AudioCodes Mediant 500 E-SBC User Manual

User's Manual
Mediant™ 500 E-SBC
Enterprise Session Border Controller
Digital VoIP Media Gateway
Version 6.8
Document # LTRT-10427
User's Manual Contents

Table of Contents

1 Overview ............................................................................................................ 21
Getting Started with Initial Connectivity ................................................................23
2 Introduction ....................................................................................................... 25
3 Default OAMP IP Address ................................................................................. 27
4 Configuring VoIP LAN Interface for OAMP ..................................................... 29
4.1 Web Interface ......................................................................................................... 29
4.2 CLI .......................................................................................................................... 31
Management Tools ..................................................................................................33
5 Introduction ....................................................................................................... 35
6 Web-Based Management .................................................................................. 37
6.1 Getting Acquainted with the Web Interface ............................................................ 37
6.1.1 Computer Requirements .......................................................................................... 37
6.1.2 Accessing the Web Interface ................................................................................... 38
6.1.3 Areas of the GUI ...................................................................................................... 39
6.1.4 Toolbar Description .................................................................................................. 40
6.1.5 Navigation Tree ....................................................................................................... 41
6.1.5.1 Displaying Navigation Tree in Basic and Full View ..................................41
6.1.5.2 Showing / Hiding the Navigation Pane .....................................................42
6.1.6 Working with Configuration Pages .......................................................................... 43
6.1.6.1 Accessing Pages ......................................................................................43
6.1.6.2 Viewing Parameters .................................................................................43
6.1.6.3 Modifying and Saving Parameters ...........................................................45
6.1.6.4 Working with Tables .................................................................................46
6.1.7 Searching for Configuration Parameters ................................................................. 47
6.1.8 Creating a Login Welcome Message ....................................................................... 49
6.1.9 Getting Help ............................................................................................................. 50
6.1.10 Logging Off the Web Interface ................................................................................. 51
6.2 Viewing the Home Page ......................................................................................... 51
6.2.1 Assigning a Port Name ............................................................................................ 53
6.3 Configuring Web User Accounts ............................................................................ 54
6.3.1 Basic User Accounts Configuration ......................................................................... 55
6.3.2 Advanced User Accounts Configuration .................................................................. 57
6.4 Displaying Login Information upon Login ............................................................... 60
6.5 Configuring Web Security Settings ........................................................................ 61
6.6 Web Login Authentication using Smart Cards ....................................................... 61
6.7 Configuring Web and Telnet Access List ............................................................... 62
7 CLI-Based Management .................................................................................... 65
7.1 Getting Familiar with CLI ........................................................................................ 65
7.1.1 Understanding Configuration Modes ....................................................................... 65
7.1.2 Using CLI Shortcuts ................................................................................................. 66
7.1.3 Common CLI Commands ........................................................................................ 67
7.1.4 Configuring Tables in CLI ........................................................................................ 68
7.1.5 Understanding CLI Error Messages ........................................................................ 69
7.2 Enabling CLI ........................................................................................................... 69
7.2.1 Enabling Telnet for CLI ............................................................................................ 69
7.2.2 Enabling SSH with RSA Public Key for CLI ............................................................. 70
7.3 Establishing a CLI Session .................................................................................... 72
7.4 Configuring Maximum Telnet/SSH Sessions ......................................................... 73
7.5 Viewing and Terminating Current CLI Sessions .................................................... 73
7.6 Configuring Displayed Output Lines in CLI Terminal Window ............................... 74
8 SNMP-Based Management ............................................................................... 75
8.1 Enabling SNMP and Configuring SNMP Community Strings ................................. 75
8.2 Configuring SNMP Trap Destinations .................................................................... 76
8.3 Configuring SNMP Trusted Managers ................................................................... 78
8.4 Configuring SNMP V3 Users .................................................................................. 79
9 INI File-Based Management .............................................................................. 81
9.1 INI File Format ....................................................................................................... 81
9.1.1 Configuring Individual ini File Parameters ............................................................... 81
9.1.2 Configuring Table ini File Parameters ..................................................................... 81
9.1.3 General ini File Formatting Rules ............................................................................ 83
9.2 Configuring an ini File ............................................................................................ 83
9.3 Loading an ini File to the Device ............................................................................ 84
9.4 Secured Encoded ini File ....................................................................................... 84
9.5 Configuring Password Display in ini File ................................................................ 85
9.6 INI Viewer and Editor Utility ................................................................................... 86
General System Settings ........................................................................................87
10 Configuring Certificates ................................................................................... 89
10.1.1 Configuring TLS Certificate Contexts ...................................................................... 89
10.1.2 Assigning CSR-based Certificates to TLS Contexts ............................................... 93
10.1.3 Assigning Externally Created Private Keys to TLS Contexts .................................. 94
10.1.4 Generating Private Keys for TLS Contexts.............................................................. 95
10.1.5 Creating Self-Signed Certificates for TLS Contexts ................................................ 96
10.1.6 Importing Certificates and Certificate Chain into Trusted Certificate Store ............. 97
10.1.7 Configuring Mutual TLS Authentication ................................................................... 98
10.1.7.1 TLS for SIP Clients ...................................................................................98
10.1.7.2 TLS for Remote Device Management ......................................................99
10.1.8 Configuring TLS Server Certificate Expiry Check .................................................100
11 Date and Time .................................................................................................. 101
11.1 Configuring Date and Time Manually ................................................................... 101
11.2 Configuring Automatic Date and Time using SNTP ............................................. 101
11.3 Configuring Daylight Saving Time ........................................................................ 103
General VoIP Configuration ..................................................................................105
12 Network ............................................................................................................ 107
12.1 Configuring Physical Ethernet Ports .................................................................... 107
12.2 Configuring Ethernet Port Groups ........................................................................ 109
12.3 Configuring Underlying Ethernet Devices ............................................................ 111
12.4 Configuring IP Network Interfaces ....................................................................... 113
12.4.1 Assigning NTP Services to Application Types ......................................................116
12.4.2 Multiple Interface Table Configuration Summary and Guidelines .........................116
12.4.3 Networking Configuration Examples .....................................................................117
12.4.3.1 One VoIP Interface for All Applications ................................................. 117
12.4.3.2 VoIP Interface per Application Type ...................................................... 118
12.4.3.3 VoIP Interfaces for Combined Application Types ................................. 118
12.4.3.4 VoIP Interfaces with Multiple Default Gateways ................................... 120
12.5 Configuring Static IP Routes ................................................................................ 120
12.5.1 Configuration Example of Static IP Routes ...........................................................122
12.5.2 Troubleshooting the Routing Table .......................................................................123
12.6 Configuring Quality of Service .............................................................................. 124
12.7 Configuring ICMP Messages ............................................................................... 126
12.8 DNS ...................................................................................................................... 126
12.8.1 Configuring the Internal DNS Table .......................................................................126
12.8.2 Configuring the Internal SRV Table .......................................................................128
12.9 Configuring NFS Settings ..................................................................................... 130
12.10 Network Address Translation Support ................................................................. 132
12.10.1 Device Located behind NAT ..................................................................................132
12.10.1.1 Configuring a Static NAT IP Address for All Interfaces ......................... 133
12.10.1.2 Configuring NAT Translation per IP Interface ....................................... 134
12.10.2 Remote UA behind NAT ........................................................................................135
12.10.2.1 SIP Signaling Messages ....................................................................... 135
12.10.2.2 Media (RTP/RTCP/T.38) ....................................................................... 136
12.11 Robust Receipt of Media Streams by Media Latching ......................................... 138
12.12 Multiple Routers Support ...................................................................................... 140
13 Security ............................................................................................................ 141
13.1 Configuring Firewall Settings ............................................................................... 141
13.2 Configuring General Security Settings ................................................................. 145
13.3 Intrusion Detection System .................................................................................. 146
13.3.1 Enabling IDS ..........................................................................................................147
13.3.2 Configuring IDS Policies ........................................................................................147
13.3.3 Assigning IDS Policies ...........................................................................................151
13.3.4 Viewing IDS Alarms ...............................................................................................152
14 Media ................................................................................................................ 155
14.1 Configuring Voice Settings ................................................................................... 155
14.1.1 Configuring Voice Gain (Volume) Control .............................................................155
14.1.2 Silence Suppression (Compression) .....................................................................155
14.1.3 Echo Cancellation ..................................................................................................156
14.2 Fax and Modem Capabilities ................................................................................ 157
14.2.1 Fax/Modem Operating Modes ...............................................................................159
14.2.2 Fax/Modem Transport Modes ...............................................................................159
14.2.2.1 T.38 Fax Relay Mode ............................................................................ 159
14.2.2.2 G.711 Fax / Modem Transport Mode .................................................... 162
14.2.2.3 Fax Fallback .......................................................................................... 162
14.2.2.4 Fax/Modem Bypass Mode .................................................................... 163
14.2.2.5 Fax / Modem NSE Mode ....................................................................... 164
14.2.2.6 Fax / Modem Transparent with Events Mode ....................................... 165
14.2.2.7 Fax / Modem Transparent Mode ........................................................... 165
14.2.2.8 RFC 2833 ANS Report upon Fax/Modem Detection ............................ 166
14.2.3 V.34 Fax Support ...................................................................................................166
14.2.3.1 Bypass Mechanism for V.34 Fax Transmission .................................... 167
14.2.3.2 Relay Mode for T.30 and V.34 Faxes ................................................... 168
14.2.3.3 V.34 Fax Relay for SG3 Fax Machines ................................................. 168
14.2.4 V.150.1 Modem Relay ...........................................................................................169
14.2.5 Simultaneous Negotiation of Fax (T.38) and Modem (V.150.1) Relay ..................170
14.2.6 V.152 Support ........................................................................................................171
14.2.7 Fax Transmission behind NAT ..............................................................................171
14.3 Configuring RTP/RTCP Settings .......................................................................... 172
14.3.1 Configuring the Dynamic Jitter Buffer ....................................................................172
14.3.2 Comfort Noise Generation .....................................................................................173
14.3.3 Dual-Tone Multi-Frequency Signaling ...................................................................174
14.3.3.1 Configuring DTMF Transport Types ...................................................... 174
14.3.3.2 Configuring RFC 2833 Payload ............................................................ 175
14.3.4 Configuring RTP Base UDP Port ...........................................................................176
14.4 Configuring IP Media Settings .............................................................................. 177
14.4.1 Automatic Gain Control (AGC) ..............................................................................177
14.5 Configuring Various Codec Attributes .................................................................. 178
14.6 Configuring Media (SRTP) Security ..................................................................... 178
15 Services ........................................................................................................... 181
15.1 DHCP Server Functionality .................................................................................. 181
15.1.1 Configuring the DHCP Server ...............................................................................181
15.1.2 Configuring the Vendor Class Identifier .................................................................185
15.1.3 Configuring Additional DHCP Options ...................................................................186
15.1.4 Configuring Static IP Addresses for DHCP Clients ...............................................188
15.1.5 Viewing and Deleting DHCP Clients ......................................................................189
15.2 SIP-based Media Recording ................................................................................ 191
15.2.1 Enabling SIP-based Media Recording ...................................................................194
15.2.2 Configuring SIP Recording Routing Rules ............................................................194
15.2.3 Configuring SIP User Part for SRS ........................................................................196
15.2.4 Interworking SIP-based Media Recording with Third-Party Vendors ....................196
15.2.4.1 Genesys ................................................................................................ 196
15.2.4.2 Avaya UCID ........................................................................................... 196
15.3 RADIUS Authentication ........................................................................................ 197
15.3.1 Setting Up a Third-Party RADIUS Server ..............................................................198
15.3.2 Configuring RADIUS Authentication ......................................................................199
15.3.3 Securing RADIUS Communication ........................................................................200
15.3.4 Authenticating RADIUS in the URL .......................................................................200
15.4 LDAP-based Management and SIP Services ...................................................... 201
15.4.1 Enabling the LDAP Service ...................................................................................202
15.4.2 Enabling LDAP-based Web/CLI User Login Authentication and Authorization.....202
15.4.3 Configuring LDAP Servers.....................................................................................203
15.4.4 Configuring LDAP DNs (Base Paths) per LDAP Server ........................................206
15.4.5 Configuring the LDAP Search Filter Attribute ........................................................207
15.4.6 Configuring Access Level per Management Groups Attributes ............................208
15.4.7 Configuring LDAP Search Methods .......................................................................210
15.4.8 Configuring the Device's LDAP Cache ..................................................................210
15.4.9 Configuring Local Database for Management User Authentication ......................212
15.4.10 LDAP-based Login Authentication Example ..........................................................214
15.4.11 Active Directory-based Routing for Microsoft Lync ...............................................218
15.4.11.1 Querying the AD and Routing Priority ................................................... 218
15.4.11.2 Configuring AD-Based Routing Rules ................................................... 221
15.4.11.3 Querying the AD for Calling Name ........................................................ 223
15.5 Least Cost Routing ............................................................................................... 224
15.5.1 Overview ................................................................................................................224
15.5.2 Configuring LCR ....................................................................................................226
15.5.2.1 Enabling the LCR Feature ..................................................................... 226
15.5.2.2 Configuring Cost Groups ....................................................................... 228
15.5.2.3 Configuring Time Bands for Cost Groups ............................................. 229
15.5.2.4 Assigning Cost Groups to Routing Rules .............................................. 230
15.6 Configuring Call Setup Rules ............................................................................... 231
15.6.1 Call Setup Rule Examples .....................................................................................235
16 Quality of Experience ...................................................................................... 237
16.1 Reporting Voice Quality of Experience to SEM .................................................... 237
16.1.1 Configuring the SEM Server ..................................................................................237
16.1.2 Configuring Clock Synchronization between Device and SEM .............................238
16.1.3 Enabling RTCP XR Reporting to SEM ..................................................................238
16.2 Configuring Quality of Experience Profiles ........................................................... 238
16.3 Configuring Bandwidth Profiles ............................................................................ 242
16.4 Configuring Media Enhancement Profiles ............................................................ 244
17 Control Network .............................................................................................. 249
17.1 Configuring Media Realms ................................................................................... 249
17.2 Configuring Remote Media Subnets .................................................................... 251
17.3 Configuring SRDs ................................................................................................ 254
17.4 Configuring SIP Interfaces ................................................................................... 256
17.5 Configuring IP Groups .......................................................................................... 260
17.6 Configuring Proxy Sets ........................................................................................ 270
18 SIP Definitions ................................................................................................. 277
18.1 Configuring SIP Parameters ................................................................................ 277
18.2 Configuring Registration Accounts ....................................................................... 277
18.2.1 Regular Registration Mode ....................................................................................280
18.2.2 Single Registration for Multiple Phone Numbers using GIN ..................................280
18.3 Configuring Proxy and Registration Parameters .................................................. 281
18.3.1 SIP Message Authentication Example ..................................................................282
18.4 Configuring SIP Message Manipulation ............................................................... 284
18.5 Configuring SIP Message Policy Rules ................................................................ 289
19 Coders and Profiles ........................................................................................ 293
19.1 Configuring Default Coders .................................................................................. 293
19.2 Configuring Coder Groups ................................................................................... 296
19.3 Configuring Tel Profile .......................................................................................... 297
19.4 Configuring IP Profiles ......................................................................................... 300
Gateway Application .............................................................................................325
20 Introduction ..................................................................................................... 327
21 Digital PSTN ..................................................................................................... 329
21.1 Configuring Trunk Settings ................................................................................... 329
21.2 TDM and Timing ................................................................................................... 331
21.2.1 Configuring TDM Bus Settings ..............................................................................331
21.2.2 Clock Settings ........................................................................................................332
21.2.2.1 Recovering Clock from PSTN Line Interface ........................................ 332
21.2.2.2 Configuring Internal Clock as Clock Source ......................................... 333
21.3 Configuring CAS State Machines ......................................................................... 333
21.4 Configuring Digital Gateway Parameters ............................................................. 336
21.5 Tunneling Applications ......................................................................................... 337
21.5.1 TDM Tunneling ......................................................................................................337
21.5.1.1 DSP Pattern Detector ............................................................................ 340
21.5.2 QSIG Tunneling .....................................................................................................340
21.6 ISDN Non-Facility Associated Signaling (NFAS) ................................................. 341
21.6.1 NFAS Interface ID ..................................................................................................342
21.6.2 Working with DMS-100 Switches ..........................................................................342
21.6.3 Creating an NFAS-Related Trunk Configuration ...................................................343
21.6.4 Performing Manual D-Channel Switchover in NFAS Group ..................................344
21.7 ISDN Overlap Dialing ........................................................................................... 344
21.7.1 Collecting ISDN Digits and Sending Complete Number in SIP .............................344
21.7.2 Interworking ISDN Overlap Dialing with SIP According to RFC 3578 ...................345
21.8 Redirect Number and Calling Name (Display) ..................................................... 346
22 Trunk Group .................................................................................................... 347
22.1 Configuring Trunk Group Table ............................................................................ 347
22.2 Configuring Trunk Group Settings ........................................................................ 349
23 Manipulation .................................................................................................... 355
23.1 Configuring General Settings ............................................................................... 355
23.2 Configuring Source/Destination Number Manipulation Rules .............................. 355
23.3 Manipulating Number Prefix ................................................................................. 361
23.4 SIP Calling Name Manipulations .......................................................................... 362
23.5 Configuring Redirect Number IP to Tel ................................................................ 365
23.6 Manipulating Redirected and Diverted Numbers for Call Diversion ..................... 369
23.7 Mapping NPI/TON to SIP Phone-Context ............................................................ 370
23.8 Configuring Release Cause Mapping .................................................................. 371
23.8.1 Fixed Mapping of SIP Response to ISDN Release Reason ..................................373
23.8.2 Fixed Mapping of ISDN Release Reason to SIP Response ..................................374
23.8.3 Reason Header ......................................................................................................377
23.9 Numbering Plans and Type of Number ................................................................ 378
24 Routing ............................................................................................................. 379
24.1 Configuring General Routing Parameters ............................................................ 379
24.2 Configuring Outbound IP Routing Table .............................................................. 379
24.3 Configuring Inbound IP Routing Table ................................................................. 388
24.4 IP Destinations Connectivity Feature ................................................................... 392
24.5 Alternative Routing for Tel-to-IP Calls .................................................................. 394
24.5.1 Alternative Routing Based on IP Connectivity .......................................................394
24.5.2 Alternative Routing Based on SIP Responses ......................................................395
24.5.3 Alternative Routing upon SIP 3xx with Multiple Contacts ......................................397
24.5.4 PSTN Fallback .......................................................................................................398
24.6 Alternative Routing for IP-to-Tel Calls .................................................................. 399
24.6.1 Alternative Routing to Trunk upon Q.931 Call Release Cause Code ...................399
24.6.2 Alternative Routing to an IP Destination upon a Busy Trunk ................................400
24.6.3 Alternative Routing upon ISDN Disconnect ...........................................................402
25 Configuring DTMF and Dialing ....................................................................... 403
25.1 Dialing Plan Features ........................................................................................... 403
25.1.1 Digit Mapping .........................................................................................................403
25.1.2 External Dial Plan File ...........................................................................................405
26 Configuring Supplementary Services ........................................................... 407
26.1 Call Hold and Retrieve ......................................................................................... 408
26.2 Call Transfer ......................................................................................................... 408
26.2.1 Consultation Call Transfer .....................................................................................408
26.2.2 Consultation Transfer for QSIG Path Replacement ..............................................409
26.2.3 Blind Call Transfer .................................................................................................409
26.3 Call Forward ......................................................................................................... 410
26.4 Message Waiting Indication ................................................................................. 410
26.5 Emergency E911 Phone Number Services .......................................................... 411
26.5.1 Pre-empting Existing Calls for E911 IP-to-Tel Calls ..............................................412
26.5.2 Enhanced 9-1-1 Support for Lync Server 2010 .....................................................412
26.5.2.1 About E9-1-1 Services .......................................................................... 413
26.5.2.2 Microsoft Lync Server 2010 and E9-1-1 ................................................ 414
26.5.2.3 AudioCodes ELIN Gateway for Lync Server 2010 E9-1-1 Calls to PSTN 417
26.5.2.4 Configuring AudioCodes ELIN Gateway ............................................... 422
26.6 Multilevel Precedence and Preemption ................................................................ 424
26.6.1 MLPP Preemption Events in SIP Reason Header ................................................427
26.6.2 Precedence Ring Tone ..........................................................................................428
26.7 Detecting Collect Calls ......................................................................................... 429
26.8 Advice of Charge Services for Euro ISDN ........................................................... 429
26.9 Configuring Charge Codes ................................................................................... 430
26.10 Configuring Voice Mail ......................................................................................... 432
Session Border Controller Application................................................................433
27 SBC Overview .................................................................................................. 435
27.1 SIP Network Definitions ....................................................................................... 436
27.2 SIP Dialog Initiation Process ................................................................................ 436
27.3 User Registration ................................................................................................. 438
27.3.1 Initial Registration Request Processing .................................................................439
27.3.2 SBC Users Registration Database ........................................................................439
27.3.3 Routing using Users Registration Database..........................................................440
27.3.4 Registration Refreshes ..........................................................................................440
27.3.5 Registration Restriction Control .............................................................................441
27.4 SBC Media Handling ............................................................................................ 441
27.4.1 Media Anchoring without Transcoding (Transparent) ...........................................442
27.4.2 No Media Anchoring ..............................................................................................443
27.4.3 Restricting Coders .................................................................................................445
27.4.4 Prioritizing Coder List in SDP Offer .......................................................................446
27.4.5 SRTP-RTP and SRTP-SRTP Transcoding ...........................................................446
27.4.6 Multiple RTP Media Streams per Call Session .....................................................447
27.5 Limiting SBC Call Duration ................................................................................... 447
27.6 SBC Authentication .............................................................................................. 447
27.6.1 SIP Authentication Server Functionality ................................................................447
27.6.2 User Authentication based on RADIUS .................................................................448
27.7 Interworking SIP Signaling ................................................................................... 448
27.7.1 Interworking SIP 3xx Redirect Responses ............................................................449
27.7.1.1 Resultant INVITE Traversing Device .................................................... 449
27.7.1.2 Local Handling of SIP 3xx ..................................................................... 450
27.7.2 Interworking SIP Diversion and History-Info Headers ...........................................451
27.7.3 Interworking SIP REFER Messages ......................................................................451
27.7.4 Interworking SIP PRACK Messages .....................................................................452
27.7.5 Interworking SIP Session Timer ............................................................................452
27.7.6 Interworking SIP Early Media ................................................................................453
27.7.7 Interworking SIP re-INVITE Messages ..................................................................455
27.7.8 Interworking SIP UPDATE Messages ...................................................................455
27.7.9 Interworking SIP re-INVITE to UPDATE ................................................................455
27.7.10 Interworking Call Hold ............................................................................................455
27.8 Call Survivability ................................................................................................... 456
27.8.1 Auto-Provisioning of Subscriber-Specific Information for BroadWorks Server for Survivability .........................................................................................................................456
27.8.2 BroadSoft's Shared Phone Line Call Appearance for SBC Survivability...............456
27.8.3 Call Survivability for Call Centers ..........................................................................458
27.8.4 Survivability Mode Display on Aastra IP Phones ..................................................460
27.9 Call Forking .......................................................................................................... 461
27.9.1 Initiating SIP Call Forking ......................................................................................461
27.9.2 SIP Forking Initiated by SIP Proxy Server .............................................................461
27.9.3 Call Forking-based IP-to-IP Routing Rules ............................................................462
27.10 Alternative Routing on Detection of Failed SIP Response ................................... 462
28 SBC Configuration .......................................................................................... 463
28.1 Configuring General Settings ............................................................................... 463
28.1.1 Interworking Dialog Information in SIP NOTIFY Messages ..................................463
28.2 Configuring Admission Control ............................................................................. 465
28.3 Configuring Allowed Audio Coder Groups ........................................................... 468
28.4 Configuring Allowed Video Coder Groups ........................................................... 470
28.5 Routing SBC ........................................................................................................ 470
28.5.1 Configuring Classification Rules ............................................................................470
28.5.1.1 Classification Based on URI of Selected Header Example ................... 475
28.5.2 Configuring Message Condition Rules ..................................................................476
28.5.3 Configuring SBC IP-to-IP Routing .........................................................................477
28.5.4 Configuring SIP Response Codes for Alternative Routing Reasons .....................486
28.6 SBC Manipulations ............................................................................................... 487
28.6.1 Configuring IP-to-IP Inbound Manipulations ..........................................................490
28.6.2 Configuring IP-to-IP Outbound Manipulations .......................................................493
Cloud Resilience Package ....................................................................................499
29 CRP Overview .................................................................................................. 501
30 CRP Configuration .......................................................................................... 503
30.1 Enabling the CRP Application .............................................................................. 503
30.2 Configuring Call Survivability Mode ..................................................................... 504
30.3 Pre-Configured IP Groups .................................................................................... 505
30.4 Pre-Configured IP-to-IP Routing Rules ................................................................ 506
30.4.1 Normal Mode .........................................................................................................506
30.4.2 Emergency Mode ...................................................................................................507
30.4.3 Auto Answer to Registrations ................................................................................507
30.5 Configuring PSTN Fallback .................................................................................. 508
High-Availability System .......................................................................................509
31 HA Overview .................................................................................................... 511
31.1 Connectivity and Synchronization between Devices ............................................ 511
31.2 Device Switchover upon Failure ........................................................................... 512
31.3 HA Status on the Home Page .............................................................................. 513
32 HA Configuration............................................................................................. 515
32.1 Initial HA Configuration ........................................................................................ 515
32.1.1 Network Topology Types and Rx/Tx Ethernet Port Group Settings ......................515
32.1.2 Configuring the HA Devices ..................................................................................516
32.1.2.1 Step 1: Configure the First Device ........................................................ 517
32.1.2.2 Step 2: Configure the Second Device ................................................... 519
32.1.2.3 Step 3: Initialize HA on the Devices ...................................................... 520
32.2 Configuration while HA is Operational ................................................................. 520
32.3 Configuring Firewall Allowed Rules ...................................................................... 521
33 HA Maintenance .............................................................................................. 523
33.1 Maintenance of Redundant Device ...................................................................... 523
33.2 Replacing a Failed Device ................................................................................... 523
33.3 Forcing a Switchover ............................................................................................ 523
33.4 Software Upgrade ................................................................................................ 523
Maintenance ...........................................................................................................525
34 Basic Maintenance .......................................................................................... 527
34.1 Resetting the Device ............................................................................................ 527
34.2 Remotely Resetting Device using SIP NOTIFY ................................................... 528
34.3 Locking and Unlocking the Device ....................................................................... 529
34.4 Saving Configuration ............................................................................................ 530
35 High Availability Maintenance ........................................................................ 531
36 Disconnecting Active Calls ............................................................................ 533
37 Resetting Channels ......................................................................................... 535
37.1 Restarting a B-Channel ........................................................................................ 535
38 Software Upgrade ............................................................................................ 537
38.1 Loading Auxiliary Files ......................................................................................... 537
38.1.1 Call Progress Tones File .......................................................................................539
38.1.2 Prerecorded Tones File .........................................................................................541
38.1.3 CAS Files ...............................................................................................................542
38.1.4 Dial Plan File ..........................................................................................................542
38.1.4.1 Creating a Dial Plan File........................................................................ 542
38.1.4.2 External Dial Plan File ........................................................................... 543
38.1.4.3 Dial Plan Prefix Tags for Routing .......................................................... 545
38.1.4.4 Obtaining IP Destination from Dial Plan File ......................................... 549
38.1.4.5 Modifying ISDN-to-IP Calling Party Number ......................................... 550
38.1.5 User Information File .............................................................................................551
38.1.5.1 Enabling the User Info Table ................................................................. 551
38.1.5.2 Gateway User Information for PBX Extensions and "Global" Numbers 551
38.1.5.3 User Information File for SBC User Database ...................................... 555
38.2 Software License Key .......................................................................................... 559
38.2.1 Obtaining the Software License Key File ...............................................................559
38.2.2 Installing the Software License Key .......................................................................560
38.2.2.1 Installing Software License Key using Web Interface ........................... 560
38.2.2.2 Installing Software License Key using CLI ............................................ 561
38.3 Software Upgrade Wizard .................................................................................... 562
38.4 Backing Up and Loading Configuration File ......................................................... 567
39 Automatic Update Mechanism ....................................................................... 569
39.1 Automatic Configuration Methods ........................................................................ 569
39.1.1 DHCP-based Provisioning .....................................................................................569
39.1.2 Provisioning from HTTP Server using DHCP Option 67 .......................................570
39.1.3 Provisioning from TFTP Server using DHCP Option 66 ........................................571
39.1.4 HTTP-based Provisioning ......................................................................................571
39.1.5 FTP- or NFS-based Provisioning ...........................................................................572
39.1.6 Provisioning using AudioCodes EMS ....................................................................572
39.2 HTTP/S-Based Provisioning using the Automatic Update Feature ...................... 573
39.2.1 Files Provisioned by Automatic Update .................................................................573
39.2.2 File Location for Automatic Update .......................................................................573
39.2.3 Triggers for Automatic Update ...............................................................................574
39.2.4 Access Authentication with HTTP Server ..............................................................575
39.2.5 Querying Provisioning Server for Updated Files ...................................................575
39.2.6 File Download Sequence .......................................................................................577
39.2.7 Cyclic Redundancy Check on Downloaded Configuration Files ...........................578
39.2.8 MAC Address Automatically Inserted in Configuration File Name ........................578
39.2.9 Automatic Update Configuration Examples ...........................................................579
39.2.9.1 Automatic Update for Single Device ..................................................... 579
39.2.9.2 Automatic Update from NFS, FTP and HTTP Servers ......................... 580
39.2.9.3 Automatic Update for Mass Deployment ............................................... 581
40 Restoring Factory Defaults ............................................................................ 583
40.1 Restoring Defaults using CLI ............................................................................... 583
40.2 Restoring Defaults using Hardware Reset Button ................................................ 584
40.3 Restoring Defaults using an ini File ...................................................................... 584
41 Automatic Archiving of Configuration File ................................................... 585
42 USB Storage Capabilities ............................................................................... 587
Status, Performance Monitoring and Reporting .................................................589
43 System Status ................................................................................................. 591
43.1 Viewing Device Information .................................................................................. 591
43.2 Viewing Ethernet Port Information ....................................................................... 592
44 Carrier-Grade Alarms ...................................................................................... 593
44.1 Viewing Active Alarms .......................................................................................... 593
44.2 Viewing Alarm History .......................................................................................... 594
45 Performance Monitoring ................................................................................. 595
45.1 Viewing MOS per Media Realm ........................................................................... 595
45.2 Viewing Trunk Utilization ...................................................................................... 596
45.3 Viewing Quality of Experience ............................................................................. 597
45.4 Viewing Average Call Duration ............................................................................ 599
46 VoIP Status ...................................................................................................... 601
46.1 Viewing Trunks & Channels Status ...................................................................... 601
46.2 Viewing NFAS Groups and D-Channel Status ..................................................... 602
46.3 Viewing Active IP Interfaces ................................................................................. 603
46.4 Viewing Ethernet Device Status ........................................................................... 604
46.5 Viewing Static Routes Status ............................................................................... 604
46.6 Viewing Performance Statistics ............................................................................ 605
46.7 Viewing Call Counters .......................................................................................... 605
46.8 Viewing Registered SAS/SBC Users ................................................................... 607
46.9 Viewing Registration Status ................................................................................. 608
46.10 Viewing Call Routing Status ................................................................................. 608
46.11 Viewing IP Connectivity ........................................................................................ 610
47 Reporting Information to External Party ....................................................... 613
47.1 Configuring RTCP XR .......................................................................................... 613
47.2 Generating Call Detail Records ............................................................................ 616
47.2.1 Configuring CDR Reporting ...................................................................................616
47.2.2 CDR Field Description ...........................................................................................617
47.2.2.1 CDR Fields for SBC Signaling .............................................................. 617
47.2.2.2 CDR Fields for SBC Media ................................................................... 620
47.2.2.3 CDR Fields for Gateway/IP-to-IP Application ....................................... 621
47.2.2.4 Release Reasons in CDR ..................................................................... 625
47.3 Configuring RADIUS Accounting ......................................................................... 627
47.4 Event Notification using X-Detect Header ............................................................ 631
47.5 Querying Device Channel Resources using SIP OPTIONS ................................ 634
Diagnostics ............................................................................................................635
48 Syslog and Debug Recordings ...................................................................... 637
48.1 Syslog Message Format ...................................................................................... 637
48.1.1 Event Representation in Syslog Messages ...........................................................638
48.1.2 Identifying AudioCodes Syslog Messages using Facility Levels ...........................640
48.1.3 SNMP Alarms in Syslog Messages .......................................................................641
48.2 Enabling Syslog ................................................................................................... 642
48.3 Configuring Web Operations to Report to Syslog ................................................ 643
48.4 Configuring Debug Recording .............................................................................. 643
48.5 Filtering Syslog Messages and Debug Recordings ............................................. 644
48.5.1 Filtering IP Network Traces ...................................................................................646
48.6 Viewing Syslog Messages ................................................................................... 647
48.7 Collecting Debug Recording Messages ............................................................... 649
48.8 Debug Capturing on Physical VoIP Interfaces ..................................................... 651
49 Self-Testing ...................................................................................................... 653
50 Creating Core Dump and Debug Files upon Device Crash ......................... 655
51 Testing SIP Signaling Calls ............................................................................ 657
51.1 Configuring Test Call Endpoints ........................................................................... 657
51.2 Starting and Stopping Test Calls .......................................................................... 661
51.3 Viewing Test Call Statistics .................................................................................. 662
51.4 Configuring DTMF Tones for Test Calls ............................................................... 663
51.5 Configuring Basic Test Call .................................................................................. 664
51.6 Configuring SBC Test Call with External Proxy ................................................... 665
51.7 Test Call Configuration Examples ........................................................................ 666
Appendix ................................................................................................................669
52 Dialing Plan Notation for Routing and Manipulation .................................... 671
53 Configuration Parameters Reference ............................................................ 673
53.1 Management Parameters ..................................................................................... 673
53.1.1 General Parameters ..............................................................................................673
53.1.2 Web Parameters ....................................................................................................674
53.1.3 Telnet Parameters .................................................................................................677
53.1.4 ini File Parameters .................................................................................................677
53.1.5 SNMP Parameters .................................................................................................678
53.1.6 Serial Parameters ..................................................................................................681
53.1.7 Auxiliary and Configuration File Name Parameters ..............................................682
53.1.8 Automatic Update Parameters ..............................................................................683
53.2 Networking Parameters ........................................................................................ 686
53.2.1 Ethernet Parameters ..............................................................................................686
53.2.2 Multiple VoIP Network Interfaces and VLAN Parameters .....................................687
53.2.3 Routing Parameters ...............................................................................................687
53.2.4 Quality of Service Parameters ...............................................................................688
53.2.5 NAT Parameters ....................................................................................................689
53.2.6 NFS Parameters ....................................................................................................690
53.2.7 DNS Parameters ....................................................................................................691
53.2.8 DHCP Parameters .................................................................................................691
53.2.9 NTP and Daylight Saving Time Parameters ..........................................................693
53.3 Debugging and Diagnostics Parameters .............................................................. 695
53.3.1 General Parameters ..............................................................................................695
53.3.2 SIP Test Call Parameters ......................................................................................696
53.3.3 Syslog, CDR and Debug Parameters ....................................................................697
53.3.4 Resource Allocation Indication Parameters...........................................................702
53.3.5 HA Ping Parameters ..............................................................................................703
53.4 Security Parameters ............................................................................................. 703
53.4.1 General Security Parameters ................................................................................703
53.4.2 HTTPS Parameters ...............................................................................................705
53.4.3 SRTP Parameters ..................................................................................................707
53.4.4 TLS Parameters .....................................................................................................709
53.4.5 SSH Parameters ....................................................................................................711
53.4.6 IDS Parameters .....................................................................................................712
53.5 Quality of Experience Parameters ....................................................................... 713
53.6 Control Network Parameters ................................................................................ 716
53.6.1 IP Group, Proxy, Registration and Authentication Parameters .............................716
53.6.2 Network Application Parameters ...........................................................................727
53.7 General SIP Parameters ...................................................................................... 729
53.8 Coders and Profile Parameters ............................................................................ 755
53.9 Channel Parameters ............................................................................................ 758
53.9.1 Voice Parameters ..................................................................................................758
53.9.2 Coder Parameters .................................................................................................760
53.9.3 DTMF Parameters .................................................................................................761
53.9.4 RTP, RTCP and T.38 Parameters .........................................................................762
53.10 Gateway and IP-to-IP Parameters ....................................................................... 767
53.10.1 Fax and Modem Parameters .................................................................................767
53.10.2 DTMF and Hook-Flash Parameters .......................................................................774
53.10.3 Digit Collection and Dial Plan Parameters .............................................................777
53.10.4 Voice Mail Parameters ...........................................................................................779
53.10.5 Supplementary Services Parameters ....................................................................784
53.10.5.1 Caller ID Parameters ............................................................................. 784
53.10.5.2 Call Waiting Parameters ........................................................................ 785
53.10.5.3 Call Forwarding Parameters ................................................................. 785
53.10.5.4 Call Hold Parameters ............................................................................ 786
53.10.5.5 Call Transfer Parameters ...................................................................... 787
53.10.5.6 MLPP and Emergency Call Parameters ............................................... 789
53.10.5.7 Call Cut-Through Parameters ............................................................... 794
53.10.6 PSTN Parameters ..................................................................................................795
53.10.6.1 General Parameters .............................................................................. 795
53.10.6.2 TDM Bus and Clock Timing Parameters ............................................... 800
53.10.6.3 CAS Parameters ................................................................................... 802
53.10.6.4 ISDN Parameters .................................................................................. 805
53.10.7 ISDN and CAS Interworking Parameters ..............................................................812
53.10.8 Answer and Disconnect Supervision Parameters .................................................828
53.10.9 Tone Parameters ...................................................................................................831
53.10.9.1 Telephony Tone Parameters ................................................................. 831
53.10.9.2 Tone Detection Parameters .................................................................. 836
53.10.9.3 Metering Tone Parameters ................................................................... 837
53.10.10 Trunk Groups and Routing Parameters ...........................................................838
53.10.11 IP Connectivity Parameters ..............................................................................846
53.10.12 Alternative Routing Parameters .......................................................................847
53.10.13 Number Manipulation Parameters ....................................................................849
53.11 SBC Parameters .................................................................................................. 860
53.12 Standalone Survivability Parameters ................................................................... 873
53.13 IP Media Parameters ........................................................................................... 877
53.14 Services ............................................................................................................... 881
53.14.1 SIP-based Media Recording Parameters ..............................................................881
53.14.2 RADIUS and LDAP Parameters ............................................................................882
53.14.2.1 General Parameters .............................................................................. 882
53.14.2.2 RADIUS Parameters ............................................................................. 882
53.14.2.3 LDAP Parameters ................................................................................. 884
53.14.3 Least Cost Routing Parameters ............................................................................887
53.14.4 Call Setup Rules Parameters ................................................................................888
54 SBC and DSP Channel Capacity .................................................................... 889
54.1 Signaling-Media Sessions & User Registrations .................................................. 889
54.2 Channel Capacity and Capabilities ...................................................................... 890
55 Technical Specifications ................................................................................ 891

Notice
This document describes AudioCodes Mediant 500 Enterprise Session Border Controller (E-SBC).
Information contained in this document is believed to be accurate and reliable at the time of printing. However, due to ongoing product improvements and revisions, AudioCodes cannot guarantee accuracy of printed material after the Date Published nor can it accept responsibility for errors or omissions. Before consulting this document, check the corresponding Release Notes regarding feature preconditions and/or specific support in this release. In cases where there are discrepancies between this document and the Release Notes, the information in the Release Notes supersedes that in this document. Updates to this document and other documents as well as software files can be downloaded by registered customers at http://www.audiocodes.com/downloads.
© Copyright 2014 AudioCodes Ltd. All rights reserved.
This document is subject to change without notice.
Date Published: September-07-2014

Trademarks

AudioCodes, AC, AudioCoded, Ardito, CTI2, CTI², CTI Squared, HD VoIP, HD VoIP Sounds Better, InTouch, IPmedia, Mediant, MediaPack, NetCoder, Netrake, Nuera, Open Solutions Network, OSN, Stretto, TrunkPack, VMAS, VoicePacketizer, VoIPerfect, VoIPerfectHD, What’s Inside Matters, Your Gateway To VoIP and 3GX are trademarks or registered trademarks of AudioCodes Limited. All other products or trademarks are property of their respective owners. Product specifications are subject to change without notice.

WEEE EU Directive

Pursuant to the WEEE EU Directive, electronic and electrical waste must not be disposed of with unsorted waste. Please contact your local recycling authority for disposal of this product.

Customer Support

AudioCodes continually strives to produce high quality documentation. If you have any comments (suggestions or errors) regarding this document, please fill out the Documentation Feedback form on our Web site at http://www.audiocodes.com/downloads.

Abbreviations and Terminology

Each abbreviation, unless widely used, is spelled out in full when first used.

Related Documentation

Manual Name
SIP CPE Release Notes
Mediant 500 E-SBC Hardware Installation Manual
Complementary Guides
  CLI Reference Guide
  CPE Configuration Guide for IP Voice Mail
  SNMP Reference Guide
  SBC Design Guide
  Recommended Security Guidelines Configuration Note
  SIP Message Manipulations Quick Reference Guide
  SAS Application Configuration Guide
  CAS Protocol Table Configuration Note
Utility Guides
  INI Viewer & Editor Utility User's Guide
  DConvert User's Guide
  AcBootP Utility User's Guide
  CLI Wizard User's Guide

Notes and Warnings

Note: This device is considered an INDOOR unit and therefore, must be installed only indoors. In addition, Ethernet port interface cabling must be routed only indoors and must not exit the building.
Note: The scope of this document does not fully cover security aspects for deploying the device in your environment. Security measures should be done in accordance with your organization's security policies. For basic security guidelines, refer to AudioCodes Recommended Security Guidelines document.
Note: Throughout this manual, unless otherwise specified, the term device refers to your AudioCodes product.
Note: Before configuring the device, ensure that it is installed correctly as instructed in the Hardware Installation Manual.
Notes:
By default, the device supports export-grade (40-bit and 56-bit) encryption due to US government restrictions on the export of security technologies. To enable 128-bit and 256-bit encryption on your device, contact your AudioCodes sales representative.
This device includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This device includes cryptographic software written by Eric Young (eay@cryptsoft.com).
Note: Some of the features listed in this document are available only if the relevant Software License Key has been purchased from AudioCodes and installed on the device. For a list of Software License Keys that can be purchased, please consult your AudioCodes sales representative.
Note: OPEN SOURCE SOFTWARE. Portions of the software may be open source software and may be governed by and distributed under open source licenses, such as the terms of the GNU General Public License (GPL), the terms of the Lesser General Public License (LGPL), BSD and LDAP, which terms are located at: http://www.audiocodes.com/support and all are incorporated herein by reference. If any open source software is provided in object code, and its accompanying license requires that it be provided in source code as well, Buyer may receive such source code by contacting AudioCodes, by following the instructions available on AudioCodes website.

Documentation Feedback

AudioCodes continually strives to produce high quality documentation. If you have any comments (suggestions or errors) regarding this document, please fill out the Documentation Feedback form on our Web site at http://www.audiocodes.com/downloads.

1 Overview

The Mediant 500 Enterprise Session Border Controller (E-SBC), hereafter referred to as the device, is a member of AudioCodes family of E-SBCs, enabling connectivity and security between small medium businesses (SMB) and service providers' VoIP networks. The device provides SBC functionality as well as voice-over-IP (VoIP) media gateway functionality. The device offers enhanced dialing plans and voice routing capabilities along with SIP-to-SIP mediation, allowing enterprises to implement SIP Trunking services (IP-to-IP call routing) and IP-based Unified Communications, as well as flexible PSTN and legacy PBX connectivity.
The device is designed as a secured VoIP platform. A fully featured enterprise-class SBC provides a secured voice network deployment based on a Back-to-Back User Agent (B2BUA) implementation. The SBC functionality provides perimeter defense for protecting the enterprise from malicious VoIP attacks; mediation for allowing the connection of any PBX and/or IP PBX to any service provider; and service assurance for service quality and manageability.
The device offers call "survivability" solutions using its Stand Alone Survivability (SAS) or Cloud Resilience Package (CRP) applications, ensuring service continuity to enterprises served by a centralized SIP-based IP-Centrex server or branch offices of distributed enterprises. Call survivability enables internal office communication between SIP clients in the case of disconnection from the centralized SIP IP-Centrex server or IP-PBX.
The device supports 1+1 High Availability when deployed with two devices, each connected to a different network (in the same subnet). In case of a network failure in one network, a switch over of traffic to the standby device occurs.
The device supports the following interfaces:
Four Gigabit Ethernet (10/100/1000Base-T) LAN ports
Single E1/T1 port interface over a copper wire pair, supporting Transparent, CAS and ISDN protocols. The device supports various ISDN PRI protocols such as EuroISDN, North American NI-2, Lucent™ 4/5ESS, Nortel™ DMS-100 and others. It also supports different variants of CAS protocols for E1 and T1 spans, including MFC R2, E&M immediate start, E&M delay dial / start, loop start and ground start
Two USB ports for optional, USB storage services
Serial console port (RJ-45) for device management
The device supports local and remote management through various management platforms such as an HTTP/S-based Web server, a command-line interface (CLI), SNMP, and serial (RS-232).
Note: For maximum call capacity figures, see ''SBC and DSP Channel Capacity'' on page 889.
Getting Started with Initial Connectivity
Part I

2 Introduction

This part describes how to initially access the device's management interface and change its default IP address to correspond with your networking scheme.

3 Default OAMP IP Address

The device is shipped with a factory default IP address for operations, administration, maintenance, and provisioning (OAMP), through its VoIP LAN interface. You can use this address to initially access the device from any of its management tools (embedded Web server, EMS, or Telnet/SSH). You can also access the device through the console CLI, by connecting the device's serial (RS-232) port to a PC.
The table below lists the device's default IP address.
Table 3-1: Default VoIP LAN IP Address for OAMP
IP Address          Value
Application Type    OAMP + Media + Control
IP Address          192.168.0.2
Prefix Length       255.255.255.0 (24)
Default Gateway     192.168.0.1
Underlying Device   1
Interface Name      "Voice"

4 Configuring VoIP LAN Interface for OAMP

You can change the IP address of the VoIP-LAN interface for OAMP, using any of the following methods:
Embedded HTTP/S-based Web server - see ''Web Interface'' on page 29
Embedded command line interface (CLI) - see ''CLI'' on page 31

4.1 Web Interface

The following procedure describes how to change the IP address of the OAMP on the VoIP-LAN interface, using the Web-based management tool (Web interface). The default IP address is used to initially access the device.
To configure the VoIP-LAN IP Address for OAMP, using the Web interface:
1. Connect Port 1 (left-most LAN port) located on the front panel directly to the network interface of your computer, using a straight-through Ethernet cable.
2. Change the IP address and subnet mask of your computer to correspond with the default OAMP IP address and subnet mask of the device.
3. Access the Web interface:
a. On your computer, start a Web browser and in the URL address field, enter the default IP address of the device; the Web interface's Web Login screen appears:
Figure 4-1: Web Login Screen
b. In the 'Username' and 'Password' fields, enter the case-sensitive, default login username ("Admin") and password ("Admin").
c. Click Login.
4. Open the Physical Ports Settings page (Configuration tab > VoIP menu > Network > Physical Ports Table) and then configure the device's physical Ethernet port-pair (group) that you want to later assign to the OAMP interface. For more information, see Configuring Physical Ethernet Ports on page 107.
5. Open the Interface Table page (Configuration tab > VoIP menu > Network > IP Interfaces Table).
6. Select the 'Index' radio button corresponding to the OAMP + Media + Control application type, and then click Edit.
7. Change the IP address to correspond with your network IP addressing scheme, for example:
IP Address: 10.8.6.86
Prefix Length: 24 (for 255.255.255.0)
Gateway: 10.8.6.85
Underlying Device: Select the Ethernet Device (VLAN and associated Ethernet port group) for OAMP
8. Click Submit.
9. Save your settings by resetting the device with a flash burn (see ''Resetting the Device'' on page 527).
10. Disconnect the device from the PC and cable the device to your network. You can now access the management interface using the new OAMP IP address.
Note: When you complete the above procedure, change your PC's IP address to correspond with your network requirements.

4.2 CLI

This procedure describes how to configure the VoIP-LAN IP address for OAMP using the device's CLI. The procedure uses the regular CLI commands. Alternatively, you can use the CLI Wizard utility to set up your device with the initial OAMP settings. The utility provides a fast-and-easy method for initial configuration of the device through CLI. For more information, refer to the CLI Wizard User's Guide.
To configure the OAMP IP address in the CLI:
1. Connect the RS-232 port of the device to the serial communication port on your computer. For more information, refer to the Hardware Installation Manual.
2. Establish serial communication with the device using a terminal emulator program such as HyperTerminal, with the following communication port settings:
Baud Rate: 115,200 bps
Data Bits: 8
Parity: None
Stop Bits: 1
Flow Control: None
3. At the CLI prompt, type the username (default is "Admin" - case sensitive):
Username: Admin
4. At the prompt, type the password (default is "Admin" - case sensitive):
Password: Admin
5. At the prompt, type the following:
enable
6. At the prompt, type the password again:
Password: Admin
7. Access the VoIP configuration mode:
# configure voip
8. Access the Interface table:
(config-voip)# interface network-if 0
9. Configure the IP address:
(network-if-0)# ip-address <IP address>
10. Configure the prefix length:
(network-if-0)# prefix-length <prefix length / subnet mask, e.g., 16>
11. Configure the Default Gateway address:
(network-if-0)# gateway <IP address>
12. Exit the Interface table:
(network-if-0)# exit
13. Exit the VoIP configuration mode:
(config-voip)# exit
14. Reset the device with a flash burn:
# reload now
15. Cable the device to your network. You can now access the device's management interface using this new OAMP IP address.
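The pre-flight check below is an added example, not AudioCodes code: it validates a planned OAMP address, prefix length (or dotted subnet mask) and gateway, then lists the commands from steps 7 to 14 above. The function names are hypothetical, and the sample values are the ones used in the Web interface procedure (10.8.6.86/24, gateway 10.8.6.85).

```python
import ipaddress

# Factory default OAMP address from Table 3-1 of this manual.
FACTORY_DEFAULT_IP = ipaddress.IPv4Address("192.168.0.2")


def parse_prefix(value):
    """Accept a prefix length ('24') or a dotted mask ('255.255.255.0')."""
    text = str(value).strip()
    if text.isdigit():
        prefix = int(text)
        if prefix > 32:
            raise ValueError(f"prefix length {prefix} is out of range 0-32")
        return prefix
    mask = int(ipaddress.IPv4Address(text))  # raises ValueError if malformed
    host_bits = mask ^ 0xFFFFFFFF
    # A valid mask is contiguous ones, so the inverted value must be 2**k - 1.
    # This also rejects wildcard masks such as 0.0.0.255.
    if host_bits & (host_bits + 1):
        raise ValueError(f"{text} is not a contiguous subnet mask")
    return 32 - host_bits.bit_length()


def check_oamp_plan(ip, prefix, gateway):
    """Return (errors, warnings) for a planned OAMP address, prefix and gateway."""
    errors, warnings = [], []
    try:
        addr = ipaddress.IPv4Address(ip)
        gw = ipaddress.IPv4Address(gateway)
        plen = parse_prefix(prefix)
    except ValueError as exc:
        return [str(exc)], warnings

    net = ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)
    reserved = (net.network_address, net.broadcast_address) if plen < 31 else ()

    if addr in reserved:
        errors.append(f"{addr} is the network or broadcast address of {net}")
    if gw not in net:
        errors.append(f"gateway {gw} is outside {net}; the device could not reach it")
    elif gw == addr:
        errors.append("gateway is the same as the interface address")
    elif gw in reserved:
        errors.append(f"gateway {gw} is the network or broadcast address of {net}")

    if addr == FACTORY_DEFAULT_IP:
        warnings.append("address is still the factory default from Table 3-1")
    if not addr.is_private:
        warnings.append("management address is publicly routable; restrict Web/CLI access")
    return errors, warnings


def render_cli(ip, prefix, gateway):
    """Return the section 4.2 command sequence (steps 7 to 14) for validated values."""
    errors, _ = check_oamp_plan(ip, prefix, gateway)
    if errors:
        raise ValueError("; ".join(errors))
    return [
        "configure voip",
        "interface network-if 0",
        f"ip-address {ip}",
        f"prefix-length {parse_prefix(prefix)}",
        f"gateway {gateway}",
        "exit",
        "exit",
        "reload now",
    ]


if __name__ == "__main__":
    # Sample values from the Web interface procedure in section 4.1.
    plan = ("10.8.6.86", "255.255.255.0", "10.8.6.85")
    errs, warns = check_oamp_plan(*plan)
    for line in errs + warns:
        print("!", line)
    if not errs:
        print("\n".join(render_cli(*plan)))
```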
Management Tools
Part II

5 Introduction

This part provides an overview of the various management tools that can be used to configure the device. It also provides step-by-step procedures on how to configure these management tools.
The device provides the following management tools:
Embedded HTTP/S-based Web server - see ''Web-based Management'' on page 37
Command Line Interface (CLI) - see ''CLI-Based Management'' on page 65
Simple Network Management Protocol (SNMP) - see ''SNMP-Based Management'' on page 75
Configuration ini file - see ''INI File-Based Management'' on page 81
Notes:
Some configuration settings can only be done using a specific management tool. For example, some configuration can only be done using the Configuration ini file method.
Throughout this manual, whenever a parameter is mentioned, its corresponding Web, CLI, and ini file parameter is mentioned. The ini file parameters are enclosed in square brackets [...].
For a list and description of all the configuration parameters, see ''Configuration Parameters Reference'' on page 673.

6 Web-Based Management

The device provides an embedded Web server (hereafter referred to as Web interface), supporting fault management, configuration, accounting, performance, and security (FCAPS), including the following:
Full configuration
Software and configuration upgrades
Loading auxiliary files, for example, the Call Progress Tones file
Real-time, online monitoring of the device, including display of alarms and their severity
Performance monitoring of voice calls and various traffic parameters
The Web interface provides a user-friendly, graphical user interface (GUI), which can be accessed using any standard Web browser (e.g., Microsoft™ Internet Explorer).
Access to the Web interface is controlled by various security mechanisms such as login user name and password, read-write privileges, and limiting access to specific IP addresses.
Notes:
The Web interface allows you to configure most of the device's settings. However, additional configuration parameters may exist that are not available in the Web interface and which can only be configured using other management tools.
Some Web interface pages and/or parameters are available only for certain hardware configurations or software features. The software features are determined by the installed Software License Key (see ''Software License Key'' on page 559).

6.1 Getting Acquainted with the Web Interface

This section provides a description of the Web interface.
6.1.1 Computer Requirements
The client computer requires the following to work with the Web interface of the device:
A network connection to the device
One of the following Web browsers:
  Microsoft™ Internet Explorer™ (Version 6.0 and later)
  Mozilla Firefox® (Versions 5 through 9.0)
Recommended screen resolutions: 1024 x 768 pixels, or 1280 x 1024 pixels
Note: Your Web browser must be JavaScript-enabled to access the Web interface.
6.1.2 Accessing the Web Interface
The following procedure describes how to access the Web interface.
To access the Web interface:
1. Open a standard Web browser (see ''Computer Requirements'' on page 37).
2. In the Web browser, specify the OAMP IP address of the device (e.g., http://10.1.10.10); the Web interface's Login window appears, as shown below:
Figure 6-1: Web Login Screen
3. In the 'Username' and 'Password' fields, enter the case-sensitive, user name and password respectively.
4. Click Login; the Web interface is accessed, displaying the Home page. For a detailed description of the Home page, see ''Viewing the Home Page'' on page 51.
Notes:
By default, Web access is only through the IP address of the OAMP interface. However, you can allow access from all of the device's IP network interfaces, by setting the EnableWebAccessFromAllInterfaces parameter to 1.
The default login username and password is "Admin". To change the login credentials, see ''Configuring the Web User Accounts'' on page 54.
If you want the Web browser to remember your password, select the 'Remember Me' check box and then agree to the browser's prompt (depending on your browser) to save the password for future logins. On your next login attempt, simply press the Tab or Enter keys to auto-fill the 'Username' and 'Password' fields, and then click Login.
Depending on your Web browser's settings, a security warning box may be displayed. The reason for this is that the device's certificate is not trusted by your PC. The browser may allow you to install the certificate, thus skipping the warning box the next time you connect to the device. If you are using Windows Internet Explorer, click View Certificate, and then Install Certificate. The browser also warns you if the host name used in the URL is not identical to the one listed in the certificate. To resolve this, add the IP address and host name (ACL_nnnnnn, where nnnnnn is the serial number of the device) to your hosts file, located at /etc/hosts on UNIX or C:\Windows\System32\Drivers\ETC\hosts on Windows; then use the host name in the URL (e.g., https://ACL_280152). Below is an example of a host file:
127.0.0.1 localhost
10.31.4.47 ACL_280152
6.1.3 Areas of the GUI
The areas of the Web interface's GUI are shown in the figure below and described in the subsequent table.
Figure 6-2: Main Areas of the Web Interface GUI
Table 6-1: Description of the Web GUI Areas
Item #  Description
1  AudioCodes company logo.
2  Product name.
3  Toolbar, providing frequently required command buttons. For more information, see ''Toolbar Description'' on page 40.
4  Displays the username of the Web user that is currently logged in.
5  Navigation bar, providing the following tabs for accessing various functionalities in the Navigation tree:
   Configuration, Maintenance, and Status & Diagnostics tabs: Access the configuration menus (see ''Working with Configuration Pages'' on page 43)
   Search tab: Enables a search engine for searching configuration parameters (see ''Searching for Configuration Parameters'' on page 47)
6  Navigation tree, displaying a tree-like structure of elements (configuration menus or search engine) pertaining to the selected tab on the Navigation bar. For more information, see ''Navigation Tree'' on page 41.
7  Work pane, displaying the configuration page of the selected menu in the Navigation tree. This is where configuration is done. For more information, see ''Working with Configuration Pages'' on page 43.
Page 40
Mediant 500 E-SBC
Opens the High Availability Maintenance page
6.1.4 Toolbar Description
The toolbar provides frequently required comm and buttons, described in the table below:
Table 6-2: Description of Toolbar Buttons
Icon Button
Name
Submit
Burn
Device
Actions
Description
Applies parameter settings to the device (se e ''Sav i ng Configuration'' on page 530).
Note: This icon is grayed out when not applicable to the currently opened page.
Saves parameter settings to flash memory (see ''Saving Configuration'' on page 530).
Opens a drop-down list with frequently needed commands:
Load Configuration File: Opens the Configuration File page for
loading an ini file to the device (see ''Backing Up and Loading Configuration File'' on page 567).
Save Configuration File: Opens the Configuration File page for
saving the ini file to a folder on your PC (see ''Backing Up and Loading Configuration File'' on page 567).
Reset: Opens the Maintenance Actions page for performing
various maintenance procedures such as reset ting the device (see ''Resetting the Device'' on page 527).
Software Upgrade Wizard: Starts the Software Upgrade Wizard
for upgrading the device's software (see ''Sof tware U pgrade Wizard'' on page 561).
Switch Over: Opens the High Availability Maintenance page for
switching between Active and Redundant devices (see High Availability Maintenance on page 531).
Reset Redundant:
for resetting the Redundant device (see High Av ai labi lity Maintenance on page
531).
Home
Opens the Home page (see ''Viewing the Home Page'' on page 51).
Help
Log off
-
Reset
Opens the Online Help topic of the currently opened configuration page (see ''Getting Help'' on page 50).
Logs off a session with the Web interface (see ''Loggi ng Off the Web Interface'' on page 51).
If you modify a parameter on a page that takes ef fect only after a device reset, after you click the Submit button, the toolbar displays "Reset". This is a reminder that you need t o l ater save your settings to flash memory and reset the device.
User's Manual 40 Document #: LTRT-10427
Page 41
User's Manual 6. Web-Based Management
6.1.5 Navigation Tree
The Navigation tree is located in the Navigation pane and displays a tree-like structure of menus pertaining to the selected tab on the Navigation bar. You can drill-down to the required page item level to open its corresponding page in the Work pane.
The terminology used throughout this manual for referring to the hierarchical structure of the tree is as follows:
Menu: first level (highest level)
Submenu: second level - contained within a menu
Page item: last level (lowest level in a menu) - contained within a menu or submenu
Figure 6-3: Navigating in Hierarchical Menu Tree (Example)
Note: The figure above is used only as an example. The displayed menus depend on supported features based on the Software License Key installed on your device.
6.1.5.1 Displaying Navigation Tree in Basic and Full View
You can view an expanded or reduced display of the Navigation tree. This affects the number of displayed menus and submenus in the tree. The expanded view displays all the menus pertaining to the selected configuration tab; the reduced view displays only commonly used menus.
To display a reduced menu tree, select the Basic option (default).
To display all menus and submenus, select the Advanced option.
Figure 6-4: Basic and Full View Options
Note: After you reset the device, the Web GUI is displayed in Basic view.
6.1.5.2 Showing / Hiding the Navigation Pane
You can hide the Navigation pane to provide more space for elements displayed in the Work pane. This is especially useful when the Work pane displays a wide table. The arrow button located below the Navigation bar is used to hide and show the pane.
To hide the Navigation pane, click the left-pointing arrow; the pane is hidden and the button is replaced by the right-pointing arrow button.
To show the Navigation pane, click the right-pointing arrow; the pane is displayed and the button is replaced by the left-pointing arrow button.
Figure 6-5: Show and Hide Button (Navigation Pane in Hide View)
6.1.6 Working with Configuration Pages
The configuration pages contain the parameters for configuring the device and are displayed in the Work pane.
6.1.6.1 Accessing Pages
The configuration pages are accessed by clicking the required page item in the Navigation tree.
To open a configuration page:
1. On the Navigation bar, click the required tab (Configuration, Maintenance, or Status
& Diagnostics); the menus pertaining to the selected tab appear in the Navigation
tree.
2. Navigate to the required page item, by performing the following:
Drill-down using the plus sign to expand the menu and submenus.
Drill-up using the minus sign to collapse the menu and submenus.
3. Click the required page item; the page opens in the Work pane.
You can also access previously opened pages by clicking the Web browser's Back button until you have reached the required page. This is useful if you want to view pages in which you have performed configurations in the current Web session.
Note: Depending on the access level of your Web user account, certain pages may not be accessible or may be read-only (see ''Configuring Web User Accounts'' on page 54). If a page is read-only, "Read-Only Mode" is displayed at the bottom of the page.
6.1.6.2 Viewing Parameters
Some pages allow you to view a reduced or expanded display of parameters. The Web interface provides two methods for displaying page parameters:
Displaying "basic" and "advanced" parameters - see ''Displaying Basic and Advanced Parameters'' on page
Displaying parameter groups - see ''Showing / Hiding Parameter Groups'' on page 44
6.1.6.2.1 Displaying Basic and Advanced Parameters
Some pages provide a toggle button that allows you to show and hide parameters. This button is located on the top-right corner of the page and has two display states:
Advanced Parameter List button with down-pointing arrow: click this button to display all parameters.
Basic Parameter List button with up-pointing arrow: click this button to show only common (basic) parameters.
The figure below shows an example of a page displaying basic parameters only. If you click the Advanced Parameter List button (shown below), the page will also display the advanced parameters.
Figure 6-6: Toggling between Basic and Advanced View
Notes:
When the Navigation tree is in Advanced display mode (see ''Navigation Tree'' on page 41), configuration pages display all their parameters.
If you reset the device, the Web pages display only the basic parameters.
The basic parameters are displayed in a different background color to the advanced parameters.
6.1.6.2.2 Showing / Hiding Parameter Groups
Some pages group parameters under sections, which can be hidden or shown. To toggle between hiding and showing a group, simply click the group title name that appears above each group. The button appears with a down-pointing or up-pointing arrow, indicating that it can be collapsed or expanded when clicked, respectively.
Figure 6-7: Expanding and Collapsing Parameter Groups
6.1.6.3 Modifying and Saving Parameters
When you modify a parameter value on a page, the Edit icon appears to the right of the parameter. This indicates that the parameter has been modified, but has yet to be applied (submitted). After you click Submit the icon disappears.
Figure 6-8: Edit Symbol after Modifying Parameter Value
To save configuration changes on a page to the device's volatile memory (RAM):
On the toolbar, click the Submit button.
At the bottom of the page, click the Submit button.
When you click Submit, modifications to parameters with on-the-fly capabilities are immediately applied to the device and take effect. Parameters displayed on the page with the lightning icon take effect only after a device reset. For resetting the device, see ''Resetting the Device'' on page 527.
Note: Parameters saved to the volatile memory (by clicking Submit) revert to their previous settings after a hardware or software reset, or if the device is powered down. Thus, to ensure parameter changes (whether on-the-fly or not) are retained, save ('burn') them to the device's non-volatile memory, i.e., flash (see ''Saving Configuration'' on page 530).
If you enter an invalid parameter value (e.g., not in the range of permitted values) and then click Submit, a message box appears notifying you of the invalid value. In addition, the parameter value reverts to its previous value and is highlighted in red, as shown in the figure below:
Figure 6-9: Value Reverts to Previous Valid Value
6.1.6.4 Working with Tables
Many of the Web configuration pages provide tables for configuring various functionalities of the device. The figure below and subsequent table describe the areas of a typical configuration table:
Figure 6-10: Displayed Details Pane
Table 6-3: Enhanced Table Design Description
Item # | Button | Description
1 | Add | Adds a new index entry row to the table. When you click this button, a dialog box appears with parameters for configuring the new entry. When you have completed configuration, click the Submit button in the dialog box to add it to the table.
2 | Edit | Edits the selected row.
3 | Delete | Removes the selected row from the table. When you click this button, a confirmation box appears requesting you to confirm deletion. Click Delete to accept deletion.
4 | Show/Hide | Toggles between displaying and hiding the full configuration of a selected row. This configuration is displayed below the table (see Item #6) and is useful for large tables that cannot display all its columns in the work pane.
5 | - | Selected index row entry for editing, deleting and showing configuration.
6 | - | Displays the full configuration of the selected row when you click the Show/Hide button.
7 | - | Links to access additional configuration tables related to the current configuration.
Some tables also provide the Up and Down buttons for changing the position (index number) of a selected table row. These buttons become available only if the table contains more than one row.
You can also define the number of rows to display on the page and to navigate between pages displaying multiple rows. This is done using the page navigation area located below the table, as shown in the figure below:
Figure 6-11: Viewing Table Rows per Page
Table 6-4: Row Display and Page Navigation
Item # | Description
1 | Defines the page that you want to view. Enter the required page number or use the following page navigation buttons:
  - Displays the next page
  - Displays the last page
  - Displays the previous page
  - Displays the first page
2 | Defines the number of rows to display per page. You can select 5 or 10, where the default is 10.
3 | Displays the currently displayed page number.
6.1.7 Searching for Configuration Parameters
You can locate the exact Web page on which a specific parameter appears, by using the Search feature. To search for a Web parameter, you must use the ini file parameter name as the search key. The search key can include the full parameter name (e.g., "EnableSyslog") or a substring of it (e.g., "sys"). If you search for a substring, all parameters containing the specified substring in their names are listed in the search result.
To search for a parameter:
1. On the Navigation bar, click the Search tab; the Search engine appears in the Navigation pane.
2. In the field alongside the Search button, enter the parameter name or a substring of the name for which you want to search. If you have done a previous search for such a parameter, instead of entering the required string, you can use the 'Search History' drop-down list to select the string saved from a previous search.
3. Click Search; a list of found parameters based on your search key appears in the Navigation pane. Each searched result displays the following:
ini file parameter name
Link (in green) to the Web page on which the parameter appears
Brief description of the parameter
Menu navigation path to the Web page on which the parameter appears
4. In the searched list, click the required parameter (green link) to open the page on which the parameter appears; the relevant page opens in the Work pane and the searched parameter is highlighted in the page for easy identification, as shown in the figure below:
Figure 6-12: Searched Result Screen
Table 6-5: Search Description
Item # | Description
1 | Search field for entering search key and Search button for activating the search process.
2 | Search results listed in Navigation pane.
3 | Found parameter, highlighted on relevant Web page
6.1.8 Creating a Login Welcome Message
You can create a Welcome message box that is displayed on the Web Login page. The figure below displays an example of a Welcome message:
Figure 6-13: User-Defined Web Welcome Message after Login
To enable and create a Welcome message, use the WelcomeMessage table ini file parameter, as described in the table below. If this parameter is not configured, no Welcome message is displayed.
Table 6-6: ini File Parameter for Welcome Login Message
Parameter Description
[WelcomeMessage]
Enables and defines a Welcome message that appears on the Web Login page for logging in to the Web interface.
The format of this parameter is as follows:
[WelcomeMessage]
FORMAT WelcomeMessage_Index = WelcomeMessage_Text;
[\WelcomeMessage]
For Example:
[WelcomeMessage]
FORMAT WelcomeMessage_Index = WelcomeMessage_Text;
WelcomeMessage 1 = "*********************************";
WelcomeMessage 2 = "********* This is a Welcome message **";
WelcomeMessage 3 = "*********************************";
[\WelcomeMessage]
Each index row represents a line of text in the Welcome message box. Up to 20 lines (or rows) of text can be defined.
6.1.9 Getting Help
The Web interface provides you with context-sensitive Online Help. The Online Help provides brief descriptions of parameters pertaining to the currently opened page.
To view the Help topic of a currently opened page:
1. On the toolbar, click the Help button; the Help topic pertaining to the opened page appears, as shown below:
Figure 6-14: Help Topic for Current Page
2. To view a description of a parameter, click the plus sign to expand the parameter. To collapse the description, click the minus sign.
3. To close the Help topic, click the close button located on the top-right corner of the Help topic window or simply click the Help button.
Note: Instead of clicking the Help button for each page you open, you can open it once for a page and then simply leave it open. Each time you open a different page, the Help topic pertaining to that page is automatically displayed.
6.1.10 Logging Off the Web Interface
The following procedure describes how to log off the Web interface.
To log off the Web interface:
1. On the toolbar, click the Log Off icon; the following confirmation message box appears:
Figure 6-15: Log Off Confirmation Box
2. Click OK; you are logged off the Web session and the Web Login dialog box appears enabling you to re-login, if required.

6.2 Viewing the Home Page

The Home page is displayed when you access the device's Web interface. The Home page provides you with a graphical display of the device's front panel, showing color-coded status icons for various device operations.
To access the Home page:
On the toolbar, click the Home icon.
Figure 6-16: Home Page
Note: The displayed number and type of telephony interfaces depends on the ordered hardware configuration.
In addition to the color-coded status information depicted on the graphical display of the device, the Home page displays various read-only information in the General Information pane:
IP Address: IP address of the device
Subnet Mask: Subnet mask address of the device
Default Gateway Address: Default gateway used by the device
Digital Port Number: Number of digital PRI ports (depending on ordered hardware configuration)
Firmware Version: Software version running on the device
Protocol Type: Signaling protocol currently used by the device (i.e. SIP)
Gateway Operational State:
  "LOCKED": device is locked (i.e. no new calls are accepted)
  "UNLOCKED": device is not locked
  "SHUTTING DOWN": device is currently shutting down
  To perform these operations, see ''Basic Maintenance'' on page 527.
High Availability: Status of the device's HA mode (see HA Status on the Home Page on page 513).
The table below describes the areas of the Home page.
Table 6-7: Home Page Description
Item # | Description
1 | Displays the highest severity of an active alarm raised (if any) by the device:
  Green = No alarms
  Red = Critical alarm
  Orange = Major alarm
  Yellow = Minor alarm
  To view active alarms, click the Alarms area to open the Active Alarms page (see Viewing Active Alarms on page 593).
2 | Status LED.
3 | USB port for USB storage services.
4 | RS-232 interface port (RJ-45).
5 | Module number for the interface type.
6 | Gigabit Ethernet LAN port status icons:
  (green): Link is working
  (gray): Link is not configured
  (red): Link error
  To view detailed port information, click the port icon (see Viewing Ethernet Port Information on page 592).
7 | Interface module name.
8 | E1/T1 port (trunk or channel) status icon.
  Icon | Trunk Description
  (gray) | Disable: Trunk not configured (not in use)
  (green) | Active - OK: Trunk synchronized
  (yellow) | RAI Alarm: Remote Alarm Indication (RAI), also known as the Yellow Alarm
  (red) | LOS/LOF Alarm: Loss due to LOS (Loss of Signal) or LOF (Loss of Frame)
  (blue) | AIS Alarm: Alarm Indication Signal (AIS), also known as the Blue Alarm
  (orange) | D-Channel Alarm: D-channel alarm
  (dark orange) | NFAS Alarm
  If you click a port, a shortcut menu appears with commands allowing you to do the following:
  Port Settings: Displays trunk status (see ''Viewing Trunk and Channel Status'' on page 601)
  Update Port Info: Assigns a name to the port (see ''Assigning a Port Name'' on page 53)
6.2.1 Assigning a Port Name
You can configure an arbitrary name or a brief description for each telephony port displayed on the Home page. This description is displayed as a tooltip when you hover your mouse over the port.
Note: Only alphanumerical characters can be used in the port description.
To add a port description:
1. Open the Home page.
2. Click the required port icon; a shortcut menu appears:
3. From the shortcut menu, choose Update Port Info; a text box appears:
4. Type a brief description for the port, and then click Apply Port Info.

6.3 Configuring Web User Accounts

Web user accounts define users for the Web interface and CLI. User accounts permit login access to these interfaces as well as different levels of read and write privileges. Thus, user accounts prevent unauthorized access to these interfaces, permitting access only to users with correct credentials (i.e., username and password).
Each user account is based on the following:
Username and password: Credentials that enable authorized login access to the Web interface.
User level (user type): Access privileges specifying what the user can view in the Web interface and its read/write privileges. The table below describes the different types of Web user account access levels:
Table 6-8: Web User Access Levels and Privileges
User Level | Numeric Representation in RADIUS | Privileges
Security Administrator | 200 | Read / write privileges for all pages. It can create all user types and is the only one that can create the first Master user. Note: At least one Security Administrator user must exist.
Master | 220 | Read / write privileges for all pages. Can create all user types, including additional Master users and Security Administrators. It can delete all users except the last Security Administrator.
Administrator | 100 | Read / write privileges for all pages, except security-related pages (read-only).
Monitor | 50 | No access to security-related and file-loading pages; read-only access to all other pages.
No Access | 0 | No access to any page. Note: This access level is not applicable when using advanced Web user account configuration in the Web Users table.
By default, the device is pre-configured with the following two Web user accounts:
Table 6-9: Pre-configured Web User Accounts
User Access Level | Username (Case-Sensitive) | Password (Case-Sensitive)
Security Administrator | Admin | Admin
Monitor | User | User
After you log in to the Web interface, the username is displayed on the toolbar. If the Web session is idle (i.e., no actions are performed) for more than five minutes, the Web session expires and you are once again requested to login with your username and password. Users can be blocked for a period of time upon a user-defined number of unsuccessful login attempts. Login information (such as how many login attempts were made and the last successful login time) can be presented to the user.
To prevent user access after a specific number of failed logins:
1. From the 'Deny Access On Fail Count' drop-down list, select the number of failed logins after which the user is prevented access to the device for a user-defined time (see next step).
2. In the 'Deny Authentication Timer' field, enter the interval (in seconds) that the user needs to wait before a new login attempt from the same IP address can be done after reaching the number of failed login attempts (defined in the previous step).
Notes:
For security, it's recommended that you change the default username and password of the pre-configured users (i.e., Security Administrator and Monitor users).
The Security Administrator user can change all attributes of all Web user accounts. Web users with access levels other than Security Administrator can change only their password and username.
To restore the two Web user accounts to default settings (usernames and passwords), set the ini file parameter ResetWebPassword to 1.
To log in to the Web interface with a different Web user, click the Log off button and then log in with a different username and password.
You can set the entire Web interface to read-only (regardless of Web user access levels), by using the ini file parameter DisableWebConfig (see ''Web and Telnet Parameters'' on page 673).
You can define additional Web user accounts using a RADIUS server (see ''RADIUS Authentication'' on page 64).
6.3.1 Basic User Accounts Configuration
This section describes basic Web user account configuration. This is relevant only if the two default, pre-configured Web user accounts--Security Administrator ("Admin") and Monitor ("User")--are sufficient for your management scheme.
The Web user account parameters that can be modified depend on the access level of the currently logged-in Web user:
Table 6-10: Allowed Modifications per Web User Level
Logged-in User | Web User Level | Allowed Modifications
Security Administrator | (Default) Security Administrator | Username and password
Security Administrator | Monitor | Username, password, and access level
Monitor | (Default) Security Administrator | None
Monitor | Monitor | Username and password
Notes:
The username and password can be a string of up to 19 characters and are case-sensitive.
When only the basic user accounts are being used, up to two users can be concurrently logged in to the Web interface, and they can be the same user.
To configure the two pre-configured Web user accounts:
1. Open the Web User Accounts page (Configuration tab > System menu > Web User Accounts). If you are logged in as Security Administrator, both Web user accounts are displayed (as shown below). If you are logged in with the second user account, only the details of this user account are displayed.
Figure 6-17: WEB User Accounts Page (for Users with 'Security Administrator' Privileges)
2. To change the username of an account:
a. In the 'User Name' field, enter the new user name.
b. Click Change User Name; if you are currently logged in to the Web interface with this account, the 'Web Login' dialog box appears.
c. Log in with your new user name.
3. To change the password of an account:
a. In the 'Current Password' field, enter the current password.
b. In the 'New Password' and 'Confirm New Password' fields, enter the new password.
c. Click Change Password; if you are currently logged in to the Web interface with this account, the 'Web Login' dialog box appears.
d. Log in with your new password.
4. To change the access level of the optional, second account:
a. Under the Account Data for User: User group, from the 'Access Level' drop-down list, select a new access level user.
b. Click Change Access Level; the new access level is applied immediately.
6.3.2 Advanced User Accounts Configuration
The Web Users table lets you configure advanced Web user accounts. This configuration is relevant only if you need the following management schemes:
Enhanced security settings per Web user (e.g., limit session duration)
More than two Web user accounts (up to 10 Web user accounts)
Master users
Notes:
Only the Security Administrator user can initially access the Web Users table.
Only Security Administrator and Master users can add, edit, or delete users.
Admin users have read-only privileges in the Web Users table; Monitor users have no access to this table.
For advanced user accounts, up to five users can be concurrently logged in to the Web interface, and they can be the same user.
If you delete a user who is currently in an active Web session, the user is immediately logged off by the device.
All users can change their own passwords. This is done in the WEB Security Settings page (see ''Configuring Web Security Settings'' on page 61).
To remove the Web Users table and revert to the Web User Accounts page with the pre-configured, default Web user accounts, set the ResetWebPassword ini file parameter to 1. This also deletes all other Web users.
Once the Web Users table is accessed, Monitor users and Admin users can only change their passwords in the Web Security Settings page (see ''Configuring Web Security Settings'' on page 61). The new password must have at least four different characters than the previous password. (The Security Administrator users and Master users can change their passwords in the Web Users table and in the Web Security Settings page.)
The following procedure describes how to configure Web users in the Web interface. You can also configure this using the CLI command web-users.
To add Web user accounts with advanced settings:
1. Open the Web Users Table page:
Upon initial access:
a. Open the Web User Accounts page (Configuration tab > System menu >
Web User Accounts).
b. Under the Web Users Table group, click the Create Table button.
Subsequent access: Configuration tab > System menu > Web User Accounts.
The Web Users table appears, listing the two default, pre-configured Web user accounts - Security Administrator ("Admin") and Monitor ("User"):
Figure 6-18: Web Users Table Page
2. Click Add; the following dialog box is displayed:
Figure 6-19: Web Users Table - Add Record Dialog Box
3. Configure a Web user according to the parameters described in the table below.
4. Click Submit, and then save ("burn") your settings to flash memory.
Table 6-11: Web User Table Parameter Descriptions
Parameter Description
Index
Defines an index number for the new table record.
Note: Each table row must be configured with a unique index.
Web: Username CLI: user-name
Defines the Web user's username. The valid value is a string of up to 40 alphanumeric characters, including the period ".", underscore "_", and hyphen "-" signs.
Web: Password CLI: password
Defines the Web user's password. The valid value is a string of 8 to 40 ASCII characters, which must include the following:
At least eight characters
At least two letters that are upper case (e.g., "AA")
At least two letters that are lower case (e.g., "aa")
At least two numbers
At least two signs (e.g., the dollar "$" sign)
No spaces in the string
At least four characters different to the previous password
Web: Status CLI: status
Defines the status of the Web user.
New = (Default) User is required to change its password on the next login. When the user logs in to the Web interface, the user is immediately prompted to change the current password.
Valid = User can log in to the Web interface as normal.
Failed Access = This state is automatically set for users that exceed a user-defined number of failed login attempts, set by the 'Deny Access on Fail Count' parameter (see ''Configuring Web Security Settings'' on page 61). These users can log in only after a user-defined timeout configured by the 'Block Duration' parameter (see below) or if their status is changed (to New or Valid) by a System Administrator or Master.
Old Account = This state is automatically set for users that have not accessed the Web interface for a user-defined number of days, set by the 'User Inactivity Timer' (see ''Configuring Web Security Settings'' on page 61). These users can only log in to the Web interface if their status is changed (to New or Valid) by a System Administrator or Master.
Notes:
The Old Account status is applicable only to Admin and Monitor users; System Administrator and Master users can be inactive indefinitely.
For security, it is recommended to set the status of a newly added user to New in order to enforce password change.
Web: Password Age CLI: pw-age-interval
Defines the duration (in days) of the validity of the password. When this duration elapses, the user is prompted to change the password; otherwise, access to the Web interface is blocked.
The valid value is 0 to 10000, where 0 means that the password is always valid. The default is 90.
Web: Session Limit CLI: session-limit
Defines the maximum number of Web interface sessions allowed for the user. In other words, this allows the same user account to log in to the device from different sources (i.e., IP addresses).
The valid value is 0 to 5. The default is 2.
Note: Up to 5 users can be concurrently logged in to the Web interface.
Web: Session Timeout CLI: session-timeout
Defines the duration (in minutes) of Web inactivity of a logged-in user, after which the user is automatically logged off the Web interface.
The valid value is 0 to 100000. The default value is according to the settings of the 'Session Timeout' global parameter (see ''Configuring Web Security Settings'' on page 61).
Web: Block Duration CLI: block-time
Defines the duration (in seconds) for which the user is blocked when the user exceeds a user-defined number of failed login attempts. This is configured by the 'Deny Access On Fail Count' parameter (see ''Configuring Web Security Settings'' on page 61).
The valid value is 0 to 100000, where 0 means that the user can do as many login failures without getting blocked. The default is according to the settings of the 'Deny Authentication Timer' parameter (see ''Configuring Web Security Settings'' on page 61).
Note: The 'Deny Authentication Timer' parameter relates to failed Web logins from specific IP addresses.
Web: User Level CLI: user-level
Defines the user's access level.
Monitor = (Default) Read-only user. This user can only view Web pages and access to security-related pages is denied.
Administrator = Read/write privileges for all pages, except security-related pages including the Web Users table where this user has only read-only privileges.
Security Administrator = Read/write privileges for all pages. This user is the Security Administrator.
Master = Read/write privileges for all pages. This user also functions as a security administrator.
Notes:
At least one Security Administrator must exist. The last remaining Security Administrator cannot be deleted.
The first Master user can be added only by a Security Administrator user.
Additional Master users can be added, edited and deleted only by Master users.
If only one Master user exists, it can be deleted only by itself.
Master users can add, edit, and delete Security Administrators (but cannot delete the last Security Administrator).
Only Security Administrator and Master users can add, edit, and delete Administrator and Monitor users.
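A pre-check for candidate passwords against the complexity rules listed for the Password parameter in Table 6-11, for use before provisioning Web users. This is an added example, not AudioCodes code: the function names are hypothetical, and both the set of characters counted as "signs" and the way "four characters different" is counted are assumptions.

```python
import string
from collections import Counter

MIN_LEN, MAX_LEN = 8, 40   # "a string of 8 to 40 ASCII characters"
MIN_PER_CLASS = 2          # two upper case, two lower case, two numbers, two signs
MIN_CHANGED = 4            # "at least four characters different to the previous password"

# Assumption: "signs" means printable ASCII punctuation; the manual only names "$".
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "sign": string.punctuation,
}


def changed_chars(new, previous):
    """Count characters of `new` that are not matched one-for-one in `previous`.

    Assumed reading of the rule. A reordering of the old password scores 0, so this
    count is never higher than a position-by-position comparison would give.
    """
    return sum((Counter(new) - Counter(previous)).values())


def check_password(new, previous=None):
    """Return the list of violated rules; an empty list means the candidate passes."""
    failed = []
    if not (new.isascii() and new.isprintable()):
        failed.append("ascii")
    if not MIN_LEN <= len(new) <= MAX_LEN:
        failed.append("length")
    if " " in new:
        failed.append("space")
    for name, alphabet in CLASSES.items():
        if sum(ch in alphabet for ch in new) < MIN_PER_CLASS:
            failed.append(name)
    if previous is not None and changed_chars(new, previous) < MIN_CHANGED:
        failed.append("reuse")
    return failed


def audit(candidates):
    """Map account name to violations; `candidates` holds (name, new, previous) tuples."""
    return {name: check_password(new, prev) for name, new, prev in candidates}


if __name__ == "__main__":
    # Constructed sample input, not real credentials.
    sample = [
        ("noc1", "QQww77!!", "AAaa11$$"),    # passes every rule
        ("noc2", "Admin", None),             # the default password fails four rules
        ("noc3", "x$$11aaAA", "AAaa11$$x"),  # old password reordered
    ]
    for name, failed in audit(sample).items():
        print(name, "OK" if not failed else "FAIL: " + ", ".join(failed))
```

A candidate that passes here can still be rejected by the device if it counts signs or changed characters differently.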

6.4 Displaying Login Information upon Login

The device can display login information immediately upon Web login.
To enable display of user login information upon a successful login:
1. Open the WEB Security Settings page (Configuration tab > System menu >
Management > WEB Security Settings).
2. From the 'Display Login Information' drop-down list, select Yes.
3. Click Submit.
Once enabled, the Login Information window is displayed upon a successful login, as shown in the example below:
Figure 6-20: Login Information Window

6.5 Configuring Web Security Settings

The WEB Security Settings page is used to configure security for the device's Web interface.
By default, the device accepts HTTP and HTTPS access. However, you can enforce secure Web access by configuring the device to accept only HTTPS.
For a description of these parameters, see ''Web and Telnet Parameters'' on page 673.
To define Web access security:
1. Open the WEB Security Settings page (Configuration tab > System menu >
Management > WEB Security Settings).
2. Set the 'Secured Web Connection (HTTPS)' parameter to HTTPS Only.
3. Configure the parameters as required.
4. Click Submit.
5. To save the changes to flash memory, see ''Saving Configuration'' on page 530.

6.6 Web Login Authentication using Smart Cards

You can enable Web login authentication using certificates from a third-party, common access card (CAC) with user identification. When a user attempts to access the device through the Web browser (HTTPS), the device retrieves the Web user’s login username (and other information, if required) from the CAC. The user attempting to access the device is only required to provide the login password. Typically, a TLS connection is established between the CAC and the device’s Web interface, and a RADIUS server is implemented to authenticate the password with the username. Therefore, this feature implements two-factor authentication: what the user has (i.e., the physical card) and what the user knows (i.e., the login password).
This feature is enabled using the EnableMgmtTwoFactorAuthentication parameter.
Note: For specific integration requirements for implementing a third-party smart card for Web login authentication, contact your AudioCodes representative.
To log in to the Web interface using CAC:
1. Insert the Common Access Card into the card reader.
2. Access the device using the following URL: https://<host name or IP address>; the device prompts for a username and password.
3. Enter the password only. As some browsers require that the username be provided, it’s recommended to enter the username with an arbitrary value.

6.7 Configuring Web and Telnet Access List

The Web & Telnet Access List page is used to define IP addresses (up to ten) that are permitted to access the device's Web, Telnet, and SSH interfaces. Access from an undefined IP address is denied. If no IP addresses are defined, this security feature is inactive and the device can be accessed from any IP address. The Web and Telnet Access List can also be defined using the ini file parameter WebAccessList_x (see ''Web and Telnet Parameters'' on page 673).
To add authorized IP addresses for Web, Telnet, and SSH interfaces access:
1. Open the Web & Telnet Access List page (Configuration tab > System menu >
Management > Web & Telnet Access List).
Figure 6-21: Web & Telnet Access List Page - Add New Entry
2. To add an authorized IP address, in the 'Add an authorized IP address' field, enter the required IP address, and then click Add New Entry; the IP address you entered is added as a new entry to the Web & Telnet Access List table.
Figure 6-22: Web & Telnet Access List Table
User's Manual 62 Document #: LTRT-10427
Page 63
User's Manual 6. Web-Based Management
3. To delete authorized IP addresses, select the Delete Row check boxes corresponding
to the IP addresses that you want to delete, and then click Delete Selected Addresses; the IP addresses are removed from the table and these IP addresses can
no longer access the Web and Telnet interfaces.
4. To save the changes to flash memory, see ''Saving Configuration'' on page 530.
Notes:
The first authorized IP address in the list must be your PC's (terminal) IP address; otherwise, access from your PC is denied.
Delete your PC's IP address last from the Web & Telnet Access List page. If it is deleted before the last, subsequent access to the device from your PC is denied.

7 CLI-Based Management

This chapter provides an overview of the CLI-based management and provides configuration relating to CLI management.
Notes:
For security, CLI is disabled by default.
For a description of the CLI commands, refer to the CLI Reference Guide.

7.1 Getting Familiar with CLI

This section describes the basic structure of the device's CLI, which you may need to know before configuring the device through CLI.
7.1.1 Understanding Configuration Modes
Before you begin your CLI session, you should familiarize yourself with the CLI command modes. Each command mode provides different levels of access to commands, as described below:
Basic command mode: This is the initial mode that is accessed upon a successful CLI login authentication. Any user level can access this mode and thus, the commands supported by this command tier are limited, as is interaction with the device itself. This mode allows you to view various information (using the show commands) and activate various debugging capabilities.
Welcome to AudioCodes CLI
Username: Admin
Password:
>
The Basic mode prompt is ">".
Enable command mode: This mode is the high-level tier in the command hierarchy, one step up from the Basic Mode. A password ("Admin", by default) is required to access this mode after you have accessed the Basic mode. This mode allows you to configure all the device's settings. The Enable mode is accessed by typing the following commands:
> enable
Password: <password>
#
The Enable mode prompt is "#".
Notes:
The enable command is required only for users with Administrator or Monitor access levels; Security Administrator and Master access levels automatically enter Enable mode upon initial login. For configuring user access levels, see Configuring Web User Accounts on page 54.
The default password for accessing the Enable mode is "Admin" (case-sensitive). To change this password, use the CLIPrivPass ini file parameter.
The Enable mode groups the configuration commands under the following command sets:
config-system: Provides the general and system related configuration commands, for example, Syslog configuration. This set is accessed by typing the following command:
# configure system
(config-system)#
config-voip: Provides the VoIP-related configuration commands, for example, SIP and media parameters, and VoIP network interface configuration. This set is accessed by typing the following command:
# configure voip
(config-voip)#
7.1.2 Using CLI Shortcuts
The CLI provides several editing shortcut keys to help you configure your device more easily, as listed in the table below.
Table 7-1: CLI Editing Shortcut keys
Shortcut Key
  Description
Up arrow key
  Retypes the previously entered command. Continuing to press the Up arrow key cycles through all commands entered, starting with the most recent command.
<Tab> key
  Pressing the <Tab> key after entering a partial (but unique) command automatically completes the command, displays it on the command prompt line, and waits for further input.
  Pressing the <Tab> key after entering a partial and not unique command displays all completing options.
? (question mark)
  Displays a list of all subcommands in the current mode, for example:
    (config-voip)# voip-network ?
    dns Enter voip-network dns
    ip-group IP Group table
    nat-translation NATTranslationtable
    ...
  Displays a list of available commands beginning with certain letter(s), for example:
    (config)# voip-network d?
    dns Enter voip-network dns
  Displays syntax help for a specific command by entering the command, a space, and then a question mark (?). This includes the range of valid values and a brief description of the next parameter expected for that particular command. For example:
    (config)# voip-network dns srv2ip ?
    [0-9] index
  If a command can be invoked (i.e., all its arguments have been entered), the question mark at its end displays "<cr>" to indicate that a carriage return (Enter) can now be entered to run the command, for example:
    (config)# logging host 10.1.1.1 ?
    <cr>
<Ctrl + A>
  Moves the cursor to the beginning of the command line.
<Ctrl + E>
  Moves the cursor to the end of the command line.
<Ctrl + U>
  Deletes all the characters on the command line.
auto finish
  You need only enter enough letters to identify a command as unique. For example, entering "int G 0/0" at the configuration prompt provides you access to the configuration parameters for the specified Gigabit-Ethernet interface. Entering "interface GigabitEthernet 0/0" would work as well, but is not necessary.
Space Bar at the --More-- prompt
  Displays the next screen of output. You can configure the size of the displayed output, as described in ''Configuring Displayed Output Lines in CLI Terminal Window'' on page 74.
7.1.3 Common CLI Commands
The following table contains descriptions of common CLI commands.
Table 7-2: Common CLI Commands
Command
  Description
do
  Provides a way to execute commands in other command sets without taking the time to exit the current command set. The following example shows the do command, used to view the GigabitEthernet interface configuration while in the virtual-LAN interface command set:
    (config)# interface vlan 1
    (conf-if-VLAN 1)# do show interfaces GigabitEthernet 0/0
no
  Undoes an issued command or disables a feature. Enter no before the command:
    # no debug log
activate
  Activates a command. When you enter a configuration command in the CLI, the command is not applied until you enter the activate and exit commands.
  Note: Offline configuration changes require a reset of the device. A reset can be performed at the end of the configuration changes. A required reset is indicated by an asterisk (*) before the command prompt.
exit
  Leaves the current command-set and returns one level up. For online parameters, if the configuration was changed and no activate command was entered, the exit command applies the activate command automatically. If issued on the top level, the session ends:
    (config)# exit
    # exit
    (session closed)
display
  Displays the configuration of current configuration set.
help
  Displays a short help how-to string.
history
  Displays a list of previously run commands.
list
  Displays the available command list of the current command-set.
| <filter>
  Applied to a command output. The filter should be typed after the command with a pipe mark (|). Supported filters:
    include <word> - filter (print) lines which contain <word>
    exclude <word> - filter lines which do not contain <word>
    grep <options> - filter lines according to grep common Unix utility options
    egrep <options> - filter lines according to egrep common Unix utility options
    begin <word> - filter (print) lines which begin with <word>
    between <word1> <word2> - filter (print) lines which are placed between <word1> and <word2>
    count - show the output’s line count
  Example:
    # show system version | grep Number
    ;Serial Number: 2239835;Slot Number: 1
7.1.4 Configuring Tables in CLI
Throughout the CLI, many configuration elements are in table format, where each table row is represented by an index number. When you add a new row to a table, the device automatically assigns it the next consecutive, available index number. You can also specify an index number, if required. When you add a new table row, the device accesses the row's configuration mode.
Table rows are added using the new command:
# <table name> new
For example, if three rows are configured in the Account table (account-0, account-1, and account-2) and a new entry is subsequently added, account-3 is automatically created and its configuration mode is accessed:
(config-voip)# sip-definition account new
(account-3)#
You can also add a new table row to any specific index number, even if a row has already been configured for that index number. The row that was previously assigned that index number is subsequently incremented to the next index number, as well as all the index rows listed further down in the table.
To add a new table row to a specific index number, use the insert command:
# <table name> <index> insert
For example, if three rows are configured in the Account table (account-0, account-1, and account-2) and a new row is subsequently added with index 1, the previous account-1 becomes account-2 and the previous account-2 becomes account-3, and so on. The following command is run for this example:
(config-voip)# sip-definition account 1 insert
Note: This behavior when inserting table rows is applicable only to tables that do not
have "child" tables (sub-tables).
7.1.5 Understanding CLI Error Messages
The CLI provides feedback on commands by displaying informative messages:
Failure reason of a run command. The failure message is identical to the notification failure message sent by Syslog. For example, an invalid Syslog server IP address is displayed in the CLI as follows:
(logging)# syslog-ip 1111.1.1.1
Parameter 'SyslogServerIP' does NOT accept the IP-Address: 1111.1.1.1, illegal IPAddress.
Configuration failed
Command Failed!
"Invalid command" message: The command may not be valid in the current command mode, or you may not have entered sufficient characters for the command to be recognized. Use "?" to determine your error.
"Incomplete command" message: You may not have entered all of the pertinent information required to make the command valid. Use "?" to determine your error.

7.2 Enabling CLI

Access to the device's CLI through Telnet and SSH is disabled by default. This section describes how to enable these protocols.
7.2.1 Enabling Telnet for CLI
The following procedure describes how to enable Telnet. You can enable a secured Telnet that uses Secure Socket Layer (SSL) where information is not transmitted in the clear. If SSL is used, a special Telnet client is required on your PC to connect to the Telnet interface over a secured connection; examples include C-Kermit for UNIX and Kermit-95 for Windows.
For security, some organizations require the display of a proprietary notice upon starting a Telnet session. You can use the configuration ini file parameter, WelcomeMessage to configure such a message (see ''Creating a Login Welcome Message'' on page 49).
To enable Telnet:
1. Open the Telnet/SSH Settings page (Configuration tab > System menu >
Management > Telnet/SSH Settings).
2. Set the ‘Embedded Telnet Server’ parameter to Enable Unsecured or Enable Secured (i.e., SSL).
3. Configure the other Telnet parameters as required. For a description of these parameters, see ''Telnet Parameters'' on page 677.
4. Click Submit, and then reset the device with a burn-to-flash for your settings to take effect.
7.2.2 Enabling SSH with RSA Public Key for CLI
Unless configured for TLS, Telnet is not secure as it requires passwords to be transmitted in clear text. To overcome this, Secure SHell (SSH) is used, which is the de-facto standard for secure CLI. SSH 2.0 is a protocol built above TCP, providing methods for key exchange, authentication, encryption, and authorization.
SSH requires appropriate client software for the management PC. Most Linux distributions have OpenSSH pre-installed; Windows-based PCs require an SSH client software such as PuTTY, which can be downloaded from
http://www.chiark.greenend.org.uk/~sgtatham/putty
By default, SSH uses the same username and password as the Telnet and Web server. SSH supports 1024/2048-bit RSA public keys, providing carrier-grade security. Follow the instructions below to configure the device with an administrator RSA key as a means of strong authentication.
To enable SSH and configure RSA public keys for Windows (using PuTTY SSH
software):
1. Start the PuTTY Key Generator program, and then do the following:
a. Under the 'Parameters' group, do the following:
Select the SSH-2 RSA option.
In the 'Number of bits in a generated key' field, enter "1024" bits.
b. Under the 'Actions' group, click Generate and then follow the on-screen instructions.
c. Under the 'Actions' group, click Save private key to save the new private key to a file (*.ppk) on your PC.
d. Under the 'Key' group, select the displayed encoded text between "ssh-rsa" and "rsa-key-….", as shown in the example below:
Figure 7-1: Selecting Public RSA Key in PuTTY
2. Open the Telnet/SSH Settings page (Configuration tab > System menu > Management > Telnet/SSH Settings), and then do the following:
a. Set the 'Enable SSH Server' parameter to Enable.
b. Paste the public key that you copied in Step 1.d into the 'Admin Key' field, as shown below:
c. For additional security, you can set the 'Require Public Key' to Enable. This ensures that SSH access is only possible by using the RSA key and not by using user name and password.
e. Configure the other SSH parameters as required. For a description of these parameters, see ''SSH Parameters'' on page 711.
f. Click Submit.
3. Start the PuTTY Configuration program, and then do the following:
a. In the 'Category' tree, drill down to Connection, then SSH, and then Auth; the 'Options controlling SSH authentication' pane appears.
b. Under the 'Authentication parameters' group, click Browse and then locate the private key file that you created and saved in Step 4.
4. Connect to the device with SSH using the username "Admin"; RSA key negotiation occurs automatically and no password is required.
To configure RSA public keys for Linux (using OpenSSH 4.3):
1. Run the following command to create a new key in the admin.key file and to save the
public portion to the admin.key.pub file:
ssh-keygen -f admin.key -N "" -b 1024
2. Open the admin.key.pub file, and then copy the encoded string from "ssh-rsa" to the
white space.
3. Open the Telnet/SSH Settings page (Configuration tab > System menu >
Management > Telnet/SSH Settings), and then paste the value copied in Step 2 into
the 'Admin Key' field.
4. Click Submit.
5. Connect to the device with SSH, using the following command:
ssh -i admin.key xx.xx.xx.xx
where xx.xx.xx.xx is the device's IP address. RSA-key negotiation occurs automatically and no password is required.
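Before pasting a key into the 'Admin Key' field, it is useful to confirm which of the supported sizes (1024 or 2048 bits) the key actually has. The following check is an added example, not AudioCodes code: it extracts the encoded string that follows "ssh-rsa" and reads the modulus length from it. The function names, the 2048-bit minimum (an assumed local policy) and the sample keys (constructed with made-up moduli, not usable keys) are assumptions.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed local policy; the device accepts 1024- and 2048-bit keys


def read_field(blob, offset):
    """Read one length-prefixed field: 4-byte big-endian length, then the data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("field length exceeds key blob")
    return blob[start:end], end


def admin_key_field(pub_line):
    """Return the text for the 'Admin Key' field: the encoded string after "ssh-rsa"."""
    parts = pub_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    return parts[1]


def rsa_modulus_bits(encoded):
    """Decode the base64 blob (key type, exponent, modulus) and size the modulus."""
    blob = base64.b64decode(encoded, validate=True)
    key_type, offset = read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob is not ssh-rsa")
    _exponent, offset = read_field(blob, offset)
    modulus, offset = read_field(blob, offset)
    if offset != len(blob):
        raise ValueError("trailing data after modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_admin_key(pub_line):
    encoded = admin_key_field(pub_line)
    bits = rsa_modulus_bits(encoded)
    return {"admin_key": encoded, "bits": bits, "meets_policy": bits >= MIN_RSA_BITS}


def constructed_pub_line(bits, comment):
    """Build a well-formed ssh-rsa line around a made-up modulus (sample input only)."""
    def mpint(n):
        raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # room for the sign bit
        return struct.pack(">I", len(raw)) + raw
    modulus = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    for size in (1024, 2048):
        result = check_admin_key(constructed_pub_line(size, "admin@constructed"))
        print(size, result["bits"], "ok" if result["meets_policy"] else "below policy")
```

The same check applies to the text copied from the PuTTY Key Generator window if "ssh-rsa " is put back in front of it.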

7.3 Establishing a CLI Session

The device's CLI can be accessed using any of the following methods:
RS-232: The device can be accessed through its RS-232 serial port, by connecting a VT100 terminal to it or using a terminal emulation program (e.g., HyperTerminal) with a PC. For connecting to the CLI through RS-232, see ''CLI'' on page 31.
Secure SHell (SSH): The device can be accessed through its Ethernet interface by the SSH protocol using SSH client software. A popular and freeware SSH client software is Putty, which can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.
Telnet: The device can be accessed through its Ethernet interface by the Telnet protocol using Telnet client software.
The following procedure describes how to access the CLI through Telnet/SSH.
Note: The CLI login credentials are the same as all the device's other management interfaces (such as Web interface). The default username and password is "Admin" and "Admin" (case-sensitive), respectively. For configuring login credentials, see ''Configuring Web User Accounts'' on page 54.
To establish a CLI session with the device:
1. Connect the device to the network.
2. Establish a Telnet or SSH session using the device's OAMP IP address.
3. Log in to the session using the username and password assigned to the Admin user of
the Web interface:
a. At the Username prompt, type the username, and then press Enter:
Username: Admin
b. At the Password prompt, type the password, and then press Enter:
Password: Admin
c. At the prompt, type the following, and then press Enter:
> enable
d. At the prompt, type the password again, and then press Enter:
Password: Admin

7.4 Configuring Maximum Telnet/SSH Sessions

You can set the maximum (up to five) number of concurrent Telnet/SSH sessions permitted on the device.
Note: Before changing this setting, make sure that not more than this number of
sessions are currently active; otherwise, the new setting will not take effect.
To configure the maximum number of concurrent Telnet/SSH sessions:
1. Open the Telnet/SSH Settings page (Configuration tab > System menu >
Management > Telnet/SSH Settings).
2. In the 'Maximum Telnet Sessions' field, enter the maximum number of concurrent
sessions.
3. Click Submit.

7.5 Viewing and Terminating Current CLI Sessions

You can view and terminate users that are currently logged in to the device's CLI. This applies to users logged in to the CLI through RS-232 (console), Telnet, or SSH. For each logged-in user, the following is displayed: the type of interface (console, Telnet, or SSH), user's username, remote IP address from where the user logged in, and the duration (days and time) of the session. Each user is displayed with a unique index (session ID).
To view currently logged-in CLI users:
# show users
[0] console Admin local 0d00h03m15s
[1] telnet John 10.4.2.1 0d01h03m47s
[2]* ssh Alex 192.168.121.234 12d00h02m34s
The current session from which this show command was run is displayed with an asterisk (*).
Note: The device can display management sessions of up to 24 hours. After this time, the duration counter is reset.
To end the CLI session of a specific CLI user:
# clear user <session ID>
When this command is run, it ends the Telnet/SSH session (logs out the RS-232 session) and displays the CLI login prompt.
Note: The session from which the command is run cannot be terminated.

7.6 Configuring Displayed Output Lines in CLI Terminal Window

You can configure the maximum number of lines (height) displayed in the terminal window for the output of CLI commands (Telnet and SSH). The number of displayed lines can be specified from 0 to 65,535, or determined by re-sizing the terminal window by mouse-dragging the window's border.
To configure a specific number of output lines:
(config-system)# cli-terminal
<cli-terminal># window-height [0-65535]
If window-height is set to 0, the entire command output is displayed. In other words, even if the output extends beyond the visible terminal window length, the --MORE-- prompt is not displayed.
To configure the number of lines according to dragged terminal window:
(config-system)# cli-terminal
<cli-terminal># window-height automatic
When this mode is configured, each time you change the height of the terminal window using your mouse (i.e., dragging one of the window's borders or corners), the number of displayed output command lines is changed accordingly.

8 SNMP-Based Management

The device provides an embedded SNMP Agent that allows it to be managed by AudioCodes Element Management System (EMS) or a third-party SNMP Manager (e.g., element management system). The SNMP Agent supports standard Management Information Base (MIBs) and proprietary MIBs, enabling a deeper probe into the interworking of the device. The SNMP Agent can also send unsolicited events (SNMP traps) towards the SNMP Manager. All supported MIB files are supplied to customers as part of the release.
AudioCodes EMS is an advanced solution for standards-based management that covers all areas vital for the efficient operation, administration, management and provisioning (OAM&P) of the device. The standards-compliant EMS uses distributed SNMP-based management software, optimized to support day-to-day Network Operation Center (NOC) activities, offering a feature-rich management framework. It supports fault management, configuration and security.
This section provides configuration relating to SNMP management.
Notes:
SNMP-based management is enabled by default. For disabling it, see ''Enabling SNMP and Configuring SNMP Community Strings'' on page 75.
For more information on the device's SNMP support (e.g., SNMP traps), refer to the SNMP User's Guide.
EMS support is available only if the device is installed with a Software License Key that includes this feature. For installing a Software License Key, see ''Software License Key'' on page 559.
For more information on using the EMS tool, refer to the EMS User's Manual and EMS Server IOM Manual.

8.1 Enabling SNMP and Configuring SNMP Community Strings

The SNMP Community String page lets you configure up to five read-only and up to five read-write SNMP community strings and to configure the community string that is used for sending traps.
For detailed descriptions of the SNMP parameters, see ''SNMP Parameters'' on page 678.
To configure SNMP community strings:
1. Open the SNMP Community String page (Configuration tab > System menu >
Management > SNMP > SNMP Community String).
2. Configure SNMP community strings according to the table below.
3. Click Submit, and then save ("burn") your settings to flash memory.
To delete a community string, select the Delete check box corresponding to the community string that you want to delete, and then click Submit.
Table 8-1: SNMP Community String Parameter Descriptions
Parameter
  Description
Community String
  Read Only [SNMPReadOnlyCommunityString_x]: Up to five read-only community strings (up to 19 characters each). The default string is 'public'.
  Read / Write [SNMPReadWriteCommunityString_x]: Up to five read / write community strings (up to 19 characters each). The default string is 'private'.
Trap Community String
CLI: configure system > snmp trap > community-string
[SNMPTrapCommunityString]
  Community string used in traps (up to 19 characters). The default string is 'trapuser'.

8.2 Configuring SNMP Trap Destinations

The SNMP Trap Destinations page allows you to configure up to five SNMP trap managers. You can associate a trap destination with SNMPv2 users and specific SNMPv3 users. Associating a trap destination with SNMPv3 users sends encrypted and authenticated traps to the SNMPv3 destination. By default, traps are sent unencrypted using SNMPv2.
To configure SNMP trap destinations:
1. Open the SNMP Trap Destinations page (Configuration tab > System menu >
Management > SNMP > SNMP Trap Destinations).
Figure 8-1: SNMP Trap Destinations Page
2. Configure the SNMP trap manager parameters according to the table below.
3. Select the check box corresponding to the SNMP Manager that you wish to enable.
4. Click Submit.
Note: Only row entries whose corresponding check boxes are selected are applied when clicking Submit; otherwise, settings revert to their defaults.
Table 8-2: SNMP Trap Destinations Parameters Description
Parameter
  Description
Web: SNMP Manager
[SNMPManagerIsUsed_x]
  Enables the SNMP Manager to receive traps and checks the validity of the configured destination (IP address and port number).
  [0] (check box cleared) = (Default) Disables SNMP Manager
  [1] (check box selected) = Enables SNMP Manager
Web: IP Address
[SNMPManagerTableIP_x]
  Defines the IP address (in dotted-decimal notation, e.g., 108.10.1.255) of the remote host used as the SNMP Manager. The device sends SNMP traps to this IP address.
Trap Port
[SNMPManagerTrapPort_x]
  Defines the port number of the remote SNMP Manager. The device sends SNMP traps to this port.
  The valid value range is 100 to 4000. The default is 162.
Web: Trap User
[SNMPManagerTrapUser]
  Associates a trap user with the trap destination. This determines the trap format, authentication level, and encryption level.
  v2cParams (default) = SNMPv2 user community string
  SNMPv3 user configured in ''Configuring SNMP V3 Users'' on page 79
Trap Enable
[SNMPManagerTrapSendingEnable_x]
  Activates the sending of traps to the SNMP Manager.
  [0] Disable
  [1] Enable (Default)

8.3 Configuring SNMP Trusted Managers

The SNMP Trusted Managers table lets you configure up to five SNMP Trusted Managers based on IP addresses. By default, the SNMP agent accepts SNMP Get and Set requests from any IP address as long as the correct community string is used in the request. Security can be enhanced by using Trusted Managers; a Trusted Manager is an IP address from which the SNMP agent accepts and processes SNMP requests.
The following procedure describes how to configure SNMP trusted managers in the Web interface. You can also configure this using the table ini file parameter, SNMPTrustedMgr_x or CLI command, configure system > snmp > trusted-managers.
To configure SNMP Trusted Managers:
1. Open the SNMP Trusted Managers page (Configuration tab > System menu >
Management > SNMP > SNMP Trusted Managers).
Figure 8-2: SNMP Trusted Managers
2. Select the check box corresponding to the SNMP Trusted Manager that you want to enable and for whom you want to define an IP address.
3. Define an IP address in dotted-decimal notation.
4. Click Submit, and then save ("burn") your settings to flash memory.

8.4 Configuring SNMP V3 Users

The SNMP v3 Users table lets you configure up to 10 SNMP v3 users for authentication and privacy.
The following procedure describes how to configure SNMP v3 users in the Web interface. You can also configure this using the table ini file parameter, SNMPUsers or CLI command, configure system > snmp v3-users.
To configure an SNMP v3 user:
1. Open the SNMP v3 Users page (Configuration tab > System menu > Management
> SNMP > SNMP V3 Users).
2. Click Add; the following dialog box appears:
Figure 8-3: SNMP V3 Setting Page - Add Record Dialog Box
3. Configure the SNMP V3 Setting parameters according to the table below.
4. Click Submit, and then save ("burn") your settings to flash memory.
Note: If you delete a user that is associated with a trap destination (see ''Configuring SNMP Trap Destinations'' on page 76), the configured trap destination becomes disabled and the trap user reverts to default (i.e., SNMPv2).
Table 8-3: SNMP V3 Users Parameters
Parameter
  Description
Index
[SNMPUsers_Index]
  Defines an index number for the new table record.
  Note: Each table row must be configured with a unique index.
User Name
CLI: username
[SNMPUsers_Username]
  Name of the SNMP v3 user. This name must be unique.
Authentication Protocol
CLI: auth-protocol
[SNMPUsers_AuthProtocol]
  Authentication protocol of the SNMP v3 user.
  [0] None (default)
  [1] MD5
  [2] SHA-1
Privacy Protocol
CLI: priv-protocol
[SNMPUsers_PrivProtocol]
  Privacy protocol of the SNMP v3 user.
  [0] None (default)
  [1] DES
  [2] 3DES
  [3] AES-128
  [4] AES-192
  [5] AES-256
Authentication Key
CLI: auth-key
[SNMPUsers_AuthKey]
  Authentication key. Keys can be entered in the form of a text password or long hex string. Keys are always persisted as long hex strings and keys are localized.
Privacy Key
CLI: priv-key
[SNMPUsers_PrivKey]
  Privacy key. Keys can be entered in the form of a text password or long hex string. Keys are always persisted as long hex strings and keys are localized.
Group
CLI: group
[SNMPUsers_Group]
  The group with which the SNMP v3 user is associated.
  [0] Read-Only (default)
  [1] Read-Write
  [2] Trap
  Note: All groups can be used to send traps.
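The defaults in Tables 8-1 and 8-3 ('public', 'private', 'trapuser', no Trusted Managers, v3 users with no authentication or privacy) are the settings most worth reviewing on a deployed device. The following audit is an added example, not AudioCodes code: it checks a configuration, supplied as Python values keyed by the ini parameter names from this chapter, against those documented defaults. The function names, the treatment of unset strings and empty Trusted Manager rows, and both sample configurations (constructed) are assumptions.

```python
import re

# Defaults and enumerations as listed in Tables 8-1 and 8-3 of this chapter.
DEFAULT_COMMUNITY = {
    "SNMPReadOnlyCommunityString": "public",
    "SNMPReadWriteCommunityString": "private",
    "SNMPTrapCommunityString": "trapuser",
}
MAX_COMMUNITY_LEN = 19
AUTH_PROTOCOL = {0: "None", 1: "MD5", 2: "SHA-1"}
PRIV_PROTOCOL = {0: "None", 1: "DES", 2: "3DES", 3: "AES-128", 4: "AES-192", 5: "AES-256"}
GROUP = {0: "Read-Only", 1: "Read-Write", 2: "Trap"}


def base_name(param):
    """SNMPReadOnlyCommunityString_0 -> SNMPReadOnlyCommunityString."""
    return re.sub(r"_\d+$", "", param)


def audit_communities(params):
    findings, seen = [], set()
    for name, value in sorted(params.items()):
        base = base_name(name)
        if base not in DEFAULT_COMMUNITY:
            continue
        seen.add(base)
        if value == DEFAULT_COMMUNITY[base]:
            findings.append((name, "documented default %r still in use" % value))
        if len(value) > MAX_COMMUNITY_LEN:
            findings.append((name, "longer than %d characters" % MAX_COMMUNITY_LEN))
    # Assumption: a string that is not set at all falls back to the documented default.
    for base in sorted(set(DEFAULT_COMMUNITY) - seen):
        findings.append((base, "not set; documented default %r applies" % DEFAULT_COMMUNITY[base]))
    return findings


def audit_trusted_managers(params):
    # Assumption: an empty value or 0.0.0.0 means the row is unused.
    managers = [v for k, v in params.items()
                if base_name(k) == "SNMPTrustedMgr" and v.strip() not in ("", "0.0.0.0")]
    if managers:
        return []
    return [("SNMPTrustedMgr_x", "no Trusted Managers; Get/Set accepted from any IP address")]


def audit_v3_users(users):
    findings = []
    for row in users:
        who = "SNMPUsers %s (%s)" % (row["SNMPUsers_Index"], row["SNMPUsers_Username"])
        auth = int(row.get("SNMPUsers_AuthProtocol", 0))   # [0] None is the default
        priv = int(row.get("SNMPUsers_PrivProtocol", 0))   # [0] None is the default
        group = GROUP[int(row.get("SNMPUsers_Group", 0))]
        if auth == 0:
            findings.append((who, "%s user without authentication" % group))
        elif AUTH_PROTOCOL[auth] == "MD5":
            findings.append((who, "MD5 authentication; SHA-1 is available"))
        if priv == 0:
            findings.append((who, "%s user without privacy (no encryption)" % group))
        elif PRIV_PROTOCOL[priv] == "DES":
            findings.append((who, "DES privacy; AES options are available"))
    return findings


def audit(params, users):
    return audit_communities(params) + audit_trusted_managers(params) + audit_v3_users(users)


# Constructed configurations (not taken from any device).
WEAK_PARAMS = {
    "SNMPReadOnlyCommunityString_0": "public",
    "SNMPReadWriteCommunityString_0": "private",
}
WEAK_USERS = [
    {"SNMPUsers_Index": 0, "SNMPUsers_Username": "ops", "SNMPUsers_AuthProtocol": 1,
     "SNMPUsers_PrivProtocol": 0, "SNMPUsers_Group": 1},
]
HARDENED_PARAMS = {
    "SNMPReadOnlyCommunityString_0": "constructed-ro-01",
    "SNMPReadWriteCommunityString_0": "constructed-rw-01",
    "SNMPTrapCommunityString": "constructed-trap",
    "SNMPTrustedMgr_0": "10.13.2.69",
}
HARDENED_USERS = [
    {"SNMPUsers_Index": 0, "SNMPUsers_Username": "ops", "SNMPUsers_AuthProtocol": 2,
     "SNMPUsers_PrivProtocol": 5, "SNMPUsers_Group": 1},
]

if __name__ == "__main__":
    for target, issue in audit(WEAK_PARAMS, WEAK_USERS):
        print("%-34s %s" % (target, issue))
    print("hardened findings:", audit(HARDENED_PARAMS, HARDENED_USERS))
```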

9 INI File-Based Management

The device can be configured using an ini file, which is a text-based file with an ini file extension name that can be created using any standard text-based editor such as Notepad. Each configuration element of the device has a corresponding ini file parameter that you can use in the ini file for configuring the device. When you have created the ini file with your ini file parameter settings, you apply these settings to the device by installing (loading) the ini file to the device.
Notes:
For a list and description of the ini file parameters, see ''Configuration Parameters Reference'' on page 673.
To restore the device to default settings using the ini file, see ''Restoring Factory Defaults'' on page 583.

9.1 INI File Format

The ini file can be configured with any number of parameters. These ini file parameters can be one of the following types:
Individual parameters - see ''Configuring Individual ini File Parameters'' on page 81
Table parameters - see ''Configuring Table ini File Parameters'' on page 81
9.1.1 Configuring Individual ini File Parameters
The syntax for configuring individual ini file parameters in the ini file is as follows:
An optional, subsection name (or group name) enclosed in square brackets "[...]". This is used to conveniently group similar parameters by their functionality.
Parameter name, followed by an equal "=" sign and then its value.
Comments must be preceded by a semicolon ";".
[subsection name]
parameter name = value
parameter name = value
; this is a comment line
; for example:
[System Parameters]
SyslogServerIP = 10.13.2.69
EnableSyslog = 1
For general ini file formatting rules, see ''General ini File Formatting Rules'' on page 83.
9.1.2 Configuring Table ini File Parameters
The table ini file parameters allow you to configure tables, which include multiple parameters (columns) and row entries (indices). When loading an ini file to the device, it's recommended to include only tables that belong to applications that are to be configured (dynamic tables of other applications are em pty, but static tables are not).
The table ini file parameter is composed of the following elements:
Title of the table: The name of the table in square brackets, e.g., [MY_TABLE_NAME].
Format line: Specifies the columns of the table (by their string names) that are to be configured.
The first word of the Format line must be "FORMAT", followed by the Index field name and then an equal "=" sign. After the equal sign, the names of the columns are listed.
Columns must be separated by a comma ",".
The Format line must only include columns that can be modified (i.e., parameters that are not specified as read-only). An exception is Index fields, which are mandatory.
The Format line must end with a semicolon ";".
Data line(s): Contain the actual values of the columns (parameters). The values are interpreted according to the Format line.
The first word of the Data line must be the table's string name followed by the Index field.
Columns must be separated by a comma ",".
A Data line must end with a semicolon ";".
End-of-Table Mark: Indicates the end of the table. The same string used for the table's title, preceded by a backslash "\", e.g., [\MY_TABLE_NAME].
The following displays an example of the structure of a table ini file parameter.
[Table_Title]
; This is the title of the table.
FORMAT Index = Column_Name1, Column_Name2, Column_Name3;
; This is the Format line.
Index 0 = value1, value2, value3;
Index 1 = value1, $$, value3;
; These are the Data lines.
[\Table_Title]
; This is the end-of-the-table-mark.
The table ini file parameter formatting rules are listed below:
Indices (in both the Format and the Data lines) must appear in the same order. The Index field must never be omitted.
The Format line can include a subset of the configurable fields in a table. In this case, all other fields are assigned with the pre-defined default values for each configured line.
The order of the fields in the Format line isn't significant (as opposed to the Index fields). The fields in the Data lines are interpreted according to the order specified in the Format line.
The double dollar sign ($$) in a Data line indicates the default value for the parameter.
The order of the Data lines is insignificant.
Data lines must match the Format line, i.e., it must contain exactly the same number of Indices and Data fields and must be in exactly the same order.
A row in a table is identified by its table name and Index field. Each such row may appear only once in the ini file.
Table dependencies: Certain tables may depend on other tables. For example, one table may include a field that specifies an entry in another table. This method is used to specify additional attributes of an entity, or to specify that a given entity is part of a larger entity. The tables must appear in the order of their dependency (i.e., if Table X is referred to by Table Y, Table X must appear in the ini file before Table Y).
For general ini file formatting rules, see ''General ini File Formatting Rules'' on page 83.
The table below displays an example of a table ini file parameter:
[ CodersGroup0 ]
FORMAT CodersGroup0_Index = CodersGroup0_Name, CodersGroup0_pTime, CodersGroup0_rate, CodersGroup0_PayloadType, CodersGroup0_Sce;
CodersGroup0 0 = g711Alaw64k, 20, 0, 255, 0;
CodersGroup0 1 = eg711Ulaw, 10, 0, 71, 0;
[ \CodersGroup0 ]
Note: Do not include read-only parameters in the table ini file parameter as this can cause an error when attempting to load the file to the device.
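As an added example (not AudioCodes code and not part of the manual), the Python code below checks table ini parameters against the rules above before a file is loaded: title and end-of-table mark, Format line, terminating semicolon, field count, and one row per index. The names parse_ini_tables, GOOD and BAD, the MY_TABLE sample and the value changed to $$ in the CodersGroup0 sample are constructed for illustration.

```python
import re

TITLE_RE = re.compile(r"^\[\s*(\\?)\s*(\w+)\s*\]$")  # [Name] or [\Name]


def parse_ini_tables(text):
    """Return (tables, errors) for the table parameters found in ini text.

    tables: {table name: {index: {column: value}}}; a value of None stands
            for "$$" (let the device apply the column's default).
    errors: [(line number, message)] for lines that break the table rules.
    Limitation: values that themselves contain ',' or ';' are not handled.
    """
    tables, errors = {}, []
    current = columns = None  # open section name; columns of its Format line
    lineno = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or remark
        title = TITLE_RE.match(line)
        if title:
            closing, name = title.group(1) == "\\", title.group(2)
            if closing:
                if columns is None or name.lower() != current.lower():
                    errors.append((lineno, f"end mark [\\{name}] has no open table"))
                current = columns = None
            else:
                if columns is not None:
                    errors.append((lineno, f"table {current} has no end-of-table mark"))
                current, columns = name, None
            continue
        is_format = line.split(None, 1)[0].upper() == "FORMAT"
        if current is None or (columns is None and not is_format):
            continue  # individual parameter, not a table line
        body, terminator, _ = line.partition(";")
        if not terminator:
            errors.append((lineno, "line must end with ';'"))
            continue
        left, equals, right = body.partition("=")
        head = left.split()
        fields = [f.strip() for f in right.split(",")]
        if not equals or len(head) != 2:
            errors.append((lineno, "expected '<name> <index> = v1, v2, ...;'"))
        elif is_format:
            columns = fields
            tables.setdefault(current, {})
        elif head[0].lower() != current.lower():  # names are not case-sensitive
            errors.append((lineno, f"Data line must start with {current}"))
        elif len(fields) != len(columns):
            errors.append((lineno, f"{len(fields)} fields, Format line has {len(columns)}"))
        elif head[1] in tables[current]:
            errors.append((lineno, f"row {current} {head[1]} appears more than once"))
        else:
            tables[current][head[1]] = {
                col: (None if val == "$$" else val)
                for col, val in zip(columns, fields)
            }
    if columns is not None:
        errors.append((lineno, f"table {current} has no end-of-table mark"))
    return tables, errors


# Based on the manual's CodersGroup0 example; one value replaced by $$ (constructed).
GOOD = r"""
[ CodersGroup0 ]
FORMAT CodersGroup0_Index = CodersGroup0_Name, CodersGroup0_pTime, CodersGroup0_rate, CodersGroup0_PayloadType, CodersGroup0_Sce;
CodersGroup0 0 = g711Alaw64k, 20, 0, 255, 0;
CodersGroup0 1 = eg711Ulaw, 10, $$, 71, 0;
[ \CodersGroup0 ]
"""

# Constructed table that breaks four of the rules (lines 5 to 8).
BAD = r"""
[MY_TABLE]
FORMAT MY_TABLE_Index = MY_TABLE_A, MY_TABLE_B;
MY_TABLE 0 = 1, 2;
MY_TABLE 0 = 3, 4;
MY_TABLE 1 = 5;
MY_TABLE 2 = 6, 7
OTHER 3 = 8, 9;
[\MY_TABLE]
"""

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        parsed, problems = parse_ini_tables(sample)
        print(label, "rows:", {t: sorted(r) for t, r in parsed.items()})
        for number, message in problems:
            print(f"  line {number}: {message}")
```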
9.1.3 General ini File Formatting Rules
The ini file must adhere to the following formatting rules:
The ini file name must not include hyphens "-" or spaces; if necessary, use an underscore "_" instead.
Lines beginning with a semi-colon ";" are ignored. These can be used for adding remarks in the ini file.
A carriage return (i.e., Enter) must be done at the end of each line.
The number of spaces before and after the equals sign "=" is irrelevant.
Subsection names for grouping parameters are optional.
If there is a syntax error in the parameter name, the value is ignored.
Syntax errors in the parameter's value can cause unexpected errors (parameters may be set to the incorrect values).
Parameter string values that denote file names (e.g., CallProgressTonesFileName) must be enclosed with inverted commas, e.g., CallProgressTonesFileName = 'cpt_usa.dat'.
The parameter name is not case-sensitive.
The parameter value is not case-sensitive, except for coder names.
The ini file must end with at least one carriage return.

9.2 Configuring an ini File

There are different methods that you can use for configuring the ini file before you load it to the device.
Modifying the device's current ini file. This method is recommended if you mainly need
to change the settings of parameters that you have previously configured.
1. Save the device's current configuration as an ini file on your computer, using the
Web interface (see ''Saving Configuration'' on page 530).
2. Open the file using a text file editor, and then modify the ini file as required.
3. Save and close the file.
4. Load the file to the device.
Creating a new ini file that includes only updated configuration:
1. Open a text file editor such as Notepad.
2. Add only the required parameters and their settings.
3. Save the file with the ini file extension name (e.g., myconfiguration.ini).
4. Load the file to the device.
For loading the ini file to the device, see ''Loading an ini File to the Device'' on page 84.
Note: To restore the device to default settings using the ini file, see ''Restoring
Factory Defaults'' on page 583.

9.3 Loading an ini File to the Device

You can load an ini file to the device using the following methods:
CLI:
Voice Configuration: # copy voice-configuration from <URL>
Web interface:
Load Auxiliary Files page (see ''Loading Auxiliary Files'' on page 537): The device updates its configuration according to the loaded ini file, while preserving the remaining current configuration.
Configuration File page (see ''Backing Up and Loading Configuration File'' on page 567): The device updates its configuration according to the loaded ini file, and applies default values to parameters that were not included in the loaded ini file. Thus, all previous configuration is overridden.
When you load an ini file to the device, its configuration settings are saved to the device's non-volatile memory.
Note: Before you load an ini file to the device, make sure that the file extension name
is .ini.

9.4 Secured Encoded ini File

The ini file contains sensitive information that is required for the functioning of the device. The file may be loaded to the device using HTTP. HTTP is not a secure protocol and is vulnerable to potential hackers. To overcome this security threat, the AudioCodes DConvert utility allows you to binary-encode (encrypt) the ini file before loading it to the device. For more information, refer to the DConvert Utility User's Guide.
Note: If you save an ini file from the device to a folder on your PC, an ini file that was
loaded to the device encoded is saved as a regular ini file (i.e., unencoded).

9.5 Configuring Password Display in ini File

Passwords can be displayed in the ini file in one of the following formats, configured by the INIPasswordsDisplayType ini file parameter:
Obscured: The password characters are concealed and displayed as encoded. The
password is displayed using the syntax, $1$<obscured password>, for example, $1$S3p+fno=.
Hidden: the password is replaced with an asterisk (*).
When you save an ini file from the device to a PC, the passwords are displayed according to the enabled format. When you load an ini file to the device, obscured passwords are parsed and applied to the device; hidden passwords are ignored.
By default, the enabled format is obscured passwords, thus enabling their full recovery in case of configuration restore or copy to another device.
When obscured password mode is enabled, you can enter a password in the ini file using any of the following formats:
$1$<obscured password>: Password in obscured format as generated by the device; useful for restoring device configuration and copying configuration from one device to another.
$0$<plain text>: Password can be entered in plain text; useful for configuring a new password. When the ini file is loaded to the device and then later saved from the device to a PC, the password is displayed obscured (i.e., $1$<obscured password>).

9.6 INI Viewer and Editor Utility

AudioCodes INI Viewer & Editor utility provides a user-friendly graphical user interface (GUI) that lets you easily view and modify the device's ini file. This utility is available from AudioCodes Web site at www.AudioCodes.com/downloads, and can be installed on any Windows-based PC.
For more information, refer to the INI Viewer & Editor User's Guide.
Part III: General System Settings

10 Configuring Certificates

The TLS Contexts page lets you configure X.509 certificates, which are used for secure management of the device, secure SIP transactions, and other security applications.
Notes:
The device is shipped with an active, default TLS setup. Thus, configure certificates only if required.
Since X.509 certificates have an expiration date and time, you must configure the device to use Network Time Protocol (NTP) to obtain the current date and time from an NTP server. Without the correct date and time, client certificates cannot work. For configuring NTP, see Configuring Automatic Date and Time using SNTP on page 101.

10.1.1 Configuring TLS Certificate Contexts

The TLS Contexts table lets you configure up to 12 TLS certificates, referred to as TLS Contexts. The Transport Layer Security (TLS), also known as Secure Socket Layer (SSL), is used to secure the device's SIP signaling connections, Web interface, and Telnet server. The TLS/SSL protocol provides confidentiality, integrity, and authenticity between two communicating applications over TCP/IP.
The device is shipped with a default TLS Context (ID 0 and string name "default"), which includes a self-generated random private key and a self-signed server certificate. The subject name for the default certificate is "ACL_nnnnnnn", where nnnnnnn denotes the serial number of the device. The default TLS Context can be used for SIP over TLS (SIPS) or any other supported application such as Web (HTTPS), Telnet, and SSH. The default TLS Context cannot be deleted.
The user-defined TLS Contexts are used only for SIP over TLS (SIPS). This enables you to use different TLS certificates for your IP Groups (SIP entities). This is done by assigning a specific TLS Context to the Proxy Set and/or SIP Interface associated with the IP Group.
Each TLS Context can be configured with the following:
Context ID and name
TLS version - SSL 2.0 (only for TLS handshake), SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
Encryption ciphers for server and client - DES, RC4 compatible, Advanced Encryption Standard (AES)
Online Certificate Status Protocol (OCSP). Some Public-Key Infrastructures (PKI) can revoke a certificate after it has been issued. You can configure the device to check whether a peer's certificate has been revoked, using the OCSP. When OCSP is enabled, the device queries the OCSP server for revocation information whenever a peer certificate is received (IPSec, TLS client mode, or TLS server mode with mutual authentication).
Private key - externally created and then uploaded to device
X.509 certificates - self-signed certificates or signed as a result of a certificate signing request (CSR)
Trusted root certificate authority (CA) store (for validating certificates)
When the device establishes a TLS connection (handshake) with a SIP user agent (UA), the TLS Context is determined as follows:
Incoming calls:
1. Proxy Set: If the incoming call is successfully classified to an IP Group based on
Proxy Set (i.e., IP address of calling party) and the Proxy Set is configured for TLS ('Transport Type' parameter is set to TLS), the TLS Context assigned to the Proxy Set is used. For configuring Proxy Sets, see Configuring Proxy Sets on page 270.
2. SIP Interface: If the Proxy Set is either not configured for TLS (i.e., the 'Transport
Type' parameter is set to UDP) or not assigned a TLS Context, and/or classification to a Proxy Set fails, the device uses the TLS Context assigned to the SIP Interface used for the call. For configuring SIP Interfaces, see Configuring SIP Interfaces on page 256.
3. Default TLS Context (ID 0): If the SIP Interface is not assigned a TLS Context or
no SIP Interface is used for the call, the device uses the default TLS Context.
Outgoing calls:
1. Proxy Set: If the outgoing call is sent to an IP Group associated with a Proxy Set
that is assigned a TLS Context and the Proxy Set is configured for TLS (i.e., 'Transport Type' parameter is set to TLS), the TLS Context is used. If the 'Transport Type' parameter is set to UDP, the device uses UDP to communicate with the proxy and no TLS Context is used.
2. SIP Interface: If the Proxy Set is not assigned a TLS Context, the device uses the TLS Context assigned to the SIP Interface used for the call.
3. Default TLS Context (ID 0): If the SIP Interface is not assigned a TLS Context or no SIP Interface is used for the call, the device uses the default TLS Context.
Notes:
If the TLS Context used for an existing TLS connection is changed during the call
by the user agent, the device ends the connection.
The device does not query OCSP for its own certificate.
Some PKIs do not support OCSP, but generate Certificate Revocation Lists (CRLs). For such scenarios, set up an OCSP server such as OCSPD.
TLS Context certification also enables employing different levels of security strength (key size) per certificate. This feature also enables the display of the list of all trusted certificates currently installed on the device. For each certificate, detailed information such as issuer and expiration date is shown. Certificates can be deleted or added from/to the Trusted Root Certificate Store.
You can also configure TLS certificate expiry check, whereby the device periodically checks the validation date of the installed TLS server certificates and sends an SNMP trap event if a certificate is nearing expiry. This feature is configured globally for all TLS Contexts. For configuring TLS certificate expiry check, see 'Configuring TLS Server Certificate Expiry Check' on page 100.
The following procedure describes how to configure a TLS Context in the Web interface. You can also configure this using the table ini file parameter, TLSContexts or CLI command, configure system > tls <ID>.
To configure a TLS Context:
1. Open the TLS Contexts page (Configuration tab > System menu > TLS Contexts).
2. Click Add; the following dialog box appears:
Figure 10-1: TLS Contexts Table - Add Record Dialog Box
3. Configure the TLS Context according to the parameters described in the table below.
4. Click Submit, and then save ("burn") your settings to flash memory.
TLS Context Parameter Descriptions
Parameter / Description

Web: Index
CLI: tls <ID>
[TLSContexts_Index]
Defines an index number for the new table record.
Note: Each table row must be configured with a unique index.

Web: Name
CLI: name
[TLSContexts_Name]
Defines an arbitrary name to easily identify the TLS Context. The valid value is a string of up to 31 characters.

Web: Version
CLI: tls-version
[TLSContexts_TLSVersion]
Defines the supported SSL/TLS protocol version.
[0] 0 = (Default) SSL 3.0 and all TLS versions (1.0, 1.1, and 1.2) are supported. SSL/TLS handshakes always start with an SSL 2.0-compatible handshake and then switch to the highest TLS version supported by both peers.
[1] 1 = Only TLS 1.0 is used. Clients attempting to contact the device using any other version are rejected.

Web: Ciphers Server
CLI: ciphers-server
[TLSContexts_ServerCipherString]
Defines the supported cipher suite for the TLS server (in OpenSSL cipher list format).
For valid values, refer to URL http://www.openssl.org/docs/apps/ciphers.html. The default is "AES:RC4".
For example, use "ALL" for all ciphers suites (e.g., for ARIA encryption for TLS). The only ciphers available are RC4 and DES, and the cipher bit strength is limited to 56 bits.
Notes:
If the installed Software License Key includes the Strong Encryption feature, the default of this parameter is changed to RC4:EXP, enabling RC-128-bit encryption.
The value "ALL" can be used only if the installed Software License Key includes the Strong Encryption feature.

Web: Ciphers Client
CLI: ciphers-client
[TLSContexts_ClientCipherString]
Defines the supported cipher suite for TLS clients. The valid value is up to 255 strings (e.g., "EXP"). The default is "ALL:!ADH". For possible values and additional details, refer to http://www.openssl.org/docs/apps/ciphers.html.

Web: Ocsp Server
CLI: ocsp-server
[TLSContexts_OcspEnable]
Enables or disables certificate checking using OCSP.
[0] Disable (default)
[1] Enable

Web: Ocsp Server Primary
CLI: ocsp-server-primary
[TLSContexts_OcspServerPrimary]
Defines the IP address (in dotted-decimal notation) of the primary OCSP server.
The default IP address is 0.0.0.0.

Web: Ocsp Server Secondary
CLI: ocsp-server-secondary
[TLSContexts_OcspServerSecondary]
Defines the IP address (in dotted-decimal notation) of the secondary OCSP server (optional).
The default IP address is 0.0.0.0.

Web: Ocsp Port
CLI: ocsp-port
[TLSContexts_OcspServerPort]
Defines the OCSP server's TCP port number. The default port number is 2560.

Web: Ocsp Default Response
CLI: ocsp-default-response
[TLSContexts_OcspDefaultResponse]
Determines whether the device allows or rejects peer certificates if it cannot connect to the OCSP server.
[0] Reject (default)
[1] Allow
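An added example (not from the manual or from AudioCodes): Python code that reviews TLSContexts rows, given as dictionaries keyed by the ini column names above, and reports settings that accept SSL 3.0, admit RC4, 56-bit DES or export-grade ciphers, or leave peer-certificate revocation unchecked or fail-open. Columns that are missing or set to $$ fall back to the defaults listed in the table; the function names, the sample rows and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Defaults as stated in the TLS Context parameter table.
DEFAULTS = {
    "TLSContexts_TLSVersion": "0",
    "TLSContexts_ServerCipherString": "AES:RC4",
    "TLSContexts_ClientCipherString": "ALL:!ADH",
    "TLSContexts_OcspEnable": "0",
    "TLSContexts_OcspServerPrimary": "0.0.0.0",
    "TLSContexts_OcspDefaultResponse": "0",
}

# OpenSSL cipher-list keywords mapped to the deprecated family they select.
WEAK = {
    "RC4": "RC4",
    "DES": "56-bit DES", "LOW": "56-bit DES",
    "EXP": "export-grade", "EXPORT": "export-grade",
    "EXPORT40": "export-grade", "EXPORT56": "export-grade",
}


def weak_ciphers(cipher_string):
    """Return the weak cipher families an OpenSSL cipher list string admits."""
    items = [i for i in re.split(r"[:, ]+", cipher_string.strip("\"' ")) if i]
    # "!KEYWORD" removes a family permanently, even if a later item names it.
    banned = {WEAK.get(i[1:].upper()) for i in items if i.startswith("!")}
    found = []
    for item in items:
        if item[0] in "!-+":
            continue  # these prefixes remove or reorder ciphers, never add
        parts = item.upper().split("+")  # "RSA+RC4" selects suites with both
        if "ALL" in parts:
            parts += ["RC4", "DES", "EXP"]  # ALL covers every family not banned
        for part in parts:
            family = WEAK.get(part)
            if family and family not in banned and family not in found:
                found.append(family)
    return found


def audit_tls_context(row):
    """Return [(ini column, finding)] for one TLSContexts row (a dict)."""
    cfg = dict(DEFAULTS)
    cfg.update({k: v for k, v in row.items() if v not in (None, "", "$$")})
    findings = []
    if cfg["TLSContexts_TLSVersion"] == "0":
        findings.append(("TLSContexts_TLSVersion",
                         "accepts SSL 3.0 and an SSL 2.0-compatible handshake"))
    for column in ("TLSContexts_ServerCipherString",
                   "TLSContexts_ClientCipherString"):
        weak = weak_ciphers(cfg[column])
        if weak:
            findings.append((column, "admits " + ", ".join(weak)))
    if cfg["TLSContexts_OcspEnable"] != "1":
        findings.append(("TLSContexts_OcspEnable",
                         "revoked peer certificates are not detected"))
    else:
        if cfg["TLSContexts_OcspServerPrimary"] == "0.0.0.0":
            findings.append(("TLSContexts_OcspServerPrimary",
                             "OCSP enabled but no primary server is set"))
        if cfg["TLSContexts_OcspDefaultResponse"] == "1":
            findings.append(("TLSContexts_OcspDefaultResponse",
                             "peer certificates are allowed when OCSP is unreachable"))
    return findings


# Constructed sample rows (not taken from a real device).
SHIPPED = {"TLSContexts_Name": "default"}  # every other column left at default
STRICT = {
    "TLSContexts_Name": "sip-peers",
    "TLSContexts_TLSVersion": "1",
    "TLSContexts_ServerCipherString": "AES",
    "TLSContexts_ClientCipherString": "AES",
    "TLSContexts_OcspEnable": "1",
    "TLSContexts_OcspServerPrimary": "192.0.2.10",
    "TLSContexts_OcspDefaultResponse": "0",
}
FAIL_OPEN = dict(STRICT, TLSContexts_OcspDefaultResponse="1")

if __name__ == "__main__":
    for row in (SHIPPED, STRICT, FAIL_OPEN):
        print(row["TLSContexts_Name"])
        for column, finding in audit_tls_context(row) or [("-", "no findings")]:
            print(f"  {column}: {finding}")
```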

10.1.2 Assigning CSR-based Certificates to TLS Contexts

The following procedure describes how to request a digitally signed certificate from a Certification Authority (CA) for a TLS Context. This process is referred to as a certificate signing request (CSR) and is required if your organization employs a Public Key Infrastructure (PKI) system. The CSR contains information identifying the device (such as a distinguished name in the case of an X.509 certificate).
To assign a CSR-based certificate to a TLS Context:
1. Your network administrator should allocate a unique DNS name for the device (e.g.,
dns_name.corp.customer.com). This DNS name is used to access the device and therefore, must be listed in the server certificate.
2. Open the TLS Contexts page (Configuration tab > System menu > TLS Contexts).
3. In the TLS Contexts table, select the required TLS Context index row, and then click
the Context Certificates button, located at the bottom of the TLS Contexts page; the Context Certificates page appears.
4. Under the Certificate Signing Request group, do the following:
a. In the 'Subject Name [CN]' field, enter the DNS name.
b. Fill in the rest of the request fields according to your security provider's instructions.
c. Click the Create CSR button; a textual certificate signing request is displayed in the area below the button:
Figure 10-2: Certificate Signing Request Group
5. Copy the text and send it to your security provider (CA) to sign this request.
6. When the CA sends you a server certificate, save the certificate to a file (e.g., cert.txt). Ensure that the file is a plain-text file containing the "BEGIN CERTIFICATE" header, as shown in the example of a Base64-Encoded X.509 Certificate below:
-----BEGIN CERTIFICATE----- MIIDkzCCAnugAwIBAgIEAgAAADANBgkqhkiG9w0BAQQFADA/MQswCQYDVQQGEw
JGUjETMBEGA1UEChMKQ2VydGlwb3N0ZTEbMBkGA1UEAxMSQ2VydGlwb3N0ZSBT ZXJ2ZXVyMB4XDTk4MDYyNDA4MDAwMFoXDTE4MDYyNDA4MDAwMFowPzELMAkGA1 UEBhMCRlIxEzARBgNVBAoTCkNlcnRpcG9zdGUxGzAZBgNVBAMTEkNlcnRpcG9z dGUgU2VydmV1cjCCASEwDQYJKoZIhvcNAQEBBQADggEOADCCAQkCggEAPqd4Mz iR4spWldGRx8bQrhZkonWnNm`+Yhb7+4Q67ecf1janH7GcN/SXsfx7jJpreWUL f7v7Cvpr4R7qIJcmdHIntmf7JPM5n6cDBv17uSW63er7NkVnMFHwK1QaGFLMyb FkzaeGrvFm4k3lRefiXDmuOe+FhJgHYezYHf44LvPRPwhSrzi9+Aq3o8pWDguJ uZDIUP1F1jMa+LPwvREXfFcUW+w==
-----END CERTIFICATE-----
7. Scroll down to the Upload certificates files from your computer group, click the
Browse button corresponding to the 'Send Device Certificate...' field, navigate to the cert.txt file, and then click Send File.
8. After the certificate successfully loads to the device, save the configuration with a
device reset.
9. Open the TLS Contexts page again, select the TLS Context index row, and then verify that under the Certificate Information group, the 'Private key' field displays "OK"; otherwise, consult your security administrator:
Figure 10-3: Private key "OK" in Certificate Information Group
Notes:
The certificate replacement process can be repeated when necessary (e.g., the
new certificate expires).
It is possible to use the IP address of the device (e.g., 10.3.3.1) instead of a
qualified DNS name in the Subject Name. This is not recommended since the IP address is subject to change and may not uniquely identify the device.
The device certificate can also be loaded via the Automatic Update Facility by using the HTTPSCertFileName ini file parameter.

10.1.3 Assigning Externally Created Private Keys to TLS Contexts

The following procedure describes how to assign an externally created private key to a TLS Context.
To assign an externally created private key to a TLS Context:
1. Obtain a private key in either textual PEM (PKCS #7) or PFX (PKCS #12) format
(typically provided by your security administrator). The file may be encrypted with a short pass-phrase.
2. Open the TLS Contexts page (Configuration tab > System menu > TLS Contexts).
3. In the TLS Contexts table, select the required TLS Context index row, and then click
the Context Certificates button, located at the bottom of the TLS Contexts page; the Context Certificates page appears.
4. Scroll down to the Upload certificate files from your computer group.
Figure 10-4: Upload Certificate Files from your Computer Group
5. Fill in the 'Private key pass-phrase' field, if required.
6. Click the Browse button corresponding to the 'Send Private Key' field, navigate to the
private key file (Step 1), and then click Send File.
7. If the security administrator has provided you with a device certificate file, load it using
the 'Send Device Certificate' field.
8. After the files successfully load to the device, save the configuration with a device
reset.
9. Open the TLS Contexts page again, select the TLS Context index row, and then verify that under the Certificate Information group, the 'Private key' field displays "OK"; otherwise, consult your security administrator.

10.1.4 Generating Private Keys for TLS Contexts

The device can generate the private key for a TLS Context, as described in the procedure below.
To generate a new private key for a TLS Context:
1. Open the TLS Contexts page (Configuration tab > System menu > TLS Contexts).
2. In the TLS Contexts table, select the required TLS Context index row, and then click
the Context Certificates button, located at the bottom of the TLS Contexts page; the Context Certificates page appears.
3. Scroll down to the Generate new private key and self-signed certificate group:
Figure 10-5: Generate new private key and self-signed certificate Group
4. From the 'Private Key Size' drop-down list, select the desired private key size (in bits) for RSA public-key encryption for newly self-signed generated keys:
512
1024 (default)
2048
5. Click Generate Private Key; a message appears requesting you to confirm key
generation.
6. Click OK to confirm key generation; the device generates a new private key, indicated
by a message in the Certificate Signing Request group.
Figure 10-6: Indication of Newly Generated Private Key
7. Continue with the certificate configuration, by either creating a CSR or generating a
new self-signed certificate.
8. Save the configuration with a device reset for the new certificate to take effect.

10.1.5 Creating Self-Signed Certificates for TLS Contexts

The following procedure describes how to assign a certificate that is digitally signed by the device itself to a TLS Context. In other words, the device acts as a CA.
To assign a self-signed certificate to a TLS Context:
1. Before you begin, make sure that:
You have a unique DNS name for the device (e.g.,
dns_name.corp.customer.com). This name is used to access the device and therefore, must be listed in the server certificate.
No traffic is running on the device. The certificate generation process is disruptive
to traffic and should be done during maintenance time.
2. Open the TLS Contexts page (Configuration tab > System menu > TLS Contexts).
3. In the TLS Contexts table, select the required TLS Context index row, and then click
the Context Certificates button, located at the bottom of the TLS Contexts page; the Context Certificates page appears.
4. Under the Certificate Signing Request group, in the 'Subject Name [CN]' field, enter the fully-qualified DNS name (FQDN) as the certificate subject.
5. Scroll down the page to the Generate new private key and self-signed certificate
group:
Figure 10-7: Generate new private key and self-signed certificate Group
6. Click Generate Self-Signed Certificate; a message appears (after a few seconds)
displaying the new subject name.
7. Save the configuration with a device reset for the new certificate to take effect.

10.1.6 Importing Certificates and Certificate Chain into Trusted Certificate Store

The device provides its own Trusted Root Certificate Store. This lets you manage certificate trust. You can add up to 20 certificates to the store per TLS Context (but this may be less depending on certificate file size).
The trusted store can also be used for certificate chains. A certificate chain is a sequence of certificates where each certificate in the chain is signed by the subsequent certificate. The last certificate in the list of certificates is the Root CA certificate, which is self-signed. The purpose of a certificate chain is to establish a chain of trust from a child certificate to the trusted root CA certificate. The CA vouches for the identity of the child certificate by signing it. A client certificate is considered trusted if one of the CA certificates up the certificate chain is found in the server certificate directory.
Figure 10-8: Certificate Chain Hierarchy
For the device to trust a whole chain of certificates per TLS Context, you need to add them to the device's Trusted Certificates Store, as described below.
To import certificates into device's Trusted Root Certificate Store:
1. Open the TLS Contexts page (Configuration tab > System menu > TLS Contexts).
2. In the TLS Contexts table, select the required TLS Context index row, and then click the Context Trusted-Roots button, located at the bottom of the TLS Contexts page; the Trusted Certificates page appears.
3. Click the Import button, and then select the certificate file to load.
Figure 10-9: Importing Certificate into Trusted Certificates Store
4. Click OK; the certificate is loaded to the device and listed in the Trusted Certificates
store.
You can also do the following with certificates that are in the Trusted Certificates store:
Delete certificates: Select the required certificate, click Remove, and then in the
Remove Certificate dialog box, click Remove.
Save certificates to a file on your PC: Select the required certificate, click Export, and
then in the Export Certificate dialog box, browse to the folder on your PC where you want to save the file and click Export.

10.1.7 Configuring Mutual TLS Authentication

10.1.7.1 TLS for SIP Clients
When Secure SIP (SIPS) is implemented using TLS, it is sometimes required to use two-way (mutual) authentication between the device and a SIP user agent (client). When the device acts as the TLS server in a specific connection, the device demands the authentication of the SIP client's certificate. Both the device and the client use certificates from a CA to authenticate each other, sending their X.509 certificates to one another during the TLS handshake. Once the sender is verified, the receiver sends its certificate to the sender for verification. SIP signaling starts when authentication of both sides completes successfully.
TLS mutual authentication can be configured for specific calls by enabling mutual authentication on the SIP Interface used by the call. The TLS Context associated with the SIP Interface or Proxy Set belonging to these calls is used.
Note: SIP mutual authentication can also be configured globally for all calls, using the
'TLS Mutual Authentication' parameter (SIPSRequireClientCertificate) in the General Security Settings page (Configuration tab > VoIP menu > Security > General Security Settings).
To configure mutual TLS authentication for SIP messaging:
1. Enable two-way authentication on the specific SIP Interface:
a. In the SIP Interface Table page (see Configuring SIP Interfaces on page 256), set
the 'TLS Mutual Authentication' parameter to Enable for the specific SIP Interface.
b. Click Submit, and then reset the device with a burn-to-flash for your settings to take effect.
2. Configure a TLS Context with the following certificates:
Import the certificate of the CA that signed the certificate of the SIP client, into the Trusted Root Store so that the device can authenticate the client (see 'Importing Certificates and Certificate Chain into Trusted Certificate Store' on page 97).
Make sure that the TLS certificate is signed by a CA that the SIP client trusts so that the client can authenticate the device.
10.1.7.2 TLS for Remote Device Management
By default, servers using TLS provide one-way authentication. The client is certain that the identity of the server is authentic. When an organizational PKI is used, two-way authentication may be desired - both client and server should be authenticated using X.509 certificates. This is achieved by installing a client certificate on the management PC and loading the root CA's certificate to the device's Trusted Root Certificate Store. The Trusted Root Certificate file may contain more than one CA certificate combined, using a text editor.
To enable mutual TLS authentication for HTTPS:
1. Set the 'Secured Web Connection (HTTPS)' field to HTTPS Only in the Web Security
Settings page (see Configuring Web Security Settings on page 61) to ensure you have a method for accessing the device in case the client certificate does not work. Restore the previous setting after testing the configuration.
2. Open the TLS Contexts page (Configuration tab > System menu > TLS Contexts).
3. In the TLS Contexts table, select the required TLS Context index row, and then click the Context Trusted-Roots button, located at the bottom of the TLS Contexts page; the Trusted Certificates page appears.
4. Click the Import button, and then select the certificate file.
5. When the operation is complete, set the 'Requires Client Certificates for HTTPS
connection' field to Enable in the Web Security Settings page.
6. Save the configuration with a device reset (see Saving Configuration).
When a user connects to the secured Web interface of the device:
If the user has a client certificate from a CA that is listed in the Trusted Root Certificate file, the connection is accepted and the user is prompted for the system password.
If both the CA certificate and the client certificate appear in the Trusted Root Certificate file, the user is not prompted for a password (thus, providing a single-sign-on experience - the authentication is performed using the X.509 digital signature).
If the user does not have a client certificate from a listed CA or does not have a client
certificate, the connection is rejected.
Notes:
The process of installing a client certificate on your PC is beyond the scope of this document. For more information, refer to your operating system documentation, and/or consult your security administrator.
The root certificate can also be loaded via the Automatic Update facility, using the HTTPSRootFileName ini file parameter.
You can enable the device to check whether a peer's certificate has been revoked by an OCSP server, per TLS Context (see 'Configuring TLS Certificate Contexts' on page 89).
10.1.8 Configuring TLS Server Certificate Expiry Check
You can configure the TLS Server Certificate Expiry Check feature, whereby the device periodically checks the validity date of the installed TLS server certificates. You can also configure the device to send an SNMP trap event (acCertificateExpiryNotification) a user-defined number of days before the installed TLS server certificate is to expire. This trap event indicates the TLS Context to which the certificate belongs.
Note: TLS certificate expiry check is configured globally for all TLS Contexts.
To configure TLS certificate expiry checks and notification:
1. Open the TLS Contexts page (Configuration tab > System menu > TLS Contexts).
2. Scroll down the page to the TLS Expiry Settings group:
Figure 10-10: TLS Expiry Settings Group
3. In the 'TLS Expiry Check Start' field, enter the number of days before the installed TLS server certificate is to expire at which the device sends an SNMP trap event as notification.
4. In the 'TLS Expiry Check Period' field, enter the interval (in days) at which the device checks the TLS server certificate expiry date. By default, the device checks the certificate every 7 days.
5. Click the Submit TLS Expiry Settings button.