Howto:Setup Federation with innovaphone V12r1: Difference between revisions

From innovaphone wiki
Line 191:
[[Image:Setup_Federation_13.png | Filter]]

'''Note:''' To prevent external federation partners from calling the Trunk Line Object by name (i.e. trunk@domain.com), the Name field of the Trunk Line Object can be deleted, so that this object can only be called by "0" and not by name.
To prevent external federation partners from calling PBX objects that are not supposed to be called by external users, the option "Reject ext. Calls" should be activated on these objects. The "Reject ext. Calls" option should also be activated on the Trunk Line Object that is connected to an FXO line, because on FXO the caller can dial the destination number via DTMF after the connect. Other trunk lines, like ISDN or SIP, are not affected, since when called by name no further input from the caller is accepted (the call is established with sending complete).

==Usage==

Revision as of 16:04, 19 October 2017

Applies To

This information applies to innovaphone systems V12r1 and later.

The former article is deprecated.

More Information

Problem Details

With the innovaphone myPBX UC Client you can not only communicate with the people within your company, but also use unified communication features such as presence with external companies.

innovaphone provides an interface for federation with partners and customers. This article describes how to set up your innovaphone PBX so that it can communicate with other companies using UC features.

Federation can be done using either H.323 or SIP, depending on the capabilities of the federating systems.

Mostly, H.323 federation is applied only between innovaphone parties, while SIP is used to federate with non-innovaphone systems.

Prerequisites

Make sure you have the following:

  • innovaphone PBX system with a recent V12r1 firmware
  • licenses for myPBX
  • access to your public DNS server, to be able to configure the required DNS records
  • access to the internet from the PBX or another innovaphone gateway
  • the System Name of the PBX must be equal to the domain part used for e-mails
  • the Name of the User Objects (not to be confused with the Long Name) must be equal to the user part of the e-mail addresses used for external communication
    • if the user's e-mail address is bob@company.example, the System Name must be company.example and the Name of the User Object bob

Configuration

PBX

System Name

The System Name of the PBX must be set according to the DNS domain name used for federation. In the case of innovaphone AG this is innovaphone.com.

The option Use as Domain must be active.

System Name

Visibility

In order to give innovaphone AG access to your presence and online status, the Access on the PBX User Object must be configured. This can be done for the complete domain @innovaphone.com or for a specific person, e.g. bob@innovaphone.com.

Access Rights

This can be done on a per-user level or in an appropriate template.

To set up default access rights (which may be restrictive) for all federation partners, you can specify @ alone as the Name, which serves as a catch-all domain (available from v10sr3).

Gateway Object

Create a Gateway Object without a number. Enter the Long Name of this object into the Route Root-Node External Calls to field of the PBX General configuration page:

PBX External Routing

If this option is already used to route calls to another PBX in a loop-in scenario, make sure to route the calls first to the interface configured for federation, and from there to the 3rd-party PBX.

Protocol Interface

Depending on the PBX system used at the federation partner, either H323 or SIP has to be used for federation.

H323 Interface

Create a GW interface with the following settings:

SIP Interface Example

The GW interface used for H323 federation must be able to send and receive H323 calls and presence subscriptions to and from the federation partner. The H323 mode is Gateway without registration, with the Federation option active. Media Relay has to be off to enable video and collaboration.

This H323 interface must be reachable from the internet via TCP port 1300 and must be routed, within the Routing, to an internally registered Gateway Interface.

SIP Interface

The following screenshot shows SIP-based federation with Skype for Business Online 2016 using a SIP interface.

Configuration

Mandatory options to be configured:

  • Open Federation: SIP/TLS interface without registration, used to send and receive calls to federation partners.
  • Local domain: the domain for SIP federation; it selects the TLS certificate according to the domain name.
  • Local Hostname: enter the local hostname or IP address of the SIP federation device (if no value is set, the local IP is used by default).
  • General Coder Preference = G711/G729 Exclusive: necessary, as no other codecs are supported by SFB Online for voice calls.
  • Media-Relay = On: avoids interoperability issues for audio calls.
  • No Ice = On: SFB supports ICE and calls can be established using ICE; however, in some network topologies incoming calls from SFB to innovaphone can take a long time to connect (4-6 s) due to the ICE checks, and there were call scenarios in which calls were disconnected by the SFB client when ICE was used. For this reason we recommend not using ICE.
  • SRTP Cipher = AES128/80: the SFB client uses SDES for SRTP with the cipher AES128/80; other ciphers, such as the default (AES128/32), are not accepted by the SFB client.
  • Microsoft Presence Format = On: enables interpretation of the MS presence format.
  • Advanced: the following SIP options have to be applied:
    • /pai: use P-Asserted-Identity for outgoing calls
    • /dont-validate-calling-domain: the calling domain on inbound federation calls from SFB Online is not validated
    • /microsoft-stuff: provides correct online presence of SFB users to innovaphone and avoids S4B rejecting SIP INVITEs (for audio or chat calls) from users not present in the contact list (since V12r2)
    • /single-audio-description: avoids SDP interoperability issues for audio calls (since V12r2)
    • /forward-connection-only: don't use the inbound transport connection to send requests (since V12r2)

This SIP interface must be reachable from the internet via TCP port 5061.

Remark: For federation between two innovaphone systems, don't use SIP - only H.323!

Routing

The following picture describes the routing of federation calls for both H323 and SIP. Depending on the federation protocol used, configuring only SIP or only H323 routing is possible as well:

Routing internal federation gw

With the following routing table, H.323 federation is attempted first. If the DNS query fails, SIP federation is used afterwards:

Routing via TrunkLine

Important: Make sure to enable Interworking (QSIG, SIP) on the routes from and to the SIP interface.

An additional innovaphone gateway can be used to offload the federation interfaces from the PBX and place them in the DMZ.

DNS Entries

The federation mechanism relies on DNS to resolve the domain name of the federating partner and find the IP address to send signaling messages to.

The following DNS entries are required on your side as federation partner:

SIP

  • the SRV record _sips._tcp.yourcompany.example or _sipfederationtls._tcp.yourcompany.example has to point to an IP address or host name of the innovaphone gateway that hosts the SIP interface for federation

Setup Federation 8.png

  • if the SRV record points to a host name, the host name must resolve to the IP address of the innovaphone gateway that hosts the SIP interface for federation

For example, the following DNS entries are configured for SIP federation with innovaphone AG:

_sips._tcp.innovaphone.com    IN    SRV    5061   sip.innovaphone.com
sip.innovaphone.com    IN    A    145.253.157.4

After configuring the DNS records and propagating them to your DNS servers, cross-check that they resolve correctly in the DNS client on the innovaphone gateway:

Setup Federation 9.png

H323

  • the SRV record _h323s._tcp.yourcompany.example or _h323federationtls._tcp.yourcompany.example has to point to an IP address or host name of the innovaphone gateway that hosts the H323 interface for federation

Setup Federation 10.png

  • if the SRV record points to a host name, the host name must resolve to the IP address of the innovaphone gateway that hosts the H323 interface for federation

For example, the following DNS entries are configured for H323 federation with innovaphone AG:

_h323s._tcp.innovaphone.com    IN    SRV    1300   h323.innovaphone.com
h323.innovaphone.com    IN    A    145.253.157.4

After configuring the DNS records and propagating them to your DNS servers, cross-check that they resolve correctly in the DNS client on the innovaphone gateway:

Setup Federation 11.png

Certificates

Federation is always based on trust established by certificates. Depending on the type of federation, different certificates are used:

  • Closed federation: the certificates are only known by the federating partners and have to be exchanged between those two parties only.
  • Open federation: the certificates used are root certificates issued by an official certificate authority.

For more details, also refer to the wiki articles on certificate management and on certificate names and trust relationships (see Related Articles).

In any case, the innovaphone gateway which hosts the federation interfaces must have a certificate with a Common Name (CN) or Subject Alternative Name (DNS) that matches your domain name. You can use a self-signed one, generated directly on the box.

When configuring DNS and IP entries in the certificate, make sure the domain name used for the PBX and the federation interface is included in the certificate.

Self signed certificate

E.g., innovaphone AG provides the following entries in its certificate:

CN=innovaphone.com
DNS=innovaphone.com
DNS=sip.innovaphone.com
IP=145.253.157.4

However, only the CN and a DNS entry for innovaphone.com would be sufficient for federation.
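The DNS and certificate requirements above (SRV record on the right port, target host resolvable, domain name present in the certificate's CN or DNS SAN) can be checked offline before the first federation attempt. The following script is an added example, not innovaphone code: it parses zone-file style lines in the form the article uses (also accepting the full "priority weight port target" SRV form), verifies the SIP and H.323 records against the ports the article names, and compares the certificate names against the federation domain and the SRV targets. The zone fragment and certificate entries are constructed from the article's example values; wildcard matching follows the usual single-label TLS rule and is my assumption, not something the article states.

```python
"""Offline consistency check for federation DNS records and certificate names.
Added example, not innovaphone code. ZONE and CERT are constructed from the
article's example values (innovaphone.com, 145.253.157.4)."""

import ipaddress

# Signalling ports the article requires per protocol: SIP/TLS 5061, H.323 1300.
EXPECTED = {
    "sip": {"services": ("_sips._tcp", "_sipfederationtls._tcp"), "port": 5061},
    "h323": {"services": ("_h323s._tcp", "_h323federationtls._tcp"), "port": 1300},
}

# Constructed zone fragment holding the article's SIP and H.323 records.
ZONE = """\
_sips._tcp.innovaphone.com    IN    SRV    5061   sip.innovaphone.com
sip.innovaphone.com           IN    A      145.253.157.4
_h323s._tcp.innovaphone.com   IN    SRV    1300   h323.innovaphone.com
h323.innovaphone.com          IN    A      145.253.157.4
"""

# Constructed certificate names, mirroring the article's listing.
CERT = {"CN": "innovaphone.com",
        "DNS": ["innovaphone.com", "sip.innovaphone.com"],
        "IP": ["145.253.157.4"]}


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_zone(text):
    """Return ({srv_name: (port, target)}, {host: [address, ...]}) from zone-style lines.
    SRV rdata may be the full 'prio weight port target' or the article's 'port target'."""
    srv, a = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1].upper() != "IN":
            continue  # blank line, comment or unsupported layout
        name, rtype, rdata = parts[0].rstrip(".").lower(), parts[2].upper(), parts[3:]
        if rtype == "A":
            a.setdefault(name, []).append(rdata[0])
        elif rtype == "SRV":
            port, target = (rdata[2], rdata[3]) if len(rdata) >= 4 else (rdata[0], rdata[1])
            srv[name] = (int(port), target.rstrip(".").lower())
    return srv, a


def check_federation_dns(domain, zone_text, protocol):
    """List problems with the SRV/A records for one protocol; an empty list means OK."""
    spec = EXPECTED[protocol]
    srv, a = parse_zone(zone_text)
    found = [(f"{svc}.{domain}", srv[f"{svc}.{domain}"])
             for svc in spec["services"] if f"{svc}.{domain}" in srv]
    if not found:
        return [f"no {protocol} federation SRV record under {domain}"]
    problems = []
    for name, (port, target) in found:
        if port != spec["port"]:
            problems.append(f"{name}: port {port}, expected {spec['port']}")
        # The article allows an IP address or a host name as SRV target;
        # a host name must resolve within the zone.
        if not _is_ip(target) and target not in a:
            problems.append(f"{name}: target {target} has no A record")
    return problems


def cert_covers(cert, name):
    """True if name matches the CN, a DNS entry (exact or single-label wildcard) or an IP entry."""
    name = name.lower()
    if _is_ip(name):
        return name in cert.get("IP", [])
    for entry in [cert.get("CN", "")] + cert.get("DNS", []):
        entry = entry.lower()
        if entry == name:
            return True
        if entry.startswith("*.") and name.count(".") == entry.count(".") and name.endswith(entry[1:]):
            return True
    return False


def check_certificate(cert, domain, zone_text):
    """Errors: the federation domain itself is not named (the article's hard requirement).
    Warnings: an SRV target host is not named (optional, as the article says CN/DNS
    for the domain alone is sufficient)."""
    errors, warnings = [], []
    if not cert_covers(cert, domain):
        errors.append(f"certificate does not name {domain}")
    srv, _ = parse_zone(zone_text)
    for name, (_, target) in srv.items():
        if name.endswith("." + domain) and not cert_covers(cert, target):
            warnings.append(f"SRV target {target} ({name}) not named in certificate")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for proto in EXPECTED:
        print(proto, check_federation_dns("innovaphone.com", ZONE, proto) or "OK")
    print(check_certificate(CERT, "innovaphone.com", ZONE))
```

Run against the article's records the script reports both protocols as OK and one warning, because the example certificate names sip.innovaphone.com but not h323.innovaphone.com; that is consistent with the article, which says the domain entry alone suffices. Pointing the script at your own exported zone and certificate names is a cheap pre-check before asking the partner to add you to their trust list.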

Get on the Trust List

When trying to federate with a federation partner for the first time, the certificate will be rejected because it is not yet on the partner's trust list.

To get on the trust list, the federation partner has to be contacted and provided with the domain name and the certificate data.

Security Considerations

Offload Federation Interface to DMZ

When possible, offload the federation interface to an innovaphone gateway located in the DMZ, so that the PBX itself is not directly reachable from the internet.

Secure your PBX

If the gateway with the PBX is reachable from the internet, make sure to use secure passwords for administration and user objects. Implement IP filters to disable registrations at the PBX from the internet.

Filter on Federation Calls

Create a filter for calls processed via the federation gateway object, to prevent partners from calling internal extensions or trunk lines by number. Assign the filter to the federation gateway.

Filter

To prevent external federation partners from calling PBX objects that are not supposed to be called by external users, the option "Reject ext. Calls" should be activated on these objects. The "Reject ext. Calls" option should also be activated on the Trunk Line Object that is connected to an FXO line, because on FXO the caller can dial the destination number via DTMF after the connect. Other trunk lines, like ISDN or SIP, are not affected, since when called by name no further input from the caller is accepted (the call is established with sending complete).

Usage

To add somebody to your favourites list, go to myPBX and enter the e-mail address of the person into the search field. Then click the star symbol.

Add contacts

If the federation was configured correctly and the access rights allow presence and online status to be seen, the save button for an External URI will appear.

Known issues

Outgoing call fails

  • Problem symptom: RTP on outgoing calls fails with option ICE=off
  • Description: Initiating an outgoing call requires signaling the own public IP address in the INVITE with SDP. As the INVITE only uses the IP address of ETH0 when ICE=off, the call fails if ETH0 is configured with a local instead of a public IP.
  • Workaround: Set the public IP address on the ETH0 interface and the private IP on ETH1.
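The failure mode above is visible in the SDP of the outgoing INVITE: with ICE off, the partner can only send RTP to the address in the c= line, so a private ETH0 address there means one-way or no audio. The following check is an added example, not innovaphone code; it inspects a constructed INVITE (a sample I wrote, not a captured innovaphone message) and flags connection addresses that are not publicly routable, which is what you would look for in the Wireshark trace mentioned under Troubleshooting.

```python
"""Detect the 'private address in SDP' failure mode from the Known issues section.
Added example, not innovaphone code: the INVITE below is a constructed sample and
the code only reads SDP c= lines; it does not speak SIP itself."""

import ipaddress

# Constructed outgoing INVITE whose SDP advertises a private ETH0 address (ICE off).
INVITE_PRIVATE = """\
INVITE sip:bob@partner.example SIP/2.0
Via: SIP/2.0/TLS 192.168.1.10:5061;branch=z9hG4bKconstructed
From: <sip:alice@company.example>;tag=1
To: <sip:bob@partner.example>
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 192.168.1.10
s=-
c=IN IP4 192.168.1.10
t=0 0
m=audio 16384 RTP/SAVP 8 18
"""


def sdp_connection_addresses(sip_message):
    """Return the addresses from all c= lines in the SDP body of a SIP message."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    addrs = []
    for line in body.splitlines():
        if line.startswith("c="):
            # c=<nettype> <addrtype> <connection-address>[/ttl]
            addrs.append(line.split()[2].split("/")[0])
    return addrs


def check_sdp_reachability(sip_message, ice_enabled=False):
    """With ICE off, the partner can only send RTP to the c= address, so flag
    private, loopback or link-local addresses; with ICE on, candidates may
    carry reflexive or relayed addresses, so the c= line alone is not decisive."""
    if ice_enabled:
        return []
    problems = []
    for addr in sdp_connection_addresses(sip_message):
        ip = ipaddress.ip_address(addr)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            problems.append(f"SDP c= address {addr} is not publicly routable; partner RTP will fail")
    return problems


if __name__ == "__main__":
    print(check_sdp_reachability(INVITE_PRIVATE) or "OK")
```

Replacing the 192.168.1.10 connection address with a public one (for instance the article's 145.253.157.4) makes the check pass, which mirrors the workaround of putting the public IP on ETH0.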

Troubleshooting

The best way to troubleshoot federation is to take an RPCAP Wireshark trace on the gateway, on the interface used for federation.

Check the trace for the following:

  • a DNS request and reply resolving the SRV record
  • establishment of the TLS connection
  • SIP SUBSCRIBE and NOTIFY requests (visible only in the innovaphone log part if SIP tracing is enabled)

Related Articles

Howto:Federation_with_Skype_For_Business_Online

Reference12r1:Gateway/Interfaces/SIP

Reference12r1:Gateway/GK/GW

Reference10:Gateway/Routes/Map

Reference11r1:Certificate_management

Reference11r1:Certificate_names_and_trust_relationships