introduced in V11, was extended to a new product called IP112.

    The following features have been added to the IP112:

    • It offers 2 Gigabit Ethernet connections (1000 Mbit/s) and is powered either by PoE or by an external power supply.

    • It offers one USB 2.0 port for exclusive headset use (no other devices are supported or allowed).

    • In addition to the well-known voice codecs, the IP112 (and the IP111 as well) offers support for G.729 and the new OPUS codec.

    • By the way: the existing IP111 supports OPUS as well!

    Note: For the IP112, there is a V11r2 firmware available as well!


    New gateways

    Starting in 2016, there will be a range of new gateways offering different interface configurations for different use cases:

    • IP311 - entry level VoIP-PBX and gateway,
      providing 4 analogue trunk lines (FXO), 2 analogue extensions (FXS) and 6 on-board DSPs.

    • IP411 - entry level VoIP-PBX and gateway,
      providing 2 ISDN-BRI trunk lines and 2 analogue extensions (FXS) and 6 on-board DSPs.
      The IP411 replaces the former models IP302 and IP305.

    • IP811 - mid size VoIP-PBX and gateway,
      providing 5 ISDN-BRI trunk lines and 10 on-board DSPs.
      The IP811 replaces the former models IP800 and IP810.

    • IP3011 - advanced level VoIP-PBX and gateway,
      providing 1 ISDN-PRI trunk line and 30 on-board DSPs.
      The IP3011 replaces the former model IP3010 - but without BRI for sync purposes.

    • IP1130 - media gateway without PBX functionality,
      providing one ISDN-PRI trunk line and 30 on-board DSPs.
      Two IP1130 replace one former model IP1060.
      Remark: the max. size of a single conference is limited to 30 channels, even when two IP1130 are used.

    • IP0011 - dedicated for use as pure media gateway and stand-alone Reverse Proxy/SBC
      Platform for up to 500 PBX Users (all-in-one) (no conferences)!
      The IP0011 replaces the former IP0010.

    All these gateways use the same hardware platform and therefore share the same features:

    • 2 Gigabit Ethernet ports each

    • new CPU with better Linux performance due to more Linux RAM (now 768 - 1536 MB vs. 256 MB previously)

    • OPUS audio codec on the on-board DSPs (narrowband only)

    • built-in Flash Disk (known as /DRIVE/FLASH) with the following sizes
      • 128 MB for IP311 and IP411
      • 1 GB for IP811, IP3011, IP0011

    • optional mSATA SSD (known as /DRIVE/CF0). All new devices offer an internal SSD card holder for an SSD according to our recommendations. Installation is optional and is to be done by the partner.

    • enhanced internal clock resolution (5 ppm, previously 50 ppm)

    • on-board Linux Application Platform available on all new xx11/11xx gateways (except for the IP1130) by use of the optional SSD

    • all devices can act as Reverse Proxy and offer various SBC functionalities

    New adapter

    • IP29 - IP adapter for eight analogue extensions (FXS).
      It replaces the former IP28.

    Note: all gateways and adapters mentioned above require at least firmware V11r2sr10 (or V12r1) for operation.

    For further details, please refer to the datasheets.

    PBX Enhancements

    As always with the release of a new firmware version, one main area of improvement is the PBX and its embedded functions and services.

    myPBX webRTC

    In V11, webRTC was introduced to provide real-time communication within a web browser without additional plugins.

    Starting with V12, innovaphone has extended the webRTC features in the following areas:

    Video

    In addition to H.264, webRTC now supports the VP8 video codec as well.

    VP8 is a codec providing quality similar to H.264 and likewise consumes approx. 300 kbps of bandwidth.

    Restrictions:
    • Chrome currently supports VP8 only (they intend implementation of H.264).
    • innovaphone conference interfaces do not support VP8 - so (currently) no video conferences using Chrome.

    Application Sharing

    Previously, application sharing (AS) was only possible using the myPBX Windows Launcher; now AS is possible between Launcher and webRTC users.

    Max. bandwidth used for AS is 500 kbps.

    Restrictions:
    • webRTC is still not supported by Internet Explorer and Safari
    • webRTC users cannot share their own screen - but they are able to control launcher-shared screens
    • no compatibility with 3rd party devices

    Audio Codecs

    In addition to G.711, OPUS is now supported within webRTC as well.
    This comes from the browser and creates compatibility for calls between webRTC users and users of the new phones (IP111/112) or gateways (IPxx11, IP29).

    ICE/TURN

    In the V11 implementation, webRTC was only able to use ICE/STUN, which may have led to missing audio data. TURN has now been implemented so that NAT networks other than full cone can be used as well.

    Toolbox

    Based on webRTC, V12 introduces a feature called myPBX toolbox.
    It allows you to create HTML code for websites that provides myPBX functionality, e.g. a call button.
    In addition to audio and presence information, it also supports both video and application sharing.
    This way, external users can call directly into the company to a dedicated user/group/WQ.

    The code is based on a JavaScript library, which can be used to create your own scripts.

    myPBX general

    Netlogon

    A long-requested feature was the use of the same login credentials for Windows and myPBX. This is often called single sign-on.
    With V12, a new login method is introduced by use of Netlogon, with the following characteristics:
    • use with Active Directory only
    • one domain only
    • requirement to use NTLM (v1 only), port 135/TCP
    • the PBX needs to have an AD account and a connection to the domain controller
    • the account configuration is made in the PBX
    • myPBX single sign-on is not applicable for phones or HotDesking

    Regarding security, the Windows password is stored neither at the PBX nor at the client.
    On PC login, a comparison with the real Windows password held in the AD is done. If this is successful, a temporary password is generated and stored in both the PBX and the PC for later login checks. It is valid until logout from this dedicated PC.
    Depending on the browser used, the hash at the PC is stored either in the DOM storage or in the registry.
    As NTLM is not very secure, HTTPS can be used for PBX access.

    Gateway Enhancements

    Conferencing

    In V12, DTLS was added to audio conferencing to support conferences with webRTC users.

    Moreover, some improvements to the video capability of conferencing have been made:
    Previously, a 3rd party MCU was necessary to perform video conferences. With version 12, the MCU is built in!

    This was realized by avoiding media blending to minimize load on the hardware.
    Furthermore, by voice activity detection only the video of the current talker is captured and displayed. Due to this, only H.264 is supported here.

    The above-mentioned improvements lead to a video call performance of up to 30 users on an IP6010 - which of course is less than 60 audio channels, but better than nothing.
    Of course these figures depend on the CPU used and its performance.

    Remark: Any special integrations for the use of 3rd party MCUs, as valid up to V11rx, will no longer be supported!

    SIP Provider Profiles

    For several years, innovaphone has conducted certification tests for SIP providers in order to give connectivity recommendations. Results can be found in the wiki, including configuration instructions.
    The drawback of this process is that it is done only once and considers changes neither in our firmware nor in the tested provider platform.
    To overcome this, we have set up a repetitive test process using permanently available access to the different providers. So if you are interested in getting a provider tested, just follow our instructions.

    A beneficial outcome of this process is the availability of SIP provider profiles, starting with V12, in the Gateway/SIP section.
    Via a dropdown list, one can select from various tested providers and get the configuration done - only the login credentials and the given number need to be added.
    Configuration issues such as media or SIP settings are gone - everything that was evaluated during innovaphone certification is set automatically!

    License Enhancements

    New licenses

    webRTC License

    For the use of webRTC - which acts "like" a software phone - a new license is introduced with V12.

    The license is per channel (a.k.a. per call), that is, as many calls can be made simultaneously via webRTC as there are webRTC licenses available.

    The webRTC license is a PBX license and is therefore "floatable" from a license-master.

    The maximum number of concurrent webRTC calls at a dedicated PBX can be set via PBX/Config/General/"Max WebRTC calls".

    Note: In any case, webRTC usage requires at least a port license for the webRTC user (as always) and, if requested by the customer, video and/or application sharing licenses for these features to work.

    Changes

    Simplified Port License

    Up to V11, the first registration on an object took one license - regardless of its type.

    Starting with V12, the first registration on a User, Executive, Gateway or Trunk object will take one license.

    The benefit is that unexpected license usage is eliminated. This concerns:

    • registration on a waiting queue for setting diversions
    • slave registrations on a master pbx
    • registration of a master pbx on a license-only master

    End of Life

    The following gateways will be end of life:

    • IP28 - replaced by IP29
    • IP302 - replaced by IP411
    • IP305 - replaced by IP411
    • IP800 - replaced by IP811
    • IP810 - replaced by IP811
    • IP0010 - replaced by IP0011
    • IP1060 - replaced by IP1130 (two pieces needed when going for equivalent amount of channels)
    • IP3010 - replaced by IP3011

    IP22, IP24, IP38 and IP6010 remain in the portfolio!

    The IP6010 will be the only gateway providing loop-in functionality, 2 PRIs and 60 DSP channels, which are usable for conferences as well.


    Upgrade to V12r1

    If an upgrade from V11r2 to V12r1 is intended, we strongly recommend reading the appropriate upgrade article.

    It lists all news and changes compared to V11r2 which need to be taken into account for a proper and smooth upgrade.

    BTW: Of course, the former upgrade articles must also be taken into account when upgrading from any version older than V11r2.