VTech Telecommunications 80-7597-01 User Manual

MP252 Multimedia Home Gateway 13. Remote MP252 Management

Figure 13-5: Create Self Signed X509 Certificate Screen

c. Enter the fields as required, and then click Generate; a message appears notifying

you that MP252 is generating the certificate.

d. After a few moments, click Refresh; the 'New Self Signed X509 Certificate' screen

appears.

Figure 13-6: New Self Signed X509 Certificate Screen

e. Click OK; the new certificate appears listed in the 'Certificates' screen.

Figure 13-7: Newly Created Self-Signed Certificate

Version 3.4.0 201 June 2011

User's Manual

f. In the 'Certificates' screen, click the Download icon corresponding to the new

self-signed certificate that you created; the 'File Download' window appears.

Figure 13-8: File Download Window

g. Click Save, and then browse to the folder to where you want to save the file; the file

is saved as a *.crt file.

3. Configure the Apache server, by configuring the SSLCACertificateFile parameter to

point to the location where the certificate file is located. Since this is a self-signed certificate, you are also considered the CA.

4. Load the self-signed certificate to MP252:

a. In the 'Certificates' screen, click the Upload Certificate link; the ‘Load MP252’s

Local Certificate’ screen appears.

Figure 13-9: Load MP252’s Local Certificate

b. Click Browse, locate the certification file that you created, and then click Upload to

load the file.

5. Load the CA’s certificate to MP252:

a. Select the CA’s tab; the ‘CA’s’ screen appears.

Figure 13-10: CA's Certificates Page

MP252 Multimedia Home Gateway 202 Document #: LTRT-23504

MP252 Multimedia Home Gateway 13. Remote MP252 Management

Version 3.4.0 203 June 2011

User's Manual

b. Click the New icon; the ‘Load CA’s Certificate’ screen appears.

Figure 13-11: Load CA's Certificate Page

c. Click Browse, locate the CA certification file that you created, and then click

Upload to load the file.

6. Configure the Apache server, using the following parameters:

• SSLCACertificateFile: Set the path to the CA’s certificate.

• SSLCertificateFile: Set the path to your signed certificate.

• SSLCertificateKeyFile: Set the path to your private key.

MP252 Multimedia Home Gateway 204 Document #: LTRT-23504

MP252 Multimedia Home Gateway 13. Remote MP252 Management

13.4 Remote Configuration and Management Interfaces

MP252 supports the following remote configuration and management interfaces:

 Web server (GUI) over HTTP/HTTPS

 TR-069 and TR-104

 SNMP

 Syslog

 Firmware or configuration file download through HTTP/HTTPS and FTP/TFTP

 CLI over Telnet/SSH

The table below lists the possible operations over these different interfaces:

Table 13-5: Operations per Configuration/Management Interface

Operation Web GUI TR-069 SNMP Syslog File D/L CLI

Configuration Update

Firmware Upgrade

Status Monitoring

Debugging and Diagnostics

Service providers can choose to combine several management interfaces, for example, automatic file download for configuration and firmware updates plus SNMP for alarms.

Yes Yes Yes No Yes Yes

Yes Yes Yes No No Yes

Yes No No Yes No Yes

13.4.1 Embedded Web Server

MP252 provides an embedded Web server with a rich Graphical User Interface (GUI). The Web server can be accessed from the local LAN interface (e.g. by the home user) or from the WAN interface (e.g. by the service provider support personnel). The Web GUI provides easy and intuitive configuration of all MP252 parameters (i.e., VoIP, network interfaces, security, QoS and advanced system settings). In addition, the Web GUI provides status monitoring pages, diagnostic pages and enabled firmware upgrade.

Typically, service providers do not want to configure each MP252 manually and therefore, they do not use the Web server in live deployments. However, the Web server is still useful for:

 Trying different configurations in the lab during the integration phases

 Creating mass-configuration template files

 Debugging special customer problems (by accessing the Web server from the WAN

interface)

Since the Web server allows all configuration and management operations, it is important to protect it. The following security measures are available:

 The Web server is user and password protected. Several users can be defined. A

special user with limited-access (only to the 'Quick Setup' screen) can be defined.

 The access to the Web server can be blocked from the WAN and/or LAN interfaces.

 Access to the Web server can be limited to specific IP addresses.

 Secured HTTP (HTTPS) is supported. It is possible to enable HTTPS-only, if required.

Version 3.4.0 205 June 2011

User's Manual

 The HTTP and/or HTTPS port can be modified (from the default 80 and 8080).

13.4.2 TR-069 and TR-104 CPE WAN Management Protocol

TR-069 is a WAN management protocol intended for communication between Customer Premise Equipment (CPE) or residential devices (such as MP252), and an Auto-Configuration Server (ACS), residing on the service provider's side. It defines a mechanism that encompasses secure auto configuration of CPE, and also incorporates other CPE management functions into a common framework. In simpler terms, TR-069 is a protocol that enables remote server management of theMP252. Such a protocol is useful, for example, for remotely and securely controlling MP252 by the CPE provider. The standard is published by the DSL Forum. TR-069 runs over SOAP/HTTP and enables device configuration, management (including firmware upgrade), and status monitoring. TR-104 is an extension of TR-069 for VoIP configuration and monitoring.

The TR standards are published by the DSL forum:

 TR-069: http://www.broadband-forum.org/technical/download/TR-069.pdf

 TR-104: http://www.broadband-forum.org/technical/download/TR-104.pdf

Figure 13-12: TR-069 CPE WAN Management Protocol

The TR-069 protocol allows an ACS to provision a CPE or collection of CPE based on a variety of criteria. The provisioning mechanism includes specific provisioning parameters and a general mechanism for adding vendor-specific provisioning capabilities as needed. The provisioning mechanism allows CPE provisioning at the time of initial connection to the broadband access network, and the ability to re-provision at any subsequent time. This includes support for asynchronous ACS-initiated re-provisioning of CPE. TR-069 defines several Remote Procedure Call (RPC) methods, as well as a large number of parameters, which may be set or read. Some of these methods and parameters are defined as mandatory.

Notes:

• MP252 was tested for interoperability with two ACS vendors – Motive and

FriendlyTR69. Working with other ACS types may require specific interoperability effort.

• The parameter values in the subsequent tables are sample values only

taken from an ACS.

MP252 Multimedia Home Gateway 206 Document #: LTRT-23504

MP252 Multimedia Home Gateway 13. Remote MP252 Management

The method used to assign an address to the

The IP address of the default gateway for this

On creation of a WANIPConnection instance,

13.4.2.1 Configuring MP252 via TR-069 and TR-104

TR-069 allows basic configuration of MP252. The configuration is defined in a hierarchical

13.4.2.1.1 Configuring the WAN Interface

Table 13-6: InternetGatewayDevice.WANDevice.i.WANConnectionDevice.i.WANIPConnection.i

tree-like structure according to the TR-069 standard.

TR-069/TR-104

Parameter

Configuration File

Parameter

AddressingType mt_cwmp_param_wan_con

n_ip_addressing_type_get/ set

ConnectionStatus mt_cwmp_param_wan_con

n_ip_status_get

ConnectionType mt_cwmp_param_wan_con

n_ppp_type_get

Description

WAN side interface of the CPE for this connection:



“DHCP”



“Static”

Current status of the connection:



“Unconfigured”



“Connecting”



“Connected”



“PendingDisconnect”



“Disconneting”



“Disconnected”

Specifies the connection type of the connection instance:



“Unconfigured”



“IP_Routed”



“DHCP_Spoofed”



“PPPoE_Bridged”



“PPPoE_Relay”



“PPTP_Relay”



“L2TP_Relay”

DefaultGateway mt_cwmp_param_wan_con

n_ip_default_gateway_get/ set

DNSEnabled mt_cwmp_param_wan_con

n_ip_dns_enabled_get/set

DNSOverrideAllowed mt_cwmp_param_wan_con

n_ip_dnsoverrideallowed_ get/set

DNSServers mt_cwmp_param_wan_con

n_xxx_dnsservers_get/set( i)

Enable mt_cwmp_param_wan_con

connection. This parameter is configurable only if the AddressingType is Static.

Whether or not the device should attempt to query a DNS server across this connection.

Whether or not a manually set, non-empty DNS address can be overridden by a DNS entry received from the WAN.

Comma-separated list of DNS server IP addresses for this connection. Support for more than three DNS Servers is optional.

Enables or disables the connection instance.

n_xxx_enable_get/set(1)

it is initially disabled.

ExternalIPAddress mt_cwmp_param_wan_con

n_xxx_externalip_get(i)

The external IP address used by NAT for this connection. This parameter is configurable only if the AddressingType is Static.

Version 3.4.0 207 June 2011

User's Manual

PortMappingNumberOf

separated list indicating the types of

If less than or equal to 100, in percentages of

TR-069/TR-104

Parameter

Configuration File

Parameter

MaxMTUSize mt_cwmp_param_wan_con

n_ip_max_mtu_size_get/se t( i)

Name mt_cwmp_param_wan_con

n_xxx_name_get/set(i)

NATEnabled mt_cwmp_param_wan_con

n_xxx_nat_enabled_get/set (i )

Entries

PossibleConnectionTy

pes

RouteProtocolRx mt_cwmp_param_wan_con

n_xxx_route_protocol_rx_ get/set

Description

The maximum allowed size of an Ethernet frame from LAN-side devices.

User-readable name of this connection.

Indicates if NAT is enabled for this connection.

Total number of port mapping entries.

A commaconnections possible for this connection instance. Each element of the list is an enumeration of:



“Unconfigured”



“IP_Routed”



“IP_Bridged”

Defines the Rx protocol to be used:



“Off”



“RIPv1” (Optional)



“RIPv2” (Optional)



“OSPF” (Optional)

RSIPAvailable mt_cwmp_param_wan_con

n_xxx_rsip_available_get(i)

ShapingRate -

SubnetMask lan_host_config_managem

ent_get/set rg_conf dhcps/ netmask

SpecVersion “”

Uptime -

13.4.2.1.2 Configuring the LAN Interface

Indicates if Realm-specific IP (RSIP) is available as a feature on MP252.

Rate to shape this connection’s egress traffic to.

the rate of the highest rate-constrained layer over which the packet travels on egress. The rate is limited over the window period specified by ShapeWindow.

If greater than 100, in bits per second. A value of -1 indicates no shaping.

Subnet mask of the WAN interface. This parameter is configurable only if the AddressingType is Static.

Currently, 1.0 is the only available version.

The time in seconds that this connection has been up.

Table 13-7: InternetGatewayDevice.LANDevice.i.LANEthernetInterfaceConfig

MP252 Multimedia Home Gateway 208 Document #: LTRT-23504

MP252 Multimedia Home Gateway 13. Remote MP252 Management

TR-069/TR-104

Parameter

Configuration File

Parameter

Enable device_eic_enable_get/set

MACAddress device_mac_address_get

MaxBitRate device_max_bit_rate_get

Status device_status_get

Description

Enables or disables this interface.

The physical address of the interface.

The maximum upstream and downstream bit rate available for this connection:



“10”



“100”



“1000”



“Auto”

The status of the interface:



“Up”



“NoLink”



“Error”



“Disabled”

Version 3.4.0 209 June 2011

User's Manual

Table 13-8: InternetGatewayDevice.LANDevice.i.LANHostConfigManagement

TR-069/TR-104

Parameter

AllowedMACAddres ses

Configuration File

Parameter

allowed_mac_addresses_g et/set

DHCPLeaseTime dhcp_lease_time_get/set

DHCPRelay dhcp_relay_get/set

DHCPServerEnable lan_host_config_managem

ent_get/set rg_conf dhcps/enable

DNSServers dhcps_dns_servers_get/se

DomainName domain_name_get/set

Description

Represents a comma-separated list of hardware addresses that are allowed to connect to this connection if MACAddressControlEnabled is 1 for a given interface.

Specifies the lease time in seconds of client assigned addresses. A value of -1 indicates an infinite lease.

Determines if the DHCP server performs the role of a server (0) or a relay (1) on the LAN interface.

Enables or disables the DHCP server on the LAN interface.

Comma-separated list of DNS servers offered to DHCP clients. Support for more than three DNS Servers is optional.

Sets the domain name for clients on the LAN interface.

IPRouters ip_routers_get/set

MaxAddress lan_host_config_managem

ent_get/set rg_conf dhcps/end_ip

MinAddress lan_host_config_managem

ent_get/set rg_conf dhcps/start_ip

SubnetMask lan_host_config_managem

ent_get/set rg_conf dhcps/ netmask

Comma-separated list of IP addresses of routers on this subnet. Also known as default gateway. Support for more than one Router address is optional.

Specifies the last address in the pool to be assigned by the DHCP server on the LAN interface.

Specifies the first address in the pool to be assigned by the DHCP server on the LAN interface.

Specifies the client’s network subnet mask.

MP252 Multimedia Home Gateway 210 Document #: LTRT-23504

MP252 Multimedia Home Gateway 13. Remote MP252 Management

13.4.2.1.3 Configuring VoIP via TR-104

Table 13-9: InternetGatewayDevice.Services.VoiceService.i.Capabilities

TR-069/TR-104

Parameter

ButtonMap

DSCPCoupled

EthernetTaggingCou pled

FaxPassThrough

Configuration File

Parameter

- Support for a configurable button map. A true value indicates support for a configurable button map via the VoiceService.{i}.VoiceProfile.{i}.ButtonMap object.

- A true value indicates that the CPE is constrained such that transmitted call control packets use the same DSCP marking as transmitted RTP packets.

If the value is true, the CPE must not support the DSCPMark parameter for call control.

- A true value indicates that the CPE is constrained such that transmitted call control packets use the same Ethernet tagging (VLAN ID Ethernet Priority) as transmitted RTP packets.

If the value is true, the CPE must not support the VLANIDMark or EthernetPriorityMark parameters within a call control object (e.g., SIP, MGCP, or H323).

- Support for fax pass-through. A true value indicates support for the parameter VoiceService.{i}.VoiceProfile.{i}.FaxPassThro ugh. (True if voip/audio/fax/fax_transport_mode equals Bypass)

Description

FaxT38

MaxLineCount voip/num_of_fxs_lines

MaxProfileCount

MaxSessionCount

MaxSessionsPerLin e

Version 3.4.0 211 June 2011

- Support for T.38 fax. A true value indicates support for the object VoiceService.{i}.VoiceProfile.{i}.FaxT38.

Maximum number of lines supported across all profiles.

- Maximum number of distinct voice profiles supported.

- Maximum number of voice sessions supported across all lines and profiles. (This might differ from MaxLineCount if each line can support more than one session for CPE provided conference calling. This value can be less than the product of MaxLineCount and MaxSessionsPerLine.)

- Maximum number of voice sessions supported for any given line across all profiles. A value greater than one indicates support for CPE provided conference calling.

User's Manual

TR-069/TR-104

Parameter

ModemPassThrough

NumberingPlan

PSTNSoftSwitchOve

Configuration File

Parameter

- Support for modem pass-through. A true value

- Support for a configurable numbering plan. A

- A true value indicates MP252 is capable of

Regions pkg\mgt\lib\mgt_regiona

l_settings.c slic_dsp_general_and_r egional_settings_param s_array

Description

indicates support for the parameter VoiceService.{i}.VoiceProfile.{i}.ModemPassT hrough.

true value indicates support for a configurable numbering plan via the VoiceService.{i}.VoiceProfile.{i}.NumberingPla n object.

supporting the PSO_Activate Facility Action, which allows a call to be switched to a PSTN FXO.

Note: Currently, this parameter is not supported.

Comma-separated list of geographic regions supported by MP252. Each item in the list must be an alpha-2 (two-character alphabetic) country code as specified by ISO 3166.

An empty list indicates that MP252 does not support region-based customization.

Note: This format is currently not supported.

RingGeneration

RTCP

RTPRedundancy

- Support for ring generation. A true value

- Support for RTCP.

- Support for RTP payload redundancy as

SignalingProtocols voip/signalling/protocol

indicates support for control of ring generation via the VoiceService.{i}.VoiceProfile.{i}.Line.{i}.Ringer object.

A true value also indicates that the RingDescriptionsEditable, PatternBasedRingGeneration and FileBasedRingGeneration parameters in this object are present.

defined in RFC 2198. A true value indicates support for VoiceService.{i}.VoiceProfile.{i}.RTP.Redunda ncy.

Signal protocol:



“SIP”



“MGCP”

Each entry can be appended with a version indicator in the form “/X.Y”. For example: “SIP/2.0”.

Note: Only one protocol is supported at a time.

SRTP

- Support for SRTP. Note: Currently, SRTP is not supported.

MP252 Multimedia Home Gateway 212 Document #: LTRT-23504

MP252 Multimedia Home Gateway 13. Remote MP252 Management

TR-069/TR-104

Parameter

ToneGeneration

VoicePortTests

Configuration File

Parameter

- Support for tone generation. A true value

- Support for remotely accessible voice-port

Table 13-10: InternetGatewayDevice.Services.VoiceService.i.Capabilities.Codecs

TR-069/TR-104

Parameter

Configuration File

Parameter

Codec voip/codec/i/name

EntryID voip/codec/i/

Description

indicates support for the object VoiceService.{i}.VoiceProfile.{i}.Tone.

A true value also indicates that the ToneDescriptionsEditable, PatternBasedToneGeneration and FileBasedToneGeneration parameters in this object are present.

tests. A true value indicates support for the VoiceService.{i}.PhyInterface.{i}.Tests object.

Description

Identifier of the type of codec.

Unique identifier for each entry in the table.

PacketizationPeriod voip/codec/i/ptime

Comma-separated list of supported packetization periods (in milliseconds), or continuous ranges of packetization periods. Ranges are indicated as a hyphen-separated pair of unsigned integers.

For example:



“20” indicates a single discrete value.



“10, 20, 30” indicates a set of discrete values.



“5-40” indicates a continuous inclusive range.



“5-10, 20, 30” indicates a continuous range in addition to a set of discrete values.

A range must only be indicated if all values within the range are supported.

Note: Currently, only a single ptime per codec is supported.

Version 3.4.0 213 June 2011

User's Manual

Table 13-11: InternetGatewayDevice.Services.VoiceService.i.VoiceProfile

TR-069/TR-104

Parameter

Configuration File

Parameter

DTMFMethod voip/out_of_band_dtmf

Enable

Name

- Enables or disables all lines in this profile, or

- String to easily identify the profile instance.

Description

Method by which DTMF digits must be passed:



“InBand”



“RFC2833”



“SIPInfo

places it into a quiescent state:



“Disabled”



“Quiescent”



“Enabled”

On creation, a profile must be in the Disabled state.

In the Quiescent state, in-progress sessions remain intact, but no new sessions are allowed. Support for the Quiescent state in a MP252 is optional. If this parameter is set to “Quiescent” in a MP252 that does not support the Quiescent state, it must treat it the same as the Disabled state.

Note: Currently, this is not supported.

NumberOfLines voip/num_of_fxs_lines

Table 13-12: InternetGatewayDevice.Services.VoiceService.i.VoiceProfile.i.SIP

TR-069/TR-104

Parameter

Configuration File

Parameter

OutboundProxy voip/

signalling/sip/sip_outbou nd_proxy/addr

Number of instances of Line within this VoiceProfile.

Description

Host name or IP address of the outbound proxy. If a non-empty value is specified, the SIP endpoint must send all SIP traffic (requests and responses) to the host indicated by this parameter and the port indicated by the OutboundProxyPort parameter. This must be done regardless of the routes discovered using normal SIP operations, including use of Route headers initialized from Service-Route and Record-Route headers previously received. The OutboundProxy value is not used to generate the URI placed into the Route header of any requests.

MP252 Multimedia Home Gateway 214 Document #: LTRT-23504

MP252 Multimedia Home Gateway 13. Remote MP252 Management

TR-069/TR-104

Parameter

Configuration File

Parameter

OutboundProxyPort voip/

signalling/sip/sip_outbou nd_proxy/proxy

ProxyServer voip/signalling/sip/proxy_

address or voip/signalling/sip/sip_re gistrar/addr

ProxyServerPort voip/signalling/sip/proxy_

port or voip/signalling/sip/sip_re gistrar/port

ProxyServerTranspo rt

voip/signalling/sip/transp ort_protocol

RegisterExpires voip/signalling/sip/proxy_

timeout

Description

Destination port for connecting to the outbound proxy. This parameter must be ignored unless the value of the OutboundProxy parameter in this object is non-empty.

Host name or IP address of the SIP proxy server.

Destination port for connecting to the SIP server.

Transport protocol for connecting to the SIP server. Must be chosen from among the transports supported.

RegistrarServerTran sport

voip/signalling/sip/transp ort_protocol

Transport protocol for connecting to the SIP server. Must be chosen from among the transports supported.

UserAgentPort voip/signalling/sip/port

UserAgentTransport voip/signalling/sip/transp

ort_protocol

Port for incoming call control signaling.

Transport protocol for incoming call control signaling.

13.4.2.1.4 Upgrading Firmware via TR-069

TR-069 contains a built-in mechanism for MP252 firmware upgrade.

13.4.2.2 Monitoring MP252 Status via TR-069 and TR-104

13.4.2.2.1 Device Information

The service provider can monitor the status of MP252 via TR-069 and TR-104.

Table 13-13: InternetGatewayDevice.DeviceInfo

TR-069/TR-104

Parameter

Configuration File

Parameter

Description

Description manufacturer/description

DeviceLog “”

HardwareVersion Manufacturer/hardware/v

ersion

A full description of MP252 (string).

Vendor-specific log(s).

A string identifying the particular MP252 model and version.

Version 3.4.0 215 June 2011

User's Manual

TR-069/TR-104

Parameter

Configuration File

Parameter

Manufacturer manufacturer/vendor_na

ManufacturerOUI manufacturer/vendor_oui

ModelName manufacturer/model_num

ber

ProductClass manufacturer/product_cla

ProvisioningCode cwmp/provisioning_code

Description

A string identifying the manufacturer of MP252, i.e., AudioCodes.

Organizationally unique identifier of the device manufacturer. Represented as a six hexadecimal-digit value using all upper-case letters and including any leading zeros.

A string identifying the model name of MP252.

Identifier of the class of product for which the serial number applies. That is, for a given manufacturer, this parameter is used to identify the product or class of product over which the SerialNumber parameter is unique.

Identifier of the primary service provider and other provisioning information, which may be used by the Server to determine service provider-specific customization and provisioning parameters.

If non-empty, this argument must be in the form of a hierarchical descriptor with one or more nodes specified. Each node in the hierarchy is represented as a 4-character sub-string, containing only numerals or upper-case letters. If there is more than one node indicated, each node is separated by a "." (dot). For example, “TLCO” and “TLCO.GRP2”.

SerialNumber Manufacturer/hardware/s

erial_num

SoftwareVersion system/external_version

UpTime

- Time in seconds since MP252 was last reset.

Serial number of MP252.

A string identifying the software version currently installed in MP252.

To allow version comparisons, this element must be in the form of dot-delimited integers, where each successive integer represents a more minor category of variation. For example, 3.0.21 where the components mean Major.Minor.Build.

MP252 Multimedia Home Gateway 216 Document #: LTRT-23504

MP252 Multimedia Home Gateway 13. Remote MP252 Management

13.4.2.2.2 WAN Status

Table 13-14: InternetGatewayDevice.WANDevice.i.WANConnectionDevice.i.

WANIPConnection.i.Stats

TR-069/TR-104

Parameter

EthernetBytesRecei ved

Configuration File

Parameter

mt_cwmp_param_wan_co nn_ip_stats_get

(STAT_RX_BYTES)

EthernetBytesSent mt_cwmp_param_wan_co

nn_ppp_stats_get ( STAT_TX_BYTES)

EthernetPacketsRec eived

mt_cwmp_param_wan_co nn_ppp_stats_get

( STAT_RX_PACKETS)

EthernetPacketsSent mt_cwmp_param_wan_co

nn_ppp_stats_get

13.4.2.2.3 LAN Status

Description

Total number of bytes received over all connections within the same WANConnectionDevice that share a common MAC address since MP252 was last reset.

Total number of bytes sent over all connections within the same WANConnectionDevice that share a common MAC address since MP252 was last reset.

Total number of Ethernet packets received over all connections within the same WANConnectionDevice that share a common MAC address since MP252 was last reset.

Total number of Ethernet packets sent over all connections within the same WANConnectionDevice that share a common MAC address since MP252 was last reset.

Table 13-15: InternetGatewayDevice.LANDevice.i.LANEthernetInterfaceConfig.i.Stats

TR-069/TR-104

Parameter

BytesReceived mt_voip_get_state (line,

BytesSent mt_voip_get_state(line,

PacketsReceived mt_voip_get_state(line,

PacketsSent mt_voip_get_state(line,

Configuration File

Parameter

state)

Description

Total number of bytes received over the interface since MP252 was last reset.

Total number of bytes sent over the interface since MP252 was last reset.

Total number of packets received over the interface since MP252 was last reset.

Total number of packets sent over the interface since MP252 was last reset.

Version 3.4.0 217 June 2011

User's Manual

13.4.2.2.4 VoIP Status via TR-104

Table 13-16: InternetGatewayDevice.Services.VoiceService.i.VoiceProfile.i.Line.i.Stats

TR-069/TR-104

Parameter

ResetStatistics

PacketsSent mt_voip_get_state(line,

PacketsReceived mt_voip_get_state(line,

BytesSent mt_voip_get_state(line,

BytesReceived mt_voip_get_state(line,

PacketsLost mt_voip_get_state(line,

Overruns

Underruns

IncomingCallsReceive d

Configuration File

Parameter

- When set to one, it resets the statistics for

state)

- Total number of times the receive jitter buffer

Description

this voice line. Always False when read.

Total number of RTP packets sent for this line.

Total number of RTP packets received for this line.

Total number of RTP payload bytes sent for this line.

Total number of RTP payload bytes received for this line.

Total number of RTP packets that have been lost for this line.

has overrun for this line.

has underrun for this line.

Total incoming calls received.

IncomingCallsAnswere d

IncomingCallsConnect ed

IncomingCallsFailed

OutgoingCallsAttempt ed

OutgoingCallsAnswere d

OutgoingCallsConnect ed

OutgoingCallsFailed

CallsDropped

TotalCallTime

ServerDownTime

- Total incoming calls answered by the local

user.

- Total incoming calls that successfully

completed call setup signaling.

- Total incoming calls that failed to successfully

complete call setup signaling.

- Total outgoing calls answered by the called

- Total outgoing calls that successfully

- Total outgoing calls that failed to successfully

- Total calls that were successfully connected

- Cumulative call duration (in seconds).

- The number of seconds MP252 is unable to

Total outgoing calls attempted.

party.

completed call setup signaling.

complete call setup signaling.

(incoming or outgoing), but dropped unexpectedly while in progress without explicit user termination.

maintain a connection to the server. Applies only to SIP.

MP252 Multimedia Home Gateway 218 Document #: LTRT-23504

MP252 Multimedia Home Gateway 13. Remote MP252 Management

TR-069/TR-104

Parameter

Configuration File

Parameter

ReceivePacketLossRate mt_voip_get_state(line,

state)

FarEndPacketLossRat

- Current far-end receive packet lost rate (in

ReceiveInterarrivalJitte

- Current receive interarrival jitter (in

FarEndInterarrivalJitte

- Current Interarrival jitter (in microseconds) as

RoundTripDelay mt_voip_get_state

AverageReceiveInterar

- Average receive interarrival jitter (in

rivalJitter

AverageFarEndInterarr

- Average far-end interarrival jitter (in

ivalJitter

AverageRoundTripDel

- Average round-trip delay (in microseconds)

Description

Current receive packet loss rate (in percentage).

percentage).

microseconds).

reported from the far-end device via RTCP.

Current round-trip delay (in microseconds).

microseconds) since the beginning of the current call.

since the beginning of the current call. This is the average of the RoundTripDelay statistics accumulated each time the delay is calculated.

13.4.2.3 Security Concerns and Measures

The CPE WAN Management Protocol is designed to allow a high degree of security in the interactions that use it. The CPE WAN Management Protocol is designed to prevent tampering with the transactions that take place between a CPE and ACS, provide confidentiality for these transactions, and allow various levels of authentication.

The following security mechanisms are incorporated in this protocol:

 The protocol supports the use of SSL/TLS for communications transport between CPE

and ACS. This provides transaction confidentiality, data integrity, and allows certificate-based authentication between the CPE and ACS.

 The HTTP layer provides an alternative means of CPE authentication based on shared

secrets.

Version 3.4.0 219 June 2011

13.4.3 SNMP

Simple Network Management Protocol (SNMP) is used in network management systems to configure and monitor network-attached devices. SNMP is an IETF standard defined by RFC 1157, 1441 and additional RFCs for specific Management Information Base (MIBs).

MP252 contains an embedded SNMP agent and supports SNMPv1, SNMPv2 and partially supports SNMPv3. For monitoring of the network interfaces, the standard SNMP MIB-II (RFC 1213) is supported. For more options, a proprietary MIB, AC-MP20X-MIB includes the following sections:

 acMP20xConfig: for changing MP252's configuration

 acMP20xStatus: for monitoring MP252's status

The figure below shows the SNMP network architecture:

User's Manual

Figure 13-13: SNMP Network Architecture

13.4.3.1 Enabling SNMP in the Web Interface

Simple Network Management Protocol (SNMP) enables Network Management Systems (NMSs) to remotely configure and monitor your MP252. Your ISP may use SNMP to identify and resolve technical problems. Technical information regarding the properties of MP252's SNMP agent should be provided by your ISP.

The procedure below describes how to configure the SNMP agent embedded on the MP252.



To configure MP252's SNMP agent:

1. In the 'Advanced' screen, click the Simple Network Management Protocol (SNMP)

icon; the 'Simple Network Management Protocol (SNMP)' screen appears.

MP252 Multimedia Home Gateway 220 Document #: LTRT-23504

MP252 Multimedia Home Gateway 13. Remote MP252 Management

Figure 13-14: Simple Network Management Protocol (SNMP) Screen

2. Select the 'Enabled' check box to enable SNMP.

3. Select the ‘Allow Incoming WAN Access to SNMP’ check box to allow access to

MP252's SNMP agent over the Internet.

4. In the ‘Read-Only Community Names’ and ‘Read-Write Community Names’

fields, enter the SNMP community strings. These strings are passwords used in SNMP messages between the management system and MP252. A read-only community allows the manager to monitor MP252. A read-write community allows the manager to monitor and configure MP252.

5. From the ‘Trusted Pair’ drop-down list, enter the IP address, or subnet of addresses that

identify which remote management stations are allowed to perform SNMP operations on MP252.

6. Under the SNMP Traps group, select the ‘Enabled’ check box to allow MP252 to send

messages (traps) to a remote management station to notify the manager about the occurrence of important events or serious conditions.

• Version: SNMP version - SNMP v1 or SNMP v2c traps.

• Destination: remote management station's IP address.

• Community: community name that is associated with the trap messages.

7. Click OK to save your settings.

13.4.3.2 Configuring MP252 via SNMP

The acMP20xConfig MIB section is structured in a similar hierarchy as MP252's Web GUI. Each parameter in the MIB has a matching parameter in the Web GUI and a matching parameter in the gateway’s configuration file. The MIB file defines the valid range and the default value for each parameter. Typically, the customer integrates the MP20x MIB into the customer's Network Management System (NMS) to automate the configuration process.

Note: A special MIB object is defined to allow MP252 firmware upgrade triggered by

SNMP. The object acMP20xRemoteUpdate triggers a remote upgrade from the SNMP-configured URL.

Version 3.4.0 221 June 2011

User's Manual

13.4.3.3 Status Monitoring of System and Network Interfaces via SNMP

SMNP can be used to monitor the status of MP252. Status monitoring of the system and network interfaces can be done via the standard MIB-II (iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1)). The following table shows some of the information elements available via MIB-II:

Table 13-17: Table 3-13: Information Elements Available via MIB-II

Section Available Information



system

interfaces Information per network interface:

Description



Version Information



Up-time



Description



Type



Speed



MAC address



Traffic statistics



Errors

icmp, udp, tcp

ifMIB

Assigned IP addresses and IP-related parameters

Transport-protocol specific statistical information

Information about network interfaces per RFC 2233

13.4.3.4 Security Concerns and Measures

Since SNMP allows write-access to configuration parameters, it is important to protect this interface. The following security measures are available:

 A community string (password) can be defined for read-only access and for read/write

access.

 It is possible to limit access to SNMP to a trusted peer (single IP address or a range of

addresses).

 SNMPv3 provides an significant security improvement over SNMPv1/2. Version 2.8.0

will support SNMPv3 and will allow the service provider to configure SNMPv3 security parameters.

 SNMP traffic can be allowed over an IPSec secured connection – check availability with

AudioCodes.

MP252 Multimedia Home Gateway 222 Document #: LTRT-23504

MP252 Multimedia Home Gateway 13. Remote MP252 Management

13.4.4 Syslog

Syslog is a standard protocol for reporting and logging of messages over IP network and is defined by RFC 3164. MP252 enables the service provider to configure a Syslog server and a severity level above which errors are sent to the server. Typically, only error-level messages should be sent to the Syslog server (in order not to flood it with irrelevant debug-level information). For debugging, it is possible to temporarily allow logging for debug-level messages (e.g. for SIP messages).

Many free Syslog servers exist, including Kiwi Syslog Daemon' (http://www.kiwisyslog.co'm http://www.kiwisyslog.com).

Note: Since Syslog is used only to output messages from MP252, it does not contain

any security concerns.

13.4.5 Automatic File Download

A practical, straight-forward and easy to implement method for mass configuration and firmware update is automatic file download from a remote file server (via HTTP, FTP, or TFTP). This method is used by many service providers.

13.4.5.1 Firmware File Download

MP252's firmware files contain information about the target product type and the firmware version information.

13.4.5.2 Configuration File Download

MP252 supports two configuration file formats, a *.conf file and an *.ini file. Both files define the same parameters, but in a different format; the *.conf file has a hierarchical tree-like structure and the *.ini file is "flat" (defining the full path for each parameter).

As with the firmware file, the configuration file can be “pushed” to MP252 via the Web server or “pulled” by MP252 from a remote server. This section refers only to the second option.

When MP252 downloads a file from a remote server, it performs the following actions:

 Decrypts the file, if it is encrypted.

 Checks that the file version is later than the current configuration file version (if it is not

later, the new configuration is not used).

 Checks the software version with which the configuration file was created (if the file was

created with a later software version, it is not used).

Version 3.4.0 223 June 2011

User's Manual

restored to factory settings, modify the required parameters using the Web

 Merges the configuration file with the current configuration:

• Parameters that appear in the new file are modified or added

• Parameters that do not appear in the new file remain in their existing value

Notes:

• It is recommended that the configuration file (that is downloaded from the

network), contains only the small subset of parameters that the service provider needs to update remotely.

• To create the configuration file, it is recommended to use a MP252 that is

GUI, and then upload the configuration file from MP252 with the option to get only the modified configuration fields enabled.

13.4.5.3 Security Concerns and Measures

The main security hazard in automatic file download is that a hacker can force MP252 to download a file from the hacker's server instead of the service provider’s legitimate server. Another concern is exposing information such as the SIP proxy IP address and user and password information in the configuration file (if the hacker is sniffing the network).

The following security measures are available to prevent this:

 The configuration file can be encrypted using 3DES with pre-configured key. This

prevents the user from learning the format of the file and obtaining information from it.

 HTTPS can be used to further encrypt the transport.

 HTTPS certificates can be used to allow MP252 to authenticate the server and also to

prevent the user from acquiring the file from the server.

13.4.6 Telnet CLI

MP252 features a Command Line Interface (CLI) over Telnet. The CLI enables the service provider to manage MP252 (e.g. reboot, force a firmware upgrade), to obtain information about the status of the device (e.g. VoIP calls, network interfaces, version information), to change the configuration and to perform different debugging tasks (e.g. enable debug logging, enable packet recording).

Typically, the CLI interface is only used for debugging and diagnostics, since it does not allow mass configuration and monitoring.

Since the CLI allows all configuration and management operations, it is important to protect it. The following security measures are available:

 The CLI is user and password protected (same as the Web).

 Telnet access can be blocked from the WAN and/or LAN interfaces.

 It is possible to limit Telnet access to specific IP addresses.

 Future versions will support SSH.

MP252 Multimedia Home Gateway 224 Document #: LTRT-23504

MP252 Multimedia Home Gateway 14. Security

14 Security

MP252's security suite includes comprehensive and robust security services: Stateful Packet Inspection Firewall, user authentication protocols and password protection mechanisms. These features together allow users to connect their computers to the Internet and simultaneously be protected from the security threats of the Internet.

The firewall, which is the cornerstone of your MP252's security suite, has been exclusively tailored to the needs of the residential/office user and has been pre-configured to provide optimum security.

Figure 14-1: Firewall in Action

MP252 firewall provides both the security and flexibility that home and office users seek. It provides a managed, professional level of network security while enabling the safe use of interactive applications, such as Internet gaming and video-conferencing.

Additional features, including surfing restrictions and access control, can also be easily configured locally by the user through a user-friendly Web-based interface, or remotely by a service provider.

MP252 firewall supports advanced filtering, designed to allow comprehensive control over the firewall's behavior. You can define specific input and output rules, control the order of logically similar sets of rules and make a distinction between rules that apply to WAN and LAN network devices.

The Web-based management screens in the Security section feature the following:

 The 'General' screen allows you to choose the security level for the firewall (see'

General Security Level Settings' on page 226).

 The 'Access Control' screen can be used to restrict access from the home network to

the Internet (see 'Local Servers (Port Forwarding)' on page 229).

 The 'Port Forwarding' screen can be used to enable access from the Internet to

specified services provided by computers in the home network and special Internet applications (see 'Port Forwarding' on page 229).

 The 'DMZ Host' screen allows you to configure a LAN host to receive all traffic arriving at

your MP252, which does not belong to a known session (see' Port Triggering' on page

235).

 The 'Port Triggering' screen allows you to define port triggering entries, to dynamically

open the firewall for some protocols or ports. (see 'Remote Administration' on page

261).

 The 'Website Restrictions' allows you to block LAN access to a certain host or web site

on the Internet (see 'Website Restrictions' on page 237).

 'Advanced Filtering' allows you to implicitly control the firewall setting and rules (see

'Advanced Filtering' on page 244).

Version 3.4.0 225 July 2011

User's Manual

 'Security Log' allows you to view and configure the firewall Log (see Security Log).

14.1 General Security Level Settings

Use the 'Security Settings' screen to configure the MP252's basic security settings.

Figure 14-2: General Security Level Settings

The firewall regulates the flow of data between the home network and the Internet. Both incoming and outgoing data are inspected and then either accepted (allowed to pass through MP252) or rejected (barred from passing through MP252) according to a flexible and configurable set of rules. These rules are designed to prevent unwanted intrusions from the outside, while allowing home users access to the Internet services that they require.

The firewall rules specify what types of services available on the Internet may be accessed from the home network and what types of services available in the home network may be accessed from the Internet. Each request for a service that the firewall receives, whether originating in the Internet or from a computer in the home network, is checked against the set of firewall rules to determine whether the request should be allowed to pass through the firewall. If the request is permitted to pass, then all subsequent data associated with this request (a "session") are also allowed to pass, regardless of its direction.

For example, when you point your Web browser to a Web page on the Internet, a request is sent out to the Internet for this page. When the request reaches MP252, the firewall identifies the request type and origin--HTTP and a specific PC in your home network, in this case. Unless you have configured access control to block requests of this type from this computer, the firewall allows this request to pass out onto the Internet (see 'WAN PPPoE' on page 181 for more on setting access controls). When the Web page is returned from the Web server the firewall associates it with this session and allows it to pass, regardless of whether HTTP access from the Internet to the home network is blocked or permitted.

MP252 Multimedia Home Gateway 226 Document #: LTRT-23504

MP252 Multimedia Home Gateway 14. Security

from Internet, except as configured in the

Note that it is the origin of the request, not subsequent responses to this request, that determines whether a session can be established or not.

You can choose from among three pre-defined security levels for MP252: Minimum, Typical, and Maximum (the default setting). The table below summarizes the behavior of MP252 for each of the three security levels.

Table 14-1: Behavior for the Three Security Levels

Security Level

Maximum Security (Default)

Typical Security

Minimum Security

These services include Telnet, FTP, HTTP, HTTPS, DNS, IMAP, POP3 and SMTP. The list of allowed services at 'Maximum Security' mode can be edited in the screen' 'Access

Contro'l on page 228'. Some applications (such as some Internet messengers and Peer-To-Peer client applications)

tend to use these ports if they cannot connect with their own default ports. When applying this behaviour, these applications are not blocked outbound, even at Maximum Security Level.

Requests Originating

in the WAN

(Incoming Traffic)

Blocked: No access to home network

Local Servers, DMZ host and Remote Access screens

Blocked: No access to home network

Local Servers, DMZ host and Remote Access screens

Unrestricted: Permits full access from Internet to home network; all connection attempts permitted.

Requests

Originating

in the LAN

(Outgoing Traffic)

Limited: Only commonly- used services, such as Web- browsing and e-mail, are permitted

Unrestricted: All services are permitted, except as configured in the Access Control screen

Version 3.4.0 227 June 2011

User's Manual



To configure MP252's security settings:

(See the figure 'General Security Level Settings')

1. Choose from among the three predefined security levels described in the table above.

'Maximum Security' is the default setting.

Using the Minimum Security setting may expose the home network to significant security risks, and thus should only be used, when necessary, for short periods of time.

2. Check the 'Block IP Fragments' check box to protect your home network from a

common type of hacker attack that could make use of fragmented data packets to sabotage your home network. Note that some UDP-based services make legitimate use of IP fragments. You need to allow IP fragments to pass into the home network to make use of these select services.

3. In the 'TCP Session timeout' field, enter the time-to-live (TTL) in units of seconds for

TCP sessions. The valid range is 1 to 3600 hours (default is an hour).

4. Click OK to save the changes.

14.2 Access Control

You may want to block specific computers within the home network (or even the whole network) from accessing certain services on the Internet. For example, you may want to prohibit one computer from surfing the Web, another computer from transferring files using FTP, and the whole network from receiving incoming e-mail.

Access Control defines restrictions on the types of requests that may pass from the home network out to the Internet, and thus may block traffic flowing in both directions. In the e-mail example given above, you may prevent computers in the home network from receiving e-mail by blocking their outgoing requests to POP3 servers on the Internet.

There are services you should consider blocking, such as popular game and file sharing servers. For example, to ensure that your employees do not put your business at risk from illegally traded copyright files, you may want to block several popular P2P and file sharing applications.



To view and allow/restrict these services:

1. From the menu bar, click the Security menu, and in the screen 'Security', click the

Access Control tab; the screen 'Access Control' opens.

Figure 14-3: Access Control

2. Click the New icon; the screen 'Add Access Control Rule' opens (see the figure

below).

Figure 14-4: Add Access Control Rule

MP252 Multimedia Home Gateway 228 Document #: LTRT-23504

MP252 Multimedia Home Gateway 14. Security

3. The parameter 'Address' enables you to specify the computer or group of computers for

which you would like to apply the access control rule. You can select between any or a specific computer address in your LAN. If you choose the 'Specify Address' option, the screen refreshes, and an 'Add' link appears. Click it to specify a computer address. Specify an address by creating a 'Network Object'.

4. The parameter 'Protocol' lets you select or specify the type of protocol to be used. In

addition to the list of popular protocols it provides, you may also choose any or a specific protocol. If you choose option 'Specify Protocol', the screen refreshes and an 'Add' link appears. Click it to specify a protocol address.

5. The parameter 'Schedule' allows you to define the time period during which this rule

takes effect. You can select between 'Always' or a specific schedule. If you choose the option 'Specify Schedule', the screen refreshes and an 'Add' link appears. Click it to specify a schedule.

6. Click OK to save your settings; the 'Access Control' screen displays a summary of the

rule that you just added. Click the Edit icon to edit the access control rule for the service; the screen 'Edit Service' opens.

7. Select the network group to which you would like to apply the rule and the schedule

during which the rule takes effect.

8. Click OK to save your changes and return to the 'Access Control' screen.

You can disable an access control rule and make the service available without having to remove the service from 'Access Control'. This can be useful when making the service only temporarily available and when expecting to reinstate the restriction in the future.

 To temporarily disable rule, clear the check box adjacent to the service name.

 To reinstate the restriction at a later time, recheck it.

 To remove a rule, click the Remove icon for the service; the service is removed from

'Access Control'.

Note: When Web Filtering is enabled, HTTP services cannot be blocked by Access

Control.

14.3 Port Forwarding

By default, MP252 blocks all external users from connecting to or communicating with your network. Therefore, the system is safe from hackers who may try to intrude on the network and damage it. However, you may want to expose your network to the Internet in certain limited and controlled ways to enable some applications to work from the LAN (game, voice and chat applications, for example) and to enable Internet access to servers in the home network. The Port Forwarding feature supports both of these functionalities.

Version 3.4.0 229 June 2011

User's Manual

The 'Port Forwarding' screen lets you define the applications that require special handling by MP252. You must select the application's protocol and the local IP address of the computer using or providing the service. If required, you can add new protocols in addition to the most common ones provided by MP252.

For example, to use an FTP application on one of your PCs, select 'FTP' from the list and enter the local IP address or host name of the designated computer; all FTP-related data arriving at MP252 from the Internet is then forwarded to the specified computer.

Similarly, to grant Internet users access to servers inside your home network, you must identify each service that you want to provide and the PC that provides it. For example, to host a Web server inside the home network you must select 'HTTP' from the list of protocols and enter the local IP address or host name of the computer that hosts the Web server. When an Internet user points her browser to the external IP address of MP252, it forwards the incoming HTTP request to the computer that is hosting the Web server.

Additionally, port forwarding enables you to redirect traffic to a different port instead of the one to which it was designated. If for example you have a Web server running on your PC on port 8080 and you want to grant access to this server to anyone who accesses MP252 via HTTP, do the following:

 Define a port forwarding rule for the HTTP service, with the PC's IP or host name.

 Specify 8080 in the field 'Forward to Port'.

All incoming HTTP traffic is now forwarded to the PC running the Web server on port 8080. When setting a port forwarding service, you must ensure that the port is not already in use by

another application, which may stop functioning. A common example is when using SIP signaling in Voice over IP - the port used by MP252's VoIP application (5060) is the same port on which port forwarding is set for LAN SIP agents.

Note: Some applications, such as FTP, TFTP, PPTP and H323, require the support of

special specific Application Level Gateway (ALG) modules in order to work inside the home network. Data packets associated with these applications contain information that allows them to be routed correctly. An ALG is needed to handle these packets and ensure that they reach their intended destinations. MP252 is equipped with a robust list of ALG modules in order to enable maximum functionality in the home network. The ALG is automatically assigned based on the destination port.

MP252 Multimedia Home Gateway 230 Document #: LTRT-23504

+ 178 hidden pages

VTech Telecommunications 80-7597-01 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual