How it Works
TANDBERG
Loading...
D13691.03
User Manual
84 pgs2.01 Mb0
Table of contents
Loading...

TANDBERG D13691.03 User Manual

TANDBERG Border Controller
User Manual
Software version Q3.0
D13691.03
This document is not to be reproduced in whole or in par t without permission in writing from:
TANDBERG Border Controller User Manual
Trademarks and copyright
Copyright 1993-2006 TANDBERG ASA. All rights reserved.
and tradenames are the property of their respective holders and are hereby acknowledged.
Portions of this software are licensed under 3rd party licenses. See the CD accompanying this
product for details.
Disclaimer
without prior notice, and should not be construed as a commitment by TANDBERG ASA.
The information in this document is believed to be accurate and reliable, however TANDBERG
ASA assumes no responsibility or liability for any errors or inaccuracies that may appear in this
document, nor for any infringements of patents or other rights of third parties resulting from its
use. No license is granted under any patents or patent rights of TANDBERG ASA.
COPYRIGHTc2006, TANDBERG ASA
i
TANDBERG Border Controller User Manual
Environmental Issues
Thank you for buying a product which contributes to a reduction in pollution, and thereby helps
save the environment. Our products reduce the need for travel and transport and thereby reduce
pollution. Our products have either none or few consumable parts (chemicals, toner, gas, paper).
Our products are low energy consuming products.
TANDBERG’s Environmental Policy
TANDBERG’s Research and Development is continuously improving TANDBERG’s prod-
ucts towards less use of environmentally hazardous components and substances as well
as to make the products easier to recycle.
TANDBERG’s products are Communication Solutions. The idea of these solutions is to
reduce the need for expensive, time demanding and polluting transport of people. Through
people’s use of TANDBERG’s products, the environment will benefit from less use of
polluting transport.
TANDBERG’s wide use of the concepts of outsourcing makes the company itself a company
with a low rate of emissions and effects on the environment.
TANDBERG’s policy is to make sure our partners produce our products with minimal influence on the environment and to demand and audit their compatibility according to
applicable agreements and laws (national and international).
Environmental Considerations
Like other electronic equipment, the TANDBERG Border Controller contains components that may have a detrimental effect on the environment. TANDBERG works continuously towards
eliminating these substances in our products.
Printed-wiring boards made of plastic, with flame-retardants like Chloride or Bromide.
Component soldering that contains lead.
Smaller components containing substances with possible environmental effect.
After the product’s end of life cycle, it should be returned to authorized waste handling and should
be treated according to National and International Regulations for waste of electronic equipment.
ii
TANDBERG Border Controller User Manual
Operator Safety Summar y
For your protection, please read these safety instr uctio ns completely before operating the equipment and keep this manual for future reference. The information in this summary is
intended for operators. Carefully observe all warnings, precautions and instructions both on the
apparatus and in the operating instructions.
Warnings
Water and moisture - Do not operate the equipment under or near water - for example near
a bathtub, kitchen sink, or laundry tub, in a wet basement, or near a swimming pool or in
areas with high humidity.
Cleaning - Unplug the apparatus from the wall outlet before cleaning or polishing. Do not
use liquid cleaners or aerosol cleaners. Use a lint-free cloth lightly moistened with water for
cleaning the exterior of the apparatus.
Ventilation - Do not block any of the ventilation openings of the apparatus. Install in accordance with the installation instructions. Never cover the slots and openings with a cloth or other material. Never install the apparatus near heat sources such as radiators,
heat registers, stoves, or other apparatus (including amplifiers) that produce heat.
Grounding or Polarization - Do not defeat the safety purpose of the polarized or grounding-
type plug. A polarized plug has two blades with one wider than the other. A grounding type plug has two blades and a third grounding prong. The wide blade or third prong is provided
for your safety. If the provided plug does not fit into your outlet, consult an electrician.
Power-Cord Protection - Route the power cord so as to avoid it being walked on or pinched by items placed upon or against it, paying particular attention to the plugs, receptacles, and
the point where the cord exits from the apparatus.
Attachments - Only use attachments as recommended by the manufacturer.
Accessories - Use only with a cart, stand, tripod, bracket, or table specified by the manu-
facturer, or sold with the apparatus. When a cart is used, use caution when moving the
cart/apparatus combination to avoid injury from tip-over.
Lightning - Unplug this apparatus during lightning storms or when unused for long periods
of time.
Servicing - Do not attempt to service the apparatus yourself as opening or removing covers
may expose you to dangerous voltages or other hazards, and will void the warranty. Refer
all servicing to qualified service personnel.
Damaged Equipment - Unplug the apparatus from the outlet and refer servicing to qualified
personnel under the following conditions:
When the power cord or plug is damaged or frayed
If liquid has been spilled or objects have fallen into the apparatus
If the apparatus has been exposed to rain or moisture
iii
TANDBERG Border Controller User Manual
If the apparatus has been subjected to excessive shock by being dropped, or the
cabinet has been damaged
– If the apparatus fails to operate in accordance with the operating instructions.
iv
TANDBERG Border Controller User Manual
Contents
1 Introduction 1
1.1 TANDBERG Border Controller Overview . . . . . . . . . . . . . . . . . . . . . . . 2
2 Installation 3
2.1 Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Unpacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.3 Mounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.4 Connecting Cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.5 Switching on the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.6 Border Controller Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Getting started 7
3.1 System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2 Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.3 Neighbor Gatekeepers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.4 Alternate Border Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.5 Call Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.6 Firewall Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4 Bandwidth Control 14
4.1 Bandwidth Control and Firewall Traversal . . . . . . . . . . . . . . . . . . . . . . 16
4.2 Bandwidth Control Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
5 Registration Control 20
5.1 Registration Restriction Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
5.2 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
6 URI Dialing 23
6.1 Creating DNS SRV records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7 Example Traversal deployments 25
7.1 Simple Enterprise deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
7.2 Enterprise Gatekeepers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
7.3 Dialing Public IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
7.4 Neighbored enterprises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
7.5 URI dialing from within the enterprise . . . . . . . . . . . . . . . . . . . . . . . . 27
8 Call Policy 29
8.1 Making Decisions Based on Addresses . . . . . . . . . . . . . . . . . . . . . . .
8.2 CPL Script Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
8.3 Unsupported CPL Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
8.4 CPL Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
9 Logging 34
9.1 Controlling what is logged . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
9.2 Event log format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
9.3 Event Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
29
v
TANDBERG Border Controller User Manual
9.4 Logged Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
9.5 Remote Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
10 Software Upgrade 40
10.1 Upgrading Using HTTP(S) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
10.2 Upgrading Using SCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
11 Command Reference 43
11.1 Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
11.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
11.3 Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
11.4 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
11.5 Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
11.6 Other commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
A Appendix: Configuring DNS Servers 65
A.1 Microsoft DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
A.2 Verifying the SRV record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
B Appendix: Configuring LDAP Servers 67
B.1 Microsoft Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
67
B.2 OpenLDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
C Approvals 71
D Technical Specifications 72
E Glossary 75
vi
TANDBERG Border Controller User Manual

1 Introduction

This User Manual i s provided to help you make the best use of your TANDBERG Border
Controller.
A Border Controller is a key component of TANDBERG’s ExpresswayTMfirewall traversal solution.
Used in conjunction with a TANDBERG Gatekeeper or TANDBERG traversal enabled endpoints
it allows calls to be made into and out of a secured private network.
The main features of the TANDBERG Border Controller are:
IPv4 and IPv6 support
Registration of traversal enabled endpoints.
Supports up to 500 registered TANDBERG traversal endpoints.
Secure firewall traversal of any firewall or NAT.
Up to 100 traversal calls.
Supports up to 100 neighboring zones.
Flexible zone configuration with prefix and suffix support.
URI dialing with DNS enabling global connectivity.
Can function as a standalone Border Controller or be neighbored with other Border Con-
trollers and Gatekeepers.
Can be used to control the amount of bandwidth used both within the Border Controller
zone and to neighboring Border Controllers and Gatekeepers.
Can limit total bandwidth usage and set maximum per call bandwidth usage with automatic
down-speeding if call exceeds per-call maximum.
Can be managed with TANDBERG Management Suite 11.0 or newer, or as a standalone
system with RS-232, Telnet, SSH, HTTP and HTTPS.
Embedded setup wizard on serial port for initial configuration.
Note that features may vary depending on software package.
1
TANDBERG Border Controller User Manual

1.1 TANDBERG Border Controller Overview

On the front of the Border Controller there are three LAN interfaces, a serial port (Data 1) and
an LED showing the power status of the system. The LAN 1 interface is used for connecting
the system to your network, LAN interface 2 and 3 are disabled. The serial port (Data 1) is for
connection to a PC, and power on is indicated by the Light Emitting Diode (Power) being lit.
2) for connecting to a PC.
2
TANDBERG Border Controller User Manual

2 Installation

2.1 Precautions

Never install communication equipment during a lightning storm.
Never install jacks for communication cables in wet locations unless the jack is specifically
designed for wet locations.
Never touch uninstalled communication wires or terminals unless the communication line
has been disconnected at the network interface.
Use caution when installing or modifying communication lines.
Avoid using communication equipment (other than a cordless type) during an electrical
storm.
There may be a remote risk of electrical shock from lightning.
Do not use communication equipment to report a gas leak in the vicinity of the leak.
The socket outlet shall be installed near to the equipment and shall be easily accessible.
Never install cables without first switching the power OFF.
This product complies with directives: LVD 73/23/EC and EMC 89/366/EEC.
Power must be switched off before power supplies can be removed from or installed into
the unit.

2.2 Unpacking

the following components:
Border Controller unit
Installation sheet
User manual and other documentation on CD
Rack-ears and screws
Kit with 4 rubber feet
Cables:
Power cables
One Ethernet cable
One null-modem RS-232 cable
3
TANDBERG Border Controller User Manual
2.2.1 Installation site preparations
Make sure that the Border Controller is accessible and that all cables can be easily
connected.
For ventilation: Leave a space of at least 10cm (4 inches) behind the Border Controller’s
rear and 5cm (2 inches) on the sides.
The room in which you install the Border Controller should have an ambient temperature
between 0◦C and 35◦C (32◦F and 95◦F) and between 10% and 90% non-condensing
relative humidity.
Do not place heavy objects directly on top of the Border Controller.
Do not place hot objects directly on top, or directly beneath the Border Controller.
Use a grounded AC power outlet for the Border Controller.

2.3 Mounting

The Border Controller comes with brackets for mounting in standard 19” racks.
Before starting the rack mounting, please make sure the TANDBERG Border Controller is placed
securely on a hard, flat surface.
1. Disconnect the AC power cable.
2. Make sure that the mounting space is according to the ‘Installation site preparations’ in
section 2.2.1.
3. Attach the brackets to the chassis on both sides of the unit.
4. Insert the unit into a 19” rack, and secure it with screws.

2.4 Connecting Cables

Power cable Connect the system power cable to an electrical distribution socket.
LAN cable Connect a LAN cable from the LAN 1 connector on the front of the unit to your
network.
Null-modem RS-232 cable Connect the supplied null-modem RS-232 cable between the Bor-
der Controller’s Data 1 connector and the COM port on a PC.

2.5 Switching on the System

To start the TANDBERG Border Controller, make sure that the following has been done:
The power cable is connected.
The LAN cable is connected.
4
TANDBERG Border Controller User Manual
Then switch the power switch button on the back of the unit to ‘1’.
On the front of the chassis you will see the Power LED being lit.
2.6 Border Controller Initial Configuration
be done using a PC connected to the serial port (Data 1) or by connecting to the system’s default
IP address: 192.168.0.100.
The IP address, subnet mask and gateway must be configured before use. The Border Controller
has to be configured with a static IP address. Consult your network administrator for information
on which addresses to use.
To set the initial configuration, do the following:
1. Connect the supplied null-modem RS-232 cable from Data 1 to a PC running a terminal
program.
2. Start a terminal program and configure it to use the serial port with baud rate 115200, 8
data bits, no parity, 1 stop bit, no flow control.
3. Power on the unit if it is not already on.
4. You should see the unit display start up information.
5. After approximately 2 minutes you will get a login prompt.
6. Enter username admin and your password. The default password is TANDBERG.
7. You will be prompted if you want to run the install wizard. Type y and press Enter.
(none) login: admin Password: Run install wizard [n]: y
8. Specify the following:
(a) The password you want to use for your system. See section 3.1.1 for account details.
(b) The IP address of the system.
(c) The IP subnet mask of the system.
(d) The IP default gateway of the system.
(e) The Ethernet speed.
(f) The local zone prefix, if any, you want to use for the zone controlled by this system.
(g) Whether you want to use SSH to administer the system.
(h) Whether you want to use Telnet to administer the system.
9. You will be prompted to login again. You should see a welcome message like this:
5
TANDBERG Border Controller User Manual
Welcome to TANDBERG Border Controller Release Q3.0 SW Release Date: 2006-01-02 OK
10. Login with username admin and your password.
11. Review other system settings. You may want to set the following:
(a) The name of the Border Controller. This is used to identify the Border Controller by the
TANDBERG Management Suite. See the xConfiguration SystemUnit command in
section 11.2.17 for more information on setting the name.
(b) Automatic discovery. If you have multiple Borde r Controllers in the same network you
may want to disable automatic discovery on some of them. See the xConfiguration
Gatekeeper AutoDiscovery command in section 11.2.4.
(c) The DNS server address and the domain name if the Border Controller will be
configured with hostnames instead of IP address or if URI dialing is required. See the
xConfiguration DNS Server Address command in section 11.2.6 for more information.
12. Reboot the Border Controller by typing the command xCommand boot to make your new
settings take effect.
13. Disconnect the serial cable.
NOTE To securely manage the Border Controller you should disable HTTP and Telnet, using the
encrypted HTTPS and SSH protocols instead. For increased security, disable HTTPS and SSH
as well, using the serial port to manage the system.
NOTE If you do not have an IP gateway, configure the Border Controller with an unused IP
address that is valid in your subnet.
6
TANDBERG Border Controller User Manual

3 Getting started

3.1 System Administration

or a command line interface. The command line interface is available over SSH and Telnet, or
through the serial port. The interface is the same using all three access methods. By default
administration sessions remain active until you logout. Session timeouts may be enabled using the xConfiguration Session TimeOut command.
To enter commands you should start a session and login with user name admin and your
password.
The interface groups information in different commands:
xstatus Provides a read only interface to determine the current status of the system. Information
such as current calls and registrations is available through this command group.
xconfiguration A read/write interface to set system configuration data such as IP address and
subnet.
xcommand A miscellaneous group of commands for setting information or obtaining it.
xhistory Provides historical information about calls and registrations.
xfeedback An event interface, providing information about calls and registrations.
A command reference is given in section 11
3.1.1 Administrator Account
All administration requires you to log in to the administration account with a user name admin
and a password. The default password is TANDBERG, which you are recommended to change
as soon as possible. Choose a strong password, particularly if administraion over IP is en-
abled. Changing the password can only be done through the command line interface using the
command:
xconfiguration systemunit password: new password
If you forget your password, it is possible to set a new password using the following procedure:
Reboot the Border Controller.
Connect to the Border Controller over the serial interface once it has restarted.
Login with the user name pwrec. No password is required.
You will be prompted for a new password.
The pwrec account is only active for one minute following a restart. Beyond that time you will have to restart the system again to change the password. Because access to the serial port allows the password to be reset, it is recommended that you install the Border Controller in a
physically secure environment.
7
TANDBERG Border Controller User Manual
3.1.2 Root Account
The Border Controller provides a root account with the same password as the admin account. This account should not be used in normal operation, and in particular system configuration
should not be conducted using this account: use the admin account instead.

3.2 Registration

Before an endpoint can use the Border Controller it must first register with it. There are two ways
an endpoint can register:
Automatically.
Manually by specifying the IP address of the Border Controller.
You can disable automatic registration on the Border Controller. See auto discovery in section
11.2 for more information.
When registering, the endpoint registers with one or more of the following:
One or more H.323 IDs.
One or more E.164 aliases.
Users of other registered endpoints can then call the endpoint by using either the H.323 ID, a
URI, an E.164 alias, or one of the services.
You should choose H.323 aliases which do not reveal sensitive information. Like e-mail addresses,
they are passed unencrypted when a call is made.
Consult the endpoint documentation for information on how to configure it with a Gatekeeper.
NOTE Only traversal enabled endpoints can register with a TANDBERG Border Controller. All
other registration requests will be rejected. Traversal enabled endpoints include all TANDBERG Expressway endpoints and third party endpoints which support the ITU H.460.18 and H.460.19
standards.
NOTE When URI dialing is used to discover an endpoint, the URI used is based on either the
H.323 ID or the E.164 alias that the endpoint registered with. The local domain is then added to
this. See section 6

3.3 Neighbor Gatekeepers

As you start deploying more than one Gatekeeper or Border Controller, it is useful to neighbor
the systems together so that they can exchange information about registered endpoints. Each
Gatekeeper or Border Controller forms an H.323 zone and is responsible for the endpoints within
that zone.
Controller is then configured with the addresses of all other Gatekeepers and Border Controllers.
When a system receives a call for an endpoint which is not registered with, it will send out a
8
TANDBERG Border Controller User Manual
Location Request to all the other Gatekeepers and Border Controllers on the system. Whilst conceptually simple, this sort of flat dial plan does not scale very well: adding or moving a Gatekeeper requires changing the configuration of every Gatekeeper and B order Controller; one call attempt can result in a flood of location requests. Wi th 3 interconnected systems, an
unknown alias can result in 28 LRQs, with 4 systems some 50,000 LRQs will be generated.
An alternative deployment would use a structured dial plan: endpoints are assigned an alias
based on the system they are registering with. Using E.164 aliases, each Gatekeeper or Border
Controller would be assigned an area code. When the Gatekeepers and Border Controllers are
neighbored together, each neighbor is configured with its corresponding area code as a prefix.
That neighbor will now will only be queried for calls to numbers which begin with its prefix. In a
URI based dial plan, similar behaviour may be obtained by configuring neighbors with a suffix to
match the desired domain name.
It may be desirable to have endpoints register with just the subscriber number — the last part
of the E.164 number. In that case, the Border Controller should be configured to strip prefixes
before placing the Location Request.
A structured dial plan will minimize the number of location requests issued when a call is attempted, but, as described above, still requires a fully connected mesh of all Gatekeepers and Border Controllers in your deployment. A hierarchical dial plan can simplify this. One
Gatekeeper is nominated as the directory gatekeeper for the deployment. All Border Controllers and public Gatekeepers are neighbored with it and vice versa. There is no need to neighbor the
Border Controllers and public Gatekeepers with each other. Adding a new Border Controller or
public Gatekeeper now only requires changing configuration on that system and the Directory
Gatekeeper.
Failure of the directory gatekeeper could cause significant disruption to communications. Con-
sideration should be given to the use of Alternate Gatekeepers (section 3.4) for increased
resilience.
Neighbors are added and zones configured through the command line interface using the xconfiguration zones family of command, xCommand ZoneAdd or through the web interface: Border Controller Configuration Zones as shown in Figure 1. The prefixes and suffixes described above are formed usi ng patterns: each zone may have up to 5 patterns assigned,
each of which may be defined as a prefix or a suffix.
3.3.1 Search Order
If a called alias matches a prefix or suffix zone a strong match is achieved. A weak match is
achieved if a zone is to be queried only because it has no pattern matching configured.
When an incoming call request is received a Border Controller will first search all of its registered endpoints. If no match is found, all strongly matching neighbor and traversal zones will be queried
concurrently. If the target is not found in any of the strongly matching zones, all weakly matching
neighbor zones will be queried, then all weakly matching traversal zones. Finally, if a match has
still not been found, a DNS query may be attempted as descr ibed in section 6.
9
TANDBERG Border Controller User Manual
Figure 1: Adding a new zone
3.4 Alternate Border Controllers
Alternate Border Controller support is provided to increase the reliability of your deployment. If
one Border Controller becomes unavailable, perhaps due to a network or power outage, another
will be used as an Alternate. Alternates share responsibility for their endpoint community: an individual endpoint may be registered with any one of the Alternates. You should configure Alternates identically for all registration and call features such as authentication, bandwidth
control and policy. If you do not do this, endpoint behavior will vary unpredictably depending on
which Alternate it is currently registered with. Alternates should also be deployed on the same
LAN as each other so that they may be configured with the same routing information such as
local domain names and local domain subnet masks.
Each Border Controller may be configured with the IP addresses of up to five Alternates. When
an endpoint registers with the Border Controller, it is presented with t he IP addresses of all the
Alternates. If the endpoint loses contact with its initial Border Controller, it wil l seek to register with one of the Alternates. This may result in your endpoint community’s registrations being
spread over all the Alternates.
Enterprise Gatekeepers which register with the Border Controller may also be given a list of
Alternate Border Controllers to use.
When a Border Controller receives a Location Request, if it cannot respond from its own
registration database, it will query all of its Alternates before responding. This allows the pool of
registrations to be treated as if they were registered with a single Border Controller.
The Alternate Border C ontrollers can be configured within the web interface of the Border Controller by navigating to Border Controller Configuration Gatekeeper. Up to five different
alternates can be configured. Please see Figure 2 for a screenshot of a sample configuration.
10
3.5 Call Control
TANDBERG Border Controller User Manual
Figure 2: Alternate Border Controller configuration
When an endpoint wants to call another endpoint it presents the address it wants to call to the Border Controller using a protocol knows as RAS. The Border Controller tries to resolve
this address and supplies the calling endpoint with information about the called endpoint. The
destination address can take several forms: IP address, H.323 ID, E.164 alias or a full H.323
URI.
When an H.323 ID or E.164 alias is used, the Border Controller looks for a match between the
dialed address and the aliases registered by its endpoints. If no match is found, it may query
other Gatekeepers and Border Controllers.
When dialing by H.323 URI, the destination address resembles an email address. The Border
Controller first follows the procedure for matching H.323 IDs. If that fails it looks for a Gatekeeper
or Border Controller responsible for the domain (the part of the URI following the @ symbol) and
queries that device.
Dialing by IP address is necessary when the destination endpoint is not registered with a Gatekeeper or Border Controller. If it is registered, then one of the other addressing schemes should be used instead as they are more flexible. From your registered endpoint, dial the IP address of the endpoint you wish to call. This requires that the Border Controller has
xConfiguration Gatekeeper CallToUnknownIPAddresses correctly configured.
It is not possible to dial endpoints behind a Border Controller by IP address. Calls should be
made using an E.164 or H.323 alias.
Figure 3 illustrates the process the Border Controller performs when receiving call requests:
11
TANDBERG Border Controller User Manual
12
Figure 3: Location decision flow diagram
TANDBERG Border Controller User Manual

3.6 Firewall Traversal

The Border Controller works with the TANDBERG Gatekeeper, TANDBERG Expressway end­points and other endpoints which support the ITU H.460.18 and H.460.19 standards. In order
to successfully traverse a firewall, the firewall is required to allow initial outbound traffic to des-
ignated ports on the border controller and return traffic from those ports. The ports used are
configurablea and by default are:
UDP/1719
TCP/1720
TCP/2776
TCP/2777
UDP/2776
UDP/2777
Non traversal calls — calls to the public internet — send traffic to ports determined by the
receiving endpoint and from ports. Traffic is sent from UDP ports 1719 and 50,000–51,000 and TCP ports 15,000–24,000
Having the firewall only accept incoming data from the IP address and port to which data has already been sent allows you to maintain a secure network behind the firewall: unsolicited
incoming data will not be accepted.
You are recommended to turn off any H.323 traversal features on the firewall: these are not
needed in conjunction with the Expressway solution and may interfere with its operation.
The Gatekeeper identifies itself to the Border Controller with its Traversal Zone Name which may
be determined with the command:
xConfiguration Zones TraversalZone Name
or using the Gatekeeper’s web interface on the System Configuration Misc page.
Up to 50 Gatekeepers may register with the Border Controller. Each is identified with a unique
Traversal Zone Name which is set with the command:
xConfiguration Zones TraversalZone [1..50 ] Name: name
or using the Border Controller’s web interface on the Border Controller Configuration Traver-
salZones page.
13
TANDBERG Border Controller User Manual

4 Bandwidth Control

The TANDBERG Border Controller allows you to control endpoints’ use of bandwidth on your network. Figure 4 shows a typical deployment: a broadband LAN, where high bandwidth calls are acceptable, a pipe to the internet with restricted bandwidth, and two satellite offices, each with their own restricted pipes. In order to utili ze the available bandwidth efficiently, the TANDBERG Border Controller allows you to model your network, and bandwidth controls on
individual components of the network. Bandwidth controls may be set on a call by call basis and
on a total concurrent usage basis.
Figure 4: Typical network deployment
All endpoints registered with your Border Controller are part of its local zone. As shown in Figure
4, the local zone can contain many different networks with different bandwidth limitations. In order to model this, the local zone is made up of one or more subzones. When an endpoint
registers with the Border Controller it is assigned to a subzone, based on its IP address.
By default all endpoints registering with the Border Controller are assigned to the default subzone.
have differing bandwidth provision, as in Figure 4, you should create a new subzone for each
pool of endpoints.
Subzones are added and configured through the web interface on the Border Controller Configu­ration SubZones page (Figure 5), or through the command line using the following commands:
xConfiguration SubZones SubZone [1..100] Name xConfiguration SubZones SubZone [1..100] Subnet IP Prefixlength xConfiguration SubZones SubZone [1..100] Subnet IP Address
Subzones may be configured with links joining them to each other and to other zones. These links
are used to calculate how a call is routed over the network and so which zones and subzones
are involved. If multiple routes are possible, your Border Controller will select the one wi th the
fewest links.
14
TANDBERG Border Controller User Manual
Figure 5: Configuring a SubZone
Links may be configured through the web interface on the Border Controller Configuration
Links page, or through the command line using the following commands:
xConfiguration Links Link [1..100] Name xConfiguration Links Link [1..100] Node1 Name xConfiguration Links Link [1..100] Node2 Name xConfiguration Links Link [1..100] Pipe1 Name xConfiguration Links Link [1..100] Pipe2 Name
Each subzone may be configured with its own bandwidth limits. Calls placed between two endpoints in the same subzone consume resource from the subzone’s allocation. Subzone
bandwidths are configured on the Border Controller Configuration SubZones page (see Figure
6 for a screenshot of the configuration) or using the following command line commands:
xConfiguration SubZones SubZone [1..100] Bandwidth Total Mode xConfiguration SubZones SubZone [1..100] Bandwidth Total Limit xConfiguration SubZones SubZone [1..100] Bandwidth PerCall Mode xConfiguration SubZones SubZone [1..100] Bandwidth PerCall Limit
When calls are placed between endpoints in different subzones, it is possible to control the bandwidth used on the link between them. To do this, create a pipe and configure it with the
required bandwidth characteristics. This pipe is then assigned to a link. Calls traversing the link
will now take the pipe’s bandwidth allocation into consideration. Pipes are created and configured
on the Border Controller Configuration Pipes page (Figure 6) or using the following command
line commands:
Figure 6: Configuring a pipe
xConfiguration Pipes Pipe [1..100] Name xConfiguration Pipes Pipe [1..100] Bandwidth Total Mode xConfiguration Pipes Pipe [1..100] Bandwidth Total Limit
15
TANDBERG Border Controller User Manual
xConfiguration Pipes Pipe [1..100] Bandwidth PerCall Mode xConfiguration Pipes Pipe [1..100] Bandwidth PerCall Limit
Pipes may be shared between one or more links. This is used to model the situation where a
site communicates with several other sites over the same broadband connection to the Internet.
Each link may have up to two pipes associated with it. This is useful for modeling two sites, each with their own broadband connection to the Internet backbone. Calls between zones or subzones
consume bandwidth from each zone and any pipes on the link between them.
When a Border Controller is neighbored with another Gatekeeper or a Border Controller, the neighbor is placed in its own zone. This allows you to control the bandwidth used by calls to
and from endpoints controlled by the other Gatekeeper. Sometimes you may place and receive
calls to Gatekeepers you are not neighbored with ( See section 6). These Gatekeepers, and any
unregistered endpoints reached by dialing their IP address, are placed in the Default Zone.
If bandwidth control is in use, there are two possible behaviors when a call cannot be placed at the bandwidth requested. By default the call will be connected at a reduced bandwidth
(down-speeding), assuming that there is some bandwidth still available. Optionally the call may
be rejected if it cannot be placed at the requested bandwidth. This option is controlled through
the web interface of the Border Controller by navigating to Border Controller Configuration
Gatekeeper(Figure 7) or through the following command line instructions:
Figure 7: Configuring down-speeding options
xConfiguration Gatekeeper Downspeed PerCall Mode: <On/Off> xConfiguration Gatekeeper Downspeed Total Mode: <On/Off>

4.1 Bandwidth Control and Firewall Traversal

When a Border Controller and Gatekeeper are being used to traverse a firewall, an additional
zone and subzone come into use.
The traversal zone is used to represent the zone containing the Gatekeeper Controller this
Border Controller is paired with. This zone is automatically added for you. The traversal subzone
represents the Border Controller itself. The traversal subzone allows you to control total and per call bandwidths passing through the Border Controller. Unlike other subzones, no endpoints will
ever be registered in this subzone.
16
TANDBERG Border Controller User Manual
4.2 Bandwidth Control Examples
One possible configuration for the deployment in Figure 4 is shown in Figure 8. Each of the
offices is represented as a separate subzone, with bandwidth configured according to local policy.
The enterprise’s leased line connection to the Internet, and the DSL connections to the remote
offices, are modelled as separate pipes.
Figure 8: Bandwidth control example
There are no firewalls involved in the scenario shown in figure 4, so we can configure links between each of the offices. Each link is then assigned two pipes, representing the Inter net connections of the offices at each end of the link. A call placed between the Home Office and
Branch Office will consume bandwidth in the home and branch subzones and on the home and
branch pipe. The enterprise’s bandwidth budget will be unaffected by the call.
If we now modify our deployment to include firewalls between the offices, we can use the firewall
traversal capability of the TANDBERG Gatekeeper and Border Controller to maintain connectivity.
In Figure 9, the endpoints in the enterprise register with the Gatekeeper, whilst those in the
branch and home office register with the Border Controller.
Figure 10 shows how the Border Controller could be configured for the deployment in Figure 9.
The introduction of the firewalls means that there is no longer any direct connectivity between the Branch and Home offices. All traffic must be routed through the Border Controller. This is
shown by the absence of a link between the Home and Branch subzones.
The Traversal Zone in Figure 10 represents the Enterprise Gatekeeper. The Border Controller
will consume bandwidth from the Traversal Zone for all calls placed to endpoints managed by the
Enterprise Gatekeeper. In this example we have assumed that there is no bottleneck on the link
between the Border Controller and the Enterprise network, so have not placed a pipe on this link.
If you want to limit the amount of traffic flowing through your firewall, you could provision a pipe
on this link.
17
TANDBERG Border Controller User Manual
Figure 9: Network Deployment with firewalls
Figure 10: Border Controller example configuration
Because the Gatekeeper is only managing endpoints on the LAN, its configuration is simpler as
shown in Figure 11.
All of the endpoints in the enterprise w il l be assigned to the default subzone. The Traversal subzone controls traversal traffic flowing through the Gatekeeper, whilst the Traversal Zone
controls all traffic traversing the enterprise firewall and passing on to the Border Controller. Both
subzones and the Traversal zone are linked: the link between the default subzone and the
Traversal zone is used by endpoints which can send media directly to the Border Controller. The
other two links are used by endpoints using the Gatekeeper to traverse the firewall.
The Border Controller is shipped with Default Zone and Default and Traversal subzones already
configured. They are also preconfigured with the links between these zones to allow calls to be placed. You may delete or amend the default links if you need to model restrictions of your
18
TANDBERG Border Controller User Manual
Figure 11: Gatekeeper example configuration
network. The default links may be restored by running the command:
xCommand DefaultLinksAdd
19
Loading...
+ 58 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use