Howto:Setup SIP Federation with innovaphone AG V9

From innovaphone wiki

Applies To

This information applies to innovaphone systems operated with V9 up to V11r2.

Remark: Since V12r1, a new federation article applies instead.

More Information

Problem Details

With the innovaphone myPBX UC Client you can communicate not only with people inside your company; unified communication features such as presence can also be used with external companies.

Our company, innovaphone AG, provides an interface for SIP federation with our partners and customers. This article describes how to set up your innovaphone PBX so that it can communicate with innovaphone AG using UC features.

Prerequisites

Make sure you have the following:

  • innovaphone PBX System with a recent V9 or V10 firmware
  • licenses for myPBX
  • access to your public DNS server, to be able to configure the required DNS record
  • access to the internet from the PBX or another innovaphone gateway
  • the System Name of the PBX must be equal to the domain part used for e-mails
  • the Name of the User Objects (not to be confused with the Long Name) must be equal to the user part of the e-mail addresses used for external communication
    • if the user's e-mail address is bob@company.example, the System Name must be company.example and the Name of the User Object bob

Configuration

PBX

System Name

The System Name of the PBX must be set according to the DNS domain name used for federation. In the case of innovaphone AG this is innovaphone.com.

The option Use as Domain must be active.

System Name

Visibility

To give innovaphone AG access to your presence and on-line status, the Access on the PBX User Object must be configured. Access can be granted to the complete domain (@innovaphone.com) or to a specific person (e.g. bob@innovaphone.com).

Access Rights

This can be done on a per-user level or in an appropriate template.

To set up default access rights (which may be restrictive) for all federation partners, you can specify only @ as the Name; it serves as a catch-all domain (available from v10sr3).

Gateway Object

Create a Gateway Object without a number. Enter the Long Name of this object in the Route Root-Node External Calls to field of the PBX General configuration page:

PBX External Routing

If this option is already used to route calls to another PBX in a loop-in scenario, make sure to route the calls first to the SIP interface configured for the federation, and then to the 3rd-party PBX.

SIP Interface

SIP Interface Example


The SIP interface is required to be able to send and accept SIP calls and presence subscriptions to and from the federation partners. The mode of the SIP interface should be Open Federation.

This SIP interface must be reachable from the internet via TCP port 5061 and must be registered at the Gateway Object in the PBX used for federation.

The best practice is to route incoming federation calls to numbers (e.g. 123@example.com) via the Trunk Line Object that is used for PSTN calls. The following picture shows the routing paths of the federation calls:

Routing via TrunkLine

Routing via TrunkLine explanation


Important: Make sure to enable Interworking(QSIG,SIP) on the routes from and to this interface.


You can use an additional innovaphone gateway to offload the SIP interface for federation from the PBX gateway and place it in the DMZ.

Depending on your network configuration (NAT, Firewall etc.) it is useful to enable Media-Relay on the SIP interface to be able to make voice calls.

DNS Entries

The SIP Federation mechanism relies on DNS to resolve the domain name of the federation partner and to determine the IP address to which the SIP messages are sent.

The following DNS entries are required from you as federation partner:

  • SRV record _sips._tcp.yourcompany.example or _sipfederationtls._tcp.yourcompany.example pointing to an IP address or host name of the innovaphone gateway that hosts the SIP interface for federation
  • if the SRV record points to a host name, the host name must resolve to the IP address of the innovaphone gateway that hosts the SIP interface for federation

For example, the following DNS entries are configured for federation with innovaphone AG:

_sips._tcp.innovaphone.com    IN    SRV    5061   sip.innovaphone.com
sip.innovaphone.com    IN    A    145.253.157.4

After the DNS record is configured and propagated to your DNS servers, check it in the DNS client on the innovaphone gateway:

Setup SIP Federation with innovaphone AG dns srv record example.png
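
The DNS requirements listed above can be checked against the zone data before it is published. The following Python code is an added example, not part of the original article or of innovaphone software; the function names and the sample zone for yourcompany.example are assumptions made for illustration. It accepts both the full SRV form (priority weight port target) and the short port/target listing used above.

```python
import ipaddress

SERVICES = ("_sips._tcp", "_sipfederationtls._tcp")  # SRV names listed on this page
PORT = 5061  # TCP port the page requires for the federation interface

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_zone(text):
    """Turn 'name [ttl] IN TYPE rdata...' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()  # drop zone-file comments
        if "IN" in fields[1:-2]:             # needs a name before IN, type and data after
            i = fields.index("IN", 1)
            records.append((fields[0].rstrip(".").lower(), fields[i + 1].upper(), fields[i + 2:]))
    return records

def check_federation_dns(domain, zone_text):
    """Return a list of problems; an empty list means the DNS prerequisites are met."""
    records = parse_zone(zone_text)
    wanted = [f"{svc}.{domain}".lower() for svc in SERVICES]
    hosts = {name for name, rtype, rdata in records if rtype in ("A", "AAAA") and is_ip(rdata[0])}
    srvs = [(name, rdata) for name, rtype, rdata in records if rtype == "SRV" and name in wanted]
    if not srvs:
        return ["no SRV record for " + " or ".join(wanted)]
    problems = []
    for name, rdata in srvs:
        # Accept 'priority weight port target' and the short 'port target' listing.
        if len(rdata) not in (2, 4) or not rdata[-2].isdigit():
            problems.append(f"{name}: cannot read port and target from {' '.join(rdata)!r}")
            continue
        port, target = int(rdata[-2]), rdata[-1].rstrip(".").lower()
        if port != PORT:
            problems.append(f"{name}: port {port}, expected {PORT}")
        if not is_ip(target) and target not in hosts:
            problems.append(f"{name}: target {target} has no A/AAAA record")
    return problems

# Constructed sample zone for a hypothetical domain (192.0.2.0/24 is a documentation range).
SAMPLE_ZONE = """
_sips._tcp.yourcompany.example.  3600 IN SRV 0 0 5061 sip.yourcompany.example.
sip.yourcompany.example.         3600 IN A   192.0.2.10
"""
```

Calling check_federation_dns("yourcompany.example", SAMPLE_ZONE) returns an empty list; a wrong port or a missing address record is reported as a text entry in the returned list.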

Certificates

The innovaphone gateway that hosts the SIP interface for federation must have a certificate with a Common Name (CN) or SubjectAlternativeName (DNS) that matches your domain name. You can use a self-signed one, generated directly on the box.

If you configure DNS and IP entries in the certificate, make sure the domain name used for the PBX and the Federation Interface is included in the certificate.

Self signed certificate

For example, innovaphone AG provides the following entries in its certificate:

CN=innovaphone.com
DNS=innovaphone.com
DNS=sip.innovaphone.com
IP=145.253.157.4

However, only CN and DNS for innovaphone.com would be sufficient for SIP Federation.

Get on the Trust List

If you try to federate with innovaphone AG for the first time, your certificate will be rejected because it is not yet on our trust list.

To get on the trust list at our federation gateway, please contact presales and provide the domain name and the certificate data.

Put the certificate of innovaphone AG on your own Trust List

You also have to trust the certificate provided by innovaphone:

Subject    C=Germany, ST=BW, L=Sindelfingen, O=innovaphone AG, OU=Techserv, CN=innovaphone.com
DNS=innovaphone.com
DNS=sip.innovaphone.com
IP=145.253.157.4
Issuer    C=Germany, ST=BW, L=Sindelfingen, O=innovaphone AG, OU=Techserv, CN=innovaphone.com

Serial number    FBA06716
Not before    22.08.2013 09:26:00 GMT
Not after    22.08.2023 09:26:00 GMT
CA    yes
Path length    0
Key usage    digital_signature key_encipherment key_cert_sign
Subject key ID    79:E8:1A:D0:4F:3E:3A:2E:13:DD:BB:9F:76:68:6B:00:2B:97:37:6C
Authority key ID    79:E8:1A:D0:4F:3E:3A:2E:13:DD:BB:9F:76:68:6B:00:2B:97:37:6C
    --------
Type    X.509 v3
Public key    1024-bit RSA
SHA1    27:E1:9A:19:A2:EC:E3:0E:9F:F6:96:75:49:90:AC:55:F5:36:3C:70
MD5    08:AB:5C:DE:D0:6E:90:E2:8E:81:00:F7:06:A2:41:18
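
Before a partner certificate is put on a trust list, its data can be checked against the requirements stated in the Certificates section. The following Python code is an added example, not part of the original article or of innovaphone software; the function names and the MIN_RSA_BITS threshold are assumptions. It reads a summary laid out like the one above and lists reasons to question the entry.

```python
import re
from datetime import datetime, timezone

MIN_RSA_BITS = 2048  # assumption: smallest RSA key this audit accepts
DATE_FMT = "%d.%m.%Y %H:%M:%S GMT"  # date layout of the summary

def hexonly(fingerprint):
    """Normalize a fingerprint so that case and separators do not matter."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())

def parse_summary(text):
    """Read a certificate summary laid out like the one on this page."""
    cert = {"names": set()}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:                # "Key    value"
            cert[parts[0]] = parts[1]
        elif parts[0].startswith("DNS="):  # SubjectAlternativeName (DNS) entry
            cert["names"].add(parts[0][4:].lower())
    cn = re.search(r"CN=([^,]+)", cert.get("Subject", ""))
    if cn:
        cert["names"].add(cn.group(1).strip().lower())
    return cert

def audit_trust_entry(summary, domain, expected_sha1, now):
    """List reasons to question a trust-list entry; an empty list means none found."""
    cert, findings = parse_summary(summary), []
    if domain.lower() not in cert["names"]:
        findings.append(f"neither CN nor a DNS entry matches {domain}")
    if hexonly(cert.get("SHA1", "")) != hexonly(expected_sha1):
        findings.append("SHA1 fingerprint differs from the expected one")
    start, end = (datetime.strptime(cert[k], DATE_FMT).replace(tzinfo=timezone.utc)
                  for k in ("Not before", "Not after"))
    if not start <= now <= end:
        findings.append(f"not valid on {now:%d.%m.%Y} (valid {cert['Not before']} to {cert['Not after']})")
    bits = re.match(r"(\d+)-bit RSA", cert.get("Public key", ""))
    if bits and int(bits.group(1)) < MIN_RSA_BITS:
        findings.append(f"{bits.group(1)}-bit RSA key is below {MIN_RSA_BITS} bits")
    return findings

# Fields copied from the certificate data published on this page.
PAGE_CERT = """
Subject    C=Germany, ST=BW, L=Sindelfingen, O=innovaphone AG, OU=Techserv, CN=innovaphone.com
DNS=innovaphone.com
DNS=sip.innovaphone.com
Not before    22.08.2013 09:26:00 GMT
Not after    22.08.2023 09:26:00 GMT
Public key    1024-bit RSA
SHA1    27:E1:9A:19:A2:EC:E3:0E:9F:F6:96:75:49:90:AC:55:F5:36:3C:70
"""
```

The expected_sha1 argument is the fingerprint obtained from the partner through a separate channel, and now is a timezone-aware datetime, for example datetime.now(timezone.utc).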

Security Considerations

Firewall

In case a firewall is used to filter the connections from the internet to your SIP gateway, please define a rule to allow incoming connections from the IP address 145.253.157.4 to the TCP port 5061.

Also make sure to allow a range of UDP ports for RTP, in case voice calls should be supported.


Offload SIP Federation Interface to DMZ

When possible, offload the SIP Interface in the Federation mode to an innovaphone Gateway in the DMZ, so the PBX itself is not reachable from the internet directly.


Secure your PBX

If the Gateway with the PBX is reachable from the internet, make sure to use secure passwords for administration and user objects. Implement IP-Filters to disable registrations at the PBX from the internet.

Usage

To add somebody to your favourites list, open myPBX and enter the e-mail address of the person in the search field. Then click the star symbol.

Add contacts

If the federation was configured correctly and the access rights allow presence and on-line status to be seen, the save button for an External URI will appear.

SIP Federation Partner

Here is a list of domains accepting SIP federation connections:

SIP Federation enabled Domains

Domain    access    contact
innovaphone.com    on request    presales@innovaphone.com
oberberg.net    on request    admin_tk@oberberg.net
modusone.ch    on request    marc.steiner@modusone.ch
estos.de    presence only

Troubleshooting

The best way to troubleshoot the SIP federation is to make an RPCAP Wireshark trace on the gateway with the SIP interface used for federation.

Check the trace for the following:

  • a DNS request and reply resolving the SRV record
  • establishment of the TLS connection
  • SIP subscribe and notify requests (visible only in the innovaphone log part if SIP tracing is enabled)

Related Articles

Reference9:Gateway/Interfaces/SIP