This document is for IP Office release R11.1 FP1 and Avaya Session Border Controller for
Enterprise (ASBCE) Release 7.2. It looks at examples of supporting Avaya SIP clients and remote
SIP desk phones when also using an ASBCE server.
Supported SIP ClientsSupported Remote SIP
Deskphones
• Avaya Workplace clients
• Avaya Communicator for
Windows
• Avaya Communicator for iPad
• Avaya one-X Mobile Preferred
for Android
• Avaya one-X Mobile Preferred
for iOS
• 1120, 1140, 1220, 1230
• E129
• H175
• J100 Series
• Vantage K100 Series
• These are just examples used to illustrate how the different components interact and exchange
information. Actual installations will have different requirements specific to the individual
customer sites. Refer to the Avaya Session Border Controller for Enterprise manuals for
details.
• This document should be used in conjunction with the
documentation.
• For IP Office Release 11.1 FP1 and higher, an IP Office server running WebLM can act as the
server for ASBCE licenses.
Related links
Example schematic on page 4
Other
• WebRTC
IP Office SIP Phone Installation Notes
Example schematic
The deployment example used in the first parts of this document is as follows:
February 2021IP Office SIP Phones with ASBCE4
Comments on this document? infodev@avaya.com
Example schematic
The IP Office is the SIP registrar for telephony services. The one-X Portal for IP Office service
connects to the IP Office and in this scenario acts as the XMPP presence provider for the users.
The ASBCE sits on the edge of the customer's network with both internal and external IP
interfaces. Using these, it acts as the gateway for SIP traffic into and out of the network.
When used internally, SIP clients register to the IP Office directly. When used externally, the SIP
clients connect to the ASBCE. This is achieved using Split DNS. That automatically resolves the
FQDNs to the internal IP address of the IP Office or the public IP address of the ASBCE
depending on where the clients is currently located.
It assumes that the IP Office is an IP Office Server Edition or IP Office Select primary server. This
means it hosts the IP Office and Avaya one-X® Portal for IP Office services on the same physical
or virtual server. Therefore in this case they share the same IP address. They could also use the
same single FQDN for the IP Office SIP domain and Avaya one-X® Portal for IP Office XMPP
domain, however for this example we have used separate addresses for the domains to better
illustrate their usage.
Related links
Purpose on page 4
February 2021IP Office SIP Phones with ASBCE5
Comments on this document? infodev@avaya.com
Chapter 2:IP Office Configuration
This section provides a general summary of the IP Office settings relevant to SIP softphone
operation.
Related links
Licenses and Subscriptions on page 6
SIP VoIP Setup on page 6
Password complexity rules on page 8
Creating users on page 9
Creating SIP Extensions on page 10
Creating Presence Groups (XMPP) on page 10
Setting the one-X Portal for IP Office XMPP Domain on page 11
Licenses and Subscriptions
The IP Office does not require any additional licenses to support operation with an (ASBCE). The
phones and applications connected to the IP Office via the ASBCE require the same licenses or
subscriptions as for local operation.
• For IP Office Release 11.1 FP1 and higher, an IP Office server running WebLM can act as
the server for ASBCE licenses.
Related links
IP Office Configuration on page 6
SIP VoIP Setup
Procedure
1. Using IP Office Manager, load the IP Office configuration.
2. Click System.
February 2021IP Office SIP Phones with ASBCE6
Comments on this document? infodev@avaya.com
SIP VoIP Setup
3. Select the LAN1 tab.
FieldDescription
SIP Registrar EnableSelecting this option allows SIP devices to register with the IP Office.
SIP Remote Extn
Enable
SIP Domain NameSet this to the domain that SIP clients need to use for registration.
SIP Registrar FQDNSet this to the fully qualified domain name for SIP connections to the IP
Layer 4 ProtocolCheck the required Layer 4 protocols and set relevant ports. In this
Deselect this option. The ASBCE handles the remote extension
connections, so the IP Office does not need to handle their NAT
requirements.
Office server.
example TLS has been enabled in addition to the default UDP and TCP.
4. Select the VoIP sub-tab.
Enable Allow Direct Media With NAT Location checkbox.
• You must ensure that the Crypto Suites selection and order configured on the IP
Office and the ASBCE match. See Configuring media rules on page 51.
• Selecting this option allows direct media to be attempted between devices that
reside on the same side of any NAT that may be occurring.
February 2021IP Office SIP Phones with ASBCE7
Comments on this document? infodev@avaya.com
IP Office Configuration
• Direct media may still not be possible if there are codec or other VoIP setting
mismatches.
5. Go to VoIP Security tab and set the Media Security to Preferred.
6. Click OK.
7. Save the configuration.
Related links
IP Office Configuration on page 6
Password complexity rules
About this task
The default IP Office user password complexity requirements are that passwords must be at least
9 characters which must be a mix of alphanumeric characters and no consecutive characters.
There are some SIP softphone clients that only all the entry of numeric passwords. If that is the
case, you must decide if you want to continue supporting those clients, since the process to
enable number only user passwords significantly reduces the security of the IP Office system.
Warning:
This process should only be used if absolutely necessary. It reduces the password security for
all user access to the IP Office system and does so in a scenario where external access is
also being configured.
Procedure
1. Using IP Office Manager, select File > Advanced Settings File > Security.
2. Select the primary server and click OK. Login with an administrator account.
3. Select General.
4. Set the Minimum Password Complexity to Low. This allows the use of passwords
containing only digits.
5. Click OK.
6.
Click
Related links
IP Office Configuration on page 6
save icon.
February 2021IP Office SIP Phones with ASBCE8
Comments on this document? infodev@avaya.com
Creating users
About this task
Use the process below to create a new user or to amend the settings of any existing users.
Procedure
1. Using IP Office Manager, load the IP Office configuration. Select the primary server
configuration.
2. Select User.
3.
Click on the icon and select User.
4. Select the User tab and set the following:
FieldDescription
NameThis is the short name for the user. It is the user's user name for client
login. It only displayed in applications if the Full Name (below) is not set.
PasswordThis field is used to login to IP Office user applications. It may be
necessary to digits only as not all clients support the entry of
alphanumeric passwords. If so, the IP Office security settings have to
also be adjusted to permit this, see Password complexity rules on
page 8.
ExtensionThis is the user's extension number.
Full NameThis is the full name of the user. This is name displayed within
applications and on phone calls.
ProfileSelect the profile that supports the applications and features the user
wants to use. Refer to the appropriate IP Office installation manual for
the application.
Creating users
5. Select the Voicemail tab.
Enter and confirm a Voicemail Code. This is the pin code used for voicemail mailbox
access.
6. Click OK.
7. Depending on the selected profile, IP Office Manager may insist that other user
configuration fields are set. Follow the instructions given by IP Office Manager.
8. If the extension number doesn't match any existing extension, IP Office Manager prompts
you whether it should create an extension. Select SIP Extension and click OK.
9. Save the configuration.
Related links
IP Office Configuration on page 6
February 2021IP Office SIP Phones with ASBCE9
Comments on this document? infodev@avaya.com
IP Office Configuration
Creating SIP Extensions
About this task
Each SIP softphone requires a user and an extension entry in the IP Office configuration. If users
have been created without a SIP extension, use the following process to add the necessary
extensions.
Procedure
1. Using IP Office Manager, load the IP Office configuration.
2. Select Extension.
3.
Click on the
4. In Base Extension, enter the extension number. This associates the extension entry with
the user who has the same extension number.
5. Click OK.
6. Save the configuration.
Related links
IP Office Configuration on page 6
icon and select SIP Extension.
Creating Presence Groups (XMPP)
About this task
The Avaya one-X® Portal for IP Office acts as an XMPP server to provide presence indication to
selected users. Within the IP Office configuration, XMPP groups are used to control which users
can see each other's presence.
Procedure
1. Using IP Office Manager, load the IP Office configuration.
2. Select Group
3.
Click the icon and select Hunt Group.
4. Select the Group tab and set the following:
a. Enter the name of the group in Name.
b. Select XMPP Group in Profile.
c. Under the User List click Edit.
d. Select and append all the users who you want to be able to share their presence with
each other.
e. Click OK.
February 2021IP Office SIP Phones with ASBCE10
Comments on this document? infodev@avaya.com
Setting the one-X Portal for IP Office XMPP Domain
5. Click OK.
6. Save the configuration.
Related links
IP Office Configuration on page 6
Setting the one-X Portal for IP Office XMPP Domain
About this task
The Avaya one-X® Portal for IP Office needs to be configured with its fully qualified domain
names. It supports several different domain names, for use by the different functions that it
provides (portal host, XMPP domain and web collaboration domain). Whilst these can differ if
required, for this example we are using the same FQDN for each function.
Procedure
1. Login to the one-X Portal for IP Office administrator menus, either:
• Within IP Office Web Manager, select Applications > one-X Portal.
• Browse to https://<portal IP address>:9443/onexportal-admin.html and
login as the an administrator.
2. Select Configuration > IM/Presence.
a. Set the XMPP Domain Name. In this example we are using onex.example.com.
b. Click Save.
3. Select Configuration > Host Domain Name.
a. Set the Host Domain Name. In this example we are again using onex.example.com.
b. Set the Web Collaboration Domain Name. In this example we are again using
onex.example.com.
c. Click Save.
4.
Click on the icon at the top of the menus to restart the portal service.
Related links
IP Office Configuration on page 6
February 2021IP Office SIP Phones with ASBCE11
Comments on this document? infodev@avaya.com
Chapter 3:Certification overview
The examples in this document assumes that the IP Office system's own self-signed certificate is
being used. In that case, the ASBCE needs to have a copy of both the IP Office certificate and also
an identity certificate issued for it by the IP Office.
If the Avaya one-X® Portal for IP Office is running on a separate IP Office Application Server, that
too requires an identity certificate issued by the IP Office.
Related links
Downloading the IP Office root certificate on page 12
Generating an IP Office identity certificate on page 13
one-X Portal for IP Office identity certificate on page 13
Generating an identity certificate for the ASBCE on page 16
Extracting the ASBCE private key and identity certificate on page 17
Adding the IP Office Root CA to the ASBCE on page 18
Adding the ASBCE identity certificate on page 19
Downloading the IP Office root certificate
About this task
A copy of the IP Office root certificate is needed. It will be loaded onto the ASBCE.
Procedure
1. Login to the IP Office Web Control menus by either:
•
From within IP Office Web Manager, select the primary server. Click on and select
Platform View.
• Browse to https://<IP Office IP address>:7071 and login as the
Administrator.
2. Select the Settings tab and scroll down to Certificates.
3. Under CA Certificate, click on Download (PEM-encoded) and save the file to your PC.
4. Rename the file as IPO_RootCA.crt.
Related links
Certification overview on page 12
February 2021IP Office SIP Phones with ASBCE12
Comments on this document? infodev@avaya.com
Generating an IP Office identity certificate
Generating an IP Office identity certificate
About this task
Login to the IP Office Web Control menus by either:
Procedure
1. Login to the IP Office Web Control menus by either:
•
From within IP Office Web Manager, select the primary server. Click on and select
Platform View.
• Browse to https://<IP Office IP address>:7071 and login as the
Administrator.
2. Select the Settings tab and scroll down to Certificates.
3. Enter the following data:
a. Subject Name: Enter the FQDN of the IP Office SIP domain.
b. Subject Alternative Name(s): Enter comma separate DNS:<FQDN> and IP:<IP
address> entries.
These should include entries for the FQDNs of the Avaya one-X® Portal for IP Office,
XMPP Domain, IP Office SIP FQDNs and IP Office LAN IP addresses LAN1 and/or
LAN2) on which extensions are connecting.
4. Click Regenerate and Apply.
5. In the pop-up window click Yes.
Related links
Certification overview on page 12
one-X Portal for IP Office identity certificate
These processes are only required if the Avaya one-X® Portal for IP Office is run on a separate IP
Office Application Server. If that is the case, the portal requires its own identity certificate.
• Generating an Identity Certificate for the Portal Server
• Installing a Avaya one-X® Portal for IP Office Identity Certificate
Related links
Certification overview on page 12
Generating an identity certificate for the portal server on page 14
Installing a one-X Portal for IP Office identity certificate on page 15
February 2021IP Office SIP Phones with ASBCE13
Comments on this document? infodev@avaya.com
Certification overview
Generating an identity certificate for the portal server
About this task
This stage is only required if the Avaya one-X® Portal for IP Office is run on a separate IP Office
Application Server. If that is the case, the portal requires its own identity certificate.
Procedure
1. Login to the IP Office Web Control menus by either:
•
From within IP Office Web Manager, select the primary server. Click on
Platform View.
• Browse to https://<IP Office IP address>:7071 and login as the
Administrator.
2. Go to Settings tab and scroll down to Certificates.
3. Check Create certificate for a different machine.
4. Enter the following data:
and select
a. In Machine IP enter the IP address of the portal server.
b. In Password enter a password to encrypt the certificate and key.
Note:
Note that if any special characters are used in the password, to enter that
password at the command line requires the character to be prefixed with a \. For
example, a @ in the password would be typed as \@ at the command line.
c. In Subject Name enter the FQDN of the portal server.
d. In Subject Alternative Name(s) enter comma separate DNS:<FQDN> and IP:<IP
address> values for the portal's domain names and IP addresses.
5. Click Regenerate.
6. Click on the link in the popup window and save the file. Rename the downloaded file to
ONEX_ID.p12.
Next steps
You can now add the identity certificate to the Avaya one-X® Portal for IP Office server.
February 2021IP Office SIP Phones with ASBCE14
Comments on this document? infodev@avaya.com
one-X Portal for IP Office identity certificate
Related links
one-X Portal for IP Office identity certificate on page 13
Installing a one-X Portal for IP Office identity certificate
About this task
Having created an identity certificate for the IP Office Application Server , it needs to be installed
on the server.
Procedure
1. Browse to https://<IP Office IP address>:7070 and login as the Administrator.
2. Select Security Manager > Certificates.
3.
Click on the icon.
4. Click Set.
5. Browse to the location of the identity file created for the portal server.
6. Enter the certificate password.
7. Click Upload.
Related links
one-X Portal for IP Office identity certificate on page 13
February 2021IP Office SIP Phones with ASBCE15
Comments on this document? infodev@avaya.com
Certification overview
Generating an identity certificate for the ASBCE
About this task
In addition to the IP Office root certificate, we also need to provide the ASBCE with an identity
certificate. This certificate needs to include FQDN and IP address information for all the IP Office
servers and services for which the ASBCE will be handling traffic.
Procedure
1. Login to the IP Office Web Control menus by either:
•
From within IP Office Web Manager, select the primary server. Click on
Platform View.
• Browse to https://<IP Office IP address>:7071 and login as the
Administrator.
2. Go to Settings tab and scroll down to Certificates.
3. Check Create certificate for a different machine.
4. Enter the following data:
and select
a. In Machine IP enter the external IP address of the ASBCE.
b. In Password enter a password to encrypt the certificate and key.
Note:
Note that if any special characters are used in the password, to enter that
password at the command line requires the character to be prefixed with a \. For
example, a @ in the password would be typed as \@ at the command line.
c. In Subject Name enter the FQDN of the ASBCE.
d. In Subject Alternative Name(s) enter comma separate values for the DNS:<FQDN>
and IP:<IP address>.
Note:
If you were using different FQDNs for Avaya one-X® Portal, IP Office, XMPP and
SIP domains, enter all FQDNs as a comma separated list of DNS entries in the
Subject Alternate Name.
5. Click Regenerate.
6. Click on the link in the popup window and save the file.
7. Rename the downloaded file to SBCE_ID.p12.
Related links
Certification overview on page 12
February 2021IP Office SIP Phones with ASBCE16
Comments on this document? infodev@avaya.com
Extracting the ASBCE private key and identity certificate
Extracting the ASBCE private key and identity certificate
About this task
The IP Office identity certificate created for the ASBCE is a single file. For the ASBCE
configuration it needs to be split into two files.
Procedure
1. Using WinSCP, connect to the ASBCE management IP address using port 222 and the
ipcs login.
2. Copy the IP Office identity certificate created for the ASBCE (SBCE_ID.p12) to the
ASBCE /tmp directory.
3. SSH to the ASBCE management IP using port 222 and ipcs login.
4. Enter the command sudo su and type the root password.
5. Enter the following commands. When prompted for a password or PEM pass phrase, enter
the password specified when generating an identity certificate for the ASBCE.
Note:
If any special characters are used in the password, to enter that password at the
command line requires the character to be prefixed with a \. For example, a @ in the
password would be typed as \@ at the command line.
a. cd /tmp
b. openssl pkcs12 -in SBCE_ID.p12 -out SBCE_ID.crt
c. openssl pkcs12 -nocerts -in SBCE_ID.p12 -out SBCE_ID.key
The whole sequence should look similar to the following:
6. Copy the new SBCE_ID.crt and SBCE_ID.key files from ASBCE to your PC
7. The SBCE_ID.crt file contains the ID certificate we generated for ASBCE , the IP Office
root CA certificate, and the private key.
To be able to properly import this file to the ASBCE, the CA certificate and the private key
must be removed from this file.
a. Open SBCE_ID.crt in WordPad on your PC.
b. Remove all lines except those which are between the first BEGIN CERTIFICATE and
END CERTIFICATE lines. The resulting file should look similar to the following:
Related links
Certification overview on page 12
Adding the IP Office Root CA to the ASBCE
Procedure
1. Login to ASBCE web interface.
2. Go to TLS Management > Certificates .
3. Click Install.
a. Type: Select CA Certificate.
b. Name: Enter a descriptive name for the root CA certificate.
c. Allow Weak Certificate/Key: Enable this option.
d. Certificate File: Click Choose File and select the IPO_RootCA.crt file.
4. Click Upload.
A warning that this is a self-signed certificate will be displayed.
5. Click Proceed.
February 2021IP Office SIP Phones with ASBCE18
Comments on this document? infodev@avaya.com
The certificate is displayed.
6. Click Install and then Finish.
Related links
Certification overview on page 12
Adding the ASBCE identity certificate
Procedure
1. Login to ASBCE web interface.
2. Go to TLS Management > Certificates.
3. Click Install.
a. In Type select Certificate.
b. In Name enter a descriptive name for the certificate.
c. In Certificate File click Choose File and select SBCE_ID.crt.
Adding the ASBCE identity certificate
d. In Trust Chain File leave this field empty.
e. In Key select Upload Key File.
f. In Key File click Choose File and open SBCE_ID.key.
4. Click Upload. The certificate is displayed.
5. Click Install and then Finish.
6. Using Ssh, access the ASBCE Management IP address using port 222 and the ipcs login.
a. Enter the command sudo su and enter the root password.
b. Enter the following commands, replacing ******** with the password set when
generating the ID certificate for the ASBCE:
cd /usr/local/ipcs/cert/key
enc_key SBCE_ID.key ********
Note:
If any special characters are used in the password, to enter that password at the
command line requires the character to be prefixed with a \. For example, a @ in
the password would be typed as \@ at the command line.
Related links
Certification overview on page 12
February 2021IP Office SIP Phones with ASBCE19
Comments on this document? infodev@avaya.com
Chapter 4:ASBCE Configuration overview
This section looks at the specific ASBCE configuration required for the example schematic
Related links
Firewall configuration on page 21
Firewall Address Translation on page 21
Changing the default listen port range on page 22
Enabling the internal/external interfaces on page 22
Creating a TLS profile on page 23
Creating the media interfaces on page 24
Creating the signaling interfaces on page 25
Creating a server profile on page 25
Creating server routing on page 26
Creating a Topology Hiding on page 27
Configuring User Agent Profiles on page 27
Creating a subscriber flow on page 28
Creating a Server Flow on page 29
Create application relays on page 30
February 2021IP Office SIP Phones with ASBCE20
Comments on this document? infodev@avaya.com
Firewall configuration
Procedure
1. Allow Layer 3 NAT only, disable all SIP aware functionality, ALG, and so on.
2. Forward the TCP signaling ports to the B1 interface of the ASBCE which are needed for
the given clients.
3. Forward the RTP ports to the B1 interface of the ASBCE. The port range can be found on
the external Media Interface of the ASBCE, by default it is UDP 35000-40000. See
Creating the media interfaces on page 24
TCP5061SIP
TCP5222XMPP
TCP9443WebRTC, REST, XMPP
TCP7443BOSH/XMPP
TCP80HTTP
TLS443HTTPS
UDP3478STUN
UDP50000-55000RTP relay
UDP35000-40000RTP media
Firewall configuration
Related links
ASBCE Configuration overview on page 20
Firewall Address Translation
This process applies NAT between the IP address and Public IP address settings.
Procedure
1. Go to Device Specific Settings > Network Management.
2. Go to the Network Configuration tab.
3. Click Edit at the external interface.
4. Enter the following data:
FieldDescription
Default GatewayGateway IP address for the external interface.
Subnet MaskIP mask for the external interface.
IP AddressIP address of the external interface.
Public IPExternal IP address of the Firewall.
5. Click Finish.
February 2021IP Office SIP Phones with ASBCE21
Comments on this document? infodev@avaya.com
Loading...
+ 46 hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.