3COM Drums Version 4.3 User Manual

3Com® Telecommuting Module User

Manual

Version 4.3

3Com® Telecommuting Module User Manual: Version 4.3

Part Number BETA Published December 2005

3Com Corporation, 350 Campus Drive, Marlborough MA 01752-3064

Copyright © 2005, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notiﬁcation of such revision or change. 3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms, or conditions of merchantability, satisfactory quality, and ﬁtness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time. If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hardcopy documentation, or on the removable media in a directory ﬁle named LICENSE.TXT or !LICENSE.TXT.If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND

If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:

All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as "Commercial Computer Software" as deﬁned in DFARS 252.227-7014 (June 1995) or as a "commercial item" as deﬁned in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR252.227-7015(Nov1995)orFAR 52.227-14 (June 1987), whichever is applicable. You agree not to removeor defaceanyportion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this guide. Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries. 3Com, the 3Com logo, NBX, and SuperStack are registered trademarks of 3Com Corporation. NBX NetSet, pcXset, and VCX are trademarks of 3Com Corporation. Adobe is a trademark and Adobe Acrobat is a registered trademark of Adobe Systems Incorporated. Microsoft, Windows, Windows 2000, Windows NT,and Microsoft Word are registered trademarks of Microsoft Corporation. All other company and product names may be trademarks of the respective companies with which they are associated.

Part I. Introduction to 3Com VCX IP Telecommuting Module ............................................................................. i

1. Introduction to 3Com VCX IP Telecommuting Module.................................................................................1

2. Installing 3Com VCX IP Telecommuting Module..........................................................................................5

3. Conﬁguring 3Com VCX IP Telecommuting Module ...................................................................................13

Part II. How To..........................................................................................................................................................20

4. How To Conﬁgure SIP...................................................................................................................................21

Part III. Description of 3Com VCX IP Telecommuting Module Settings............................................................35

5. The Serial Console ........................................................................................................................................36

6. Basic Conﬁguration.......................................................................................................................................42

7. Network Conﬁguration..................................................................................................................................60

8. SIP Services...................................................................................................................................................69

9. SIP Trafﬁc......................................................................................................................................................82

10. Administration.............................................................................................................................................87

11. Logging........................................................................................................................................................98

12. Failover......................................................................................................................................................112

13. Tools ..........................................................................................................................................................118

14. Firewall and Client Conﬁguration .............................................................................................................121

Part IV. Appendices................................................................................................................................................124

A. More About SIP..........................................................................................................................................125

B. Troubleshooting ..........................................................................................................................................127

C. Lists of Reserved Ports, ICMP Types and Codes, and Internet Protocols..................................................130

D. Deﬁnitions of terms ....................................................................................................................................140

E. License Conditions......................................................................................................................................147

F. Obtaining Support for Your 3Com Products...............................................................................................162

Index.........................................................................................................................................................................165

Part I. Introduction to 3Com VCX IP

Telecommuting Module

Chapter 1. Introduction to 3Com VCX IP Telecommuting Module

Some of the functions of 3Com VCX IP Telecommuting Module are:

• SIP proxy: Forwarding of SIP requests.

• Protection against such attacks as address spooﬁng.

• Logging/alarm locally on the Telecommuting Module, via email and/or via syslog.

• Managing several logical/directly-connected networks and several network connections/physical networks.

• Administration of the Telecommuting Module through a web browser using http or https.

• Failover - connect two Telecommuting Modules in parallel; one handles trafﬁc and the other acts as a hot standby.

• STUN server and Remote SIP Connectivity for SIP clients behind NAT boxes which are not SIP aware (using the

Remote SIP Connectivity module).

Note that some of the functions mentioned here are only available if the corresponding extension module has been installed.

What is a Telecommuting Module?

A Telecommuting Module is a device which processes trafﬁc under the SIP protocol (see RFC 3261). The Telecommuting Module receives SIP requests, processes them according to the rules you have set up, and forwards them to the receiver.

The Telecommuting Module connects to an existing enterprise ﬁrewall through a DMZ port, enabling the transmission of SIP-based communications without affecting ﬁrewall security. SIP messages are then routed through the ﬁrewall to the private IP addresses of authorized users on the internal network.

The Telecommuting Module can also be used as an extra gateway to the internal network without connecting to the ﬁrewall, transmitting only SIP-based communications.

Conﬁguration alternatives

The 3Com VCX IP Telecommuting Module can be connected to your network in three different ways, depending on your needs.

Note that the interface which should receive trafﬁc from the outside must have a public IP address (no NAT), regardless of which Telecommuting Module Type was selected. For a DMZ or DMZ/LAN type, this means that the interface connected to the DMZ of the ﬁrewall must have a public IP address.

DMZ Conﬁguration

Using this conﬁguration, the Telecommuting Module is located on the DMZ of your ﬁrewall, and connected to it with only one interface. The SIP trafﬁc ﬁnds its way to the Telecommuting Module using DNS or by setting the Telecommuting Module as an outbound proxy on the clients.

This is the most secure conﬁguration, since all trafﬁc goes through both your ﬁrewall and your Telecommuting Module. It is also the most ﬂexible, since all networks connected to any of your ﬁrewall’s interfaces can be SIP-enabled.

The drawback is that the SIP trafﬁc will pass the ﬁrewall twice, which can decrease performance.

Chapter 1. Introduction to 3Com VCX IP Telecommuting Module

Fig 1. Telecommuting Module in DMZ conﬁguration.

DMZ/LAN Conﬁguration

Using this conﬁguration, the Telecommuting Module is located on the DMZ of your ﬁrewall, and connected to it with one of the interfaces. The other interface is connected to your internal network. The Telecommuting Module can handle several networks on the internal interface even if they are hidden behind routers. No networks on other interfaces on the ﬁrewall can be handled.

This conﬁguration is used to enhance the data throughput, since the trafﬁc only needs to pass your ﬁrewall once. This conﬁguration can only support one local network.

Fig 2. Telecommuting Module in DMZ/LAN conﬁguration.

Standalone Conﬁguration

Using this conﬁguration, the Telecommuting Module is connected to your internal network on one interface and the outside world on the other.

Use this conﬁguration only if your ﬁrewall lacks a DMZ interface, or for some other reason cannot be conﬁgured for the DMZ or DMZ/LAN alternatives.

Fig 3. Telecommuting Module in Standalone conﬁguration.

Quick guide to 3Com VCX IP Telecommuting Module installation

3Com VCX IP Telecommuting Module is easy to install:

Chapter 1. Introduction to 3Com VCX IP Telecommuting Module

• Select an IP address for the Telecommuting Module on your network.

• The network interfaces are marked with 1 and 2. These numbers correspond to the physical interfaces eth0 and

eth1 respectively, the latter which should be use in the installation program.

• Plug in the power cord and turn on the Telecommuting Module.

• Wait while the Telecommuting Module boots up.

• Connect the network cables to the network interfaces.

• Find out the MAC address of the Telecommuting Module’s Network Interface 1 (printed on the Telecommuting

Module label).

• Add a static entry in your local ARP table consisting of the Telecommuting Module’s MAC address and the IP

address it should have on Network Interface 1. This is how to add a static ARP entry if you use a Windows computer: Run the command command (or cmd). In the Command window, enter the command arp -s ipaddress macaddress where ipaddress is the new IP

address for Network Interface 1, and macaddress is the MAC address printed on the Telecommuting Module, but with all colons (:) replaced with dashes (-).

• Ping this IP address to give the Telecommuting Module its new IP address. You should receive a ping reply if the

address distribution was successful.

• Direct your web browser to the IP address of the Telecommuting Module. You will be prompted to set a

password for the Telecommuting Module admin user.

• Now you can see the top page of 3Com VCX IP Telecommuting Module. Click on the Telecommuting Module

Type link and select the conﬁguration for your Telecommuting Module. The types are described on the web page.

• Go to the Network Interface 1 page and enter the necessary conﬁguration. See also the Interface section. Note

that the Telecommuting Module must have at least one IP address which can be reached from the Internet.

• If one of the Telecommuting Module Types DMZ/LAN or Standalone was chosen, move on to the Network

Interface 2 page and give the Telecommuting Module at least one IP address on this interface and state the networks connected to the interface. See also the Interface section.

• Go to the Networks and Computers page. Deﬁne the networks that will send and receive SIP trafﬁc using the

Telecommuting Module. Usually, you need at least one network per interface of the ﬁrewall connected to the Telecommuting Module (or, for the Standalone type, per interface of the Telecommuting Module). Some computers should be handled separately, and they therefore need their own networks. See also the Networks and Computers section.

• Go to the Basic Conﬁguration page under Basic Conﬁguration and enter a Default gateway and a DNS

server. See also the Basic Conﬁguration section.

• Go to the Access Control page and make settings for the conﬁguration of the Telecommuting Module. See also

the Access Control section.

• Go to the Surroundings page (for the DMZ Telecommuting Module Type) and state the networks connected to

the ﬁrewall. See also the Surroundings section in chapter 7, Network Conﬁguration.

• Go to Basic under SIP Services and turn the SIP module on. See also the Basic section.

• Go to the Interoperability page. Turn Preserve username and SIP URL encryption on.

• If you use a dialing domain which looks like an IP address, enter the dialing domain in the Translation

exceptions table. See also the Interoperability section.

• For this type of dialing domain, you also need to go to the Routing page. Enter the dialing domain in the DNS

Override For SIP Requests table and state the IP address of the SIP server(s) to handle the domain. See also the Routing section.

• Go to the Save/Load Conﬁguration page under. Select Apply conﬁguration. Now you can test your new

conﬁguration and save it permanently if you are satisﬁed with it. If the conﬁguration is not satisfactory, select Revert or restart the Telecommuting Module. The old conﬁguration will remain.

Chapter 1. Introduction to 3Com VCX IP Telecommuting Module

When the Telecommuting Module is conﬁgured, the ﬁrewall connected to it must also be reconﬁgured (for the DMZ and DMZ/LAN Telecommuting Module Types).

• Allow UDP and TCP trafﬁc in the port interval used for media streams by the Telecommuting Module, and port

5060. This trafﬁc must be allowed to all networks which should be reached by SIP trafﬁc.

See also chapter 14, Firewall and Client Conﬁguration, for information on conﬁguring the ﬁrewall and the SIP clients, and chapter 4, How To Conﬁgure SIP, for Telecommuting Module conﬁguration examples.

Before you start

You could do a rough sketch of your network to make the conﬁguration simpler. Things to think of:

• Which IP addresses will the Telecommuting Module interfaces use? You can have more than one IP network on

one interface, each requiring a separate IP address for the Telecommuting Module.

• Which series of IP addresses will be used on the networks connected to the different interfaces?

• Are there networks behind routers?

• What is the default gateway for the Telecommuting Module?

About settings in 3Com VCX IP Telecommuting Module

3Com VCX IP Telecommuting Module uses two sets of Telecommuting Module conﬁgurations: preliminary and permanent conﬁguration. The permanent conﬁguration is what is used in the active Telecommuting Module. The preliminary conﬁguration is where you change and set the conﬁguration. See chapter 3, Conﬁguring 3Com VCX IP Telecommuting Module, for instructions.

The changes you make in the preliminary conﬁguration are not stored in the permanent conﬁguration until you click on Apply conﬁguration on the Save/Load Conﬁguration page under Administration.

The password conﬁguration and time setting are the exceptions to this rule; they are saved immediately. Change the administrator passwords and create more administrator users on the User Administration page under Administration.

3Com VCX IP Telecommuting Module displays serious errors in red, e.g., if mandatory information is not entered. Blank ﬁelds are shown in red. Fields that you correct remain red until you select Save, Add new rows or update the page in some other way.

If you have a web connection with the Telecommuting Module that is inactive for 10 minutes, it will ask for a password again.

Always log out from the Telecommuting Module administration interface when you are not using it. Press the Log out button on the left to log out.

The terms used in the book are explained in appendix D, Deﬁnitions of Terms. For a general description of how to conﬁgure and administer the Telecommuting Module, see

Conﬁguring 3Com VCX IP Telecommuting Module.

chapter 3,

Chapter 2. Installing 3Com VCX IP Telecommuting Module

Installation

There are three ways to install an 3Com VCX IP Telecommuting Module: using a serial cable, using a diskette or perform a magic ping.

Installation with a serial cable or a diskette requires being at the same place as the Telecommuting Module, but will give more options for the start conﬁguration.

Installation with magic ping does not require being on the same place as the Telecommuting Module (but the computer has to be connected to the same logical network as the Telecommuting Module), but restricts the start conﬁguration.

Installation with magic ping

You can use the magic ping to set an IP address for the Telecommuting Module. This is how to perform a magic ping:

• Plug in the power cord and turn the Telecommuting Module on.

• Wait while the Telecommuting Module boots up.

• Connect the network cables to the network interfaces.

• Find out the MAC address of the Telecommuting Module (printed on the back of the Telecommuting Module).

This is the MAC address of Network Interface 1.

• Add a static entry in your local ARP table consisting of the Telecommuting Module’s MAC address and the IP

for the Network Interface 1 interface, and macaddress is the MAC address printed on the Telecommuting Module, but with all colons (:) replaced with dashes (-).

• Ping this IP address to give the Telecommuting Module its new IP address. You should receive a ping reply if the

address distribution was successful.

• Conﬁgure the rest through a web browser.

• Plug in the power cord and turn the Telecommuting Module on.

• Wait while the Telecommuting Module boots up.

• Connect the network cables to the network interfaces.

• Find out the MAC address of the Telecommuting Module (printed on the back of the Telecommuting Module).

This is the MAC address of Network Interface 1.

• Add a static entry in your local ARP table consisting of the Telecommuting Module’s MAC address and the IP

for the Network Interface 1 interface, and macaddress is the MAC address printed on the Telecommuting Module, but with all colons (:) replaced with dashes (-).

Chapter 2. Installing 3Com VCX IP Telecommuting Module

• Ping this IP address to give the Telecommuting Module its new IP address. You should receive a ping reply if the

address distribution was successful.

• Conﬁgure the rest through a web browser.

Installation with a serial cable

These steps are performed when installing with a serial cable:

• Connect the Telecommuting Module to your workstation with a null modem serial cable.

• Plug in the power cord and turn the Telecommuting Module on.

• Wait while the Telecommuting Module boots up.

• Log on from your workstation.

• Run the installation program (see following instructions).

• Connect the network cables to the network interfaces.

• Conﬁgure the rest through a web browser.

Connect the Telecommuting Module to your workstation with a null modem serial cable, plug in the power cord and turn the Telecommuting Module on. You will have to wait a few minutes while it boots up.

• If you use a Windows workstation, connect like this: Start Hyperterm. A Location dialogue will show, asking for

your telephone number and area. Click Cancel followed by Yes. Then you will be asked to make a new connection. Type a name for this connection, select an icon and click OK. The Location dialogue will show again, so click Cancel followed by Yes.

Now you can select Connect using COM1 and click OK. A Port settings dialogue will show, where you select 19200 as Bits per second. Use the default conﬁguration for all other settings. Click OK and wait for a login prompt. (In some cases you have to press Return to get the login prompt.)

• If you use a Linux workstation, connect like this: Make sure that there is a symbolic link named /dev/modem

which points to the serial port you connected the Telecommuting Module to. Connect using minicom with the bit rate 19200 bits/s, and wait for a login prompt.

Log on as the user admin. The ﬁrst time you log on, no password is required. You set the password when you run the installation script, which starts automatically when you have logged on.

Each network interface is marked with a name (1 and 2), which corresponds to a tab under Network. All eth interfaces belong to ethernet cards and should only be connected using ethernet cables.

Decide which computer(s) are allowed to conﬁgure 3Com VCX IP Telecommuting Module and enter the name of the network interface to which they are connected, for example, Network Interface 1. You must use the physical device name (eth0 and eth1).

Enter the IP address of the Telecommuting Module on this interface and the network mask for the network. A network mask can be written in two ways in 3Com VCX IP Telecommuting Module:

• The ﬁrst looks just like an IP address, for example 255.255.192.0 or 255.255.254.0.

• The other way is as a number between 0 and 32. An IP address has 32 bits, where the number of the network

mask indicates how many bits are used in the network’s addresses. The rest of the bits identiﬁes the computer on the network.

Now, you can select to deactivate any network interfaces. Select y to deactivate all interfaces but the one you just conﬁgured. The remaining network interfaces can be activated later when you complete the conﬁguration via the web interface from your work station. This only applies to interfaces which was previously active; you can’t activate interfaces with this setting.

Now enter the computer or computers from which the Telecommuting Module may be conﬁgured (the conﬁguration computers).

Chapter 2. Installing 3Com VCX IP Telecommuting Module

Then enter a password for the Telecommuting Module. This is the password you use in your web browser to access and change the Telecommuting Module’s conﬁguration. Finally, you can reset all other conﬁguration if you want to.

Following is a sample run of the installation program.

3Com VCX IP Telecommuting Module Administration

1. Basic conﬁguration

2. Save/Load conﬁguration

3. Become a failover team member

4. Leave failover team and become standalone

5. Wipe email logs

6. Set password q. Exit admin ==>

Select 1 to install your 3Com VCX IP Telecommuting Module.

Basic unit installation program version 4.3

Press return to keep the default value

Network conﬁguration inside:

Physical device name[eth0]: IP address [0.0.0.0]: 10.47.2.242 Netmask/bits [255.255.255.0]: 255.255.0.0 Deactivate other interfaces? (y/n) [n]

Computers from which conﬁguration is allowed:

You can select either a single computer or a network.

Conﬁgure from a single computer? (y/n) [y]

If you choose to allow only one computer to conﬁgure the Telecommuting Module, you are asked for the IP address (the mask is set automatically).

IP address [0.0.0.0]: 10.47.2.240

If this IP address is not on the same network as the IP address of the Telecommuting Module, you are asked for the router. Enter the IP address of the router on the network where the Telecommuting Module is connected. Then enter the network address and mask of the network containing the conﬁguring computer.

Static routing: The computer allowed to conﬁgure from is not on a network local to this unit. You must conﬁgure a static route to it. Give the IP address of the router on the network the unit is on.

The IP address of the router [0.0.0.0]: 10.47.3.1 Network address [10.47.0.0]: 10.10.0.0 Netmask [255.255.255.0]:

You can choose to allow several computers to conﬁgure the Telecommuting Module, by answering no to the question:

Conﬁgure from a single computer? (y/n) [y] n

Chapter 2. Installing 3Com VCX IP Telecommuting Module

Telecommuting Module). The network mask determines the number of computers that can act as conﬁguration computers.

Network number [0.0.0.0]: 10.47.2.0 Netmask/bits [255.255.255.0]: 255.255.255.0

If the network or partial network is not directly connected to the Telecommuting Module, you must enter the IP address of the router leading to that network. Then enter the network’s address and mask.

Static routing: The network allowed to conﬁgure from is not on a network local to this unit. You must conﬁgure a static route to it. Give the IP address of the router on the network this unit is on.

The IP address of the router [0.0.0.0]: 10.47.3.1 Network address [10.47.0.0]: 10.10.0.0 Netmask [255.255.255.0]:

Then enter a password.

Password []:

Finally, you are asked if you want to reset other conﬁguration.

Other conﬁguration Do you want to reset the rest of the conﬁguration? (y/n) [n]

If you answer n, nothing is removed. If you answer y, you have three alternatives to select from:

1. Clear as little as possible. This is the alternative that is used if you answer n to the question above. Both the preliminary and the permanent conﬁgurations will be updated with the conﬁguration speciﬁed above.

2. Revert to the factory conﬁguration and then apply the conﬁguration speciﬁed above. This will affect the permanent but not the preliminary conﬁguration.

3. Revert to the factory conﬁguration and empty all logs and then apply the conﬁguration speciﬁed above. Both the preliminary and the permanent conﬁgurations will be affected.

Select the update mode, which is what you want to remove.

Update mode (1-3) [1]:

Chapter 2. Installing 3Com VCX IP Telecommuting Module

You have now entered the following conﬁguration

Network conﬁguration inside:

Physical device name: eth0 IP address: 192.168.150.2 Netmask: 255.255.255.0 Deactivate other interfaces: no

Computer allowed to conﬁgure from:

IP address: 192.168.128.3

Password: eeyore

The rest of the conﬁguration is kept.

Is this conﬁguration correct (yes/no/abort)? yes

Now, ﬁnish conﬁguration of the Telecommuting Module from the computer/computers speciﬁed in the installation program.

Installation with a diskette

These steps are performed when installing with a diskette:

• Select an IP address and store it on the installation diskette as described below.

• Insert the installation diskette into the Telecommuting Module’s ﬂoppy drive.

• Plug in the power cord and turn the Telecommuting Module on.

• Connect the network cables to the network interfaces.

• Wait while the Telecommuting Module boots up.

• Conﬁgure the rest through a web browser.

You must ﬁrst insert the diskette into your PC. If the PC is running Windows, open a Command window and run the ﬁnst-en script from the diskette. If the PC is running Linux, mount the diskette, change directory to the mounted one, and run the ﬁnst-en script.

Enter the IP address of the Telecommuting Module on this interface and the network mask for the network. A network mask can be written in two ways in 3Com VCX IP Telecommuting Module:

• The ﬁrst looks just like an IP address, for example 255.255.192.0 or 255.255.254.0.

• The other way is as a number between 0 and 32. An IP address has 32 bits, where the number of the network

mask indicates how many bits are used in the network’s addresses. The rest of the bits identiﬁes the computer on the network.

Now enter the computer or computers from which the Telecommuting Module may be conﬁgured (the conﬁguration computers).

Chapter 2. Installing 3Com VCX IP Telecommuting Module

Following is a sample run of the installation program on the diskette.

Basic unit installation program version 4.3

Press return to keep the default value

Network conﬁguration inside:

Physical device name[eth0]: IP address [0.0.0.0]: 10.47.2.242 Netmask/bits [255.255.255.0]: 255.255.0.0 Deactivate other interfaces? (y/n) [n]

Computers from which conﬁguration is allowed:

You can select either a single computer or a network.

Conﬁgure from a single computer? (y/n) [y]

If you choose to allow only one computer to conﬁgure the Telecommuting Module, you are asked for the IP address (the netmask is set automatically).

IP address [0.0.0.0]: 10.47.2.240

If this IP address is not on the same network as the inside of the Telecommuting Module, you are asked for the router. Enter the IP address of the router on the network where the Telecommuting Module is connected. Now enter the network address and mask of the network containing the conﬁguring computer.

The IP address of the router [0.0.0.0]: 10.47.3.1 Network address [10.47.0.0]: 10.10.0.0 Netmask [255.255.255.0]:

You can choose to allow several computers to conﬁgure the Telecommuting Module, by answering no to the question:

Conﬁgure from a single computer? (y/n) [y] n

The installation program then asks for the network number. The network number is the lowest IP address in the series of numbers that includes the conﬁguration computers (see chapter 3, Conﬁguring 3Com VCX IP Telecommuting Module). The network mask determines the number of computers that can act as conﬁguration computers.

Network number [0.0.0.0]: 10.47.2.0 Netmask/bits [255.255.255.0]: 255.255.255.0

Chapter 2. Installing 3Com VCX IP Telecommuting Module

The IP address of the router [0.0.0.0]: 10.47.3.1 Network address [10.47.0.0]: 10.10.0.0 Netmask [255.255.255.0]:

Then enter a password.

Password []:

Finally, you are asked if you want to reset other conﬁguration.

Other conﬁguration Do you want to reset the rest of the conﬁguration? (y/n) [n]

If you answer n, nothing is removed. If you answer y, you have three alternatives to select from:

2. Revert to the factory conﬁguration and then apply the conﬁguration speciﬁed above. This will affect the permanent but not the preliminary conﬁguration.

3. Revert to the factory conﬁguration and empty all logs and then apply the conﬁguration speciﬁed above. Both the preliminary and the permanent conﬁgurations will be affected.

Select the update mode, which is what you want to remove.

Update mode (1-3) [1]:

All conﬁguration is now complete. The installation program shows the conﬁguration and asks if it is correct. yes saves the conﬁguration. no runs the installation program over again. abort ends the installation program without saving. Now, eject the diskette from your PC and insert it into the Telecommuting Module’s ﬂoppy drive. Then power up

the Telecommuting Module and wait for it to boot. Then, ﬁnish conﬁguration of the Telecommuting Module from the computer/computers speciﬁed in the installation program.

Note that the diskette contains a command to erase certain parts of the conﬁguration during boot when the diskette is inserted. Make sure to eject it once the Telecommuting Module has booted up to avoid future loss of data.

If you happen to forget the administrator password for the Telecommuting Module, you can insert the diskette into the Telecommuting Module again and boot it. Note that if you selected anything but 1 as the update mode, you will lose conﬁguration when doing this.

Turning off a Telecommuting Module

Backup the Telecommuting Module conﬁguration (just in case something should happen). You do this on the Save/Load Conﬁguration page under Administration. Once this is done, just turn the computer off. The computer that runs 3Com VCX IP Telecommuting Module is specially designed so that you can switch it off without causing any problems in the ﬁle structure.

Chapter 2. Installing 3Com VCX IP Telecommuting Module

Remember to lock up the Telecommuting Module

The Telecommuting Module is a computer with special software, and must be protected from unauthorized physical access just as other computers performing critical tasks. A locked up Telecommuting Module protects against:

• connecting to the console

• connecting a keyboard and monitor

• changing the administrator password using the installation diskette.

• changing BIOS conﬁguration to allow the Telecommuting Module to be booted from a diskette

For more information about the necessary conﬁguration, see chapter 3, Conﬁguring 3Com VCX IP Telecommuting Module.

Chapter 3. Conﬁguring 3Com VCX IP Telecommuting Module

You connect to your 3Com VCX IP Telecommuting Module by entering its name or IP address in the Location box of your web browser.

Logging on

Before you can conﬁgure the Telecommuting Module, you must enter your administrator username and password or RADIUS username and password. The admin user is predeﬁned with complete administration privileges.

Log on again

If you have a web connection for Telecommuting Module conﬁguration that is inactive for more than 10 minutes, you must enter the password again and click on one of the buttons Keep changes below and Abandon changes below.

On all pages where changes have been made, the two buttons Keep changes below and Abandon changes below will be shown when you log on again. Keep changes below connects you to the Telecommuting Module and stores the preliminary conﬁguration you have changed. Abandon changes below connects you to the Telecommuting Module and discards the changes you have made on this page.

On pages where nothing has been changed, the Log in again button is displayed. Enter the password and click on the button to re-connect to the Telecommuting Module.

The Telecommuting Module’s encryption key is changed every 24 hours. If you have a web connection for Telecommuting Module conﬁguration when this happens, you must enter the password again. This works in the same way as when your connection has been inactive for more than 10 minutes (see above).

Log out

When you have ﬁnished looking at or adding settings, you should log out from the Telecommuting Module. Below the menu there is a Log out button which will end your session.

Chapter 3. Conﬁguring 3Com VCX IP Telecommuting Module

Note: You will not be logged out automatically just by directing your web browser to a different web address. You should log out using the button to make the browser forget your username and password.

Navigation

There is a menu for quick navigation to all conﬁguration pages. On top of the page, you also see the name of the Telecommuting Module.

Site Map

The Site Map is the ﬁrst page displayed when you have logged on the Telecommuting Module. From this page, you can access Basic Conﬁguration, Administration, Network, Logging, SIP Services, SIP Trafﬁc, and Failover. You can also access a special page by the text links below each category name.

Chapter 3. Conﬁguring 3Com VCX IP Telecommuting Module

Basic Conﬁguration

Under Basic Conﬁguration, select Telecommuting Module Type and the name of the Telecommuting Module. You also enter IP addresses for gateway and DNS server. Here you also conﬁgure if the Telecommuting Module should interact with a RADIUS or an SNMP server.

Administration

Under Administration, you store or load a conﬁguration. You can also test your conﬁguration to see if it works the way you planned, upgrade or reboot your Telecommuting Module, set date and time, and conﬁgure administration users and passwords.

Network

Under Network, you enter the Telecommuting Module’s IP address, the routing for the different networks, and deﬁne groups of IP addresses which are used in various settings of the Telecommuting Module.

Logging

Under Logging, you specify the type of trafﬁc you want to log/alarm and how it should be logged. You can also view the logs and the trafﬁc load here.

SIP Services

Under SIP Services, you conﬁgure interoperability settings and Remote SIP Connectivity.

SIP Trafﬁc

Under SIP Trafﬁc, you conﬁgure the SIP trafﬁc through the Telecommuting Module. You can also view current pass-through registrations and SIP sessions.

Failover

Under Failover, you conﬁgure the failover team and its dedicated network. You can also view the status of the other team member.

Tools

Under Tools, you ﬁnd handy tools for troubleshooting. The Telecommuting Module features a packet capturer which produces pcap trace ﬁles.

Home

Under Home, you get basic information about the Telecommuting Module’s serial number, software version, installed licenses and patches, and links to more information.

Overview of conﬁguration

Start by installing the Telecommuting Module as described in chapter 2, Installing 3Com VCX IP Telecommuting Module.

Select the Telecommuting Module Type. The Telecommuting Module must have at least one IP address for each network card to work. A routing, or path, for

each network must also be set on the interface pages under Network. Go to the Networks and Computers page and enter the networks which are using the Telecommuting Module. For a DMZ Telecommuting Module, also state the Telecommuting Module’s Surroundings.

Then move on to SIP Services and turn the SIP module on. Use logging to analyze the trafﬁc that passes through the Telecommuting Module. Choose to log locally on the

Telecommuting Module, send logs to a syslog server or send them by email to an email address. Specify the type of

Chapter 3. Conﬁguring 3Com VCX IP Telecommuting Module

logging wanted under Logging. This is also where the logs of trafﬁc through the Telecommuting Module are viewed.

When the conﬁguration is complete, apply it. Go to Save/Load Conﬁguration under Administration. Select Apply conﬁguration. Now the new conﬁguration is tested. Save it permanently if it works satisfactorily. If the conﬁguration is not satisfactory, select Revert or restart the Telecommuting Module. The old conﬁguration will remain.

Preliminary and permanent conﬁguration

3Com VCX IP Telecommuting Module has two kinds of settings: preliminary and permanent conﬁguration. When the Telecommuting Module is running, the permanent conﬁguration controls the Telecommuting Module functions.

When you conﬁgure your Telecommuting Module, you are working with the preliminary conﬁguration. As you change the preliminary conﬁguration, the permanent conﬁguration continues to control the Telecommuting Module functions.

When you are done with the preliminary conﬁguration, you can test it by selecting Apply conﬁguration on the Save/Load Conﬁguration page. Now the preliminary conﬁguration controls the Telecommuting Module functions.

When you are satisﬁed with the preliminary conﬁguration, you can apply it permanently, which copies the preliminary conﬁguration to the permanent conﬁguration. Now the new conﬁguration controls the Telecommuting Module functions.

You can also copy the permanent conﬁguration to the preliminary conﬁguration. This does not affect the permanent conﬁguration or the Telecommuting Module functions, which are still being run by the permanent conﬁguration. You do this by selecting Abort all edits on the Save/Load Conﬁguration page under Administration. This will discard all changes made in the preliminary conﬁguration since last time you applied a conﬁguration by pressing Save conﬁguration.

Chapter 3. Conﬁguring 3Com VCX IP Telecommuting Module

You can save the preliminary conﬁguration to a ﬁle on your work station (the computer that is running your web browser). Select Save to local ﬁle on the Save/Load Conﬁguration page.

A saved conﬁguration can be loaded to the preliminary conﬁguration. Use Browse to search your local computer or enter path and ﬁle name in the box. When you have chosen the ﬁle you want to load, select Load from local ﬁle on the Save/Load Conﬁguration page.

You can save the preliminary conﬁguration to a diskette. Insert a formatted diskette in the Telecommuting Module’s ﬂoppy drive and press Save to diskette on the Save/Load Conﬁguration page.

You can load a saved conﬁguration to the preliminary conﬁguration. Insert a diskette containing the saved conﬁguration in the Telecommuting Module’s ﬂoppy drive and press Load from diskette on the Save/Load Conﬁguration page.

You can perform all of these functions on the Save/Load Conﬁguration page under Administration.

Conﬁguring IP addresses and masks in 3Com VCX IP

Chapter 3. Conﬁguring 3Com VCX IP Telecommuting Module

Telecommuting Module

IP address

IP addresses are written as four groups of numbers with dots between them. The numbers must be between 0 and 255 (inclusive); for example, 192.168.129.17.

Mask/Bits

The binary system uses the numbers 0 and 1 to represent numbers. A binary digit is called a bit. Eight bits in the binary system can represent numbers from 0 to 255.

The mask indicates how much of the IP address is used for the network address and the computers’ individual addresses, respecitvely. A mask consists of 8+8+8+8 = 32 bits. Below is a mask with 26 bits set to 1, which means that 26 bits of the IP address is locked to the network address and can’t be changed within the network.

Bits 11111111 11111111 11111111 11000000 No. 255 255 255 192

In the 3Com VCX IP Telecommuting Module, a mask is written either as the number of bits that are 1 or as four numbers (0-255) with dots between the numbers.

Sometimes it can be convenient to give a group of computers a network name, such as Administration, or specify that only a handful of computers can change the Telecommuting Module conﬁguration.

You can form a group of computers with a network name, if the computers have consecutive IP addresses. In order to do this, you must set the mask to indicate that the network group consists of those computers only. The lowest IP address for these computers tells the network number of the group.

This is easiest to explain with a simple example. You have 7 computers that will make up a group called Administration.

Take the nearest power of two above the number of computers you want to include: 2, 4, 8, 16, 32, 64, 128 or 256. Since you have 7 computers, 8 is the nearest. In this example, one IP address is free for future use.

Give the computers consecutive IP addresses. Make the ﬁrst IP address a multiple of the power of two number you selected, but under 255. In the above example, this means 0, 8, 16, 24, 32, 40, 48 and so on, up to 248. You might choose to start with 136 (17 x 8). This would give the computers the IP addresses 196.176.1.136, 196.176.1.137,

196.176.1.138, 196.176.1.139, 196.176.1.140, 196.176.1.141, 196.176.1.142 and 196.176.1.143. One of the IP addresses is free and can be used for an eighth computer in the future. You must enter the ﬁrst IP

address in the series, 196.176.1.136, in the Network/IP address ﬁeld. Now you must set the mask so that only the computers with these eight IP addresses are included in this network.

Take 256 and subtract the number of IP addresses in the named network. In the example, we would have 256-8 =

248. The complete mask is 255.255.255.248. Now you have created a group of computers (IP addresses) that you can give a single name, such as Administration.

Table of netmasks.

No. of computers Mask Bits

1 255.255.255.255 32 2 255.255.255.254 31 4 255.255.255.252 30 8 255.255.255.248 29 16 255.255.255.240 28 32 255.255.255.224 27 64 255.255.255.192 26 128 255.255.255.128 25 256 255.255.255.0 24

Chapter 3. Conﬁguring 3Com VCX IP Telecommuting Module

See appendix C, Lists of Reserved Ports, ICMP Types and Codes, and Internet Protocols, for more information on netmasks.

Name queries in 3Com VCX IP Telecommuting Module

A Telecommuting Module should be as independent of other computers as possible. At the same time, the person who changes the conﬁguration of the Telecommuting Module may want to use names for the computers instead of IP addresses. Also, the SIP module needs to look up names of SIP domains. This makes it necessary to use a DNS (name server) for SIP requests.

There are three instances when 3Com VCX IP Telecommuting Module uses a DNS server:

• When it receives a SIP request for a SIP domain.

The results of these DNS queries are stored for a short while in the Telecommuting Module.

• When you change names/IP addresses and save the page.

The results of these DNS queries are stored in the Telecommuting Module.

• When you click on Look up all IP addresses again.

The results of these DNS queries are stored in the Telecommuting Module.

3Com VCX IP Telecommuting Module is dependent of a working name server for the SIP functions. However, it doesn’t automatically look up IP addresses in the conﬁguration, which makes it necessary to click on Look up all IP addresses again every time a computer changes its IP address.

When you enter IP addresses in the Telecommuting Module, they are not updated automatically. If you change a name/IP address in a row, the row is updated when you click on Save, switch to another page of the Telecommuting Module user interface, or click on Look up all IP addresses again.

Part II. How To

In the How To part, you ﬁnd step-by-step descriptions for many common conﬁgurations for the Telecommuting Module. You also ﬁnd references to relevant chapters in Part III, Description of 3Com VCX IP Telecommuting Module settings.

Chapter 4. How To Conﬁgure SIP

3Com VCX IP Telecommuting Module provides a lot of SIP possibilities. In this chapter, the most common SIP setups are setup with step-by-step instructions for the conﬁguration.

DMZ Telecommuting Module, SIP server on the outside

The simplest SIP scenario is when the SIP server is managed by someone else, and the Telecommuting Module SIP function is only used to traverse NAT.

Note that the Telecommuting Module must have a public (non-NATed) IP address for the SIP signaling to work correctly.

Here are the settings needed for this. It is assumed that the Telecommuting Module already has a network conﬁguration. Only the additional SIP settings are listed.

Networks and Computers

The Telecommuting Module must know the network structure to be able to function properly. On the Networks and Computers page, you deﬁne all networks which the Telecommuting Module should serve and which are not

reached through the default gateway of the ﬁrewall. All computers that can reach each other without having to go through the ﬁrewall connected to the Telecommuting Module should be grouped in one network.

You can also deﬁne networks and parts of networks for other conﬁguration purposes.

Chapter 4. How To Conﬁgure SIP

Surroundings

To make the Telecommuting Module aware of the network structure, the networks deﬁned above should be listed on the Surroundings page.

One effect of this is that trafﬁc between two users on different networks, or between one of the listed networks and a network not listed here, is NAT:ed.

Another effect is that for connections between two users on the same network, or on networks where neither is listed in Surroundings, no ports for RTP sessions will be opened, since the Telecommuting Module assumes that they are both on the same side of the ﬁrewall.

Normally, at least one network should be listed here. If no networks are listed, the Telecommuting Module will not perform NAT for any trafﬁc.

Basic

Go to the Basic page under SIP Services and turn the SIP module on. Here you also select log classes for SIP event logging.

Interoperability

If Windows Messenger is used for SIP communication, you need to set a parameter on the Interoperability page. Set lr=true status to On under Loose routing.

Chapter 4. How To Conﬁgure SIP

Routing

On the Routing page, you can enter the SIP server managing your SIP domain. Enter the name or IP address of the SIP server under Outbound proxy.

If you enter the server name here, all SIP trafﬁc from the inside will be directed to this server, regardless of where it is bound to.

Basic Conﬁguration

If no other SIP routing information is entered, the Telecommuting Module must be able to look up SIP domains in DNS. DNS servers are entered on the Basic Conﬁguration page under Basic Conﬁguration.

Save/Load Conﬁguration

Finally, go to the Save/Load Conﬁguration page under Administration and apply the new settings by pressing Apply conﬁguration.

DMZ Telecommuting Module, SIP server inside

You might instead have a SIP server of your own, located on the inside or maybe on a DMZ. If the SIP server is located on a NATed network, DNS queries for the SIP domain should point to the

Telecommuting Module, which in turn will forward the SIP trafﬁc to the server. Note that the Telecommuting Module must have a public (non-NATed) IP address for the SIP signaling to work

correctly.

Chapter 4. How To Conﬁgure SIP

Here are the settings needed for this. It is assumed that the Telecommuting Module already has a network conﬁguration. Only the additional SIP settings are listed.