Howto13r1:Installation Scenarios: Difference between revisions

From innovaphone wiki
Revision as of 11:25, 10 March 2020

Before starting a v13 installation, check the customer network and its requirements first.

A v13 setup can be installed in different ways, so this page gives an overview and a best practice for each case.

Applies To

This information applies to

  • v13

IP/DNS-Installation scenarios

Decision Matrix

On the left side you pick the needs and conditions of your customer; the columns then show which solutions are possible or recommended.

Some information to understand the conditions in the table:

Reverse Proxy
Needed if you want to connect external phones (e.g. smartphones or home offices) to your internal PBX or Application Platform. The requirements are an official domain and access to the router configuration to set up port forwardings. If you do not have a domain, you have to rent one. If you do not have access to the router, your customer must use a Cloud Solution.
Local DNS server
All applications can work with DNS names. You have to configure some internal subdomains with the private IP addresses of your gateways.
Example PBX: pbx.domain.tld => 192.168.2.10
Example AP Platform: ap.domain.tld => 192.168.2.11
External DNS server
In combination with the reverse proxy you publish some subdomains of your external domain name with the external IP (or the NAT IP) of your Reverse Proxy. The external zone must never carry the private addresses from the internal zone.
Example PBX: pbx.domain.tld => 1.2.3.4
Example AP Platform: ap.domain.tld => 1.2.3.4
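The two DNS views above (internal zone with private addresses, external zone pointing at the reverse proxy) are easy to get out of sync. The following check is an added example, not innovaphone code: it resolves each service name through an internal and an external resolver and reports records that are missing, that leak a private address to the outside, or that do not point at the proxy's public address. The zone data, the name domain.tld and the address 1.2.3.4 are constructed sample values; the lookups are injected so the check also runs offline.

```python
import ipaddress
import socket


def table_lookup(table):
    """Resolver backed by a dict; used for the constructed sample views below."""
    return lambda name: table.get(name.lower().rstrip("."))


def system_lookup(name):
    """Resolver backed by the host's configured DNS; None when the name
    does not resolve. Run once from inside and once from outside the LAN
    (or against the two zone files) to feed check_split_horizon()."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_split_horizon(hostnames, internal_lookup, external_lookup, public_ip):
    """Compare the internal and external DNS views of the service names.
    Returns a list of findings; an empty list means the views are consistent."""
    findings = []
    public = ipaddress.ip_address(public_ip)
    for name in hostnames:
        internal = internal_lookup(name)
        if internal is None:
            # Only acceptable in the NAT hairpinning scenario, where internal
            # clients deliberately use the public path.
            findings.append(f"{name}: no internal record, internal clients will use the public path")
        elif not ipaddress.ip_address(internal).is_private:
            findings.append(f"{name}: internal view returns a non-private address {internal}")
        external = external_lookup(name)
        if external is None:
            findings.append(f"{name}: no external record, external clients cannot reach it")
        elif ipaddress.ip_address(external).is_private:
            findings.append(f"{name}: external view leaks a private address {external}")
        elif ipaddress.ip_address(external) != public:
            findings.append(f"{name}: external record {external} is not the reverse proxy address {public}")
    return findings


# Constructed sample views (not real zones). The external view contains one
# mistake: the AP Platform record was copied from the internal zone.
INTERNAL_VIEW = {"pbx.domain.tld": "192.168.2.10", "ap.domain.tld": "192.168.2.11"}
EXTERNAL_VIEW = {"pbx.domain.tld": "1.2.3.4", "ap.domain.tld": "192.168.2.11"}
SERVICE_NAMES = ["pbx.domain.tld", "ap.domain.tld"]


def sample_findings():
    return check_split_horizon(SERVICE_NAMES, table_lookup(INTERNAL_VIEW),
                               table_lookup(EXTERNAL_VIEW), "1.2.3.4")


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Replace the two table lookups with system_lookup (run from an internal and an external vantage point) to check a live installation; a leaked private address in the external zone is the finding that most often explains "works inside, fails from outside".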

Reverse Proxy is needed

The rows list the starting conditions at the customer site; the columns list the possible scenarios.

                                Cloud             | On Premise
                                innovaphone Cloud | internal DNS Server | external NAT Hairpinning | new DNS Server with an innovaphone Box | use only IP addresses
  • local DNS server exists     ✔✔✔ ✔✔✔ X
  • no local DNS server exists  ✔✔✔ X X

Reverse Proxy is not needed

The rows list the starting conditions at the customer site; the columns list the possible scenarios.

                                Cloud             | On Premise
                                innovaphone Cloud | internal DNS Server | external NAT Hairpinning | new DNS Server with an innovaphone Box | use only IP addresses
  • local DNS server exists     ✔✔✔ ✔✔✔ ✔✔
  • no local DNS server exists  ✔✔✔ X ✔✔


  • ✔✔✔ means that we recommend it
  • ✔✔ means that you can do it, and it works fine
  • means that you can do it and it works fine, but you should make some local network adjustments
  • O means that you can do it, but we do not recommend it
  • X means that you should not do it, otherwise you may run into problems


Don't forget to have a look into our training books to decide how to set up the whole network.

Scenario - innovaphone Cloud

FIXME: This part of the documentation has to be finished.

Scenario - internal DNS Server

You can use your existing DNS server to set up your DNS names so that they resolve to the correct internal IP addresses.

Example:

  • pbx.example.com => 192.168.2.10
  • apps.example.com => 192.168.2.11

Scenario - external NAT Hairpinning

If you have no internal DNS server and your NAT router supports hairpinning, you can use external DNS entries with a record pointing to your external IP address.

Your internal clients then resolve pbx.example.com to the public IP address of your own router. If you configure the needed NAT rules to the internal IP, the router accepts the packet from inside and forwards it back to the internal IP from your NAT rule (hairpin NAT, also called NAT loopback or NAT reflection).

In this scenario no separate internal DNS server is required, and an internal client (e.g. 192.168.3.5) can talk to the PBX (e.g. pbx.example.com -> 1.2.3.4) through the mapping to the internal IP (e.g. 192.168.3.10).

The most commonly used NAT rules are:

// H.323/TLS 
[from outside] tcp/1300     => [internal IP of your Reverse Proxy] 

// LDAPS
[from outside] tcp/636      => [internal IP of your Reverse Proxy] 

// HTTPS
[from outside] tcp/443      => [internal IP of your Reverse Proxy] 

// TURN
[from outside] tcp/udp/3478 => [internal IP of your Reverse Proxy]
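A plain port forward on the WAN interface is not enough for hairpinning: an internal client's SYN to 1.2.3.4 is rewritten to the proxy, but the proxy answers the client directly on the LAN with its own address as source, so the client sees a reply from the wrong peer and drops it. The router also has to apply the DNAT on the LAN side and source-NAT those flows so the replies return through it. The function below is an added example, not innovaphone code or a vendor configuration: it renders the NAT list above as an nftables ruleset, with and without the hairpin rules. The interface names eth0/eth1, the LAN 192.168.3.0/24 and the addresses 1.2.3.4 and 192.168.3.10 are assumptions for the example.

```python
# Port mappings from the NAT list above: (protocol, port, service).
NAT_RULES = [
    ("tcp", 1300, "H.323/TLS"),
    ("tcp", 636, "LDAPS"),
    ("tcp", 443, "HTTPS"),
    ("tcp", 3478, "TURN"),
    ("udp", 3478, "TURN"),
]


def nat_ruleset(public_ip, proxy_ip, lan_net, wan_if, lan_if,
                rules=NAT_RULES, hairpin=True):
    """Render an nftables 'ip nat' table that publishes the reverse proxy.

    hairpin=False is the plain port forward: DNAT only for packets arriving on
    the WAN interface. hairpin=True adds the same DNAT for packets arriving on
    the LAN interface and a masquerade for exactly those DNATed LAN-to-LAN
    flows ('ct status dnat'), so the proxy's replies go back via the router,
    which un-NATs them before the client sees them."""
    out = [
        "table ip nat {",
        "  chain prerouting {",
        "    type nat hook prerouting priority dstnat; policy accept;",
    ]
    for proto, port, service in rules:
        out.append(f'    iifname "{wan_if}" ip daddr {public_ip} {proto} dport {port} '
                   f'dnat to {proxy_ip} comment "{service}"')
        if hairpin:
            out.append(f'    iifname "{lan_if}" ip daddr {public_ip} {proto} dport {port} '
                       f'dnat to {proxy_ip} comment "{service} hairpin"')
    out += [
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority srcnat; policy accept;",
        f'    oifname "{wan_if}" masquerade',
    ]
    if hairpin:
        # Restricting to 'ct status dnat' keeps direct LAN-to-proxy traffic
        # (clients that resolve the internal address) untouched.
        out.append(f'    oifname "{lan_if}" ip saddr {lan_net} ip daddr {proxy_ip} '
                   f'ct status dnat masquerade comment "hairpin return path"')
    out += ["  }", "}"]
    return "\n".join(out) + "\n"


def example_ruleset(hairpin=True):
    """The ruleset for the addresses used in this scenario (assumed interfaces)."""
    return nat_ruleset("1.2.3.4", "192.168.3.10", "192.168.3.0/24",
                       "eth0", "eth1", hairpin=hairpin)


if __name__ == "__main__":
    print(example_ruleset())
```

Load the output with nft -f on a Linux router to try it. Two caveats: the masquerade makes hairpinned connections arrive at the reverse proxy with the router's LAN address as source, so proxy logs no longer show the real internal client; and every port in the list is reachable from the whole internet once the WAN rules are active, so the internal DNS scenario (which needs neither the hairpin DNAT nor the masquerade) is the cleaner choice where it is available.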


During the install process you first have to set up a temporary internal DNS server that provides the local addresses, and configure your PC and the innovaphone gateway to use it. Only during the install do you have to distribute this internal DNS server to the clients via DHCP on your router. When everything is finished, you can turn the local DNS server off. If you have no hardware or software for a temporary DNS server, you can use an innovaphone box as described in the next scenario.

If you cannot set up temporary DNS records, the installer automatically activates the "Operation without DNS" mode to communicate via IP addresses. You have to deactivate that mode after setting up the correct DNS entries.

Scenario - new DNS Server with an innovaphone Box

If you decide to set up an internal DNS server on an innovaphone box, proceed as follows:

First choose Manual Installation.

(screenshot: SetupInternerDNS-Part1.png)

Then enable the DNS Server and create the A records.

(screenshot: SetupInternerDNS-Part2.png)

Afterwards it looks like this:

(screenshot: SetupInternerDNS-Part3.png)

In the next step you should provide the IP of this box as DNS server to all of your phones, for example via your own DHCP server.

Now you can go back to the normal installation process of the box. Therefore just ....

Scenario - use only IP addresses

You can use static IP addresses in the installation process, so no DNS is needed.

Example:

  • PBX DNS Name => 192.168.2.10
  • AP DNS Name => 192.168.2.11

Possible scenarios if port 443 is already in use

Sometimes the SSL port (tcp/443) is already in use by other systems on the customer's side, such as webmail or a web server. To use myApps clients externally, the myApps client also has to connect to the customer network via port 443.

There are some possible solutions to resolve that conflict.

Use an innovaphone Cloud Setup

If you do not want to or cannot change the network on the customer's side, you can use a Cloud Setup.

Separate IP Address for Reverse Proxy

The best way is to have more than one public IP address. In this scenario you use a separate IP address for each server/service, so you can use different IP addresses on your firewall and route the traffic to the different servers/services without any hostname-based dispatching.

Distribute traffic based on hostname

If you only have a single IP address, something has to decide which system is the target of an incoming tcp/443 connection. For this you use a system in front of the services that looks at the hostname the client requests and forwards the connection to the matching service. With TLS on tcp/443 that hostname is available unencrypted in the TLS ClientHello (Server Name Indication, SNI); the Host header of the HTTP GET request is only visible after the TLS session has been terminated.
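To make the hostname-based dispatch concrete, here is an added example (not innovaphone code and not the innovaphone Reverse Proxy's implementation) of the part any such system does first: reading the SNI out of a TLS ClientHello without touching the encryption, then looking the name up in a routing table. The backend addresses 192.168.2.20 and 192.168.2.11 are assumptions; the ClientHello builder only exists so the parser can be exercised offline on constructed input.

```python
import struct

# Constructed routing table for the example: requested hostname -> backend.
# Addresses are made up; the page names the services, not their IPs.
ROUTES = {
    "webmail.domain.tld": "192.168.2.20",   # local Exchange
    "apps.domain.tld": "192.168.2.11",      # innovaphone AP Platform
}


def build_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello record that carries only an SNI
    extension (or no extension when hostname is None). Constructed test input."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
        server_name_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x00" * 32                               # random (zeros, constructed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension of a TLS ClientHello,
    None if the ClientHello carries no SNI, and raise ValueError for data
    that is not a complete, well-formed ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    rec = record[5:5 + rec_len]
    if len(rec) != rec_len or rec_len < 4 or rec[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0

    def take(n):
        # Bounds-checked cursor: every length field is validated before use.
        nonlocal pos
        if pos + n > len(hs):
            raise ValueError("truncated ClientHello")
        chunk = hs[pos:pos + n]
        pos += n
        return chunk

    take(2 + 32)                                   # client_version + random
    take(take(1)[0])                               # session_id
    take(struct.unpack("!H", take(2))[0])          # cipher_suites
    take(take(1)[0])                               # compression_methods
    if pos == len(hs):
        return None                                # no extensions block at all
    ext_end = pos + struct.unpack("!H", take(2))[0]
    if ext_end > len(hs):
        raise ValueError("bad extensions length")
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", take(4))
        ext = take(ext_len)
        if ext_type != 0x0000:
            continue                               # not server_name
        if len(ext) < 2:
            raise ValueError("bad server_name extension")
        list_end = min(2 + struct.unpack("!H", ext[:2])[0], len(ext))
        p = 2
        while p + 3 <= list_end:
            name_type = ext[p]
            name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
            p += 3
            name = ext[p:p + name_len]
            if len(name) != name_len:
                raise ValueError("bad server_name entry")
            p += name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def pick_backend(record, routes=ROUTES):
    """Dispatch a ClientHello to a backend by SNI. Unknown or missing names
    get None: drop the connection instead of handing it to a default backend."""
    sni = extract_sni(record)
    if sni is None:
        return None
    return routes.get(sni.lower().rstrip("."))
```

A dispatcher that only reads SNI can pass the TLS bytes through untouched, so each backend keeps presenting its own certificate; the price is that it cannot see anything else (paths, headers) and must treat a missing or unknown SNI as "no route" rather than falling back to the first backend, which would expose that backend to every scanner hitting the public address.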

Use existing firewall

Most next-gen firewalls support features such as Load Balancer, Reverse Proxy or something similar that can do the forwarding: they listen on tcp/443, look at the requested hostname and forward the traffic to the configured destination IP address. If the firewall forwards on the TLS SNI it leaves the TLS session intact and each backend keeps its own certificate; if it forwards on the HTTP Host header it has to terminate TLS itself and then needs a certificate that covers every published name.

Note: Please consult your firewall vendor or system admin if you need help to configure this.

Use innovaphone's Reverse Proxy

The innovaphone Reverse Proxy can do the forwarding to configured destination IP addresses too. With this setup you route or NAT (depending on your firewall) all incoming tcp/443 traffic to the Reverse Proxy, which distributes it to the appropriate system (e.g. traffic for "webmail.domain.tld" to the local Exchange IP and traffic for "apps.domain.tld" to the innovaphone AP Platform).

Note: the reverse proxy can handle a single SSL certificate only, so you have to use a wildcard (*.domain.tld) certificate that covers every hostname it serves. A wildcard covers exactly one label: *.domain.tld is valid for apps.domain.tld and webmail.domain.tld, but neither for domain.tld itself nor for names in a deeper subdomain such as pbx.site1.domain.tld.
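Whether one certificate really covers all names behind the proxy is worth checking before the certificate is bought. The functions below are an added example, not innovaphone code: they apply the strict wildcard rule TLS clients use (the asterisk must be the whole left-most label and matches exactly one label; partial wildcards such as w*.domain.tld and *.tld are rejected), list the hostnames a certificate's names do not cover, and derive which wildcard names a given hostname list would need. The hostnames are constructed sample values.

```python
def wildcard_matches(pattern, hostname):
    """Strict wildcard matching as TLS clients apply it: '*' must be the entire
    left-most label and matches exactly one label, so '*.domain.tld' matches
    'apps.domain.tld' but neither 'domain.tld' nor 'pbx.site1.domain.tld'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if (p_labels[0] != "*"
            or any("*" in label for label in p_labels[1:])
            or len(p_labels) < 3):
        return False            # partial wildcards (w*.x) and '*.tld' are rejected
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def uncovered_hostnames(cert_names, hostnames):
    """Hostnames the reverse proxy will serve that no name on the
    certificate (CN/SAN entries) covers."""
    return [h for h in hostnames
            if not any(wildcard_matches(n, h) for n in cert_names)]


def wildcards_needed(hostnames):
    """Wildcard names that would cover the given hostnames, one per parent
    zone. More than one entry means a single '*.domain.tld' is not enough."""
    parents = {h.lower().rstrip(".").split(".", 1)[1] for h in hostnames if "." in h}
    return sorted("*." + p for p in parents)


if __name__ == "__main__":
    served = ["apps.domain.tld", "webmail.domain.tld", "pbx.site1.domain.tld"]
    print("not covered by *.domain.tld:", uncovered_hostnames(["*.domain.tld"], served))
    print("wildcards needed:", wildcards_needed(served))
```

If wildcards_needed returns more than one name, either move the extra hosts directly under domain.tld so the single wildcard applies, or put the service that needs the deeper name behind the firewall's own SNI-based forwarding instead of the reverse proxy.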

Separate WAN Uplink

You can order a separate internet connection to get a second public IP address and forward the traffic on it to your Reverse Proxy.
