Polycom VBP User Manual

Polycom® VBP™ System Configuration Guide

9.1.5.3 | January 2011 | 3725-78301-001B

VBP Series Configuration Guide

Trademark Information

Polycom ®, the Polycom logo design, [and others that appear in your document] are registered trademarks of Polycom, Inc.™ are trademarks of Polycom, Inc. in the United States and various other countries. All other trademarks are the property of their respective owners.

Polycom Inc. 4750 Willow Road Pleasanton, CA 94588-2708 USA

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Polycom, Inc. Under the law, reproducing includes translating into another language or format.

s between the parties, Polycom, Inc. retains title to, and ownership of, all proprietary rights with respect to the software contained within its products. The software is protected by United States copyright laws and international treaty provision. Therefore, you must treat the software like any other copyrighted material (e.g. a book or sound recording).

Every effort has been made to ensure that the information in this manual is accurate. Polycom, Inc. is not responsible for printing or clerical errors. Information in this document is subject to change without notice.

Export Notice

This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or re-export may be required by the U.S. Department of Commerce.

Regulatory Compliance

This product was tested to comply with FCC standards for home and office use. It also meets the applicable Industry Canada Terminal Equipment Technical Specifications an VCCI standards.

Licensing

Use of this product is subject to Edgewater Networks Software License Agreement. Portions of this product include software sponsored by the Free Software Foundation and are covered by the GNU GENERAL PUBLIC LICENSE.

Release Date:

January 19, 2011

VBP Series Configuration Guide

Feature Summary .......................................................................................................................................................................................................... 7

System Configuration................................................................................................................................................................................................... 10

Configuring VBP-E Network Settings ...................................................................................................................................................................... 11

Configure WAN settings ...................................................................................................................................................................................... 11

Configure WAN ADSL-PPPoE ............................................................................................................................................................................ 11

Configure WAN DHCP ........................................................................................................................................................................................ 12

Configure WAN Static IP Address....................................................................................................................................................................... 13

Configuring VBP-ST Network Settings .................................................................................................................................................................... 14

Configure Subscriber and Provider settings........................................................................................................................................................ 14

Subscriber Interface Settings .............................................................................................................................................................................. 14

Provider Interface Settings .................................................................................................................................................................................. 15

Configuring LAN Settings ........................................................................................................................................................................................ 16

Configure LAN network settings without VLANs................................................................................................................................................. 16

Configure LAN network settings with VLANs ...................................................................................................................................................... 16

Configuring VLANs .................................................................................................................................................................................................. 16

Set up VLANs on the 4350.................................................................................................................................................................................. 17

Set up VLANs on the 5300-E and 6400-E series................................................................................................................................................ 17

Delete a VLAN..................................................................................................................................................................................................... 17

Configuring Ethernet Interface Link Settings....................................................................................................................................................... 17

SNMP Overview....................................................................................................................................................................................................... 18

Configure SNMP.................................................................................................................................................................................................. 19

Disable SNMP ..................................................................................................................................................................................................... 20

Delete an SNMP trap........................................................................................................................................................................................... 20

Configuring DHCP Services .................................................................................................................................................................................... 20

DHCP Relay ........................................................................................................................................................................................................ 20

DHCP Server....................................................................................................................................................................................................... 21

Configuring DHCP Server ................................................................................................................................................................................... 22

Configuring DHCP With VLANs .......................................................................................................................................................................... 23

DHCP Leases...................................................................................................................................................................................................... 24

Configuring DNS for ANNEX O support....................................................................................................................................................................... 25

Diagnose your DNS settings ............................................................................................................................................................................... 28

Firewall rules for securing the network ........................................................................................................................................................................ 29

VBP Firewall Basics................................................................................................................................................................................................. 29

Configure the VBP-E Whitelist/Blacklist .............................................................................................................................................................. 30

VBP-E or VBP-S and ST blocking management ports........................................................................................................................................ 31

VBP-E management ports................................................................................................................................................................................... 31

Trusted Management Addresses ........................................................................................................................................................................ 32

VBP-S or ST management ports......................................................................................................................................................................... 33

CERT Advisory CA-2004-01.................................................................................................................................................................................... 35

Implementing Polycom VBP with a Third-Party Firewall.............................................................................................................................................. 36

Describing the Issue Between H.323 Communications and NAT ........................................................................................................................... 36

VBP Series Configuration Guide

Resolving the Issue Without VBP ............................................................................................................................................................................ 36

Using a 1-1 NAT ...................................................................................................................................................................................................... 36

Using an H.323-Compliant Firewall ......................................................................................................................................................................... 37

Resolving the Issue with VBP.................................................................................................................................................................................. 37

Implementing a VBP with a Third-Party Firewall ..................................................................................................................................................... 38

Implementing a DMZ with a Public IP Space .......................................................................................................................................................... 38

Implementing a DMZ with a Private IP Space ......................................................................................................................................................... 39

Required Ports......................................................................................................................................................................................................... 40

VBP-E DMZ required ports to and from the WAN interface................................................................................................................................ 42

VBP-E DMZ required ports inbound to the LAN interface................................................................................................................................... 43

VBP-E DMZ required ports outbound from the LAN interface ............................................................................................................................ 44

VBP-ST DMZ required ports inbound from the Internet to the VBP (H.460 support) ......................................................................................... 45

VBP-ST DMZ required ports outbound from the VBP to the Internet (H.460 support) ....................................................................................... 46

VBP-ST DMZ required ports inbound from the Internet to the VBP (H.460 and Access Proxy)......................................................................... 47

VBP-ST DMZ required ports outbound from the VBP to the Internet (H.460 and Access Proxy) ...................................................................... 49

VBP-ST DMZ required ports inbound from the LAN gatekeeper (H.323 and Access Proxy)............................................................................. 50

VBP-ST DMZ required ports outbound to the LAN gatekeeper (H.323 and Access Proxy)............................................................................... 52

VBP Topologies ........................................................................................................................................................................................................... 53

Overview .................................................................................................................................................................................................................. 53

Centralized Gatekeeper Diagram ............................................................................................................................................................................ 54

Distributed Gatekeeper Diagram - 1.................................................................................................................................................................... 55

Distributed Gatekeeper Diagram - 2.................................................................................................................................................................... 56

Configuring the VBP E-Series Appliance for LAN-side Gatekeeper Mode ............................................................................................................. 57

Alias Manipulation ............................................................................................................................................................................................... 60

Configuring the VBP E-Series Appliance for Embedded Gatekeeper Mode........................................................................................................... 61

Example for prefix routing to simplify dialing using the DST E.164 as a prefix................................................................................................... 64

Peering Proxy Overview .......................................................................................................................................................................................... 66

How Peering Proxy Works .................................................................................................................................................................................. 66

Configuring the VBP E-Series Appliance for Peering-Proxy Mode..................................................................................................................... 69

Regular Expressions ........................................................................................................................................................................................... 71

Centralized Gatekeeper Configuration................................................................................................................................................................ 73

Centralized Gatekeeper DiagramConfiguring the VBP S and ST-Series Appliance for Provider-side gatekeeper mode.................................. 74

Configuring the VBP S and ST-Series Appliance for Provider-side gatekeeper mode....................................................................................... 75

Configuring the VBP E-Series Appliance for WAN-side Gatekeeper Mode........................................................................................................ 77

Access Proxy Summary and Configuration ............................................................................................................................................................. 78

Access Proxy Diagram ........................................................................................................................................................................................ 79

NAT routers tested .............................................................................................................................................................................................. 80

Software requirements for Interoperability .......................................................................................................................................................... 80

Prerequisites........................................................................................................................................................................................................ 81

Configuration steps for the CMA server .............................................................................................................................................................. 82

CMA Setup for Sites............................................................................................................................................................................................ 85

Configuration steps for the VBP-ST .................................................................................................................................................................... 87

VBP Series Configuration Guide

Configure the VBP-ST VoIP ALG H.323 settings................................................................................................................................................ 88

CMA Desktop Configuration................................................................................................................................................................................ 91

HDX Configuration............................................................................................................................................................................................... 93

Troubleshooting Access Proxy............................................................................................................................................................................ 95

VVX 1500 D Configuration for Premise SIP Voice and H.323 Video ........................................................................................................................ 103

Configuring the VBP-ST Headquarters H.323 Video Settings .............................................................................................................................. 105

Configuring the VBP-ST Headquarters SIP Voice Settings .................................................................................................................................. 106

Configuring the VBP SoHo-2 H.323 Video Settings.......................................................................................................................................... 107

Configuring the VBP SoHo-2 SIP Voice Settings.............................................................................................................................................. 108

Configuring the VVX 1500 D for H.323 Video and SIP Voice Services................................................................................................................. 109

Sample SIP Voice and H.323 Video Signaling Flows ....................................................................................................................................... 117

Sample H.323 Video Call and RTP Flows ........................................................................................................................................................ 118

Sample SIP Voice Call and RTP Flows............................................................................................................................................................. 119

Optional VBP-E at the Headquarters Location...................................................................................................................................................... 120

Configuring the VBP H.323 Video Settings....................................................................................................................................................... 120

Configuring the VBP SIP Voice Settings........................................................................................................................................................... 121

Optional VBP-E at the Headquarters Location - CMA Settings ........................................................................................................................ 123

Sample H.323 Video Inbound Call and RTP Flows ..........................................................................................................................................126

Sample SIP Voice Inbound Call and RTP Flows .............................................................................................................................................. 127

Using the VBP to Diagnose Issues ...................................................................................................................................................................128

Traffic Shaper Configuration ...................................................................................................................................................................................... 133

Configuring the Traffic Shaper ..........................................................................................................................................................................133

Diagnostics and Troubleshooting............................................................................................................................................................................... 135

Viewing Version, Hardware Platform and LAN MAC Address .......................................................................................................................... 135

Viewing the ALG Registration Code.................................................................................................................................................................. 135

Entering the Registration Code ......................................................................................................................................................................... 135

Viewing Networking Information........................................................................................................................................................................ 136

Link Status......................................................................................................................................................................................................... 136

Interface Information ......................................................................................................................................................................................... 136

Using Troubleshooting Tools................................................................................................................................................................................. 137

Ping and Traceroute Tests ................................................................................................................................................................................ 137

Networking Restart............................................................................................................................................................................................ 138

Rebooting the System ....................................................................................................................................................................................... 138

Reboot the system............................................................................................................................................................................................. 138

Using T1 Diagnostics............................................................................................................................................................................................. 139

Perform T1 diagnostics ..................................................................................................................................................................................... 139

View T1 Statistics .............................................................................................................................................................................................. 139

View advanced T1 diagnostics.......................................................................................................................................................................... 139

Device Configuration Management............................................................................................................................................................................ 140

Using the configuration backup command ........................................................................................................................................................ 140

Creating a backup file and save to local flash................................................................................................................................................... 141

VBP Series Configuration Guide

Copy a backup file to a remote TFTP server .................................................................................................................................................... 141

Download a backup file from a remote TFTP server......................................................................................................................................... 141

List available backup files.................................................................................................................................................................................. 141

Delete a backup file........................................................................................................................................................................................... 141

Loading a backup file to become the running configuration.............................................................................................................................. 142

Regulatory Notices..................................................................................................................................................................................................... 143

END-USER LICENSE AGREEMENT FOR POLYCOM® SOFTWARE................................................................................................................ 143

Appendix A. Compliance and Compatibility for the VBP 200EW Converged Network Appliance............................................................................. 151

WIRELESS ............................................................................................................................................................................................................151

INDUSTRY CANADA (IC) NOTICE....................................................................................................................................................................... 151

Appendix B. Compliance and Compatibility for the VBP 4350 Converged Network Appliance ................................................................................153

JAPAN EMC COMPATIBILITY.............................................................................................................................................................................. 153

FCC PART 68 NOTICE TO USERS OF DIGITAL SERVICE................................................................................................................................ 153

Appendix C. Compliance and Compatibility for the VBP 4350W Converged Network Appliance............................................................................. 155

INDUSTRY CANADA (IC) NOTICE....................................................................................................................................................................... 155

Appendix D. Compliance and Compatibility for the VBP 5300S Converged Network Appliance.............................................................................. 157

FCC PART 15 NOTICE ......................................................................................................................................................................................... 157

Industry Canada NOTICE...................................................................................................................................................................................... 157

Appendix E. Compliance and Compatibility for the VBP 5300E Converged Network Appliance.............................................................................. 158

Appendix F. Compliance and Compatibility for the VBP 6400S Converged Network Appliance .............................................................................. 159

Appendix G. Compliance and Compatibility for the VBP 6400E Converged Network Appliance.............................................................................. 162

VBP Series Configuration Guide

Feature Summary

The Video Border Proxy (VBP) Series features intelligent, all-in-one networking solutions for enterprises and service providers. These solutions reduce costs by simplifying the deployment, management and security of converged voice, video and data networks. The following table lists the important functions provided by each model of the VBP Series:

Function 200 EW 4350 and 4350EW 5300-E 5300-S & ST 6400-E 6400-S & ST

Resolves NAT/firewall traversal problems by providing an application layer gateway (ALG) that supports voice and H.323 protocols

Protects the enterprise LAN using a stateful packet inspection (SPI) firewall for both H.323 and data traffic

Protects the enterprise LAN using a stateful packet inspection (SPI) firewall for H.323 traffic

Application aware firewall dynamically provisions and closes UDP ports used for H.323 calls

Provides NAT and PAT for data that hides enterprise LAN topology

Provides NAT and PAT for H323 that hides enterprise LAN topology

Provides integrated tools to facilitate problem isolation

Uses a simple web based GUI for configuration

Site-to-site networking using IPSec: 3DES, SHA-1

X X X X X X

X X X X

X X

X X X X X X

X X X X

X X X X X X

X X

Performs static IP routing

Supports logging to external syslog servers

X X X X X X

VBP Series Configuration Guide

Function 200 EW 4350 and 4350EW 5300-E 5300-S & ST 6400-E 6400-S & ST

Provides a DHCP server for enterprise PCs and video devices

Supports Access Proxy – requires H.460 traversal “ST” S systems will need to be upgraded

Provides H.460-based traversal support (1)

Supports up to 1 Mbps of H.323 traffic - or up to 35 Mbps data traffic

Supports up to 3 Mbps of H.323 traffic - or up to line rate for data traffic

Supports up to 10 Mbps of H.323 traffic - or up to line rate for data traffic

Supports up to 25 Mbps of H.323 traffic - or up to line rate for data traffic

Supports up to 25 Mbps of H.323 traffic (2)

Supports up to 85 Mbps of H.323 traffic - or up to line rate for data traffic

Supports up to 200 Mbps of H.323 traffic (2)

Supports up to 85 Mbps of H.323 traffic (2)

Supports up to 200 Mbps of H.323 traffic (2)

Supports T1 and Ethernet WAN types

Supports Ethernet WAN types

Supports WAN protocols, DHCP, ADSL-PPPoE, Static IP

X X X X

X X

X X X X X X

X X

VBP Series Configuration Guide

Supports WAN protocols, DHCP, Static IP

Supports up to 16 VLAN’s

X X X X

(1) ST models only (2) ST models do not support data NAT related features

VBP Series Configuration Guide

System Configuration

You can configure the Video Border Proxy (VBP) series appliance to support a wide range of network services and enable or disable specific services based on the requirements of your network.

This chapter explains how to configure the VBP series appliance to function in your IP network. You will configure the Ethernet interfaces, network addresses, DNS settings, default gateway, SNMP settings, DHCP services, firewall settings, and change the administrative password.

VBP Series Configuration Guide

Configuring VBP-E Network Settings

Note: Ask your ISP to assign an IP address for the VBP series appliance, an IP address for the gateway, and a preferred and secondary IP address for the DNS server.

Configure WAN settings

1. Choose Network from the Configuration Menu.

2. Select the method to use to obtain an Internet connection.

3. When you select a connection method, the page displays the appropriate settings in the WAN Interface Settings area. a. ADSL-PPPoE—Enter the user name and password assigned by the network provider, and indicate whether to monitor the

connection using keepalive ping messages. b. DHCP—No additional configuration required. c. Static IP Address—Enter the IP address and subnet mask. d. T1—Enter the IP address and subnet mask. Click the underlined T1 link to open the T1 Configuration page and set additional T1

parameters.

4. Click Submit.

A message indicates that service will be temporarily interrupted.

5. Click OK to confirm.

Configure WAN ADSL-PPPoE

ADSL-PPPoE (1)

Select to display these options. When selected the

WAN Ethernet port will perform a PPP negotiation to obtain and IP address, this IP will be assigned to the ppp0 interface viewable in the “Network Information page” a link to this page is provided. The default gateway and DNS servers are also sent to the system in the DHCP reply.

User Name (2)

Enter user name your ISP has assigned to your DSL

account.

Password (3)

Enter password for your user name your ISP has assigned to your DSL account

VBP Series Configuration Guide

Keepalive Ping (4)

Selected by default to send an LCP-echo request, this is called a link control protocol “ping” not to be confused with ICMP based ping. The PPP LCP “ping” interval is every 60 seconds; if 3 request are not responded to (180 seconds) the system will re-establish the PPP connection. When this happens you may receive a different IP address. For this reason it is recommended to setup a “Dynamic DNS” account, this allows remote locations to enter a DNS name to dial your location. (see the Dynamic DNS page under “System”) see RFC 1661 for PPP related information.

Primary DNS Server (5)

Entering static DNS information for a dynamic WAN type will override what is received during PPP negotiation

Secondary DNS Server (6)

Entering static DNS information for a dynamic WAN type will override what is received during PPP negotiation

Configure WAN DHCP

DHCP (1)

Select to choose this option. When selected the WAN Ethernet port will perform a DHCP negotiation to obtain and IP

address, this IP will be assigned to the eth1 interface viewable in the “Network Information page” a link to this page is provided. The default gateway and DNS servers are also sent to the system in the DHCP reply.

Primary DNS Server (2)

Entering static DNS information for a dynamic WAN type will override what is received during DHCP negotiation

Secondary DNS Server (3)

Entering static DNS information for a dynamic WAN type will override what is received during DHCP negotiation

VBP Series Configuration Guide

Configure WAN Static IP Address

Static IP Address (1)

Select to display these options

IP Address (2)

Enter IPv4 IP address

Subnet Mask (3)

Enter subnet mask as appropriate, default gateway must be in this subnet

Default Gateway (4)

Enter IP address of the upstream (WAN) router

Primary DNS Server (5)

Enter primary DNS server IP

Secondary DNS Server (6)

Enter Secondary DNS server IP

Note: The VBP WAN interface must be assigned a publicly routable IP address. Assigning a RFC1918 address to the WAN interface is not supported

VBP Series Configuration Guide

Configuring VBP-ST Network Settings

Configure Subscriber and Provider settings

1. Choose Network from the Configuration Menu.

2. Configure all parameters indicated, double check that you have the correct IP’s for the interfaces as defined

3. Click Submit.

A message indicates that service will be temporarily interrupted.

4. Click OK to confirm.

Subscriber Interface Settings

IP Address (1)

Enter the IPv4 IP address, while this interface is call “Subscriber”

its commonly placed on the Internet or WAN side of the network.

The default IP address is 192.168.1.1 while this IP is associated

to the LAN, it is used by default on the Subscriber interface. The

reason for this is for configuring the system for the first time for

documentation procedures of attaching your PC to “port 1” to

reach 192.168.1.1, when you reconfigure the Public IP on the

Subscriber interface, and the firewall is enabled, you will place

this interface on the public network

Subnet Mask (2)

Enter subnet mask as appropriate, default gateway must be in

this subnet

Default Gateway (6)

Enter IP address of the upstream (WAN) router

Primary DNS Server (7)

Enter primary DNS server IP

Secondary DNS Server (8)

Enter Secondary DNS server IP

VBP Series Configuration Guide

Provider Interface Settings

Static IP Address (3) Select to display these options, while DHCP is an option on

the Provider interface, it is not commonly used due to the

nature of H.323, and the dependencies that other H.323

network equipment have on the Provider or LAN network.

There are typically multiple devices that require entering this

IP statically as part of installing and configuring these other

H.323 devices, e.g. gatekeeper, MCU, other routers that

provide route entries to the VBP-ST. It is highly recommended

that you do not use DHCP on the Provider interface.

IP Address (4) Enter IPv4 IP address, while this interface is called “Provider”

In most deployments this interface will be placed in the private

or LAN side of the network

Subnet Mask (5)

Enter subnet mask as appropriate, when creating “Route”

entries the gateways for the route entry must be within this

subnet.

VBP Series Configuration Guide

Configuring LAN Settings

This section describes how to set up LAN parameters with and without VLANs. The VLAN configuration feature allows you to connect the appliance to an Ethernet switch that has been configured to use VLANs. VBP-S and ST platforms do not support VLAN’s

Note: The VBP appliance is shipped with LAN IP address 192.168.1.1 and subnet mask 255.255.255.0

Configure LAN network settings without VLANs

1. Choose Network from the Configuration Menu.

2. The LAN Interface Settings area of the Network page shows the LAN IP address (192.168.1.1) and subnet mask (255.255.255.0).

3. Clear the Enable VLANs checkbox.

4. Click Submit.

A message indicates that service will be interrupted while the new interface is added.

5. Click OK to confirm.

Configure LAN network settings with VLANs

1. Choose Network from the Configuration Menu.

2. Select Enable VLANs.

3. Click Submit.

A message indicates that service will be interrupted while the new interface is added.

4. Click OK to confirm.

5. Click VLAN Settings to open the VLAN page.

6. Configure settings as appropriate for your VBP model.

Configuring VLANs

The VBP series appliance supports tagged and untagged VLANs. As specified in the IEEE 802.1q standard, tagged VLANs incorporate the VLAN ID and priority in the packet header. Untagged VLAN packets do not include the VLAN ID or priority.

Most VBP series appliances (200EW, 4300T, 4350, 4350EW and the 5300/6400 series) provide support for multiple tagged VLANs. The 5300-E and 6400-E series each support a single untagged VLAN; while the 200EW, 4300T, 4350, 4350EW support up to four untagged VLANs. VBP-S and ST platforms do not support VLAN’s

All VBP-E series appliances support up to 16 VLANS.

VBP Series Configuration Guide

Set up VLANs on the 4350

1. Choose System > VLAN Configuration from the Configuration Menu.

2. Choose 802.1 or 802.1q from the LAN Port Membership pull-down list. Click Modify. If 802.1 is selected, radio buttons are presented to permit selection of a single VLAN. If 802.1q is selected, checkboxes are presented to permit selection of multiple tagged VLANs.

3. To add and configure a new VLAN, enter the new VLAN ID, IP address, and network mask. Click Add. A new VLAN entry is added to the VLAN configuration. The mode of the physical port determines the rules for VLAN assignment:

a. 802.1 mode: Assign the port to a single VLAN. b. 802.1q mode: Assign the port to multiple VLANs

4. Repeat steps 3 for each VLAN you wish to create.

Set up VLANs on the 5300-E and 6400-E series

1. Choose System > VLAN Configuration.

2. The screen displays the IP address and subnet mask of the default untagged VLAN. The LAN Ethernet port on the 5300 and 6400 can have both a single untagged and multiple tagged VLANs. Each new VLAN that you add will be tagged only, the untagged VLAN is represented as “eth0”, if changes to this VLAN are necessary go to the “Network” page and modify the “LAN Interface Settings”.

3. To add a tagged VLAN, enter the VLAN ID, IP address, and network mask, and click Submit.

A message indicates that service will be interrupted while the new interface is added.

4. Click OK to confirm.

5. Repeat steps 3 for each VLAN you want to create.

Delete a VLAN

1. Choose System > VLAN Configuration from the Configuration Menu.

2. Click the “trash can” icon to the right of the VLAN entry. It is not necessary to click Submit after deleting a VLAN.

Configuring Ethernet Interface Link Settings

You can modify the Ethernet interface link settings for the appliance, since “Auto-negotiate” interoperability can be problematic for real time protocols, it is recommended to statically configure both VBP Ethernet ports and the switch ports the VBP’s interfaces are connected to.

Depending on the WAN link it may be necessary to adjust the WAN MTU size, this issue is typically seen on connections under T1 rates or, DSL links and that depends on the DSL devices ability to set the MTU or MSS size.

VBP Series Configuration Guide

Note: Take care when adjusting the Ethernet link rate. The device may become unreachable if an incompatible rate is set.

1. Choose System > Set Link.

2. Select a rate for each Ethernet link, or choose Auto-negotiate.

3. Click Submit.

A message indicates that service will be interrupted while the new interface is added.

4. Click OK to confirm.

SNMP Overview

The VBP series appliance can be managed remotely by an SNMP network management system such as HP Openview. SNMPv1, v2, and v3 and the following MIBS are supported:

MIB-II (RFC 1213) IF-MIB (RFC 2863) SNMP MIB-V2 (RFC 3418) TCP-MIB (RFC 4022) IP-MIB (RFC 2011) UDP-MIB (RFC 4113) SNMP-VIEW-BASED-ACM-MIB (RFC 3415) SNMP-MPD-MIB (RFC 3412) SNMP-USER-BASED-SM-MIB (RFC 3414) SNMP-FRAMEWORK-MIB (RFC 3411)

All MIB variables are read only. The SNMP MIB-V2 variables sysContact, sysLocation and sysName can be set through the web GUI.

The web GUI supports the configuration of multiple SNMP v1 and SNMP v2 trap destinations. The traps are sent to each of the configured destination using the appropriate protocol version and community string. SNMPv3 supports only one trap destination.

The VBP series appliance sends the following traps:

coldStart authenticationFailure linkup linkDown

VBP Series Configuration Guide

Configure SNMP

1. Choose System > Services Configuration.

2. To use SNMPv1 or SNMPv2, select the Enable SNMPv1 checkbox. By default, the agent-address field in SNMPv1 traps is set to the address of the interface that is used to send the trap. You can assign a custom IP address by entering a value in the SNMPv1 Trap Agent IP Address field.

3. To use SNMPv3, check the Enable SNMPv3 checkbox. Enter the user name, passphrase, security method, trap context, and destination trap IP address. The following security methods are supported:

4. None: No authentication and no Privacy

5. Auth(MD5): Authentication using MD5

6. AuthPriv(MD5/DES): Authentication using MD5 and Privacy using DES protocol

7. Click Submit.

A message indicates that service will be temporarily interrupted.

8. Click OK to confirm.

The figure below displays the VBP configuration for the SNMP Network setup:

Figure 1. SNMP Configuration Example

VBP Series Configuration Guide

Disable SNMP

1. Choose System > Services Configuration.

2. Clear the Enable SNMPv1 or Enable SNMPv3 checkbox.

A message indicates that service will be temporarily interrupted.

3. Click OK to confirm.

Delete an SNMP trap

1. Choose System > Services Configuration.

2. Click the “trash can” icon for the trap.

3. Click Delete.

Configuring DHCP Services

You can configure DHCP services with and without VLANs on all E series appliances. You can also relay DHCP requests to an external DHCP server or use the DHCP server included in the VBP series appliance.

DHCP Relay

When you enable DHCP relay and point to a valid DHCP server, you determine that all DHCP requests will be forwarded to that server. Local DHCP and DHCP Relay are mutually exclusive. That is, turning on DHCP Relay automatically turns off local DHCP, and turning on DHCP automatically turns off DHCP Relay.

As you configure the functions featured on the page, review the following list:

Enable DHCP Relay

Select this checkbox to enable DHCP Relay.

DHCP Relay IP Address

Enter the IP address of the DHCP server where the system will forward traffic.

1. Choose DHCP Relay from the Configuration Menu.

2. Check Enable HDCP Relay

3. Enter the DHCP Relay IPv4 IP Address

4. Click Submit.

A message indicates that service will be temporarily interrupted.

5. Click OK to confirm.

VBP Series Configuration Guide

DHCP Server

DHCP is a protocol that enables PCs and workstations to get temporary or permanent IP addresses (out of a pool) from centrally administered servers. All VBP E series appliances can act as a DHCP server, assigning IP addresses to devices in the network. You can configure blocks of IP addresses, default gateway, DNS servers, and other parameters that can be served to requesting devices.

Table 1 lists the DHCP options supported by the systems DHCP Server.

DHCP on your system does not have to be enabled if a DHCP server exists elsewhere in your company network. It can be disabled. When you have enabled the DHCP server, you can turn it on or off using the Enable DHCP Server box without having to change other settings.

The DHCP IP Address Ranges table shows the dynamic addresses to use for the LAN devices. Enter individual DHCP IP addresses or a range. Assign static IP addresses for any common-access devices, such as printers or fax machines.

Table 1 DHCP Server Options

Option Description

1 Subnet Mask - LAN Netmask of the VBP Network page

2 Time Offset

3 Router - LAN IP of the VBP Network page

6 DNS Server - DNS IP, Network page

42 NTP Servers

51 IP address lease time - Lease duration in seconds, DHCP page

53 DHCP Message Type - Set by DHCP server

54 Server Identifier - LAN IP of the VBP

66 FTP Server name

67 Boot file name

129 Call Server IP Address - VLAN ID Discovery

150 Phone Image TFTP Server IP - LAN IP of the VBP, Network

Page

151 MGCP Control Server IP - LAN IP of the VBP, Network Page

159 Allows the user to enter a text string in the form of a FQDN. It can

be used to point phones to the domain name of a TFTP server using HTTP.

160 Allows the user to enter a text string in the form of a FQDN. It can

be used to point phones to the domain name of a TFTP server using HTTPS.

VBP Series Configuration Guide

Configuring DHCP Server

Configuring DHCP Server on the VBP appliance includes enabling the server and configuring the DHCP IP Address range to be used by LAN devices. Use the following procedure to configure DHCP.

Configure DHCP

Choose DHCP Server to open the DHCP Server page. As you configure the functions featured on the page, review the following list:

DHCP IP Address Ranges Table (1)

Shows the dynamic addresses to use for the LAN devices. Enter individual DHCP IP addresses or a range. To configure an address range, select the appropriate values and click Add. To delete an address, Click the trash can icon. When adding a new range you must click submit to apply the new range to the DHCP server.

VLAN (9) see next page for reference

Select the VLAN served by the DHCP server.

Enable DHCP Server (2)

Select this checkbox to enable the DHCP server.

Subnet Mask (3)

Subnet Mask address for the DHCP pool. This mask is configured from the LAN subnet mask in the Network page

Lease Duration (Days) (4)

Enter the number of days you want to lease the DHCP service. This is the amount of time a DHCP service will remain connected without lapse. The value can be 1 day minimum and 30 days maximum. Note: when the DHCP lease has expired and the client requests a new IP, it is common for the system to assign the same IP to that system MAC address, if 2 clients make a DHCP request at the same time the lease expires, it is “possible” the system will not assign the same IP.

Time Offset, +/- hours (option 2) (5) (optional)

Set the time offset in hours from UTC (Universal time Code) for your local location.

VBP Series Configuration Guide

NTP Server Address (option 42) (6) (optional)

Set the Network Time Protocol (NTP) address that is served out by DHCP. This field can have a IP address or DNS name of a valid NTP server. Note: if a DNS name is entered in this field the system will perform a DNS A record lookup and use the IP address returned from this lookup to respond to the DNS request from the client as option 42, if the systems DNS server’s configured on the Network page are unresponsive, the DHCP response will be delayed.

WINS Address (option 44) (7) (optional)

Enter the IPv4 IP address of your WINS server. The Windows Internal Naming Service (WINS) is a service that keeps a database of computer name-to-IP address mappings so that computer names used in Windows environments can be mapped to IP addresses.

TFTP/FTP Server Name (option 66) (optional)

Set the TFTP/FTP server name that is served out by DHCP. By default, this option is the same as the TFTP server on the ALG page.

VLAN ID Discovery (option 129) (optional)

Set the VLAN ID that devices will acquire after rebooting.

From the Network page (8)

This area is for information only, the DNS IP’s shown and the Default Gateway shown will be sent to the client in the DHCP reply

Configuring DHCP With VLANs

This section describes using the DHCP Server capability on the VBP series appliance with configured VLANs. The VBP series appliance supports a maximum of 16 VLANs, all of which could be associated with the DHCP Server. The following are default VLAN IDs used on the VBP appliance:

• VLAN ID 1 (formerly 2730)-- used for management interface (VBP 5300 and 6400 appliances only)

• VLAN ID 500 -- used for video

• VLAN ID 600 -- used for data

Note: To use DHCP with VLANs, the VLAN capability must be enabled and VLANs configured.

Once VLAN capability is enabled and VLANs configured, use the following procedure.

1. Select the VLAN to be used from the drop down list.

2. Check Enable DHCP Server.

3. Add DHCP IP Address Ranges (Scope). In the DHCP IP Address Range table input the starting and ending IP address, then click Add.

4. Click Submit, when adding an extra IP Address Range to this server you must click submit to apply the new range. 23

VBP Series Configuration Guide

DHCP Leases

The DHCP Leases page displays view-only information about clients that are currently leasing a DHCP address.

View DHCP lease information

Choose DHCP Server > DHCP Leases.

Hostname

Name of the client that is currently using

this DHCP address.

IP Address

IP address of the client.

MAC Address

MAC address of the client.

Expires

Date and time that the DHCP address expires.

Delete

Select the client you wish to delete and click “Delete”

VBP Series Configuration Guide

Configuring DNS for ANNEX O support

ANNEX O http://www.itu.int/rec/T-REC-H.323/en is a recommendation within the H.323 standard to define a means in which endpoints and border elements standardize on a common dial plan. ANNEX O is also referenced as URI or URL dialing in the form of john.smith@example.com user@host format.

The user portion of this format will be the H.323 endpoints E.164 and or H.323-ID. When the endpoint registers to the gatekeeper with these aliases the endpoint can be called with either as the user portion. The host portion can be a legal numeric IP address or a fully qualified domain name (FQDN) a company has registered, in this explanation we will reference example.com and discuss the DNS infrastructure and configurations needed. Using a FQDN for H.323 services will require specific SRV and A records to be created on the DNS sever.

If you choose to standardize on ANNEX O as your dial plan DNS records will be to needed to simplify the method in which remote locations call into your enterprise that could have a single VBP or multiple VBPs installed at the border. Outbound calls from the VBP to remote domains or enterprises will depend on what the user dialed and how that location has deployed there H.323 solution and domain records.

Discussed in this section is a simplified explanation of DNS SRV records and how to configure them for your domain for incoming calls. When users on the enterprise call outbound the VBP will perform SRV and A record queries as described for the H.323 endpoint as both use a similar but different DNS application client to perform the request.

SRV records also provide a method to prioritize which VBP receives incoming calls, or with the SRV priority field set to an equal value a round robin method could be supported to distribute the load throughout the enterprise. Using a round robin approach will depend on how the calling H.323 DNS client supports the usage of the priority and weighting fields, some H.323 endpoints may not support this feature correctly.

You will need to configure the following on your DNS server

• SRV service records – Service records specify the A record or FQDN of the VBP

• A Records – Defines the IPv4 address of the VBP

SRV record format as defined by http://www.ietf.org/rfc/rfc2782.txt locations to reach your enterprise. The method in which most inbound connections will be made will be using the _h323cs service lookup to support an adhoc call using the john.smith@example.com ANNEX O dial plan such as dialing the destination alias E.164 e.g. 8315551234 and require a _h323ls service type.

The proto field should be set to the service respectively e.g. _h323cs is TCP proto and _h323ls is UDP proto

_Service._Proto.Name TTL Class SRV Priority Weight Port Target

• Service: The symbolic name of the service e.g. _h323cs or _h323ls – this field is case sensitive

• Proto: The protocol type e.g. _tcp or _udp – this field is case sensitive

format. Some VBP deployments may require gatekeeper neighboring to support a non

Configuring your DNS settings are for services to your VBP for remote

VBP Series Configuration Guide

• TTL: Standard DNS time to live field

• Class: Standard DNS class field (this is always IN)

• Priority: Refers to the priority of this target host, a lower value receives a higher priority

• Weight: The weight field specifies a relative weight for entries with the same priority

• Port: The port of this target host of this service

• Target: The domain name of the target host, there must be a A record as this name

A record format as defined by http://www.ietf.org/rfc/rfc1034.txt

Configuring your DNS server A record type allows you to map a name to a IPv4 address. Each VBP installed on the network will have a unique IPv4 WAN address assigned and the same applies for the DNS A record name configured. Example;

Name Type Data vbp1.example.com IN A 12.48.270.1 vbp2.example.com IN A 12.48.280.1

DNS servers can be different in configuring the SRV or A record parameters, please consult with your IT staff or DNS provider in configuring the records required for your specific VBP deployment. In the diagram below the enterprise VBP deployment has installed 2 VBP systems in different locations on the WAN network, the reasons for this could be for network redundancy or to distribute the incoming calls between the 2 VBP’s. For the example DNS records we will assume a redundant VBP model is desired.

Create DNS A records for both VBP’s on your DNS server as shown above, then create the SRV records to related the A records. Example;

Name Type Data TTL _h323cs._tcp.example.com IN SRV 0 50 1720 vbp1.example.com 1 day _h323cs._tcp.example.com IN SRV 1 50 1720 vbp2.example.com 1 day

You will need to configure SRV and A record entries for all the VBP’s installed on the network as they relate to the _h323cs service for example.com.

In the above SRV example vbp1.example.com is set for a priority of 0, weight 50, port 1720 (default for call setup) and vbp2 is set for priority 1, weight 50, port 1720. The calling endpoint would send the call SETUP to vbp1 unless vbp1 has become unresponsive to the request, when the call to vbp1 times out, the calling endpoint will use the next lower priority to forward the call to, in this example the call will go to vbp2.

The calling endpoint will query the DNS server for an SRV record first, if there is no such record found the H.323 endpoint will perform an A record query, if there is no such record found the H.323 endpoint will fail the call and the user will need to dial the destination by the IPv4 address.

An important item to note is, example.com is the destination domain, this domain will usually have different services configured, HTTP, Email etc. Web browsers and email clients will query the DNS server for their service type, H.323 endpoints and border elements are another configured service type to the domain.

VBP Series Configuration Guide

Using the SRV and A record examples above the below diagram shows an example of a H.323 endpoint dialing john.smith@example.com the H.323 endpoint will perform a SRV query on example.com to the DNS server address configured in the endpoints network parameters. The DNS server will reply back with a DNS SRV query response with vbp1.example.com and vbp2.example.com. The endpoint will now perform a DNS A record query for vbp1.example.com and vbp2.example.com. The DNS server will reply back with a DNS A record response with 12.48.270.1 and

12.48.280.1. The endpoint will now send a call SETUP to 12.48.270.1 with a destination alias of john.smith. If 12.48.270.1 is unavailable, the endpoint will timeout the session and create a new call SETUP to 12.48.280.1

VBP Series Configuration Guide

Diagnose your DNS settings

Adding or changing DNS records can take 24 hours to propagate out internet based DNS servers, if there are users that cannot reach your VBP it may simply be the DNS server they are using have not been updated yet.

You can perform a simple request from your computer by opening a command prompt and typing

nslookup -q=srv _h323cs._tcp.example.com

C:\Documents and Settings\Jane Smith>nslookup -q=srv _h323cs._tcp.example.com Server: vnsc-bak.sys.gtei.net Address: 4.2.2.2

Non-authoritative answer: _h323cs._tcp.example.com SRV service location: priority = 1 weight = 50 port = 1720 svr hostname = vbp2.example.com _h323cs._tcp.example.com SRV service location: priority = 0 weight = 50 port = 1720 svr hostname = vbp1.example.com

Now perform a ping to the hostname for both entries

C:\Documents and Settings\Jane Smith>ping vbp1.example.com

Pinging vbp1.example.com [12.48.270.1] with 32 bytes of data:

Reply from 12.48.270.1: bytes=32 time=94ms TTL=49 Reply from 12.48.270.1: bytes=32 time=95ms TTL=49 Reply from 12.48.270.1: bytes=32 time=93ms TTL=49 Reply from 12.48.270.1: bytes=32 time=107ms TTL=49

Ping statistics for 12.48.270.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 93ms, Maximum = 107ms, Average = 97ms

VBP Series Configuration Guide

Firewall rules for securing the network

VBP Firewall Basics

The VBP system deploys a Linux iptables firewall, and as a converged system, this firewall is controlled by internal applications dynamically. The H.323 ALG application uses iptables dynamically; as H.323 calls are being proxied and modified at Layer 5, the firewall ports for TCP H.245 messages are dynamically opened. This H.245 TCP connection is used by the endpoints to send media related parameters, what codecs can be used for audio and video, how many channels will be used, what ports both endpoints intend to send/receive RTP on, etc. During this negotiation the VBP NAT/PAT’s this information as messages pass through the system, since the VBP provides the NAT (network address translation) PAT (port address translation) function, the VBP will know what UDP ports and IP’s to allow to incoming connections.

This process happens dynamically, there is nothing to configure on the Firewall page to setup the system. The below methods are mainly for call control, as soon as the call control is allowed the system will allow the RTP media ports dynamically. TCP Port 1720 is used by H.323 devices as the call control port and more important is the presence of the TCP port 1720 connection; if this connection is closed by any device in the path, the endpoints will disconnect the session and the VBP will shut down access to the UDP media ports dynamically. During normal call control when a user hangs up the system, there are normal disconnect messages that happen at Layer 5 when a system wishes to disconnect, the end result after these Layer 5 messages have terminated normally is both endpoints will close the TCP port 1720 connection causing all devices between the endpoints to remove their NAT/PAT contracts.

VBP Series Configuration Guide

Configure the VBP-E Whitelist/Blacklist

1. Select - > VoIP ALG

2. Select - > H.323

3. Select - > Whitelist/Blacklist

4. Click Whitelist (1) to deny all H.323 incoming calls by default and accept the listed addresses.

5. Click Blacklist (2) to accept all H.323 incoming calls by default and deny the listed addresses.

6. Select Commit

When the system comes back up you will now have the ability to add IPv4 addresses.

7. Enter the IPv4 Address (3) and click Add (4)

8. The system will warn you this action will cause active calls to be interrupted.

Note: This feature is designed to allow or deny TCP port 1720 on the WAN or Subscriber interface. This feature is not designed to block outbound access from the LAN or Provider interface.

+ 135 hidden pages