Avaya VPNremote Administrator's Guide

VPNremote for the 4600 Series IP Telephones

Release 2.0 Administrator Guide

19-600753

Issue 2

July 2006

Notice

While reasonable efforts were made to ensure that the infor mation in this document was complete and accurate at the time of printing, Avaya Inc. can assume no liability for any errors. Changes and corrections to the information in this document may be incorporated in future releases.

Documentation disclaimer

Avaya Inc. is not responsible for any modifications, addition s, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. Customer and/or End User agree to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation to the extent made by the Customer or End User.

Link disclaimer

Avaya Inc. is not responsible for the contents or reliability of any linked Web sites and does not necessarily endorse the products, services, or information described or offered within them. We cannot guarantee that these links will work all of the time and we have no control over the availability of the linked pages.

Warranty

Avaya Inc. provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warran ty. In addition, Avaya’s standard warranty language, as well as information regarding support for this product, while under warranty, is available through the following Web site:

http://www.avaya.com/support

Preventing toll fraud

"Toll fraud" is the unauthorized use of your telecommunications system by an unauthorized party (for example, anyone who is not a corporate employee, agent, subcontractor , or person working on your company's behalf). Be aware that there may be a risk of toll fraud associated with your system and that, if toll fraud occurs, it can result in substantial additional charges for your telecommunications services.

Avaya fraud intervention

If you suspect that you are being victimized by toll fraud and you need technical assistance or support, call Technical Service Center Toll Fraud Intervention Hotline at +1-800-643-2353 for the United States and Canada. For additional support telephone numbers, see the Avaya Web site:

http://www.avaya.com/support

Providing telecommunications security

T eleco mmunications security (of voice, dat a, and video communications) is th e prevention of any type of intrusion to (that is, either unauthorized or malicious access to or use of) your company's telecommunications equipment by some party.

Your company's "telecommunications equipment" includes both this Avaya product and any other voice/data/video equipment that could be accessed via this Avaya product (that is, "networked equipment").

An "outside party" is anyone who is not a corporate employee, agent, subcontractor, or person working on your company's behalf. Whereas, a "malicious party" is anyone (including someone who may be otherwise authorized) who accesses your telecommunications equipment with either malicious or mischievous intent.

Such intrusions may be either to/through synchronous (time-multiplexed and/or circuit-based) or asynchronous (character-, message-, or packet-based) equipment or interfaces for reasons of:

• Use (of capabilities special to the accessed equipment)

• Theft (such as, of intellectual property, financial assets, or toll-facility access)

• Eavesdropping (privacy invasions to humans)

• Mischief (troubling, but apparently innocuous, tampering)

• Harm (such as harmful tampering, data loss or alteration,

Be aware that there may be a risk of unauthorized intrusions associated with your system and/or its networked equipment. Also realize that, if such an intrusion should occur, it could result in a variety of losses to your company (including, but not limited to, human and data priva cy, intellectual pr operty, material assets, financial resources, labor costs, and legal costs).

regardless of motive or intent)

Your responsibility for your company's telecommunications security

The final responsibility for securing both this system and its networked equipment rests with you, an Avaya customer's system administrator, your telecommunications peers, and your managers. Base the fulfillment of your responsibility on acquired knowledge and resources from a variety of sources, including, but not limited to:

• Installation documents

• System administration documents

• Security documents

• Hardware-/software-based security tools

• Shared information between you and your peers

• Telecommunications security experts

To prevent intrusions to your telecommunications equipment, you and your peers should carefully program and configure:

• Your Avaya-provided telecommunications systems and their interfaces

• Your Avaya-provided software applications, as well as their underlying hardware/software platforms and interfaces

• Any other equipment networked to your Avaya products.

Trademarks

Avaya is a trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners.

Avaya support

Avaya provides a telephone number for you to use to repo rt problems or to ask questions about your contact center. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site:

http://www.avaya.com/support

About this book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

What products are covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Online Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

VPNremote Phone overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

VPNremote Phone features in Release 2. . . . . . . . . . . . . . . . . . . . . 10

VPNremote Phone features in Release 1. . . . . . . . . . . . . . . . . . . . . 11

Chapter 2: Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Configuration preparation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Preparing Communication Manager for the VPNremote Phone . . . . . . . . 14

VPNremote Phone as a single extension on Communication Manager . . 14

VPNremote Phone as a bridged appearance on Communication Manager 14

Installing the VPNremote Phone in the enterprise network. . . . . . . . . . . 14

Preparing the Avaya Security Gateway for the VPNremote Phone. . . . . . . 15

Configuring VPNremote Phone system parameters on the devices . . . . . . 15

Converting an IP Telephone to VPN IP Telephone . . . . . . . . . . . . . . . 17

Downloading the VPN firmware. . . . . . . . . . . . . . . . . . . . . . . . . . 17

Configuring the VPN Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Deploying the VPNremote Phone. . . . . . . . . . . . . . . . . . . . . . . . . 19

Appendix A: Avaya VPNremote for 4600 Series IP Telephones Installation

Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Appendix B: Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . 23

Error Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Authentication Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

TCP/IP Connection Failure . . . . . . . . . . . . . . . . . . . . . . . . . . 23

SSL Connection Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

General Phone Errors and Behaviors . . . . . . . . . . . . . . . . . . . . 24

IKE and IPSec Negotiation Failures . . . . . . . . . . . . . . . . . . . . . 24

Phone fails to register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Error and Status Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Appendix C: System Parameters Customization . . . . . . . . . . . . . 31

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Issue 2 July 2006 3

Contents

4 Administrator Guide

About this book

The guide provides network administrator and end-user configuration information for the A vaya VPNremote for the 4600 Series IP Telepho nes. This document is to be used in conjunction with the Avaya 4600 Series IP Telephone LAN Administrator Guide.

In the following pages, information is provided describing configuration of the Avaya VPNremote for the 4600 Series IP Telephones (VPNremote Phone) from the Administrator’s perspective, including items that should be noted as part of installation. For more information regarding Administrator configuration, see Chapter 2:

In addition, end-user configuration information is provided to assist the end user in installing and configuring the VPNremote Phone in their small office home office (SOHO) environment with minimal assistance from corporate IT or Telephony groups. For more information regarding end-user installation and configuration, see VPNremote for 4600 Series IP Telephone User Installation and Configuration Quick Start, document number 19-601608.

What products are covered

The following products is covered in this manual:

Configuration.

● Avaya VPNremote for the 4600 Series IP Telephones

The Avaya 4600 Series IP Telephones that support the VPNremote Phone firmware includes the following devices:

- Avaya 4610SW IP Telephone

- Avaya 4620SW IP Telephone

- Avaya 4621SW IP Telephone

- Avaya 4622SW IP Telephone

- Avaya 4625SW IP Telephone

Online Documentation

The online documentation for the Avaya VPNremote for the 4600 Series IP Telephones is located at the following URL:

http://www.avaya.com/support

Issue 2 July 2006 5

About this book

Chapter 1: Introduction

The Avaya VPNremote for 4600 Series IP Telephones (VPNremote Phone) is an Avaya H.323 IP Telephone with an integrated virtual private network (VPN) client and an advanced web-enabled graphical display.

VPNremote Phone overview

The VPNremote Phone provides enterprise telephony services at a remote or small of fice home office (SOHO) location through a secure VPN connection to the user’s Enterprise Communication Manager infrastructure. The VPNremote Phone uses a high-speed connection to the Internet and then to the VPN solution in the enterprise network.

The Avaya VPNremote for 4600 Series IP Telephones provides a significant improvement on communications capabilities of SOHO users. The VPNremote Phone provides users with an extension on an enterprise PBX over a secure VPN connection in a single-box solution.

For additional information regarding the 4600 Series IP Telephones, see the A vaya 4600 Series IP Telephone, Release 2.4, LAN Administrator Guide.

Beginning with Release 2, the VPNremote Phone is capable of implementation in Enterprise networks with third-party devices. For more information regarding supported third-party devices, see VPNremote Phone features in Release 2

The VPNremote Phone is targeted to work with most SOHO network configurations. Figure 1 illustrates a possible corporate network configuration with an Avaya SG203 at the headend device with three VPNremote Phones connected through secure VPN connections.

Figure 1: VPNphone in a corporate network with an Avaya SG203 as the headend device

Issue 2 July 2006 9

Introduction

VPNremote Phone features in Release 2

The following summarizes a number of significant feature, performance, and usability enhancements provided by VPNremote Phone, Release 2.

● Third-party devices– Beginning in this release, the VPNremote Phone supports the

following third-party devices:

Supported Device Minimum Software

Cisco VPN 3000 Series Concentrators Any Cisco PIX 500 Series Security Appliances Any

Requirement

Juniper Networks NetScreen series VPN

Screen OS 5.1.0 and higher

devices Juniper Networks Secure Services Gateway

Screen OS 5.1.0 and higher

500 Series devices Juniper Networks Integrated Security Gateway

Screen OS 5.1.0 and higher

(ISG) Series devices

● Automatic discovery of UDP encapsulation method– The VPNremote Phone will

automatically select the correct UDP encapsulation mode during the connection process.

● SNMP and syslog support through the VPN tunnel– The VPNremote Phone can be

SNMP polled through the VPN tunnel, and syslog messages can be securely sent through the VPN tunnel.

● Copy TOS– Allows TOS to be copied to ESP header packets.

● Selectable connectivity test– The VPNremote Phone tests connectivity to the known

hosts. This test can be set to first time, always, or never.

● Quality test (Qtest)– The VPNremote Phone tests the connection quality.

● Remote Feature Activation (RFA)–The VPNremote Phone license file is generated by

the Remote Feature Activation (RFA) process and is managed by the Web Licence Manager (WebLM) process. The license file must be installed for full functionality. The VPNremote Phone can function without a license file, but only for a 30-day period. When this time period expires, the VPNremote Phone is non-operational and the user must download the previous software for any functionality.

You must contact your Avaya sales representative or business partner to get your license file.

10 Administrator Guide

VPNremote Phone features in Release 1

The following summarizes a number of significant feature, performance, and usability enhancements provided by VPNremote Phone, Release 1.

● H.323 IP Telephone – The VPNremote Phone is a fully featured Avaya H.323 IP

Telephone. The H.323 IP Telephone includes the following features:

- A large display area that allows up to 12 application-specific buttons to be presented and labeled at one time.

- Twelve line/feature buttons

- Four softkeys

- Fixed buttons that provide access to powerful capabilities such as: local telephone and call server-based features, speed dialing, a Call Log, and a Wireless Markup Language (WML) browser.

● Integrated IPSec Client – The VPNremote Phone contains an integrated IPSec VPN

Client that supports the following IPSec protocols:

- Internet Protocol Security (IPSec) VPNremote Phone supports IPSec. VPNremote Phone supports IPSec when

implemented under an existing implementation of an IP protocol. For additional information regarding IPSec protocol support, see the Avaya Security Gateway Configuration Guide for VPNos 4.6.

- Internet Key Exchange (IKE) VPNremote Phone supports the standard IKE key management protocol for IPSec. For

additional information regarding IKE protocol support, see the Avaya Security Gateway

Configuration Guide for VPNos 4.6.

- Internet Security Association and Key Management (ISAKMP) VPNremote Phone supports the standard IISAKMP protocol for IPSec. For additional

information regarding IS AK MP protocol support, see the Avaya Security Gateway

Configuration Guide for VPNos 4.6.

Issue 2 July 2006 11

Introduction

12 Administrator Guide

Chapter 2: Configuration

This section provides administrators with information on how to configure the Avaya VPNremote for 4600 Series IP Telephone as a VPNremote Phone.

It is recommended that administrators configure the Avaya VPNremote for 4600 Series IP Telephone (VPNremote Phone) for the end user. Administrators should load the VPNremote Phone with the latest software, configure the VPNremote Phone to connect to the Enterprise Communication Manager infrastructure, and provide the end users with information for configuration in their small office home office (SOHO) environment.

the security device through the internet, and must allow telephony traffic between the security device and Communication Manager.

Configuration preparation

To insure that the end user is able to configure VPNremote Phone in their SOHO environment and to connect to the enterprise network, administrators must preconfigure the IP telephone prior to deployment.

The initial configuration is to be completed by the administrator while the IP telephone is connected to the enterprise network, and prior to deployment to the end user. By using this method, the administrator maximizes their configuration time; and minimizes end user configuration requirements that are entered using the telephone keypad. This preconfiguration method also protects the end user’s login ID and password.

Following is the recommended preconfiguration method, including the sequence and procedures:

1. Create and administer a new extension with Communication Manager, Release 2.3 or higher. For additional information see Preparing Communication Manager for the

VPNremote Phone.

2. Install and test the IP telephone on the enterprise network. For additional information, see the Avaya 4600 Series IP Telephone Installation Guide.

3. Allow access into and out of the corporate firewall through VPN tunnels, see Preparing the

Avaya Security Gateway for the VPNremote Phone.

4. Convert the 4600 Series IP Telephone, see Converting an IP Telephone to VPN IP

Telephone.

5. Download the VPN firmware from the TFTP server, see Downloading the VPN firmware

6. Configure the VPN settings to meet the configuration parameters for each VPNremote Phone site, see Configuring the VPN Settings

7. Ship preconfigured device to the end user.

Issue 2 July 2006 13

Configuration

Preparing Communication Manager for the VPNremote Phone

A VPNremote Phone is configured the same as other IP telephones on the A vaya Media Server running Avaya Communication Manager. Even though the VPNremote Phone is physically located outside of the corporate network, the VPNremote Phone will behave the same as other Avaya IP telephones located on the LAN once the VPN tunnel has been established.

VPNremote Phone as a single extension on Communication Manager

The VPNremote Phone user can have a single extension on the Avaya Media Server running Avaya Communication Manager. A single extension allows the user to be connected to the Communication Manager from one location at a time - either the office or the SOHO.

If the desired configuration is to connect to Communication Manager from both the office and the SOHO, you must configure VPNremote Phone as a separate extension that has a bridged appearance of the office extension. For more information on a bridged appearance on Communication Manager , see VPNremote Phone as a bridged appearance on Communication

Manager.

For additional information regarding Communication Manager configuration, see the Administrator Guide for Avaya Communication Manager.

VPNremote Phone as a bridged appearance on Communication Manager

The VPNremote Phone user can have a bridged appearance of the office extension on the Avaya Media Server running Avaya Commu nication Manager. A bridged appearance allows the user to be connected to the Communication Manager from two locations at the same time. As a call comes in, both telephones ring. If a voicemail message is received and the message indicator light is configured, the light appears on both telephones.

The bridged appearance configuration is the most common configuration for VPNre mote Phone users.

For additional information regarding Communication Manager configuration, see the Administrator Guide for Avaya Communication Manager.

Installing the VPNremote Phone in the enterprise network

The Avaya VPNremote for 4600 Series IP Telephone is a standard Avaya 4600 Series IP Telephone with an additional VPNremote Client capability. The installation of the VPNremote Phone in the enterprise network is the same as the installation of any Avaya 4600 Series IP Telephones.

For detailed instructions on how to install the VPNremote Phone into the enterprise network, see the Avaya 4600 Series IP Telephone Installation Guide.

14 Administrator Guide

Configuration preparation

Preparing the Avaya Security Gateway for the VPNremote Phone

VPNremote Phone users who login to the VPN through the Avaya security gateway must have their user authentication configured on that security gateway. The user authentication configuration allows VPN traffic to flow through the corporate firewalls to the security gateway. VPN traffic is remote traffic that has traversed the VPN tunnel.

As a minimum, you must configure a user name and the password for each remote user. User names can be up to 128 characters long and can contain any character except a comma (,). Note that once you add a user name, you cannot change the name.

For additional information regarding configuring the security gateway for the VPNremote Phone, see the Avaya Security Gateway Configuration Guide for VPNos 4.6.

Configuring VPNremote Phone system parameters on the devices

Table 1 lists the configurable system parameters for the supported devices. For more

information regarding system parameters, see Appendix C:

System Parameters Customization.

Table 1: Supported devices system parameters

Supported Device System Parameter Values

Avaya Security Gateway Set the following values:

NVVPNCFGPROF(1) NVCERTUNK(2) NVIKECONFIGMODE(2)

Cisco VPN 3000 Series Concentrators Set the following values:

NVVPNCFGPROF(3) NVVPNSVENDOR(2) NVVPNAUTHTYPE(4) NVIKEXCHGMODE(1) NVIKEIDTYPE(11) NVIKECONFIGMODE(1)

Cisco PIX 500 Series Security Appliances Set the following values:

NVVPNCFGPROF(3) NVVPNSVENDOR(2) NVVPNAUTHTYPE(4) NVIKEXCHGMODE(1) NVIKEIDTYPE(11) NVIKECONFIGMODE(1)

1 of 2

Issue 2 July 2006 15

Configuration

Table 1: Supported devices system parameters (continued)

Supported Device System Parameter Values

Juniper Networks NetScreen series VPN devices

Juniper Networks Secure Services Gateway 500 Series devices

Juniper Networks Integrated Security Gateway (ISG) Series devices

Any Security Device (Generic) with Preshared Key (PSK)

Set the following values:

NVVPNCFGPROF(5) NVVPNSVENDOR(1) NVVPNAUTHTYPE(4) NVIKEIDTYPE(3) NVIKEXCHGMODE(1) NVIKECONFIGMODE(1)

Set the following values:

NVVPNCFGPROF(5) NVVPNSVENDOR(1) NVVPNAUTHTYPE(4) NVIKEIDTYPE(3) NVIKEXCHGMODE(1) NVIKECONFIGMODE(1)

Set the following values:

NVVPNCFGPROF(5) NVVPNSVENDOR(1) NVVPNAUTHTYPE(4) NVIKEIDTYPE(3) NVIKEXCHGMODE(1) NVIKECONFIGMODE(1)

Set the following values:

NVVPNCFGPROF(6) NVVPNSVENDOR(4) NVVPNAUTHTYPE(3)

NVIKECONFIGMODE(2) NVIKEXCHGMODE(1) NVIKEIDTYPE(3)

Any Security Device (Generic) with IKE Extended Authentication (Xauth)

16 Administrator Guide

Set the following values:

NVVPNCFGPROF(7) NVVPNSVENDOR(4) NVVPNAUTHTYPE(4) NVIKEIDTYPE(3) NVIKEXCHGMODE(1) NVIKECONFIGMODE(1)

2 of 2

Converting an IP Telephone to VPN IP Telephone

Use the following procedure and the telephone key pad to convert a non-VPNremote IP telephone into a VPNremote telephone:

1. Allow the telephone to initialize and register with Communication Manager.

2. After the phone is registered, set the GROUP for each phone you want to upgrade to a VPN IP telephone to 876. To initiate the GROUP command from the telephone key pad, press:

Mute 4-7-6-8-7 #

3. After the GROUP command is initiated, enter 8-7-6 # (V-P-N #) for the New value. Use Page LEFT key to erase any errors.

4. Press # to save the new value.

Save new value?

* = no #=yes

Configuration preparation

Downloading the VPN firmware

Prior to configuring the VPNremote Phone, you must first install the VPNremote Phone firmwa re on an existing internal TFTP server. Install the VPNremote Phone firmware files on the same TFTP server that the existing IP telephones 2.3 firmware or higher.

Note:

Note: The TFTP server should not be accessible from outside the enterprise network

without a VPN connection.

To download the firmware:

1. Verify that the file server is configured to upgrade the telephone firmware.

2. Copy the VPNremote Phone software files to the TFTP server. The VPNremote Phone firmware files must be on the same TFTP server as the existing IP telephones firmware.

3. Create a new 46xxupgrade.scr file.

4. Add the following lines to the beginning of the new 46XXupgrade.scr file:

IF $GROUP SEQ 876 goto DEFVPN

GOTO NOVPN

# DEFVPN

GET 46xxvpn.scr

GOTO END

# NOVPN

Issue 2 July 2006 17

+ 39 hidden pages